Attack
Attack log messages record traffic that violated the policy that matched it. Log ID numbers of this type are listed in the table Attack logs by main type, subtype & ID.
The operating mode, network topology, and the rule’s configured Action can all affect how a policy responds to an attack, data leak, or server information disclosure. Depending on your configuration, violating traffic is either:
- blocked
- sanitized, then passed through
- allowed to continue unmodified (that is, logged only)
Attacks that generate log messages periodically
FortiWeb does not record the following types of attack logs individually. Instead, it records them periodically while the attack is ongoing, even if the attack has multiple sources:
- DoS attacks
- Padding oracle attacks
- HTTP/HTTPS protocol constraints
This aggregation prevents FortiWeb from flooding attack logs with identical or very similar messages. To differentiate logs caused by individual attacks from those caused by multiple attacks in the same category, FortiWeb records whether it generated the attack log message after matching multiple signatures.
In the attack log, the message field of aggregated log messages displays the message rule_name : Custom Access Violation.
In the aggregated attacks log, the type field displays the message Multiple Custom access rule Violations.
Logging for threat scoring
By default, FortiWeb does not display all signature violations that contributed to a threat scoring attack log message as individual entries in the attack log. Instead, a single attack log message is displayed for the signature violations that contributed to a combined threat score that exceeded the maximum. However, all the signature violations that contributed to the score are displayed in the message details. (Double-click the message to display its details.)
Also by default, FortiWeb does not display messages for signature violations that generated a threat score but did not exceed the threat scoring threshold.
Use the following CLI command to display the signature violations that contributed to a threat scoring attack log message as individual entries and to display any signature violations that generated a threat score but did not exceed the threat scoring threshold:
config log attack-log
set show-all-log {enable | disable}
For more information on CLI commands, see FortiWeb CLI Reference:
http://docs.fortinet.com/fortiweb/reference
Threat scoring attack log messages are also displayed in the aggregated attacks log.
Attack log descriptions
To locate a description for an attack log message, match the ID (log_id) field in the attack log message with that shown in the table Attack logs by main type, subtype & ID. All attack log messages have the same body fields, described in Attack log fields.
For attack log messages generated by an HTTP protocol constraint, the associated policy name is displayed in the raw view ([policy_name:<protocol_constraint_name>]) but not in the formatted view.
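The following is an added example, not part of the FortiWeb documentation: it maps a raw attack log line to a main type using a subset of the ID table below, flags the aggregated (periodic) entries by the message and type values quoted above, and pulls the policy name out of the raw-view [policy_name:<protocol_constraint_name>] form for HTTP protocol constraint logs. The key=value line layout, the field keys (log_id, type, msg) and the sample lines are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Subset of the "Attack logs by main type, subtype & ID" table on this page.
ATTACK_LOG_IDS: Dict[int, str] = {
    20000001: "Allow Method",
    20000006: "Black IP List",
    20000008: "Signature Detection",
    20000014: "DoS Protection",
    20000021: "Custom Access",
    20000023: "Padding Oracle",
    20000026: "HTTP Protocol Constraints",
}

# Values the page says mark an aggregated (periodically recorded) entry.
AGGREGATED_MSG = "rule_name : Custom Access Violation"
AGGREGATED_TYPE = "Multiple Custom access rule Violations"

# Assumed raw layout: space-separated key=value pairs, values optionally quoted.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Raw-view form [policy_name:<protocol_constraint_name>] quoted on the page.
_CONSTRAINT_RE = re.compile(r"\[([^:\]]+):([^\]]+)\]")

# Constructed sample lines (not real FortiWeb output).
SAMPLE_LOGS: List[str] = [
    'log_id=20000008 type=attack msg="signature match on request"',
    'log_id=20000021 type="Multiple Custom access rule Violations" '
    'msg="rule_name : Custom Access Violation"',
    'log_id=20000026 type=attack msg="[web-policy-1:header-length-limit]"',
]

def parse_attack_log(line: str) -> Dict[str, str]:
    """Split a raw key=value attack log line into a dict, dropping quotes."""
    return {k: (inner if raw.startswith('"') else raw)
            for k, raw, inner in _FIELD_RE.findall(line)}

def classify(fields: Dict[str, str]) -> Dict[str, Optional[object]]:
    """Resolve log_id to a main type, flag aggregation, extract policy name."""
    log_id = int(fields.get("log_id", "0"))
    aggregated = (fields.get("msg") == AGGREGATED_MSG
                  or fields.get("type") == AGGREGATED_TYPE)
    policy = constraint = None
    if log_id == 20000026:  # HTTP Protocol Constraints: raw view carries policy
        m = _CONSTRAINT_RE.search(fields.get("msg", ""))
        if m:
            policy, constraint = m.group(1), m.group(2)
    return {"log_id": log_id, "main_type": ATTACK_LOG_IDS.get(log_id),
            "aggregated": aggregated, "policy": policy, "constraint": constraint}

def summarize(lines: List[str]) -> Dict[str, int]:
    """Count entries per main type plus how many were aggregated entries."""
    counts: Dict[str, int] = {"aggregated": 0}
    for rec in (classify(parse_attack_log(l)) for l in lines):
        counts[rec["main_type"] or "unknown"] = counts.get(rec["main_type"] or "unknown", 0) + 1
        counts["aggregated"] += int(bool(rec["aggregated"]))
    return counts
```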
Attack logs by main type, subtype & ID
ID | main type | sub-type
20000001 | Allow Method | N/A
20000002 | Protected Hostnames | N/A
20000003 | Page Access | N/A
20000004 | Start Pages | N/A
20000005 | Parameter Validation | N/A
20000006 | Black IP List | N/A
20000007 | URL Access | N/A
20000008 | Signature Detection |
20000009 | Custom Signature Detection | N/A
20000011 | Hidden Fields | N/A
20000012 | Site Publish | Account Lockout
20000014 | DoS Protection |
20000015 | SYN Flood Protection | N/A
20000016 | HTTPS Connection Failure | N/A
20000017 | File Upload Restriction |
20000018 | GEO IP | N/A
20000021 | Custom Access |
20000022 | IP Reputation |
20000023 | Padding Oracle | N/A
20000024 | CSRF Protection | N/A
20000025 | Quarantined IPs | N/A
20000026 | HTTP Protocol Constraints |
20000027 | Credential Stuffing Defense |
20000028 | User Tracking | N/A
20000029 | XML Validation Violation |
20000030 | Cookie Security |
20000031 | FTP Command Restriction | N/A
20000033 | Timeout Session | N/A
20000035 | FTP File Security |
20000036 | FTPS Connection Failure | N/A
20000037 | Machine Learning |
20000038 | Openapi Validation Violation |
20000039 | WebSocket Security |
20000040 | MiTB AJAX Security | N/A
20000041 | Bot Detection | N/A
20000042 | CORS Check Security |
20000043 | JSON Validation Security |