Fortinet 548 FortiWeb 5.0 Patch 6 Administration Guide
Enable Traffic
Packet Log
Enable to retain the packet payloads of all HTTP request traffic.
Unlike attack packet payloads, only HTTP request traffic packets are
retained (not HTTP responses), and only the first 4 KB of the p ayload.
Packet payloads supplement the log message by providing the actual
request body, which may help you to fine-tune your regular
expressions to prevent false negatives, or to examine changes to
attack behavior for subsequent forensic analysis.
To view packet payloads, see “Viewing packet payloads” on
page 563.
Tip: Retaining traffic packet payloads is resource intensive. To
improve performance, only enable this option while necessary.
Enable Event Log Enable to log local events, such as administrator logins or rebooting
the FortiWeb appliance.
Retain Packet
Payload For
Mark the check boxes of the attack types or validation failures to
retain packet information for applicable packets. Packet retention is
enabled by default for most types.
Packet payloads supplement the log message by providing part of
the actual data that matched the regular expression, which may help
you to fine-tune your regular expressions to prevent false positives, or
to examine changes to attack behavior for subsequent forensic
analysis.
To view packet payloads, see “Viewing packet payloads” on
page 563.
If packet payloads could contain sensitive information, you may need
to obscure those elements. For details, see “Obscuring sensitive data
in the logs” on page 552.
Note: FortiWeb retains only the first 4 KB of data from the offending
HTTP request payload that triggered the log message. If you require
forensic analysis of, for example, buffer overflow attacks that would
exceed this limit, you must implement it separately.
Persistent Server
Session
Select a threshold for the percentage (50% to 90%, at increments of
10%) of maximum allowed persistent server sessions that will trigger
an event log entry.
For example, if this option is set to 50%, and the maximum number of
persistent server sessions is 15,000, an event log will be recorded
when the actual number of persistent sessions reaches 50% of the
maximum number (7,500 persistent server sessions).
For specifications of your appliance’s maximum, see “Appendix B:
Maximum configuration values” on page 669.
Tip: You can limit each policy’s persistent server sessions using the
Persistent Server Sessions option.
CPU Utilization Select a threshold level (60% to 99%) beyond which CPU usage will
trigger an event log entry.
Memory
Utilization
Select a threshold level (60% to 99%) beyond which memory usage
will trigger an event log entry.
Trigger Action Select an trigger, if any, to use when memory usage, CPU usage or
persistent server sessions reach or exceeds their specified threshold.
Setting name Description