| Description | This article shows authentication logs for web filter. |
| Scope | FortiGate. |
| Solution |
In this scenario, web filter profile is configured with authentication on few FortiGuard categories as shown in the picture. Authentication group is 'Test'. 
When a user tries to access these FortiGuard categories, user will see the FortiGuard web page block first and there will be an option presented to proceed further. If the authentication is successful against this category, logs for this event can be checked under Log & Reports -> System Events -> User Events -> Filter: Log Description = FortiGuard authentication override successful
Raw log:
date=2024-08-21 time=09:17:30 id=7405581254009028613 itime="2024-08-21 09:17:30" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702091688 logid=0102043029 type="event" subtype="user" level="notice" srcip=10.10.30.12 dstip=X.X.X.X msg="User Test2 added webfilter warning entry from 10.10.30.12" logdesc="FortiGuard authentication override successful" status="success" reason="none" initiator="Test2" expiry="Wed Aug 21 09:22:30 2024" scope="ip" oldwprof="LAB_filter" category=28 eventtime=1724246250521380140 tz="-0400" devid="XXXX" vd="root" dtime="2024-08-21 09:17:30" itime_t=1724246250 devname="FGT"
Similarly, if there is a failed authentication within the FortiGuard category, the event will be generated with the log description FortiGuard override failed.
In other scenarios where a web filter has been configured with an override profile, refer to this article for log events with override web filter categories. |
