Fortinet white logo
Fortinet white logo

FortiOS Log Message Reference

30251 - LOGID_WAF_CUSTOM_SIGNATURE_BLOCK

30251 - LOGID_WAF_CUSTOM_SIGNATURE_BLOCK

Message ID: 30251

Message Description: LOGID_WAF_CUSTOM_SIGNATURE_BLOCK

Message Meaning: Web application firewall blocked application by custom signature

Type: WAF

Category: waf-custom-signature

Severity: Warning

Log Field Name

Description

Data Type

Length

vd

Virtual Domain Name

string

32

user

User Name

string

256

url

URL

string

512

unauthusersource

Unauthenticated user source

string

66

unauthuser

Unauthenticated user

string

66

tz

Time zone

string

5

type

Log Type

string

16

transid

uint32

10

time

Time

string

8

subtype

Log Subtype

string

20

srcuuid

string

37

srcport

Source Port

uint16

5

srcip

Source IP Address

ip

39

srcintfrole

Source Interface's assigned role (LAN, WAN, etc.)

string

10

srcintf

Source Interface

string

32

srcdomain

string

255

srccountry

string

64

severity

Severity

string

6

sessionid

Session ID

uint32

10

service

Service name

string

5

referralurl

string

512

rawdata

Raw Data

string

20480

ratemethod

string

4096

proto

Protocol

uint8

3

profile

Full profile name

string

64

poluuid

string

37

policytype

string

24

policyid

Policy ID

uint32

10

name

Method or custom signature name

string

64

msg

Log Message

string

4096

logid

Log ID

string

10

level

Log Level

string

11

httpmethod

string

20

group

User Group Name

string

512

fctuid

FortiClient UID

string

32

eventtype

Event Type

string

32

eventtime

Event Time, Time when WAF event detected

uint64

20

eventid

Event ID

uint32

10

dstuuid

string

37

dstuser

string

256

dstport

Destination Port

uint16

5

dstip

Destination IP Address

ip

39

dstintfrole

Destination Interface's assigned role (LAN, WAN, etc.)

string

10

dstintf

Destination Interface

string

32

dstcountry

string

64

dstauthserver

string

64

direction

Direction

string

4096

devid

Device ID

string

16

date

Date

string

10

constraint

WAF HTTP protocol restrictions

string

4096

authserver

Authentication Server

string

64

agent

Agent

string

1024

action

Status of the session. Uses following definition: - Deny = blocked by firewall policy. - Start = session start log (special option to enable logging at start of a session). This means firewall allowed. - All Others = allowed by Firewall Policy and the status indicates how it was closed.

string

17

30251 - LOGID_WAF_CUSTOM_SIGNATURE_BLOCK

30251 - LOGID_WAF_CUSTOM_SIGNATURE_BLOCK

Message ID: 30251

Message Description: LOGID_WAF_CUSTOM_SIGNATURE_BLOCK

Message Meaning: Web application firewall blocked application by custom signature

Type: WAF

Category: waf-custom-signature

Severity: Warning

Log Field Name

Description

Data Type

Length

vd

Virtual Domain Name

string

32

user

User Name

string

256

url

URL

string

512

unauthusersource

Unauthenticated user source

string

66

unauthuser

Unauthenticated user

string

66

tz

Time zone

string

5

type

Log Type

string

16

transid

uint32

10

time

Time

string

8

subtype

Log Subtype

string

20

srcuuid

string

37

srcport

Source Port

uint16

5

srcip

Source IP Address

ip

39

srcintfrole

Source Interface's assigned role (LAN, WAN, etc.)

string

10

srcintf

Source Interface

string

32

srcdomain

string

255

srccountry

string

64

severity

Severity

string

6

sessionid

Session ID

uint32

10

service

Service name

string

5

referralurl

string

512

rawdata

Raw Data

string

20480

ratemethod

string

4096

proto

Protocol

uint8

3

profile

Full profile name

string

64

poluuid

string

37

policytype

string

24

policyid

Policy ID

uint32

10

name

Method or custom signature name

string

64

msg

Log Message

string

4096

logid

Log ID

string

10

level

Log Level

string

11

httpmethod

string

20

group

User Group Name

string

512

fctuid

FortiClient UID

string

32

eventtype

Event Type

string

32

eventtime

Event Time, Time when WAF event detected

uint64

20

eventid

Event ID

uint32

10

dstuuid

string

37

dstuser

string

256

dstport

Destination Port

uint16

5

dstip

Destination IP Address

ip

39

dstintfrole

Destination Interface's assigned role (LAN, WAN, etc.)

string

10

dstintf

Destination Interface

string

32

dstcountry

string

64

dstauthserver

string

64

direction

Direction

string

4096

devid

Device ID

string

16

date

Date

string

10

constraint

WAF HTTP protocol restrictions

string

4096

authserver

Authentication Server

string

64

agent

Agent

string

1024

action

Status of the session. Uses following definition: - Deny = blocked by firewall policy. - Start = session start log (special option to enable logging at start of a session). This means firewall allowed. - All Others = allowed by Firewall Policy and the status indicates how it was closed.

string

17