Fortinet Document Library

Version: 6.2.3

Log types

FortiWeb Manager provides three types of logs. You can select the log type to view related logs.

  • Attack Logs
  • Traffic Logs
  • Event Logs

Attack logs

Attack logs record attacks or intrusion attempts against the web servers protected by the FortiWeb appliance. This pane includes the following information:

Date/Time: The date and time when the log is generated.
Device Name: The name of the managed device.
Threat Level: The level of the threat.
Action: The action that FortiWeb has taken.
Source: The source IP address of the client where the attack comes from.
Destination: The destination IP address where the attack happens.
HTTP Host: The HTTP host name.
Method: The HTTP method used, such as GET, POST, PUT, or DELETE.
Main Type: The signature detection category.
Sub Type: The specific type of signature in the category.

Click any log item to open the Log Details page.

When the Main Type is Signature Detection, two additional buttons appear on the Log Details page.

Click Signature View to see the signature details.

Click Add Exception and configure the settings below to add a signature exception rule for the specific log to several group policies at the same time.

Signature Policy Name: Click to select the group signature policy.
Disable Signature: Enable if you do not want to detect such attacks.
Alert Only: Enable this option if you want to receive only logs or alert email about detections, but do not want to block matching requests.
Add Exception: Enable this option if you want to exempt specific host name/URL combinations. The following fields can be configured only when the Add Exception option is enabled.

URI:
  • String Match—Value is a literal URL, and it starts with a forward slash (/).
  • Regular Expression Match—Value is a regular expression that matches all and only the URLs that the exception applies to, and it does not require a forward slash ( / ).

  This field is automatically configured with a default value.

  Do not include a domain name or parameters. To match a domain name, use the Host element type. To match a URL that includes parameters, use the Full URL type.

HOST:
  • String Match—Value is a literal host name.
  • Regular Expression Match—Value is a regular expression that matches all and only the hosts that the exception applies to.

  This field is automatically configured with a default value.

Full URL:
  • String Match—Value is a literal URL.
  • Regular Expression Match—Value is a regular expression that matches all and only the URLs that the exception applies to.

HTTP Method: Select the methods to include or exclude from the signature exemption.
  • Include—FortiWeb does not perform a signature scan for requests that include the specified HTTP methods.
  • Exclude—FortiWeb only performs signature scans for requests that include the specified HTTP methods.

Client IP: Specify the client IP address or IP range that FortiWeb uses to determine whether or not to perform a signature scan for the request.
  • Equal—FortiWeb does not perform a signature scan for requests with a client IP address or IP range that matches the value of Client IP.
  • Not Equal—FortiWeb only performs a signature scan for requests with a client IP address or IP range that matches the value of Client IP.

Parameter: Specify the name of the parameter and parameter value.
  • String Match—Name is the literal name of a parameter.
  • Regular Expression Match—Name is a regular expression that matches all and only the names of the parameters that the exception applies to.

Cookie: Specify the name of the cookie and cookie value.
  • String Match—Name is the literal name of a cookie.
  • Regular Expression Match—Name is a regular expression that matches all and only the names of the cookies that the exception applies to.

After you finish the settings, click Push to apply the signature exception rule to the related FortiWeb device groups. For more information about configuring signature exception rules, see the FortiWeb Administration Guide in the Fortinet Document Library at https://docs.fortinet.com/fortiweb/admin-guides.

When the Main Type is HTTP Protocol Constraints, one additional button, Add Exception, appears on the Log Details page.

Click Add Exception and configure the settings below to add an HTTP constraint exception rule for the specific log.

HTTP Protocol Constraint Policy Name: Click to select the group HTTP protocol constraint policy.

URL Pattern:
  • String Match—The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a forward slash ( / ).
  • Regular Expression Match—A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.cfm.

  Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.

Host: Enter the IP address or fully qualified domain name (FQDN) of the protected host to which this exception applies.
Source IP: Enable to check whether requests match the HTTP constraint exception rule by their source IP addresses.
Protocol Constraint(s): Select the protocol constraint(s) that you want to add to the exception rule according to the table below.

After you finish the settings, click Push to apply the HTTP constraint exception rule to the related FortiWeb device groups. For more information about configuring HTTP protocol constraint exceptions, see the FortiWeb Administration Guide in the Fortinet Document Library at https://docs.fortinet.com/fortiweb/admin-guides.
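
A Regular Expression Match value that matches more than intended exempts the extra URLs as well, so it is worth testing the value against known URLs before clicking Push. The following is an added example, not Fortinet code: it assumes Python's re module behaves like the appliance's regular-expression engine for these patterns, and all URLs and the helper names are constructed for illustration.

```python
import re


def audit_exception_pattern(pattern, must_exempt, must_scan):
    """Test a Regular Expression Match value against labelled URLs.

    Returns (missed, overbroad):
      missed    - URLs the exception is meant to cover but does not match
      overbroad - URLs that must stay inspected but the pattern matches
    Assumption: unanchored "search" matching, as in Python's re.search.
    """
    rx = re.compile(pattern)
    missed = [u for u in must_exempt if not rx.search(u)]
    overbroad = [u for u in must_scan if rx.search(u)]
    return missed, overbroad


# Constructed sample URLs (not taken from any real log).
MUST_EXEMPT = ["/index.php", "/reports/index.php"]
MUST_SCAN = ["/admin/upload.php", "/index.php.bak", "/aphp/login", "/index.cfm"]

# Candidate values for the URL Pattern / URI field.
CANDIDATES = [
    r"^/*.php",                   # pattern quoted in the text above
    r"\.php",                     # literal ".php" anywhere in the URL
    r"^/(reports/)?index\.php$",  # anchored to exactly the two intended URLs
]


def run_audit():
    """Audit every candidate; maps pattern -> (missed, overbroad)."""
    return {p: audit_exception_pattern(p, MUST_EXEMPT, MUST_SCAN)
            for p in CANDIDATES}


if __name__ == "__main__":
    for pattern, (missed, overbroad) in run_audit().items():
        verdict = "OK" if not missed and not overbroad else "REVIEW"
        print(f"{verdict:6} {pattern}")
        for url in missed:
            print(f"         does not exempt: {url}")
        for url in overbroad:
            print(f"         also exempts:    {url}")
```

Only the anchored pattern with an escaped dot covers the intended URLs and nothing else; the other two either miss the intended URLs or exempt URLs that should remain inspected.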

Traffic logs

Traffic logs record the traffic flowing through your FortiWeb device, such as HTTP/HTTPS requests and responses. This pane includes the following information:

Date/Time: The date and time when the log is generated.
Device Name: The name of the managed device.
Source: The source IP address of the client where the attack comes from.
Destination: The destination IP address where the attack happens.
Service: The web service used, such as HTTP or HTTPS.
Method: The HTTP method used, such as GET, POST, PUT, or DELETE.
Return Code: The HTTP response code returned from the web server.
Message: The detailed traffic log information.

Event logs

Event logs display administrative events, such as downloading a backup copy of the configuration, and hardware failures. This pane includes the following information:

Date/Time: The date and time when the log is generated.
Device Name: The name of the managed device.
Level: The level of the log: critical, information, or notice.
User Interface: The interface the user uses: daemon, GUI, or sshd.
Action: The action that FortiWeb has taken.
Message: The detailed action information of FortiWeb.

Note: Log View cannot show logs of managed devices that fail to communicate with FortiWeb Manager; a red down arrow marks such devices on the Device Manager page.

You can schedule automatic deletion of event logs from System Settings > File Management. Check the box for event logs, and set the time periods and deletion time accordingly.

If you enter a comment when you reboot or shut down a FortiWeb Manager device from the Status > Status page, you can view the corresponding log.
