Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
awomack
New Contributor

"Block malicious URLs" in Intrusion Prevention - any way to log what URL was blocked?

I traffic that is being blocked by a Fortigate because it is matching a malicious URL in the Intrusion Preventions malicious URL list:

Blocking Malicious URLs

To use this IPS signature to block malicious URLs, select Block malicious URLs. This feature uses a local malicious URL database on the FortiGate to assist in drive-by exploits detection. The database contains all malicious URLs active in the last one month, and all drive-by exploit URLs active in the last three months. The number of URLs controlled are in the one million range.

 

Ref: https://help.fortinet.com...e%20IPS%20scanning.htm

 

However, the logs do not actually log the URL that was matched. Is there anyway to actually see these URLs? I have gone into the CLI and enabled extended-logging for the Intrusion Prevention security profile, but this only added the user agent string to the logs.

 

Just for reference, here is part of the log type that I am referring to:

type="utm",subtype="ips",eventtype="malicious-url",msg="URL blocked by malicious-url-list"
4 REPLIES 4
tanr
Valued Contributor II

Checking my own IPS logs (from FortiAnalyzer) the malicious URL log entries do include the host and url, of the form:

 

attack=malicious-url eventtype=malicious-url hostname=www.theblacklist.click url=/g3nnn/quake3-textures.html 

 

Do you have "Resolve Hostnames" turned on in Log Settings?  See https://kb.fortinet.com/kb/viewContent.do?externalId=FD40598&sliceId=1.

awomack
New Contributor

tanr wrote:

Do you have "Resolve Hostnames" turned on in Log Settings?  See https://kb.fortinet.com/kb/viewContent.do?externalId=FD40598&sliceId=1.

thanks for replying to my post. unfortunately this would not help me for these alerts as the destination IP is a cloud proxy service we use. besides, your log examples shows you are getting more than just a reverse DNS lookup as you have the URL's path after the hostname.

 

can you confirm the "type" and "subtype" of this log example?

 

type="utm",subtype="ips"
tanr
Valued Contributor II

Yes, for that same log enter: type=utm subtype=ips

Pulling that from the raw logs on the FortiAnalyzer under Security > Intrusion Prevention.

 

 

tanr
Valued Contributor II

On your FortiGate do you have both

 

config log gui-display     set resolve-host enable end   and   config log setting     set resolve-ip enable end

 

I believe you need the second one to get the actual host/url added to the log, if the FortiGate has it.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors