Attack logs

Unlike FortiView, which groups threat data by category, Attack Logs lists every detected threat in a single flat view.

Attack Logs displays logs from all applications. Click an entry to see the threat details, or use Add Filter to narrow the list to the threats you are interested in. Click Reload to update the page with any logs recorded since you last loaded it.

At most 10,000 log entries are displayed per filter. FortiWeb Cloud retains attack logs for two months; older logs are deleted, so plan accordingly if you need a longer history for investigations.

If you know that a certain URL tends to trigger false positives by matching an attack signature during normal use, click Add Exception beside the signature ID. Traffic to the URL and/or parameter specified in the exception rule is no longer treated as an attack when it matches that particular signature, so scope the exception as narrowly as possible (a specific URL and parameter rather than a broad wildcard). You must enable at least one of Request URL and Parameter Name. Allow several minutes for the configuration to take effect.

Request URL

Specify a URL value to match. For example, /testpage.php matches requests for http://www.test.com/testpage.php.

  • If String Match is selected, the value must start with a forward slash ( / ), for example /testpage.php. You can enter a precise URL, such as /folder1/index.htm, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
  • If Regular Expression Match is selected, the value does not have to start with a forward slash ( / ). However, the expression is matched against a request path that does begin with a forward slash, so make sure it can match such values (an expression anchored at the start without the slash will never match). For details, see Frequently used regular expressions.

Do not include a domain name; the exception applies to the domain name of this application.

Parameter Name

Specify a parameter name to match. For example, in http://www.test.com/testpage.php?a=1 the parameter name is "a".

To create a regular expression, see Frequently used regular expressions.
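The following is an added example, not FortiWeb Cloud code: it models how an exception rule built from the Request URL and Parameter Name settings above would be applied to signature hits, so you can check the scope of an exception before you create it. The matching engine itself is not documented, so three points are assumptions: in String Match a `*` wildcard matches any run of characters including `/` and the whole path must match; Regular Expression Match is an unanchored search over the request path; a Parameter Name in String Match is compared exactly. The signature IDs, paths and hits are constructed sample data.

```python
"""Model of an Attack Logs signature exception (added example, not FortiWeb Cloud code)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SignatureHit:
    """One request that matched a signature (constructed, not a real log record)."""
    signature_id: str
    path: str                    # request path; always begins with "/"
    parameter: Optional[str]     # parameter the signature fired on, None if none


@dataclass(frozen=True)
class SignatureException:
    """An Add Exception rule: Request URL and/or Parameter Name, each String or Regex."""
    signature_id: str
    url: Optional[str] = None          # None = Request URL not enabled
    url_regex: bool = False            # False = String Match, True = Regular Expression Match
    parameter: Optional[str] = None    # None = Parameter Name not enabled
    parameter_regex: bool = False

    def __post_init__(self) -> None:
        # The page's own constraints: enable at least one field, no domain name,
        # and a String Match URL must start with "/".
        if self.url is None and self.parameter is None:
            raise ValueError("enable at least one of Request URL or Parameter Name")
        if self.url is not None:
            if "://" in self.url:
                raise ValueError("do not include a scheme or domain name")
            if not self.url_regex and not self.url.startswith("/"):
                raise ValueError("String Match URL must start with '/'")


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    # Assumption: "*" stands for any run of characters (including "/"),
    # every other character is literal, and the whole path must match.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")))


def _field_matches(pattern: Optional[str], is_regex: bool,
                   value: Optional[str], wildcard: bool) -> bool:
    if pattern is None:
        return True                       # field not enabled: no constraint
    if value is None:
        return False                      # constraint enabled, hit has no such field
    if is_regex:
        return re.search(pattern, value) is not None   # assumption: unanchored search
    if wildcard:
        return wildcard_to_regex(pattern).fullmatch(value) is not None
    return pattern == value               # assumption: exact match for parameter names


def is_exempt(exc: SignatureException, hit: SignatureHit) -> bool:
    """True if this exception rule suppresses this signature hit."""
    return (hit.signature_id == exc.signature_id
            and _field_matches(exc.url, exc.url_regex, hit.path, wildcard=True)
            and _field_matches(exc.parameter, exc.parameter_regex, hit.parameter, wildcard=False))


def remaining_attacks(hits: List[SignatureHit],
                      exceptions: List[SignatureException]) -> List[SignatureHit]:
    """Hits still treated as attacks after all exception rules are applied."""
    return [h for h in hits if not any(is_exempt(e, h) for e in exceptions)]


SIG = "sig-demo-001"   # placeholder signature ID, not a real FortiWeb signature

HITS = [  # constructed sample hits
    SignatureHit(SIG, "/testpage.php", "a"),
    SignatureHit(SIG, "/testpage.php", "b"),
    SignatureHit(SIG, "/folder1/sub/index.htm", None),
    SignatureHit(SIG, "/folder1/index.htm", None),
    SignatureHit(SIG, "/folder2/index.htm", None),
    SignatureHit("sig-demo-002", "/testpage.php", "a"),
]

EXCEPTIONS = [
    SignatureException(SIG, url="/testpage.php", parameter="a"),       # URL + parameter
    SignatureException(SIG, url="/folder1/*/index.htm"),               # wildcard URL
    # Regex anchored at the start without the leading "/": never matches a path.
    SignatureException(SIG, url=r"^folder2/index\.htm$", url_regex=True),
]

if __name__ == "__main__":
    for hit in remaining_attacks(HITS, EXCEPTIONS):
        print("still an attack:", hit.signature_id, hit.path, hit.parameter)
```

Running it shows that only `/testpage.php?a=...` and `/folder1/sub/index.htm` are exempted: parameter `b` is untouched because the rule names `a`, `/folder1/index.htm` has no middle segment for the `*` to match, the `^folder2/...` regex never matches because every path starts with `/`, and the other signature is unaffected even on the same URL.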

Note that the number of attacks shown in Attack Logs, in FortiView, and in the Blocked Requests widget on the Dashboard may differ. Attack Logs and FortiView show distinct events; the Blocked Requests widget is the count of record for how many requests were actually blocked.

  • Certain attack types, such as bot and DDoS attacks, generate a large number of requests in a short time. To keep identical entries from flooding the UI, FortiWeb Cloud logs only the first request in Attack Logs and FortiView, while the Blocked Requests widget shows the actual number of attack requests blocked.
  • To prevent information leakage, FortiWeb Cloud may cloak error pages or strip sensitive HTTP headers from responses. Such events are logged at most once per minute in Attack Logs and FortiView, enough to show that the Information Leakage rule took effect, while the actual count is recorded in the Blocked Requests widget.
  • If you have configured FortiWeb Cloud to block a violation without logging it, for example with the Alert & Deny (no log) action, those attacks are not recorded in Attack Logs or FortiView but are still counted in the Blocked Requests widget.
To identify the security feature that blocked a request, map the Attack ID value to the corresponding security rule in the table below. Several rule names appear under two different IDs, so match on the ID rather than on the name.

Attack ID   Security Rule
20000001    Allow Method
20000002    Protected Hostnames
20000003    Page Access
20000004    Start Pages
20000005    Parameter Validation
20000006    Black IP List
20000007    URL Access
20000008    Signature Detection
20000009    Custom Signature Detection
20000011    Hidden Fields
20000012    Site Publish
20000013    HTTP Parsing Error
20000014    DoS Protection
20000015    SYN Flood Protection
20000016    HTTPS Connection Failure
20000017    File Upload Restriction
20000018    GEO IP
20000019    Illegal XML Format
20000020    Illegal JSON Format
20000021    Custom Access
20000022    IP Reputation
20000023    Padding Oracle
20000024    CSRF Protection
20000025    Quarantined IPs
20000026    HTTP Protocol Constraints
20000027    Credential Stuffing Defense
20000028    User Tracking
20000029    XML Validation Violation
20000030    Cookie Security
20000031    FTP Command Restriction
20000032    FTP Parsing Error
20000033    Timeout Session
20000034    Other Attacks
20000035    FTP File Security
20000036    FTPS Connection Failure
20000037    Anomaly Detection
20000038    OpenAPI Validation Violation
20000039    WebSocket Security
20000040    MITB AJAX Security
20000041    Bot Detection
20000042    CORS Check Security
20000043    JSON Validation Security
20000044    Mobile API Protection
20000045    Bot Deception
20000046    Biometrics Based Detection
20000047    Threshold Based Detection
20000048    API Gateway
20000049    URL Encryption
20000050    SQL/XSS Syntax Based Detection
20000051    Known Bots Detection
20000053    Allow Only IP List
20000200    Known Attacks
20000201    Information Leakage
20000202    Cookie Security
20000203    File Protection
20000204    Client Security
20000205    Request Limits
20000206    URL Access
20000207    IP Protection
20000208    Bot Mitigation
20000209    DDoS Prevention
20000210    XML Security
20000211    OpenAPI Validation
20000212    WebSocket Security
20000213    Known Bots Detection
20000214    API Gateway
20000215    Mobile API
20000216    JSON Security
