b. Web Filter

Records web filter events.

 

Sample Events

date=2020-12-08 time=11:48:43 logid="0315012544" type="utm" subtype="webfilter" eventtype="urlfilter" level="warning" vd="vdom1" eventtime=1555958923322174610 urlfilteridx=0 urlsource="Local URLfilter Block" policyid=1 sessionid=649063 srcip=10.1.200.15 srcport=50472 srcintf="wan2" srcintfrole="wan" dstip=157.240.18.35 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="www.facebook.com" profile="webfilter" action="blocked" reqtype="direct" url="/" sentbyte=1171 rcvdbyte=141 direction="outgoing" msg="URL was blocked because it is in the URL filter list" crscore=30 craction=8 crlevel="high"

date=2020-12-08 time=10:18:44 logid="0315012547" type="utm" subtype="webfilter" eventtype="urlfilter" level="notice" vd="root" sessionid=88693251 user="anonymous" group="Samsung Tablets" srcip=172.16.12.78 srcport=64501 srcintf="Stadtschulen" dstip=85.17.177.245 dstport=80 dstintf="port8" service="HTTP" profile="Schulen" hostname="universal_lexikon.deacademic.com" action="blocked" reqtype="referral" msg="The HTTP request contained an invalid domain name." sentbyte=471 rcvdbyte=0 crscore=30 crlevel=high

date=2020-12-08 time=15:40:14 devname="600D-9" devid="FGT6HD3915800120" logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="vdom1" eventtime=1513640414 policyid=2 sessionid=440522 srcip=10.1.100.128 srcport=60995 srcintf="port2" srcintfrole="lan" dstip=209.121.139.177 dstport=80 dstintf="port1" dstintfrole="wan" proto=6 service="HTTP" hostname="detectportal.firefox.com" profile="test-webfilter" action="blocked" reqtype="direct" url="/success.txt" sentbyte=285 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=52 catdesc="Information Technology" crscore=30 crlevel="high" rawdata="Method=GET|User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:57.0) Gecko/20100101 Firefox/57.0"

date=2020-12-08 time=13:16:19 devname="FGT60D46150318" devid="FGT60D46150318" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" eventtime=1515262579 policyid=1 sessionid=4831248 srcip=192.168.69.110 srcport=62972 srcintf="internal" srcintfrole="lan" dstip=69.147.64.34 dstport=443 dstintf="wan1" dstintfrole="wan" proto=6 service="HTTPS" hostname="platform.tumblr.com" profile="default" action="passthrough" reqtype="referral" url="/v2/follow_button.html?type=follow&tumblelog=sony%20&color=blue" referralurl="https://www.sony.com/" sentbyte=1105 rcvdbyte=3698 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=80 catdesc="Personal Websites and Blogs"

Fields

| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | FortiGateWebFilter |
| CRITICALITY | |
| LOGID | Unique 10-digit identifier (log type, subtype/event type and message ID) for that specific log and includes information about the log entry |
| TYPE | Represented by the first two digits of the log ID |
| SUBTYPE | Represented by the first/second two digits of the log ID |
| EVENTTYPE | Represented by the second two digits of the log ID |
| DEVNAME | |
| DEVID | Serial number of the device for the traffic's origin |
| LEVEL | Security level rating |
| VD | Name of the virtual domain in which the log message was recorded |
| EVENTTIME | Epoch time the log was triggered by FortiGate |
| TZ | |
| URLFILTERIDX | URL filter ID |
| URLSOURCE | |
| POLICYID | Policy ID |
| TRANSID | |
| SESSIONID | Session ID |
| USER | User name |
| GROUP | User group name |
| SRCIP | Source IP |
| SRCPORT | Source port |
| SRCINTF | Source interface |
| SRCINTFROLE | |
| DSTIP | Destination IP |
| DSTPORT | Destination port |
| DSTINTF | Destination interface |
| DSTINTFROLE | |
| PROTO | Protocol |
| SERVICE | Service name |
| HOSTNAME | The host name of a URL |
| PROFILE | Web filter profile name |
| ACTION | Security action performed by WF |
| REQTYPE | Request type |
| URL | The URL address |
| REFERRALURL | |
| AGENT | User agent - eg. agent="Mozilla/5.0" |
| SENTBYTE | Sent bytes |
| RCVDBYTE | Received bytes |
| DIRECTION | Direction of the web traffic |
| METHOD | Rating override method by URL domain name or IP address |
| CAT | Web category ID |
| CATDESC | Web category description |
| CRSCORE | Client Reputation score |
| CRACTION | |
| CRLEVEL | Client Reputation level |
| ERROR | URL rating error message |
| MSG | Log message |
| SNAREDATAMAP | All other data in the event will be pushed to this field |
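
The sketch below is an added example, not code from this page, the collector or Fortinet. It parses one web filter event into the columns listed above, collects every other key under SNAREDATAMAP, and splits LOGID by digit position as the LOGID, TYPE and EVENTTYPE rows describe. The function names, the tolerance for backslash-escaped quotes and the scaling of EVENTTIME to seconds are assumptions.

```python
import re

# key=value tokens: the value is double-quoted (may hold spaces, '=' and '|';
# backslash-escaped quotes are tolerated, an assumption) or a bare token.
PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Log keys that have their own column in the Fields table on this page.
COLUMNS = set("""date time logid type subtype eventtype devname devid level
vd eventtime tz urlfilteridx urlsource policyid transid sessionid user group
srcip srcport srcintf srcintfrole dstip dstport dstintf dstintfrole proto
service hostname profile action reqtype url referralurl agent sentbyte
rcvdbyte direction method cat catdesc crscore craction crlevel error
msg""".split())

def parse_event(line):
    """Return the table columns of one event; other keys go to SNAREDATAMAP."""
    row, extra = {}, {}
    for key, quoted, bare in PAIR_RE.findall(line):
        target = row if key in COLUMNS else extra
        target[key.upper()] = quoted or bare
    row["SNAREDATAMAP"] = extra
    return row

def split_logid(logid):
    """Split the 10-digit LOGID into (type digits, event digits, message ID)."""
    if not re.fullmatch(r"\d{10}", logid):
        raise ValueError(f"not a 10-digit log ID: {logid!r}")
    return logid[:2], logid[2:4], int(logid[4:])

def epoch_seconds(eventtime):
    """Scale EVENTTIME to whole seconds (heuristic: the samples mix units)."""
    n = int(eventtime)
    while n >= 10**11:  # milli-, micro- or nanoseconds
        n //= 1000
    return n

# Shortened copy of the third sample event on this page.
SAMPLE = ('date=2020-12-08 time=15:40:14 devname="600D-9" logid="0316013056" '
          'type="utm" subtype="webfilter" eventtype="ftgd_blk" '
          'eventtime=1513640414 hostname="detectportal.firefox.com" '
          'action="blocked" msg="URL belongs to a denied category in policy" '
          'cat=52 rawdata="Method=GET|User-Agent=Mozilla/5.0 (Windows NT 6.1)"')

if __name__ == "__main__":
    event = parse_event(SAMPLE)
    print(event["HOSTNAME"], event["ACTION"], split_logid(event["LOGID"]))
    print(epoch_seconds(event["EVENTTIME"]), event["SNAREDATAMAP"])
```

The `rawdata` key has no column in the table, so it lands in SNAREDATAMAP with its embedded `=` and `|` characters intact.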

Notes

Log Message Reference Documentation: https://docs.fortinet.com/document/fortigate/6.4.2/fortios-log-message-reference

 
