| Description | This article describes how WAF logs and Geo-IP logs show up. |
| Scope | FortiADC, FortiADC-VM. |
| Solution |
It is possible sometimes to see the same IP security log generated by the WAF log and Geo-IP log. That is when the WAF profile and Geo-IP profile is configured for the same VS.
Example: WAF log for the same IP can show action as Alert while Geo-IP shows actions as Deny.
This is normal because the GEO IP scan and WAF work on different layers. One is in the Kernel layer (Geo-IP module) and another is in the APP layer (WAF module), and both points will be scanned.
GEO IP is not a WAF feature in the current design, so there are two different scan paths. FortiADC will be generating logs for each one.
WAF Log:
Geo-IP log:
Related article: |
