Hi,
I am investigating UTM firewall logs and I see two different types of logs that I need to understand better.
I have drilled down to a specific domain and IP-address of interest.
- UTM: Web Filter logs domain information and the number of bytes sent/received.
- Traffic: records traffic flow information, such as HTTP/HTTPS requests and responses, and also stores bytes sent/received.
Are the logs related to each other or are they not related at all?
I see the number of connections in both types of logs is almost the same. But when I look at the total number of bytes in both logs, there is a huge difference (fields: rcvdbyte and sentbyte). The ports being used and looked at are only HTTP and HTTPS.
I hope somebody can shed some light on this.
Thank you in advance,
Dave
Anybody here who can assist with the question above?
Hmm, I suspect you see higher numbers in the traffic logs.
Webfilter (WF) is content inspection for HTTP only. Depending on the settings, all or only some traffic might be logged according to matching categories. Even with all categories on Monitor, there is web traffic not matching any of these. You may or may not block this 'unmatched' traffic in the WF.
Does this correspond to what you are seeing?
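A quick way to check the explanation above on your own data is to join the two log types on the session ID and see which traffic-log sessions never produced a webfilter record. The script below is an added example, not code from the thread or from Fortinet. It assumes the standard FortiOS key=value log syntax and that both the traffic log and the webfilter (type=utm subtype=webfilter) log carry `sessionid`, `dstip`, `sentbyte` and `rcvdbyte`; the log lines embedded in it are constructed for illustration, not taken from the poster's firewall.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiOS key=value log syntax (illustration only).
# Session 1002 is a large HTTPS download that the traffic log records but the
# webfilter log does not: that is the 'unmatched' traffic described in the reply.
SAMPLE_LOGS = """\
date=2024-05-06 time=10:00:01 type=traffic subtype=forward sessionid=1001 srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 service=HTTPS sentbyte=1200 rcvdbyte=48000 utmaction=allow
date=2024-05-06 time=10:00:02 type=utm subtype=webfilter eventtype=ftgd_allow sessionid=1001 srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 hostname="example.com" sentbyte=1200 rcvdbyte=48000 action=passthrough
date=2024-05-06 time=10:00:05 type=traffic subtype=forward sessionid=1002 srcip=10.0.0.5 dstip=203.0.113.10 dstport=443 service=HTTPS sentbyte=900 rcvdbyte=510000 utmaction=allow
date=2024-05-06 time=10:00:09 type=traffic subtype=forward sessionid=1003 srcip=10.0.0.7 dstip=203.0.113.10 dstport=80 service=HTTP sentbyte=600 rcvdbyte=22000 utmaction=allow
date=2024-05-06 time=10:00:09 type=utm subtype=webfilter eventtype=ftgd_allow sessionid=1003 srcip=10.0.0.7 dstip=203.0.113.10 dstport=80 hostname="example.com" sentbyte=600 rcvdbyte=22000 action=passthrough
"""

# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one FortiOS key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def load_logs(text):
    """Parse every non-empty line of a log dump."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _total(records, field):
    return sum(int(r.get(field, 0)) for r in records)


def correlate(records, dstip):
    """Join traffic and webfilter records for one destination IP on sessionid.

    Returns the per-log-type session counts and byte totals, plus the sessions
    that appear in the traffic log but have no webfilter record at all.
    """
    traffic = {}                 # sessionid -> traffic record
    webfilter = defaultdict(list)  # sessionid -> webfilter records (one per request)
    for r in records:
        if r.get("dstip") != dstip:
            continue
        if r.get("type") == "traffic":
            traffic[r["sessionid"]] = r
        elif r.get("type") == "utm" and r.get("subtype") == "webfilter":
            webfilter[r["sessionid"]].append(r)

    wf_records = [r for rs in webfilter.values() for r in rs]
    unmatched = sorted(s for s in traffic if s not in webfilter)
    return {
        "traffic_sessions": len(traffic),
        "webfilter_sessions": len(webfilter),
        "traffic_bytes": {"sentbyte": _total(traffic.values(), "sentbyte"),
                          "rcvdbyte": _total(traffic.values(), "rcvdbyte")},
        "webfilter_bytes": {"sentbyte": _total(wf_records, "sentbyte"),
                            "rcvdbyte": _total(wf_records, "rcvdbyte")},
        "unmatched_sessions": unmatched,
        # bytes that only the traffic log accounts for
        "unmatched_rcvdbyte": _total((traffic[s] for s in unmatched), "rcvdbyte"),
    }


if __name__ == "__main__":
    summary = correlate(load_logs(SAMPLE_LOGS), "203.0.113.10")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against an export of both log types filtered to the domain or IP of interest. If the byte gap between `traffic_bytes` and `webfilter_bytes` is explained almost entirely by `unmatched_rcvdbyte`, the traffic is reaching the firewall but not being inspected or logged by the web filter (no SSL inspection on that policy, a category set to not log, or a profile not applied), which is the situation the reply above describes.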
Ah, that might answer my question; at least it makes a lot of sense. I did not configure the firewall, so I will verify this next week.
Thank you for your swift answer!
Copyright 2024 Fortinet, Inc. All Rights Reserved.