FortiGate
Article Id 207911
Description This article describes how to log and view ALLOWED web requests in FortiGate Web Filter logs for both FortiGuard category-based filtering and Static URL Filter. It includes updated GUI paths for FortiOS 7.2+ and CLI options that avoid changing category actions to Monitor.
Scope FortiGate (FortiOS 5.2 and later; GUI paths updated through FortiOS 7.6).
Solution

Prerequisites:

 

  • The traffic must match a firewall policy that has a Web Filter profile applied.
  • In that policy, enable logging for allowed traffic (recommended: All Sessions).
  • Ensure a log destination is configured (disk, FortiAnalyzer, FortiGate Cloud, or syslog).
  • For HTTPS: full URL visibility often requires SSL deep inspection; otherwise, logs may show only the hostname/SNI.

Method 1: 

  • Go to Policy & Objects -> Firewall Policy, edit the policy used for web access.
  • Under Logging Options, enable Log Allowed Traffic and select All Sessions.
  • Under Security Profiles, ensure Web Filter is enabled and the correct profile is selected.
  • Go to Security Profiles -> Web Filter and edit the profile applied to that policy.

 


 

  • For FortiGuard Categories: change the action from Allow to Monitor for the categories that need to be audited.

 

To get to the FortiGuard Categories lookup page, click here

 

  • For Static URL Filter: In Static URL Filter -> URL Filter, set relevant entries to Monitor (instead of Allow).
  • Save the profile and generate test web traffic from a client.

 

Method 2:


This method logs allowed and blocked URLs broadly, but it leads to very high log volume. Commands may vary by FortiOS version; enter '?' in the CLI to confirm the available options.


CLI - Basic URL logging:

 

config webfilter profile
    edit "<profile-name>"
        set log-all-url enable
        set web-url-log enable
    next
end

 

If additional HTTP header details are needed, enable extended logging. Extended log data may be truncated depending on the log target.

 

CLI:

 

config webfilter profile
    edit "<profile-name>"
        set extended-log enable
        set web-extended-all-action-log enable
    next
end

 

Where to find the logs (FortiOS GUI):

 

  • FortiOS 7.2 / 7.4 / 7.6: Log & Report -> Security Events -> Web Filter (use the Security Events dropdown to pick Web Filter if needed).
  • Older FortiOS versions: Log & Report -> Web Filter.


Troubleshooting tips:

 

  • No allowed logs appear: confirm Log Allowed Traffic is set to All Sessions on the matching firewall policy (not only Security Events).
  • Only hostnames appear: confirm the policy uses an SSL/SSH inspection profile that performs deep inspection.
  • Large/trimmed logs: extended log data may be truncated on some log targets; reliable syslog is typically required to retain larger raw log payloads.
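The first two troubleshooting checks can also be run against logs received at a syslog collector. The script below is an added example, not part of the original article or Fortinet tooling. It assumes FortiOS key=value log lines carrying the fields subtype, action, service, hostname and url, and assumes that url="/" on HTTPS entries indicates hostname-only visibility; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in FortiOS key=value syslog style (not real traffic).
SAMPLE = '''\
date=2024-01-10 time=09:00:01 type="utm" subtype="webfilter" eventtype="ftgd_allow" action="passthrough" service="HTTPS" hostname="intranet.example" url="/" catdesc="Information Technology"
date=2024-01-10 time=09:00:05 type="utm" subtype="webfilter" eventtype="ftgd_allow" action="passthrough" service="HTTPS" hostname="docs.example" url="/guide/page 1.html" catdesc="Reference"
date=2024-01-10 time=09:00:09 type="utm" subtype="webfilter" eventtype="ftgd_blk" action="blocked" service="HTTP" hostname="bad.example" url="/x" catdesc="Malicious Websites"
date=2024-01-10 time=09:00:12 type="traffic" subtype="forward" action="accept" service="HTTPS" dstip=192.0.2.10
'''

# A value is either a quoted string (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of field -> value."""
    return {k: q if q else b for k, q, b in PAIR.findall(line)}


def audit(text):
    """Summarise Web Filter entries: actions seen and hostname-only HTTPS hosts."""
    actions = Counter()
    host_only = set()  # HTTPS hosts seen with url="/"
    full_url = set()   # HTTPS hosts seen with at least one real path
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "webfilter":
            continue  # skip traffic logs and other UTM subtypes
        actions[rec.get("action", "unknown")] += 1
        if rec.get("service") == "HTTPS":
            bucket = full_url if rec.get("url", "/") != "/" else host_only
            bucket.add(rec.get("hostname", ""))
    return {
        "actions": dict(actions),
        # False here points at the "No allowed logs appear" tip.
        "allowed_logged": actions["passthrough"] > 0,
        # Non-empty here points at the "Only hostnames appear" tip.
        "hostname_only": sorted(host_only - full_url),
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```
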

 

Related articles:

Technical Tip: How to get a complete URL log

Technical Tip: Log all user traffic URLs using web filter profile

Technical Tip: Explanation of the Allow, Block, Exempt, and Monitor static URL filter actions