Reliable webfilter statistics

Introduction

FortiOS 6.2.0 provides command line tools to view the webfilter statistics report. These tools fall into two groups: proxy-based webfilter statistics commands and flow-based webfilter statistics commands.

Proxy-based webfilter statistics report

  • The proxy-based webfilter statistics command line tools are as follows. These commands are available in both global and per-VDOM command lines.

#diagnose wad filter    <—- define the objects of interest for the output

(global) # diag wad ?
console-log   Send WAD log messages to the console.
debug         Debug setting.
stats         Show statistics.
filter        Filter for listing sessions or tunnels.    <—- use filter to select the objects of interest for the output
kxp           SSL KXP diagnostics.
user          User diagnostics.
memory        WAD memory diagnostics.
restore       Restore configuration defaults.
history       Statistics history.
session       Session diagnostics.
tunnel        Tunnel diagnostics.
webcache      Web cache statistics.
worker        Worker diagnostics.
csvc          Cache service diagnostics.

#diagnose wad stats filter list/clear    <—- list/clear the WebFiltering/DLP statistics report

  • In the example below, there are two VDOMs using proxy-based policies which have webfilter profiles enabled. The command line can be used to view the proxy-based webfilter statistics report.

(global) # diag wad filter ?
list                   Display current filter.
clear                  Erase current filter settings.
src                    Source address range to filter by.
dst                    Destination address range to filter by.
sport                  Source port range to filter by.
dport                  Destination port range to filter by.
vd                     Virtual Domain Name.    <—- filter for a per-VDOM or global statistics report
explicit-policy        Index of explicit-policy. -1 matches all.
firewall-policy        Index of firewall-policy. -1 matches all.
drop-unknown-session   Enable drop message unknown sessions.
negate                 Negate the specified filter parameter.
protocol               Select protocols to filter by.

FGT_600D-ICAP-NAT (global) # diag wad filter vd
<vdom>    Virtual Domain Name.
ALL       all vdoms
root      vdom
vdom1     vdom

FGT_600D-ICAP-NAT (global) # diag wad filter vd root    <—- filter for the root VDOM statistics
Drop_unknown_session is enabled.

FGT_600D-ICAP-NAT (global) # diag wad stats filter list
filtering of vdom root    <—- displays the WF statistics for the root VDOM
dlp          = 0    <—- number of requests that the DLP sensor processed
content-type = 0    <—- number of requests that matched a content-type filter
urls:
  examined   = 6    <—- number of requests that the proxy web filter (all WAD daemons) examined
  allowed    = 3    <—- number of examined requests that were allowed
  blocked    = 0    <—- number of examined requests that were blocked
  logged     = 0    <—- number of examined requests that were logged
  overridden = 0    <—- number of examined requests that were overridden to another webfilter profile

FGT_600D-ICAP-NAT (global) # diag wad filter vd vdom1    <—- filter for the vdom1 statistics

FGT_600D-ICAP-NAT (global) # diag wad stats filter list
filtering of vdom vdom1    <—- displays the WF statistics for vdom1
dlp          = 0
content-type = 0
urls:
  examined   = 13
  allowed    = 2
  blocked    = 9
  logged     = 8
  overridden = 0

FGT_600D-ICAP-NAT (global) # diag wad filter vd ALL

FGT_600D-ICAP-NAT (global) # diag wad stats filter list
filtering of all accessible vdoms    <—- the global statistics are the sum of the two VDOMs
dlp          = 0
content-type = 0
urls:
  examined   = 19
  allowed    = 5
  blocked    = 9
  logged     = 8
  overridden = 0

Flow-based webfilter statistics report

  • The flow-based webfilter statistics command line tools are as follows. These commands are available in the global command line only.

(global) # diag test app ipsmonitor
IPS Engine Test Usage:
  1: Display IPS engine information
  2: Toggle IPS engine enable/disable status
  3: Display restart log
  4: Clear restart log
  5: Toggle bypass status
  6: Submit attack characteristics now
 10: IPS queue length
 11: Clear IPS queue length
 12: IPS L7 socket statistics
 13: IPS session list
 14: IPS NTurbo statistics
 15: IPSA statistics
 18: Display session info cache
 19: Clear session info cache
 21: Reload FSA malicious URL database
 22: Reload whitelist URL database
 24: Display Flow AV statistics
 25: Reset Flow AV statistics
 27: Display Flow urlfilter statistics
 28: Reset Flow urlfilter statistics
 29: Display global Flow urlfilter statistics    <—- list the flow web filtering statistics
 30: Reset global Flow urlfilter statistics      <—- reset the flow web filtering statistics
 96: Toggle IPS engines watchdog timer
 97: Start all IPS engines
 98: Stop all IPS engines
 99: Restart all IPS engines and monitor

  • In the example below, there are two VDOMs using flow-based policies which have webfilter profiles enabled. The command line can be used to view the flow-based webfilter statistics report.

(global) # diag test app ipsmonitor 29
Global URLF states:
request:          14    <—- number of requests that the flow web filter (all IPS engines) received
response:         14    <—- number of responses that the flow web filter (all IPS engines) sent
pending:           0    <—- number of requests under processing at that moment
request error:     0    <—- number of requests that had an error
response timeout:  0    <—- number of responses that the IPS engine did not receive in time
blocked:          12    <—- number of requests that the flow web filter blocked
allowed:           2    <—- number of requests that the flow web filter allowed
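Parsing and cross-checking these reports, as an added example that is not from the page or from Fortinet: a small Python helper that reads the counters of the proxy-based "diag wad stats filter list" report and the flow-based "ipsmonitor 29" report, and verifies that the ALL report equals the sum of the per-VDOM reports, as stated above. The sample reports are constructed from the counter values shown on this page; the flow-side request accounting check is an assumed relationship, not one the page states.

```python
import re

# Constructed sample reports using the counter values shown on this page:
# "diag wad stats filter list" for root, vdom1 and ALL, and "diag test app ipsmonitor 29".
WAD = {
    "root":  "filtering of vdom root\ndlp = 0\ncontent-type = 0\nurls:\n"
             "examined = 6\nallowed = 3\nblocked = 0\nlogged = 0\noverridden = 0\n",
    "vdom1": "filtering of vdom vdom1\ndlp = 0\ncontent-type = 0\nurls:\n"
             "examined = 13\nallowed = 2\nblocked = 9\nlogged = 8\noverridden = 0\n",
    "ALL":   "filtering of all accessible vdoms\ndlp = 0\ncontent-type = 0\nurls:\n"
             "examined = 19\nallowed = 5\nblocked = 9\nlogged = 8\noverridden = 0\n",
}
FLOW = ("Global URLF states:\nrequest: 14\nresponse: 14\npending: 0\n"
        "request error: 0\nresponse timeout: 0\nblocked: 12\nallowed: 2\n")

# One "name = value" or "name: value" counter per line; headers such as
# "urls:" or "Global URLF states:" carry no number and are skipped.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][\w -]*?)\s*[=:]\s*(\d+)\s*$")

def parse_counters(text):
    """Return {counter_name: int} for one WAD or IPS statistics report."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def vdom_sum_mismatches(per_vdom, global_report):
    """Counters where the ALL report != sum of the per-VDOM reports,
    as {counter: (global_value, per_vdom_total)}; empty when consistent."""
    mismatches = {}
    for name, value in global_report.items():
        total = sum(report.get(name, 0) for report in per_vdom.values())
        if total != value:
            mismatches[name] = (value, total)
    return mismatches

def decided_within_examined(report):
    """Allowed + blocked + overridden requests cannot exceed the examined ones."""
    decided = report["allowed"] + report["blocked"] + report["overridden"]
    return decided <= report["examined"]

def flow_requests_accounted(report):
    """Assumed invariant (not stated on the page): every request the flow web
    filter received was either answered or is still pending."""
    return report["request"] == report["response"] + report["pending"]
```

A missing VDOM in the per-VDOM set shows up as a non-empty mismatch dictionary, which is the quickest way to spot a filter that was left set to the wrong VDOM before the report was read.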

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
