Channel: Fortinet GURU

Sources

The Sources console provides information about the sources of traffic on your FortiGate unit.

This console can be filtered by Country, Destination Interface, Policy, Result, Source, and Source Interface. For more on filters, see Filtering options.

Specific devices and time periods can be selected and drilled down for deep inspection.

 

Scenario: Investigating a spike in traffic

A system administrator notices a spike in traffic and wants to investigate it. From the Sources window, they can determine which user is responsible for the spike by following these steps:

1. Go to FortiView > Sources.

2. In the graph display, click and drag across the peak that represents the spike in traffic.

3. Sort the sources by bandwidth use by selecting the Bytes (Sent/Received) header.

4. Drill down into whichever source is associated with the highest amount of bandwidth use by double-clicking it.

From this screen, you have an overview of that source’s traffic activity.

5. Again, in either the Applications or Destinations view, select the Bytes (Sent/Received) header to sort by bandwidth use.

6. Double-click the top entry to drill down to the final inspection level, from which you can access further details on the application or destination, and/or apply a filter to prohibit or limit access.

 


Destinations

The Destinations console provides information about the destination IP addresses of traffic on your FortiGate unit, as well as the application used. You can drill down the displayed information, and also select the device and time period, and apply search filters.

This console can be filtered by Country, Destination Interface, Destination IP, Policy, Result, and Source Interface. For more on filters, see Filtering options.

 

Scenario: Monitoring destination data

The Destinations console can be used to access detailed information on the destinations that users reach, through the console’s drilldown functionality. In this scenario, the console is used to find out more about a particular user’s Facebook usage patterns over a 24-hour period:

1. Go to FortiView > Destinations.

2. Select 1 hour from the Time Display options at the top right corner of the console.

3. The easiest way to locate most destinations is to scan the Applications column for the name of the application. Once the session containing Facebook has been located, double-click it to access the Destination summary window.

4. Locate Facebook in the Applications column and double-click it to view the Facebook drilldown page. From here, detailed information regarding the user’s Facebook session can be accessed.

Only FortiGate models 100D and above support the 24 hour historical data.

 

 

Interfaces

The Interfaces console lists the total number of interfaces connected to your network, how many sessions there are in each interface, and what sort of traffic is occurring, represented in both bytes sent and received, and the total bandwidth used.

This console can be filtered by Country, Destination Interface, Destination IP, Policy, Result, Source, and Source Interface. For more on filters, see Filtering options.

Only FortiGate models 100D and above support the 24 hour historical data.

Scenario: Investigate traffic spikes per user

 

The wan1 interface is showing a higher amount of traffic than usual. A system administrator uses the console to inspect which user (as represented by an IP address) is creating the spike in traffic:

1. Go to FortiView > Interfaces and double-click on wan1, or right-click and select Drill Down to Details….

2. The console will drill down to a summary page of wan1, showing how many bytes are being sent and received, how much bandwidth is being used, and how many sessions are currently using this interface. You see the IP address of the user that is showing the most amount of traffic under Source.

3. You can further drill down to see the IP destination, the device, the applications being used, and other options.

Policies

The Policies console shows what policies are in effect on your network, what their source and destination interfaces are, how many sessions are in each policy, and what sort of traffic is occurring, represented in bytes sent and received.

This console can be filtered by Country, Destination Interface, Destination IP, Policy, Source, Source Device, and Source Interface. For more on filters, see Filtering options.

Only FortiGate models 100D and above support the 24 hour historical data.

 

Scenario: Investigate which policies are in effect

You can click on policy IDs to drill down to the policy list and see which policies are in effect for specific interfaces, how many sessions have occurred, how many of those sessions the policy blocked, and more:

1. Go to FortiView > Policies, and double-click on a policy ID to drill down.

2. You will be redirected to a summary screen of the policy ID. From here you can view the source IP of where the policy has been used, what source interface has been using the particular policy, and to verify what sort of threat scores have been measured, both blocked and allowed.

Countries

The Countries console displays network activity by geographic region. This console features the same view options as the other consoles, as well as Country Map. This visually highlights the countries from which user access to the network has been detected on a map of the globe.

The Time Display options for this console are 5 minutes, 1 hour, and 24 hours. The Country Map can sort by various options using the Sort By: drop-down menu. You can place your cursor over any country to display a tool-tip with detailed info on that country’s traffic, and click on any country to drill down into greater (filtered) detail. The colour gradient on the map indicates the traffic load, where red indicates the more critical load.

This console can be filtered by Country, Destination Interface, Policy, Result, and Security Interface. For more on filters, see Filtering options.

Only FortiGate models 100D and above support the 24 hour historical data.

 

Scenario: Investigate international source bandwidth usage

The Countries console can be used to investigate how much bandwidth specific international sources/IP addresses are using:

1. Go to FortiView > Countries to see what and how many countries are currently logged into the corporate network. You can also see how many sessions are taking place in each country, and how much traffic they are generating, shown by bytes sent and received, and total bandwidth usage.

2. To see how much specific bandwidth any particular session is using, drill down into a country, e.g. United States, and select the Destinations drill down option.

3. All current sessions from the United States are now shown in list format. From here you can select either Bytes (Sent/Received) and/or Bandwidth column headers to show which session is generating the most bandwidth, and exactly how much bandwidth is being used.

WiFi Clients

The WiFi Clients console shows a list of all the devices connected to the WLAN. The type of device, source, number of sources blocked and allowed, and bytes sent and received are displayed. The source’s Service Set Identifier (SSID) is also displayed in the Source SSID column. An SSID is a case-sensitive, 32-character alphanumeric identifier that acts as a password when a mobile device tries to connect to the WLAN.

