Fortinet 545 FortiWeb 5.0 Patch 6 Administration Guide
To optimize logging performance and help you to notice important new information, within a
specific time frame, FortiWeb will only make one log entry for these repetitive events. It will not
log every occurrence.
•Period Block
Make 1 log per 3600 seconds per HTTP session cookie or client IP.
•DoS Protection > Application > HTTP Access Limit and
Web Protection > Advanced Protection > Custom Rule
•If Action is Alert or Alert & Deny, make 1 log / second / client IP.
•If Action is Period Block, make 1 log / block period / client IP.
•DoS Protection > Application > HTTP Flood
•If Action is Alert or Alert & Deny, make 1 log / 2 seconds / HTTP session cookie.
•If Action is Period Block, make 1 log / block period / HTTP session cookie.
•DoS Protection > Application > Malicious IPs
•If Action is Alert or Alert & Deny, make 1 log / 3600 seconds / HTTP session cookie,
assuming at least one TCP connection from the attack remains open. If all connections
close, then new connections resume the attack, which still use the same HTTP session
cookie, FortiWeb will make a second, new attack log entry, even though 3600 seconds
has not yet elapsed since the attack began.
•If Action is Period Block, make 1 log / block period / HTTP session cookie.
•DoS Protection > Network > TCP Flood Prevention
•If Action is Alert or Alert & Deny, make 1 log / 3600 seconds / client IP, assuming at least
one TCP connection from the attack remains open. If all connections close, then new
connections resume the attack, FortiWeb will make a second, new attack log entry, even
though 3600 seconds has not yet elapsed since the attack began.
•If Action is Period Block, make 1 log / 3600 seconds / client IP.
•DoS Protection > Network > Syn Cookie
Make 1 log per continuous TCP SYN flood.
Configuring loggingYou can configure the FortiWeb appliance to store log messages either locally (that is, in RAM or
to the hard disk) and or remotely (that is, on a Syslog server or FortiAnalyzer appliance). Your
choice of storage location may be affected by several factors, including the following.
• Rebooting the FortiWeb appliance clears logs stored in memory.
• Logging only locally may not satisfy your requirements for off-site log storage.
• Attack logs and traffic logs cannot be logged to local memory.
• Very frequent logging may cause undue wear when stored on the local hard drive. A low
severity threshold is one possible cause of frequent logging. For more information on
severity levels, see “Log severity levels” on page 544.
• Very frequent logging, such as when the severity level is low, may rapidly consume all
available log space when stored in memory. If the available space is consumed, and if the
FortiWeb appliance is configured to do so, it may store any new log message by overwriting
the oldest log message. For high traffic volumes, this may occur so rapidly that you cannot
view old log messages before they are replaced.
• Usually, fewer log messages can be stored in memory. Logging to a Syslog server or
FortiAnalyzer appliance may provide you with additional log storage space.
For information on viewing locally stored log messages, see “Viewing log messages” on
page 557.