Fires
New Contributor

Enable UTM/Web filter log

Hi, how can I enable the extended log of web filtering?

I have a FortiGate 60D (firmware 5.2.5).

I enabled webfilter.

I added webfilter monitor-all to the interface.

But I do not have UTM under Log & Report :(

I tried Google and the CLI:

# config dlp sensor
# edit [Name of Profil]
# set extended-utm-log [enable | disable]
# set dlp-log [enable | disable]
# set nac-quar-log [enable | disable]
# end

 

 

But:

# config webfilter profile
# edit [Name of Profil]
# set extended-utm-log [enable | disable]

I get error -61 after this command. :(

 

Also I can't change profile under web filter in security profiles :(

 

Please advise.. 

 

Thanks

1 Solution
AndreaSoliva
Contributor III

Hi

 

Under FortiOS 5.2.x and above, the UTM log is enabled by default and you do not have to configure anything. This can also be tested in the following way:

 

# diagnose log test

 

Log out of your web GUI and log in again, and you will see that under Log you now have the UTM logs for each UTM feature. If you would like to log everything based on webfilter, do the following:

--> Check that all categories which are allowed are on action "monitor" (which means actually allow but log)

--> Set all other categories which are not allowed to block or whatever

 

After that, go to the CLI, edit your corresponding profile for WebFilter and use/check the commands:

config webfilter profile
    edit [Name of your profile]
        set log-all-url enable
        set web-content-log enable
        set web-filter-activex-log enable
        set web-filter-command-block-log enable
        set web-filter-cookie-log enable
        set web-filter-applet-log enable
        set web-filter-jscript-log enable
        set web-filter-js-log enable
        set web-filter-vbs-log enable
        set web-filter-unknown-log enable
        set web-filter-referer-log enable
        set web-filter-cookie-removal-log enable
        set web-url-log enable
        set web-invalid-domain-log enable
        set web-ftgd-err-log enable
        set web-ftgd-quota-usage enable
end

 

After that, check that the firewall policy which is used for your WebFilter HTTP/HTTPS based traffic has the log enabled for "all sessions".

That's it... make traffic and wait some 2/3 seconds... sometimes, if the log does not exist under Log for WebFilter, you have to log out and log in again or do a refresh in your browser.

 

hope this helps

 

have fun

 

Andrea
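
An added example, not part of the original post or of Fortinet's tooling: a Python check over a saved configuration backup that flags firewall policies whose web traffic would not reach the Web Filter log, following the answer's points (a profile with `log-all-url` enabled, policy logging set to "all sessions"). The sample config is constructed, and the policy keys `webfilter-profile` and `logtraffic all` are assumed here to be the CLI spellings of the profile and "all sessions" settings the answer refers to.

```python
import re

# Constructed excerpt of a config backup (not from the thread), used as offline input.
SAMPLE = '''config webfilter profile
    edit "monitor-all"
        set log-all-url enable
        config ftgd-wf
            set options error-allow
        end
    next
end
config firewall policy
    edit 1
        set webfilter-profile "monitor-all"
        set logtraffic all
    next
    edit 2
        set webfilter-profile "monitor-all"
        set logtraffic utm
    next
end'''

def parse(text):
    """Map (top-level table, entry name) -> settings; nested config blocks are skipped."""
    out, path, name = {}, [], None
    for raw in text.splitlines():
        tok = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', raw)] or [""]
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "end" and path:
            path.pop()
        elif len(path) == 1 and tok[0] in ("edit", "next"):
            name = tok[1] if tok[0] == "edit" else None
        elif len(path) == 1 and tok[0] == "set":
            out.setdefault((path[0], name), {})[tok[1]] = " ".join(tok[2:])
    return out

def audit(text):
    """Return (policy id, reason) for each policy whose web traffic will not be logged."""
    cfg, out = parse(text), []
    for pid, pol in ((k[1], v) for k, v in cfg.items() if k[0] == "firewall policy"):
        prof = pol.get("webfilter-profile")
        if prof is None:
            out.append((pid, "no web filter profile applied"))
        elif cfg.get(("webfilter profile", prof), {}).get("log-all-url") != "enable":
            out.append((pid, "profile lacks log-all-url"))
        elif pol.get("logtraffic") != "all":
            out.append((pid, "logtraffic is not all"))
    return out
```

Running `audit()` on the sample reports only policy 2, which has the profile attached but logs security events only.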


Fires

Hi, thank you very much. After

#diagnose log test

 

I see web-filter under Log & Report. I followed your instructions, but I still do not have any traffic under web filter (just testing logs)..

I checked the profile - monitor-all (factory from Fortinet, both versions, Proxy and Flow)

I checked my firewall rule - the one that allows connections to the internet; it is a rule with big traffic

I checked my log setting (it is set to memory)

I tried logging out multiple times

So it should be fine, but under web filter I still get just testing records :(

Firewall rule in attachment

Fires
New Contributor

I see something strange - under Log & Report - Security Log - Web Filter I see just records with action = blocked :( nothing else. Some filter?

AndreaSoliva
Contributor III

Hi

 

Check if your WebFilter is correctly licensed, otherwise all will be blocked, which means check the status on the dashboard, the first page of the GUI when you log in (what is written there regarding the WebFilter license)!

 

Second, check the log configuration (example for memory logging):

###########################
# Log Settings
###########################
config log setting
    set resolve-ip enable
    set resolve-port enable
    set log-user-in-upper disable
    set fwpolicy-implicit-log enable
    set fwpolicy6-implicit-log disable
    set log-invalid-packet disable
    set local-in-allow enable
    set local-in-deny-unicast disable
    set local-in-deny-broadcast disable
    set local-out disable
    set daemon-log disable
    set neighbor-event disable
    set brief-traffic-format disable
    set user-anonymize disable
end
###########################
# Log Settings Gui
###########################
config log gui-display
    set resolve-hosts enable
    set resolve-apps enable
    set fortiview-unscanned-apps enable
    set fortiview-local-traffic enable
    set location memory
end
###########################
# Log Settings Device Memory
###########################
config log memory setting
    set status enable
    set diskfull overwrite
end

 

If the license is active and the log config is done, then as the webfilter is configured you should see logs....

 

hope it helps

 

have fun

 

Andrea

AndreaSoliva

Me again... an additional check: is this firewall policy rule with the webfilter really the firewall policy rule which is used? It seems that this firewall policy is not hitting your traffic. This could be the reason you see only block without the webfilter profile used etc. Look at the interfaces like source, destination etc.

 

hope it helps   have fun   Andrea

Fires

Hi, 

Web Filtering Licensed (Expires 2017-01-13)

so the licence is ok..

I tried your commands to set up the log.. But the result is still the same.. I see just blocked.

Are the logs under Log & Report -> Security Log -> Web Filter??

About the firewall: I tried adding a static URL filter on this rule and it blocks it ok.. So I think it is 99% that rule.

AndreaSoliva
Contributor III

Hi

 

You do deep inspection, which means https... I expect you imported the certificate from the FGT to your local host for trusted certificate authorities, for IE and Firefox separately. If so, your rule is indicating service all, but http is not covered because I do not see any profile for protocol options, which means http?

Within the tests you are using https only...? Are you testing http and/or https?

Add an http protocol options profile to the rule.

From a log point of view, meaning memory, it should be fine; also defining memory for the GUI is fine. Also drop me a printscreen of your webfilter and a log printscreen where I can see a log entry for webfilter and for the forward log.

 

Andrea

Fires

Hi, I do not install any certificate. I just need to log all visited webpages.

Here are screenshots. 

 

Fires
New Contributor

Log
