Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiProxy 7.4.5 Administration Guide
    7.4.5
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.0
    7.0.19
    7.0.17
    7.0.0
    2.0.0
    1.2.0
    1.1.0
    1.0.0

    Types of logs

    Types of logs

    The Log & Report menu allows you to view traffic logs, event logs, and security logs:

    Traffic logs

    Forward Traffic

    The forward traffic log includes log messages for traffic that passes through the FortiProxy device. It includes both traffic and security log messages so that messages about security events can be viewed alongside messages about the traffic at the time of the event.

    See also Logging client IP for forward traffic and HTTP transaction.

    HTTP Transaction

    HTTP transaction-related traffic log.

    To allow HTTP transaction log to appear here, make sure the Log HTTP Transaction option is not disabled when you Create or edit a policy.

    See also Logging client IP for forward traffic and HTTP transaction.

    Correlation Log

    Correlation log of forward traffic log(s) and HTTP transaction log(s) that have a common session ID.

    Sniffer Traffic

    The sniffer log records all traffic that passes through a particular interface that has been configured to act as a One-Armed Sniffer, so it can be examined separately from the rest of the traffic logs.

    ZTNA Traffic

    System Event logs

    System Events

    General system events.

    Router Events

    Events relating to layer-3 routing.

    VPN Events

    Events relating to VPN.

    User Events

    Events relating to users.

    HA Events

    Events relating to HA

    Security Rating Events

    Events relating to Security Rating.

    WAN Opt. & Cache Events

    Events relating to WAN optimization and cache.

    SDN Connector Events

    Events relating to Fabric connectors.

    CIFS Events

    Events relating to CIFS.

    REST API Events

    The REST API events log subtype logs POST, PUT, DELETE, and GET REST API requests. They can be enabled or disabled in the CLI:

    config log setting
    set rest-api-set {enable | disable}
    set rest-api-get {enable | disable}
end

    Security Event logs

    AntiVirus

    The antivirus log records when, during the antivirus scanning process, the FortiProxy unit finds a match within the antivirus profile, which includes the presence of a virus or grayware signature.

    Web Filter

    The web filter log records HTTP log rating errors, including web content blocking actions that the FortiProxy device performs. It also includes how long it takes to scan the HTTP request, the client request host header, the client request host inside of the request line, and the server response code.

    SSL

    Records detected and blocked malicious SSL connections.

    DNS Query

    The DNS query log messages include details of each DNS query and response. DNS log messages are recorded for all DNS traffic though the FortiProxy unit and originated by the FortiProxy unit.

    The detailed DNS log can be used for low-impact security investigation. Most network activity involves DNS activity of some kinds. Analyzing the DNS log can provide a lot of details about the activity on your network without using resource-intensive techniques.

    File Filter

    Records file filter events.

    Data Loss Prevention

    The data loss prevention (DLP) log provides valuable information about the sensitive data trying to get through to your network as well as any unwanted data trying to get into your network.

    The DLP log can record the following traffic types:

    • email (SMTP, POP3, or IMAP; if SSL content, SMTPS, POP3S, and IMAPS)

    • HTTP

    • HTTPS

    • FTP

    • NNTP

    • IM

    Application Control

    The Application Control log provides detailed information about the traffic that internet applications such as Skype are generating. The Application Control feature controls the flow of traffic from a specific application, and the FortiProxy unit examines this traffic for signatures that the application generates.

    The log messages that are recorded provide information such as the type of application being used (such as P2P software), and what type of action the FortiProxy unit took. These log messages can also help you to determine the top ten applications that are being used on your network. This feature is called Application Control monitoring and you can view the information from a widget on the Executive Summary page.

    The Application Control list that is used must have logging enabled within the list, as well as logging enabled within each application entry. Each application entry can also have packet logging enabled. Packet logging for Application Control records the packet when an application type is identified, similar to IPS packet logging.

    Logging of Application Control activity can only be recorded when an Application Control list is applied to a firewall policy, regardless of whether or not logging is enabled within the Application Control list.

    Intrusion Prevention

    The Intrusion Prevention log, also referred to as the attack log, records attacks that occurred against your network. Attack logs contain detailed information about whether the FortiProxy unit protected the network using anomaly-based defense settings or signature-based defense settings, as well as what the attack was.

    The Intrusion Prevention or attack log file is especially useful because the log messages that are recorded contain a link to the FortiGuard Center, where you can find more information about the attack. This is similar to antivirus logs, where a link to the FortiGuard Center is provided as well that informs you of the virus that was detected by the FortiProxy unit.

    An Intrusion Prevention sensor with log settings enabled must be applied to a firewall policy so that the FortiProxy unit can record the activity.

