Author: krajaa (Staff)
Article Id 192373

Description

This article shows how to configure the extended logging option in UTM profiles.

Scope

For version 6.4.2.

Solution

Enable extended logging for the following UTM profiles:

  • Anti-virus.
  • Application.
  • DLP.
  • IPS.
  • WAF.
  • Web filter.
When the extended-log option is enabled for UTM profiles, all HTTP header information for HTTP-deny traffic is logged.

When the web-extended-all-action-log option in the web filter profile is enabled as well, all HTTP header information for HTTP-allow traffic is also logged.

Extended logging option in UTM profiles.

The extended-log option is available in every UTM profile. For example:

webfilter profile:

config webfilter profile
    edit "test-webfilter"
        set extended-log enable
        set web-extended-all-action-log enable
    next
end

av profile:

config antivirus profile
    edit "av-proxy-test"
        set extended-log enable
    next
end

waf profile:

config waf profile
    edit "test-waf"
        set extended-log enable
    next
end

IPS profile:

config ips sensor
    edit test_profile
        set extended-log enable
    next
end


Syslog server mode.

The Syslog server mode (set mode) can be udp, reliable, or legacy-reliable.

Set the mode to reliable to support extended logging, for example:

config log syslogd setting
    set status enable
    set server "<ip address>"
    set mode reliable
    set facility local6
end


Example of an extended log.

The following is an example extended log of type utm with subtype webfilter, as received by a reliable Syslog server.
The rawdata field carries the extended log data, that is, the HTTP header information.


Dec 18 15:40:15 10.6.30.254 date=2017-12-18 time=15:40:14
devname="600D-9" devid="FGT6HD3915800120" logid="0316013056"
type="utm" subtype="webfilter" eventtype="ftgd_blk"
level="warning" vd="vdom1" eventtime=1513640414 policyid=2
sessionid=440522 srcip=10.1.100.128 srcport=60995 srcintf="port2"
srcintfrole="lan" dstip=209.121.139.177 dstport=80 dstintf="port1"
dstintfrole="wan" proto=6 service="HTTP"
hostname="detectportal.firefox.com" profile="test-webfilter"
action="blocked" reqtype="direct" url="/success.txt" sentbyte=285
rcvdbyte=0 direction="outgoing"
msg="URL belongs to a denied category in policy" method="domain"
cat=52 catdesc="Information Technology" crscore=30 crlevel="high"
rawdata="Method=GET|User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:57.0)
Gecko/20100101 Firefox/57.0"
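The extended log above is what a Syslog collector has to take apart before the HTTP header data in rawdata can be used for alerting. The following parser is an added example, not code from the article or from Fortinet: it splits the key=value fields (quoted values may contain spaces, '=' and '|'), then splits rawdata on '|' into header name/value pairs, and assumes that '|' never occurs inside a header value. The sample line is a constructed subset of the article's log, joined onto one line.

```python
import re
from typing import Dict

# Constructed sample: the article's extended log joined into one syslog line
# (a subset of its fields; the line breaks in the article are only for display).
SAMPLE_LOG = (
    'Dec 18 15:40:15 10.6.30.254 date=2017-12-18 time=15:40:14 '
    'devname="600D-9" logid="0316013056" type="utm" subtype="webfilter" '
    'eventtype="ftgd_blk" level="warning" vd="vdom1" policyid=2 '
    'srcip=10.1.100.128 srcport=60995 dstip=209.121.139.177 dstport=80 '
    'service="HTTP" hostname="detectportal.firefox.com" '
    'profile="test-webfilter" action="blocked" url="/success.txt" '
    'msg="URL belongs to a denied category in policy" cat=52 crlevel="high" '
    'rawdata="Method=GET|User-Agent=Mozilla/5.0 (Windows NT 6.1; rv:57.0) '
    'Gecko/20100101 Firefox/57.0"'
)

# One key=value field: a double-quoted value (may contain spaces, '=' and '|',
# as rawdata does) or a bare token running to the next whitespace.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate syslog line into its key=value fields (syslog prefix ignored)."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields

def parse_rawdata(rawdata: str) -> Dict[str, str]:
    """Split the rawdata value into HTTP header name/value pairs.
    Items are '|'-separated Name=Value; only the first '=' splits a pair, so a
    value that itself contains '=' (e.g. a cookie) stays intact. Assumption: '|'
    does not occur inside header values."""
    headers: Dict[str, str] = {}
    for item in rawdata.split("|"):
        name, sep, value = item.partition("=")
        if sep:
            headers[name.strip()] = value.strip()
    return headers

def normalize(line: str) -> Dict[str, str]:
    """Flatten one line: log fields plus HTTP headers under an 'http.' prefix,
    the shape a SIEM field mapping usually wants."""
    fields = parse_fortigate_log(line)
    for name, value in parse_rawdata(fields.pop("rawdata", "")).items():
        fields["http." + name.lower()] = value
    return fields
```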