Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 6.2.1 Handbook
    6.2.1
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Using the security log

    Using the security log

    The Security Log table displays logs related to security features.

    Before you begin:
    • You must have Read-Write permission for Log & Report settings.
    To view and filter the log:
    1. Go to Log & Report > Log Browsing.
    2. Click the Security Logs tab to display the attack log.

    IP Reputation log to Geo IP log list the log columns in the order in which they appear in the log.

    IP Reputation log
    Column Example Description
    date date=2014-12-02 Log date.
    time time=10:27:01 Log time.
    log_id log_id=0200004230 Log ID.
    type type=attack Log type: attack.
    subtype subtype=ip_reputation Log subtype: ip_reputation.
    pri pri=warning Log level.
    vd vd=root Virtual domain.
    msg_id msg_id=13065998 Message ID.
    count count=1 For IP reputation, count=1.
    severity severity=high Rule severity.
    proto proto=6 Protocol.
    service service=http Service.
    src src=4.4.4.4 Source IP address.
    src_port src_port=49301 Source port.
    dst dst=2.2.2.2 Destination IP address.
    dst_port dst_port=80 Destination port.
    policy policy=vs1 Virtual server name.
    action action=deny Policy action.
    srccountry srccountry=cn Location of the source IP address.
    dstcountry dstcountry=us Location of the destination IP address.
    msg msg=msg

    		 Security rule name, category, subcategory, and description of the attack.

    WAF log
    Column Example Description
    date date=2015-07-22 Log date.
    time time=10:27:01 Log time.
    log_id log_id=0202008074 Log ID.
    type type=attack Log type: attack.
    subtype subtype=waf Log subtype: waf.
    pri pri=alert Log level.
    vd vd=root Virtual domain.
    msg_id msg_id=1512 Message ID.
    count count=1 Rule match count.
    severity severity=low Rule severity.
    proto proto=6 Protocol.
    service service=http Service.
    src src=1.1.1.1 Source IP address.
    src_port src_port=34352 Source port.
    dst dst=2.2.2.2 Destination IP address.
    dst_port dst_port=80 Destination port.
    policy policy=vs1 Virtual server name.
    action action=pass Policy action.
    sigid sigid=1 Attack signature ID.

    owasp_top10

    owasp_top10=A3:2017-Sensitive Data Exposure

    OWASP Top10 category
    subcat subcat=waf_subtype WAF module: waf_web_attack_signature, waf_url_access, waf_http_protocol_cont and waf_sql_xss_injection_detect.

    http_method

    http_method=GET

    HTTP method in HTTP request
    http_host http_host=192.168.1.140:8080 HTTP Host header in HTTP request. Maximum length is 64. Longer URIs are truncated and appended with ....
    http_url http_url=/bigdata URI in HTTP request. Maximum length is 128. Longer URIs are truncated and appended with ....

    user_agent

    user_agent=curl/7.19.7 (i386-redhat-linux-gnu)

    libcurl/7.19.7 NSS/3.16.2.3 Basic ECC

    zlib/1.2.3 libidn/1.18 libssh2/1.4.2

    User agent in HTTP request.
    pkt_hdr pkt_hdr=header Contents of the packet header that matched the attack signature.
    srccountry srccountry=Australia Location of the source IP address.
    dstcountry dstcountry=France Location of the destination IP address.
    msg msg="Find Attack ID: 1010010001 NAME: "HTTP Method Violation" CATEGORY: "HTTP Protocol Constraint" SUB_CATEGORY: "Request Method Rule"" Security rule name, category, subcategory, and description of the attack.

    example

    GET /etc/passwd HTTP/1.1

    Host: www.example.com

    Connection: keep-alive

    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36

    Accept: text/html,application/xhtml+xml,application/xml

    Referer: https://www.example.com/login.html

    Accept-Encoding: gzip, deflate, br

    Accept-Language: zh-CN,zh;q=0.9

    An example of what the WAF scan engine looks for. "/etc/passwd" is the signature in this example. The WAF scan engine inpsects HTTP packets and if the signature matches, it is logged.

