Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
unknown1020
New Contributor III

IPS and WAF security events are not displayed in Fortigate and FAZ

Friends, a question.

 

Why do security event logs not appear in a publication (VIP)?

In my policy I have enabled the IPS, WAF and SSL certificate inspection security profiles, and still no IPS or WAF logs are displayed. I have a FortiAnalyzer and events are not displayed either.

The strange thing is that I have other policies with the same security profiles and it does show me logs (attack signatures, etc.).

 

Screenshot_9.png

 

What could be the reason?

3 REPLIES
adambomb1219
SuperUser

Do you have logging enabled on the policy?  Are you seeing any logs at all?  Looks like you have a filter for Policy ID enabled?

AEK
SuperUser

Also if the policy didn't catch any attack yet then nothing will be displayed.

You can simulate an attack in the policy's flow direction and see if it is displayed in the logs.

AEK
vraev
Staff

Hi @unknown1020,

 

Confirm the Antivirus profile’s protocol settings under config antivirus profile:

 

Ensure that 'set options scan' is enabled on CDR-supported protocols.

If 'set options av-monitor' is configured on a CDR-supported protocol, it overrides the config content-disarm detect-only setting (and CDR will not occur).

 

If the CDR configuration is properly applied for the concerned traffic but the disarmed file is not stored locally on FortiAnalyzer, the below CLI command can be executed on FortiAnalyzer:

 Use all for <permission>.

execute log device permissions <device_id> <permission> {enable | disable}

 

- Confirm that the Inspection Mode is set to 'proxy' under System -> Settings (in FortiGate versions prior to 7.0).

- Additionally, check that the Antivirus profile inspection mode is set to 'proxy' using the CLI console:

 

config antivirus profile
    edit default
        set inspection-mode proxy
    next
end

 

Best,

V.R.