Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
xinger
New Contributor III

Web browsing times and catdesc are not fully populated

(I've made significant corrections to the original post.)

Many of my Fortigate 5.0.9 traffic logs seem to be missing values in the ebtime and catdesc fields.  Specifically,

[ul]
  • HTTPS / port 443 traffic logs never have ebtime values.  
  • HTTP / port 80 traffic logs have always had catdesc values until we deployed an AV + Sandbox security profile[ul]
  • About 80% of the HTTP logs in the traffic log are now missing catdesc, specifically when utmevent=virus (and utmaction=passthrough which I assume means that they are being passed through to the sandbox).  These logs have an ebtime value, but they are impossible to summarize by category because catdesc is blank.
  • The other 20% of the HTTP logs in the traffic log have utmevent=webfilter and they have catdesc and ebtime values as they've always had.[/ul][/ul]

    So I think I have two issues:  why are there no ebtime values for HTTPS traffic? and why are there no catdesc values for most of the HTTP traffic?  How can I address these?  Below are snippets of what I think are the relevant config settings, but let me know if left out any relevant settings.  I'm using 5.0.9 on a mix of 60D, 100D, and 500D devices.  I am viewing and reporting from a FortiAnalyzer 5.2.2.  Thanks in advance for helping me!

    config antivirus settings
    set grayware enable
    end

    config antivirus profile
    edit "default"
    set comment "scan and delete virus"
    config http
    set options scan
    end

    next

     

    edit "AV-SB"
    set block-botnet-connections enable
    set ftgd-analytics everything
    config http
    set options scan
    end

    config ftp
    set options scan
    end

    next

     

    config firewall policy

     

    edit 12
    set srcintf "lan"
    set dstintf "wan1"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "Outbound-Services"
    set utm-status enable
    set profile-protocol-options "default"
    set deep-inspection-options "SSLInspectProfile"
    set av-profile "AV-SB"
    set webfilter-profile "Default-WF"
    set nat enable
    next

  • 2 REPLIES 2
    xinger
    New Contributor III

    When I look at the FW rule in FortiManager (sorry, I don't have direct access to the Fortigates), I see four security profiles in the rule:

    [ul]
  • Antivirus profile
  • SSL inspection profile
  • Web filter profile
  • Protocol port mapping profile[/ul]

    Do they get processed in this order?  If so, can they be reordered such that the web filter profile is processed before the AV profile?  Do you see where I am heading?  It seems like the web filtering profile could then have the opportunity to assign the catdesc.  (It also seems like you could avoid some of the resource-intensive AV processing if it only had to process items allowed by the web filter, but that's an efficiency observation and unrelated to my catdesc issue.)

  • xinger
    New Contributor III

    Peifer wrote:

    About 80% of the HTTP logs in the traffic log are now missing catdesc, specifically when utmevent=virus and utmaction=passthrough

    How can I reduce the high volume of AV logs?  How can I log only significant utmactions?  I don't want to log AV events in the traffic log where utmevent=virus and utmaction=passthrough.  I only want to log events where utmevent=virus and utmevent!=passthrough.

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors