
View Logs for a Specific IP Address

The most common log query: "show me everything involving IP X." On FortiGate this is straightforward in both GUI and CLI once you know the field names.

Via GUI

  1. Log & Report → Forward Traffic.
  2. Add Filter (button or right-click a column).
  3. Filter options:
    • Source = 10.0.0.50 — sessions that originated from this IP.
    • Destination = 10.0.0.50 — sessions destined to this IP.
    • Source IP + Destination IP in OR mode — any session involving this IP either way.
  4. Set the time range (top of page) to focus the search.
  5. Apply filter.

[Screenshot placeholder: Forward Traffic log view with a filter applied for Source = 10.0.0.50, showing matching log entries.]

Useful additional filters

  • Action = Deny — only blocked sessions.
  • Application = Facebook — by FortiGuard application signature.
  • Country = China — by GeoIP (source or destination country).
  • Service = HTTPS — by port/protocol.
  • Policy ID = 5 — sessions that hit a specific policy.

On the CLI the same filters go through execute log filter field with the log field names: action, app, srccountry or dstcountry, service, policyid.

Via CLI

# Filter by source IP:
execute log filter category 0
execute log filter field srcip 10.0.0.50
execute log filter start-line 1
execute log filter max-checklines 1000
execute log display

# Filter by destination IP. Field filters accumulate (adding dstip on top of the
# srcip filter above would require BOTH to match), so clear first:
execute log filter reset
execute log filter category 0
execute log filter field dstip 10.0.0.50
execute log display

# By either source or destination: there is no OR between two field filters,
# so run the two passes separately, resetting between them:
execute log filter reset
execute log filter category 0
execute log filter field srcip 10.0.0.50
execute log display
execute log filter reset
execute log filter category 0
execute log filter field dstip 10.0.0.50
execute log display

Filter settings persist for the CLI session until execute log filter reset; execute log filter dump shows what is currently set, which is the first thing to check when a query unexpectedly returns nothing.
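The either-direction search above takes two passes on the box, but once the lines are out of the CLI they are plain key=value text and can be searched in one pass. The following is an added example (Python, not from the original page and not Fortinet tooling): a parser for the lines execute log display prints, with the same filters as the GUI list (IP in either direction, action, policyid) and a CSV writer for the result. The four log entries are constructed for the example, not real device output.

```python
import csv
import io
import re

# Constructed sample of `execute log display` output (not real device output).
SAMPLE_LOG = """\
1: date=2024-03-05 time=09:12:41 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.50 srcport=51234 srcintf="port2" dstip=93.184.216.34 dstport=443 dstintf="port1" proto=6 action="accept" policyid=5 service="HTTPS" dstcountry="United States" sentbyte=1200 rcvdbyte=5400
2: date=2024-03-05 time=09:12:45 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.77 srcport=40022 srcintf="port1" dstip=10.0.0.50 dstport=22 dstintf="port2" proto=6 action="deny" policyid=0 service="SSH" dstcountry="Reserved" sentbyte=0 rcvdbyte=0
3: date=2024-03-05 time=09:13:02 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.0.51 srcport=55000 srcintf="port2" dstip=8.8.8.8 dstport=53 dstintf="port1" proto=17 action="accept" policyid=5 service="DNS" dstcountry="United States" sentbyte=80 rcvdbyte=120
4: date=2024-03-05 time=09:13:10 logid="0000000013" type="traffic" subtype="forward" level="warning" vd="root" srcip=10.0.0.50 srcport=60001 srcintf="port2" dstip=198.51.100.9 dstport=445 dstintf="port1" proto=6 action="deny" policyid=7 service="SMB" dstcountry="Reserved" sentbyte=0 rcvdbyte=0
"""

# key=value pairs; quoted values may contain spaces (e.g. dstcountry="United States").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
LINE_PREFIX_RE = re.compile(r"^\d+:\s*")  # execute log display numbers each entry "N: "


def parse_log_lines(text):
    """Parse FortiOS key=value log lines into a list of dicts (quotes stripped)."""
    records = []
    for line in text.splitlines():
        line = LINE_PREFIX_RE.sub("", line.strip())
        if not line:
            continue
        rec = {}
        for key, val in KV_RE.findall(line):
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            rec[key] = val
        if rec:
            records.append(rec)
    return records


def filter_records(records, ip=None, **conds):
    """ip matches srcip OR dstip (the either-direction search); any other keyword
    is an exact match on that log field, e.g. action="deny", policyid="5"."""
    hits = []
    for rec in records:
        if ip is not None and ip not in (rec.get("srcip"), rec.get("dstip")):
            continue
        if all(rec.get(field) == value for field, value in conds.items()):
            hits.append(rec)
    return hits


DEFAULT_FIELDS = ("date", "time", "srcip", "dstip", "service", "action", "policyid")


def to_csv(records, fields=DEFAULT_FIELDS):
    """Render the selected fields as CSV text (the same shape as a GUI CSV export)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fields), extrasaction="ignore")
    writer.writeheader()
    for rec in records:
        writer.writerow(rec)
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG)
    # Everything involving 10.0.0.50, either direction:
    print(to_csv(filter_records(recs, ip="10.0.0.50")))
    # Only the denied sessions involving it:
    print(to_csv(filter_records(recs, ip="10.0.0.50", action="deny")))
```

Paste the output of execute log display (or a saved session transcript) into parse_log_lines and the conditions compose freely, which is the OR the CLI filter cannot express. Values stay strings, so policyid="5" is the comparison, matching how the field is printed.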

Other Log Categories

The category number selects which log type execute log filter and execute log display read. The IDs FortiOS uses (confirm on your firmware with execute log filter category ?) are:

  • 0 — Traffic. Forward Traffic is the forward subtype; Local Traffic (to/from the FortiGate itself) is subtype local in this same category, so add a subtype field filter to see only one of them.
  • 1 — Event (system, user, VPN and similar; VPN events are subtype vpn here, not a separate category).
  • 2 — AntiVirus (utm-virus).
  • 3 — Web Filter (utm-webfilter).
  • 4 — Intrusion Prevention (utm-ips).
  • 5 — Email Filter (utm-emailfilter).
  • 7 — Anomaly (DoS policy).
  • 8 — VoIP (utm-voip).
  • 9 — DLP (utm-dlp).
  • 10 — Application Control (utm-app-ctrl).
  • 12 — WAF (utm-waf).
  • 15 — DNS Filter (utm-dns).

To search across categories at once, use FortiAnalyzer (single search across all).

Real-Time Tail

There is no continuous tail on the FortiGate CLI (nothing like Linux tail -f). execute log display prints a snapshot of whatever currently matches the filter, so to watch for new entries you re-run it:

execute log filter category 0
execute log filter field srcip 10.0.0.50
execute log display
# ...then run execute log display again for entries logged since the last run.

If what you need is the IP's traffic as it happens rather than its log entries, the packet sniffer is the live tool: diagnose sniffer packet any 'host 10.0.0.50' 4 (Ctrl+C to stop). For a continuous tail of the logs themselves, use FortiAnalyzer's live log view.

Export Logs for an IP

GUI:

  1. Apply your filter.
  2. Tools → Download Filtered Logs (or right-click → Export).
  3. Pick CSV / JSON / plaintext.

CLI:

execute log filter category 0
execute log filter field srcip 10.0.0.50
execute log backup tftp <filename> <tftp-server>

Common Issues

  • No results. Logging is disabled on the policy that handled this traffic, or the policy logs only security events (logtraffic utm), in which case sessions with no UTM hit never produce a traffic log; set logtraffic all on the policy. Also check the time range and, on the CLI, execute log filter dump for a field left over from an earlier query. See Enable Traffic Logging.
  • Results truncated. The GUI limits the initial view; scroll / paginate or export to CSV. On the CLI, raise max-checklines or page through with start-line.
  • Filter syntax wrong. Field names are case-sensitive: use srcip, not SrcIP.
  • IP rotated (DHCP). The IP at log time may not be the IP now. Match the entry's date and time against DHCP lease history or user/MAC mappings rather than the current lease table.
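Cross-referencing the entry's timestamp against lease history, as an added example (Python, not from the original page): given a parsed record's date, time and srcip, it returns the MAC and hostname that held the address at that moment, and None in a gap between leases, so the answer can differ from whoever holds the address now. The lease table is constructed for the example; its shape (ip, mac, hostname, start, end) is an assumption, not a FortiGate output format, and is meant to be filled from whatever DHCP or NAC records your site keeps.

```python
from datetime import datetime

# Constructed lease history (assumed shape: ip, mac, hostname, lease start, lease end).
# Not real FortiGate output; populate it from your DHCP server or NAC records.
LEASE_HISTORY = [
    ("10.0.0.50", "00:11:22:33:44:55", "alice-laptop",  "2024-03-04 08:00:00", "2024-03-05 08:00:00"),
    ("10.0.0.50", "66:77:88:99:aa:bb", "visitor-phone", "2024-03-05 09:00:00", "2024-03-06 09:00:00"),
    ("10.0.0.51", "cc:dd:ee:ff:00:11", "printer",       "2024-03-01 00:00:00", "2024-03-31 00:00:00"),
]

FMT = "%Y-%m-%d %H:%M:%S"  # matches the date=... time=... fields in a FortiOS log entry


def lease_holder(leases, ip, date, time):
    """Return (mac, hostname) of the lease that covered `ip` at the log entry's
    date/time, or None if no lease covered it then (a gap, or an unknown IP)."""
    when = datetime.strptime(f"{date} {time}", FMT)
    for lease_ip, mac, host, start, end in leases:
        if lease_ip == ip and datetime.strptime(start, FMT) <= when < datetime.strptime(end, FMT):
            return mac, host
    return None


def attribute_record(leases, rec):
    """Annotate a parsed log record (needs date, time, srcip) with the device
    that held srcip when the entry was written; None fields mean no lease matched."""
    holder = lease_holder(leases, rec["srcip"], rec["date"], rec["time"])
    return {**rec,
            "srcmac": holder[0] if holder else None,
            "srchost": holder[1] if holder else None}


if __name__ == "__main__":
    entry = {"date": "2024-03-05", "time": "09:12:41", "srcip": "10.0.0.50", "action": "accept"}
    print(attribute_record(LEASE_HISTORY, entry))
```

The half-open interval (start inclusive, end exclusive) avoids attributing an entry written exactly at a lease boundary to both devices; a None result on a busy segment usually means the lease history has a gap, not that the traffic had no source.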