Fortinet black logo

Administration Guide

How to check traffic logs in FortiWeb

How to check traffic logs in FortiWeb

Traffic logs display traffic flow information, such as HTTP/HTTPS requests and responses.

Enabling Traffic Log

We need to avoid recording highly frequent log types such as traffic logs to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure. So if not necessary or the application traffic is heavy, it’s better to keep the traffic log disabled by default.

On 6.4.15 and previous builds, traffic log can be enabled by just turning on the global option via CLI or GUI:

FWB # show log traffic-log

config log traffic-log

set status enable

end

On 6.4.16 / 7.0.0 and later builds, besides turning on the global option, traffic log needs to be also enabled per server-policy via CLI:

FWB # show full-configuration server-policy policy

config server-policy policy

edit "SP_01"

set tlog enable

next

end

On 7.0.1 and newer builds, the global traffic-log option is removed from GUI so can be only set via CLI.

Enabling Traffic Packet Log

By default, traffic logs only display headers, while you can also enable packet-log to check more details for body contents. It may help you to fine-tune your regular expressions to prevent false negatives, or to examine changes to attack behavior for subsequent forensic analysis.

Unlike attack packet payloads, only HTTP request traffic packets are retained (not HTTP responses), and only the first 4 KB of the payload from the buffer of FortiWeb’s HTTP parser.

Please note that retaining traffic packet payloads is resource intensive, so only enable it when necessary.

You can enable this option via Log&Report > Log Config > Other Log Settings or CLI as below:

FWB # show log traffic-log

config log traffic-log

set status enable

set packet-log enable

end

Enabling Retain Packet Payload For

If you enabled retention of packet payloads from FortiWeb’s HTTP parser for attack and traffic logs, you can view a part of the payload as dissected by the HTTP parser, in table form, via the web UI.

Packet payload tables display the decoded packet payload associated with the log message that it caused. This supplements the log message by providing the actual data that triggered the regular expression, which may help you to fine-tune your regular expressions to prevent false positives, or aid in forensic analysis.

How to check traffic logs in FortiWeb

How to check traffic logs in FortiWeb

Traffic logs display traffic flow information, such as HTTP/HTTPS requests and responses.

Enabling Traffic Log

We need to avoid recording highly frequent log types such as traffic logs to the local hard disk for an extended period of time. Excessive logging frequency can cause undue wear on the hard disk and may cause premature failure. So if not necessary or the application traffic is heavy, it’s better to keep the traffic log disabled by default.

On 6.4.15 and previous builds, traffic log can be enabled by just turning on the global option via CLI or GUI:

FWB # show log traffic-log

config log traffic-log

set status enable

end

On 6.4.16 / 7.0.0 and later builds, besides turning on the global option, traffic log needs to be also enabled per server-policy via CLI:

FWB # show full-configuration server-policy policy

config server-policy policy

edit "SP_01"

set tlog enable

next

end

On 7.0.1 and newer builds, the global traffic-log option is removed from GUI so can be only set via CLI.

Enabling Traffic Packet Log

By default, traffic logs only display headers, while you can also enable packet-log to check more details for body contents. It may help you to fine-tune your regular expressions to prevent false negatives, or to examine changes to attack behavior for subsequent forensic analysis.

Unlike attack packet payloads, only HTTP request traffic packets are retained (not HTTP responses), and only the first 4 KB of the payload from the buffer of FortiWeb’s HTTP parser.

Please note that retaining traffic packet payloads is resource intensive, so only enable it when necessary.

You can enable this option via Log&Report > Log Config > Other Log Settings or CLI as below:

FWB # show log traffic-log

config log traffic-log

set status enable

set packet-log enable

end

Enabling Retain Packet Payload For

If you enabled retention of packet payloads from FortiWeb’s HTTP parser for attack and traffic logs, you can view a part of the payload as dissected by the HTTP parser, in table form, via the web UI.

Packet payload tables display the decoded packet payload associated with the log message that it caused. This supplements the log message by providing the actual data that triggered the regular expression, which may help you to fine-tune your regular expressions to prevent false positives, or aid in forensic analysis.