Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 7.4.4 Handbook
    7.4.4
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Security Logs

    Security Logs

    The FortiView > Security Logs page provides you with graphical analysis tools to view and analyze the statistical data collected from Log & Report > Security Log. All security logs from Log & Report > Security Log can be accessed from FortiView > Security Logs except for logs related to the Firewall module.

    There are two types of FortiView logs:

    • Security Log — displays a bar graph of the security log event count against a specific time-period, from where you can drill down to a detailed view of particular logs.

    • Aggregate Log — displays a doughnut chart and bar graph that provide an aggregate view of security logs within a selected time-frame.

    Security Log

    From the Security Log tab, you can generate a bar graph of the log count and time-period of your choosing. The default selection is ALL, which generates a second bar graph of the log count of all security logs by category.

    To view and filter the security log data:
    1. Navigate to the settings along the top of the window.
    2. Select the Security Log Category. The table below lists the available log options and their associated security module.

      Security Log Category

      Security Module

      AV Detection Anti Virus

      DDoS DNS Query Flood

      DoS Protection

      DDoS DNS Reverse Flood

      HTTP Access Limit
      HTTP Connection Flood
      HTTP Request Flood
      IP Fragmentation Attack
      TCP Access Flood
      TCP Slow Data Attack

      TCP SYN Flood

      GEO Blocklist

      Geo IP Blocklist

      IP Reputation

      IP Reputation

      Intrusion Detection

      Intrusion Prevention System (IPS)

      Anti Defacement

      Web Application Firewall (WAF)

      API Gateway

      Bot Detection

      Brute Force Login

      Cookie Security

      CORS Protection

      Credential Stuffing Defense

      CSRF Protection

      Data Leak Prevention

      SQL/XSS Inject Detection

      HTTP Input Validation

      HTTP Protocol Constraint

      JSON Validation

      OpenAPI Validation Detection

      SOAP Validation

      URL Protection

      Attacks(Signature)

      Web Scraping

      XML Validation

    3. Select the time-period from which the selected security logs should be included to generate the graph.
      You have the following options:
    • 1 Hour
    • 6 Hours
    • 1 Day
    • 1 Week
    • 1 Month
    • 1 Year

    From each graph, you can click on any data point to view the associated logs for further analysis. The log columns displayed depends on the security log category. For additional detail, click the (Detail icon) to show the log details. For further description of each log message, see the FortiADC Log Reference.

    The following table describes the columns for each security log.

    Column

    Description
    Date Log date.
    Time Log time.
    Count

    The Count column is only available for security logs related to DoS Protection, Geo IP Blocklist, and IP Reputation.

    Rule match count.
    Source Source IP address.
    Destination Destination IP address.
    Action Action type that was taken as a result.
    Destination Destination IP address.

    Service

    The Service column is only available for security logs related to Anti Virus and IPS.

    Specifies the service type.

    Severity

    The Service column is only available for security logs related to Anti Virus, Geo IP Blocklist, IPS and WAF.

    Specifies the security level.

    Virus Category

    The Virus Category column is only available for security logs related to Anti Virus.

    Specifies the virus category.

    Rule Name

    The Rule Name column is only available for security logs related to IPS.

    Specifies the security rule name.

    WAF Subcategory

    The WAF Subcategory column is only available for security logs related to WAF.

    Specifies the Web Application Firewall subcategory.
    Action Action type that was taken as a result.

    (Detail icon)

    Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

    For WAF related security logs, the following actions may be performed directly from the log details:

    • Add Exception — You can add WAF Exceptions directly from the WAF log. This option appears only for WAF subcategories that support WAF Exceptions. For details, see Configuring WAF Exception objects.

    • Disable Signature — You can disable WAF signature profiles directly from the WAF log. This option appears only for Attacks Signature WAF subcategories. Disable Signature can only be successful if the WAF signature profile exists, otherwise the disable will fail with the error message "Entry not found".

    • View Signature — You can view the WAF signature status and information directly from the WAF log. This option appears only for Attacks Signature WAF subcategories.

    Aggregate Log

    From the Aggregate Log tab, you can generate two graphs, a doughnut chart of the security logs by date and a horizontal bar graph of the security logs by category. these graphs provide an aggregate view of security logs within the time-period of your choosing.

