Fortinet black logo

Handbook

Using the security log

Using the security log

The Security Log displays logs related to the following FortiADC security features:

  • IP Reputation — Traffic logged by the IP Reputation feature.

  • DDoS — Traffic logged by the DoS Protection feature.

  • WAF — Traffic logged by the Web Application Firewall feature.

  • GEO — Traffic logged by the Geo IP block list feature.

  • AV — Traffic logged by the Anti Virus module.

  • IPS — Traffic logged by the IPS feature.

  • Firewall — Traffic logged by the Firewall module.

Before you begin:
  • You must have Read-Write permission for Log & Report settings.
  • Have enabled to write security logs on the FortiADC log disk in Log & Report > Log Setting > Local Log.
  • Have enabled or disabled related security logs in Log & Report > Log Setting > Local Log.
To view and filter the log:
  1. Go to Log & Report > Security Log.
  2. From the top navigation, select the security category from the drop-down menu.

    The log page displays with the log columns and data specific to the security category.

The following lists the log columns in the order in which they appear in each security log. Use the below links to navigate to the security log of your choosing:

For additional detail on each log, click the (Detail icon) for any log. For further description of each log message, see the FortiADC Log Reference.

IP Reputation log

Column

Description

Date Log date.
Time Log time.
Count Rule match count.
Source Source IP address.
Destination Destination IP address.
Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

DDoS log

Column

Description

Date Log date.
Time Log time.
Count Rule match count.
Source Source IP address.
Destination Destination IP address.
Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

WAF log

Column

Description

Date Log date.
Time Log time.
WAF Subcategory Web Application Firewall subcategory.
Severity Security level.

Source

Source IP address.

Destination Destination IP address.
Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

The following actions may be performed directly from the WAF log details:

  • Add Exception — You can add WAF Exceptions directly from the WAF log. This option appears only for WAF subcategories that support WAF Exceptions. For details, see Configuring WAF Exception objects.

  • Disable Signature — You can disable WAF signature profiles directly from the WAF log. This option appears only for Attacks Signature WAF subcategories. Disable Signature can only be successful if the WAF signature profile exists, otherwise the disable will fail with the error message "Entry not found".

  • View Signature — You can view the WAF signature status and information directly from the WAF log. This option appears only for Attacks Signature WAF subcategories.

GEO log

Column

Description

Date Log date.
Time Log time.
Count Rule match count.
Severity Security level.

Source

Source IP address.

Destination Destination IP address.
Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

AV log

Column

Description

Date Log date.
Time Log time.

Source

Source IP address.

Destination Destination IP address.

Service

Service type.

Severity

Security level.

Virus Category

Virus category.

Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

IPS log

Column

Description

Date Log date.
Time Log time.

Source

Source IP address.

Destination Destination IP address.

Service

Service type.

Severity

Security level.

Rule Name

Security rule name

Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

Firewall log

Column

Description

Date Log date.
Time Log time.

Log Level

Log level.

Policy Firewall policy.

Message

Security rule name, category, subcategory, and description of the attack.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

Using the security log

The Security Log displays logs related to the following FortiADC security features:

  • IP Reputation — Traffic logged by the IP Reputation feature.

  • DDoS — Traffic logged by the DoS Protection feature.

  • WAF — Traffic logged by the Web Application Firewall feature.

  • GEO — Traffic logged by the Geo IP block list feature.

  • AV — Traffic logged by the Anti Virus module.

  • IPS — Traffic logged by the IPS feature.

  • Firewall — Traffic logged by the Firewall module.

Before you begin:
  • You must have Read-Write permission for Log & Report settings.
  • Have enabled to write security logs on the FortiADC log disk in Log & Report > Log Setting > Local Log.
  • Have enabled or disabled related security logs in Log & Report > Log Setting > Local Log.
To view and filter the log:
  1. Go to Log & Report > Security Log.
  2. From the top navigation, select the security category from the drop-down menu.

    The log page displays with the log columns and data specific to the security category.

The following lists the log columns in the order in which they appear in each security log. Use the below links to navigate to the security log of your choosing:

For additional detail on each log, click the (Detail icon) for any log. For further description of each log message, see the FortiADC Log Reference.

IP Reputation log

Column

Description

Date Log date.
Time Log time.
Count Rule match count.
Source Source IP address.
Destination Destination IP address.
Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

DDoS log

Column

Description

Date Log date.
Time Log time.
Count Rule match count.
Source Source IP address.
Destination Destination IP address.
Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

WAF log

Column

Description

Date Log date.
Time Log time.
WAF Subcategory Web Application Firewall subcategory.
Severity Security level.

Source

Source IP address.

Destination Destination IP address.
Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

The following actions may be performed directly from the WAF log details:

  • Add Exception — You can add WAF Exceptions directly from the WAF log. This option appears only for WAF subcategories that support WAF Exceptions. For details, see Configuring WAF Exception objects.

  • Disable Signature — You can disable WAF signature profiles directly from the WAF log. This option appears only for Attacks Signature WAF subcategories. Disable Signature can only be successful if the WAF signature profile exists, otherwise the disable will fail with the error message "Entry not found".

  • View Signature — You can view the WAF signature status and information directly from the WAF log. This option appears only for Attacks Signature WAF subcategories.

GEO log

Column

Description

Date Log date.
Time Log time.
Count Rule match count.
Severity Security level.

Source

Source IP address.

Destination Destination IP address.
Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

AV log

Column

Description

Date Log date.
Time Log time.

Source

Source IP address.

Destination Destination IP address.

Service

Service type.

Severity

Security level.

Virus Category

Virus category.

Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

IPS log

Column

Description

Date Log date.
Time Log time.

Source

Source IP address.

Destination Destination IP address.

Service

Service type.

Severity

Security level.

Rule Name

Security rule name

Action Action type that was taken as a result.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

Firewall log

Column

Description

Date Log date.
Time Log time.

Log Level

Log level.

Policy Firewall policy.

Message

Security rule name, category, subcategory, and description of the attack.

(Detail icon)

Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.