Fortinet 5.0 Patch 6

Fortinet 558 FortiWeb 5.0 Patch 6 Administration Guide

Depending on the type of log, some log messages cannot be viewed from the web UI.

Log messages are in human-readable format, where each column’s name, such as Source (src

in Raw view), indicates its contents.

An attack’s origin is not always the same as the IP that appears in your logs. Network

address translation (NAT) at various points between a web browser and your web servers can

mask the original IP address of the attacker. Depending on your configuration of Use X-Header

to Identify Original Client’s IP, attack logs’ Source column may contain the IP address of the

client according to X-Forwarded-For: or a similar header in the HTTP layer, not the SRC field

in the IP header. In that case, the corresponding traffic log’s Source column will not match,

since it reflects the IP layer. (Typically in that scenario, the connection has been relayed by a

load balancer or proxy, and therefore the IP would be that of the load balancer, which is not the

real origin of the attack.) Relatedly, if Shared IP is enabled, FortiWeb will attempt to differentiate

innocent clients that share the same public address with an attacker according to the IP layer

SRC field due to NAT.

Not all attack detections will be logged. In some cases, only one entry will be logged when

there are many attack instances. See “Log rate limits” on page 544. Relatedly, server

information disclosure detections will not be logged if you have configured Action to be Erase,

no Alert. See “Blocking known attacks & data leaks” on page 387.

To view log messages

1. Go to one of the log types:

•Log&Report > Log Access > Attack

•Log&Report > Log Access > Event

•Log&Report > Log Access > Traffic

To access this part of the web UI, your administrator’s account access profile must have

Read and Write permission to items in the Log & Report category. For details, see

“Permissions” on page 47.

Columns and appearance varies slightly by the log type. For details on structure or

interpretations of and troubleshooting suggestions for individual log messages, see the

FortiWeb Log Reference.

Initially, the page displays the most recent log messages for that log type. Contents of the

Message column may vary by your selection of Raw or Formatted view.

Table 50:Availability of each log type via the web UI

Storage method Log type

Event Traffic Attack

Local disk Yes Yes Ye s

Local memory Yes No No

Syslog server Yes Yes Ye s

FortiAnalyzer Yes Yes Ye s

In FortiWeb HA clusters, log messages are recorded on their originating appliance. If you notice

a gap in the logs, a failover may have occurred. Logs during that period will be stored on the

other appliance. To view those logs, switch to the other appliance.