IPS and WAF security events are not displayed in Fortigate and FAZ

unknown1020 · ‎04-19-2024

friends a question.

Why do security event logs not appear in a publication (VIP)?

In my policy I have enabled the IPS, WAF, SSL certificate inspection security profiles; and still no IPS or WAF logs are displayed. I have a FortiAnalyzer and events are not displayed either.

The strange thing is that I have other policies with the same security profiles and it does show me logs (attack signatures, etc.).

What could be the reason?

adambomb1219 · ‎04-19-2024

Do you have logging enabled on the policy? Are you seeing any logs at all? Looks like you have a filter for Policy ID enabled?

AEK · ‎04-20-2024

Also if the policy didn't catch any attack yet then nothing will be displayed.

You can simulate an attack in the policy's flow direction and see if it displayed in the logs.

AEK

vraev · ‎04-22-2024

HI @unknown1020 ,

Confirm the Antivirus profile’s protocol settings under config antivirus profile:

Ensure that 'set options scan' is enabled on CDR-supported protocols.

If 'set options av-monitor' is configured on a CDR-supported protocol, it overrides the config content-disarm detect-only setting (and CDR will not occur).

If the CDR configuration is properly applied for the concerned traffic but the disarmed file is not stored locally on FortiAnalyzer the below CLI command can be executed on FortiAnalyzer:

Use all for <permission>.

execute log device permissions <device_id> <permission> {enable | disable}

- Confirm that the Inspection Mode is set to 'proxy' under System -> Settings (in FortiGates versions prior to 7.0).

- Additionally, check that the Antivirus profile inspection mode is set to 'proxy' using the CLI console:

config antivirus profile

edit default

set inspection-mode proxy

Best,

V.R.