FortiWeb
gsharma
Staff
Article Id 251100
Description
This article describes the difference in the Destination IP field between GeoIP attack logs and Signature Detection attack logs.
Scope: FortiWeb-VM, FortiWeb.
Solution

FortiWeb generates attack logs according to the Web Protection profile in use.
Depending on which features are enabled inside the Web Protection profile, the attack log output differs according to how each feature operates.

In the GEO IP attack log shown, the HTTP Host and URL values are 'none'. This means the TCP connection for this HTTP request was never established: the violation was detected during the TCP connection establishment stage, not in the subsequent HTTP stage.

During TCP connection establishment the daemon is not aware of the HTTP real servers; the destination of the TCP connection between the client and FortiWeb is the VIP. A violation at this stage means the source IP of the TCP connection is in the GEO IP database.


Both the TCP connection establishment stage and the HTTP request stage perform GEO IP detection. If the source IP of the TCP connection is not in the GEO IP database, the TCP connection is established and processing continues to the HTTP request stage. At the HTTP layer, FortiWeb by default also scans the IP addresses carried in the X-Forwarded-For (XFF) header.

So if an IP in the request's XFF header is in the GEO IP database, that is a GEO IP violation as well, and in this case the logged destination is the real server IP.
The screenshot below shows an example where the Destination differs between the GeoIP attack and the Signature-based attack.


Conclusion: for GeoIP attack logs, the destination IP will be the VS (virtual server) IP.
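The two GEO IP cases described above (a TCP-stage block with HTTP Host/URL 'none' and the VIP as destination, versus an HTTP-stage block on an XFF address with a real server as destination) can be checked mechanically when triaging exported logs. The following is an added example, not code from the article or from Fortinet: the log lines are constructed, and the field names (main_type, srcip, dstip, http_host, http_url, http_xff) and the VIP/real-server addresses are assumptions for illustration.

```python
import re

# Constructed sample attack-log lines in key=value form. Field names are
# assumptions for this example, not taken from the article.
SAMPLE_LOGS = [
    'main_type="Geo IP" srcip=203.0.113.7 dstip=198.51.100.10 http_host="none" http_url="none"',
    'main_type="Geo IP" srcip=192.0.2.44 dstip=10.0.0.20 http_host="shop.example.com" http_url="/login" http_xff="203.0.113.9"',
    'main_type="Signature Detection" srcip=192.0.2.50 dstip=10.0.0.20 http_host="shop.example.com" http_url="/search?q=1"',
]

# Assumed deployment: the FortiWeb virtual server (VIP) address and the
# real-server pool behind it.
VIP = "198.51.100.10"
REAL_SERVERS = {"10.0.0.20", "10.0.0.21"}

# key=value pairs; the value is either double-quoted (may contain spaces) or bare.
KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_log(line):
    """Return a dict of field -> value for one key=value log line."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV.finditer(line)}

def classify_geoip(rec):
    """Decide at which stage a Geo IP violation was detected.

    http_host/http_url 'none' -> blocked during TCP setup; destination should be the VIP.
    Otherwise                 -> blocked at the HTTP layer (e.g. an XFF address);
                                 destination should be a real server.
    Returns (stage, destination_consistent_with_stage).
    """
    if rec.get("main_type") != "Geo IP":
        return ("not_geoip", rec.get("dstip") in REAL_SERVERS)
    if rec.get("http_host") == "none" and rec.get("http_url") == "none":
        return ("tcp_stage", rec.get("dstip") == VIP)
    return ("http_stage", rec.get("dstip") in REAL_SERVERS)

def triage(lines):
    """Classify every line; a False flag marks a destination that does not match
    the stage the article describes and deserves a closer look."""
    return [(r.get("srcip"), r.get("dstip")) + classify_geoip(r)
            for r in map(parse_log, lines)]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS):
        print(row)
```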

Related document:

 https://docs.fortinet.com/document/fortiweb/7.2.1/administration-guide/226257/geo-ip-blocklisting-wh...
