Versions Compared

Version Old Version 1 New Version Current
Changes made by

Svetlana Sheptiy

Karein Directo (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Records web application firewall information for FortiWeb appliances and virtual appliances.

Sample Events

date=2019-07-14 time=14:18:56 devname="fw1a" devid="FGT60EXXXXXXXX" logid="1201030252" type="utm" subtype="waf" eventtype="waf-custom-signature" level="warning" vd="DC" eventtime=1563070736 policyid=96 sessionid=2375021 profile="WAF-CloudFront-Header" srcip=11.22.33.44 srcport=52433 dstip=172.16.20.14 dstport=80 srcintf="VL100-DC" srcintfrole="wan" dstintf="VL200-DC" dstintfrole="lan" proto=6 service="HTTP" url="http://myapp.domain.tld/" severity="medium" action="passthrough" direction="request" agent="Firefox/68.0" name="x-cf-auth"

date=2018-12-27 time=14:55:20 logid="1203030258" type="utm" subtype="waf" eventtype="waf-http-constraint" level="warning" vd="vdom1" eventtime=1545951320 policyid=1 sessionid=13614 user="bob" profile="waf_test" srcip=10.1.100.11 srcport=57304 dstip=172.16.200.55 dstport=80 srcintf="port12" srcintfrole="lan" dstintf="port11" dstintfrole="wan" proto=6 service="HTTP" url="http://172.16.200.55/index.html?a=0123456789&b=0123456789&c=0123456789" severity="medium" action="passthrough" direction="request" agent="curl/7.47.0" constraint="url-param-num" rawdata="Method=GET|User-Agent=curl/7.47.0"

Fields

Field

Description

DATE

Event date, in the format YYYY-MM-DD

TIME

Event time, in the format HH:MM:SS

SYSTEM

The source system

TABLE

FortiGateWAF

CRITICALITY

LOGID  

Unique 10-digit identifier (log type, subtype/event type and message ID) for that specific log and includes information about the log entry

TYPE  

Represented by the first two digits of the log ID

SUBTYPE  

Represented by the first/second two digits of the log ID

EVENTTYPE  

Represented by the second two digits of the log ID

DEVNAME  

DEVID  

Serial number of the device for the traffic's origin

LEVEL  

Security level rating

VD  

Name of the virtual domain in which the log message was recorded

EVENTTIME  

Epoch time the log was triggered by FortiGate

POLICYID

Policy ID

SESSIONID

Session ID

USER

User name

PROFILE

Full profile name

SRCIP

Source IP Address

SRCPORT

Source Port

SRCINTF

Source Interface

SRCINTFROLE

DSTIP

Destination IP Address

DSTPORT

Destination Port

DSTINTF

Destination Interface

DSTINTFROLE

PROTO

Protocol

SERVICE

Service name

URL

SEVERITY

Severity

ACTION

Security action performed by WF

EVENTID

Event ID

DIRECTION

Direction of the web traffic

AGENT

User agent - eg. agent="Mozilla/5.0"

NAME

CONSTRAINT

RAWDATA

MSG

Log message

SNAREDATAMAP

All other data in the event will be pushed to this field

Notes

Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference