FortiGate
ppatel
Staff
Article Id 196635
Description
This article describes how to investigate a FortiGate WAF profile that is not generating logs for blocked traffic.

Solution
By default, creating a new web application firewall profile in the GUI produces a WAF profile with logging disabled for every main-class signature. This setting is not visible in the web interface.

However, if the newly created profile is checked from the CLI, it is possible to observe the following:

FGT_VM (root) # show waf profile test
config waf profile
    edit "test"
        config signature
            config main-class 10000000
                set log disable             <----- Log is disabled.
            end
            config main-class 20000000
                set log disable
            end
            config main-class 30000000
                set status enable
                set action block
                set log disable
                set severity high
            end
            config main-class 40000000
                set log disable
            end
This setting cannot be changed from the GUI. To fix it, log in to the CLI and enable logging for each main class:

config waf profile
    edit test
        config signature
            config main-class 10000000
                set log enable              <----- Set log to enable.
            end
            config main-class 20000000
                set log enable
            end

Follow the same logic for the rest of the main-class signatures listed in the show output, then close the configuration with end (signature), next (profile) and end (profile table) so that the change is applied.
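As an added example (not Fortinet's code and not part of the original article), the Python script below automates this check so it can be applied to many profiles without reading the output by hand. It parses the text printed by show waf profile in the config main-class <id> ... end form quoted above, lists every main class whose block carries set log disable, and renders the CLI fix for exactly those classes, closed with end / next / end. The sample input is constructed from the article's own output with the closing lines added; the function names are this example's own and the regular expressions assume the layout shown in this article.

```python
"""Audit FortiGate WAF profile main classes for disabled logging.

Added example, not Fortinet code. It parses the text printed by
`show waf profile <name>` on the FortiOS CLI in the form quoted in this
article (`config main-class <id> ... end`), lists every main class with
`set log disable`, and renders the CLI commands that enable logging.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the article's `show waf profile test` output with the
# closing `end` / `next` / `end` added so the hierarchy is complete.
SAMPLE_SHOW_OUTPUT = """\
config waf profile
    edit "test"
        config signature
            config main-class 10000000
                set log disable
            end
            config main-class 20000000
                set log disable
            end
            config main-class 30000000
                set status enable
                set action block
                set log disable
                set severity high
            end
            config main-class 40000000
                set log disable
            end
        end
    next
end
"""

PROFILE_RE = re.compile(r'^\s*edit\s+"?(.+?)"?\s*$')
MAIN_CLASS_RE = re.compile(r"^\s*config main-class (\d+)\s*$")
SET_RE = re.compile(r"^\s*set (\S+) (.+?)\s*$")
END_RE = re.compile(r"^\s*end\s*$")


def profile_name(show_output: str) -> Optional[str]:
    """Name from the first `edit "<name>"` line, or None if absent."""
    for line in show_output.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            return m.group(1)
    return None


def parse_main_classes(show_output: str) -> Dict[str, Dict[str, str]]:
    """Map each main-class id to the `set` values printed inside its block.

    `show` prints only values that differ from the FortiOS default, so a
    key missing here means the setting is at its default, whatever that is.
    """
    classes: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in show_output.splitlines():
        m = MAIN_CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes[current] = {}
            continue
        if current is None:
            continue
        if END_RE.match(line):
            current = None          # leave the main-class block
            continue
        m = SET_RE.match(line)
        if m:
            classes[current][m.group(1)] = m.group(2)
    return classes


def classes_without_logging(classes: Dict[str, Dict[str, str]]) -> List[str]:
    """Ids whose block explicitly carries `set log disable`, in show order."""
    return [cid for cid, settings in classes.items()
            if settings.get("log") == "disable"]


def fix_commands(profile: str, class_ids: List[str]) -> str:
    """Render the article's CLI fix for the given main classes, fully closed."""
    lines = ["config waf profile", f"    edit {profile}", "        config signature"]
    for cid in class_ids:
        lines += [f"            config main-class {cid}",
                  "                set log enable",
                  "            end"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    name = profile_name(SAMPLE_SHOW_OUTPUT) or "test"
    silent = classes_without_logging(parse_main_classes(SAMPLE_SHOW_OUTPUT))
    print(f"main classes in profile {name!r} with logging disabled: {silent}")
    print(fix_commands(name, silent))
```

Paste the real show output in place of the constructed sample, or feed it from a file, and paste the rendered commands back into the CLI. After applying them, run show waf profile <name> again and confirm that no set log disable line remains; show full-configuration waf profile <name> prints every setting, including defaults, if an explicit confirmation of the log value is wanted.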

After logging is enabled, the firewall generates a log entry for every detected signature whose action is 'block' or 'monitor', and the logs can be viewed in the GUI under Log & Report -> Web Application Firewall.



