Log types
FortiWeb Manager provides three types of logs. You can select the log type to view related logs.
- Attack Logs
- Traffic Logs
- Event Logs
Attack logs
Attack logs record attacks or intrusion attempts against the web servers protected by the FortiWeb appliance. This pane includes the following information:
Date/Time | The date/time when the log is generated. |
Device Name | The name of the managed device. |
Threat Level | The level of the threat. |
Action | The actions that FortiWeb has taken. |
Source | The source IP address of the client where the attack comes from. |
Destination | The destination IP address where the attack happens. |
HTTP Host | The HTTP host name. |
Method | The HTTP method used, such as GET, POST, PUT, and DELETE. |
Main Type | The signature detection category. |
Sub Type | The specific type of signature in the category. |
Click any log item, and you can see the Log Details page.
When the Main Type is Signature Detection, two additional buttons appear on the Log Details page.
Click Signature View to see the signature details.
Click Add Exception and configure the settings below to add a signature exception rule for the specific log to different group policies at the same time.
Signature Policy Name | Click to select the group signature policy. |
Disable Signature | Enable if you do not want to detect such attacks. |
Alert Only | Enable this option if you want to receive only logs or alert email about detections, but do not want to block matching requests. |
Add Exception | Enable this option if you want to exempt specific host name/URL combinations. The following fields can be configured only when the Add Exception option is enabled. |
URI | Do not include a domain name or parameters. To match a domain name, use the Host element type. To match a URL that includes parameters, use the Full URL type. |
HOST | |
Full URL | |
HTTP Method | Select the methods to include or exclude from the signature exemption. |
Client IP | Specify the client IP address or IP range that FortiWeb uses to determine whether or not to perform a signature scan for the request. |
Parameter | |
Cookie | |
After you finish the settings, click Push to apply the signature exception rule to the related FortiWeb device groups. See the FortiWeb Administration Guide in the Fortinet Document Library at https://docs.fortinet.com/fortiweb/admin-guides for more information about configuring signature exception rules.
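To gauge how much traffic an exception would stop scanning before you push it, the following added example (not Fortinet code, and not FortiWeb's matching engine) models an exception as a set of element values and lists which constructed log records it would cover. The record layout, the rule that every configured element must match, and CIDR notation for the Client IP range are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed records using the Attack Logs columns (Source, HTTP Host,
# Method) plus a request URL as it might appear on the Log Details page.
LOGS = [
    {"source": "203.0.113.10", "host": "www.example.com", "method": "POST",
     "url": "/app/search?q=annual+plan"},
    {"source": "198.51.100.7", "host": "www.example.com", "method": "POST",
     "url": "/app/search?q=report"},
    {"source": "203.0.113.10", "host": "shop.example.com", "method": "GET",
     "url": "/app/search"},
]

def elements(log):
    """Split one log record into the exception element types."""
    parts = urlsplit(log["url"])
    return {
        "URI": parts.path,            # no domain name, no parameters
        "HOST": log["host"],          # domain name goes here, not in URI
        "Full URL": log["url"],       # URL including its parameters
        "HTTP Method": log["method"],
        "Client IP": ipaddress.ip_address(log["source"]),
    }

def exempted(rule, log):
    """True if every element set in the rule matches the log (assumed AND)."""
    e = elements(log)
    for name, want in rule.items():
        if name == "Client IP":
            if e[name] not in ipaddress.ip_network(want):
                return False
        elif e[name] != want:
            return False
    return True

def scope(rule, logs=LOGS):
    """Indexes of the logged requests the rule would exempt from scanning."""
    return [i for i, log in enumerate(logs) if exempted(rule, log)]

# A URI-only exception covers every host, method and client;
# adding elements narrows it to the one request that needs it.
BROAD = {"URI": "/app/search"}
NARROW = {"URI": "/app/search", "HOST": "www.example.com",
          "HTTP Method": "POST", "Client IP": "198.51.100.0/24"}
```

Comparing `scope(BROAD)` with `scope(NARROW)` shows how many logged requests each candidate rule would leave unscanned.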
When the Main Type is HTTP Protocol Constraints, one additional button, Add Exception, appears on the Log Details page.
Click Add Exception and configure the settings below to add an HTTP constraint exception rule for the specific log.
HTTP Protocol Constraint Policy Name | Click to select the group HTTP protocol constraint policy. |
URL Pattern |
www.example.com ,
which is configured separately in the Host drop-down list. |
Host | Enter the IP address or fully qualified domain name (FQDN) of the protected host to which this exception applies. |
Source IP | Enable to check requests for matching the HTTP constraint exceptions rule by their source IP addresses. |
Protocol Constraint(s) | Select the protocol constraint(s) that you want to add to the exception rule according to the table below. |
After you finish the settings, click Push to apply the HTTP constraint exception rule to the related FortiWeb device groups. See the FortiWeb Administration Guide in the Fortinet Document Library at https://docs.fortinet.com/fortiweb/admin-guides for more information about configuring HTTP protocol constraint exceptions.
Traffic logs
Traffic logs record the traffic flowing through your FortiWeb device, such as HTTP/HTTPS requests and responses. This pane includes the following information:
Date/Time | The date/time when the log is generated. |
Device Name | The name of the managed device. |
Source | The source IP address of the client where the attack comes from. |
Destination | The destination IP address where the attack happens. |
Service | The web service used, such as HTTP, HTTPS. |
Method | The HTTP method used, such as GET, POST, PUT, and DELETE. |
Return Code | The HTTP response codes returned from the web server. |
Message | The detailed traffic log information. |
Event logs
Event logs display administrative events, such as downloading a backup copy of the configuration, and hardware failures. This pane includes the following information:
Date/Time | The date/time when the log is generated. |
Device Name | The name of the managed device. |
Level | The level of the log: critical, information, or notice. |
User Interface | The interface the user uses: daemon, GUI, or sshd. |
Action | The action items that FortiWeb has taken. |
Message | The detailed action information of FortiWeb. |
Note: Log View cannot show logs of managed devices that fail to communicate with FortiWeb Manager; a red down arrow indicates such devices on the Device Manager page.
You can schedule automatic deletion of event logs from System Settings > File Management. Check the box for event logs, and set the time periods and deletion time accordingly.
If you enter a comment when you reboot or shut down a FortiWeb Manager device from the Status > Status page, you can view the corresponding log.