Fortinet black logo

Handbook

Using the security log

Using the security log

The Security Log table displays logs related to security features.

By default, the log is filtered to display IP Reputation logs, and the table lists the most recent records first.

You can use the following category filters to review logs of interest:

  • IP Reputation—Traffic logged by the IP Reputation feature
  • DoS—Traffic logged by the SYN Flood feature
  • WAF—Traffic logged by the WAF feature
  • Geo—Traffic logged by the Geo IP block list feature
  • AV—Traffic logged by the AV feature

Within each category, you can use Filter Setting controls to filter the table based on the values of matching data:

  • Date
  • Time
  • Proto
  • Service
  • Src
  • Src_port
  • Dst
  • Dst_port
  • Vs Name
  • Action

The last column in each table includes a link to log details.

Before you begin:

  • You must have Read-Write permission for Log & Report settings.
To view and filter the log:
  1. Go to Log & Report > Log Browsing.
  2. Click the Security Logs tab to display the attack log.
  3. Click Filter Settings to display the filter tools.
  4. Use the tools to filter on key columns and values.
  5. Click OK to apply the filter and redisplay the log.

IP Reputation log to Geo IP log list the log columns in the order in which they appear in the log.

IP Reputation log

Column Example Description
date date=2014-12-02 Log date.
time time=10:27:01 Log time.
log_id log_id=0200004230 Log ID.
type type=attack Log type: attack.
subtype subtype=ip_reputation Log subtype: ip_reputation.
pri pri=warning Log level.
vd vd=root Virtual domain.
msg_id msg_id=13065998 Message ID.
count count=1 For IP reputation, count=1.
severity severity=high Rule severity.
proto proto=6 Protocol.
service service=http Service.
src src=4.4.4.4 Source IP address.
src_port src_port=49301 Source port.
dst dst=2.2.2.2 Destination IP address.
dst_port dst_port=80 Destination port.
policy policy=vs1 Virtual server name.
action action=deny Policy action.
srccountry srccountry=cn Location of the source IP address.
dstcountry dstcountry=us Location of the destination IP address.
msg msg=msg

Security rule name, category, subcategory, and description of the attack.

DoS log

Column Example Description
date date=2014-12-02 Log date.
time time=10:27:01 Log time.
log_id log_id=0200004230 Log ID.
type type=attack Log type: attack.
subtype subtype=synflood Log subtype: synflood.
pri pri=warning Log level.
vd vd=root Virtual domain.
msg_id msg_id=13065998 Message ID.
count count=1 For DoS, number of timeouts sent per destination.
severity severity=high Always “high” for DoS.
proto proto=0 Protocol.
service service=http Service.
src src=173.177.99.94 Source IP address.
src_port src_port=49301 Source port.
dst dst=10.61.2.100 Destination IP address.
dst_port dst_port=80 Destination port.
policy policy=unknown For DoS, policy=unknown.
action action=deny Policy action.
srccountry srccountry=cn Location of the source IP address.
dstcountry dstcountry=us Location of the destination IP address.
msg msg=msg Security rule name, category, subcategory, and description of the attack.

WAF log

Column Example Description
date date=2015-07-22 Log date.
time time=10:27:01 Log time.
log_id log_id=0202008074 Log ID.
type type=attack Log type: attack.
subtype subtype=waf Log subtype: waf.
pri pri=alert Log level.
vd vd=root Virtual domain.
msg_id msg_id=1512 Message ID.
count count=1 Rule match count.
severity severity=low Rule severity.
proto proto=6 Protocol.
service service=http Service.
src src=1.1.1.1 Source IP address.
src_port src_port=34352 Source port.
dst dst=2.2.2.2 Destination IP address.
dst_port dst_port=80 Destination port.
policy policy=vs1 Virtual server name.
action action=pass Policy action.
sigid sigid=1 Attack signature ID.
subcat subcat=waf_subtype WAF module: waf_web_attack_signature, waf_url_access, waf_http_protocol_cont and waf_sql_xss_injection_detect.
http_host http_host=192.168.1.140:8080 HTTP Host header in HTTP request. Maximum length is 64. Longer URIs are truncated and appended with ....
http_url http_url=/bigdata URI in HTTP request. Maximum length is 128. Longer URIs are truncated and appended with ....
pkt_hdr pkt_hdr=header Contents of the packet header that matched the attack signature.
srccountry srccountry=Australia Location of the source IP address.
dstcountry dstcountry=France Location of the destination IP address.
msg msg="Find Attack ID: 1010010001 NAME: "HTTP Method Violation" CATEGORY: "HTTP Protocol Constraint" SUB_CATEGORY: "Request Method Rule"" Security rule name, category, subcategory, and description of the attack.

example

GET /etc/passwd HTTP/1.1

Host: www.example.com

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml

Referer: https://www.example.com/login.html

Accept-Encoding: gzip, deflate, br

Accept-Language: zh-CN,zh;q=0.9

An example of what the WAF scan engine looks for. "/etc/passwd" is the signature in this example. The WAF scan engine inpsects HTTP packets and if the signature matches, it is logged.

Geo IP log

Column Example Description
date date=2014-12-02 Log date.
time time=10:27:01 Log time.
log_id log_id=0200004230 Log ID.
type type=attack Log type: attack.
subtype subtype=geo Log subtype: geo.
pri pri=warning Log level.
vd vd=root Virtual domain.
msg_id msg_id=13065998 Message ID.
count count=1 Rule match count.
severity severity=high Rule severity.
proto proto=0 Protocol.
service service=http Service.
src src=173.177.99.94 Source IP address.
src_port src_port=49301 Source port.
dst dst=10.61.2.100 Destination IP address.
dst_port dst_port=80 Destination port.
policy policy=vs1 Virtual server name.
action action=deny Policy action.
srccountry srccountry=cn Location of the source IP address.
dstcountry dstcountry=us Location of the destination IP address.
msg msg=msg Security rule name, category, subcategory, and description of the attack.

AV log

Column Example Description
date date=2014-12-02 Log date.
time time=10:27:01 Log time.
log_id log_id=0200004230 Log ID.
msg_id message id=362301459 Message ID
virus category virus category=N/A Virus Category.
count count=1 Rule match count.
severity severity=high Rule severity.
proto proto=0 Protocol.
service service=http Service.
src src=173.177.99.94 Source IP address.
src_port src_port=49301 Source port.
dst dst=10.61.2.100 Destination IP address.
dst_port dst_port=80 Destination port.
type type=attack Type
subtype subtype=av Sub Type
action action=deny Policy action.
srccountry srccountry=cn Location of the source IP address.
dstcountry dstcountry=us Location of the destination IP address.
msg msg=msg Security rule name, category, subcategory, and description of the attack.
sign_id sign_id=0 Signature ID
virus_id virus_id=0 Virus ID
av_anatype av_anatype=analytics AV AnaType
url url=none URL
virus/botnet virus/botnet=N/A Virus/Botnet
Submitted to FortiSandbox Submitted_to_Fortisandbox=no Submitted to FortiSandBox
quar file name quar_file_name=N/A Quar File Name
Proto Method proto_method=none Proto Method
AV Profile av_profile=AV1 AV Profile
FortiSandbox Checksum B08663FD9FC147D6ADBB3D70DCEC1271A4288C71D887D44811D93E366D91AD2C

Using the security log

The Security Log table displays logs related to security features.

By default, the log is filtered to display IP Reputation logs, and the table lists the most recent records first.

You can use the following category filters to review logs of interest:

  • IP Reputation—Traffic logged by the IP Reputation feature
  • DoS—Traffic logged by the SYN Flood feature
  • WAF—Traffic logged by the WAF feature
  • Geo—Traffic logged by the Geo IP block list feature
  • AV—Traffic logged by the AV feature

Within each category, you can use Filter Setting controls to filter the table based on the values of matching data:

  • Date
  • Time
  • Proto
  • Service
  • Src
  • Src_port
  • Dst
  • Dst_port
  • Vs Name
  • Action

The last column in each table includes a link to log details.

Before you begin:

  • You must have Read-Write permission for Log & Report settings.
To view and filter the log:
  1. Go to Log & Report > Log Browsing.
  2. Click the Security Logs tab to display the attack log.
  3. Click Filter Settings to display the filter tools.
  4. Use the tools to filter on key columns and values.
  5. Click OK to apply the filter and redisplay the log.

IP Reputation log to Geo IP log list the log columns in the order in which they appear in the log.

IP Reputation log

Column Example Description
date date=2014-12-02 Log date.
time time=10:27:01 Log time.
log_id log_id=0200004230 Log ID.
type type=attack Log type: attack.
subtype subtype=ip_reputation Log subtype: ip_reputation.
pri pri=warning Log level.
vd vd=root Virtual domain.
msg_id msg_id=13065998 Message ID.
count count=1 For IP reputation, count=1.
severity severity=high Rule severity.
proto proto=6 Protocol.
service service=http Service.
src src=4.4.4.4 Source IP address.
src_port src_port=49301 Source port.
dst dst=2.2.2.2 Destination IP address.
dst_port dst_port=80 Destination port.
policy policy=vs1 Virtual server name.
action action=deny Policy action.
srccountry srccountry=cn Location of the source IP address.
dstcountry dstcountry=us Location of the destination IP address.
msg msg=msg

Security rule name, category, subcategory, and description of the attack.