    Geo IP log
    Column Example Description
    date date=2014-12-02 Log date.
    time time=10:27:01 Log time.
    log_id log_id=0200004230 Log ID.
    type type=attack Log type: attack.
    subtype subtype=geo Log subtype: geo.
    pri pri=warning Log level.
    vd vd=root Virtual domain.
    msg_id msg_id=13065998 Message ID.
    count count=1 Rule match count.
    severity severity=high Rule severity.
    proto proto=0 Protocol.
    service service=http Service.
    src src=173.177.99.94 Source IP address.
    src_port src_port=49301 Source port.
    dst dst=10.61.2.100 Destination IP address.
    dst_port dst_port=80 Destination port.
    policy policy=vs1 Virtual server name.
    action action=deny Policy action.
    srccountry srccountry=cn Location of the source IP address.
    dstcountry dstcountry=us Location of the destination IP address.
    msg msg=msg Security rule name, category, subcategory, and description of the attack.

    AV log
    Column Example Description
    date date=2014-12-02 Log date.
    time time=10:27:01 Log time.
    log_id log_id=0200004230 Log ID.
    msg_id message id=362301459 Message ID
    virus category virus category=N/A Virus Category.
    count count=1 Rule match count.
    severity severity=high Rule severity.
    proto proto=0 Protocol.
    service service=http Service.
    src src=173.177.99.94 Source IP address.
    src_port src_port=49301 Source port.
    dst dst=10.61.2.100 Destination IP address.
    dst_port dst_port=80 Destination port.
    type type=attack Type
    subtype subtype=av Sub Type
    action action=deny Policy action.
    srccountry srccountry=cn Location of the source IP address.
    dstcountry dstcountry=us Location of the destination IP address.
    msg msg=msg Security rule name, category, subcategory, and description of the attack.
    sign_id sign_id=0 Signature ID
    virus_id virus_id=0 Virus ID
    av_anatype av_anatype=analytics AV AnaType
    url url=none URL
    virus/botnet virus/botnet=N/A Virus/Botnet
    Submitted to FortiSandbox Submitted_to_Fortisandbox=no Submitted to FortiSandBox
    quar file name quar_file_name=N/A Quar File Name
    Proto Method proto_method=none Proto Method
    AV Profile av_profile=AV1 AV Profile
    FortiSandbox Checksum B08663FD9FC147D6ADBB3D70DCEC1271A4288C71D887D44811D93E366D91AD2C
    Previous
    Next

    Using the security log

    Using the security log

    The Security Log table displays logs related to security features.

    Before you begin:
    • You must have Read-Write permission for Log & Report settings.
    To view and filter the log:
    1. Go to Log & Report > Log Browsing.
    2. Click the Security Logs tab to display the attack log.

    IP Reputation log to Geo IP log list the log columns in the order in which they appear in the log.

    IP Reputation log
    Column Example Description
    date date=2014-12-02 Log date.
    time time=10:27:01 Log time.
    log_id log_id=0200004230 Log ID.
    type type=attack Log type: attack.
    subtype subtype=ip_reputation Log subtype: ip_reputation.
    pri pri=warning Log level.
    vd vd=root Virtual domain.
    msg_id msg_id=13065998 Message ID.
    count count=1 For IP reputation, count=1.
    severity severity=high Rule severity.
    proto proto=6 Protocol.
    service service=http Service.
    src src=4.4.4.4 Source IP address.
    src_port src_port=49301 Source port.
    dst dst=2.2.2.2 Destination IP address.
    dst_port dst_port=80 Destination port.
    policy policy=vs1 Virtual server name.
    action action=deny Policy action.
    srccountry srccountry=cn Location of the source IP address.
    dstcountry dstcountry=us Location of the destination IP address.
    msg msg=msg

    		 Security rule name, category, subcategory, and description of the attack.

    WAF log
    Column Example Description
    date date=2015-07-22 Log date.
    time time=10:27:01 Log time.
    log_id log_id=0202008074 Log ID.
    type type=attack Log type: attack.
    subtype subtype=waf Log subtype: waf.
    pri pri=alert Log level.
    vd vd=root Virtual domain.
    msg_id msg_id=1512 Message ID.
    count count=1 Rule match count.
    severity severity=low Rule severity.
    proto proto=6 Protocol.
    service service=http Service.
    src src=1.1.1.1 Source IP address.
    src_port src_port=34352 Source port.
    dst dst=2.2.2.2 Destination IP address.
    dst_port dst_port=80 Destination port.
    policy policy=vs1 Virtual server name.
    action action=pass Policy action.
    sigid sigid=1 Attack signature ID.

