log-all-urls, extended-utm-log, web browsing Reporting, syslog ...

Forum|Forum|12 years ago
October 23, 2013
7 replies
11138 views

In another thread GembuL wrote

on FortiOS 5 you should enable extended-utm-log via CLI for each UTM profile to show your UTM logs, otherwise all of UTM logs will recognize as a normal traffic log

I' m confused about what the extended-utm-log setting does. By chance, I was talking to FortiNet tech support recently, and I think I understood them to tell me that, if I enable extended-utm-log in a web filter profile, then all URLs browsed will get logged. I want to avoid that both for volume and for employee privacy purposes. (This is separate from the config webfilter profile -> edit profilename -> set log-all-urls setting, which I assume would also log all URLs). But, is it that, if I don' t enable extended-utm-log, then I cannot get detailed reports on volumes of sites used? To be clear, I want detailed web browsing consumption reporting, but I' d like to avoid logging all actual URLs visited if possible, for data protection reasons. I' ve done some more experimentation with this. I noticed, in the FortiOS 5.0 Handbook (version 5.0.4, date Sept 27, 2013, page 647, section Viewing log messages and archives) that it says:

If you have configured either a Syslog or WebTrends server, you will not be able to view log messages from the web-based manager or CLI.

This seems odd. But it also seems true. I simply cannot find any URLs in the logs which I can view in the FortiGate' s own GUI. But URLs ARE being logged to my syslog server. And, in fact, as I have it configured presently, with both log-all-urls and extended-utm-log enabled, the nightly Reports from the FortiGate don' t include URL details. I' ll turn off syslog for the moment, and see if the nightly reports start including more details, and I can start seeing URLs in the logs in the FortiGate GUI. But it just seems weird. Anyone else have experience to share about this? .. and the different ' log all URLs' / ' enable extended utm log' settings? thanks,

Jay_LiboveAuthor

New Member

I think I have to retract this. I think I do now have both on-FortiGate logging, with viewed URLs visible in the Log & Report section and in the nightly security reports, and also to a syslogd server at the same time. The confusion, I think, is that the log-all-urls setting and the extended-utm-log setting seems to have some kind of relation, where turning off extended-utm-log will also automatically silently turn off log-all-url, and turning back on extended-utm-log will NOT automatically return log-all-url to its former setting.

Silver

New Member

Dear All, i have problem related to report on fortigate... 1) i want to have a full report of url visiting by each using and bandwidth consuming 2) normally the report only display for top 5 application or top 10 web but instead of that i want more like a full report more than top 10 . Is it possible 3) web url are not also display even enable extended utm log 4) i have decided to configure a syslog server with will running ivew softeware on the syslog server but its not working log are not generate can someone ever done it on cyberoam ivew software with fortigate fortinet firmware running v5 patch 1 model 100

Jay_LiboveAuthor

New Member

Hi Silver. First thing, apply the 5.0.5 update which came out a few days ago. v5.0 is very much a work-in-progress, and the earliest releases were problematic. Second, make sure that you have both extended-utm-log and also log-all-urls settings enabled. Both are necessary for detailed URL logs to be created. Third, about syslog: FG# config log syslogd setting FG(setting)# set status enable FG(setting)# set server " 11.22.33.44" <- " IP address of your syslogd server" FG(setting)# set source-ip 55.66.77.88 <- IP address on your FG from which to send syslog messages FG(setting)# end On the syslogd receiver - I have no specific experience with the cyberoam server you mention - make sure that a) the syslog server is configured to accept remote syslog messages from other systems at all. Many syslog servers by default do not listen for syslog messages being logged to them over the network. b) the firewall on the server where you are running the syslog server software is configured to accept UDP port 514 As for the ultimate goal you' ve stated, to have much more detailed reports, I do not know whether FortiOS supports such more detailed reports. It would be interesting to know. Do be careful about setting your users' privacy expectations correctly, both as a matter of good ethical practice, and as a matter of legal and regulatory compliance depending on your geography and the relevant laws.

Jay_LiboveAuthor

New Member

I notice (FortiOS 5.0.4) that the Log & Report -> Report -> Local menu allows generation of a report with <selectable> " Top Users By Bandwidth" . Perhaps that meets your needs, Silver?

Silver

New Member

Dear Jay Libove, Thank you very much for your input. The reason why i am looking to setup a syslog server is that i cannot get more that top then users for url visiting etc. its only give reporting for top 10 but not more than 10. is it possible to modify this on the local fortigate report. and can you tell me how to schedule a report from forticloud to send to my email plz thanks

Silver

New Member

Jay, while i enable extended-utm-log and log-all-url only extended-utm-log display while doing show command but log-all-url are not display enable while.

Jay_LiboveAuthor

New Member

I don' t use FortiCloud, so I can' t offer any help there. As for extended-utm-log and log-all-url, note that my experience is with 5.0.4. As noted elsewhere, the 5.0 series is very much evolving. I think I recall that you were on an earlier 5.0 release. This may be affected by updating. In 5.0.4, the log-all-url setting only appears after you enable extended-utm-log. So: # config webfilter profile (profile)# edit default (default)# set extended-utm-log enabled (default)# set log-all-url enabled (default)# end Note that log-all-url likely only appears in specific security profiles (webfilter, for one); in which config subsection are you trying to set log-all-url ?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded