Fortinet black logo

Cookbook

Reliable web filter statistics

Copy Link
Copy Doc ID 30be976a-bbb3-11ee-8673-fa163e15d75b:588649
Download PDF

Reliable web filter statistics

FortiOS 6.2 provides command line tools to view the Web Filter statistics report. These command line tools currently fall into either proxy-based or flow-based Web Filter statistics commands.

Proxy-based Web Filter statistics report

  • The proxy-based Web Filter statistics command line tools are as follows. These commands are available in both global or per-VDOM command lines.
    #diagnose wad filter   <----define the interested objects for output
    (global) # diagnose wad ?
    console-log    Send WAD log messages to the console.
    debug          Debug setting.
    stats          Show statistics.
    filter         Filter for listing sessions or tunnels. <----use filter to filter-out interested object and output
    kxp            SSL KXP diagnostics.
    user           User diagnostics.
    memory         WAD memory diagnostics.
    restore        Restore configuration defaults.
    history        Statistics history.
    session        Session diagnostics.
    tunnel         Tunnel diagnostics.
    webcache       Web cache statistics.
    worker         Worker diagnostics.
    csvc           Cache service diagnostics.
     
    #diagnose wad stat filter list/clear <----list/clear Web Filter/DLP statistics report
  • In the example below, there are two VDOMs using proxy-based policies which have Web Filter profiles enabled. The command line can be used to view the proxy-based Web Filter statistics report.
    (global) # diagnose wad filter ?
    list                    Display current filter.
    clear                   Erase current filter settings.
    src                     Source address range to filter by.
    dst                     Destination address range to filter by.
    sport                   Source port range to filter by.
    dport                   Destination port range to filter by.
    vd                      Virtual Domain Name.  <----filter for per-vdom or global statistics report
    explicit-policy         Index of explicit-policy. -1 matches all.
    firewall-policy         Index of firewall-policy. -1 matches all.
    drop-unknown-session    Enable drop message unknown sessions.
    negate                  Negate the specified filter parameter.
    protocol                Select protocols to filter by.
     
    FGT_600D-ICAP-NAT (global) # diagnose wad filter vd 
    <vdom>    Virtual Domain Name.
    ALL     all vdoms
    root    vdom
    vdom1   vdom
    
    FGT_600D-ICAP-NAT (global) # diagnose wad filter vd root  <----filter-out root vdom statistics  
    Drop_unknown_session is enabled.
    
    FGT_600D-ICAP-NAT (global) # diagnose wad stats filter list
    filtering of vdom root  <----Displayed the WF statistics for root vdom
      dlp          = 0      <----Number of Reuqest that DLP Sensor processed;
      content-type = 0      <----Number of Reuqest that matching content-type filter;
      urls:
        examined = 6  <----Number of Request that Proxy Web-Filter(all wad daemons) examined;
        allowed = 3   <----Number of Request that be allowed in the examined requests;
        blocked = 0   <----Number of Request that be blocked in the examined requests;
        logged = 0    <----Number of Request that be logged in the examined requests;
        overridden = 0 <----Number of Request that be overrided to another Web Filter profile in the examined requests;
    
    FGT_600D-ICAP-NAT (global) # diagnose wad filter vd vdom1  <----filter-out vdom1 statistics
    
    FGT_600D-ICAP-NAT (global) # diagnose wad stats filter list
    filtering of vdom vdom1  <----Displayed the WF statistics for vdom1
      dlp          = 0
      content-type = 0
      urls:
        examined = 13
        allowed = 2
        blocked = 9
        logged = 8
        overridden = 0
    
    FGT_600D-ICAP-NAT (global) # diagnose wad filter vd ALL 
    
    FGT_600D-ICAP-NAT (global) # diagnose wad stats filter list
    filtering of all accessible vdoms  <----global statistics is sum of two VDOMs
      dlp          = 0
      content-type = 0
      urls:
        examined = 19
        allowed = 5
        blocked = 9
        logged = 8
        overridden = 0