DoS log

Column Example Description
date date=2014-12-02 Log date.
time time=10:27:01 Log time.
log_id log_id=0200004230 Log ID.
type type=attack Log type: attack.
subtype subtype=synflood Log subtype: synflood.
pri pri=warning Log level.
vd vd=root Virtual domain.
msg_id msg_id=13065998 Message ID.
count count=1 For DoS, number of timeouts sent per destination.
severity severity=high Always “high” for DoS.
proto proto=0 Protocol.
service service=http Service.
src src=173.177.99.94 Source IP address.
src_port src_port=49301 Source port.
dst dst=10.61.2.100 Destination IP address.
dst_port dst_port=80 Destination port.
policy policy=unknown For DoS, policy=unknown.
action action=deny Policy action.
srccountry srccountry=cn Location of the source IP address.
dstcountry dstcountry=us Location of the destination IP address.
msg msg=msg Security rule name, category, subcategory, and description of the attack.

WAF log

Column Example Description
date date=2015-07-22 Log date.
time time=10:27:01 Log time.
log_id log_id=0202008074 Log ID.
type type=attack Log type: attack.
subtype subtype=waf Log subtype: waf.
pri pri=alert Log level.
vd vd=root Virtual domain.
msg_id msg_id=1512 Message ID.
count count=1 Rule match count.
severity severity=low Rule severity.
proto proto=6 Protocol.
service service=http Service.
src src=1.1.1.1 Source IP address.
src_port src_port=34352 Source port.
dst dst=2.2.2.2 Destination IP address.
dst_port dst_port=80 Destination port.
policy policy=vs1 Virtual server name.
action action=pass Policy action.
sigid sigid=1 Attack signature ID.
subcat subcat=waf_subtype WAF module: waf_web_attack_signature, waf_url_access, waf_http_protocol_cont and waf_sql_xss_injection_detect.
http_host http_host=192.168.1.140:8080 HTTP Host header in HTTP request. Maximum length is 64. Longer URIs are truncated and appended with ....
http_url http_url=/bigdata URI in HTTP request. Maximum length is 128. Longer URIs are truncated and appended with ....
pkt_hdr pkt_hdr=header Contents of the packet header that matched the attack signature.
srccountry srccountry=Australia Location of the source IP address.
dstcountry dstcountry=France Location of the destination IP address.
msg msg="Find Attack ID: 1010010001 NAME: "HTTP Method Violation" CATEGORY: "HTTP Protocol Constraint" SUB_CATEGORY: "Request Method Rule"" Security rule name, category, subcategory, and description of the attack.

example

GET /etc/passwd HTTP/1.1

Host: www.example.com

Connection: keep-alive

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml

Referer: https://www.example.com/login.html

Accept-Encoding: gzip, deflate, br

Accept-Language: zh-CN,zh;q=0.9

An example of what the WAF scan engine looks for. "/etc/passwd" is the signature in this example. The WAF scan engine inpsects HTTP packets and if the signature matches, it is logged.

Geo IP log

Column Example Description
date date=2014-12-02 Log date.
time time=10:27:01 Log time.
log_id log_id=0200004230 Log ID.
type type=attack Log type: attack.
subtype subtype=geo Log subtype: geo.
pri pri=warning Log level.
vd vd=root Virtual domain.
msg_id msg_id=13065998 Message ID.
count count=1 Rule match count.
severity severity=high Rule severity.
proto proto=0 Protocol.
service service=http Service.
src src=173.177.99.94 Source IP address.
src_port src_port=49301 Source port.
dst dst=10.61.2.100 Destination IP address.
dst_port dst_port=80 Destination port.
policy policy=vs1 Virtual server name.
action action=deny Policy action.
srccountry srccountry=cn Location of the source IP address.
dstcountry dstcountry=us Location of the destination IP address.
msg msg=msg Security rule name, category, subcategory, and description of the attack.

AV log

Column Example Description
date date=2014-12-02 Log date.
time time=10:27:01 Log time.
log_id log_id=0200004230 Log ID.
msg_id message id=362301459 Message ID
virus category virus category=N/A Virus Category.
count count=1 Rule match count.
severity severity=high Rule severity.
proto proto=0 Protocol.
service service=http Service.
src src=173.177.99.94 Source IP address.
src_port src_port=49301 Source port.
dst dst=10.61.2.100 Destination IP address.
dst_port dst_port=80 Destination port.
type type=attack Type
subtype subtype=av Sub Type
action action=deny Policy action.
srccountry srccountry=cn Location of the source IP address.
dstcountry dstcountry=us Location of the destination IP address.
msg msg=msg Security rule name, category, subcategory, and description of the attack.
sign_id sign_id=0 Signature ID
virus_id virus_id=0 Virus ID
av_anatype av_anatype=analytics AV AnaType
url url=none URL
virus/botnet virus/botnet=N/A Virus/Botnet
Submitted to FortiSandbox Submitted_to_Fortisandbox=no Submitted to FortiSandBox
quar file name quar_file_name=N/A Quar File Name
Proto Method proto_method=none Proto Method
AV Profile av_profile=AV1 AV Profile
FortiSandbox Checksum B08663FD9FC147D6ADBB3D70DCEC1271A4288C71D887D44811D93E366D91AD2C