Fires
New Member
May 18, 2016
Solved

Enable UTM/Web filter log

  • May 18, 2016
  • 5 replies
  • 52625 views

Hi, how can I enable extended logging of web filtering?

I have a FortiGate 60D (firmware 5.2.5).

I enabled webfilter.

I added webfilter monitor-all to the interface.

But I do not have UTM under Log & Report :(

I tried Google and the CLI:

# config dlp sensor
# edit [Name of Profile]
# set extended-utm-log [enable | disable]
# set dlp-log [enable | disable]
# set nac-quar-log [enable | disable]
# end

BUT:

# config webfilter profile
# edit [Name of Profile]
# set extended-utm-log [enable | disable]

I get error -61 after this command. :(

Also I can't change the profile under Web Filter in Security Profiles :(

Please advise...

Thanks

Best answer by AndreaSoliva

Hi

Under FortiOS 5.2.x and above, UTM logging is enabled by default and you do not have to configure anything. This can also be tested in the following way:

# diagnose log test

Log out from your web GUI and log in again, and you will see that under Log you now have the UTM logs for each UTM feature. If you like to log everything based on webfilter, do the following:

--> Check that all categories which are allowed are on action "monitor" (which means actually allow but log)

--> All other categories which are not allowed, set to block or whatever

After that go to the CLI, edit your corresponding profile for WebFilter and use/check the commands:

config webfilter profile
    edit [Name of your profile]
        set log-all-url enable
        set web-content-log enable
        set web-filter-activex-log enable
        set web-filter-command-block-log enable
        set web-filter-cookie-log enable
        set web-filter-applet-log enable
        set web-filter-jscript-log enable
        set web-filter-js-log enable
        set web-filter-vbs-log enable
        set web-filter-unknown-log enable
        set web-filter-referer-log enable
        set web-filter-cookie-removal-log enable
        set web-url-log enable
        set web-invalid-domain-log enable
        set web-ftgd-err-log enable
        set web-ftgd-quota-usage enable
    next
end

After that check that the firewall policy which is used for your WebFilter HTTP/HTTPS based traffic has log enabled for "all sessions".

That's it... generate traffic and wait some 2/3 seconds... sometimes, if the log does not exist under Log for WebFilter, you have to log out and log in again or do a refresh in your browser.

Hope this helps

Have fun

Andrea
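The log options Andrea lists above, as an added audit check (example code, not from the forum post or from Fortinet): it parses the FortiOS CLI shape used throughout this thread and reports which of those options a given webfilter profile leaves unset or disabled. The sample configuration is constructed, and `REQUIRED_LOG_OPTIONS` and the function names are assumptions of this example.

```python
# Added example (not from the forum post or from Fortinet): a parser for the
# FortiOS CLI shape used throughout this thread (config / edit / set / next /
# end) and an audit of a webfilter profile against the log options above.
REQUIRED_LOG_OPTIONS = [
    "log-all-url", "web-content-log", "web-filter-activex-log",
    "web-filter-command-block-log", "web-filter-cookie-log",
    "web-filter-applet-log", "web-filter-jscript-log", "web-filter-js-log",
    "web-filter-vbs-log", "web-filter-unknown-log", "web-filter-referer-log",
    "web-filter-cookie-removal-log", "web-url-log", "web-invalid-domain-log",
    "web-ftgd-err-log", "web-ftgd-quota-usage",
]

def parse_fortios(text: str) -> dict:
    """Nested dicts keyed by 'config' table and 'edit' entry names. 'next'
    closes an edit; 'end' closes up to and including the nearest 'config',
    because FortiOS lets 'end' leave an edit without a 'next'."""
    root: dict = {}
    stack = [("config", root)]
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        kw = tokens[0]
        if kw in ("config", "edit"):
            name = " ".join(tokens[1:]).strip('"')
            stack.append((kw, stack[-1][1].setdefault(name, {})))
        elif kw == "set" and len(tokens) >= 3:
            stack[-1][1][tokens[1]] = " ".join(tokens[2:]).strip('"')
        elif kw == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif kw == "end":
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return root

def audit_webfilter_logging(config_text: str, profile: str) -> dict:
    """Return the required log options the profile never sets ('missing')
    and those it sets to something other than 'enable' ('disabled')."""
    prof = parse_fortios(config_text).get("webfilter profile", {}).get(profile, {})
    return {
        "missing": [o for o in REQUIRED_LOG_OPTIONS if o not in prof],
        "disabled": [o for o in REQUIRED_LOG_OPTIONS
                     if prof.get(o, "enable") != "enable"],
    }

# Constructed sample: two log options on, one explicitly off, the rest unset;
# the nested 'config ftgd-wf ... end' exercises the 'end' handling above.
SAMPLE_CONFIG = """\
config webfilter profile
    edit "monitor-all"
        set inspection-mode proxy
        config ftgd-wf
            set max-quota-timeout 300
        end
        set log-all-url enable
        set web-content-log enable
        set web-url-log disable
    next
end
"""
```

Feed it the output of `show webfilter profile` from a unit and compare the result against the list in the answer before chasing missing log entries elsewhere.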

5 replies

Fires
FiresAuthor
New Member
May 19, 2016

Hi, thank you very much. After

# diagnose log test

I see Web Filter under Log & Report. I followed your instructions but I still do not have any traffic under Web Filter (just testing logs)..

I checked the profile: monitor-all (factory from Fortinet, both versions Proxy and Flow)

I checked my firewall rule, which allows connection to the internet; it is a rule with big traffic

I checked my log setting (it is set to memory)

I tried logging out multiple times

So it should be fine, but under Web Filter I still get just the testing records :(

Firewall rule in attachment

Fires
FiresAuthor
New Member
May 19, 2016

I see something strange: under Log & Report - Security Log - Web Filter I see just records with action = blocked :( nothing else. Some filter?

AndreaSoliva
New Member
May 19, 2016

Hi

Check if your WebFilter is correctly licensed, otherwise all will be blocked; this means check the status on the dashboard (the GUI first page when you log in) and what is written there regarding the WebFilter license!

Second, check the log configuration (example for memory logging):

###########################
# Log Settings
###########################
config log setting
    set resolve-ip enable
    set resolve-port enable
    set log-user-in-upper disable
    set fwpolicy-implicit-log enable
    set fwpolicy6-implicit-log disable
    set log-invalid-packet disable
    set local-in-allow enable
    set local-in-deny-unicast disable
    set local-in-deny-broadcast disable
    set local-out disable
    set daemon-log disable
    set neighbor-event disable
    set brief-traffic-format disable
    set user-anonymize disable
end

###########################
# Log Settings Gui
###########################
config log gui-display
    set resolve-hosts enable
    set resolve-apps enable
    set fortiview-unscanned-apps enable
    set fortiview-local-traffic enable
    set location memory
end

###########################
# Log Settings Device Memory
###########################
config log memory setting
    set status enable
    set diskfull overwrite
end

If the license is active, the log config is done and the webfilter is configured, you should see logs....

Hope it helps

Have fun

Andrea

AndreaSoliva
New Member
May 19, 2016

Again me... additional check: is this firewall policy rule with the webfilter really the firewall policy rule which is used? It seems that this firewall policy is not hitting your traffic. This could be the reason you see only block without the webfilter profile used etc. Look at the interfaces, like source, destination etc.

Hope it helps

Have fun

Andrea

AndreaSoliva
New Member
May 19, 2016

Hi

You do deep inspection, which means HTTPS......... I expect you imported the certificate from the FGT to your local host as a trusted certificate authority, separately for IE and Firefox. If so, your rule is indicating service ALL, but HTTP is not covered because I do not see any protocol options profile, which means HTTP?

Within the tests are you using HTTPS only.....? Are you testing HTTP and/or HTTPS?

Add an HTTP protocol options profile to the rule.

From the log point of view, meaning memory, it should be fine; defining GUI as memory is also fine. Drop me also a screenshot of your webfilter and a log screenshot where I can see a log entry for webfilter and for forward log.

Andrea

Fires
FiresAuthor
New Member
May 19, 2016

Hi, I did not install any certificate. I just need to log all visited webpages.

Here are the screenshots.

 

AndreaSoliva
New Member
May 19, 2016

 

Hi

OK, I see you actually have no clue what you are using! Sorry to say this, but "deep-inspection" is based on man-in-the-middle technology; this means breaking out HTTPS traffic and looking into the traffic. For this the FGT must play man in the middle. From this point of view, since on your site nothing is working as expected, start from the beginning again and please copy/paste the commands into the console. For some commands you have to edit the profile name; look for the positions [Name of Profile] and replace them with the name of the profile:

FULL LOG CONFIG WITH FILTER:

*************************

config log setting
    set resolve-ip enable
    set resolve-port enable
    set log-user-in-upper disable
    set fwpolicy-implicit-log enable
    set fwpolicy6-implicit-log disable
    set log-invalid-packet disable
    set local-in-allow enable
    set local-in-deny-unicast disable
    set local-in-deny-broadcast disable
    set local-out disable
    set daemon-log disable
    set neighbor-event disable
    set brief-traffic-format disable
    set user-anonymize disable
end

config log gui-display
    set resolve-hosts enable
    set resolve-apps enable
    set fortiview-unscanned-apps enable
    set fortiview-local-traffic enable
    set location memory
end

config log memory setting
    set status enable
    set diskfull overwrite
end

#
# If memory log is used set max-size as
# warning threshold.
#
# For "max-size" value "bytes" are used.
#
# config log memory global-setting
#     set max-size 65536
#     set full-final-warning-threshold 95
#     set full-first-warning-threshold 75
#     set full-second-warning-threshold 90
# end

config log memory filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set netscan-discovery enable
    set netscan-vulnerability enable
    set voip enable
    #set dlp-archive enable
end

config log eventfilter
    set event enable
    set router enable
    set vpn enable
    set user enable
    set wireless-activity enable
    set wan-opt enable
    set endpoint enable
    set ha enable
end

config log threat-weight
    set status enable
end

CONFIGURE A PROTOCOL PROFILE

****************************

config firewall profile-protocol-options
    edit [Name of your Profile]
        set comment "Unencrypted default profile"
        set oversize-log enable
        set switching-protocols-log enable
        config http
            set ports 80
            set status enable
            set inspect-all disable
            set options clientcomfort
            set comfort-interval 10
            set comfort-amount 1
            set fortinet-bar disable
            set streaming-content-bypass enable
            set switching-protocols bypass
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
            set block-page-status-code 200
            set retry-count 0
        end
        config ftp
            set ports 21
            set status disable
            set inspect-all disable
            set options clientcomfort
            set comfort-interval 10
            set comfort-amount 1
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
        end
        config imap
            set ports 143
            set status disable
            set inspect-all disable
            set options fragmail
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
        end
        config mapi
            set ports 135
            set status disable
            set options fragmail
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
        end
        config pop3
            set ports 110
            set status disable
            set inspect-all disable
            set options fragmail
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
        end
        config smtp
            set ports 25
            set status disable
            set inspect-all disable
            set options fragmail
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
            set server-busy disable
        end
        config nntp
            set ports 119
            set status disable
            set inspect-all disable
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
            set scan-bzip2 disable
        end
        config dns
            set ports 53
            set status enable
        end
        config mail-signature
            set status disable
        end
    next
end

CONFIGURE A SSH-SSL PROTOCOL PROFILE

************************************

config firewall ssl-ssh-profile
    edit [Name of your Profile]
        set comment "Encrypted URL Scan Only default profile"
        set server-cert-mode re-sign
        set caname Fortinet_CA_SSLProxy
        set certname Fortinet_CA_SSLProxy
        set ssl-invalid-server-cert-log enable
        config ssl
            set inspect-all disable
            set allow-invalid-server-cert enable
            set ssl-ca-list disable
        end
        config https
            set ports 443
            set status certificate-inspection
            set client-cert-request bypass
            set unsupported-ssl bypass
            set allow-invalid-server-cert enable
            set ssl-ca-list disable
        end
        config ftps
            set ports 990
            set status disable
            set client-cert-request bypass
            set unsupported-ssl bypass
            set allow-invalid-server-cert enable
            set ssl-ca-list disable
        end
        config imaps
            set ports 993
            set status disable
            set client-cert-request inspect
            set unsupported-ssl bypass
            set allow-invalid-server-cert enable
            set ssl-ca-list disable
        end
        config pop3s
            set ports 995
            set status disable
            set client-cert-request inspect
            set unsupported-ssl bypass
            set allow-invalid-server-cert enable
            set ssl-ca-list disable
        end
        config smtps
            set ports 465
            set status disable
            set client-cert-request inspect
            set unsupported-ssl bypass
            set allow-invalid-server-cert enable
            set ssl-ca-list disable
        end
    next
end

AndreaSoliva
New Member
May 19, 2016

Sorry, here is the rest of the commands; this forum stuff has some limitations:

 

CONFIGURE WEBFILTER OPTIONS

***************************

config webfilter profile
    edit [Name of your Profile]
        set comment "Webfilter default profile"
        set inspection-mode proxy
        set https-replacemsg disable
        config web
            set safe-search url
            set log-search enable
        end
        config ftgd-wf
            set max-quota-timeout 300
            set rate-image-urls enable
            set rate-javascript-urls enable
            set rate-css-urls enable
            set rate-crl-urls enable
        end
        set log-all-url enable
        set web-content-log enable
        set web-filter-activex-log enable
        set web-filter-command-block-log enable
        set web-filter-cookie-log enable
        set web-filter-applet-log enable
        set web-filter-jscript-log enable
        set web-filter-js-log enable
        set web-filter-vbs-log enable
        set web-filter-unknown-log enable
        set web-filter-referer-log enable
        set web-filter-cookie-removal-log enable
        set web-url-log enable
        set web-invalid-domain-log enable
        set web-ftgd-err-log enable
        set web-ftgd-quota-usage enable
    next
end

 

CONTENT FILTER FOR BYPASS AV

***************************

 

config webfilter content-header
    edit 1
        set comment "exempt from antivirus scanning"
        config entries
            edit "video\\/.*"
                set action exempt
            next
            edit "audio\\/.*"
                set action exempt
            next
        end
        set name "exempt-antivirus-scanning"
    next
end

config webfilter profile
    edit [Name of your Profile]
        config web
            set content-header-list 1
        end
    next
end

 

URL FILTER FOR WEBFILTER TO BYPASS UTM FEATURES

********************************************

config webfilter urlfilter
    edit 1
        set name "urlfilter-bypass-av"
        set comment "URL Filter default profile"
        config entries
            edit 1
                set url "*.apple.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 2
                set url "*.itunes.apple.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 3
                set url "*.phobos.apple.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 4
                set url "*.apple.com.edgesuite.net"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 5
                set url "*.windowsupdate.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 6
                set url "*.download.windowsupdate.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 7
                set url "*.stats.update.microsoft.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 8
                set url "*.msftncsi.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
            edit 9
                set url "*.microsoft.com"
                set type wildcard
                #set type simple
                set action exempt
                #set exempt av web-content activex-java-cookie dlp fortiguard range-block all
            next
        end
    next
end

 

config webfilter profile
    edit [Name of your Profile]
        config web
            set urlfilter-table 1
        end
    next
end

 

Now go to your corresponding firewall policy rule and add, above it, the same rule as you delivered to me. Do not use the same rule as you delivered in the screenshot; really create another one above the existing one and do the following:

--> Add service HTTP and HTTPS (nothing else, and DO NOT USE service ALL)

--> Add the protocol options profile (the name of the profile you configured above with the commands "profile-protocol-options")

--> Add the SSL/SSH inspection profile (the name of the profile you configured above with the commands "ssl-ssh-profile")

--> Add the webfilter profile (your WebFilter profile name which you used above with the commands "webfilter profile")

--> The rest of the firewall policy is as you delivered in the screenshot

Now test and check if your request is hitting the right new policy, which is above your current policy.

  

have fun

  

Andrea

AndreaSoliva
New Member
May 19, 2016

Hi

 

again me :)

 

What you have now is HTTP WebFilter and HTTPS with URL Scan Only, also called Certificate Inspection. This means the FGT does not play man in the middle; instead, for HTTPS the certificate CN (Common Name) is used to evaluate the categorisation for the WebFilter etc. Do not add an AV profile to this HTTP/HTTPS rule because AV cannot be done on HTTPS without deep inspection. If you like deep inspection, this is another step, but please do now what I delivered.

 

Andrea