This article describes how traffic logging works on the FortiGate when running in NGFW policy-based mode, including when and where Application and URL category rating information will be logged.
FortiGate; NGFW policy-based mode
In NGFW policy-based mode, traffic will always be scanned by the IPS Engine as part of initial Security Policy assessment. If logging is enabled for the Security Policy that traffic is matched to (especially All Sessions), then Forward Traffic logs (available under Log & Report -> Forward Traffic) will be generated.
Notably, these Forward Traffic logs will generally include an entry under the Application Name section showing the Application signature that the session was matched to, but at the same time administrators may find that no Application Control logs (Log & Report -> Security Events -> Application Control) or Web Filter logs (Log & Report -> Security Events -> Web Filter) are being generated.
The reason this occurs is that in NGFW policy-based mode, these Security Event logs are only created if traffic matches a Security Policy that is configured with Application- and/or URL category-based filtering (for Application Control logs and Web Filter logs, respectively). If traffic matches a Security Policy that does not include an Application or URL category filter, then only Forward Traffic logs will be generated.
Ensure that an Application- and/or URL category-based Filter is applied to any Security Policy that a) should match based on that filter, and b) is required to generate Application Control and/or Web Filter security event logs. For guidance on adding these filters to Security Policies, refer to the following KB article: Technical Tip: How to block URL Category and Application in NGFW policy-based mode
The FortiGate still sends URL category rating requests to FortiGuard if at least one possibly-matching Security Policy includes any kind of URL category filter, even if the traffic ends up matching a policy with no URL category filter. However, the result of that request is only ever logged in Web Filter logs (never in Forward Traffic logs).
Example Scenario:
Consider the following example with three Security Policies. Policy #2 (top) matches any traffic belonging to the 'Alcohol' URL category, Policy #3 (middle) matches traffic identified as the 'YouTube' Application signature, and Policy #1 (bottom) matches any/all other traffic. Depending on which policy is matched, the logging behavior will be slightly different:
Note: Application Control signatures are either standalone/parent signatures or child signatures of a broader parent. If parent signatures are included in Security Policies with the ACCEPT action, then traffic may match either the parent or any associated child, whereas specifying a child signature only matches the child. For example, the 'SSL' parent signature includes the 'SSL_TLSv1.2' and 'SSL_TLSv1.3' child signatures.
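To check this behavior against exported logs, the following added example (not Fortinet code) groups log lines by policy ID and reports policies whose Forward Traffic logs carry application names but which produced no Application Control or Web Filter events. It assumes logs exported as key=value text with the type, subtype, policyid and app fields; the sample lines are constructed to mirror the three-policy scenario above.

```python
import shlex
from collections import defaultdict

# Constructed sample lines in FortiOS key=value log style (not from a real device).
SAMPLE_LOGS = '''
type="traffic" subtype="forward" sessionid=1001 policyid=1 app="SSL_TLSv1.3" action="accept"
type="traffic" subtype="forward" sessionid=1002 policyid=3 app="YouTube" action="accept"
type="utm" subtype="app-ctrl" sessionid=1002 policyid=3 app="YouTube" action="pass"
type="traffic" subtype="forward" sessionid=1003 policyid=2 app="HTTPS.BROWSER" action="accept"
type="utm" subtype="webfilter" sessionid=1003 policyid=2 catdesc="Alcohol" hostname="brewery.example" action="passthrough"
type="traffic" subtype="forward" sessionid=1004 policyid=1 app="DNS" action="accept"
'''

def parse_line(line):
    """Parse one key=value log line; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def audit(log_text):
    """Per policy ID: Forward Traffic count, app names seen, security event subtypes seen."""
    report = defaultdict(lambda: {"forward": 0, "apps": set(), "events": set()})
    for line in log_text.splitlines():
        try:
            f = parse_line(line)
        except ValueError:  # unbalanced quotes: skip the malformed line
            continue
        if "policyid" not in f:
            continue
        entry = report[f["policyid"]]
        if (f.get("type"), f.get("subtype")) == ("traffic", "forward"):
            entry["forward"] += 1
            if f.get("app"):
                entry["apps"].add(f["app"])
        elif f.get("type") == "utm" and f.get("subtype") in ("app-ctrl", "webfilter"):
            entry["events"].add(f["subtype"])
    return dict(report)

def policies_without_security_events(report):
    """Policies that log application names in Forward Traffic but emit no security events."""
    return sorted(p for p, e in report.items() if e["apps"] and not e["events"])

if __name__ == "__main__":
    report = audit(SAMPLE_LOGS)
    for pid in policies_without_security_events(report):
        print(f"policy {pid}: apps {sorted(report[pid]['apps'])} seen, no security event logs")
```

A policy listed here is not necessarily misconfigured: the catch-all Policy #1 has no filter by design, so the output is a list to review against which policies are expected to generate security event logs.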
Related Documents:
Technical Tip: NGFW policy-based mode Resource List
Technical Tip: How to block URL Category and Application in NGFW policy-based mode