Skip to main content
xinger
xinger
New Member
September 9, 2015
Question

Web browsing times and catdesc are not fully populated

  • September 9, 2015
  • 2 replies
  • 3763 views

(I've made significant corrections to the original post.)

Many of my Fortigate 5.0.9 traffic logs seem to be missing values in the ebtime and catdesc fields.  Specifically,

[ul]
  • HTTPS / port 443 traffic logs never have ebtime values.  
  • HTTP / port 80 traffic logs have always had catdesc values until we deployed an AV + Sandbox security profile[ul]
  • About 80% of the HTTP logs in the traffic log are now missing catdesc, specifically when utmevent=virus (and utmaction=passthrough which I assume means that they are being passed through to the sandbox).  These logs have an ebtime value, but they are impossible to summarize by category because catdesc is blank.
  • The other 20% of the HTTP logs in the traffic log have utmevent=webfilter and they have catdesc and ebtime values as they've always had.[/ul][/ul]

    So I think I have two issues:  why are there no ebtime values for HTTPS traffic? and why are there no catdesc values for most of the HTTP traffic?  How can I address these?  Below are snippets of what I think are the relevant config settings, but let me know if left out any relevant settings.  I'm using 5.0.9 on a mix of 60D, 100D, and 500D devices.  I am viewing and reporting from a FortiAnalyzer 5.2.2.  Thanks in advance for helping me!

    config antivirus settings
    set grayware enable
    end

    config antivirus profile
    edit "default"
    set comment "scan and delete virus"
    config http
    set options scan
    end

    next

     

    edit "AV-SB"
    set block-botnet-connections enable
    set ftgd-analytics everything
    config http
    set options scan
    end

    config ftp
    set options scan
    end

    next

     

    config firewall policy

     

    edit 12
    set srcintf "lan"
    set dstintf "wan1"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "Outbound-Services"
    set utm-status enable
    set profile-protocol-options "default"
    set deep-inspection-options "SSLInspectProfile"
    set av-profile "AV-SB"
    set webfilter-profile "Default-WF"
    set nat enable
    next

    • 2 replies

    xinger
    xingerAuthor
    New Member
    September 9, 2015

    When I look at the FW rule in FortiManager (sorry, I don't have direct access to the Fortigates), I see four security profiles in the rule:

    [ul]
  • Antivirus profile
  • SSL inspection profile
  • Web filter profile
  • Protocol port mapping profile[/ul]

    Do they get processed in this order?  If so, can they be reordered such that the web filter profile is processed before the AV profile?  Do you see where I am heading?  It seems like the web filtering profile could then have the opportunity to assign the catdesc.  (It also seems like you could avoid some of the resource-intensive AV processing if it only had to process items allowed by the web filter, but that's an efficiency observation and unrelated to my catdesc issue.)

    • xinger
    xingerAuthor
    New Member
    September 14, 2015

    Peifer wrote:

    About 80% of the HTTP logs in the traffic log are now missing catdesc, specifically when utmevent=virus and utmaction=passthrough

    How can I reduce the high volume of AV logs?  How can I log only significant utmactions?  I don't want to log AV events in the traffic log where utmevent=virus and utmaction=passthrough.  I only want to log events where utmevent=virus and utmevent!=passthrough.

    Terms & ConditionsAccessibility statement