Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Fires
New Contributor

Enable UTM/Web filter log

Hi, how I can enable extended log of web filtering ?  

 

I got Fortigate 60D (firmware 5.2.5)

I enable webfilter

I add webfillter monitor-all to interface

 

But I do not have UTM under Log & Report :(

I try google  and CLI

# config dlp sensor  # edit [Name of Profil]  # set extended-utm-log [enable | disable]  # set dlp-log [enable | disable]  # set nac-quar-log [enable | disable]  # end 

 

 

BUT : 

# config webfilter profile  # edit [Name of Profil]  # set extended-utm-log [enable | disable] 

I get error -61 after this command. :(

 

Also I can't change profile under web filter in security profiles :(

 

Please advise.. 

 

Thanks

1 Solution
AndreaSoliva
Contributor III

Hi

 

under FortiOS 5.2.x and above UTM Log is by standard enabled and you do not have to configure anything. This can also be tested in following way:

 

# diagnose log test

 

Log-out from your Web Gui and Log-In again and you will see that under log you have now the UTM logs for each UTM features. If you like to log everything based on webfilter do following:

 

--> Check that all categories which are allowed are on action "monitor" (which means actually allow but log)

--> All other categories which are not allow set to block or whatever

 

After that go on CLI and edit your corresponding profile for WebFilter and use/check the commands:

 

config webfilter profile edit [Name of your profile] set log-all-url enable set web-content-log enable  set web-filter-activex-log enable  set web-filter-command-block-log enable  set web-filter-cookie-log enable set web-filter-applet-log enable set web-filter-jscript-log enable set web-filter-js-log enable set web-filter-vbs-log enable set web-filter-unknown-log enable set web-filter-referer-log enable set web-filter-cookie-removal-log enable set web-url-log enable set web-invalid-domain-log enable set web-ftgd-err-log enable set web-ftgd-quota-usage enable end

 

After that check the firewall policy which is used for your WebFilter HTTP/HTTPS based traffic that log is enabled "all sessions".

 

Thats it.....make traffic and wait some 2/3 seconds...sometimes if log does not exist under Log for WebFilter you have to logout and login again or do a refresh in your browser.

 

hope this helps

 

have fun

 

Andrea

View solution in original post

13 REPLIES 13
Fires
New Contributor

Proxy setup

AndreaSoliva
Contributor III

 

Hi

 

ok I see you have actually no clou what your are using! Sorry to say this but "deep-inspection" is based on man in the middle technolgy this means breaking-out https traffic and looking into the traffic. For this the FGT must be playing man in the middle. From this point of view that on your site nothing is working as expected from beggining again and please copy/paste the commands into the console. For some commands you have to edit the profile name from this point of view look for the positions [Name of Profile] and replace the position with the name of the profile:

 

FULL LOG CONFIG WITH FILTER:

*************************

config log setting set resolve-ip enable set resolve-port enable set log-user-in-upper  disable set fwpolicy-implicit-log enable set fwpolicy6-implicit-log disable set log-invalid-packet disable set local-in-allow enable set local-in-deny-unicast disable set local-in-deny-broadcast disable set local-out disable set daemon-log disable set neighbor-event disable set brief-traffic-format disable set user-anonymize disable end

 

config log gui-display set resolve-hosts enable set resolve-apps enable set fortiview-unscanned-apps enable set fortiview-local-traffic enable set location memory end

 

config log memory setting set status enable set diskfull overwrite end # # If memory log is used set max-size as # warning threshold. # # For "max-size" value "bytes" are used. # # config log memory global-setting # set max-size 65536 # set full-final-warning-threshold 95 # set full-first-warning-threshold 75 # set full-second-warning-threshold 90 # end config log memory filter set severity information set forward-traffic enable set local-traffic enable set multicast-traffic enable set sniffer-traffic enable set anomaly enable set netscan-discovery enable set netscan-vulnerability enable set voip enable #set dlp-archive enable end

 

config log eventfilter set event enable set router enable set vpn enable set user enable set router enable set wireless-activity enable set wan-opt enable set endpoint enable set ha enable end config log threat-weight set status enable end

 

