no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode

Author: sebastan_bach
2018/03/08 13:02:03

Hi, 
 
I am not sure if I am hitting a bug, as always. I am trying to use basic URL filtering in the new flow mode in 5.6, latest GA firmware version.
 
policy-1 allow service dns & icmp
policy-2 allow service http/https, no application, allow certain URL-categories (log)
policy-3 deny service http/https, no application, blocked certain categories (log)
policy-4 deny all
 
Under logs and reports, in web filter there are no logs. Traffic is getting denied or permitted based on applications, though I have not used them in the policy.
 
Does this thing really work as mentioned?
 
Has anyone got web filtering to work in FortiOS 5.6 in flow mode? Please help.
 
Sebastan
#1


    emnoc
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/08 13:50:44
    I believe you have a bug. What model are you on? I found no traffic logs for a FGT80C, but the local-in logs are working correctly. This was for memory or syslog logging. I will test your problem also and report back tomorrow.
     
    Ken
     

    PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
    #2
    romanr
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/08 14:05:17
    sebastan_bach wrote:
    policy-1 allow service dns & icmp
    policy-2 allow service http/https, no application, allow certain URL-categories (log)
    policy-3 deny service http/https, no application, blocked certain categories (log)
    policy-4 deny all



    Hey,
     
    Are you in NGFW firewall mode or in profile-based firewall mode?
    - With profile-based, this doesn't really make sense...
     
    Which FortiOS version are you running?
     
    Do you have full logging enabled, or only UTM logging?
    If you have only UTM logging, you need to set the web filter action to monitor and not to allow, otherwise no log will be generated!
     
    Br,
    Roman
    #3
    sebastan_bach
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/08 14:38:00
    Hi, 
     
    Thanks for your quick reply. Sorry for the confusion. Yes, I am running in NGFW mode, which defaults to flow mode. I am running FortiOS v5.6.3 build1547 (GA). This is the latest firmware. All my rules have logging enabled. How do I ensure that I have full logging enabled? Is there any command I can check in the CLI?
     
    Any help would be greatly appreciated. 
     
    Sebastan
    #4
    sebastan_bach
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/08 14:52:19
    I have logging enabled for all sessions and not just security events in the rules. 
     
    Sebastan
    #5
    emnoc
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/08 15:09:47
    Did you query the logs from the command line?
     
    e.g.
     
    cli-cmd
    /* populate the appropriate numbers for the ? marks */
    execute log filter category ?
    execute log filter device ?
     
    execute log display
     
    I found no logs in my logging outside of system events; also make sure your global log filters are not set to disable.
     
    I believe the cli-cmd is config log global or config log setting (sorry, not at my console to confirm the cmds).
     
    I will test on my FGT90D tonight if I have the time, but earlier testing showed no logs.
     
    Ken
     
    #6
    romanr
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/08 15:15:01
    Hi,
     
    First of all: I wouldn't use NGFW mode for production in 5.6. This is still somehow beta, and I don't think anyone at FTNT would speak against that kind of statement.
     
    Do you see traffic logs? In terms of tcp sessions?
     
    Br,
    Roman
     
    #7
    sebastan_bach
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/08 15:27:36
    Thanks a lot, Ken.
     
    I followed your steps of setting a display filter with utm-webfilter as the category and used the display command: there are no webfilter logs.
     
    But when I followed the same steps for utm-app-ctrl I can see the logs. It means the firewall is using app-ctrl for identifying sites and not using webfilter at all.
     
    In the GUI under forward logs I can see the details of the sessions, which show the event type as app-ctrl and not webfilter.
     
    Looks like I need to switch back to profile mode; the NGFW mode is buggy. I would like to know your test results on the same.
     
    Sebastan
    #8
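To make the check in the post above repeatable outside the GUI, here is an added Python example (not from the thread and not Fortinet code) that parses FortiOS-style key=value log lines and reports which UTM engine wrote a record for each session. The sample records are constructed in the FortiOS 5.x syslog layout; the field names follow the usual schema, but every value in them is invented. The first set reproduces what the post describes in NGFW mode (app-ctrl records only); the second adds the webfilter record a working web filter would produce.

```python
import re
from collections import Counter, defaultdict

# FortiOS writes each log record as space-separated key=value pairs; a value
# that contains spaces is double-quoted.  This regex handles both forms.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Parse one FortiOS key=value log line into a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def summarize_utm(lines):
    """Group type=utm records by subtype and count their actions.

    Returns {subtype: Counter({action: n})}.  Traffic and event records are
    skipped, so an empty result means no UTM engine logged anything at all.
    """
    out = defaultdict(Counter)
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") == "utm":
            out[rec.get("subtype", "unknown")][rec.get("action", "unknown")] += 1
    return dict(out)


def engines_per_session(lines):
    """Map sessionid -> set of UTM subtypes that logged a verdict for it.

    A blocked session whose set is only {'app-ctrl'} was decided by
    application control; the web filter never produced a record for it.
    """
    engines = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") == "utm" and "sessionid" in rec:
            engines[rec["sessionid"]].add(rec.get("subtype", "unknown"))
    return dict(engines)


def webfilter_engaged(lines):
    """True only if the web filter engine itself wrote at least one record."""
    return "webfilter" in summarize_utm(lines)


# Constructed sample records (FortiOS 5.x syslog style, invented values).
# NGFW_LOGS mirrors the thread: app-ctrl and traffic records, no webfilter.
NGFW_LOGS = [
    'date=2018-03-08 time=15:20:01 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="information" vd="root" policyid=7 sessionid=1001 srcip=10.0.0.15 '
    'dstip=203.0.113.10 dstport=443 proto=6 service="HTTPS" action="pass" '
    'app="Wikipedia" appcat="General.Interest" msg="General.Interest: Wikipedia"',
    'date=2018-03-08 time=15:20:07 type="utm" subtype="app-ctrl" eventtype="app-ctrl-all" '
    'level="warning" vd="root" policyid=0 sessionid=1002 srcip=10.0.0.15 '
    'dstip=198.51.100.20 dstport=443 proto=6 service="HTTPS" action="block" '
    'app="Facebook" appcat="Social.Media" msg="Social.Media: Facebook"',
    'date=2018-03-08 time=15:20:07 type="traffic" subtype="forward" level="notice" '
    'vd="root" policyid=0 sessionid=1002 srcip=10.0.0.15 dstip=198.51.100.20 '
    'dstport=443 proto=6 service="HTTPS" action="deny" utmaction="block"',
]
# PROFILE_LOGS shows what a working web filter adds: a subtype=webfilter record.
PROFILE_LOGS = NGFW_LOGS[:1] + [
    'date=2018-03-08 time=15:21:30 type="utm" subtype="webfilter" eventtype="ftgd_blk" '
    'level="warning" vd="root" policyid=7 sessionid=1003 srcip=10.0.0.15 '
    'dstip=198.51.100.20 dstport=443 proto=6 service="HTTPS" action="blocked" '
    'hostname="www.facebook.com" url="/" catdesc="Social Networking" '
    'msg="URL belongs to a denied category in policy"',
]

if __name__ == "__main__":
    for name, logs in (("NGFW-mode sample", NGFW_LOGS), ("profile-mode sample", PROFILE_LOGS)):
        print(name, summarize_utm(logs), "webfilter engaged:", webfilter_engaged(logs))
        print("  engines per session:", engines_per_session(logs))
```

Feed it the output of `execute log display` (or a syslog export) one record per line; if `webfilter_engaged` stays False while `engines_per_session` shows blocks attributed only to app-ctrl, the verdicts are coming from application control, which is exactly the symptom reported above.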
    sebastan_bach
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/08 15:29:08
    Hi Roman, 
     
    I am not sure why you made the statement that 5.6 is beta. If that was the case, why does the firmware version on my FortiGate say that the version is GA and not beta?
     
    FortiOS v5.6.3 build1547 (GA) (This is from my fortigate firmware page)
     
    Sebastan
     
    #9
    romanr
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/09 00:56:13
    Hey,
     
    I did not state that 5.6 is beta.
    I did state that NGFW firewall mode is somehow beta. This is a totally new feature set and I am not aware of anyone using it in production right now. If there is anyone using it who has good experience, I would like to be corrected.
     
    Br,
    Roman
    #10
    emnoc
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/09 05:57:49
    I have to agree with Roman; I would avoid any critical NGFW features in v5.6.x. This is really a "try and hope it works" and YMMV. Back on the logging, I did NOT see URL logs either, even though my sites were blocked. I didn't spend too much time since I got home late. I'll try more actions this weekend.
     
    Ken
     

    #11
    sebastan_bach
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/09 09:01:17
    Hi Ken,
     
    You can see the log details, and they will show you that the blocking is because of an app-ctrl event and not a web-filter event. So it's pretty obvious that web filtering is not working in NGFW mode, for sure, no matter what you try.
     
    Sebastan
    #12
    emnoc
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/09 09:59:59
    What do you have on your firewall policy?
    Can you do a cmd show firewall policy <####>?

    #13
    sebastan_bach
    Re: no web filtering and no web-filtering logs in fortiOS 5.6 in flow mode 2018/03/09 10:21:06
    Hi Emnoc, 
     
    Below are the firewall policies.
     
    show firewall policy 5
    config firewall policy
        edit 5
            set name "Allow-DNS & ICMP"
            set uuid 35d302de-0ad1-51e8-97eb-69e7544dfe32
            set srcintf "Lan"
            set dstintf "Wan"
            set srcaddr "Lan"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "DNS" "ALL_ICMP"
            set logtraffic disable
        next
    end
     
    show firewall policy 7
    config firewall policy
        edit 7
            set name "Allow-Web"
            set uuid c87d5c94-2311-51e8-687d-74e995853e25
            set srcintf "Lan"
            set dstintf "Wan"
            set srcaddr "Lan"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set url-category 24 25 23
        next
    end
     
    There is an implicit deny rule with logging enabled.
     
    If possible, please try to replicate the same and you will see that for the traffic which is blocked by the deny rule the event is application control and not web filter. I even tried using url-webfilter in the filter for displaying logs and there are no logs, but you can see the same logs when the filter is set to app-ctrl.
     
    Sebastan
    #14