(I've made significant corrections to the original post.)
Many of my Fortigate 5.0.9 traffic logs seem to be missing values in the ebtime and catdesc fields. Specifically,
So I think I have two issues: why are there no ebtime values for HTTPS traffic? And why are there no catdesc values for most of the HTTP traffic? How can I address these? Below are snippets of what I think are the relevant config settings, but let me know if I left out any relevant settings. I'm using 5.0.9 on a mix of 60D, 100D, and 500D devices. I am viewing and reporting from a FortiAnalyzer 5.2.2. Thanks in advance for helping me!
config antivirus settings
    set grayware enable
end
config antivirus profile
    edit "default"
        set comment "scan and delete virus"
        config http
            set options scan
        end
    next
    edit "AV-SB"
        set block-botnet-connections enable
        set ftgd-analytics everything
        config http
            set options scan
        end
        config ftp
            set options scan
        end
    next
end
config firewall policy
    edit 12
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "Outbound-Services"
        set utm-status enable
        set profile-protocol-options "default"
        set deep-inspection-options "SSLInspectProfile"
        set av-profile "AV-SB"
        set webfilter-profile "Default-WF"
        set nat enable
    next
end
When I look at the FW rule in FortiManager (sorry, I don't have direct access to the Fortigates), I see four security profiles in the rule:
Do they get processed in this order? If so, can they be reordered such that the web filter profile is processed before the AV profile? Do you see where I am heading? It seems like the web filtering profile could then have the opportunity to assign the catdesc. (It also seems like you could avoid some of the resource-intensive AV processing if it only had to process items allowed by the web filter, but that's an efficiency observation and unrelated to my catdesc issue.)
Peifer wrote:
"How can I reduce the high volume of AV logs? How can I log only significant utmactions? I don't want to log AV events in the traffic log where utmevent=virus and utmaction=passthrough. I only want to log events where utmevent=virus and utmevent!=passthrough."

About 80% of the HTTP logs in the traffic log are now missing catdesc, specifically when utmevent=virus and utmaction=passthrough.
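To quantify a gap like this before touching the profiles, it helps to count per service/utmevent/utmaction how many traffic-log lines lack a field. The script below is an added example, not code from the thread or from Fortinet: it parses FortiGate-style key=value log lines and reports the missing-field ratio per group. The sample lines are constructed for the example; only the field names ebtime, catdesc, utmevent, utmaction and service come from the discussion above.

```python
import re
from collections import Counter

# Constructed sample traffic-log lines in FortiGate key=value syslog style.
# The values are made up; the field names are the ones discussed in the thread.
SAMPLE_LOGS = """\
date=2015-05-01 time=10:00:01 type=traffic subtype=forward service=HTTP utmevent=webfilter utmaction=passthrough catdesc="Information Technology" ebtime=12
date=2015-05-01 time=10:00:02 type=traffic subtype=forward service=HTTP utmevent=virus utmaction=passthrough ebtime=8
date=2015-05-01 time=10:00:03 type=traffic subtype=forward service=HTTPS utmevent=webfilter utmaction=passthrough catdesc="Business"
date=2015-05-01 time=10:00:04 type=traffic subtype=forward service=HTTP utmevent=virus utmaction=passthrough ebtime=3
date=2015-05-01 time=10:00:05 type=traffic subtype=forward service=HTTPS utmevent=webfilter utmaction=blocked catdesc="Malicious Websites"
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one FortiGate-style log line into a dict of field -> value."""
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        # An unmatched regex group comes back as "", so pick the one that matched.
        fields[key] = quoted if bare == "" else bare
    return fields


def missing_field_report(text, field):
    """Per (service, utmevent, utmaction), count lines where `field` is absent
    or empty. Returns {group: (missing, total)} for type=traffic lines only."""
    totals, missing = Counter(), Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("type") != "traffic":
            continue
        group = (rec.get("service", "?"), rec.get("utmevent", "-"), rec.get("utmaction", "-"))
        totals[group] += 1
        if not rec.get(field):
            missing[group] += 1
    return {g: (missing[g], totals[g]) for g in totals}


if __name__ == "__main__":
    for name in ("catdesc", "ebtime"):
        print(f"== traffic lines missing {name} ==")
        for (svc, ev, act), (m, n) in sorted(missing_field_report(SAMPLE_LOGS, name).items()):
            print(f"{svc:6} utmevent={ev:10} utmaction={act:12} {m}/{n}")
```

Feed it a real export from FortiAnalyzer instead of SAMPLE_LOGS and the groups with a high missing ratio show exactly which profile path (AV passthrough vs. web filter, HTTP vs. HTTPS) is dropping the field.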