Skip to main content
A
Anonymous_User
Contributor
March 30, 2022

Technical Tip: How to view allowed URLs in the web filter logs

  • March 30, 2022
  • 0 replies
  • 13129 views
Description This article describes how to log and view ALLOWED web requests in FortiGate Web Filter logs for both FortiGuard category-based filtering and Static URL Filter. It includes updated GUI paths for FortiOS 7.2+ and CLI options that avoid changing category actions to Monitor.
Scope Scope FortiGate (FortiOS 5.2 and later; GUI paths updated through FortiOS 7.6).
Solution

Prerequisites:

 

  • The traffic must match a firewall policy that has a Web Filter profile applied.
  • In that policy, enable logging for allowed traffic (recommended: All Sessions).
  • Ensure a log destination is configured (disk, FortiAnalyzer, FortiGate Cloud, or syslog).
  • For HTTPS: full URL visibility often requires SSL deep inspection; otherwise, logs may show only the hostname/SNI.

Method 1: 

  • Go to Policy & Objects -> Firewall Policy, edit the policy used for web access.
  • Under Logging Options, enable Log Allowed Traffic and select All Sessions.
  • Under Security Profiles, ensure Web Filter is enabled and the correct profile is selected.
  • Go to Security Profiles -> Web Filter and edit the profile applied to that policy.

 

log_allowed.PNG

 

nageentaj_1-1648628276519.png

 

FortiGuard Categories: change the action from Allow to Monitor for the categories desired to be audited.

 

To get to the FortiGuard Categories lookup page, click here

 

  • For Static URL Filter: In Static URL Filter -> URL Filter, set relevant entries to Monitor (instead of Allow).
  • Save the profile and generate test web traffic from a client.

 

Method 2:


This method logs allowed and blocked URLs broadly (but leads to very high log volume). Commands may vary by FortiOS version; use the symbol '?' to confirm available options.


CLI - Basic URL logging:

 

config webfilter profile

    edit "<profile-name>"

        set log-all-url enable

        set web-url-log enable

    next

end

 

If additional HTTP header details is needed, enable extended logging. Extended log data may be truncated depending on the log target.

 

CLI:

 

config webfilter profile

    edit "<profile-name>"

        set extended-log enable

        set web-extended-all-action-log enable

    next

end

 

Where to find the logs (FortiOS GUI):

 

  • FortiOS 7.2 / 7.4 / 7.6: Log & Report -> Security Events -> Web Filter (use the Security Events dropdown to pick Web Filter if needed).
  • Older FortiOS versions: Log & Report -> Web Filter.


Troubleshooting tips:

 

  • No allowed logs appear: confirm Log Allowed Traffic is set to All Sessions on the matching firewall policy (not only Security Events).
  • Only hostnames appear: confirm the policy uses an SSL/SSH inspection profile that performs deep inspection.
  • Large/trimmed logs: extended log data may be truncated on some log targets; reliable syslog is typically required to retain larger raw log payloads.

 

Related articles:

Technical Tip: How to get a complete URL log

Technical Tip: Log all user traffic URLs using web filter profile

Technical Tip: Explanation of the Allow, Block, Exempt, and Monitor static URL filter actions
    Terms & ConditionsAccessibility statement