Flow-based Web Filter statistics report

  • The flow-based Web Filter statistics command line tools are as follows. These commands are available in global command lines only.
    (global) # diagnose test application ipsmonitor 
    
    IPS Engine Test Usage:
    
        1: Display IPS engine information
        2: Toggle IPS engine enable/disable status
        3: Display restart log
        4: Clear restart log
        5: Toggle bypass status
        6: Submit attack characteristics now
       10: IPS queue length
       11: Clear IPS queue length
       12: IPS L7 socket statistics
       13: IPS session list
       14: IPS NTurbo statistics
       15: IPSA statistics
       18: Display session info cache
       19: Clear session info cache
       21: Reload FSA malicious URL database
       22: Reload whitelist URL database
       24: Display Flow AV statistics
       25: Reset Flow AV statistics
       27: Display Flow urlfilter statistics
       28: Reset Flow urlfilter statistics
       29: Display global Flow urlfilter statistics  <----List the Flow Web Filter Statistics
       30: Reset global Flow urlfilter statistics    <----Reset the Flow Web Filter Statistics
       96: Toggle IPS engines watchdog timer
       97: Start all IPS engines
       98: Stop all IPS engines
       99: Restart all IPS engines and monitor
  • In the example below, there are two VDOMs using flow-based policies which have Web Filter profiles enabled. The command line can be used to view the flow-based Web Filter statistics report.
    (global) # diagnose test application ipsmonitor 29
    Global URLF states:
     request: 14   <----Number of Requests that Flow Web-Filter(all ips engines) received;
     response: 14  <----Number of Response that Flow Web-Filter(all ips engines) sent;
     pending: 0    <----Number of Requests that under processing at that moment;
     request error: 0     <----Number of Request that have error;
     response timeout: 0  <----Number of response that ips engine not been received in-time;
     blocked: 12          <----Number of Request that Flow Web-Filter blocked;
     allowed: 2           <----Number of Request that Flow Web-Filter allowed;

Reliable web filter statistics

FortiOS 6.2 provides command line tools to view the Web Filter statistics report. These command line tools currently fall into either proxy-based or flow-based Web Filter statistics commands.

Proxy-based Web Filter statistics report

  • The proxy-based Web Filter statistics command line tools are as follows. These commands are available in both global or per-VDOM command lines.
    #diagnose wad filter   <----define the interested objects for output
    (global) # diagnose wad ?
    console-log    Send WAD log messages to the console.
    debug          Debug setting.
    stats          Show statistics.
    filter         Filter for listing sessions or tunnels. <----use filter to filter-out interested object and output
    kxp            SSL KXP diagnostics.
    user           User diagnostics.
    memory         WAD memory diagnostics.
    restore        Restore configuration defaults.
    history        Statistics history.
    session        Session diagnostics.
    tunnel         Tunnel diagnostics.
    webcache       Web cache statistics.
    worker         Worker diagnostics.
    csvc           Cache service diagnostics.
     
    #diagnose wad stat filter list/clear <----list/clear Web Filter/DLP statistics report
  • In the example below, there are two VDOMs using proxy-based policies which have Web Filter profiles enabled. The command line can be used to view the proxy-based Web Filter statistics report.
    (global) # diagnose wad filter ?
    list                    Display current filter.
    clear                   Erase current filter settings.
    src                     Source address range to filter by.
    dst                     Destination address range to filter by.
    sport                   Source port range to filter by.
    dport                   Destination port range to filter by.
    vd                      Virtual Domain Name.  <----filter for per-vdom or global statistics report
    explicit-policy         Index of explicit-policy. -1 matches all.
    firewall-policy         Index of firewall-policy. -1 matches all.
    drop-unknown-session    Enable drop message unknown sessions.
    negate                  Negate the specified filter parameter.
    protocol                Select protocols to filter by.
     
