Description
This article discusses how Application Control generates two logs by default: a 'Traffic' log and an 'Application Control' log.
It explains the differences between these log messages and how to disable one type of logging or the other.
Scope
FortiGate, UTM Application control logging.
Solution
Traffic log message generated by UTM application control:
Application control log message:
These two log messages correspond to the same traffic flow.
The information found in only one type of log is:
In Traffic log only:
- Volume of traffic (sent and received bytes, sent and received packets).
- Traffic shaping counters.
- NAT details (source and destination NAT).
- VPN details.
In Application log only:
- Application Control list.
- Message.
- Attack ID.
- UTM type.
Disabling Application Control log (CLI only)
At the application control list level by using set log disable. For example:
config application list
edit "test-appl"
config entries
edit 1
set action pass
set application 16339 15889
set log disable
next
end
next
end
Disabling Traffic Log for Application Control events (CLI only)
At the policy level by using set logtraffic-app disable.
For example:
config firewall policy
edit 572
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set utm-status enable
set logtraffic-app disable
set application-list "test-appl"
set profile-protocol-options "default"
next
end
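Because each of the two settings above removes one of the two records of the same traffic flow, it helps to know where they are applied. The following Python sketch is an added example, not part of the original article or Fortinet code: it scans a saved configuration for the two 'disable' settings shown here. The sample configuration is constructed from the blocks above, policy 573 is hypothetical, and the function name is an assumption.

```python
import shlex
# Constructed sample backup built from the two configuration blocks above;
# policy 573 is a hypothetical second policy that keeps the default logging.
SAMPLE_CONFIG = """
config application list
edit "test-appl"
config entries
edit 1
set action pass
set application 16339 15889
set log disable
next
end
next
end
config firewall policy
edit 572
set logtraffic-app disable
set application-list "test-appl"
next
edit 573
set application-list "test-appl"
next
end
"""

# (top-level section, setting) pairs that this article shows being disabled.
WATCHED = {("config application list", "log"),
           ("config firewall policy", "logtraffic-app")}

def find_disabled_logging(config_text):
    """Return (config path, setting) for each watched 'set ... disable'."""
    stack, findings = [], []
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw) or [""]
        except ValueError:  # assumption: unbalanced quotes mean a multi-line value
            continue
        if tokens[0] == "config":
            stack.append(" ".join(tokens))
        elif tokens[0] == "edit" and len(tokens) > 1:
            stack.append("edit " + tokens[1])
        elif tokens[0] in ("next", "end") and stack:
            stack.pop()
        elif tokens[0] == "set" and stack and tokens[2:] == ["disable"]:
            if (stack[0], tokens[1]) in WATCHED:
                findings.append((" > ".join(stack), tokens[1]))
    return findings
```

Calling find_disabled_logging(SAMPLE_CONFIG) returns one entry for the application list entry and one for policy 572; policy 573 is not reported.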
With v4.0 MR3 a new default logging behavior of application control was introduced: by default application control generates logs in 'Traffic Log' and in 'Application Control Log'.
With v5.0 this behavior will change and by default, the application log will generate a log only in 'Traffic Log':