awomack
Explorer
May 11, 2020
Question

"Block malicious URLs" in Intrusion Prevention - any way to log what URL was blocked?


I have traffic that is being blocked by a FortiGate because it matches a malicious URL in the Intrusion Prevention malicious URL list:

Blocking Malicious URLs

To use this IPS signature to block malicious URLs, select Block malicious URLs. This feature uses a local malicious URL database on the FortiGate to assist in drive-by exploits detection. The database contains all malicious URLs active in the last one month, and all drive-by exploit URLs active in the last three months. The number of URLs controlled are in the one million range.


Ref: https://help.fortinet.com...e%20IPS%20scanning.htm


However, the logs do not actually log the URL that was matched. Is there any way to actually see these URLs? I have gone into the CLI and enabled extended-logging for the Intrusion Prevention security profile, but this only added the user agent string to the logs.


Just for reference, here is part of the log type that I am referring to:

type="utm",subtype="ips",eventtype="malicious-url",msg="URL blocked by malicious-url-list"


    tanr
    New Member
    May 11, 2020

    Checking my own IPS logs (from FortiAnalyzer) the malicious URL log entries do include the host and url, of the form:


    attack=malicious-url eventtype=malicious-url hostname=www.theblacklist.click url=/g3nnn/quake3-textures.html 


    Do you have "Resolve Hostnames" turned on in Log Settings?  See https://kb.fortinet.com/kb/viewContent.do?externalId=FD40598&sliceId=1.

    awomack (Author)
    Explorer
    May 11, 2020

    tanr wrote:

    Do you have "Resolve Hostnames" turned on in Log Settings?  See https://kb.fortinet.com/kb/viewContent.do?externalId=FD40598&sliceId=1.

    Thanks for replying to my post. Unfortunately this would not help me for these alerts, as the destination IP is a cloud proxy service we use. Besides, your log example shows you are getting more than just a reverse DNS lookup, as you have the URL's path after the hostname.


    Can you confirm the "type" and "subtype" of this log example?


    type="utm",subtype="ips"
    tanr
    New Member
    May 11, 2020

    Yes, for that same log entry: type=utm subtype=ips

    Pulling that from the raw logs on the FortiAnalyzer under Security > Intrusion Prevention.
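The two posters above see the same event type in two shapes: one log carries only the `msg` field, the other also carries `hostname` and `url`. The script below is an added example (not code from the thread or from Fortinet) that parses FortiGate/FortiAnalyzer `key=value` log lines, keeps only `type=utm subtype=ips eventtype=malicious-url` records, and reports the blocked URL when the fields are present or flags the record when they are not. The sample log lines are constructed from the fields quoted in the posts; the `srcip`/`dstip` fields and their values are assumed for illustration.

```python
import re
from typing import Dict, List, Optional

# FortiGate log lines are key=value pairs separated by spaces or commas.
# Values may be double-quoted, e.g. msg="URL blocked by malicious-url-list",
# or bare, e.g. hostname=www.theblacklist.click. Both forms appear in the thread.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]*))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate/FortiAnalyzer log line into a field dict."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def is_malicious_url_block(rec: Dict[str, str]) -> bool:
    """True for the IPS 'Block malicious URLs' event discussed in the thread."""
    return (
        rec.get("type") == "utm"
        and rec.get("subtype") == "ips"
        and rec.get("eventtype") == "malicious-url"
    )


def blocked_url(rec: Dict[str, str]) -> Optional[str]:
    """Reassemble hostname + url path, or None when the log omits both."""
    host, path = rec.get("hostname"), rec.get("url")
    if not host and not path:
        return None
    return f"{host or '<no-hostname>'}{path or ''}"


def summarize(lines: List[str]) -> List[Dict[str, str]]:
    """Return one row per malicious-url block, marking entries without a URL."""
    rows = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if not is_malicious_url_block(rec):
            continue  # other IPS events (signatures, anomalies) are out of scope
        rows.append({
            "src": rec.get("srcip", "?"),
            "dst": rec.get("dstip", "?"),
            "url": blocked_url(rec) or "(URL not logged)",
            "msg": rec.get("msg", ""),
        })
    return rows


# Constructed sample lines; field names other than those quoted in the thread
# (srcip, dstip, date, time) and all addresses are assumed for illustration.
SAMPLE_LOGS = [
    # Shape reported by the original poster: no hostname/url fields.
    'date=2020-05-11 time=10:00:01 type="utm",subtype="ips",eventtype="malicious-url",'
    'srcip=10.0.0.5 dstip=192.0.2.10 msg="URL blocked by malicious-url-list"',
    # Shape reported by tanr: hostname and url are present.
    'date=2020-05-11 time=10:00:02 type=utm subtype=ips eventtype=malicious-url '
    'attack=malicious-url srcip=10.0.0.7 dstip=192.0.2.20 '
    'hostname=www.theblacklist.click url=/g3nnn/quake3-textures.html '
    'msg="URL blocked by malicious-url-list"',
    # An unrelated IPS signature event that must be ignored.
    'type="utm" subtype="ips" eventtype="signature" attack="Example.Signature" '
    'srcip=10.0.0.9 dstip=192.0.2.30',
]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOGS):
        print(f"{row['src']} -> {row['dst']}  {row['url']}  [{row['msg']}]")
```

Running it over the two shapes prints the reassembled URL for the FortiAnalyzer-style record and "(URL not logged)" for the record that only carries `msg`, which makes it easy to spot, across a large export, which devices or log destinations are actually emitting the `hostname` and `url` fields.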