Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IrbkOrrum
Contributor

Originally accessed website in logs

I'm trying to lock down some of my web rules.  The issue is many of the server owners don't understand what web access they "need" so I resort to turning on full logging.  I put a more restrictive rule above the less restrictive rule, and check the logs on the less restrictive rule. The end goal being that eventually there will be no more traffic on the less restrictive rule and I can remove it.  I've got logging turned on, but sometimes the logs can be a bit deceiving.  For example

wdcp.microsoft.com

resolves to something like
wd-prod-cp-us-east-<number>-fe.<east or west>us.cloudapp.azure.com

Oftentimes I'll see in the logs that the server accessed wd-prod-cp-us-east-<number>-fe.<east or west>us.cloudapp.azure.com when, in fact, they actually accessed wdcp.microsoft.com (but I don't know that fact).  I'll put *.<east or west>us.cloudapp.azure.com in the rule that I use above the more restrictive rule, but then the next day I see more traffic in the less restrictive rule to wd-prod-cp-us-east-<number>-fe.<east or west>us.cloudapp.azure.com because I'm not realizing that traffic is actually going to wdcp.microsoft.com.

Is there some way through the logs that I can see what the actual site that the server tried to visit was when the logs are giving me 'less than completely truthful' URLs with the IPs?


ebrlima
Staff

I think the best way to get the info you want is applying a web filter profile to your rules. The action per category should be at least monitor, so you can have web filtering logs, which contain hostnames and full URL information. Don't use the "allow" action, but use monitor instead.

Eudes Lima
IrbkOrrum

Oh, I'd not thought of that.  Where does that end up in logs?  Is that under a specific location or does it still end up under the "show matching logs" when you right click on a rule?  

ebrlima
IrbkOrrum

Ok, I've created a duplicate of my web filtering policy but set everything that was 'allow' to 'monitor'.  I'll see what happens.  Thanks!

dingjerry_FTNT

> nslookup wdcp.microsoft.com 8.8.8.8
Server: dns.google
Address: 8.8.8.8

Non-authoritative answer:
Name: wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com
Address: 48.211.71.194
Aliases: wdcp.microsoft.com
wd-prod-cp.trafficmanager.net


So the web server for the URL wdcp.microsoft.com is hosted on an Azure Cloud server. Actually, I would say, it is an entry pointing to something like a server farm.


And the alias "wd-prod-cp.trafficmanager.net" is for Microsoft Azure Traffic Manager.


So it seems that wdcp.microsoft.com is just an entry for one server farm and the backend balancer will distribute your traffic to some server in the Azure cloud.


I think that you are not using SSL Deep Inspection.  You may try to use it and it will detect the real URL wdcp.microsoft.com you are accessing.


Regards,

Jerry
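The two answers above point at the same workaround from different sides: the web filter log (with categories set to monitor) records the hostname the client actually asked for, while the traffic log only carries the reverse-resolved Azure backend name, and nslookup shows the CNAME chain that links the two. The script below is an added example, not code from this thread or from Fortinet. It parses FortiGate-style key=value log lines, joins each traffic-log hit on the permissive policy to the matching web filter entry on (srcip, dstip, sessionid), and falls back to inverting a CNAME chain like the one Jerry posted when no web filter entry exists. The field names (srcip, dstip, sessionid, policyid, hostname, subtype, type), the sample log lines and the CNAME chain are all constructed for the example; check them against your own exported logs before relying on the join.

```python
"""Map FortiGate traffic-log destinations back to the hostname the client requested.

Added example (not code from the forum thread or from Fortinet). Assumes the
key=value syslog layout and the field names shown in the constructed sample
lines below; the CNAME chain mirrors the nslookup output posted in the thread.
"""
import re

# One key=value pair; quoted values may contain spaces and escaped quotes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line):
    """Parse one FortiGate log line into {field: value} with surrounding quotes removed."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def canonical_names(cname_chains):
    """Invert CNAME chains so any alias (or the requested name itself) maps to the requested name.

    cname_chains: {requested_name: [alias, ..., final_backend_name]} in the order nslookup prints them.
    """
    lookup = {}
    for requested, aliases in cname_chains.items():
        lookup[requested.lower()] = requested
        for alias in aliases:
            lookup[alias.lower()] = requested
    return lookup


def correlate(traffic_lines, webfilter_lines, cname_chains, policyid):
    """For every traffic-log hit on `policyid`, report the hostname the client really asked for.

    Resolution order: web filter log entry with the same (srcip, dstip, sessionid),
    then the inverted CNAME chain, then 'unknown'. Returns a list of dicts.
    """
    canon = canonical_names(cname_chains)
    by_session = {}
    for line in webfilter_lines:
        f = parse_fortilog(line)
        if f.get("subtype") != "webfilter":
            continue
        by_session[(f.get("srcip"), f.get("dstip"), f.get("sessionid"))] = f

    results = []
    for line in traffic_lines:
        f = parse_fortilog(line)
        if f.get("type") != "traffic" or f.get("policyid") != str(policyid):
            continue
        observed = f.get("hostname") or f.get("dstip", "")
        wf = by_session.get((f.get("srcip"), f.get("dstip"), f.get("sessionid")))
        if wf is not None and wf.get("hostname"):
            requested, source = wf["hostname"], "webfilter"
        elif observed.lower() in canon:
            requested, source = canon[observed.lower()], "cname"
        else:
            requested, source = None, "unknown"
        results.append({"srcip": f.get("srcip"), "dstip": f.get("dstip"),
                        "observed": observed, "requested": requested, "source": source})
    return results


# Constructed sample data (not real logs). Policy 20 is the permissive rule being retired.
AZURE_FE = "wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com"
TRAFFIC_LINES = [
    'date=2024-05-01 time=09:10:11 type="traffic" subtype="forward" srcip=10.1.1.20 dstip=48.211.71.194 '
    f'dstport=443 sessionid=100001 policyid=20 hostname="{AZURE_FE}" action="accept"',
    'date=2024-05-01 time=09:10:15 type="traffic" subtype="forward" srcip=10.1.1.21 dstip=48.211.71.194 '
    f'dstport=443 sessionid=100002 policyid=20 hostname="{AZURE_FE}" action="accept"',
    'date=2024-05-01 time=09:10:20 type="traffic" subtype="forward" srcip=10.1.1.22 dstip=203.0.113.9 '
    'dstport=443 sessionid=100003 policyid=20 action="accept"',
    'date=2024-05-01 time=09:11:00 type="traffic" subtype="forward" srcip=10.1.1.23 dstip=48.211.71.194 '
    f'dstport=443 sessionid=100004 policyid=10 hostname="{AZURE_FE}" action="accept"',
]
# Only the first client had a web filter profile in monitor mode, so only it logged the real hostname.
WEBFILTER_LINES = [
    'date=2024-05-01 time=09:10:11 type="utm" subtype="webfilter" eventtype="ftgd_allow" srcip=10.1.1.20 '
    'dstip=48.211.71.194 sessionid=100001 policyid=20 hostname="wdcp.microsoft.com" url="/" action="passthrough"',
]
# Chain taken from the thread's nslookup output: requested name -> aliases in order.
CNAME_CHAINS = {"wdcp.microsoft.com": ["wd-prod-cp.trafficmanager.net", AZURE_FE]}

if __name__ == "__main__":
    for row in correlate(TRAFFIC_LINES, WEBFILTER_LINES, CNAME_CHAINS, 20):
        print(f'{row["srcip"]} -> {row["observed"]}: requested={row["requested"]} ({row["source"]})')
```

The CNAME fallback only covers names you have already resolved and recorded, so it is a stopgap; the durable fix is the one the thread recommends: monitor mode in the web filter profile (and deep inspection where the hostname is only in the TLS handshake or HTTP Host header), so the requested hostname lands in the log in the first place.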