    SSH

    Content Analyses

    Previous
    Next

    Types of logs

    Types of logs

    The Log & Report menu allows you to view traffic logs, event logs, and security logs:

    Traffic logs

    Forward Traffic

    The forward traffic log includes log messages for traffic that passes through the FortiProxy device. It includes both traffic and security log messages so that messages about security events can be viewed alongside messages about the traffic at the time of the event.

    See also Logging client IP for forward traffic and HTTP transaction.

    HTTP Transaction

    HTTP transaction-related traffic log.

    To allow HTTP transaction log to appear here, make sure the Log HTTP Transaction option is not disabled when you Create or edit a policy.

    See also Logging client IP for forward traffic and HTTP transaction.

    Correlation Log

    Correlation log of forward traffic log(s) and HTTP transaction log(s) that have a common session ID.

    Sniffer Traffic

    The sniffer log records all traffic that passes through a particular interface that has been configured to act as a One-Armed Sniffer, so it can be examined separately from the rest of the traffic logs.

    ZTNA Traffic

    System Event logs

    System Events

    General system events.

    Router Events

    Events relating to layer-3 routing.

    VPN Events

    Events relating to VPN.

    User Events

    Events relating to users.

    HA Events

    Events relating to HA

    Security Rating Events

    Events relating to Security Rating.

    WAN Opt. & Cache Events

    Events relating to WAN optimization and cache.

    SDN Connector Events

    Events relating to Fabric connectors.

    CIFS Events

    Events relating to CIFS.

    REST API Events

    The REST API events log subtype logs POST, PUT, DELETE, and GET REST API requests. They can be enabled or disabled in the CLI:

    config log setting
    set rest-api-set {enable | disable}
    set rest-api-get {enable | disable}
end

    Security Event logs

    AntiVirus

    The antivirus log records when, during the antivirus scanning process, the FortiProxy unit finds a match within the antivirus profile, which includes the presence of a virus or grayware signature.

    Web Filter

    The web filter log records HTTP log rating errors, including web content blocking actions that the FortiProxy device performs. It also includes how long it takes to scan the HTTP request, the client request host header, the client request host inside of the request line, and the server response code.

    SSL

    Records detected and blocked malicious SSL connections.

    DNS Query

    The DNS query log messages include details of each DNS query and response. DNS log messages are recorded for all DNS traffic though the FortiProxy unit and originated by the FortiProxy unit.

    The detailed DNS log can be used for low-impact security investigation. Most network activity involves DNS activity of some kinds. Analyzing the DNS log can provide a lot of details about the activity on your network without using resource-intensive techniques.

    File Filter

    Records file filter events.

    Data Loss Prevention

    The data loss prevention (DLP) log provides valuable information about the sensitive data trying to get through to your network as well as any unwanted data trying to get into your network.

    The DLP log can record the following traffic types:

    • email (SMTP, POP3, or IMAP; if SSL content, SMTPS, POP3S, and IMAPS)

    • HTTP

    • HTTPS

    • FTP

    • NNTP

    • IM

    Application Control

    The Application Control log provides detailed information about the traffic that internet applications such as Skype are generating. The Application Control feature controls the flow of traffic from a specific application, and the FortiProxy unit examines this traffic for signatures that the application generates.

    The log messages that are recorded provide information such as the type of application being used (such as P2P software), and what type of action the FortiProxy unit took. These log messages can also help you to determine the top ten applications that are being used on your network. This feature is called Application Control monitoring and you can view the information from a widget on the Executive Summary page.

    The Application Control list that is used must have logging enabled within the list, as well as logging enabled within each application entry. Each application entry can also have packet logging enabled. Packet logging for Application Control records the packet when an application type is identified, similar to IPS packet logging.

    Logging of Application Control activity can only be recorded when an Application Control list is applied to a firewall policy, regardless of whether or not logging is enabled within the Application Control list.

    Intrusion Prevention

    The Intrusion Prevention log, also referred to as the attack log, records attacks that occurred against your network. Attack logs contain detailed information about whether the FortiProxy unit protected the network using anomaly-based defense settings or signature-based defense settings, as well as what the attack was.

    The Intrusion Prevention or attack log file is especially useful because the log messages that are recorded contain a link to the FortiGuard Center, where you can find more information about the attack. This is similar to antivirus logs, where a link to the FortiGuard Center is provided as well that informs you of the virus that was detected by the FortiProxy unit.

    An Intrusion Prevention sensor with log settings enabled must be applied to a firewall policy so that the FortiProxy unit can record the activity.

    SSH

    Content Analyses

    Previous
    Next