Description
This article clarifies the configuration needed for logging search phrases and search limitations.
Scope
FortiOS 5.6, 6.0, 6.2, 7.0, 7.2
Search engines: Google, Bing, Yandex, Yahoo, Baidu.
Solution
To log search words, a FortiGate needs to have proxy inspection enabled. The method to enable proxy inspection varies depending on the version of FortiGate:
- 5.6 and 6.0: FortiGate inspection mode should be set to proxy under System > Settings > System Operation Settings.
- 6.2: set the traffic policy inspection mode to 'proxy' (on the policy editing page).
- 6.4, 7.0, 7.2: set both the WebFilter profile and policy inspection mode to 'proxy'.
Next, enable Log all search keywords under Web Filter > Search Engines:
In 5.6 and 6.0, use the following CLI commands:
config webfilter profile
edit <name of the WebFilter>
set log-all-url enable
end
The respective traffic policy should also have the SSL/SSH deep inspection profile (make sure to import the certificate into the PC/browser store for all users).
Results
The logged search phrases are visible under Webfilter logs. It's possible to add the 'Key Word' column to the logs page for ease of access:
More information can be seen in the Log Details panel:
A 'Key Word' search filter is also available in the search bar on top:
Important note
Search phrases from other search engines not mentioned in this article (such as DuckDuckGo) are not logged.
The majority of websites have search bars (such as YouTube, shopping websites, etc), but the search phrases are not logged separately in the current FortiOS design.
