log threat-weight
Use log threat-weight to enable and customize the threat-weight feature, which assigns logs a threat score based on configurable factors.
Note: status must be enabled for the rest of the options to be available.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command:
    set malware-detected {disable | low | medium | high | critical}
    set botnet-connection-detected {disable | low | medium | high | critical}
Description:
    Removed the malware-detected and botnet-connection-detected options from the log threat-weight settings.

Command:
    config malware
        set virus-infected {disable | low | medium | high | critical}
        set virus-blocked {disable | low | medium | high | critical}
        set command-blocked {disable | low | medium | high | critical}
        set oversized {disable | low | medium | high | critical}
        set virus-scan-error {disable | low | medium | high | critical}
        set switch-proto {disable | low | medium | high | critical}
        set mimefragmented {disable | low | medium | high | critical}
        set virus-file-type-executable {disable | low | medium | high | critical}
        set virus-outbreak-prevention {disable | low | medium | high | critical}
        set botnet-connection {disable | low | medium | high | critical}
Description:
    Configuration method added for setting antivirus malware threat weight settings. The default values for each setting are as follows:
config log threat-weight
    set status {enable | disable}   Enable/disable the threat weight feature.
    config level
        set low {integer}   Low level score value (1 - 100). range[1-100]
        set medium {integer}   Medium level score value (1 - 100). range[1-100]
        set high {integer}   High level score value (1 - 100). range[1-100]
        set critical {integer}   Critical level score value (1 - 100). range[1-100]
    set blocked-connection {option}   Threat weight score for blocked connections.
            disable   Disable threat weight scoring for blocked connections.
            low   Use the low level score for blocked connections.
            medium   Use the medium level score for blocked connections.
            high   Use the high level score for blocked connections.
            critical   Use the critical level score for blocked connections.
    set failed-connection {option}   Threat weight score for failed connections.
            disable   Disable threat weight scoring for failed connections.
            low   Use the low level score for failed connections.
            medium   Use the medium level score for failed connections.
            high   Use the high level score for failed connections.
            critical   Use the critical level score for failed connections.
    set url-block-detected {option}   Threat weight score for URL blocking.
            disable   Disable threat weight scoring for URL blocking.
            low   Use the low level score for URL blocking.
            medium   Use the medium level score for URL blocking.
            high   Use the high level score for URL blocking.
            critical   Use the critical level score for URL blocking.
    config malware
        set virus-infected {option}   Threat weight score for virus (infected) detected.
                disable   Disable threat weight scoring for virus (infected) detected.
                low   Use the low level score for virus (infected) detected.
                medium   Use the medium level score for virus (infected) detected.
                high   Use the high level score for virus (infected) detected.
                critical   Use the critical level score for virus (infected) detected.
        set virus-blocked {option}   Threat weight score for virus (blocked) detected.
                disable   Disable threat weight scoring for virus (blocked) detected.
                low   Use the low level score for virus (blocked) detected.
                medium   Use the medium level score for virus (blocked) detected.
                high   Use the high level score for virus (blocked) detected.
                critical   Use the critical level score for virus (blocked) detected.
        set command-blocked {option}   Threat weight score for blocked command detected.
                disable   Disable threat weight scoring for blocked command detected.
                low   Use the low level score for blocked command detected.
                medium   Use the medium level score for blocked command detected.
                high   Use the high level score for blocked command detected.
                critical   Use the critical level score for blocked command detected.
        set oversized {option}   Threat weight score for oversized file detected.
                disable   Disable threat weight scoring for oversized file detected.
                low   Use the low level score for oversized file detected.
                medium   Use the medium level score for oversized file detected.
                high   Use the high level score for oversized file detected.
                critical   Use the critical level score for oversized file detected.
        set virus-scan-error {option}   Threat weight score for virus (scan error) detected.
                disable   Disable threat weight scoring for virus (scan error) detected.
                low   Use the low level score for virus (scan error) detected.
                medium   Use the medium level score for virus (scan error) detected.
                high   Use the high level score for virus (scan error) detected.
                critical   Use the critical level score for virus (scan error) detected.
        set switch-proto {option}   Threat weight score for switch proto detected.
                disable   Disable threat weight scoring for switch proto detected.
                low   Use the low level score for switch proto detected.
                medium   Use the medium level score for switch proto detected.
                high   Use the high level score for switch proto detected.
                critical   Use the critical level score for switch proto detected.
        set mimefragmented {option}   Threat weight score for mimefragmented detected.
                disable   Disable threat weight scoring for mimefragmented detected.
                low   Use the low level score for mimefragmented detected.
                medium   Use the medium level score for mimefragmented detected.
                high   Use the high level score for mimefragmented detected.
                critical   Use the critical level score for mimefragmented detected.
        set virus-file-type-executable {option}   Threat weight score for virus (filetype executable) detected.
                disable   Disable threat weight scoring for virus (filetype executable) detected.
                low   Use the low level score for virus (filetype executable) detected.
                medium   Use the medium level score for virus (filetype executable) detected.
                high   Use the high level score for virus (filetype executable) detected.
                critical   Use the critical level score for virus (filetype executable) detected.
        set virus-outbreak-prevention {option}   Threat weight score for virus (outbreak prevention) event.
                disable   Disable threat weight scoring for virus (outbreak prevention) event.
                low   Use the low level score for virus (outbreak prevention) event.
                medium   Use the medium level score for virus (outbreak prevention) event.
                high   Use the high level score for virus (outbreak prevention) event.
                critical   Use the critical level score for virus (outbreak prevention) event.
        set botnet-connection {option}   Threat weight score for detected botnet connections.
                disable   Disable threat weight scoring for detected botnet connections.
                low   Use the low level score for detected botnet connections.
                medium   Use the medium level score for detected botnet connections.
                high   Use the high level score for detected botnet connections.
                critical   Use the critical level score for detected botnet connections.
        set content-disarm {option}   Threat weight score for virus (content disarm) detected.
                disable   Disable threat weight scoring for virus (content disarm) detected.
                low   Use the low level score for virus (content disarm) detected.
                medium   Use the medium level score for virus (content disarm) detected.
                high   Use the high level score for virus (content disarm) detected.
                critical   Use the critical level score for virus (content disarm) detected.
    config ips
        set info-severity {option}   Threat weight score for IPS info severity events.
                disable   Disable threat weight scoring for IPS info severity events.
                low   Use the low level score for IPS info severity events.
                medium   Use the medium level score for IPS info severity events.
                high   Use the high level score for IPS info severity events.
                critical   Use the critical level score for IPS info severity events.
        set low-severity {option}   Threat weight score for IPS low severity events.
                disable   Disable threat weight scoring for IPS low severity events.
                low   Use the low level score for IPS low severity events.
                medium   Use the medium level score for IPS low severity events.
                high   Use the high level score for IPS low severity events.
                critical   Use the critical level score for IPS low severity events.
        set medium-severity {option}   Threat weight score for IPS medium severity events.
                disable   Disable threat weight scoring for IPS medium severity events.
                low   Use the low level score for IPS medium severity events.
                medium   Use the medium level score for IPS medium severity events.
                high   Use the high level score for IPS medium severity events.
                critical   Use the critical level score for IPS medium severity events.
        set high-severity {option}   Threat weight score for IPS high severity events.
                disable   Disable threat weight scoring for IPS high severity events.
                low   Use the low level score for IPS high severity events.
                medium   Use the medium level score for IPS high severity events.
                high   Use the high level score for IPS high severity events.
                critical   Use the critical level score for IPS high severity events.
        set critical-severity {option}   Threat weight score for IPS critical severity events.
                disable   Disable threat weight scoring for IPS critical severity events.
                low   Use the low level score for IPS critical severity events.
                medium   Use the medium level score for IPS critical severity events.
                high   Use the high level score for IPS critical severity events.
                critical   Use the critical level score for IPS critical severity events.
    config web
        edit {id}   # Web filtering threat weight settings.
            set id {integer}   Entry ID. range[0-255]
            set category {integer}   Threat weight score for web category filtering matches. range[0-255]
            set level {option}   Threat weight score for web category filtering matches.
                    disable   Disable threat weight scoring for web category filtering matches.
                    low   Use the low level score for web category filtering matches.
                    medium   Use the medium level score for web category filtering matches.
                    high   Use the high level score for web category filtering matches.
                    critical   Use the critical level score for web category filtering matches.
        next
    config geolocation
        edit {id}   # Geolocation-based threat weight settings.
            set id {integer}   Entry ID. range[0-255]
            set country {string}   Country code. size[2]
            set level {option}   Threat weight score for Geolocation-based events.
                    disable   Disable threat weight scoring for Geolocation-based events.
                    low   Use the low level score for Geolocation-based events.
                    medium   Use the medium level score for Geolocation-based events.
                    high   Use the high level score for Geolocation-based events.
                    critical   Use the critical level score for Geolocation-based events.
        next
    config application
        edit {id}   # Application-control threat weight settings.
            set id {integer}   Entry ID. range[0-255]
            set category {integer}   Application category. range[0-65535]
            set level {option}   Threat weight score for Application events.
                    disable   Disable threat weight scoring for Application events.
                    low   Use the low level score for Application events.
                    medium   Use the medium level score for Application events.
                    high   Use the high level score for Application events.
                    critical   Use the critical level score for Application events.
        next
end
status {enable | disable}
Enable threat-weight calculation in logs.
config level
Use the following subcommands to set the score value (1 - 100) for each of the four threat levels. These values are what the low, medium, high, and critical options in the other settings resolve to:
set low <value>
set medium <value>
set high <value>
set critical <value>
blocked-connection {disable | low | medium | high | critical}
Set the threat-weight score for blocked connections. disable assigns no score.
failed-connection {disable | low | medium | high | critical}
Set the threat-weight score for failed connections. disable assigns no score.
url-block-detected {disable | low | medium | high | critical}
Set the threat-weight score for URL blocking events. disable assigns no score.
config ips
Use the following subcommands to set the threat score assigned to IPS events at different severity levels:
set info-severity {disable | low | medium | high | critical}
set low-severity {disable | low | medium | high | critical}
set medium-severity {disable | low | medium | high | critical}
set high-severity {disable | low | medium | high | critical}
set critical-severity {disable | low | medium | high | critical}
config web
Specific FortiGuard Web Filtering Categories that might appear in logs can be assigned a threat score, using the below commands:
edit <id>
A table entry for custom threat score assignments for Categories. Edit to create a new entry and configure the custom assignment using the following commands:
category <value>
The Category that will have a threat score assigned to it. You can view a list of Categories by entering set category ? at the prompt.
level {disable | low | medium | high | critical}
The threat score assigned to the Web Filtering Category.
config geolocation
Specific geographic locations that might appear in logs can be assigned a threat score, using the below commands:
edit <id>
A table entry for custom threat score assignments for countries. Edit to create a new entry and configure the custom assignment using the following commands:
country <country code>
The country that will have a threat score assigned to it. You can view a list of country codes by entering set country ? at the prompt.
level {disable | low | medium | high | critical}
The threat score assigned to the country.
config application
Specific FortiGuard Application categories that might appear in logs can be assigned a threat score, using the below commands:
edit <id>
A table entry for custom threat score assignments for categories. Edit to create a new entry and configure the custom assignment using the following commands:
category <value>
The application category that will have a threat score assigned to it. You can view a list of categories by entering set category ? at the prompt.
level {disable | low | medium | high | critical}
The threat score assigned to the Application category.
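As an added worked example, not part of the Fortinet documentation, the following Python script parses a constructed `config log threat-weight` fragment of the kind documented above into a scoring model and applies it to a few constructed FortiGate-style log lines, summing the score per source IP. Everything in it is an assumption for illustration: the numeric level values are example choices rather than FortiOS defaults, the log lines are made up, and the mapping from log fields to threat-weight settings inside `score_log()` is this script's own guess at how the settings are applied, since the reference does not document the internal scoring logic.

```python
"""Added example: score FortiGate-style log lines with a `config log threat-weight` model.
CLI fragment and log lines are constructed; the field-to-setting mapping in score_log() is
an assumption made for illustration, not Fortinet's documented scoring logic."""
import re
from collections import defaultdict

# Constructed CLI fragment with example values (not FortiOS defaults).
THREAT_WEIGHT_CLI = """
config log threat-weight
    set status enable
    config level
        set low 5
        set medium 10
        set high 30
        set critical 50
    end
    set blocked-connection high
    set url-block-detected medium
    config malware
        set virus-blocked critical
    end
    config ips
        set info-severity disable
        set critical-severity critical
    end
    config web
        edit 1
            set category 26
            set level high
        next
    end
end
"""
# Constructed key=value log lines in FortiGate style (`cat` is the numeric web category).
SAMPLE_LOGS = [
    'type="traffic" srcip="10.0.0.5" action="deny"',
    'type="utm" subtype="webfilter" srcip="10.0.0.5" action="blocked" cat=26',
    'type="utm" subtype="ips" srcip="10.0.0.7" severity="critical" action="dropped"',
    'type="utm" subtype="virus" srcip="10.0.0.7" action="blocked" virus="EICAR_TEST_FILE"',
    'type="utm" subtype="ips" srcip="10.0.0.9" severity="info" action="detected"',
]
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
IPS_SEVERITIES = ("info", "low", "medium", "high", "critical")


def parse_log(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def parse_cli(text):
    """Nest `config`/`edit` blocks as dicts; `set` stores a value; `next`/`end` close."""
    root, stack = {}, []
    cur = root
    for words in map(str.split, text.splitlines()):
        if not words:
            continue
        if words[0] in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(words[1:]), {})
        elif words[0] == "set":
            cur[words[1]] = " ".join(words[2:])
        elif words[0] in ("next", "end"):
            cur = stack.pop()
    return root


def points(model, level):
    """Map a level name to its `config level` score; `disable` scores 0."""
    return 0 if level == "disable" else int(model["level"][level])


def score_log(model, log):
    """Return (score, matched settings) for one parsed log. Assumed mapping: denied traffic
    -> blocked-connection; blocked URL -> url-block-detected plus any `config web` category
    match; blocked virus -> malware virus-blocked; IPS severity -> matching `config ips` key."""
    if model.get("status") != "enable":
        return 0, []
    hits, sub = [], log.get("subtype")
    if log.get("type") == "traffic" and log.get("action") == "deny":
        hits.append(("blocked-connection", model.get("blocked-connection", "disable")))
    if sub == "webfilter" and log.get("action") == "blocked":
        hits.append(("url-block-detected", model.get("url-block-detected", "disable")))
        for e in model.get("web", {}).values():
            if e.get("category") == log.get("cat"):
                hits.append(("web category " + e["category"], e.get("level", "disable")))
    if sub == "virus" and log.get("action") == "blocked":
        hits.append(("malware virus-blocked", model.get("malware", {}).get("virus-blocked", "disable")))
    if sub == "ips" and log.get("severity") in IPS_SEVERITIES:
        key = log["severity"] + "-severity"
        hits.append(("ips " + key, model.get("ips", {}).get(key, "disable")))
    return sum(points(model, lvl) for _, lvl in hits), hits


def score_by_source(model, lines):
    """Aggregate the score per source IP, the way a top-threat-sources view would."""
    totals = defaultdict(int)
    for log in map(parse_log, lines):
        totals[log.get("srcip", "?")] += score_log(model, log)[0]
    return dict(totals)


MODEL = parse_cli(THREAT_WEIGHT_CLI)["log threat-weight"]

if __name__ == "__main__":
    print(score_by_source(MODEL, SAMPLE_LOGS))
```

With the example values, the host that triggered a denied connection and a blocked category-26 URL scores 70 (high 30, plus medium 10 and high 30 for the web entry), the host behind a critical IPS event and a blocked virus scores 100, and the host whose only event is an info-severity IPS log scores 0 because that setting is disable, which is the "disable assigns no score" behaviour described above. Setting status to disable in the fragment zeroes every score, matching the note that status gates the rest of the options.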