FortiAnalyzer
smkml
Staff
Article Id 367628
Description

This article explains why the Top Attack URLs chart in a FortiWeb report generated on FortiAnalyzer shows 'none' as its output.

[Image: Top Attack URLs chart showing 'none']
Scope

FortiWeb, FortiAnalyzer.
Solution

The chart uses the default dataset fwb-attack-Top-Attack-URLs, whose SQL query is as follows:

select
    http_host,
    http_url,
    count(*) as totalnum
from
    $log
where
    $filter
    and http_host is not null
    and http_url is not null
group by
    http_host,
    http_url
order by
    totalnum desc

Based on this query, searching the Attack logs in Log View and inspecting the http_host and http_url attributes shows that the affected records carry the value 'none' in both fields.

Example log:

date="2024-07-10" time="10:19:42" id=7389826158637875905 bid=8174286 dvid=1180 itime=1720577981 euid=3 epid=3 dsteuid=3 dstepid=101 log_id=20000016 type="attack" subtype="N/A" pri="alert" msg_id=1882323069 timezone="(GMT-7:00)" proto="tcp" service="https/tls1.2" src="64.62.122.144" src_port=59961 dst="10.0.3.32" dst_port=443 policy="financial-link-server-policy" action="Alert_Deny" http_method="none" http_url="none" http_host="none" http_agent="none" http_session_id="none" severity_level="Low" trigger_policy="N/A" msg="SSL Error(319) - ssl3 ext invalid servername" signature_subclass="N/A" signature_id="N/A" srccountry="United States" content_switch_name="none" server_pool_name="none" false_positive_mitigation="none" user_name="Unknown" monitor_status="Disabled" http_refer="none" http_version="1.x" dev_id="none" threat_weight=0 history_threat_weight=0 threat_level="Off" main_type="HTTP Connection Failure" ftp_mode="N/A" ftp_cmd="N/A" cipher_suite="none" signature_cve_id="N/A" ml_log_hmm_probability=0 ml_log_sample_prob_mean=0 ml_log_sample_arglen_mean=0 ml_log_arglen=0 ml_svm_log_main_types=0 ml_svm_log_match_types="none" ml_svm_accuracy="none" ml_domain_index=0 ml_url_dbid=0 ml_arg_dbid=0 ml_allow_method="none" matched_field="none" matched_pattern="name" owasp_top10="N/A" bot_info="none" backend_service="tcp" es=0 data="iwCAe30D" data_format="b64/brt" client_level="Unidentified" timezone_dayst="GMTc-8" device_id="FWBVMETM000000000" vd="LINK" devname="WAF"

This happens because the FortiWeb log setting 'Ignore SSL Errors' is disabled, so FortiWeb writes every failed SSL handshake into the attack logs. Such a connection never reaches the HTTP layer, so its http_host and http_url fields are stored as the literal string 'none' rather than as SQL NULL, and the dataset's 'is not null' conditions do not exclude them.

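To make this concrete, here is an added Python example (not part of the original article or of any Fortinet product) that parses constructed FortiWeb-style key=value log lines and mirrors the dataset's grouping; it assumes that the records 'Ignore SSL Errors' would suppress can be recognised by main_type and msg as in the sample log above, and it adds an optional filter on the literal 'none' value that the dataset's 'is not null' conditions do not catch.

```python
import re
from collections import Counter

# Constructed FortiWeb-style attack log lines (not from the article), cut down to
# the fields the Top Attack URLs chart and the SSL-error explanation rely on.
SAMPLE_LOGS = [
    'type="attack" http_host="none" http_url="none" main_type="HTTP Connection Failure" msg="SSL Error(319) - ssl3 ext invalid servername"',
    'type="attack" http_host="none" http_url="none" main_type="HTTP Connection Failure" msg="SSL Error(319) - ssl3 ext invalid servername"',
    'type="attack" http_host="none" http_url="none" main_type="HTTP Connection Failure" msg="SSL Error(319) - ssl3 ext invalid servername"',
    'type="attack" http_host="shop.example.com" http_url="/login.php" main_type="Signature Detection" msg="SQL Injection"',
    'type="attack" http_host="shop.example.com" http_url="/login.php" main_type="Signature Detection" msg="SQL Injection"',
    'type="attack" http_host="shop.example.com" http_url="/admin/" main_type="Signature Detection" msg="Directory Traversal"',
]

# FortiWeb logs are key=value pairs; values are double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Return {field: value} for one FortiWeb log line."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def is_ssl_handshake_failure(record):
    """Assumption: the records 'Ignore SSL Errors' would suppress look like the
    sample log above: main_type 'HTTP Connection Failure' and an 'SSL Error' msg."""
    return (record.get("main_type") == "HTTP Connection Failure"
            and record.get("msg", "").startswith("SSL Error"))

def top_attack_urls(lines, exclude_none=False):
    """Mirror the fwb-attack-Top-Attack-URLs dataset: count (http_host, http_url)
    pairs present in the record, most frequent first. FortiWeb stores a missing
    host/URL as the string "none", not SQL NULL, so the dataset's 'is not null'
    keeps those rows; exclude_none adds the filter a custom dataset would need."""
    counts = Counter()
    for line in lines:
        rec = parse_log(line)
        host, url = rec.get("http_host"), rec.get("http_url")
        if host is None or url is None:
            continue  # the query's 'http_host is not null and http_url is not null'
        if exclude_none and "none" in (host, url):
            continue
        counts[(host, url)] += 1
    return counts.most_common()

if __name__ == "__main__":
    print("default dataset :", top_attack_urls(SAMPLE_LOGS))
    print("excluding 'none':", top_attack_urls(SAMPLE_LOGS, exclude_none=True))
    print("SSL handshake failures:", sum(is_ssl_handshake_failure(parse_log(line)) for line in SAMPLE_LOGS))
```

With the default behaviour the ('none', 'none') pair tops the list exactly as in the chart; with exclude_none=True only real host/URL pairs remain.
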
To eliminate most of the attack log events with URL 'none', enable this setting under FortiWeb -> Log&Report -> Log Config -> Other Log Settings -> Ignore SSL Errors.

[Image: FortiWeb log configuration with Ignore SSL Errors enabled]