DOCUMENT LIBRARY

Handbook

Introduction
What's New
Key Concepts and Features
- Server load balancing
- Link load balancing
- Global load balancing
- Security
- High availability
- Virtual Domain (VDOM) and Administrative Domain (ADOM)
Getting Started
- Step 1: Install the appliance
- Step 2: Configure the management interface
- Step 3: Configure basic network settings
- Step 4: Test connectivity to destination servers
- Step 5: Complete product registration, licensing, and upgrades
- Step 6: Configure a basic server load balancing policy
- Step 7: Test the deployment
- Step 8: Back up the configuration
Dashboard
- Widgets
- Dashboard management tools
Security Fabric
- Automation
- Fabric connectors
- External connectors
FortiView
- Logical Topology
- Server Load Balance
- Security
- System
  - Event Logs
  - Automation
- Global Load Balance
  - Host
  - Data Analytics
- Link Load Balance
  - Gateway
- ZTNA FortiClient endpoint
System
- Settings
- Virtual Domain
- High Availability
- Traffic Group
- Administrator
- Global Resources
- WCCP
- SNMP
- Replacement Messages
- FortiGuard
  - Connecting to FortiGuard services
  - Configuring FortiGuard service settings
- Debug
- Certificate
Network
- Interface
- Routing
- NAT
  - Configuring source NAT
  - Configuring 1-to-1 NAT
- QoS
- Packet capture
Shared Resources
- Health Check
- Schedule Group
- Address
- Service
  - Creating service groups
  - Creating service objects
Server Load Balance
- Virtual Server
- Application Resources
- Application Optimization
- Real Server Pool
- Scripting
  - Using HTTP scripting
- SSL-FP Resources
Link Load Balance
- Link Policy
- Link Group
- Virtual Tunnel
Global Load Balance
- GLB Wizard
- FQDN
- Zone Tools
- Global Object
Web Application Firewall
- OWASP TOP10
- WAF Profile
- Known Web Attacks
  - Configuring a Web Attack Signature policy
  - Using the Signature Creation Wizard
- Common Attacks Detection
- Sensitive Data Protection
- Input Validation
- Access Protection
- CORS Protection
- API Protection
- Bot Mitigation
- Web Vulnerability Scanner
Advanced Bot Protection (ABP)
- Enabling the Advanced Bot Protection connector
- Obtaining the Application ID from the FortiGuard ABP User Portal
- Configuring an Advanced Bot Protection policy
- Advanced Bot Protection troubleshooting and debugging
Network Security
- Firewall
- Intrusion Prevention
- AntiVirus
- IP Reputation
- Geo IP Protection
Zero Trust Network Access (ZTNA)
- How device identity and trust context is established with FortiClient EMS
- Configuring FortiClient EMS Connector for ZTNA
- Verifying client certificate, FortiClient endpoint and ZTNA tag synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- ZTNA troubleshooting and debugging
DoS Protection
- DoS Protection Profile
- Application
- Networking
User Authentication
- Authentication Policy
- User Group
  - Configuring user groups
  - Configuring customized authentication forms
- Local User
- Remote User
- Using Kerberos Authentication Relay
  - Using HTTP Basic SSO
- SAML
  - Configure an SAML service provider
  - Import IDP Metadata
- AD FS Proxy
  - Adding an AD FS Publish
  - Adding an AD FS Proxy
- OAuth 2.0 authentication
Log & Report
- Using the traffic log
- Using the security log
- Using the script log
- Log Setting
- Report Setting
SSL Advanced Services
- SSL offloading
- SSL decryption by forward proxy
- SSL profile configurations
- Certificate guidelines
- SSL/TLS versions and cipher suites
- Exceptions list
- SSL traffic mirroring
- HSM Integration
Best Practices and Fine-tuning
- Regular backups
  - Rebooting, resetting, and shutting down the system
  - SCP support for configuration backup
- Security
- Performance tips
- High availability
Troubleshooting
- Logs
- Tools
- Solutions by issue type
- Resetting the configuration
- Restoring firmware (“clean install”)
- Additional resources
Appendix A: Fortinet MIBs
Appendix B: Port Numbers
Appendix C: Scripts
- Scripting application
- Events and actions
- Predefined commands
- Predefined scripts
- Control structures
- Operators
- String library
- Function
- Special characters
- Examples
Appendix D: Maximum Configuration Values
Change Log

Home FortiADC 7.4.1 Handbook

7.4.1

Using the security log

The Security Log displays logs related to the following FortiADC security features:

IP Reputation — Traffic logged by the IP Reputation feature.
DDoS — Traffic logged by the DoS Protection feature.
WAF — Traffic logged by the Web Application Firewall feature.
GEO — Traffic logged by the Geo IP block list feature.
AV — Traffic logged by the Anti Virus module.
IPS — Traffic logged by the IPS feature.
Firewall — Traffic logged by the Firewall module.
ZTNA - Traffic logged by the ZTNA feature.

Before you begin:

You must have Read-Write permission for Log & Report settings.
Have enabled to write security logs on the FortiADC log disk in Log & Report > Log Setting > Local Log.
Have enabled or disabled related security logs in Log & Report > Log Setting > Local Log.

To view and filter the log:

Go to Log & Report > Security Log.
From the top navigation, select the security category from the drop-down menu.

The log page displays with the log columns and data specific to the security category.

The following lists the log columns in the order in which they appear in each security log. Use the below links to navigate to the security log of your choosing:

IP Reputation log
DDoS log
WAF log
GEO log
AV log
IPS log
Firewall log
ZTNA log

For additional detail on each log, click the (Detail icon) for any log. For further description of each log message, see the FortiADC Log Reference.

