Fortiweb

LogZilla App Store application: Fortiweb

Overview

FortiWeb is a standalone Web Application Firewall (WAF) appliance produced by Fortinet. FortiWeb protects web applications and APIs against OWASP Top 10 threats, DDoS attacks, malicious bots, and other web-based attacks.

FortiWeb is a separate product from FortiGate. While FortiGate firewalls include a built-in WAF module (type="utm" subtype="waf"), FortiWeb is a dedicated WAF appliance with its own distinct log format.

App Function

  • Parse FortiWeb key/value pair log format
  • Extract high-value tags for analysis and alerting
  • Provide triggers for WAF attack detection and admin events
  • MITRE ATT&CK mapping for attack events (T1190) and admin access (T1078)

Vendor Documentation

Device Configuration

Configure the FortiWeb appliance to send syslog to LogZilla:

  1. Log into the FortiWeb web interface
  2. Navigate to Log & Report > Log Policy > Syslog Policy
  3. Click Create New
  4. Configure the syslog server:
    • Enter the LogZilla server IP address
    • Set port to 514 (or match the LogZilla configuration)
    • Set facility to local0
  5. Navigate to Log & Report > Log Policy > Log Settings
  6. Enable the log types to forward:
    • Attack Log (recommended)
    • Traffic Log (optional, high volume)
    • Event Log (recommended)
  7. Click OK to save

Verification

Generate web traffic through the FortiWeb, then verify events appear in LogZilla with the program name FortiWeb.

Incoming Log Format

FortiWeb uses a different KV format from FortiGate:

```text
date=YYYY-MM-DD time=HH:MM:SS log_id=NNNNN msg_id=NNNNNN
device_id=FVVM... vd="value" type=attack pri=alert key=value ...
```

Key differences from FortiGate:

Field      | FortiGate                | FortiWeb
-----------|--------------------------|--------------------
Log ID     | logid="0000000013"       | log_id=20000042
Severity   | level="warning"          | pri=alert
Type       | type="utm" subtype="waf" | type=attack
Device ID  | (none)                   | device_id=FVVM...
Message ID | (none)                   | msg_id=000000001500
Quoting    | All values quoted        | Mixed

Parsed Metadata Fields

Global Tags

Tag          | Example        | Description
-------------|----------------|----------------------------
Vendor       | Fortinet       | Vendor name
Product      | FortiWeb       | Product name
Event Class  | Security       | Cross-vendor classification
Event Type   | Threat         | Specific event type
MitreId      | T1190          | MITRE ATT&CK technique ID
MITRE Tactic | Initial Access | MITRE ATT&CK tactic

Standardized Tags

Tag     | Example       | Description
--------|---------------|---------------------------------
SrcIP   | 198.51.100.23 | Source IP address
DstIP   | 10.1.1.50     | Destination IP address
DstPort | https         | Destination port (service name)
User    | admin         | Username (admin events)
Action  | Deny          | Action taken

FortiWeb-Specific Tags

Tag                     | Example          | Description
------------------------|------------------|------------------
FortiWeb Type           | attack           | Log type
FortiWeb Subtype        | system           | Event subtype
FortiWeb Status         | success          | Event status
FortiWeb Service        | https            | Service protocol
FortiWeb VDOM           | root             | Virtual domain
FortiWeb Device ID      | FVVM020000012345 | Appliance serial
FortiWeb Threat Level   | Critical         | Attack severity
FortiWeb Signature      | SQL Injection    | OWASP signature
FortiWeb Policy         | owasp-top10      | WAF policy name
FortiWeb HTTP Method    | POST             | HTTP method
FortiWeb HTTP Status    | 200              | Response code
FortiWeb Server Pool    | api-servers      | Backend pool
FortiWeb Content Switch | api-server       | Content route
FortiWeb Country        | Russia           | Source country

High-Cardinality (HC) Tags

The following tags are declared as high-cardinality and excluded from indexing:

  • SrcIP
  • DstIP
  • User
  • FortiWeb Signature

Log Examples

Attack - SQL Injection Blocked

```text
date=2026-03-01 time=14:22:15 log_id=20000042 msg_id=000000001500
device_id=FVVM020000012345 vd="root" timezone="(GMT-5:00)New_York"
type=attack pri=alert proto=tcp service=https
src=198.51.100.23 src_port=44100 dst=10.1.1.50 dst_port=443
http_method=POST http_url=/api/v1/users http_host=api.example.com
msg="SQL Injection detected" action=Deny policy="owasp-top10"
signature_subclass="SQL Injection" signature_id=060010001
threat_level=Critical signature_cve="CVE-2021-44228"
```

Traffic - Normal Web Request

```text
date=2026-03-01 time=16:05:00 log_id=30000010 msg_id=000000001700
device_id=FVVM020000012347 vd="PROD" timezone="(GMT+9:00)Tokyo"
type=traffic pri=info proto=tcp service=https
src=192.0.2.88 src_port=61234 dst=10.3.3.50 dst_port=443
http_method=GET http_url=/dashboard/main http_host=app.corp.local
http_response_code=200 policy="web-protection-1"
```

Admin Login

```text
date=2026-03-01 time=18:00:00 log_id=10000150 msg_id=000000001900
device_id=FVVM020000098765 vd="vdom1"
timezone="(GMT-8:00)Los_Angeles"
type=event subtype=admin pri=information
user="admin" ui="GUI(192.168.1.100)" action=login status=success
src=10.1.1.25 msg="Admin login successful"
```

MITRE ATT&CK Mapping

Event Type  | Technique | Tactic
------------|-----------|----------------
WAF Attack  | T1190     | Initial Access
Admin Login | T1078     | Defense Evasion

Triggers

Trigger                                | Description
---------------------------------------|------------------------
FortiWeb: MITRE ATT&CK Threat Detected | MITRE-mapped events
FortiWeb: Attack Blocked               | Blocked attack events
FortiWeb: Attack Alert (Not Blocked)   | Alert-only attacks
FortiWeb: Critical Threat              | Critical threat level
FortiWeb: SQL Injection                | SQL injection attempts
FortiWeb: Cross-site Scripting         | XSS attempts
FortiWeb: Command Injection            | Command injection
FortiWeb: Admin Login                  | Admin access events
FortiWeb: System Configuration Change  | Config changes
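The mixed-quoting KV parsing, tag mapping and trigger evaluation this page describes, as an added Python example rather than LogZilla's own app code; tag names, trigger names and the sample line come from the sections above, while the function names, the exact field-to-tag choices and the match conditions behind each trigger are assumptions:

```python
import re

# Added illustration of the FortiWeb key/value format documented above, not LogZilla's
# own parser: a value is either double-quoted (may hold spaces, '(' or '=') or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortiweb(line):
    """Return the key/value fields of one FortiWeb syslog message as a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}

# Raw field -> tag name, following the tag tables in this document.
FIELD_TAGS = {
    "src": "SrcIP", "dst": "DstIP", "service": "DstPort", "user": "User",
    "action": "Action", "type": "FortiWeb Type", "subtype": "FortiWeb Subtype",
    "status": "FortiWeb Status", "vd": "FortiWeb VDOM", "device_id": "FortiWeb Device ID",
    "threat_level": "FortiWeb Threat Level", "signature_subclass": "FortiWeb Signature",
}

def build_tags(fields):
    """Derive the documented tags, including the MITRE mapping, from parsed fields."""
    tags = {"Vendor": "Fortinet", "Product": "FortiWeb"}
    tags.update((tag, fields[key]) for key, tag in FIELD_TAGS.items() if key in fields)
    if fields.get("type") == "attack":
        tags["MitreId"], tags["MITRE Tactic"] = "T1190", "Initial Access"
    elif fields.get("type") == "event" and fields.get("subtype") == "admin":
        tags["MitreId"], tags["MITRE Tactic"] = "T1078", "Defense Evasion"
    return tags

def fired_triggers(fields):
    """Evaluate the trigger conditions listed above against one parsed event."""
    fired = []
    if "MitreId" in build_tags(fields):
        fired.append("FortiWeb: MITRE ATT&CK Threat Detected")
    if fields.get("type") == "attack":
        # action=Deny means the WAF blocked the request; anything else is alert-only.
        fired.append("FortiWeb: Attack Blocked" if fields.get("action") == "Deny"
                     else "FortiWeb: Attack Alert (Not Blocked)")
        if fields.get("threat_level") == "Critical":
            fired.append("FortiWeb: Critical Threat")
        if fields.get("signature_subclass") == "SQL Injection":
            fired.append("FortiWeb: SQL Injection")
    if fields.get("subtype") == "admin" and fields.get("action") == "login":
        fired.append("FortiWeb: Admin Login")
    return fired

# Constructed sample, condensed from the "Attack - SQL Injection Blocked" example.
SAMPLE = ('date=2026-03-01 time=14:22:15 log_id=20000042 device_id=FVVM020000012345 '
          'vd="root" timezone="(GMT-5:00)New_York" type=attack pri=alert service=https '
          'src=198.51.100.23 dst=10.1.1.50 msg="SQL Injection detected" action=Deny '
          'policy="owasp-top10" signature_subclass="SQL Injection" threat_level=Critical')
```

Running `fired_triggers(parse_fortiweb(SAMPLE))` fires the MITRE, Attack Blocked, Critical Threat and SQL Injection triggers in that order; a quoted value such as the timezone survives intact even though it contains parentheses and a colon.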