FortiWeb
opetr_FTNT
Article Id 294547
Description

This article describes how to configure FortiWeb to forward packet header details to FortiAnalyzer, and how to troubleshoot and decode what is actually sent.

Scope

FortiWeb.

Solution

Configuration:

The goal is to forward the packet header information shown below to FortiAnalyzer.

[Screenshot: 2024-01-17_10-29.png]

Enable traffic packet forwarding via the CLI:

config log forti-analyzer
    set traffic_packet enable
end

Once the FortiAnalyzer destination is configured, FortiWeb starts sending the logs.

On FortiAnalyzer, the packet header information can be displayed by selecting 'View Data' next to the 'Data' field.

[Screenshot: 2024-01-17_10-39.png]

Note: displaying the packet log requires FortiAnalyzer 7.4.2 or higher (Mantis bug_id=0924749).

Troubleshooting:

To confirm what information is sent, run the following debug on FortiWeb:

diag deb app logd 7
diag deb ena

The debug log then looks like:

[Logd][01-17-10:18:29][INFO][log_format_faz_msg][1809]: FAZ Detail = date=2024-01-17 time=10:18:29 log_id=30000001 msg_id=000008855881 device_id=FVVM08TM22000169 eventtime=1705483109484559538 vd="root" timezone="(GMT+1:00)Brussels,Copenhagen,Madrid,Paris" timezone_dayst="GMTc-1" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy="lab_spolicy" original_src=172.26.52.4 src=172.26.52.4 src_port=62924 dst=10.198.3.30 dst_port=80 http_request_time=1 http_response_time=0 http_request_bytes=80 http_response_bytes=347 http_method=get http_url="/" http_agent="curl/8.4.0" http_retcode=200 msg="HTTP get request from 172.26.52.4:62924 to 10.198.3.30:80" original_srccountry="Reserved" srccountry="Reserved" content_switch_name="none" server_pool_name="vl198_spool" http_host="vip1.internal.lab" user_name="Unknown" http_refer="none" http_version="1.x" dev_id=469472A579649814CF88B26F7C1C77D24E7E cipher_suite="none" x509_cert_subject="none" data="G3sAABQhSefgulJfSCfxQcAGnPIAug8yDYSRng5lVaXmCz72HjICBiRQkdsqtUyNJM8dXt5GD9Tt6jFFY8K2mtNU0+/jEoeayrnX5fM+MY21Fp+KKVK8vdw4NL5wrWxmj169z/IeqNiTlRoJdlMrJmz1+HCXkNt75MEf" data_format="b64/brt"

Once done, disable debugging again with 'diag deb dis'.

The packet detail is carried in the 'data=' field. As data_format="b64/brt" indicates, it is a brotli-compressed JSON document that has then been base64-encoded; inside that JSON document the 'http_body' member is itself base64-encoded. It can be decoded as below (undo the base64 and brotli layers first, then decode the http_body member):

% echo "G3sAABQhSefgulJfSCfxQcAGnPIAug8yDYSRng5lVaXmCz72HjICBiRQkdsqtUyNJM8dXt5GD9Tt6jFFY8K2mtNU0+/jEoeayrnX5fM+MY21Fp+KKVK8vdw4NL5wrWxmj169z/IeqNiTlRoJdlMrJmz1+HCXkNt75MEf" | base64 -d | brotli -d -c | jq -r '.http_body' | base64 -d
GET / HTTP/1.1
Host: vip1.internal.lab
User-Agent: curl/8.4.0
Accept: */*
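As an added example (not part of the original article and not Fortinet code), the following Python script performs the same decoding as the shell pipeline above, but first parses the FAZ Detail line so that the 'data' and 'data_format' fields are picked out automatically rather than pasted by hand. It assumes the 'brotli' PyPI package (optional: without it the script reports that the brotli layer cannot be undone instead of guessing), and that 'b64' and 'brt' are the only data_format layers. The sample line is constructed from the debug output above, trimmed to the fields this example needs; the function names are the example's own.

```python
"""Decode the packet field a FortiWeb traffic log carries to FortiAnalyzer.

Added example, not FortiWeb or FortiAnalyzer code. It parses the key=value
FAZ Detail line from the debug output above, then undoes the two layers named
by data_format="b64/brt": base64 transport encoding around a brotli-compressed
JSON document whose "http_body" member is itself base64 (the layout the
article's shell pipeline relies on). Assumptions: the 'brotli' PyPI package is
the only non-stdlib dependency and is optional; "b64" and "brt" are the only
data_format tokens handled.
"""
import base64
import json
import re
from typing import Optional

try:
    import brotli  # pip install brotli  (optional, see decode_data)
except ImportError:
    brotli = None

# The data= value from the debug output above (164 base64 chars, 123 bytes).
SAMPLE_DATA = "G3sAABQhSefgulJfSCfxQcAGnPIAug8yDYSRng5lVaXmCz72HjICBiRQkdsqtUyNJM8dXt5GD9Tt6jFFY8K2mtNU0+/jEoeayrnX5fM+MY21Fp+KKVK8vdw4NL5wrWxmj169z/IeqNiTlRoJdlMrJmz1+HCXkNt75MEf"

# Constructed sample: the FAZ Detail line from the debug output above, trimmed
# to the fields this example needs (the logd prefix is kept on purpose).
SAMPLE_LINE = (
    "[Logd][01-17-10:18:29][INFO][log_format_faz_msg][1809]: FAZ Detail = "
    'date=2024-01-17 time=10:18:29 log_id=30000001 type=traffic subtype="http" '
    "proto=tcp service=http src=172.26.52.4 src_port=62924 dst=10.198.3.30 dst_port=80 "
    'http_method=get http_url="/" http_agent="curl/8.4.0" http_retcode=200 '
    'timezone="(GMT+1:00)Brussels,Copenhagen,Madrid,Paris" '
    'msg="HTTP get request from 172.26.52.4:62924 to 10.198.3.30:80" '
    f'data="{SAMPLE_DATA}" data_format="b64/brt"'
)

# key=value pairs: the value is either a double-quoted string (which may contain
# spaces, e.g. timezone= and msg=) or a bare token ending at whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_faz_line(line: str) -> dict:
    """Split a FAZ Detail line into its key=value fields, quotes stripped."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def decode_data(data: str, data_format: str) -> Optional[bytes]:
    """Undo the layers named in data_format, outermost first ("b64/brt" means
    base64 wrapped around brotli). Returns None when the brotli layer is needed
    but the library is missing, so a caller can tell 'not decoded' from 'empty'.
    validate=True makes a truncated or mangled copy of the field fail loudly."""
    blob = data.encode("ascii")
    for layer in data_format.split("/"):
        if layer == "b64":
            blob = base64.b64decode(blob, validate=True)
        elif layer == "brt":
            if brotli is None:
                return None
            blob = brotli.decompress(blob)
        else:
            raise ValueError(f"unknown data_format layer: {layer!r}")
    return blob


def http_body_from_json(doc: bytes) -> bytes:
    """The decompressed document is JSON; its http_body member holds the raw
    request bytes as base64 (the only member the article shows)."""
    payload = json.loads(doc)
    return base64.b64decode(payload["http_body"])


def decode_packet(line: str) -> Optional[bytes]:
    """Full pipeline: FAZ Detail line -> raw HTTP request bytes (or None)."""
    fields = parse_faz_line(line)
    doc = decode_data(fields["data"], fields["data_format"])
    return None if doc is None else http_body_from_json(doc)


if __name__ == "__main__":
    body = decode_packet(SAMPLE_LINE)
    if body is None:
        print("install the 'brotli' package to decompress the data field")
    else:
        print(body.decode("ascii", "replace"))
```

Paste a line from your own 'diag deb app logd 7' output in place of SAMPLE_LINE to decode it; because the script checks data_format rather than assuming it, a future log that names a different encoding fails with a clear error instead of producing garbage.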