Introduction

By default, Fortinet logs show you only source and destination IPs. IP addresses are not very human-friendly. That's why DNS was invented (one of many reasons). In this article, I'll show you how to pimp your logs with additional information about source and destination IP addresses.

Source IPs

Let's assume that you have a private DNS server which is capable of resolving each machine's IP address to its name, just like below:

$ nslookup 192.168.1.110
Server:  UnKnown
Address:  192.168.1.99

Name:    surface.home
Address:  192.168.1.111

Then you configure FortiGate to use that DNS server. Will it resolve the source IP and show the hostname in logs? No, it won't! That is currently* not supported, and I can't tell whether it ever will be. However, there is a way to display the name of a source device. All you have to do is enable device detection on the interface to which clients are connected. Usually, it's the LAN interface.

Warning: It won't work well if FortiGate is not the default gateway for the devices or there is some other router in the path. In that scenario, you have to use licensed FortiClient software on each machine.

*The latest available FortiOS version at the time of writing is v6.2.2.
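Since FortiGate itself won't resolve source IPs, another option is to enrich the logs after the fact on the collector. The Python script below is an added example, not code from the original article: it parses FortiGate key=value traffic log lines, appends srcname/dstname fields from reverse DNS (PTR) lookups, and caches results. The sample log line, the hostnames and the srcname/dstname field names are constructed for this example.

```python
import re
import socket
from functools import lru_cache
from typing import Callable, Optional

# FortiGate traffic logs are key=value pairs; string values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@lru_cache(maxsize=4096)
def resolve_ptr(ip: str) -> Optional[str]:
    """Reverse-DNS (PTR) lookup with a cache; returns None when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def enrich_log_line(line: str,
                    resolve: Callable[[str], Optional[str]] = resolve_ptr) -> str:
    """Append srcname=/dstname= for any srcip/dstip that resolves.

    Fields that are already present are left alone, so re-running the
    script over already enriched logs does not duplicate them."""
    fields = dict(KV_RE.findall(line))
    extra = []
    for ip_key, name_key in (("srcip", "srcname"), ("dstip", "dstname")):
        ip = fields.get(ip_key)
        if not ip or name_key in fields:
            continue
        name = resolve(ip.strip('"'))
        if name:
            extra.append(f'{name_key}="{name}"')
    return line if not extra else line + " " + " ".join(extra)


# Constructed sample: one FortiGate-style traffic log line and a stand-in
# PTR table so the example runs offline (use resolve_ptr in production).
SAMPLE_LINE = ('date=2019-11-20 time=10:15:01 devname="FGT" type="traffic" '
               'subtype="forward" srcip=192.168.1.111 srcport=52113 srcintf="lan" '
               'dstip=192.168.1.99 dstport=53 proto=17 action="accept"')
SAMPLE_PTR = {"192.168.1.111": "surface.home", "192.168.1.99": "dns.home"}


def demo() -> str:
    return enrich_log_line(SAMPLE_LINE, SAMPLE_PTR.get)


if __name__ == "__main__":
    print(demo())
```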

Destination IPs

Destination IP addresses can be resolved to hostnames using the DNS servers configured in the Network section.

You can enable it in the GUI (Log Settings section) or in the CLI:

FGT# config log setting
FGT (setting)# set resolve-ip enable
FGT (setting)# end

Results

FortiGate Logs

FortiAnalyzer Logs

Once connected to FortiAnalyzer, you don't have to configure much. Just add the Destination Name column, reorder the columns in the way that works best for you and start analyzing logs:

Extra Settings

FortiAnalyzer SOC

SOC / FortiView has its own setting which controls whether destination IP addresses should be resolved or not. Enable hostname resolution in the CLI:

FAZ# config system fortiview setting
FAZ (setting)# set resolve-ip enable
FAZ (setting)# end

Warning: You might notice that this view takes significantly longer to load than before.

FortiAnalyzer Reports

Yet another place with an independent DNS resolution setting. It is configured per report: