Fortinet black logo

Administration Guide

FAQ

FAQ

Why do I not see HTTP traffic in the logs?

Successful HTTP traffic logging depends on both FortiWeb configuration and the configuration of other network devices. If you do not see HTTP traffic in the traffic log, ensure that the configuration described in the following tables is correct.

Reverse Proxy mode

Configuration

What to look for

See

Logging

Ensure logging is enabled and configured.

By default, logging is not enabled.

"Configuring logging" on page 1

Servers

Ensure that the IP address of your physical server and the IP address of your virtual server are correct.

"Defining your web servers" on page 1

"Configuring virtual servers on your FortiWeb" on page 1

Server policy

Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as members of a server pool).

"Configuring a server policy" on page 1

Network interfaces

Go to System > Network > Interface and ensure the ports for inbound and outbound traffic are up.

Use sniffing (packet capture) to ensure that you can see traffic on both inbound and outbound network interfaces.

Ensure that the network interfaces are configured with the correct IP addresses. In a typical configuration, port1 is configured for management (web UI access) and the remaining ports associated with the required subnets.

"Configuring the network interfaces" on page 1

How can I sniff FortiWeb packets (packet capture)? on page 21 (overview) or Packet capture on page 29

VLANs (if used)

Make sure that the VLAN is associated with the correct physical port (Interface setting).

"Adding VLAN subinterfaces" on page 1

Firewalls & routers

Communications between the FortiWeb appliance, clients, protected web servers, and FortiGuard Distribution Network (FDN) require that any routers and firewalls between them permit specific protocols and port numbers.

"Appendix A: Port numbers" on page 1

Load balancers

If the load balancer is in front of FortiWeb, the physical IP addresses on it are the FortiWeb virtual IP addresses. If the Load Balancer is behind the FortiWeb, the FortiWeb physical server is the virtual IP for the load balancer's virtual IP.

"External load balancers: before or after?" on page 1

Web server

Ensure that the web server is up and running by testing it without FortiWeb on the network.

Checking routing on page 39

Transparent modes

Configuration

What to look for

See

Logging

Ensure logging is enabled and configured.

By default, logging is not enabled.

"Configuring logging" on page 1

Server/server pool

Ensure that the configuration for the physical server in the server pool contains the correct IP address.

"Defining your web servers" on page 1

"Creating a server pool" on page 1

Server policy

Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as a member of a server pool).

"Configuring a server policy" on page 1

Bridge (v-zone)

Ensure the v-zone is configured using the correct FortiWeb ports.

In the list of network interfaces (Global > System > Network > Interface), the Status column identifies interfaces that are members of a v-zone.

To ensure that the bridge is forwarding traffic, in the list of v-zones, under Interface, look for the status “forwarding” following the names of the ports.

"Configuring a bridge (V-zone)" on page 1

VLANs (if used)

Make sure that the VLAN is associated with the correct physical port (Interface setting).

"Adding VLAN subinterfaces" on page 1

Firewalls & routers

Communications between the FortiWeb appliance, clients, protected web servers, and FortiGuard Distribution Network (FDN) require that any routers and firewalls between them permit specific protocols and port numbers.

"Appendix A: Port numbers" on page 1

Web server

Ensure that the web server is up and running by testing it without FortiWeb on the network.

Checking routing on page 39

Offline mode

Configuration

What to look for

See

Logging

Ensure logging is enabled and configured.

By default, logging is not enabled.

"Configuring logging" on page 1

Server/server pool

Ensure that the configuration for the physical server in the server pool contains the correct IP address.

"Defining your web servers" on page 1

"Creating a server pool" on page 1

Server policy

Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as members of a server pool).

"Configuring a server policy" on page 1

Bridge (v-zone)

Ensure the v-zone is configured using the correct FortiWeb ports.

In the list of network interfaces (Global > System > Network > Interface), the Status column identifies interfaces that are members of a v-zone.

To ensure that the bridge is forwarding traffic, in the list of v-zones, under Interface, look for the status “forwarding” following the names of the ports.

"Configuring a bridge (V-zone)" on page 1

VLANs (if used)

Make sure that the VLAN is associated with the correct physical port (Interface setting).

"Adding VLAN subinterfaces" on page 1

Network interfaces

Use sniffing (packet capture) to ensure that you can see traffic on both inbound and outbound network interfaces.

"Configuring the network interfaces" on page 1

How can I sniff FortiWeb packets (packet capture)? on page 21 (overview) or Packet capture on page 29

Web server

Ensure that the web server is up and running by testing it without FortiWeb on the network.

Checking routing on page 39

Why do I see HTTP traffic in the logs but not HTTPS traffic?

Use the following steps to troubleshoot HTTPS traffic logging:

1.Ensure FortiWeb has the certificates it needs to offload or inspect HTTPS.

2.Use sniffing (packet capture) to look for errors in HTTPS traffic.

How do I store traffic log messages on the appliance hard disk?

You can configure FortiWeb to store traffic log messages on its hard disk.

In most environments, and especially environments with high traffic volume, enabling this option for long periods of time can cause the hard disk to fail prematurely. Do not enable it unless it is necessary and disable it as soon as you no longer need it.

