Traffic

Traffic log messages record requests that a FortiWeb policy accepted or blocked. If the request was successful, it also includes the reply. Each log message represents its whole HTTP transaction.

Traffic logs do not record non-HTTP/HTTPS traffic such as FTP. This type of traffic is forwarded to your web servers if you have enabled IP-layer forwarding.

Traffic log messages are described below. For descriptions of header fields not mentioned here, see Header & body fields.

Meaning
Traffic matching and complying with a policy passed through or by FortiWeb. If there is an error in the message, however, and the request/response used HTTPS, FortiWeb could not scan it. Depending on the mode of operation, an attack could have bypassed FortiWeb.

Meaning

Traffic matching and complying with a policy passed through or by FortiWeb.

If there is an error in the message, however, and the request/response used HTTPS, FortiWeb could not scan it. Depending on the mode of operation, an attack could have bypassed FortiWeb.

Solution

Solution
Reponse times can often be improved, for example, by regular expression tuning, offloading SSL/TLS from your back-end server to your FortiWeb (especially if the model supports hardware acceleration), and/or offloading compression. For performance tips, see the FortiWeb Administration Guide. If HTTPS traffic is not flowing as you expect or not being inspected, and you have recently enabled HTTPS, typically this is due to a misconfiguration. The error message in the `msg` field will indicate the appropriate solution: `No Server Certificate for SSL Connection` — FortiWeb does not have the server certificate, so it cannot decode the SSL traffic. To fix this, upload the web server’s certificate to FortiWeb. `SSL Certificate Key Mismatch` — An X.509 server certificate was uploaded to FortiWeb, but its private key did not match the one used by this HTTPS session. To fix this, upload the back-end web server’s current certificate. `Ephemeral keys cannot be decrypted` — Ephemeral Diffie-Hellman key exchange can't be inspected due to the property of perfect forward secrecy, which makes real-time HTTPS inspection impossible. To fix this, disable ephemeral Diffie-Hellman on the back-end web server, and select a different key exchange method. `Unsupported Cipher for SSL Connection` — Either message digest (MAC) authentication failed or the MAC did not exist, or the transaction used an unsupported cipher suite. To fix this, on the back-end web server, disable cipher suites that are not supported by FortiWeb. `Unmonitored SSL Connection` — The HTTPS session was initiated before FortiWeb was deployed or before the server policy was enabled, so FortiWeb could not listen for the key exchange, and therefore cannot decrypt subsequent requests/responses in this HTTPS session. To fix this, on the back-end web server, clear HTTPS sessions and force clients to renegotiate. If your appliance was operating in reverse proxy or true transparent proxy mode, the traffic was blocked, and no attack could have passed through to your protected web servers. No action is required except to make sure that you have uploaded to FortiWeb the correct certificate for all protected web servers. Otherwise, if your appliance was: operating in offline protection or transparent inspection mode or configured only to monitor traffic (e.g. Monitor Mode was enabled or the Action is Alert, not Alert & Deny) examine the web server to determine whether or not an encrypted attack has passed through. You should also examine your web server’s HTTPS configuration and disable cipher suites and key exchanges that are not supported by FortiWeb so that during negotiation with clients, your web server does not agree to use encryption that FortiWeb cannot scan for attacks. By the nature of log-only actions, detected attack attempts are logged but not blocked. You may also want to determine if the attack is from a single source IP address or distributed: blacklisting an offending client may help you to efficiently prevent further attack attempts, improving performance, until you can take further action. By the nature of the network topology for offline protection mode (which can potentially cause differences in speeds of the separate routing paths), and asynchronous inspection for transparent inspection mode, blocking cannot be guaranteed and some key exchanges are not supported. For details, see the FortiWeb Administration Guide.

Reponse times can often be improved, for example, by regular expression tuning, offloading SSL/TLS from your back-end server to your FortiWeb (especially if the model supports hardware acceleration), and/or offloading compression. For performance tips, see the FortiWeb Administration Guide.

If HTTPS traffic is not flowing as you expect or not being inspected, and you have recently enabled HTTPS, typically this is due to a misconfiguration. The error message in the msg field will indicate the appropriate solution:

No Server Certificate for SSL Connection — FortiWeb does not have the server certificate, so it cannot decode the SSL traffic. To fix this, upload the web server’s certificate to FortiWeb.
SSL Certificate Key Mismatch — An X.509 server certificate was uploaded to FortiWeb, but its private key did not match the one used by this HTTPS session. To fix this, upload the back-end web server’s current certificate.
Ephemeral keys cannot be decrypted — Ephemeral Diffie-Hellman key exchange can't be inspected due to the property of perfect forward secrecy, which makes real-time HTTPS inspection impossible. To fix this, disable ephemeral Diffie-Hellman on the back-end web server, and select a different key exchange method.
Unsupported Cipher for SSL Connection — Either message digest (MAC) authentication failed or the MAC did not exist, or the transaction used an unsupported cipher suite. To fix this, on the back-end web server, disable cipher suites that are not supported by FortiWeb.
Unmonitored SSL Connection — The HTTPS session was initiated before FortiWeb was deployed or before the server policy was enabled, so FortiWeb could not listen for the key exchange, and therefore cannot decrypt subsequent requests/responses in this HTTPS session. To fix this, on the back-end web server, clear HTTPS sessions and force clients to renegotiate.

If your appliance was operating in reverse proxy or true transparent proxy mode, the traffic was blocked, and no attack could have passed through to your protected web servers. No action is required except to make sure that you have uploaded to FortiWeb the correct certificate for all protected web servers.

