Created on 10-20-2020 02:24 AM. Edited on 03-27-2025 05:43 AM. By Jean-Philippe_P.
Description
This article shows how to configure the extended logging option in UTM profiles.
Scope
FortiGate and FortiProxy.
Solution
Enable extended logging for the following UTM profiles:
- Anti-virus.
- Application.
- DLP.
- IPS.
- WAF.
- Web filter.
When the extended-log option is enabled in a UTM profile, all HTTP header information for HTTP-deny traffic is logged. When the web-extended-all-action-log option is also enabled in the web filter profile, all HTTP header information for HTTP-allow traffic is logged as well.
Extended logging option in UTM profiles.
The extended-log option has been added to all UTM profiles. For example:
Web filter profile:
config webfilter profile
    edit "test-webfilter"
        set extended-log enable
        set web-extended-all-action-log enable
    next
end
Antivirus profile:
config antivirus profile
    edit "av-proxy-test"
        set extended-log enable
    next
end
WAF profile:
config waf profile
    edit "test-waf"
        set extended-log enable
    next
end
IPS profile:
config ips sensor
    edit "test_profile"
        set extended-log enable
    next
end
Syslog server mode.
The syslog server mode can be set to udp, reliable, or legacy-reliable. Set the mode to reliable to support extended logging, for example:
config log syslogd setting
    set status enable
    set server "<ip address>"
    set mode reliable
    set facility local6
end
Example of an extended log.
The following is an example extended log of type utm and subtype webfilter, as received by a reliable syslog server. The rawdata field contains the extended log data (the HTTP headers).
Dec 18 15:40:15 10.6.30.254 date=2017-12-18 time=15:40:14
devname="600D-9" devid="FGT6HD3915800120" logid="0316013056"
type="utm" subtype="webfilter" eventtype="ftgd_blk"
level="warning" vd="vdom1" eventtime=1513640414 policyid=2
sessionid=440522 srcip=10.1.100.128 srcport=60995 srcintf="port2"
srcintfrole="lan" dstip=209.121.139.177 dstport=80 dstintf="port1"
dstintfrole="wan" proto=6 service="HTTP"
hostname="detectportal.firefox.com" profile="test-webfilter"
action="blocked" reqtype="direct" url="/success.txt" sentbyte=285
rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology" crscore=30 crlevel="high"
rawdata="Method=GET|User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:57.0)
Gecko/20100101 Firefox/57.0"
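The log above is a key=value line in which the rawdata value is a pipe-separated list of HTTP header fields. The following parser, added here as an example and not part of the article or of FortiOS, pulls the key=value fields out of such a line and decodes the rawdata field into a header dictionary so the extended headers can be searched or alerted on. The sample line is a constructed copy of the log shown above.

```python
import re

# Constructed sample line, modelled on the extended log shown above (not live data).
SAMPLE_LOG = (
    'Dec 18 15:40:15 10.6.30.254 date=2017-12-18 time=15:40:14 '
    'devname="600D-9" devid="FGT6HD3915800120" logid="0316013056" '
    'type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" '
    'policyid=2 srcip=10.1.100.128 dstip=209.121.139.177 dstport=80 '
    'hostname="detectportal.firefox.com" profile="test-webfilter" '
    'action="blocked" url="/success.txt" '
    'msg="URL belongs to a denied category in policy" '
    'rawdata="Method=GET|User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:57.0) '
    'Gecko/20100101 Firefox/57.0"'
)

# One key=value pair. The quoted alternative is tried first, so a quoted
# value containing spaces, '=' or '|' (as rawdata does) is consumed whole.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Return the key=value fields of one FortiGate syslog line as a dict.

    The syslog header (timestamp and relay IP) carries no '=' and is skipped;
    surrounding double quotes are stripped from values.
    """
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_rawdata(rawdata: str) -> dict:
    """Split the rawdata field ('Name=Value|Name=Value') into a header dict.

    Only the first '=' of each item separates name from value, so header
    values that themselves contain '=' (for example a Referer query string)
    stay intact. Items without '=' are ignored.
    """
    headers = {}
    for item in rawdata.split('|'):
        if '=' in item:
            name, _, value = item.partition('=')
            headers[name.strip()] = value.strip()
    return headers


def http_headers_from_log(line: str) -> dict:
    """Parse the log line and attach the decoded HTTP headers under 'http_headers'."""
    fields = parse_fortigate_log(line)
    fields['http_headers'] = parse_rawdata(fields.get('rawdata', ''))
    return fields
```

Lines written without extended logging simply have no rawdata field, in which case http_headers is an empty dict.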
Related documents:
- For the FortiGate: Extended log for DLP inspection
- For the FortiProxy: Enabling extended logging