    owasp_top10

    owasp_top10=A3:2017-Sensitive Data Exposure

    OWASP Top10 category
    subcat subcat=waf_subtype WAF module: waf_web_attack_signature, waf_url_access, waf_http_protocol_cont and waf_sql_xss_injection_detect.

    http_method

    http_method=GET

    HTTP method in HTTP request
    http_host http_host=192.168.1.140:8080 HTTP Host header in HTTP request. Maximum length is 64. Longer URIs are truncated and appended with ....
    http_url http_url=/bigdata URI in HTTP request. Maximum length is 128. Longer URIs are truncated and appended with ....

    user_agent

    user_agent=curl/7.19.7 (i386-redhat-linux-gnu)

    libcurl/7.19.7 NSS/3.16.2.3 Basic ECC

    zlib/1.2.3 libidn/1.18 libssh2/1.4.2

    User agent in HTTP request.
    pkt_hdr pkt_hdr=header Contents of the packet header that matched the attack signature.
    srccountry srccountry=Australia Location of the source IP address.
    dstcountry dstcountry=France Location of the destination IP address.
    msg msg="Find Attack ID: 1010010001 NAME: "HTTP Method Violation" CATEGORY: "HTTP Protocol Constraint" SUB_CATEGORY: "Request Method Rule"" Security rule name, category, subcategory, and description of the attack.

    example

    GET /etc/passwd HTTP/1.1

    Host: www.example.com

    Connection: keep-alive

    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36

    Accept: text/html,application/xhtml+xml,application/xml

    Referer: https://www.example.com/login.html

    Accept-Encoding: gzip, deflate, br

    Accept-Language: zh-CN,zh;q=0.9

    An example of what the WAF scan engine looks for. "/etc/passwd" is the signature in this example. The WAF scan engine inpsects HTTP packets and if the signature matches, it is logged.

    Geo IP log
    Column Example Description
    date date=2014-12-02 Log date.
    time time=10:27:01 Log time.
    log_id log_id=0200004230 Log ID.
    type type=attack Log type: attack.
    subtype subtype=geo Log subtype: geo.
    pri pri=warning Log level.
    vd vd=root Virtual domain.
    msg_id msg_id=13065998 Message ID.
    count count=1 Rule match count.
    severity severity=high Rule severity.
    proto proto=0 Protocol.
    service service=http Service.
    src src=173.177.99.94 Source IP address.
    src_port src_port=49301 Source port.
    dst dst=10.61.2.100 Destination IP address.
    dst_port dst_port=80 Destination port.
    policy policy=vs1 Virtual server name.
    action action=deny Policy action.
    srccountry srccountry=cn Location of the source IP address.
    dstcountry dstcountry=us Location of the destination IP address.
    msg msg=msg Security rule name, category, subcategory, and description of the attack.

    AV log
    Column Example Description
    date date=2014-12-02 Log date.
    time time=10:27:01 Log time.
    log_id log_id=0200004230 Log ID.
    msg_id message id=362301459 Message ID
    virus category virus category=N/A Virus Category.
    count count=1 Rule match count.
    severity severity=high Rule severity.
    proto proto=0 Protocol.
    service service=http Service.
    src src=173.177.99.94 Source IP address.
    src_port src_port=49301 Source port.
    dst dst=10.61.2.100 Destination IP address.
    dst_port dst_port=80 Destination port.
    type type=attack Type
    subtype subtype=av Sub Type
    action action=deny Policy action.
    srccountry srccountry=cn Location of the source IP address.
    dstcountry dstcountry=us Location of the destination IP address.
    msg msg=msg Security rule name, category, subcategory, and description of the attack.
    sign_id sign_id=0 Signature ID
    virus_id virus_id=0 Virus ID
    av_anatype av_anatype=analytics AV AnaType
    url url=none URL
    virus/botnet virus/botnet=N/A Virus/Botnet
    Submitted to FortiSandbox Submitted_to_Fortisandbox=no Submitted to FortiSandBox
    quar file name quar_file_name=N/A Quar File Name
    Proto Method proto_method=none Proto Method
    AV Profile av_profile=AV1 AV Profile
    FortiSandbox Checksum B08663FD9FC147D6ADBB3D70DCEC1271A4288C71D887D44811D93E366D91AD2C
    Previous
    Next