Troubleshooting Tip: Web filter logs only show blocked in FortiAnalyzer

There are multiple ways to check the web-filter logs in FortiAnalyzer.

1. One is through the Log view -> Logs -> Fortinet Logs -> FortiGate -> Security -> Web Filter.
2. The second method is through the FortiView -> Applications & Websites.

Each method has its own benefits. FortiView has the advantage of being graphically visual and more compact, while Log Browse contains a lot more information without visuals.

However, there may be an issue where it is only showing 'Blocked' websites, and the user requirement is to have all traffic be logged. The following steps can be followed to work on the issue:

1. Verify the issue.

• Check FortiGate to see if it is generating the logs. If FortiGate itself does not generate the logs, the issue is mainly on FortiGate. The command below can be used to generate test logs on FortiGate:

diagnose test log

2. Check the logging configuration.

• FortiGate has the capability to configure the logging to comply with the storage requirements. Sometimes, the logging is reduced to accommodate the small storage and is unable to log all traffic entries.
• If the FortiGate has VDOM enabled, it is worth checking the override-setting.

3. Check the policy configuration and profile configuration.

• Some configurations is policy or profile specific. In this case, with the web-filter profile, it is necessary to enable the following settings:

config webfilter profile

    edit "sniffer-profile" <----- Profile name.

        set web-url-log enable

        set log-all-url enable

    end

If all of the steps are complete and the situation remains the same, reach out to TAC for support to check the configuration in more details.

Create a ticket through the Support portal.

If the issue is identified as a FortiGate issue (Step #1), use the FortiGate serial number for the ticket creation. Otherwise, use the FortiAnalyzer ticket.

Attach the configuration backup file to the ticket.