Otherwise, if your appliance was:

operating in offline protection or transparent inspection mode or
configured only to monitor traffic (e.g. Monitor Mode was enabled or the Action is Alert, not Alert & Deny)

examine the web server to determine whether or not an encrypted attack has passed through. You should also examine your web server’s HTTPS configuration and disable cipher suites and key exchanges that are not supported by FortiWeb so that during negotiation with clients, your web server does not agree to use encryption that FortiWeb cannot scan for attacks.

By the nature of log-only actions, detected attack attempts are logged but not blocked. You may also want to determine if the attack is from a single source IP address or distributed: blacklisting an offending client may help you to efficiently prevent further attack attempts, improving performance, until you can take further action.

By the nature of the network topology for offline protection mode (which can potentially cause differences in speeds of the separate routing paths), and asynchronous inspection for transparent inspection mode, blocking cannot be guaranteed and some key exchanges are not supported. For details, see the FortiWeb Administration Guide.

Field name Description

Field name	Description
ID (`log_id`)	`30000000` All traffic log messages share the same ID (`log_id`=`30000000`). See Log ID numbers.
Sub Type (`subtype`)	`http` All traffic log messages share the same subtype (`subtype=http`). See Subtypes.
Level (`pri`)	`notification` See Priority level.
Message (`msg`)	If the HTTP request triggered the FortiWeb web caching feature, the message begins with `[Replied by Cache]`. The HTTP/HTTPS request’s: method IP layer source and destination address and port numbers (IPv6 addresses are surrounded by square brackets to better demarcate the port number, e.g. `[2001:470:19:ad7:6::230]:443`) such as: `HTTP` GET `request from 10.0.2.5:8239 to 10.0.2.1:443` `HTTP` POST `request from 10.0.2.5:8100 to 10.0.2.1:80` If the transaction used HTTPS, and there was an error when either decoding it or participating in the handshake, there may be an error message instead of the HTTP method, such as: `HTTP request from 192.0.2.1:40170 to 10.0.2.1:443,` Ephemeral keys cannot be decrypted
Source Country (`srccountry`)	The country that is the source of the traffic.
HTTP Content Routing (`content_ switch_name`)	The name of the associated HTTP content routing policy.
Server Pool Name (`server_pool_name`)	The name of the server pool in the associated server policy.

(log_id)

30000000

All traffic log messages share the same ID (log_id=30000000). See Log ID numbers.

Sub Type

(subtype)

http

All traffic log messages share the same subtype (subtype=http). See Subtypes.

Level

(pri)

notification

See Priority level.

Message

(msg)

If the HTTP request triggered the FortiWeb web caching feature, the message begins with [Replied by Cache].

The HTTP/HTTPS request’s:

method
IP layer source and destination address and port numbers (IPv6 addresses are surrounded by square brackets to better demarcate the port number, e.g. [2001:470:19:ad7:6::230]:443)

such as:

HTTP GET request from 10.0.2.5:8239 to 10.0.2.1:443
HTTP POST request from 10.0.2.5:8100 to 10.0.2.1:80

If the transaction used HTTPS, and there was an error when either decoding it or participating in the handshake, there may be an error message instead of the HTTP method, such as:

HTTP request from 192.0.2.1:40170 to 10.0.2.1:443, Ephemeral keys cannot be decrypted

Source Country

(srccountry)

The country that is the source of the traffic.

HTTP Content Routing

(content_ switch_name)

The name of the associated HTTP content routing policy.

Server Pool Name

(server_pool_name)

The name of the server pool in the associated server policy.

Examples
date=2014-06-26 time=00:43:37 log_id=30000000 msg_id=000001351251 device_id=FV-1KD3A14800059 vd="root" timezone="(GMT-8:00)Pacific Time(US&Canada)" type=traffic subtype="http" pri=notice proto=tcp service=http status=success reason=none policy=Auto-policy src=10.0.8.103 src_port=8142 dst=10.20.8.22 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=444 http_response_bytes=401 http_method=get http_url="/" http_host="10.0.8.22" http_agent="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; " http_retcode=200 msg="HTTP GET request from 10.0.8.103:8142 to 10.20.8.22:80" srccountry="Reserved" content_switch_name="testa" server_pool_name="Auto-ServerFarm"
date=2014-04-11 time=09:26:22 log_id=30000000 msg_id=000000000156 device_id=FVVM00UNLICENSED vd="root" timezone="(GMT-5:00)Eastern Time(US & Canada)" type=traffic subtype="http" pri=notification proto=tcp service=https status=success reason="none" policy="policy1" src=172.20.120.47 src_port=53817 dst=172.20.120.47 dst_port=80 http_request_time=18 http_response_time=1 http_request_bytes=464 http_response_bytes=3060 http_method=get http_url="/index" http_host="172.20.120.48" http_agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0" http_retcode=200 msg="HTTPS GET request from 172.20.120.47:53817 to 172.20.120.47:80 " srccountry="United States" content_switch_name="testa" server_pool_name="Auto-ServerFarm"
date=2014-04-11 time=10:16:29 log_id=30000000 msg_id=000000000230 device_id=FVVM00UNLICENSED vd="root" timezone="(GMT-5:00)Eastern Time(US & Canada)" type=traffic subtype="http" pri=notification proto=tcp service=http status=success reason="none" policy="policy1" src=172.20.120.46 src_port=49234 dst=172.20.120.48 dst_port=80 http_request_time=0 http_response_time=0 http_request_bytes=257 http_response_bytes=0 http_method=get http_url="/admin" http_host="172.20.120.48" http_agent="Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" http_retcode=500 msg="HTTP POST request from 172.20.120.46:49234 to 172.20.120.48:80 " srccountry="United States" content_switch_name="testa" server_pool_name="Auto-ServerFarm"

Open topic with navigation