Hi, how I can enable extended log of web filtering ?
I got Fortigate 60D (firmware 5.2.5)
I enable webfilter
I add webfillter monitor-all to interface
But I do not have UTM under Log & Report :(
I try google and CLI
# config dlp sensor # edit [Name of Profil] # set extended-utm-log [enable | disable] # set dlp-log [enable | disable] # set nac-quar-log [enable | disable] # end
BUT :
# config webfilter profile # edit [Name of Profil] # set extended-utm-log [enable | disable]
I get error -61 after this command. :(
Also I can't change profile under web filter in security profiles :(
Please advise..
Thanks
Solved! Go to Solution.
Hi
under FortiOS 5.2.x and above UTM Log is by standard enabled and you do not have to configure anything. This can also be tested in following way:
# diagnose log test
Log-out from your Web Gui and Log-In again and you will see that under log you have now the UTM logs for each UTM features. If you like to log everything based on webfilter do following:
--> Check that all categories which are allowed are on action "monitor" (which means actually allow but log)
--> All other categories which are not allow set to block or whatever
After that go on CLI and edit your corresponding profile for WebFilter and use/check the commands:
config webfilter profile edit [Name of your profile] set log-all-url enable set web-content-log enable set web-filter-activex-log enable set web-filter-command-block-log enable set web-filter-cookie-log enable set web-filter-applet-log enable set web-filter-jscript-log enable set web-filter-js-log enable set web-filter-vbs-log enable set web-filter-unknown-log enable set web-filter-referer-log enable set web-filter-cookie-removal-log enable set web-url-log enable set web-invalid-domain-log enable set web-ftgd-err-log enable set web-ftgd-quota-usage enable end
After that check the firewall policy which is used for your WebFilter HTTP/HTTPS based traffic that log is enabled "all sessions".
Thats it.....make traffic and wait some 2/3 seconds...sometimes if log does not exist under Log for WebFilter you have to logout and login again or do a refresh in your browser.
hope this helps
have fun
Andrea
Hi
under FortiOS 5.2.x and above UTM Log is by standard enabled and you do not have to configure anything. This can also be tested in following way:
# diagnose log test
Log-out from your Web Gui and Log-In again and you will see that under log you have now the UTM logs for each UTM features. If you like to log everything based on webfilter do following:
--> Check that all categories which are allowed are on action "monitor" (which means actually allow but log)
--> All other categories which are not allow set to block or whatever
After that go on CLI and edit your corresponding profile for WebFilter and use/check the commands:
config webfilter profile edit [Name of your profile] set log-all-url enable set web-content-log enable set web-filter-activex-log enable set web-filter-command-block-log enable set web-filter-cookie-log enable set web-filter-applet-log enable set web-filter-jscript-log enable set web-filter-js-log enable set web-filter-vbs-log enable set web-filter-unknown-log enable set web-filter-referer-log enable set web-filter-cookie-removal-log enable set web-url-log enable set web-invalid-domain-log enable set web-ftgd-err-log enable set web-ftgd-quota-usage enable end
After that check the firewall policy which is used for your WebFilter HTTP/HTTPS based traffic that log is enabled "all sessions".
Thats it.....make traffic and wait some 2/3 seconds...sometimes if log does not exist under Log for WebFilter you have to logout and login again or do a refresh in your browser.
hope this helps
have fun
Andrea
Hi, thank you very mutch. After
#diagnose log test
I see web-filter under Log & Report, I follow you instruction but I still do not have any traffic under web filter ( just testing logs ) ..
I check profile - monitor-all ( factory from Fortinet both version Proxy and Flow )
I check my firewall rule - what allow connection to internet, it is rule with big traffic
I check my log setting ( is set to memory )
I try logout multiple times
So it should be fine, but under web filter I got still just testing records :(
Firewall rule in attachement
I see somethink strange - under Log & Report - Security Log - Web Filter I see just record with action = blocked :( nothing else. Some filter ?
Hi
Check if your WebFilter ist correct licensed otherwise all will be blocked which means check status over dashboard on the Gui First Page if you login (what is there written regarding WebFiler License)!
Second check log configuration (example for memory logging)
########################### # Log Settings ########################### config log setting set resolve-ip enable set resolve-port enable set log-user-in-upper disable set fwpolicy-implicit-log enable set fwpolicy6-implicit-log disable set log-invalid-packet disable set local-in-allow enable set local-in-deny-unicast disable set local-in-deny-broadcast disable set local-out disable set daemon-log disable set neighbor-event disable set brief-traffic-format disable set user-anonymize disable end ########################### # Log Settings Gui ########################### config log gui-display set resolve-hosts enable set resolve-apps enable set fortiview-unscanned-apps enable set fortiview-local-traffic enable set location memory end
########################### # Log Settings Device Memory ########################### config log memory setting set status enable set diskfull overwrite end
If license is active, log config is done as the webfilter is configured you should see logs....
hope it helps
have fun
Andrea
Again me...addtional check if this firewall policy rule with the webfilter is really this firewall policy rule which is used. It seems to be that this firewall policy is not hiting your traffic. This could be the reason you see only block without webfilter profile used etc. look to the interfaces like source, destination etc.
hope it helps have fun Andrea
Hi,
Web FilteringLicensed (Expires 2017-01-13)so licence is ok ..
I try your command to setup log.. But result is still same.. I see just blocked.
Are the logs under Log & Report -> Security Log -> Web Filter ??
About firewall I try add static url filter on this rule and it block it ok .. So think it is 99% that rule.
Hi
you do deep-inspection which means https.........I expect you imported the certificated from FGT to you local host for trusted certificate authorities IE and FireFox seperat. If so you rule is indicating service all but http is not covered because I do not see any profile for protocol options which means http?
Within the tests you are using https only.....? Are you testing http and/or https
Add to the rule a http profile protocol option.
From log point of view meaning memory it should be fine also defining as gui memory also fine. Drop me also a printscreen of your webfilter and a log printscreen where I can see a log entry for webfilter and for forward log.
Andrea
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.