i. Web Application Firewall (WAF)
Records web application firewall information for FortiWeb appliances and virtual appliances.
Sample Events
date=2019-07-14 time=14:18:56 devname="fw1a" devid="FGT60EXXXXXXXX" logid="1201030252" type="utm" subtype="waf" eventtype="waf-custom-signature" level="warning" vd="DC" eventtime=1563070736 policyid=96 sessionid=2375021 profile="WAF-CloudFront-Header" srcip=11.22.33.44 srcport=52433 dstip=172.16.20.14 dstport=80 srcintf="VL100-DC" srcintfrole="wan" dstintf="VL200-DC" dstintfrole="lan" proto=6 service="HTTP" url="http://myapp.domain.tld/" severity="medium" action="passthrough" direction="request" agent="Firefox/68.0" name="x-cf-auth"
date=2018-12-27 time=14:55:20 logid="1203030258" type="utm" subtype="waf" eventtype="waf-http-constraint" level="warning" vd="vdom1" eventtime=1545951320 policyid=1 sessionid=13614 user="bob" profile="waf_test" srcip=10.1.100.11 srcport=57304 dstip=172.16.200.55 dstport=80 srcintf="port12" srcintfrole="lan" dstintf="port11" dstintfrole="wan" proto=6 service="HTTP" url="http://172.16.200.55/index.html?a=0123456789&b=0123456789&c=0123456789" severity="medium" action="passthrough" direction="request" agent="curl/7.47.0" constraint="url-param-num" rawdata="Method=GET|User-Agent=curl/7.47.0"
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | FortiGateWAF |
CRITICALITY | |
LOGID | Unique 10-digit identifier (log type, subtype/event type and message ID) for that specific log; it encodes information about the log entry |
TYPE | Represented by the first two digits of the log ID |
SUBTYPE | Represented by the first/second two digits of the log ID |
EVENTTYPE | Represented by the second two digits of the log ID |
DEVNAME | |
DEVID | Serial number of the originating device |
LEVEL | Security level rating |
VD | Name of the virtual domain in which the log message was recorded |
EVENTTIME | Epoch time at which the log was triggered by FortiGate |
POLICYID | Policy ID |
SESSIONID | Session ID |
USER | User name |
PROFILE | Full profile name |
SRCIP | Source IP address |
SRCPORT | Source port |
SRCINTF | Source interface |
SRCINTFROLE | |
DSTIP | Destination IP address |
DSTPORT | Destination port |
DSTINTF | Destination interface |
DSTINTFROLE | |
PROTO | Protocol |
SERVICE | Service name |
URL | |
SEVERITY | Severity |
ACTION | Security action performed by the WAF |
EVENTID | Event ID |
DIRECTION | Direction of the web traffic |
AGENT | User agent, e.g. agent="Mozilla/5.0" |
NAME | |
CONSTRAINT | |
RAWDATA | |
MSG | Log message |
SNAREDATAMAP | All other data in the event will be pushed to this field |
Notes
Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference
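The following parser is an added example, not part of this reference or of the FortiGate product: it reads the key=value syslog format shown in the sample events above, maps the keys listed in the field table to named columns, pushes any unmapped key into SNAREDATAMAP, and picks out WAF hits that were logged but not blocked. The sample line is constructed from the samples above (with one extra key added to exercise SNAREDATAMAP); the nanosecond handling for eventtime is an assumption for newer FortiOS releases.

```python
import re
from datetime import datetime, timezone

# Constructed sample line in the FortiGate WAF key=value format (not a real device's log).
SAMPLE = (
    'date=2018-12-27 time=14:55:20 logid="1203030258" type="utm" subtype="waf" '
    'eventtype="waf-http-constraint" level="warning" vd="vdom1" eventtime=1545951320 '
    'policyid=1 sessionid=13614 user="bob" profile="waf_test" srcip=10.1.100.11 '
    'srcport=57304 dstip=172.16.200.55 dstport=80 proto=6 service="HTTP" '
    'url="http://172.16.200.55/index.html?a=0123456789&b=0123456789" severity="medium" '
    'action="passthrough" direction="request" agent="curl/7.47.0" '
    'constraint="url-param-num" rawdata="Method=GET|User-Agent=curl/7.47.0" extra=1'
)

# One key=value pair. A quoted value is consumed as a unit because it may contain
# spaces, '=', '&' or '|' (see the url and rawdata values in the samples).
_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Keys the field table maps to named columns; any other key lands in SNAREDATAMAP.
MAPPED = {
    "date", "time", "logid", "type", "subtype", "eventtype", "devname", "devid",
    "level", "vd", "eventtime", "policyid", "sessionid", "user", "profile",
    "srcip", "srcport", "srcintf", "srcintfrole", "dstip", "dstport", "dstintf",
    "dstintfrole", "proto", "service", "url", "severity", "action", "eventid",
    "direction", "agent", "name", "constraint", "rawdata", "msg",
}

def parse_waf_event(line):
    """Parse one FortiGate WAF line into upper-case columns plus SNAREDATAMAP."""
    raw = {k: v.strip('"') for k, v in _PAIR.findall(line)}
    rec = {k.upper(): v for k, v in raw.items() if k in MAPPED}
    rec["SNAREDATAMAP"] = {k: v for k, v in raw.items() if k not in MAPPED}
    if "EVENTTIME" in rec:
        ts = int(rec["EVENTTIME"])
        if ts > 10**11:          # assumption: newer FortiOS emits epoch nanoseconds
            ts //= 10**9
        # date/time is the device's local clock; keep the UTC instant for correlation.
        rec["EVENTTIME_UTC"] = datetime.fromtimestamp(ts, tz=timezone.utc)
    if "RAWDATA" in rec:         # rawdata packs nested name=value pairs separated by '|'
        rec["RAWDATA_FIELDS"] = dict(p.split("=", 1) for p in rec["RAWDATA"].split("|") if "=" in p)
    return rec

def unblocked_waf_hits(lines):
    """WAF matches with action=passthrough: logged only, so the request still
    reached the origin server. These deserve review alongside blocked events."""
    return [r for r in (parse_waf_event(l) for l in lines)
            if r.get("SUBTYPE") == "waf" and r.get("ACTION") == "passthrough"]

if __name__ == "__main__":
    for hit in unblocked_waf_hits([SAMPLE]):
        print(hit["EVENTTYPE"], hit.get("CONSTRAINT"), hit["SRCIP"], "->", hit["URL"])
```

Note that in the samples eventtime is epoch seconds while date/time is the device's local clock, so the two can differ by the device's timezone offset; correlate on the UTC value.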