Description
Web Application Firewall profiles can be created with a variety of options (Signatures and Constraints), similar to other security profiles. Once options are enabled, their Action can be set to Allow, Monitor, or Block, and their Severity can be set to High, Medium, or Low.
This article describes how to see the Web Application Firewall (WAF) logs in the FortiAnalyzer device.
This article describes how to see the Web Application Firewall (WAF) logs in the FortiAnalyzer device.
Scope
It is assumed the FortiGate device has a Firmware version 5.4.0 or later and its logs are already sent to a FortiAnalyzer device running a firmware version 5.4.0 or later.
Solution
In order to see the logs for the Web application Firewall profile in the FortiAnalyzer, the log option must be enabled in every signature of the Web application Firewall profile configured into the FortiGate.
For example in the following WAF profile:
After all the log options have been enabled in the Web Firewall Application, the WAF tab will show the security logs on the FortiAnalyzer under Logview > Security > Web Application Firewall.
For example in the following WAF profile:
config firewall waf-profile
edit "waf5"
config signature
config main-class 60000000
set status enable
set action block
set log enable
set severity medium
config main-class 70000000
set status enable
set action block
set log enable
set severity medium
end
set disabled-sub-class 50140000
set disabled-signature 20000182 30000108 40000108 60030001 80080005 80200001 80200004
set credit-card-detection-threshold 3
end
config constraint
end
next
end
After all the log options have been enabled in the Web Firewall Application, the WAF tab will show the security logs on the FortiAnalyzer under Logview > Security > Web Application Firewall.