To enable logging to the hard disk via the CLI, log in using an account with either w or rw permission to the loggrp area and enter the following commands:

config log traffic-log

set disk-log enable

Use the following commands to verify the new configuration:

get log traffic-log

A response that is similar to the following message is displayed:

status : enable

packet-log : enable

disk-log : enable

Alternatively, use the following command to display a sampling of traffic log messages:

diagnose log tlog show

A response that is similar to the following message is displayed:

Total time span is 39.252285 seconds

Time spent on waiting is 13.454448 seconds

Time spent on preprocessing is 3.563218 seconds

traffic log processed: 69664

where:

  • Total time span is the total amount of time of the logd process handle logs (that is, receiving messages from other process, filtering messages, outputting in standard format, writing the logs to the local database, and so on).

  • Time spent on waiting is the amount of time of the logd process waited to receive messages from other processes.

  • Time spent on preprocessing is the amount of time the logd process spent filtering and formating messages.

  • traffic log processed is the total number of logs that the logd process handled in this cycle.

For more information about the config log traffic-log and diagnose log tlog show commands, see the FortiWeb CLI Reference: HTTPs://docs.fortinet.com/product/fortiweb/

Why is the most recent log message not displayed in the Aggregated Attack log?

If recent log messages do not appear in the Aggregated Attack log as expected, complete the following troubleshooting steps:

1.Use the dashboard to see if the appliance is busy.

When FortiWeb generates an attack log, the appliance writes it to and reads it from the hard disk and then updates the logging database.

The process that retrieves Aggregated Attack log information from the database (indexd) has a lower priority than the processes that analyze and direct traffic. Therefore, increased demand for FortiWeb processing resources (for example, when traffic levels increase) can delay updates to the log.

2.Rebuild the logging database.

Events such as a power outage can corrupt the logging database. Use the following command to rebuild it:

exec db rebuild

Why is the number of cookies reported in my attack log message different from the number of cookies that message detail displays?

When FortiWeb generates an attack log message because a request exceeds the maximum number of cookies it permits, the message value includes the number of cookies found in the request. In addition, the message details include the actual cookie values.

For performance reasons, FortiWeb limits the size of the attack log message. If the amount of cookie value information exceeds the limit for cookies in the attack log, the appliance displays only some of the cookies the message detail.

Why does the attack log message display the virtual server IP address as the destination IP instead of the IP address of the back-end server that was the target of the attack?

In some cases, FortiWeb blocks attacks before the packet is routed to a server pool member. When this happens, the destination IP is the virtual server IP.

FAQ

Why do I not see HTTP traffic in the logs?

Successful HTTP traffic logging depends on both FortiWeb configuration and the configuration of other network devices. If you do not see HTTP traffic in the traffic log, ensure that the configuration described in the following tables is correct.

Reverse Proxy mode

Configuration

What to look for

See

Logging

Ensure logging is enabled and configured.

By default, logging is not enabled.

"Configuring logging" on page 1

Servers

Ensure that the IP address of your physical server and the IP address of your virtual server are correct.

"Defining your web servers" on page 1

"Configuring virtual servers on your FortiWeb" on page 1

Server policy

Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as members of a server pool).

"Configuring a server policy" on page 1

Network interfaces

Go to System > Network > Interface and ensure the ports for inbound and outbound traffic are up.

Use sniffing (packet capture) to ensure that you can see traffic on both inbound and outbound network interfaces.

Ensure that the network interfaces are configured with the correct IP addresses. In a typical configuration, port1 is configured for management (web UI access) and the remaining ports associated with the required subnets.

"Configuring the network interfaces" on page 1

How can I sniff FortiWeb packets (packet capture)? on page 21 (overview) or Packet capture on page 29

VLANs (if used)

Make sure that the VLAN is associated with the correct physical port (Interface setting).

"Adding VLAN subinterfaces" on page 1

Firewalls & routers

Communications between the FortiWeb appliance, clients, protected web servers, and FortiGuard Distribution Network (FDN) require that any routers and firewalls between them permit specific protocols and port numbers.

"Appendix A: Port numbers" on page 1

Load balancers

If the load balancer is in front of FortiWeb, the physical IP addresses on it are the FortiWeb virtual IP addresses. If the Load Balancer is behind the FortiWeb, the FortiWeb physical server is the virtual IP for the load balancer's virtual IP.

"External load balancers: before or after?" on page 1

Web server

Ensure that the web server is up and running by testing it without FortiWeb on the network.

Checking routing on page 39

Transparent modes

Configuration

What to look for

See

Logging

Ensure logging is enabled and configured.

By default, logging is not enabled.

"Configuring logging" on page 1

Server/server pool

Ensure that the configuration for the physical server in the server pool contains the correct IP address.

"Defining your web servers" on page 1

"Creating a server pool" on page 1

Server policy

Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as a member of a server pool).

"Configuring a server policy" on page 1

Bridge (v-zone)

Ensure the v-zone is configured using the correct FortiWeb ports.

In the list of network interfaces (Global > System > Network > Interface), the Status column identifies interfaces that are members of a v-zone.