    FGT_600D-ICAP-NAT (global) # diagnose wad filter vd 
    <vdom>    Virtual Domain Name.
    ALL     all vdoms
    root    vdom
    vdom1   vdom
    
    FGT_600D-ICAP-NAT (global) # diagnose wad filter vd root  <----filter-out root vdom statistics  
    Drop_unknown_session is enabled.
    
    FGT_600D-ICAP-NAT (global) # diagnose wad stats filter list
    filtering of vdom root  <----Displayed the WF statistics for root vdom
      dlp          = 0      <----Number of Reuqest that DLP Sensor processed;
      content-type = 0      <----Number of Reuqest that matching content-type filter;
      urls:
        examined = 6  <----Number of Request that Proxy Web-Filter(all wad daemons) examined;
        allowed = 3   <----Number of Request that be allowed in the examined requests;
        blocked = 0   <----Number of Request that be blocked in the examined requests;
        logged = 0    <----Number of Request that be logged in the examined requests;
        overridden = 0 <----Number of Request that be overrided to another Web Filter profile in the examined requests;
    
    FGT_600D-ICAP-NAT (global) # diagnose wad filter vd vdom1  <----filter-out vdom1 statistics
    
    FGT_600D-ICAP-NAT (global) # diagnose wad stats filter list
    filtering of vdom vdom1  <----Displayed the WF statistics for vdom1
      dlp          = 0
      content-type = 0
      urls:
        examined = 13
        allowed = 2
        blocked = 9
        logged = 8
        overridden = 0
    
    FGT_600D-ICAP-NAT (global) # diagnose wad filter vd ALL 
    
    FGT_600D-ICAP-NAT (global) # diagnose wad stats filter list
    filtering of all accessible vdoms  <----global statistics is sum of two VDOMs
      dlp          = 0
      content-type = 0
      urls:
        examined = 19
        allowed = 5
        blocked = 9
        logged = 8
        overridden = 0

Flow-based Web Filter statistics report

  • The flow-based Web Filter statistics command line tools are as follows. These commands are available in global command lines only.
    (global) # diagnose test application ipsmonitor 
    
    IPS Engine Test Usage:
    
        1: Display IPS engine information
        2: Toggle IPS engine enable/disable status
        3: Display restart log
        4: Clear restart log
        5: Toggle bypass status
        6: Submit attack characteristics now
       10: IPS queue length
       11: Clear IPS queue length
       12: IPS L7 socket statistics
       13: IPS session list
       14: IPS NTurbo statistics
       15: IPSA statistics
       18: Display session info cache
       19: Clear session info cache
       21: Reload FSA malicious URL database
       22: Reload whitelist URL database
       24: Display Flow AV statistics
       25: Reset Flow AV statistics
       27: Display Flow urlfilter statistics
       28: Reset Flow urlfilter statistics
       29: Display global Flow urlfilter statistics  <----List the Flow Web Filter Statistics
       30: Reset global Flow urlfilter statistics    <----Reset the Flow Web Filter Statistics
       96: Toggle IPS engines watchdog timer
       97: Start all IPS engines
       98: Stop all IPS engines
       99: Restart all IPS engines and monitor
  • In the example below, there are two VDOMs using flow-based policies which have Web Filter profiles enabled. The command line can be used to view the flow-based Web Filter statistics report.
    (global) # diagnose test application ipsmonitor 29
    Global URLF states:
     request: 14   <----Number of Requests that Flow Web-Filter(all ips engines) received;
     response: 14  <----Number of Response that Flow Web-Filter(all ips engines) sent;
     pending: 0    <----Number of Requests that under processing at that moment;
     request error: 0     <----Number of Request that have error;
     response timeout: 0  <----Number of response that ips engine not been received in-time;
     blocked: 12          <----Number of Request that Flow Web-Filter blocked;
     allowed: 2           <----Number of Request that Flow Web-Filter allowed;