sebastan_bach
New Contributor

No web filtering and no web-filtering logs in FortiOS 5.6 in flow mode

Hi, 

 

I am not sure if I am hitting a bug as always. I am trying to use basic URL filtering in the new flow mode in 5.6. Latest firmware GA version.

 

policy-1 allow service dns & icmp

policy-2 allow service http/https, no application, allow certain URL-categories (log)

policy-3 deny service http/https, no application, blocked certain categories (log)

policy-4 deny all

 

Under logs and reports in web-filter there are no logs. Traffic is getting denied or permitted based on applications though I have not used them in the policy.

 

Does this thing really work as mentioned?

Has anyone got web-filtering to work in FortiOS 5.6 in flow mode? Please help.

 

Sebastan

14 REPLIES
emnoc
Esteemed Contributor III

I believe you have a bug. What model are you on? I found no traffic logs for a FGT80C, but the local-in logs are working correctly. This was for memory or syslog logging. I will test your problem also and report back tomorrow.

 

Ken

 

PCNSE NSE StrongSwan
romanr
Valued Contributor

sebastan_bach wrote:

policy-1 allow service dns & icmp

policy-2 allow service http/https, no application, allow certain URL-categories (log)

policy-3 deny service http/https, no application, blocked certain categories (log)

policy-4 deny all

Hey,

 

Are you on NGFW firewall mode or on profile based firewall mode?

- with profile based, this doesn't really make sense...

 

Which FortiOS version are you running?

 

Do you have full logging enabled - or only UTM logging?

If you have only UTM logging, you need to set web-filter to monitor and not to allow, otherwise no log will be generated!

 

Br,

Roman

sebastan_bach

Hi, 

 

Thanks for your quick reply. Sorry for the confusion. Yes, I am running in NGFW mode, which defaults to flow mode. I am running FortiOS v5.6.3 build1547 (GA). This is the latest firmware. All my rules are with logging enabled. How do I ensure that I have full logging enabled? Is there any command I can check on the CLI?

 

Any help would be greatly appreciated. 

 

Sebastan

sebastan_bach

I have logging enabled for all sessions and not just security events in the rules. 

 

Sebastan

emnoc
Esteemed Contributor III

Did you query the logs from the command line?

e.g.

cli-cmd

/* populate the appropriate numbers for the ? marks */

execute log filter category ?

execute log filter device ?

execute log display

 

 

I found no logs in my logging outside of system.events. Also make sure your global log filters are not set for disable.

I believe the cli-cmd is config log global or config log setting (sorry, not at my console to confirm the cmds).

I will test on my FGT90D tonight, permitting if I have the time, but earlier testing showed no logs.

 

Ken

 

PCNSE NSE StrongSwan
romanr
Valued Contributor

Hi,

 

First of all: I wouldn't use NGFW mode for production in 5.6. This is still somehow beta and I don't think someone at FTNT would speak against that kind of statement.

 

Do you see traffic logs? In terms of tcp sessions?

 

Br,

Roman

 

sebastan_bach

Thanks a lot Ken, 

 

I followed your steps of setting a display filter with utm-webfilter as the category and used the display command; there are no webfilter logs.

But when I followed the same steps for utm-app-ctrl I can see the logs. It means the firewall is using app-ctrl for identifying sites and not using webfilter at all.

In the GUI under forward logs I can see the details of the sessions, which display that the event type is app-ctrl and not webfilter.

Looks like I need to switch back to profile mode; the NGFW mode is buggy. I would like to know your test results on the same.

 

Sebastan

sebastan_bach

Hi Roman, 

 

I am not sure why you made the statement that 5.6 is beta. If that was the case, why is the firmware version on my FortiGate mentioning that the version is GA and not beta?

FortiOS v5.6.3 build1547 (GA) (This is from my FortiGate firmware page)

 

Sebastan

 

romanr

Hey,

 

I did not state that 5.6 is beta.

I did state that NGFW firewall mode is somehow beta. This is a totally new feature set and I am not aware of anyone using it in production right now - if there is anyone using it and has good experience I would like to get corrected.

 

Br,

Roman
