Attack logs
Unlike FortiView, which displays threat data in different categories, Attack Logs simply lists all the threats.
Attack Logs now displays logs from all applications. In Attack Logs, you can click an entry to see threat details, or use Add Filter to filter out threats as desired. Click Reload to update the page with any logs that have been recorded since you previously loaded the page.
A maximum of 10,000 logs are displayed per filter. FortiWeb Cloud saves the attack logs for two months. After that, they are deleted.
If you know that a certain URL tends to falsely trigger violations by matching an attack signature during normal use, you can click Add Exception beside the signature ID. Traffic to the URL and/or parameter specified in the exception rule will not be treated as an attack even if it matches this particular signature. You should enable at least one of Request URL and Parameter Name. Please wait several minutes for the configuration to take effect.
| Request URL | Specify a URL value to match. For example, Do not include a domain name because it's by default the domain name of this application. |
| Parameter Name | Specify a parameter name to match. For example, To create a regular expression, see Frequently used regular expressions. |
Please note that the number of attacks displayed in Attack Logs,
- Certain attack types such as Bot and DDoS attacks generate a large number of requests in a short time. To prevent numerous identical attack logs from flooding the UI, FortiWeb Cloud only logs the first request in Attack Logs and FortiView, while it shows the actual count in the Blocked Requests widget so you can know how many actual attack requests were blocked.
- To prevent Information Leakage, FortiWeb Cloud may cloak the error pages or erase sensitive HTTP headers in response packets. Such items are logged only once per minute in Attack Logs and FortiView so that you know the Information Leakage rule took effect. Meanwhile, the actual count is recorded in the Blocked Requests widget.
- If you have set FortiWeb Cloud to block attacks but not generate a log when a certain violation occurs, such as Alert & Deny (no log), then the attacks will not be logged in Attack Logs and FortiView, but will be counted in the Blocked Requests widget.
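The following Python sketch is an added example, not FortiWeb Cloud code. It models the three logging rules above over constructed events to show why Attack Logs can list fewer entries than the Blocked Requests widget counts. The event fields, the per-source grouping of "first request", and the fixed one-minute buckets are assumptions.

```python
from collections import Counter

# Constructed events: (epoch_seconds, source_ip, rule, action). Field names and
# values are illustrative, not FortiWeb Cloud's export format.
EVENTS = [
    (0,  "198.51.100.7", "Bot Detection",       "Alert & Deny"),
    (1,  "198.51.100.7", "Bot Detection",       "Alert & Deny"),
    (2,  "198.51.100.7", "Bot Detection",       "Alert & Deny"),
    (5,  "203.0.113.9",  "Information Leakage", "Alert & Deny"),
    (20, "203.0.113.9",  "Information Leakage", "Alert & Deny"),
    (70, "203.0.113.9",  "Information Leakage", "Alert & Deny"),
    (80, "192.0.2.44",   "Known Attacks",       "Alert & Deny (no log)"),
    (90, "192.0.2.45",   "Known Attacks",       "Alert & Deny"),
]

# Assumed rule names standing in for "Bot and DDoS attacks".
FIRST_ONLY = {"Bot Detection", "DDoS Prevention"}


def reconcile(events):
    """Return (attack_log_entries, blocked_count_per_rule)."""
    logged, blocked = [], Counter()
    seen_first = set()      # (source, rule) pairs that already produced a log
    last_leak_minute = None  # minute bucket of the last Information Leakage log
    for ts, src, rule, action in sorted(events):
        blocked[rule] += 1  # the widget counts every blocked request
        if action.endswith("(no log)"):
            continue        # blocked, but never written to Attack Logs
        if rule in FIRST_ONLY:
            if (src, rule) in seen_first:
                continue    # only the first request is logged
            seen_first.add((src, rule))
        elif rule == "Information Leakage":
            if last_leak_minute == ts // 60:
                continue    # at most one log entry per minute
            last_leak_minute = ts // 60
        logged.append((ts, src, rule))
    return logged, blocked


def unlogged(events):
    """Per rule: requests blocked but absent from Attack Logs."""
    logged, blocked = reconcile(events)
    shown = Counter(rule for _, _, rule in logged)
    return {rule: blocked[rule] - shown[rule] for rule in blocked}
```

When reconciling counts for an incident timeline, treat the Attack Logs entry as evidence that a rule fired and the widget count as the volume.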
To identify the security feature blocking your request, map the Attack ID value to the corresponding description in the table below.

| Attack ID | Security Rule |
| --- | --- |
| 20000001 | Allow Method |
| 20000002 | Protected Hostnames |
| 20000003 | Page Access |
| 20000004 | Start Pages |
| 20000005 | Parameter Validation |
| 20000006 | Black IP List |
| 20000007 | URL Access |
| 20000008 | Signature Detection |
| 20000009 | Custom Signature Detection |
| 20000011 | Hidden Fields |
| 20000012 | Site Publish |
| 20000013 | HTTP Parsing Error |
| 20000014 | DoS Protection |
| 20000015 | SYN Flood Protection |
| 20000016 | HTTPS Connection Failure |
| 20000017 | File Upload Restriction |
| 20000018 | GEO IP |
| 20000019 | Illegal XML Format |
| 20000020 | Illegal JSON Format |
| 20000021 | Custom Access |
| 20000022 | IP Reputation |
| 20000023 | Padding Oracle |
| 20000024 | CSRF Protection |
| 20000025 | Quarantined IPs |
| 20000026 | HTTP Protocol Constraints |
| 20000027 | Credential Stuffing Defense |
| 20000028 | User Tracking |
| 20000029 | XML Validation Violation |
| 20000030 | Cookie Security |
| 20000031 | FTP Command Restriction |
| 20000032 | FTP Parsing Error |
| 20000033 | Timeout Session |
| 20000034 | Other Attacks |
| 20000035 | FTP File Security |
| 20000036 | FTPS Connection Failure |
| 20000037 | Anomaly Detection |
| 20000038 | OpenAPI Validation Violation |
| 20000039 | WebSocket Security |
| 20000040 | MITB AJAX Security |
| 20000041 | Bot Detection |
| 20000042 | CORS Check Security |
| 20000043 | JSON Validation Security |
| 20000044 | Mobile API Protection |
| 20000045 | Bot Deception |
| 20000046 | Biometrics Based Detection |
| 20000047 | Threshold Based Detection |
| 20000048 | API Gateway |
| 20000049 | URL Encryption |
| 20000050 | SQL/XSS Syntax Based Detection |
| 20000051 | Known Bots Detection |
| 20000053 | Allow Only IP List |
| 20000200 | Known Attacks |
| 20000201 | Information Leakage |
| 20000202 | Cookie Security |
| 20000203 | File Protection |
| 20000204 | Client Security |
| 20000205 | Request Limits |
| 20000206 | URL Access |
| 20000207 | IP Protection |
| 20000208 | Bot Mitigation |
| 20000209 | DDoS Prevention |
| 20000210 | XML Security |
| 20000211 | OpenAPI Validation |
| 20000212 | WebSocket Security |
| 20000213 | Known Bots Detection |
| 20000214 | API Gateway |
| 20000215 | Mobile API |
| 20000216 | JSON Security |