Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
m_raza
New Contributor

FAZ not logging URLs

We are using FortiAnalyzer 200D with firmware version v5.4.2-build1151 161213 (GA). Our FAZ is getting proper logs from our FortiGate 200D, but in all traffic logs the URL column is blank. We are not getting any URL that our users opened.

 

In the FortiGate I enabled all logs, and in web and application security I set Monitored for all allowed websites and applications, but I still failed to get any URLs.

 

Please guide me if I am missing something to get the URL log.

emnoc
Esteemed Contributor III

Try this from the FAZ CLI:

diag fortilogd msgrate-type

 

Does the "Web Filter" line show any status?

 

 

If not, then I would go back to the FortiGate and review the web filter log status and the actual firewall policy set logtraffic value.

 

Ken

 

 

PCNSE 

NSE 

StrongSwan  

m_raza
New Contributor

Yes, I am getting this status:

 

Web Filter.:      2.38      4.25      3.61

Traffic.:     19.24     20.57     18.57

emnoc
Esteemed Contributor III

Okay good

 

Now here's what you should do.

 

1: set memory logging for elimination

2: ensure your profile  has log enable

 

3: query memory for log messages. Does it log?

 

 

e.g

execute log filter dev 3

execute log file cat 3

execute log display

3: date=2017-08-29 time=13:06:21 logid=0315012544 type=utm subtype=webfilter eventtype=urlfilter level=warning vd="root" urlfilteridx=0 policyid=1 sessionid=1451617118 user="" srcip=x.x.x.x  srcport=52969 srcintf="wan1" dstip=153.121.72.211 dstport=80 dstintf="wan1" proto=6 service=HTTP hostname="ifconfig.me" profile="SCHOOL" action=blocked reqtype=direct url="/" sentbyte=122 rcvdbyte=0 direction=outgoing msg="URL was blocked because it is in the URL filter list" crscore=30 crlevel=high

Ensure the firewall policy has log utm enabled, and ensure the url-filter profile has log enabled.

 

e.g

config webfilter profile
    edit "SCHOOL"
        set comment "ALLOW LIMITED"
        set options block-invalid-url
        config override
            set ovrd-user-group ""
        end
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 140
                next
                edit 2
                    set category 141
                next
            end
        end
        set log-all-url enable
    next
end

m_raza
New Contributor

After executing log display I am getting these logs, where I am not getting any URL details:

-------------------------------------------------------------------------------------------------------------

18: date=2017-08-29 time=23:59:59 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.48 srcport=61834 srcintf="port8" dstip=85.25.103.30 dstport=443 dstintf="wan1" poluuid=a45054aa-4576-51e5-b5c4-21d0763b8135 sessionid=254768951 proto=6 action=close policyid=52 dstcountry="Germany" srccountry="Reserved" trandisp=snat transip=<redacted> transport=61834 service="HTTPS" duration=5 sentbyte=0 rcvdbyte=52 sentpkt=0 rcvdpkt=1 appcat="unscanned"

 

19: date=2017-08-29 time=23:59:59 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.1.48 srcport=61836 srcintf="port8" dstip=85.25.103.30 dstport=80 dstintf="wan1" poluuid=a45054aa-4576-51e5-b5c4-21d0763b8135 sessionid=254768952 proto=6 action=close policyid=52 dstcountry="Germany" srccountry="Reserved" trandisp=snat transip=<redacted> transport=61836 service="HTTP" duration=5 sentbyte=0 rcvdbyte=52 sentpkt=0 rcvdpkt=1 appcat="unscanned"

 

------------------------------------------------------------------------------------------------------------

I also ensured the URL filter settings:

 

FG-Amim_Master (profile) # get Level\ 3
name                : Level 3
comment             : Junior Officers to Senior officers
replacemsg-group    :
inspection-mode     : proxy
options             :
https-replacemsg    : enable
ovrd-perm           :
post-action         : normal
override:
    ovrd-scope          : user
    profile-type        : list
    ovrd-dur-mode       : constant
    ovrd-dur            : 15m
    ovrd-user-group:
        == [  ]
        name:
    profile:
web:
    bword-threshold     : 10
    bword-table         : 0
    urlfilter-table     : 4
    content-header-list : 0
    safe-search         :
    log-search          : disable
    keyword-match:
ftgd-wf:
    options             : redir-block
    category-override   : g22 Local Categories  144 News - Almeezan  143 SSL_exempt  142 test
    exempt-quota        :
    ovrd                :
    filters:
        == [ 1 ] id: 1    == [ 2 ] id: 2    == [ 3 ] id: 3    == [ 4 ] id: 4    == [ 5 ] id: 5
        == [ 6 ] id: 6    == [ 7 ] id: 7    == [ 8 ] id: 8    == [ 9 ] id: 9    == [ 10 ] id: 10
        == [ 11 ] id: 11  == [ 12 ] id: 12  == [ 13 ] id: 13  == [ 14 ] id: 14  == [ 15 ] id: 15
        == [ 16 ] id: 16  == [ 17 ] id: 17  == [ 18 ] id: 18  == [ 19 ] id: 19  == [ 20 ] id: 20
        == [ 21 ] id: 21  == [ 22 ] id: 22  == [ 23 ] id: 23  == [ 24 ] id: 24  == [ 25 ] id: 25
        == [ 26 ] id: 26  == [ 77 ] id: 77  == [ 28 ] id: 28  == [ 29 ] id: 29  == [ 30 ] id: 30
        == [ 31 ] id: 31  == [ 32 ] id: 32  == [ 33 ] id: 33  == [ 34 ] id: 34  == [ 35 ] id: 35
        == [ 36 ] id: 36  == [ 37 ] id: 37  == [ 39 ] id: 39  == [ 40 ] id: 40  == [ 41 ] id: 41
        == [ 42 ] id: 42  == [ 43 ] id: 43  == [ 45 ] id: 45  == [ 46 ] id: 46  == [ 47 ] id: 47
        == [ 48 ] id: 48  == [ 50 ] id: 50  == [ 51 ] id: 51  == [ 52 ] id: 52  == [ 53 ] id: 53
        == [ 56 ] id: 56  == [ 58 ] id: 58  == [ 59 ] id: 59  == [ 60 ] id: 60  == [ 63 ] id: 63
        == [ 64 ] id: 64  == [ 65 ] id: 65  == [ 66 ] id: 66  == [ 68 ] id: 68  == [ 69 ] id: 69
        == [ 70 ] id: 70  == [ 73 ] id: 73  == [ 74 ] id: 74  == [ 75 ] id: 75  == [ 78 ] id: 78
        == [ 79 ] id: 79  == [ 80 ] id: 80  == [ 81 ] id: 81  == [ 82 ] id: 82  == [ 83 ] id: 83
        == [ 84 ] id: 84  == [ 85 ] id: 85  == [ 86 ] id: 86  == [ 87 ] id: 87  == [ 88 ] id: 88
        == [ 89 ] id: 89  == [ 90 ] id: 90  == [ 91 ] id: 91  == [ 92 ] id: 92  == [ 93 ] id: 93
        == [ 94 ] id: 94  == [ 95 ] id: 95
    quota:
    max-quota-timeout   : 300
    rate-image-urls     : enable
    rate-javascript-urls: enable
    rate-css-urls       : enable
    rate-crl-urls       : enable
log-all-url         : enable
web-content-log     : enable
web-filter-activex-log: enable
web-filter-command-block-log: enable
web-filter-cookie-log: enable
web-filter-applet-log: enable
web-filter-jscript-log: enable
web-filter-js-log   : enable
web-filter-vbs-log  : enable
web-filter-unknown-log: enable
web-filter-referer-log: enable
web-filter-cookie-removal-log: enable
web-url-log         : enable
web-invalid-domain-log: enable
web-ftgd-err-log    : enable
web-ftgd-quota-usage: enable

emnoc
Esteemed Contributor III

Okay, dumb question: on that policy, do you have SSL inspection enabled? I see service=HTTPS, so can you run "show full firewall policy 52" from the CLI?

 

And let us know. If the service is HTTPS and no SSL inspection is enabled, then I don't think you will get a log message, but I could be wrong.

 

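The records that "execute log display" prints (emnoc's step 3) and the HTTPS/SSL-inspection question above can be checked mechanically. The script below is an added example, not code from this thread or from Fortinet: it parses FortiGate key=value log lines and, for each record, reports whether URL detail is present and, if not, the most likely reason to look at first. The classification rules (a utm/webfilter record is the one that carries hostname and url; a traffic record with appcat="unscanned" was not handed to any UTM profile; for an HTTPS session that points at SSL inspection on the policy) are heuristics assumed for this example, not documented FortiOS behaviour. The sample records are constructed from the lines quoted in the thread, with the redacted transip replaced by a documentation address.

```python
"""Check FortiGate log records for URL detail (added example, heuristics assumed)."""
import re
from typing import Dict, List, Tuple

# One key=value pair. Values are either double-quoted (may contain spaces,
# e.g. msg="URL was blocked ...") or a bare run of non-space characters.
_KV_RE = re.compile(r'([A-Za-z_][\w-]*)=("(?:[^"\\]|\\.)*"|\S*)')

# The "N:" index that 'execute log display' prints in front of each record.
_INDEX_RE = re.compile(r'^\s*(\d+):\s*')

# Constructed sample records, adapted from the lines quoted in the thread
# (poluuid dropped, redacted transip replaced by a documentation address).
SAMPLE_LOGS = [
    '3: date=2017-08-29 time=13:06:21 logid=0315012544 type=utm subtype=webfilter '
    'eventtype=urlfilter level=warning vd="root" urlfilteridx=0 policyid=1 '
    'sessionid=1451617118 user="" srcip=192.0.2.10 srcport=52969 srcintf="wan1" '
    'dstip=153.121.72.211 dstport=80 dstintf="wan1" proto=6 service=HTTP '
    'hostname="ifconfig.me" profile="SCHOOL" action=blocked reqtype=direct url="/" '
    'sentbyte=122 rcvdbyte=0 direction=outgoing '
    'msg="URL was blocked because it is in the URL filter list" crscore=30 crlevel=high',
    '18: date=2017-08-29 time=23:59:59 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd=root srcip=192.168.1.48 srcport=61834 srcintf="port8" '
    'dstip=85.25.103.30 dstport=443 dstintf="wan1" sessionid=254768951 proto=6 '
    'action=close policyid=52 dstcountry="Germany" srccountry="Reserved" '
    'trandisp=snat transip=192.0.2.1 transport=61834 service="HTTPS" duration=5 '
    'sentbyte=0 rcvdbyte=52 sentpkt=0 rcvdpkt=1 appcat="unscanned"',
    '19: date=2017-08-29 time=23:59:59 logid=0000000013 type=traffic subtype=forward '
    'level=notice vd=root srcip=192.168.1.48 srcport=61836 srcintf="port8" '
    'dstip=85.25.103.30 dstport=80 dstintf="wan1" sessionid=254768952 proto=6 '
    'action=close policyid=52 dstcountry="Germany" srccountry="Reserved" '
    'trandisp=snat transip=192.0.2.1 transport=61836 service="HTTP" duration=5 '
    'sentbyte=0 rcvdbyte=52 sentpkt=0 rcvdpkt=1 appcat="unscanned"',
]


def parse_record(line: str) -> Dict[str, str]:
    """Turn one FortiGate log line into a dict of field -> value (quotes stripped)."""
    body = _INDEX_RE.sub('', line.strip())
    record: Dict[str, str] = {}
    for key, value in _KV_RE.findall(body):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        record[key] = value
    return record


def url_visibility(rec: Dict[str, str]) -> Tuple[bool, str]:
    """Return (has_url_detail, explanation) for one parsed record.

    Heuristics assumed for this example (not documented FortiOS behaviour):
    the utm/webfilter record carries hostname and url; a traffic record with
    appcat="unscanned" was not handed to any UTM profile; when that session
    is HTTPS, SSL inspection on the policy is the first thing to check.
    """
    rtype = rec.get('type')
    if rtype == 'utm' and rec.get('subtype') == 'webfilter':
        host, path = rec.get('hostname', ''), rec.get('url', '')
        if host or path:
            return True, 'webfilter record: hostname=%r url=%r' % (host, path)
        return False, 'webfilter record without hostname/url fields'
    if rtype == 'traffic':
        if rec.get('hostname') or rec.get('url'):
            return True, 'traffic record carries hostname/url'
        policy = rec.get('policyid', '?')
        is_tls = rec.get('service', '').upper() == 'HTTPS' or rec.get('dstport') == '443'
        if rec.get('appcat') == 'unscanned':
            if is_tls:
                return False, ('HTTPS session not inspected by any UTM profile; '
                               'check SSL inspection on policy %s' % policy)
            return False, ('session not inspected by any UTM profile; check the '
                           'web filter profile and logtraffic on policy %s' % policy)
        return False, 'traffic record has no URL fields'
    return False, 'not a web-related record (type=%s)' % rtype


def audit(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Classify every record; returns (display index, has_url, explanation)."""
    results = []
    for line in lines:
        m = _INDEX_RE.match(line)
        idx = m.group(1) if m else '?'
        has_url, why = url_visibility(parse_record(line))
        results.append((idx, has_url, why))
    return results


if __name__ == '__main__':
    for idx, has_url, why in audit(SAMPLE_LOGS):
        print('%3s  %s  %s' % (idx, 'URL ' if has_url else 'none', why))
```

Run it against a paste of your own "execute log display" output (one record per line) to see which sessions ever reached a web filter profile. A traffic record that is both HTTPS and appcat="unscanned", like record 18, is consistent with emnoc's suspicion that no SSL inspection is applied on policy 52; record 19 (plain HTTP, also unscanned) suggests the web filter profile is not being applied to that policy at all, which would be checked with the "show full firewall policy 52" he asked for.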