m. Secure Socket Layer (SSL)

Records detected/blocked malicious SSL connections.

Sample Events

date=2019-03-28 time=10:44:53 logid="1700062002" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="vdom1" eventtime=1553795092 policyid=1 sessionid=10796 service="HTTPS" srcip=10.1.100.66 srcport=43602 dstip=104.154.89.105 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="blocked" msg="Server certificate blocked" reason="block-cert-invalid"

date=2019-03-28 time=11:09:14 logid="1701062003" type="utm" subtype="ssl" eventtype="sslexempt" level="notice" vd="vdom1" eventtime=1553796553 policyid=1 sessionid=12079 service="HTTPS" srcip=10.1.100.66 srcport=49102 dstip=172.16.200.99 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="exempt" msg="SSL connection exempted" reason="exempt-addr"

date=2020-02-07 time=11:10:58 logid="1702062101" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="warning" vd="vdom1" eventtime=1581102658589415731 tz="-0800" action="blocked" policyid=1 sessionid=141224 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=33666 dstip=172.16.200.99 dstport=8080 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="unexpected-protocol" msg="SSL connection is blocked."

Fields

Field         Description
DATE          Event date, in the format YYYY-MM-DD
TIME          Event time, in the format HH:MM:SS
SYSTEM        The source system
TABLE         FortiGateSSL
CRITICALITY   
LOGID         Unique 10-digit identifier (log type, subtype/event type and message ID) for that specific log; includes information about the log entry
TYPE          Represented by the first two digits of the log ID
SUBTYPE       Represented by the first/second two digits of the log ID
EVENTTYPE     Represented by the second two digits of the log ID
DEVNAME       
DEVID         Serial number of the device for the traffic's origin
LEVEL         Security level rating
VD            Name of the virtual domain in which the log message was recorded
EVENTTIME     Epoch time the log was triggered by FortiGate
TZ            
ACTION        
POLICYID      
SESSIONID     
SERVICE       
PROFILE       
SRCIP         Source IP
SRCPORT       Source port
SRCINTF       Source interface
SRCINTFROLE   
DSTIP         Destination IP
DSTPORT       Destination port
DSTINTF       Destination interface
DSTINTFROLE   
PROTO         
EVENTSUBTYPE  
CAT           
CATDESC       
HOSTNAME      
MSG           Message text
SNAREDATAMAP  All other data in the event will be pushed to this field
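As an added illustration (not part of this reference, and not the collector's own code), the parser below splits the sample events above into the table columns listed here, pushes any key the table does not name (such as "reason" in the first sample) into SNAREDATAMAP, and normalises EVENTTIME, which the third sample shows in nanoseconds rather than seconds. The column names and the nanosecond heuristic are this example's own assumptions.

```python
import re
from datetime import datetime, timezone

# Keys the FortiGateSSL table maps to their own columns (lower-case as they appear in
# the log line). Any other key is pushed into SNAREDATAMAP, as the table's last row says.
MAPPED = {
    "date", "time", "logid", "type", "subtype", "eventtype", "devname", "devid", "level",
    "vd", "eventtime", "tz", "action", "policyid", "sessionid", "service", "profile",
    "srcip", "srcport", "srcintf", "srcintfrole", "dstip", "dstport", "dstintf",
    "dstintfrole", "proto", "eventsubtype", "cat", "catdesc", "hostname", "msg",
}

# One key=value token: the value is either a double-quoted string (which may contain
# spaces, e.g. msg="Server certificate blocked") or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_event(line: str) -> dict:
    """Split a FortiGate SSL log line into table columns plus SNAREDATAMAP."""
    event, extra = {"TABLE": "FortiGateSSL"}, {}
    for key, raw in KV_RE.findall(line):
        value = raw[1:-1] if raw.startswith('"') else raw
        if key in MAPPED:
            event[key.upper()] = value
        else:
            extra[key] = value          # unmapped key: keep it rather than drop it
    event["SNAREDATAMAP"] = extra
    return event

def eventtime_utc(event: dict) -> str:
    """Render EVENTTIME as ISO-8601 UTC. Assumption: a value longer than 12 digits is
    nanoseconds (third sample), otherwise seconds (first two samples)."""
    raw = event["EVENTTIME"]
    seconds = int(raw) // 1_000_000_000 if len(raw) > 12 else int(raw)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

# Two of the sample events from this page, embedded so the block runs offline.
SAMPLE_EVENTS = [
    'date=2019-03-28 time=10:44:53 logid="1700062002" type="utm" subtype="ssl" eventtype="ssl-anomalies" level="warning" vd="vdom1" eventtime=1553795092 policyid=1 sessionid=10796 service="HTTPS" srcip=10.1.100.66 srcport=43602 dstip=104.154.89.105 dstport=443 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 action="blocked" msg="Server certificate blocked" reason="block-cert-invalid"',
    'date=2020-02-07 time=11:10:58 logid="1702062101" type="utm" subtype="ssl" eventtype="ssl-negotiation" level="warning" vd="vdom1" eventtime=1581102658589415731 tz="-0800" action="blocked" policyid=1 sessionid=141224 service="HTTPS" profile="deep-inspection-clone" srcip=10.1.100.66 srcport=33666 dstip=172.16.200.99 dstport=8080 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 eventsubtype="unexpected-protocol" msg="SSL connection is blocked."',
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        print(ev["LOGID"], ev["ACTION"], eventtime_utc(ev), ev["MSG"], ev["SNAREDATAMAP"])
```

Note that the local date/time fields carry the device's timezone (tz="-0800" in the third sample) while EVENTTIME is epoch UTC, so correlating with other sources should key on the normalised UTC value.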

Notes

Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference
