Types of logs
The Log & Report menu allows you to view traffic logs, event logs, and security logs:
|
Traffic logs |
||
|
|
Forward Traffic |
The forward traffic log includes log messages for traffic that passes through the FortiProxy device. It includes both traffic and security log messages so that messages about security events can be viewed alongside messages about the traffic at the time of the event. See also Logging client IP for forward traffic and HTTP transaction. |
|
|
HTTP Transaction |
HTTP transaction-related traffic log. To allow HTTP transaction log to appear here, make sure the Log HTTP Transaction option is not disabled when you Create or edit a policy. See also Logging client IP for forward traffic and HTTP transaction. |
|
|
Correlation Log 7.0.7 |
Correlation log of forward traffic log(s) and HTTP transaction log(s) that have a common session ID. |
|
|
Local Traffic |
The local traffic log includes messages for traffic that terminates at the FortiProxy unit, either allowed or denied by a local policy. |
|
|
Sniffer Traffic |
The sniffer log records all traffic that passes through a particular interface that has been configured to act as a One-Armed Sniffer, so it can be examined separately from the rest of the traffic logs. |
|
|
ZTNA Traffic |
|
|
Event logs |
||
|
|
System Events |
General system events. |
|
|
Router Events |
Events relating to layer-3 routing. |
|
|
VPN Events |
Events relating to VPN. |
|
|
User Events |
Events relating to users. |
|
|
HA Events |
Events relating to HA |
|
|
Security Rating Events |
Events relating to Security Rating. |
|
|
WAN Opt. & Cache Events |
Events relating to WAN optimization and cache. |
|
|
SDN Connector Events |
Events relating to Fabric connectors. |
|
|
CIFS Events |
Events relating to CIFS. |
|
|
REST API Events |
The REST API events log subtype logs POST, PUT, DELETE, and GET REST API requests. They can be enabled or disabled in the CLI: config log setting
set rest-api-set {enable | disable}
set rest-api-get {enable | disable}
end
|
|
Security logs |
||
|
|
AntiVirus |
The antivirus log records when, during the antivirus scanning process, the FortiProxy unit finds a match within the antivirus profile, which includes the presence of a virus or grayware signature. |
|
|
Content Analyses |
|
|
|
Web Filter |
The web filter log records HTTP log rating errors, including web content blocking actions that the FortiProxy device performs. It also includes how long it takes to scan the HTTP request, the client request host header, the client request host inside of the request line, and the server response code. |
|
|
SSL |
Records detected and blocked malicious SSL connections. |
|
|
DNS Query |
The DNS query log messages include details of each DNS query and response. DNS log messages are recorded for all DNS traffic though the FortiProxy unit and originated by the FortiProxy unit. The detailed DNS log can be used for low-impact security investigation. Most network activity involves DNS activity of some kinds. Analyzing the DNS log can provide a lot of details about the activity on your network without using resource-intensive techniques. |
|
|
File Filter |
Records file filter events. |
|
|
Data Leak Prevention |
The data leak prevention (DLP) log provides valuable information about the sensitive data trying to get through to your network as well as any unwanted data trying to get into your network. The DLP log can record the following traffic types:
|
|
|
Application Control |
The Application Control log provides detailed information about the traffic that internet applications such as Skype are generating. The Application Control feature controls the flow of traffic from a specific application, and the FortiProxy unit examines this traffic for signatures that the application generates. The log messages that are recorded provide information such as the type of application being used (such as P2P software), and what type of action the FortiProxy unit took. These log messages can also help you to determine the top ten applications that are being used on your network. This feature is called Application Control monitoring and you can view the information from a widget on the Executive Summary page. The Application Control list that is used must have logging enabled within the list, as well as logging enabled within each application entry. Each application entry can also have packet logging enabled. Packet logging for Application Control records the packet when an application type is identified, similar to IPS packet logging. Logging of Application Control activity can only be recorded when an Application Control list is applied to a firewall policy, regardless of whether or not logging is enabled within the Application Control list. |
|
|
Intrusion Prevention |
The Intrusion Prevention log, also referred to as the attack log, records attacks that occurred against your network. Attack logs contain detailed information about whether the FortiProxy unit protected the network using anomaly-based defense settings or signature-based defense settings, as well as what the attack was. The Intrusion Prevention or attack log file is especially useful because the log messages that are recorded contain a link to the FortiGuard Center, where you can find more information about the attack. This is similar to antivirus logs, where a link to the FortiGuard Center is provided as well that informs you of the virus that was detected by the FortiProxy unit. An Intrusion Prevention sensor with log settings enabled must be applied to a firewall policy so that the FortiProxy unit can record the activity. |