log threat-weight

Use log threat-weight to enable and customize the threat-weight feature, which assigns logs a threat score based on configurable factors.

Note: status must be enabled for the rest of the options to be available.

History

The following entries were newly added, changed, or removed as of FortiOS 6.0.2.

Command:
  set malware-detected {disable | low | medium | high | critical}
  set botnet-connection-detected {disable | low | medium | high | critical}

Description:
  Removed. The malware-detected and botnet-connection-detected options were removed from log threat-weight; the per-event settings under config malware (below) take their place.

Command:
  config malware
      set virus-infected {disable | low | medium | high | critical}
      set virus-blocked {disable | low | medium | high | critical}
      set command-blocked {disable | low | medium | high | critical}
      set oversized {disable | low | medium | high | critical}
      set virus-scan-error {disable | low | medium | high | critical}
      set switch-proto {disable | low | medium | high | critical}
      set mimefragmented {disable | low | medium | high | critical}
      set virus-file-type-executable {disable | low | medium | high | critical}
      set virus-outbreak-prevention {disable | low | medium | high | critical}
      set botnet-connection {disable | low | medium | high | critical}

Description:
  Added. Configuration method for setting antivirus malware threat weight settings. The default values for each setting are as follows:

  • virus-infected: critical
  • virus-blocked: low
  • command-blocked: disable
  • oversized: disable
  • virus-scan-error: high
  • switch-proto: disable
  • mimefragmented: disable
  • virus-file-type-executable: medium
  • virus-outbreak-prevention: high
  • botnet-connection: critical

config log threat-weight
    set status {enable | disable}   Enable/disable the threat weight feature.
    config level
        set low {integer}   Low level score value (1 - 100). range[1-100]
        set medium {integer}   Medium level score value (1 - 100). range[1-100]
        set high {integer}   High level score value (1 - 100). range[1-100]
        set critical {integer}   Critical level score value (1 - 100). range[1-100]
    set blocked-connection {option}   Threat weight score for blocked connections.
            disable   Disable threat weight scoring for blocked connections.
            low       Use the low level score for blocked connections.
            medium    Use the medium level score for blocked connections.
            high      Use the high level score for blocked connections.
            critical  Use the critical level score for blocked connections.
    set failed-connection {option}   Threat weight score for failed connections.
            disable   Disable threat weight scoring for failed connections.
            low       Use the low level score for failed connections.
            medium    Use the medium level score for failed connections.
            high      Use the high level score for failed connections.
            critical  Use the critical level score for failed connections.
    set url-block-detected {option}   Threat weight score for URL blocking.
            disable   Disable threat weight scoring for URL blocking.
            low       Use the low level score for URL blocking.
            medium    Use the medium level score for URL blocking.
            high      Use the high level score for URL blocking.
            critical  Use the critical level score for URL blocking.
    config malware
        set virus-infected {option}   Threat weight score for virus (infected) detected.
                disable   Disable threat weight scoring for virus (infected) detected.
                low       Use the low level score for virus (infected) detected.
                medium    Use the medium level score for virus (infected) detected.
                high      Use the high level score for virus (infected) detected.
                critical  Use the critical level score for virus (infected) detected.
        set virus-blocked {option}   Threat weight score for virus (blocked) detected.
                disable   Disable threat weight scoring for virus (blocked) detected.
                low       Use the low level score for virus (blocked) detected.
                medium    Use the medium level score for virus (blocked) detected.
                high      Use the high level score for virus (blocked) detected.
                critical  Use the critical level score for virus (blocked) detected.
        set command-blocked {option}   Threat weight score for blocked command detected.
                disable   Disable threat weight scoring for blocked command detected.
                low       Use the low level score for blocked command detected.
                medium    Use the medium level score for blocked command detected.
                high      Use the high level score for blocked command detected.
                critical  Use the critical level score for blocked command detected.
        set oversized {option}   Threat weight score for oversized file detected.
                disable   Disable threat weight scoring for oversized file detected.
                low       Use the low level score for oversized file detected.
                medium    Use the medium level score for oversized file detected.
                high      Use the high level score for oversized file detected.
                critical  Use the critical level score for oversized file detected.
        set virus-scan-error {option}   Threat weight score for virus (scan error) detected.
                disable   Disable threat weight scoring for virus (scan error) detected.
                low       Use the low level score for virus (scan error) detected.
                medium    Use the medium level score for virus (scan error) detected.
                high      Use the high level score for virus (scan error) detected.
                critical  Use the critical level score for virus (scan error) detected.
        set switch-proto {option}   Threat weight score for switch proto detected.
                disable   Disable threat weight scoring for switch proto detected.
                low       Use the low level score for switch proto detected.
                medium    Use the medium level score for switch proto detected.
                high      Use the high level score for switch proto detected.
                critical  Use the critical level score for switch proto detected.
        set mimefragmented {option}   Threat weight score for mimefragmented detected.
                disable   Disable threat weight scoring for mimefragmented detected.
                low       Use the low level score for mimefragmented detected.
                medium    Use the medium level score for mimefragmented detected.
                high      Use the high level score for mimefragmented detected.
                critical  Use the critical level score for mimefragmented detected.
        set virus-file-type-executable {option}   Threat weight score for virus (filetype executable) detected.
                disable   Disable threat weight scoring for virus (filetype executable) detected.
                low       Use the low level score for virus (filetype executable) detected.
                medium    Use the medium level score for virus (filetype executable) detected.
                high      Use the high level score for virus (filetype executable) detected.
                critical  Use the critical level score for virus (filetype executable) detected.
        set virus-outbreak-prevention {option}   Threat weight score for virus (outbreak prevention) event.
                disable   Disable threat weight scoring for virus (outbreak prevention) event.
                low       Use the low level score for virus (outbreak prevention) event.
                medium    Use the medium level score for virus (outbreak prevention) event.
                high      Use the high level score for virus (outbreak prevention) event.
                critical  Use the critical level score for virus (outbreak prevention) event.
        set botnet-connection {option}   Threat weight score for detected botnet connections.
                disable   Disable threat weight scoring for detected botnet connections.
                low       Use the low level score for detected botnet connections.
                medium    Use the medium level score for detected botnet connections.
                high      Use the high level score for detected botnet connections.
                critical  Use the critical level score for detected botnet connections.
        set content-disarm {option}   Threat weight score for virus (content disarm) detected.
                disable   Disable threat weight scoring for virus (content disarm) detected.
                low       Use the low level score for virus (content disarm) detected.
                medium    Use the medium level score for virus (content disarm) detected.
                high      Use the high level score for virus (content disarm) detected.
                critical  Use the critical level score for virus (content disarm) detected.
    config ips
        set info-severity {option}   Threat weight score for IPS info severity events.
                disable   Disable threat weight scoring for IPS info severity events.
                low       Use the low level score for IPS info severity events.
                medium    Use the medium level score for IPS info severity events.
                high      Use the high level score for IPS info severity events.
                critical  Use the critical level score for IPS info severity events.
        set low-severity {option}   Threat weight score for IPS low severity events.
                disable   Disable threat weight scoring for IPS low severity events.
                low       Use the low level score for IPS low severity events.
                medium    Use the medium level score for IPS low severity events.
                high      Use the high level score for IPS low severity events.
                critical  Use the critical level score for IPS low severity events.
        set medium-severity {option}   Threat weight score for IPS medium severity events.
                disable   Disable threat weight scoring for IPS medium severity events.
                low       Use the low level score for IPS medium severity events.
                medium    Use the medium level score for IPS medium severity events.
                high      Use the high level score for IPS medium severity events.
                critical  Use the critical level score for IPS medium severity events.
        set high-severity {option}   Threat weight score for IPS high severity events.
                disable   Disable threat weight scoring for IPS high severity events.
                low       Use the low level score for IPS high severity events.
                medium    Use the medium level score for IPS high severity events.
                high      Use the high level score for IPS high severity events.
                critical  Use the critical level score for IPS high severity events.
        set critical-severity {option}   Threat weight score for IPS critical severity events.
                disable   Disable threat weight scoring for IPS critical severity events.
                low       Use the low level score for IPS critical severity events.
                medium    Use the medium level score for IPS critical severity events.
                high      Use the high level score for IPS critical severity events.
                critical  Use the critical level score for IPS critical severity events.
    config web
        edit {id}
        # Web filtering threat weight settings.
            set id {integer}   Entry ID. range[0-255]
            set category {integer}   FortiGuard web filter category ID that this entry scores. range[0-255]
            set level {option}   Threat weight score for web category filtering matches.
                    disable   Disable threat weight scoring for web category filtering matches.
                    low       Use the low level score for web category filtering matches.
                    medium    Use the medium level score for web category filtering matches.
                    high      Use the high level score for web category filtering matches.
                    critical  Use the critical level score for web category filtering matches.
        next
    config geolocation
        edit {id}
        # Geolocation-based threat weight settings.
            set id {integer}   Entry ID. range[0-255]
            set country {string}   Country code. size[2]
            set level {option}   Threat weight score for Geolocation-based events.
                    disable   Disable threat weight scoring for Geolocation-based events.
                    low       Use the low level score for Geolocation-based events.
                    medium    Use the medium level score for Geolocation-based events.
                    high      Use the high level score for Geolocation-based events.
                    critical  Use the critical level score for Geolocation-based events.
        next
    config application
        edit {id}
        # Application-control threat weight settings.
            set id {integer}   Entry ID. range[0-255]
            set category {integer}   Application category. range[0-65535]
            set level {option}   Threat weight score for Application events.
                    disable   Disable threat weight scoring for Application events.
                    low       Use the low level score for Application events.
                    medium    Use the medium level score for Application events.
                    high      Use the high level score for Application events.
                    critical  Use the critical level score for Application events.
        next
end

status {enable | disable}

Enable or disable threat-weight calculation for logs. The remaining options take effect only when status is enabled.

config level

Use the following subcommands to set the numeric score (1 - 100) attached to each of the four threat levels. Every other option in this command names one of these levels rather than a number, so changing a level's value rescales every event type mapped to it. Each value is range-checked independently; nothing forces low < medium < high < critical, so keep them ordered yourself.

  • set low <value>
  • set medium <value>
  • set high <value>
  • set critical <value>

blocked-connection {disable | low | medium | high | critical}

Set the threat-weight level for blocked connections. disable assigns no score.

failed-connection {disable | low | medium | high | critical}

Set the threat-weight level for failed connections. disable assigns no score.

url-block-detected {disable | low | medium | high | critical}

Set the threat-weight level for URL blocking events. disable assigns no score.

config ips

Use the following subcommands to set the threat score assigned to IPS events at different severity levels:

  • set info-severity {disable | low | medium | high | critical}
  • set low-severity {disable | low | medium | high | critical}
  • set medium-severity {disable | low | medium | high | critical}
  • set high-severity {disable | low | medium | high | critical}
  • set critical-severity {disable | low | medium | high | critical}

config web

Specific FortiGuard Web Filtering categories that appear in logs can be assigned a threat score using the following commands:

edit <id>

Creates or selects a table entry (ID 0 - 255) that maps one Web Filtering category to a threat level. Within the entry, use the following commands:

category <value>

The Web Filtering category that receives the threat score. Enter set category ? to list the available categories.

level {disable | low | medium | high | critical}

The threat level assigned to matches in that Web Filtering category. disable assigns no score.

config geolocation

Specific geographic locations that appear in logs can be assigned a threat score using the following commands:

edit <id>

Creates or selects a table entry (ID 0 - 255) that maps one country to a threat level. Within the entry, use the following commands:

country <country code>

The two-letter country code that receives the threat score. Enter set country ? to list the available codes.

level {disable | low | medium | high | critical}

The threat level assigned to events involving that country. disable assigns no score.

config application

Specific FortiGuard Application Control categories that appear in logs can be assigned a threat score using the following commands:

edit <id>

Creates or selects a table entry (ID 0 - 255) that maps one application category to a threat level. Within the entry, use the following commands:

category <value>

The application category (0 - 65535) that receives the threat score. Enter set category ? to list the available categories.

level {disable | low | medium | high | critical}

The threat level assigned to events in that application category. disable assigns no score.
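The following is a complete configuration that exercises every part of this command, added here as a worked example; it is not taken from the Fortinet reference. The level values, the web category IDs (26 and 61), the application category ID (6) and the country code are illustrative choices, not recommendations: confirm the IDs on your own unit with set category ? and set country ? before using them, because category numbering is supplied by FortiGuard and can differ from what is shown here.

```fortios
config log threat-weight
    # Nothing below takes effect until status is enabled.
    set status enable
    # Numeric scores behind the four level names (each 1 - 100).
    # Keep them ordered; the CLI range-checks each one independently.
    config level
        set low 5
        set medium 10
        set high 30
        set critical 50
    end
    # Connection-level events reference a level name, not a number.
    set blocked-connection medium
    set failed-connection low
    set url-block-detected high
    # Per-event antivirus weights (defaults shown in the History section above).
    config malware
        set virus-infected critical
        set botnet-connection critical
        set virus-scan-error high
        set oversized disable
    end
    # Map IPS signature severity to threat level; info events are not scored.
    config ips
        set info-severity disable
        set low-severity low
        set medium-severity medium
        set high-severity high
        set critical-severity critical
    end
    # Web filter categories: IDs are illustrative, verify with "set category ?".
    config web
        edit 1
            set category 26
            set level critical
        next
        edit 2
            set category 61
            set level high
        next
    end
    # Geolocation: country code is an illustrative placeholder, verify with "set country ?".
    config geolocation
        edit 1
            set country US
            set level medium
        next
    end
    # Application control category: ID is illustrative, verify with "set category ?".
    config application
        edit 1
            set category 6
            set level medium
        next
    end
end
```

After applying it, show log threat-weight prints only the values that differ from the defaults and get log threat-weight prints the full set, which is the quickest way to confirm that an entry landed in the table you intended (web, geolocation and application each keep their own id space). Because the connection, malware, IPS and table entries all name a level rather than a number, adjusting config level later rescales every event type mapped to that level at once. The weights change how logged events are scored and ranked, not whether the traffic is allowed; enforcement still comes from the firewall policies and security profiles that produce the logs.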