log attack-log
Use this command to configure recording of attack log messages on the local FortiWeb disk.
You must enable disk log storage and select log severity levels using log disk before any attack logs can be stored on disk.
Also use this command to define specific packet payloads to retain when storing attack logs.
Packet payloads can be retained for specific attack types or validation failures detected by the FortiWeb appliance. Packet payloads supplement the log message by providing the actual data that triggered the attack log, which may help you to fine-tune your regular expressions to prevent false positives. You can also examine changes to attack behavior for subsequent forensic analysis. Alternatively, for more extensive packet logging, you can run a packet trace. For details, see network sniffer.
If the offending HTTP request exceeds 4 kilobytes (KB), the FortiWeb appliance retains only 4 KB of the payload, the part that triggered the log message.
You can view attack log packet payloads from the Packet Log column using the web UI. For details, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
Packet payloads can contain sensitive information. You can prevent sensitive data from display in the packet payload by applying sensitivity rules that detect and obscure sensitive information. For details, see log sensitive.
To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For details, see Permissions.
Syntax
config log attack-log
  set status {enable | disable}
  set HTTP-parse-error-output {enable | disable}
  set packet-log {account-lockout-detection | anti-virus-detection | cookie-security | credential-db-detection | csrf-detection | custom-access | custom-protection-rule | fsa-detection | hidden-fields-failed | HTTP-protocol-constraints | illegal-file-type | illegal-filesize | cors-protection | json-protection | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection | trojan-detection | user-tracking-detection | xml-protection | machine-learning | openapi-validation | websocket-security | mobile-api-protection | malicious-bots | known-good-bots | syntax-based-detection}
  set no-ssl-error {enable | disable}
  set HTTP2-parse-error-output {enable | disable}
  set adjust-packet {enable | disable}
end
Variable | Description | Default
status {enable | disable} | Enable to record attack log messages on the disk. To record attack logs, disk log storage must be enabled, and the severity levels selected using the log disk command. | enable
HTTP-parse-error-output {enable | disable} | Enable while debugging only, to log errors of the HTTP protocol parser. | disable
packet-log {account-lockout-detection | anti-virus-detection | cookie-security | credential-db-detection | csrf-detection | custom-access | custom-protection-rule | fsa-detection | hidden-fields-failed | HTTP-protocol-constraints | illegal-file-type | illegal-filesize | cors-protection | json-protection | ip-intelligence | padding-oracle | parameter-rule-failed | signature-detection | trojan-detection | user-tracking-detection | xml-protection | machine-learning | openapi-validation | websocket-security | mobile-api-protection | malicious-bots | known-good-bots | syntax-based-detection} | Select one or more detected attack types or validation failures. FortiWeb keeps packet payloads from its HTTP parser buffer with their associated attack log message. Separate each attack type with a space. To add or remove a packet payload type, re-type the entire space-delimited list with the new option included or omitted. Some options have historical names. Correlations with current feature names are: To empty this list and keep no packet payloads, effectively disabling the feature, enter | No default
no-ssl-error {enable | disable} | Enable to stop FortiWeb from logging SSL errors. This setting is useful when you use high-level security settings, which generate a high volume of these types of errors. | disable
HTTP2-parse-error-output {enable | disable} | Enable while debugging only, to log errors of the HTTP/2 protocol parser. | disable
adjust-packet {enable | disable} | When the attack packet log exceeds 4 KB, it is truncated and the excess portion removed. To ensure that the matched attack pattern is consistently preserved, enable this option so that the truncation retains the relevant portion. | disable
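The 4 KB payload cap and the adjust-packet behaviour are easier to reason about with a small model. The following Python is an added example, not FortiWeb's implementation: it keeps the first 4 KB of an oversized request (plain truncation) or a 4 KB window that always contains the matched pattern (the outcome adjust-packet is documented to produce). The windowing strategy, the sample request and the signature string are constructed assumptions.

```python
"""Model of a 4 KB retained-payload cap with and without match-preserving
truncation. Added example; the windowing below is an assumption, not
FortiWeb's actual algorithm."""

PAYLOAD_LIMIT = 4096  # the 4 KB cap documented for attack packet logs


def find_match(payload: bytes, pattern: bytes):
    """Return (start, end) of the first occurrence of pattern, or None."""
    i = payload.find(pattern)
    return None if i < 0 else (i, i + len(pattern))


def truncate_head(payload: bytes, limit: int = PAYLOAD_LIMIT) -> bytes:
    """Plain truncation: keep the first `limit` bytes and drop the rest.
    If the match sits past the cap, the retained payload no longer shows it."""
    return payload[:limit]


def truncate_around_match(payload: bytes, match, limit: int = PAYLOAD_LIMIT) -> bytes:
    """Keep at most `limit` bytes, chosen so the window always contains the
    match (assumed model of adjust-packet). The window is centred on the match
    and clamped to the payload boundaries."""
    if len(payload) <= limit:
        return payload
    start, end = match
    if end - start >= limit:
        return payload[start:start + limit]  # the match alone fills the window
    slack = limit - (end - start)
    win_start = max(0, start - slack // 2)
    win_end = win_start + limit
    if win_end > len(payload):
        win_end = len(payload)
        win_start = win_end - limit
    return payload[win_start:win_end]


def retained_payload(payload: bytes, pattern: bytes,
                     adjust_packet: bool = False,
                     limit: int = PAYLOAD_LIMIT) -> bytes:
    """Return the payload that would be stored beside one attack log entry."""
    match = find_match(payload, pattern)
    if match is None:
        raise ValueError("pattern not found; no attack log would be produced")
    if adjust_packet:
        return truncate_around_match(payload, match, limit)
    return truncate_head(payload, limit)


# Constructed sample: a POST body padded well past 4 KB with the offending
# parameter near the end, so plain truncation discards the evidence.
SIGNATURE = b"<script>alert(1)</script>"
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
    + b"comment=" + b"A" * 6000
    + b"&user=admin" + SIGNATURE
)

if __name__ == "__main__":
    plain = retained_payload(SAMPLE_REQUEST, SIGNATURE, adjust_packet=False)
    adjusted = retained_payload(SAMPLE_REQUEST, SIGNATURE, adjust_packet=True)
    print(len(plain), SIGNATURE in plain)        # 4096 False
    print(len(adjusted), SIGNATURE in adjusted)  # 4096 True
```

Run as a script, the sample shows the practical difference for forensics: both retained payloads are exactly 4 KB, but only the adjusted one still contains the bytes that fired the rule, which is what you need when tuning a regular expression against a false positive.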
Example
This example enables log storage on the hard disk and sets information as the minimum severity level that a log message must meet in order for the log to be stored. It also enables retention of packet payloads that triggered custom protection rules along with their correlating attack logs. Conversely, it disables any other packet payload retention that may have been enabled before, because each set packet-log command completely replaces the list.
config log disk
set status enable
set severity information
end
config log attack-log
set status enable
set packet-log custom-protection-rule
end
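Because set packet-log replaces the whole list, a script that renders the block from a single source of truth, parses it back, and checks it against a policy avoids accidentally dropping a payload type. The following Python is an added example, not FortiWeb code or its CLI: option names and values are taken from the command reference above, while the audit policy (which payload types must be retained, and that the debugging parser options stay off) is an assumption.

```python
"""Render, parse and audit a `config log attack-log` block. Added example;
the audit policy is an assumption, the option names come from the reference."""

import re

# Allowed packet-log types, as listed in the command reference.
PACKET_LOG_TYPES = frozenset("""account-lockout-detection anti-virus-detection
cookie-security credential-db-detection csrf-detection custom-access
custom-protection-rule fsa-detection hidden-fields-failed
HTTP-protocol-constraints illegal-file-type illegal-filesize cors-protection
json-protection ip-intelligence padding-oracle parameter-rule-failed
signature-detection trojan-detection user-tracking-detection xml-protection
machine-learning openapi-validation websocket-security mobile-api-protection
malicious-bots known-good-bots syntax-based-detection""".split())

TOGGLES = ("status", "HTTP-parse-error-output", "no-ssl-error",
           "HTTP2-parse-error-output", "adjust-packet")


def render(settings: dict) -> str:
    """Emit the config block. packet-log is written as one space-delimited
    `set` line because each `set packet-log` replaces the whole list."""
    lines = ["config log attack-log"]
    for key in TOGGLES:
        if key in settings:
            val = settings[key]
            if val not in ("enable", "disable"):
                raise ValueError(f"{key}: expected enable|disable, got {val!r}")
            lines.append(f"  set {key} {val}")
    types = list(settings.get("packet-log", []))
    unknown = sorted(set(types) - PACKET_LOG_TYPES)
    if unknown:
        raise ValueError(f"unknown packet-log type(s): {unknown}")
    if types:
        lines.append("  set packet-log " + " ".join(types))
    lines.append("end")
    return "\n".join(lines)


SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")


def parse(block: str) -> dict:
    """Parse a block of the same shape back into a dict. A later `set` for the
    same key wins, mirroring the replace-on-set behaviour of packet-log."""
    settings = {}
    for line in block.splitlines():
        m = SET_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        settings[key] = value.split() if key == "packet-log" else value
    return settings


def audit(settings: dict,
          required_types=("signature-detection", "custom-protection-rule")) -> list:
    """Return findings (empty list means compliant) against an assumed policy:
    attack logging on, debug-only parser logging off, required payloads kept.
    Defaults follow the reference table (status enable, parser options disable)."""
    findings = []
    if settings.get("status", "enable") != "enable":
        findings.append("attack logging to disk is disabled")
    for key in ("HTTP-parse-error-output", "HTTP2-parse-error-output"):
        if settings.get(key, "disable") == "enable":
            findings.append(f"{key} is enabled outside of debugging")
    kept = set(settings.get("packet-log", []))
    for t in required_types:
        if t not in kept:
            findings.append(f"packet payloads not retained for {t}")
    return findings


if __name__ == "__main__":
    # The reference's own example, reproduced as a constructed input.
    example = render({"status": "enable", "packet-log": ["custom-protection-rule"]})
    print(example)
    for finding in audit(parse(example)):
        print("finding:", finding)
```

Running it against the block from the example above reports one finding under the assumed policy, that signature-detection payloads are not retained; adding the type to the list and re-rendering emits the complete replacement `set packet-log` line rather than an incremental one.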