Created on 10-28-2022 10:42 AM Edited on 11-21-2024 02:18 AM By Anthony_E
Description
This article clarifies the configuration needed for logging search phrases and search limitations.
Note:
For v7.4.4 and v7.6.0: There is an issue where the log keywords are not populated. This has been fixed in v7.4.5 and v7.6.1.
Scope
FortiGate v5.6, v6.0, v6.2, v7.0, v7.2, v7.4, v7.6. Search engines: Google, Bing, Yandex, Yahoo, Baidu.
Solution
To log search words, a FortiGate needs to have proxy inspection enabled. The method to enable proxy inspection varies depending on the version of FortiGate:
Enable Log all search keywords under Web Filter -> Search Engines:
In v5.6 and v6.0, use the following CLI commands:
config webfilter profile
    edit <name of the WebFilter>
        set log-all-url enable
end
The respective traffic policy should also have the SSL/SSH deep inspection profile applied (make sure to import the certificate into the PC/browser store for all users).
Results
The logged search phrases are visible under Webfilter logs. It's possible to add the 'Key Word' column to the logs page for ease of access.
More information can be seen in the Log Details panel.
A 'Key Word' search filter is also available in the search bar at the top.
Important note:
Search phrases from other search engines not mentioned in this article (such as DuckDuckGo) are not logged. The majority of websites have their own search bars (such as YouTube, shopping websites, etc.), but those search phrases are not logged separately in the current FortiOS design.
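To confirm that keywords are actually being populated after the change (for example, to spot the v7.4.4/v7.6.0 issue noted above or a policy missing deep inspection), exported Web Filter logs can be summarized per search engine. This is an added example, not Fortinet code: the key=value layout, the field names subtype, hostname and keyword, and the hostname matching are assumptions about the export format, and the sample lines are constructed.

```python
import re
from collections import Counter

# Engines from the article's Scope. Matching on a hostname label is an assumption.
ENGINES = {"google": "Google", "bing": "Bing", "yandex": "Yandex",
           "yahoo": "Yahoo", "baidu": "Baidu"}
# key=value or key="quoted value" pairs (assumed export format).
FIELD_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')

def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def engine_for(hostname):
    """Return the in-scope engine a hostname belongs to, or None."""
    for label in hostname.lower().split("."):
        if label in ENGINES:
            return ENGINES[label]
    return None

def keyword_coverage(lines):
    """Per engine, count webfilter entries with and without a keyword."""
    stats = {}
    for line in lines:
        fields = parse_line(line)
        if fields.get("subtype") != "webfilter":
            continue
        engine = engine_for(fields.get("hostname", ""))
        if engine is None:  # e.g. DuckDuckGo: not logged per the article
            continue
        bucket = "with_keyword" if fields.get("keyword") else "without_keyword"
        stats.setdefault(engine, Counter())[bucket] += 1
    return stats

def engines_missing_keywords(stats):
    """Engines that were visited but never produced a keyword."""
    return sorted(e for e, c in stats.items() if c["with_keyword"] == 0)

# Constructed sample lines, not real FortiGate output.
SAMPLE = [
    'type="utm" subtype="webfilter" hostname="www.google.com" keyword="vpn setup"',
    'type="utm" subtype="webfilter" hostname="www.google.com" url="/favicon.ico"',
    'type="utm" subtype="webfilter" hostname="www.bing.com" url="/search?q=test"',
    'type="utm" subtype="webfilter" hostname="duckduckgo.com" url="/?q=test"',
    'type="traffic" subtype="forward" hostname="www.baidu.com"',
]

if __name__ == "__main__":
    stats = keyword_coverage(SAMPLE)
    print(stats, engines_missing_keywords(stats))
```

An engine that shows traffic but never a keyword is the case to investigate; entries without a keyword are otherwise normal, since not every request to a search engine is a search.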