IP Reputation log

Column	Description
Date	Log date.
Time	Log time.
Count	Rule match count.
Source	Source IP address.
Destination	Destination IP address.
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

DDoS log

Column	Description
Date	Log date.
Time	Log time.
Count	Rule match count.
Source	Source IP address.
Destination	Destination IP address.
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

WAF log

Column	Description
Date	Log date.
Time	Log time.
WAF Subcategory	Web Application Firewall subcategory.
Severity	Security level.
Source	Source IP address.
Destination	Destination IP address.
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference. The following actions may be performed directly from the WAF log details: Add Exception — You can add WAF Exceptions directly from the WAF log. This option appears only for WAF subcategories that support WAF Exceptions. For details, see Configuring WAF Exception objects. Disable Signature — You can disable WAF signature profiles directly from the WAF log. This option appears only for Attacks Signature WAF subcategories. Disable Signature can only be successful if the WAF signature profile exists, otherwise the disable will fail with the error message "Entry not found". View Signature — You can view the WAF signature status and information directly from the WAF log. This option appears only for Attacks Signature WAF subcategories.

GEO log

Column	Description
Date	Log date.
Time	Log time.
Count	Rule match count.
Severity	Security level.
Source	Source IP address.
Destination	Destination IP address.
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

AV log

Column	Description
Date	Log date.
Time	Log time.
Source	Source IP address.
Destination	Destination IP address.
Service	Service type.
Severity	Security level.
Virus Category	Virus category.
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

IPS log

Column	Description
Date	Log date.
Time	Log time.
Source	Source IP address.
Destination	Destination IP address.
Service	Service type.
Severity	Security level.
Rule Name	Security rule name
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

Firewall log

Column	Description
Date	Log date.
Time	Log time.
Log Level	Log level.
Policy	Firewall policy.
Message	Security rule name, category, subcategory, and description of the attack.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

ZTNA log

Column	Description
Date	Log date.
Time	Log time.
Severity	Security level.
Source	Source IP address.
Destination	Destination IP address.
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

Using the security log

The Security Log displays logs related to the following FortiADC security features:

IP Reputation — Traffic logged by the IP Reputation feature.
DDoS — Traffic logged by the DoS Protection feature.
WAF — Traffic logged by the Web Application Firewall feature.
GEO — Traffic logged by the Geo IP block list feature.
AV — Traffic logged by the Anti Virus module.
IPS — Traffic logged by the IPS feature.
Firewall — Traffic logged by the Firewall module.
ZTNA - Traffic logged by the ZTNA feature.

Before you begin:

You must have Read-Write permission for Log & Report settings.
Have enabled to write security logs on the FortiADC log disk in Log & Report > Log Setting > Local Log.
Have enabled or disabled related security logs in Log & Report > Log Setting > Local Log.

To view and filter the log:

Go to Log & Report > Security Log.
From the top navigation, select the security category from the drop-down menu.

The log page displays with the log columns and data specific to the security category.

The following lists the log columns in the order in which they appear in each security log. Use the below links to navigate to the security log of your choosing:

IP Reputation log
DDoS log
WAF log
GEO log
AV log
IPS log
Firewall log
ZTNA log

For additional detail on each log, click the (Detail icon) for any log. For further description of each log message, see the FortiADC Log Reference.

IP Reputation log

Column	Description
Date	Log date.
Time	Log time.
Count	Rule match count.
Source	Source IP address.
Destination	Destination IP address.
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

DDoS log

Column	Description
Date	Log date.
Time	Log time.
Count	Rule match count.
Source	Source IP address.
Destination	Destination IP address.
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

WAF log

Column	Description
Date	Log date.
Time	Log time.
WAF Subcategory	Web Application Firewall subcategory.
Severity	Security level.
Source	Source IP address.
Destination	Destination IP address.
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference. The following actions may be performed directly from the WAF log details: Add Exception — You can add WAF Exceptions directly from the WAF log. This option appears only for WAF subcategories that support WAF Exceptions. For details, see Configuring WAF Exception objects. Disable Signature — You can disable WAF signature profiles directly from the WAF log. This option appears only for Attacks Signature WAF subcategories. Disable Signature can only be successful if the WAF signature profile exists, otherwise the disable will fail with the error message "Entry not found". View Signature — You can view the WAF signature status and information directly from the WAF log. This option appears only for Attacks Signature WAF subcategories.

GEO log

Column	Description
Date	Log date.
Time	Log time.
Count	Rule match count.
Severity	Security level.
Source	Source IP address.
Destination	Destination IP address.
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

AV log

Column	Description
Date	Log date.
Time	Log time.
Source	Source IP address.
Destination	Destination IP address.
Service	Service type.
Severity	Security level.
Virus Category	Virus category.
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

IPS log

Column	Description
Date	Log date.
Time	Log time.
Source	Source IP address.
Destination	Destination IP address.
Service	Service type.
Severity	Security level.
Rule Name	Security rule name
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

Firewall log

Column	Description
Date	Log date.
Time	Log time.
Log Level	Log level.
Policy	Firewall policy.
Message	Security rule name, category, subcategory, and description of the attack.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

ZTNA log

Column	Description
Date	Log date.
Time	Log time.
Severity	Security level.
Source	Source IP address.
Destination	Destination IP address.
Action	Action type that was taken as a result.
(Detail icon)	Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Handbook

Using the security log

Using the security log

Before you begin:

To view and filter the log:

IP Reputation log

DDoS log

WAF log

GEO log

AV log

IPS log

Firewall log

ZTNA log

Using the security log