Fullmoon
Contributor III

policy id and web filtering action

I executed these commands:

# diagnose debug urlfilter src-addr <source ip>

# diagnose debug app urlfilter -1

# diagnose debug enable

Debug messages will be on for 30 minutes.

...and this is the output I gathered. Looks great because I can filter by the source IP address and see the Web Filter action. Is there a way to include in the logs the policy ID it was hitting? Any help is much appreciated.

msg="Cache miss" user="N/A" src=172.x.y.10 sport=57391 dst=13.35.99.49 dport=80 service="http" hostname="www.playboy.com" url="/"

action=10(ftgd-block) wf-act=3(BLOCK) user="N/A" src=172.x.y.10 sport=57391 dst=13.35.99.49 dport=80 service="http" cat=14 hostname="www.playboy.com" url="/"

msg="received a request /tmp/.ipsengine_723_0_0.url.socket, addr_len=37: d=www.playboy.com:80, id=2, cat=255, vfname='root', vfid=0, profile='default', type=0, client=172.x.y.10, url_source=1, url="/favicon.ico"

Fortigate Newbie

Toshi_Esumi
SuperUser

I don't know if adding policy ID to the urlfilter debug output is possible. But if you know src/dst address, you can easily find it out in the session table.

# diag sys session filter clear

# diag sys session filter src 172.x.y.10

# diag sys session filter dst 13.35.99.49

# diag sys session list

 

It's in the 13th line, like below:

misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0

Fullmoon

Got that command already. I was thinking I could inject additional syntax to display the policy ID so that in a single execution I could get the info needed.

Again, thanks a lot, Toshi Esumi.

Fortigate Newbie