CONFIGURE A PROTOCOL PROFILE

****************************

config firewall profile-protocol-options edit [Name of your Profile] set comment "Unencrypted default profile" set oversize-log enable set switching-protocols-log enable config http set ports 80    set status enable     set inspect-all disable     set options clientcomfort     set comfort-interval 10    set comfort-amount 1    set fortinet-bar disable     set streaming-content-bypass enable     set switching-protocols bypass     set oversize-limit 10    set uncompressed-oversize-limit 10    set uncompressed-nest-limit 12    set scan-bzip2 disable     set block-page-status-code 200    set retry-count 0 end config ftp set ports 21    set status disable     set inspect-all disable     set options clientcomfort     set comfort-interval 10    set comfort-amount 1    set oversize-limit 10    set uncompressed-oversize-limit 10    set uncompressed-nest-limit 12    set scan-bzip2 disable end config imap set ports 143    set status disable     set inspect-all disable     set options fragmail     set oversize-limit 10    set uncompressed-oversize-limit 10    set uncompressed-nest-limit 12    set scan-bzip2 disable end config mapi set ports 135    set status disable     set options fragmail     set oversize-limit 10    set uncompressed-oversize-limit 10    set uncompressed-nest-limit 12    set scan-bzip2 disable end config pop3 set ports 110    set status disable     set inspect-all disable     set options fragmail     set oversize-limit 10    set uncompressed-oversize-limit 10    set uncompressed-nest-limit 12    set scan-bzip2 disable end config smtp set ports 25    set status disable     set inspect-all disable     set options fragmail     set oversize-limit 10    set uncompressed-oversize-limit 10    set uncompressed-nest-limit 12    set scan-bzip2 disable     set server-busy disable end config nntp set ports 119    set status disable     set inspect-all disable     set oversize-limit 10    set uncompressed-oversize-limit 10    set uncompressed-nest-limit 12    set scan-bzip2 disable end config dns set ports 53    set status enable end config mail-signature set status disable     end end

 

CONFIGURE A SSH-SSL PROTOCOL PROFILE

************************************

config firewall ssl-ssh-profile edit [Name of your Profile] set comment "Encrypted URL Scan Only default profile" set server-cert-mode re-sign set caname Fortinet_CA_SSLProxy set certname Fortinet_CA_SSLProxy set ssl-invalid-server-cert-log enable config ssl set inspect-all disable set allow-invalid-server-cert enable set ssl-ca-list disable end config https set ports 443 set status certificate-inspection set client-cert-request bypass set unsupported-ssl bypass set allow-invalid-server-cert enable set ssl-ca-list disable end config ftps set ports 990 set status disable set client-cert-request bypass set unsupported-ssl bypass set allow-invalid-server-cert enable set ssl-ca-list disable end config imaps set ports 993 set status disable set client-cert-request inspect set unsupported-ssl bypass set allow-invalid-server-cert enable set ssl-ca-list disable end config pop3s set ports 995 set status disable set client-cert-request inspect set unsupported-ssl bypass set allow-invalid-server-cert enable set ssl-ca-list disable end config smtps set ports 465 set status disable set client-cert-request inspect set unsupported-ssl bypass set allow-invalid-server-cert enable set ssl-ca-list disable end end

 

 

 

 

 

 

 

 

 

AndreaSoliva
Contributor III

Sorry here is the rest of the commands this forum stuff has some limitations:

 

CONFIGURE A SSH-SSL PROTOCOL PROFILE

************************************

 

 

config firewall ssl-ssh-profile edit [Name of your Profile] set comment "Encrypted URL Scan Only default profile" set server-cert-mode re-sign set caname Fortinet_CA_SSLProxy set certname Fortinet_CA_SSLProxy set ssl-invalid-server-cert-log enable config ssl set inspect-all disable set allow-invalid-server-cert enable set ssl-ca-list disable end config https set ports 443 set status certificate-inspection set client-cert-request bypass set unsupported-ssl bypass set allow-invalid-server-cert enable set ssl-ca-list disable end config ftps set ports 990 set status disable set client-cert-request bypass set unsupported-ssl bypass set allow-invalid-server-cert enable set ssl-ca-list disable end config imaps set ports 993 set status disable set client-cert-request inspect set unsupported-ssl bypass set allow-invalid-server-cert enable set ssl-ca-list disable end config pop3s set ports 995 set status disable set client-cert-request inspect set unsupported-ssl bypass set allow-invalid-server-cert enable set ssl-ca-list disable end config smtps set ports 465 set status disable set client-cert-request inspect set unsupported-ssl bypass set allow-invalid-server-cert enable set ssl-ca-list disable end end 

 

CONFIGURE WEBFILTER OPTIONS

***************************

 

 

config webfilter profile edit [Name of your Profile] set comment "Webfilter default profile" set inspection-mode proxy set https-replacemsg disable config web set safe-search url     set log-search enable end config ftgd-wf set max-quota-timeout 300 set rate-image-urls  enable set rate-javascript-urls enable set rate-css-urls enable set rate-crl-urls enable end set log-all-url enable set web-content-log enable  set web-filter-activex-log enable  set web-filter-command-block-log enable  set web-filter-cookie-log enable set web-filter-applet-log enable set web-filter-jscript-log enable set web-filter-js-log enable set web-filter-vbs-log enable set web-filter-unknown-log enable set web-filter-referer-log enable set web-filter-cookie-removal-log enable set web-url-log enable set web-invalid-domain-log enable set web-ftgd-err-log enable set web-ftgd-quota-usage enable end

 

CONTENT FILTER FOR BYPASS AV

***************************

 

config webfilter content-header edit 1 set comment "exempt from antivirus scanning" config entries edit "video\\/.*" set action exempt next edit "audio\\/.*" set action exempt next end set name "exempt-antivirus-scanning" next end config webfilter profile edit [Name of your Profile] config web set content-header-list 1 end next end

 

URL FILTER FOR WEBFILTER TO BYPASS UTM FEATURES

********************************************

 

 

 

 

config webfilter urlfilter edit 1 set name "urlfilter-bypass-av" set comment "URL Filter default profile" config entries edit 1 set url "*.apple.com" set type wildcard #set type simple set action exempt #set exempt av web-content activex-java-cookie dlp fortiguard range-block all next edit 2 set url "*.itunes.apple.com" set type wildcard #set type simple set action exempt #set exempt av web-content activex-java-cookie dlp fortiguard range-block all next edit 3 set url "*.phobos.apple.com" set type wildcard #set type simple set action exempt #set exempt av web-content activex-java-cookie dlp fortiguard range-block all next edit 4 set url "*.apple.com.edgesuite.net" set type wildcard #set type simple set action exempt #set exempt av web-content activex-java-cookie dlp fortiguard range-block all next edit 5 set url "*.windowsupdate.com" set type wildcard #set type simple set action exempt #set exempt av web-content activex-java-cookie dlp fortiguard range-block all next edit 6 set url "*.download.windowsupdate.com" set type wildcard #set type simple set action exempt #set exempt av web-content activex-java-cookie dlp fortiguard range-block all next edit 7 set url "*.stats.update.microsoft.com" set type wildcard #set type simple set action exempt #set exempt av web-content activex-java-cookie dlp fortiguard range-block all next edit 8 set url "*.msftncsi.com" set type wildcard #set type simple set action exempt #set exempt av web-content activex-java-cookie dlp fortiguard range-block all next edit 9 set url "*.microsoft.com" set type wildcard #set type simple set action exempt #set exempt av web-content activex-java-cookie dlp fortiguard range-block all next end next end

 

config webfilter profile edit [Name of your Profile] config web set urlfilter-table 1 end next end

 

Now go to your corresponding Firewall Policy Rule and add above the same rule as you delivered to me. Do not use the same rule as you delivered in printscreen really create another one above the existing one and do following:

 

 

--> Add service http as https (nothing else and DO NOT USE service ALL)

--> Add protocol option profile (the name of the profile you configured above with the commands "profile-protocol-options")

--> Add ssh-ssl option profile (the name of the profile you configured above with the commands "ssl-ssh-profile")

--> Add webfilter profile (Your WebFilter Profile Name which you used above with the commands "webfilter profile")

--> The rest of the firewall policy is as your delivered in the printscreen

  

Now test and check if you request is hiting the right new policy which is above your current policy.

  

have fun

  

Andrea

AndreaSoliva

Hi

 

again me :)

 

What you have now is HTTP WebFiler and HTTPS with URL Scan Only or also called Certificate Inspection. This means the FGT does not play man in the middle instead for HTTPS the certification CN (Common Name) is used to evaluate the categorisation of the WebFilter stuff etc. Do not add a AV Profile to this http/https rule because AV can not be done on HTTPS without deep-inspection. if you like deep-inspection this is another step but please do now this what I delivered.

 

Andrea

Top Kudoed Authors