To ensure that the bridge is forwarding traffic, in the list of v-zones, under Interface, look for the status “forwarding” following the names of the ports.

"Configuring a bridge (V-zone)" on page 1

VLANs (if used)

Make sure that the VLAN is associated with the correct physical port (Interface setting).

"Adding VLAN subinterfaces" on page 1

Firewalls & routers

Communications between the FortiWeb appliance, clients, protected web servers, and FortiGuard Distribution Network (FDN) require that any routers and firewalls between them permit specific protocols and port numbers.

"Appendix A: Port numbers" on page 1

Web server

Ensure that the web server is up and running by testing it without FortiWeb on the network.

Checking routing on page 39

Offline mode

Configuration

What to look for

See

Logging

Ensure logging is enabled and configured.

By default, logging is not enabled.

"Configuring logging" on page 1

Server/server pool

Ensure that the configuration for the physical server in the server pool contains the correct IP address.

"Defining your web servers" on page 1

"Creating a server pool" on page 1

Server policy

Ensure that the server policy associates the appropriate virtual server with the correct physical servers (as members of a server pool).

"Configuring a server policy" on page 1

Bridge (v-zone)

Ensure the v-zone is configured using the correct FortiWeb ports.

In the list of network interfaces (Global > System > Network > Interface), the Status column identifies interfaces that are members of a v-zone.

To ensure that the bridge is forwarding traffic, in the list of v-zones, under Interface, look for the status “forwarding” following the names of the ports.

"Configuring a bridge (V-zone)" on page 1

VLANs (if used)

Make sure that the VLAN is associated with the correct physical port (Interface setting).

"Adding VLAN subinterfaces" on page 1

Network interfaces

Use sniffing (packet capture) to ensure that you can see traffic on both inbound and outbound network interfaces.

"Configuring the network interfaces" on page 1

How can I sniff FortiWeb packets (packet capture)? on page 21 (overview) or Packet capture on page 29

Web server

Ensure that the web server is up and running by testing it without FortiWeb on the network.

Checking routing on page 39

Why do I see HTTP traffic in the logs but not HTTPS traffic?

Use the following steps to troubleshoot HTTPS traffic logging:

1.Ensure FortiWeb has the certificates it needs to offload or inspect HTTPS.

2.Use sniffing (packet capture) to look for errors in HTTPS traffic.

How do I store traffic log messages on the appliance hard disk?

You can configure FortiWeb to store traffic log messages on its hard disk.

In most environments, and especially environments with high traffic volume, enabling this option for long periods of time can cause the hard disk to fail prematurely. Do not enable it unless it is necessary and disable it as soon as you no longer need it.

To enable logging to the hard disk via the CLI, log in using an account with either w or rw permission to the loggrp area and enter the following commands:

config log traffic-log

set disk-log enable

Use the following commands to verify the new configuration:

get log traffic-log

A response that is similar to the following message is displayed:

status : enable

packet-log : enable

disk-log : enable

Alternatively, use the following command to display a sampling of traffic log messages:

diagnose log tlog show

A response that is similar to the following message is displayed:

Total time span is 39.252285 seconds

Time spent on waiting is 13.454448 seconds

Time spent on preprocessing is 3.563218 seconds

traffic log processed: 69664

where:

  • Total time span is the total amount of time of the logd process handle logs (that is, receiving messages from other process, filtering messages, outputting in standard format, writing the logs to the local database, and so on).

  • Time spent on waiting is the amount of time of the logd process waited to receive messages from other processes.

  • Time spent on preprocessing is the amount of time the logd process spent filtering and formating messages.

  • traffic log processed is the total number of logs that the logd process handled in this cycle.

For more information about the config log traffic-log and diagnose log tlog show commands, see the FortiWeb CLI Reference: HTTPs://docs.fortinet.com/product/fortiweb/

Why is the most recent log message not displayed in the Aggregated Attack log?

If recent log messages do not appear in the Aggregated Attack log as expected, complete the following troubleshooting steps:

1.Use the dashboard to see if the appliance is busy.

When FortiWeb generates an attack log, the appliance writes it to and reads it from the hard disk and then updates the logging database.

The process that retrieves Aggregated Attack log information from the database (indexd) has a lower priority than the processes that analyze and direct traffic. Therefore, increased demand for FortiWeb processing resources (for example, when traffic levels increase) can delay updates to the log.

2.Rebuild the logging database.

Events such as a power outage can corrupt the logging database. Use the following command to rebuild it:

exec db rebuild

Why is the number of cookies reported in my attack log message different from the number of cookies that message detail displays?

When FortiWeb generates an attack log message because a request exceeds the maximum number of cookies it permits, the message value includes the number of cookies found in the request. In addition, the message details include the actual cookie values.

For performance reasons, FortiWeb limits the size of the attack log message. If the amount of cookie value information exceeds the limit for cookies in the attack log, the appliance displays only some of the cookies the message detail.

Why does the attack log message display the virtual server IP address as the destination IP instead of the IP address of the back-end server that was the target of the attack?

In some cases, FortiWeb blocks attacks before the packet is routed to a server pool member. When this happens, the destination IP is the virtual server IP.