Viewing attack logs

To view attack logs, open an application, then go to Logs > Attack Logs.

A maximum of 10,000 logs are displayed per filter. FortiWeb Cloud retains attack logs for two months, after which they are deleted.

Unlike FortiView, which displays threat data in different categories, Attack Logs lists all the threats directly.

In Attack Logs, you can click an entry to see threat details, or use Add Filter to filter the threats as desired. Click Reload to update the page with any logs that have been recorded since you previously loaded the page.

If you know that a certain URL tends to falsely trigger violations by matching an attack signature during normal use, you can click Add Exception beside the signature ID. Traffic to the URL and/or parameter specified in the exception rule is not treated as an attack even if it matches this particular signature. You should enable at least one of Request URL and Parameter Name. Wait several minutes for the configuration to take effect.

Request URL

Specify a URL value to match. For example, /testpage.php, which matches requests for http://www.test.com/testpage.php.

  • If String Match is selected, ensure the value starts with a forward slash ( / ) (for example, /testpage.php). You can enter a precise URL, such as /folder1/index.htm, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
  • If Regular Expression Match is selected, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash. For details, see Frequently used regular expressions.

Do not include a domain name; the domain name of this application is used by default.

Parameter Name

Specify a parameter name to match. For example, in http://www.test.com/testpage.php?a=1, the parameter name is "a".

To create a regular expression, see Frequently used regular expressions.
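
A pre-flight check for the Request URL and Parameter Name rules above, as an added Python example (not Fortinet code), which also lists the request paths an exception would exempt from the signature. It assumes that `*` in String Match matches any run of characters including `/`, and that a regular expression is applied unanchored, with Python's `re` standing in for the product's regex engine; `validate_exception`, `covered_paths` and the sample paths are constructed for illustration.

```python
import re

# Constructed sample request paths for the application (not real traffic).
SAMPLE_PATHS = [
    "/testpage.php",
    "/folder1/index.htm",
    "/folder1/a/index.htm",
    "/folder1/a/b/index.htm",
    "/folder2/index.htm",
    "/admin/testpage.php",
]

def validate_exception(request_url=None, url_mode="string", parameter_name=None):
    """Return a list of problems with a proposed exception rule (empty = OK)."""
    problems = []
    if not request_url and not parameter_name:
        problems.append("enable at least one of Request URL and Parameter Name")
    if request_url:
        if "://" in request_url:  # heuristic: a scheme implies a domain name
            problems.append("Request URL must not include a domain name")
        elif url_mode == "string" and not request_url.startswith("/"):
            problems.append("String Match value must start with '/'")
        elif url_mode == "regex":
            try:
                re.compile(request_url)
            except re.error as exc:
                problems.append(f"invalid regular expression: {exc}")
    return problems

def covered_paths(request_url, url_mode, paths=SAMPLE_PATHS):
    """Return the paths that the Request URL value would exempt."""
    if url_mode == "string":
        # Assumption: '*' matches any run of characters, including '/'.
        parts = (re.escape(part) for part in request_url.split("*"))
        rx = re.compile(".*".join(parts))
        return [p for p in paths if rx.fullmatch(p)]
    # Assumption: the regular expression is searched for anywhere in the URL.
    rx = re.compile(request_url)
    return [p for p in paths if rx.search(p)]

if __name__ == "__main__":
    for value, mode in [("/folder1/*", "string"), (r"testpage\.php", "regex"),
                        (r"^testpage\.php$", "regex")]:
        print(mode, value, validate_exception(value, mode), covered_paths(value, mode))
```

An empty result for a regular expression, as with `^testpage\.php$`, means the pattern cannot match a value containing a forward slash; a longer-than-expected result means the exception is broader than the URL that produced the false positive.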

Note that the numbers of attacks displayed in Attack Logs, FortiView, and the Blocked Requests widget on the Dashboard differ slightly.

  • Certain attack types, such as Bot and DDoS attacks, generate a large number of requests in a short time. To prevent numerous identical attack logs from flooding the UI, FortiWeb Cloud logs only the first request in Attack Logs and FortiView, while the Blocked Requests widget shows the actual count so you know how many attack requests were actually blocked.
  • To prevent Information Leakage, FortiWeb Cloud may cloak error pages or erase sensitive HTTP headers in response packets. Such items are logged only once per minute in Attack Logs and FortiView so that you know the Information Leakage rule took effect. Meanwhile, the actual count is recorded in the Blocked Requests widget.
  • If you have set FortiWeb Cloud to block attacks without generating a log when a certain violation occurs, such as Deny(no log), the attacks are not logged in Attack Logs and FortiView, but are counted in the Blocked Requests widget.