    To view and filter the aggregate log data:
    1. Navigate to the settings along the top of the window.
    2. Select the security logs from the following options:
    • IP Reputation — Traffic logged by the IP Reputation feature.
    • DDoS — Traffic logged by the DoS Protection feature.
    • WAF — Traffic logged by the Web Application Firewall feature.
    • GEO — Traffic logged by the Geo IP block list feature.
    • AV — Traffic logged by the Anti Virus module.
    • IPS — Traffic logged by the IPS feature.
  • Select the time-frame from the following options:
    • 3 Days
    • 5 Days
    • 7 Days

    From each graph, you can click on any data point to view the associated logs for further analysis. The log columns displayed depends on the security log category. For additional detail, click the (Detail icon) to show the log details. For further description of each log message, see the FortiADC Log Reference.

    The following table describes the columns for each security log.

    Column

    Description
    Date Log date.
    Time Log time.
    Count

    The Count column is only available for DDoS, GEO, and IP Reputation.

    Rule match count.
    Source Source IP address.
    Destination Destination IP address.
    Action Action type that was taken as a result.
    Destination Destination IP address.

    Service

    The Service column is only available for AV and IPS.

    Specifies the service type.

    Severity

    The Service column is only available for security logs related to AV, GEO, IPS and WAF.

    Specifies the security level.

    Virus Category

    The Virus Category column is only available for security logs related to AV.

    Specifies the virus category.

    Rule Name

    The Rule Name column is only available for security logs related to IPS.

    Specifies the security rule name.

    WAF Subcategory

    The WAF Subcategory column is only available for security logs related to WAF.

    Specifies the Web Application Firewall subcategory.
    Action Action type that was taken as a result.

    (Detail icon)

    Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

    For WAF security logs, the following actions may be performed directly from the log details:

    • Add Exception — You can add WAF Exceptions directly from the WAF log. This option appears only for WAF subcategories that support WAF Exceptions. For details, see Configuring WAF Exception objects.

    • Disable Signature — You can disable WAF signature profiles directly from the WAF log. This option appears only for Attacks Signature WAF subcategories. Disable Signature can only be successful if the WAF signature profile exists, otherwise the disable will fail with the error message "Entry not found".

    • View Signature — You can view the WAF signature status and information directly from the WAF log. This option appears only for Attacks Signature WAF subcategories.
    Previous
    Next

    Security Logs

    Security Logs

    The FortiView > Security Logs page provides you with graphical analysis tools to view and analyze the statistical data collected from Log & Report > Security Log. All security logs from Log & Report > Security Log can be accessed from FortiView > Security Logs except for logs related to the Firewall module.

    There are two types of FortiView logs:

    • Security Log — displays a bar graph of the security log event count against a specific time-period, from where you can drill down to a detailed view of particular logs.

    • Aggregate Log — displays a doughnut chart and bar graph that provide an aggregate view of security logs within a selected time-frame.

    Security Log

    From the Security Log tab, you can generate a bar graph of the log count and time-period of your choosing. The default selection is ALL, which generates a second bar graph of the log count of all security logs by category.

    To view and filter the security log data:
    1. Navigate to the settings along the top of the window.
    2. Select the Security Log Category. The table below lists the available log options and their associated security module.

      Security Log Category

      Security Module

      AV Detection Anti Virus

      DDoS DNS Query Flood

      DoS Protection

      DDoS DNS Reverse Flood

      HTTP Access Limit
      HTTP Connection Flood
      HTTP Request Flood
      IP Fragmentation Attack
      TCP Access Flood
      TCP Slow Data Attack

      TCP SYN Flood

      GEO Blocklist

      Geo IP Blocklist

      IP Reputation

      IP Reputation

      Intrusion Detection

      Intrusion Prevention System (IPS)

      Anti Defacement

      Web Application Firewall (WAF)

      API Gateway

      Bot Detection

      Brute Force Login

      Cookie Security

      CORS Protection

      Credential Stuffing Defense

      CSRF Protection

      Data Leak Prevention

      SQL/XSS Inject Detection

      HTTP Input Validation

      HTTP Protocol Constraint

      JSON Validation

      OpenAPI Validation Detection

      SOAP Validation

      URL Protection

      Attacks(Signature)

      Web Scraping

      XML Validation

    3. Select the time-period from which the selected security logs should be included to generate the graph.
      You have the following options:
    • 1 Hour
    • 6 Hours
    • 1 Day
    • 1 Week
    • 1 Month
    • 1 Year

    From each graph, you can click on any data point to view the associated logs for further analysis. The log columns displayed depends on the security log category. For additional detail, click the (Detail icon) to show the log details. For further description of each log message, see the FortiADC Log Reference.

