By default, in Fortinet logs, you can see only source and destination IPs. IP addresses are not very human-friendly. That's why DNS was invented (one of many reasons). In this article, I'll show you how to pimp your logs with additional information about source and destination IP addresses.
Let's assume that you have a private DNS server which is capable of resolving each machine's IP address to its name, just like below:
$ nslookup 192.168.1.110
Server:  UnKnown
Address:  192.168.1.99

Name:    surface.home
Address:  192.168.1.111
Then you configure FortiGate to use that DNS server. Will it resolve source IPs and show hostnames in the logs? No, it won't! That is currently* not supported, and I can't tell if it ever will be. However, there is a way to display the name of a source device: enable device detection on the interface to which the clients are connected, usually the LAN interface.
Warning: It won't work well if FortiGate is not the default gateway for the devices or there is another router in the path. In that scenario, you have to use licensed FortiClient software on each machine.
*The latest available FortiOS version at the time of writing is v6.2.2.
Destination IP addresses can be resolved to the hostnames using DNS servers configured in the Network section.
You can enable it in the GUI (Log Settings section) or in the CLI:
FGT # config log setting
FGT (setting) # set resolve-ip enable
FGT (setting) # end
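Because the firewall resolves only destination addresses, source names (or both, when device detection is not an option) can also be added downstream, on the syslog collector that receives the FortiGate logs. The script below is an added example and not part of the original article: it parses a FortiGate key=value log line and appends srcname/dstname fields from a reverse lookup. The log line, the PTR table standing in for the private DNS server, and the output field names are all constructed for the example.

```python
import re
import socket
from typing import Callable, Dict, Optional

# Constructed sample FortiGate traffic log (key=value syslog format);
# the field names follow the FortiOS traffic log, the values are made up.
SAMPLE_LOG = (
    'date=2019-11-05 time=10:15:42 devname="FGT-LAB" type="traffic" '
    'subtype="forward" srcip=192.168.1.110 srcport=51522 srcintf="lan" '
    'dstip=192.168.1.20 dstport=443 dstintf="dmz" action="accept"'
)

# Constructed reverse-lookup table standing in for the private DNS server
# from the article (nslookup 192.168.1.110 -> surface.home).
FAKE_PTR = {
    "192.168.1.110": "surface.home",
    "192.168.1.20": "intranet.home",
}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def table_resolver(ip: str) -> Optional[str]:
    """Offline resolver backed by the constructed PTR table."""
    return FAKE_PTR.get(ip)


def dns_resolver(ip: str) -> Optional[str]:
    """Real PTR lookup through the system resolver; None if nothing answers."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None


def enrich_line(line: str, resolver: Callable[[str], Optional[str]] = table_resolver) -> Dict[str, str]:
    """Add srcname/dstname (assumed names) unless the log already carries them,
    e.g. srcname filled in by FortiGate device detection. Unresolvable IPs get '-'."""
    fields = parse_fortigate_log(line)
    for ip_key, name_key in (("srcip", "srcname"), ("dstip", "dstname")):
        ip = fields.get(ip_key)
        if ip and name_key not in fields:
            fields[name_key] = resolver(ip) or "-"
    return fields
```

Swap `table_resolver` for `dns_resolver` to query the real private DNS server; cache its results, because a PTR lookup per log line is slow and noisy.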
Once connected to FortiAnalyzer, you don't have to configure much. Just add a Destination Name column, reorder the columns in whatever way works best for you and start analyzing logs:
SOC / FortiView has its own settings which control whether destination IP addresses should be resolved. Enable hostname resolution in the CLI:
FAZ # config system fortiview setting
FAZ (setting) # set resolve-ip enable
FAZ (setting) # end
Warning: You might notice that this view takes significantly longer to load than before.
Yet another place with independent DNS resolution settings; here it is configured per report: