FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
ojacinto
Staff
Staff
Description
Web Application Firewall profiles can be created with a variety of options (Signatures and Constraints), similar to other security profiles.  Once options are enabled, their Action can be set to Allow, Monitor, or Block, and their Severity can be set to High, Medium, or Low.

This article describes how to see the Web Application Firewall (WAF) logs in the FortiAnalyzer device.

Scope
It is assumed the FortiGate device has a Firmware version 5.4.0 or later and its logs are already sent to a FortiAnalyzer device running a firmware version 5.4.0 or later.

Solution
In order to see the logs for the Web application Firewall profile in the FortiAnalyzer, the log option must be enabled in every signature of the Web application Firewall profile configured into the FortiGate.

For example in the following WAF profile:
config firewall waf-profile
     edit "waf5"
     config signature
         config main-class 60000000
             set status enable
             set action block
             set log enable
             set severity medium
         config main-class 70000000
             set status enable
             set action block
             set log enable
             set severity medium
         end
         set disabled-sub-class 50140000
         set disabled-signature 20000182 30000108 40000108 60030001 80080005 80200001 80200004
         set credit-card-detection-threshold 3
         end
     config constraint
end
next
end

After all the log options have been enabled  in the Web Firewall Application, the WAF tab will show the security logs on the FortiAnalyzer under Logview > Security > Web Application Firewall.

ojacinto_FD40296_tn_FD40296.jpg

Contributors