    The following table describes the columns for each security log.

    Column

    Description
    Date Log date.
    Time Log time.
    Count

    The Count column is only available for security logs related to DoS Protection, Geo IP Blocklist, and IP Reputation.

    Rule match count.
    Source Source IP address.
    Destination Destination IP address.
    Action Action type that was taken as a result.
    Destination Destination IP address.

    Service

    The Service column is only available for security logs related to Anti Virus and IPS.

    Specifies the service type.

    Severity

    The Service column is only available for security logs related to Anti Virus, Geo IP Blocklist, IPS and WAF.

    Specifies the security level.

    Virus Category

    The Virus Category column is only available for security logs related to Anti Virus.

    Specifies the virus category.

    Rule Name

    The Rule Name column is only available for security logs related to IPS.

    Specifies the security rule name.

    WAF Subcategory

    The WAF Subcategory column is only available for security logs related to WAF.

    Specifies the Web Application Firewall subcategory.
    Action Action type that was taken as a result.

    (Detail icon)

    Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

    For WAF related security logs, the following actions may be performed directly from the log details:

    • Add Exception — You can add WAF Exceptions directly from the WAF log. This option appears only for WAF subcategories that support WAF Exceptions. For details, see Configuring WAF Exception objects.

    • Disable Signature — You can disable WAF signature profiles directly from the WAF log. This option appears only for Attacks Signature WAF subcategories. Disable Signature can only be successful if the WAF signature profile exists, otherwise the disable will fail with the error message "Entry not found".

    • View Signature — You can view the WAF signature status and information directly from the WAF log. This option appears only for Attacks Signature WAF subcategories.

    Aggregate Log

    From the Aggregate Log tab, you can generate two graphs, a doughnut chart of the security logs by date and a horizontal bar graph of the security logs by category. these graphs provide an aggregate view of security logs within the time-period of your choosing.

    To view and filter the aggregate log data:
    1. Navigate to the settings along the top of the window.
    2. Select the security logs from the following options:
    • IP Reputation — Traffic logged by the IP Reputation feature.
    • DDoS — Traffic logged by the DoS Protection feature.
    • WAF — Traffic logged by the Web Application Firewall feature.
    • GEO — Traffic logged by the Geo IP block list feature.
    • AV — Traffic logged by the Anti Virus module.
    • IPS — Traffic logged by the IPS feature.
  • Select the time-frame from the following options:
    • 3 Days
    • 5 Days
    • 7 Days

    From each graph, you can click on any data point to view the associated logs for further analysis. The log columns displayed depends on the security log category. For additional detail, click the (Detail icon) to show the log details. For further description of each log message, see the FortiADC Log Reference.

    The following table describes the columns for each security log.

    Column

    Description
    Date Log date.
    Time Log time.
    Count

    The Count column is only available for DDoS, GEO, and IP Reputation.

    Rule match count.
    Source Source IP address.
    Destination Destination IP address.
    Action Action type that was taken as a result.
    Destination Destination IP address.

    Service

    The Service column is only available for AV and IPS.

    Specifies the service type.

    Severity

    The Service column is only available for security logs related to AV, GEO, IPS and WAF.

    Specifies the security level.

    Virus Category

    The Virus Category column is only available for security logs related to AV.

    Specifies the virus category.

    Rule Name

    The Rule Name column is only available for security logs related to IPS.

    Specifies the security rule name.

    WAF Subcategory

    The WAF Subcategory column is only available for security logs related to WAF.

    Specifies the Web Application Firewall subcategory.
    Action Action type that was taken as a result.

    (Detail icon)

    Click the (Detail icon) for the log details. For further description of each log message, see the FortiADC Log Reference.

    For WAF security logs, the following actions may be performed directly from the log details:

    • Add Exception — You can add WAF Exceptions directly from the WAF log. This option appears only for WAF subcategories that support WAF Exceptions. For details, see Configuring WAF Exception objects.

    • Disable Signature — You can disable WAF signature profiles directly from the WAF log. This option appears only for Attacks Signature WAF subcategories. Disable Signature can only be successful if the WAF signature profile exists, otherwise the disable will fail with the error message "Entry not found".

    • View Signature — You can view the WAF signature status and information directly from the WAF log. This option appears only for Attacks Signature WAF subcategories.
    Previous
    Next