Description
This article describes how to investigate why the WAF is not generating logs for blocked traffic.
Scope
FortiGate.
Solution
By default, creating a new web application firewall profile in the GUI creates a WAF profile with logging disabled for all the main-class signatures.
This is not visible in the web interface.
However, checking the newly created profile in the CLI shows the following:
FGT_VM (root) # show waf profile test
config waf profile
    edit "test"
        config signature
            config main-class 10000000
                set log disable    <----- Log is disabled.
            end
            config main-class 20000000
                set log disable
            end
            config main-class 30000000
                set status enable
                set action block
                set log disable
                set severity high
            end
            config main-class 40000000
                set log disable
            end
This configuration cannot be modified from the GUI. To fix it, log in to the CLI and enable logs:
config waf profile
    edit test
        config signature
            config main-class 10000000
                set log enable    <----- Set log to enable.
            end
            config main-class 20000000
                set log enable
            end
Apply the same change to the rest of the main-class signatures.
After enabling the logs, the firewall will generate a log for any detected signature with action 'block' or 'monitor', and the logs can be viewed in the GUI under Log & Report -> Web Application Firewall.
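To find every main-class with logging disabled across a saved configuration, rather than checking profiles one by one, the audit below parses `show waf profile` style text and builds the matching CLI block. It is an added example, not Fortinet code: the names `find_unlogged`, `fix_commands` and `SAMPLE` are hypothetical, the sample text is constructed, and the closing `end` / `next` / `end` lines follow standard FortiOS CLI nesting.

```python
# Constructed sample shaped like the `show waf profile` output above.
SAMPLE = """config waf profile
    edit "test"
        config signature
            config main-class 10000000
                set log disable
            end
            config main-class 20000000
                set log enable
            end
            config main-class 30000000
                set action block
                set log disable
            end
        end
    next
end"""

def find_unlogged(config_text):
    """Map each WAF profile to the main-class IDs that have log disabled."""
    findings, depth, waf_depth, profile, main_class = {}, 0, None, None, None
    for raw in config_text.splitlines():
        line = raw.split("<--")[0].strip()  # drop "<-----" style annotations
        if line.startswith("config "):
            depth += 1
            if line == "config waf profile":
                waf_depth = depth            # nesting level of the WAF table
            elif waf_depth and line.startswith("config main-class "):
                main_class = line.split()[-1]
        elif line == "end":
            depth -= 1
            main_class = None
            if waf_depth and depth < waf_depth:
                waf_depth = profile = None   # left the WAF profile table
        elif waf_depth and depth == waf_depth and line.startswith("edit "):
            profile = line[5:].strip('"')    # profile name, not a nested edit
        elif line == "set log disable" and main_class:
            findings.setdefault(profile, []).append(main_class)
    return findings

def fix_commands(findings):
    """Build the CLI block that sets 'log enable' for every finding."""
    out = ["config waf profile"]
    for profile, classes in findings.items():
        out += [f'    edit "{profile}"', "        config signature"]
        for mc in classes:
            out += [f"            config main-class {mc}", "                set log enable", "            end"]
        out += ["        end", "    next"]
    return "\n".join(out + ["end"])
```

Calling `fix_commands(find_unlogged(text))` on a configuration backup returns a block that can be reviewed and pasted into the CLI; a `set log disable` outside a WAF main-class is ignored.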