This console can be filtered by AP, Device Type, Result, Source Device, Source IP, Source SSID, and User. For more on filters, see Filtering options.

 

Scenario: Determining the threat risk of an individual WiFi client

In this scenario, the administrator will use the WiFi Clients FortiView console to determine the risk levels associated with an individual WiFi client, and then drill down into that client to determine where the risk originates and who the offending user/IP might be.

1. Go to FortiView > WiFi Clients and view the device list table.

2. Double-click on a device to filter on that source.

3. Under the Risk column, identify the items that present the greatest risk (using the Applications, Destinations, Threats, and/or Sessions tabs, for example).

4. Right-click these items for further action.

All Sessions

The All Sessions console provides information about all FortiGate traffic. This console can be filtered by Application, Country, Destination Interface, Destination IP, Destination Port, NAT Source IP, NAT Source Port, Policy, Protocol, Source, Source Interface, Source IP, and Source Port. For more on filters, see Filtering options.

This console has the greatest number of column options to choose from. To choose which columns you wish to view, select the column settings cog at the far right of the columns and select your desired columns. They can then be clicked and dragged in the order that you wish them to appear.

A number of columns available in FortiView are only available in All Sessions. For example, the Action column displays the type of response taken to a security event. This function can be used to review what sort of threats were detected, whether the connection was reset due to the detection of a possible threat, and so on. This would be useful to display alongside other columns such as the Source, Destination, and Bytes (Sent/Received) columns, as patterns or inconsistencies can be analyzed.

Similarly, there are a number of filters that are only available in All Sessions, one of which is Protocol. This allows you to display the protocol type associated with the selected session, e.g. TCP, FTP, HTTP, HTTPS, and so on.

Scenario: Filtering sessions by port number and application type

From the All Sessions console, a wide variety of filters can be applied to sort the session data. In this example, the All Sessions filters will be used to locate a specific user’s recent Skype activity.

1. Go to FortiView > All Sessions.

2. Select now from the Time Display options if it is not already selected.

3. Select the Filter button, then select Applications. This will open a drop-down menu listing the applications that appear in the master session list. From this list, locate and select Skype, or type “Skype” into the Search Bar and hit Enter. This will filter the session list to only feature Skype usage.

4. Select the Filter button again, then select Destination Port from the drop-down menu, then locate and select the desired port number. This will add a second filter which will restrict the results to presenting only the Skype data associated with that port number.

Only FortiGate models 100D and above support the 24 hour historical data.

Applications

The Applications console provides information about the applications being used on your network.

This console can be filtered by Application, Country, Destination Interface, Policy, Result, and Source Interface. For more on filters, see Filtering options.

Specific devices and time periods can be selected and drilled down for deep inspection.

In order for information to appear in the Applications console, Application Control must be enabled in a policy.

Scenario: Viewing application usage

A manager is interested in the office internet habits of their employees:

1. Go to FortiView > Applications, to view the list of applications accessed by the users on your network. Use the time-frame options to view what applications were used in those time periods (from now, 5 minutes, 1 hour, or 24 hours).

2. From Sessions (Blocked/Allowed) and Bytes (Sent/Received), you can see how much traffic has been generated. Click these columns to show the traffic in descending order.

3. You notice that a social media application has created the most traffic of all the applications, and so it’s at the top of the list. Drill down into the application by double-clicking or right-clicking and select Drill Down to Details.

4. You are directed to a summary page of the social media application. From here, you can see which specific user has made the most use of the application.

 

Only FortiGate models 100D and above support the 24 hour historical data.

Cloud Applications

The Cloud Applications console provides information about the cloud applications being used on your network. This includes information such as:

  • The names of videos viewed on YouTube (visible by hovering the cursor over the session entry)
  • Files uploaded to and downloaded from cloud hosting services such as Dropbox
  • Account names used for cloud services

 

Two different views are available for the Cloud Applications: Applications and Users (located in the top menu bar next to the time periods). Applications shows a list of the programs being used. Users shows information on the individual users of the cloud applications, including the username, if the FortiGate was able to view the login event.

 

This console can be filtered by Cloud Application and Result. For more on filters, see Filtering options.

In order for information to appear in the Cloud Applications console, an application control profile (that has Deep Inspection of Cloud Applications turned on) must be enabled in a policy, and SSL Inspection must use deep-inspection.

Scenario: Viewing cloud application usage data

From the Cloud Applications console, users can drill down to access detailed data on cloud application usage. In this scenario, the console is used to determine the network’s most frequent user of YouTube over a 24-hour period, and find out more about their usage patterns.

1. Go to FortiView > Cloud Applications.

2. Select Applications view from the top menu bar if it is not already selected.

3. Select 24 Hours from the Time Display options.

4. Find YouTube under the Application column and double-click it (or right-click and select Drill down for details…). This will open the YouTube stats window.

5. To determine the user who has accessed YouTube the most frequently, sort the column entries by Sessions by selecting the column header of the same name.

6. Double-click (or right-click and select Drill down for details…) the top-bandwidth YouTube user to view detailed stats, including the names of videos watched by the user and the date and time each video was accessed.

Only FortiGate models 100D and above support the 24 hour historical data.


Web Sites

The Web Sites console lists the top allowed and top blocked web sites. You can view information by domain or by FortiGuard categories by using the options in the top right corner. Each FortiGuard category can be selected in order to see a description of the category and several example sites, with content loaded from FortiGuard on demand.

This console can be filtered by Domain and Result. For more on filters, see Filtering options.

In order for information to appear in the Web Sites console, web filtering must be enabled in a policy, with FortiGuard Categories enabled.

 

Scenario: Investigating an instance of Proxy Avoidance

In this scenario, the Categories view will be used to investigate an instance of Proxy Avoidance, one of the Categories recognized by FortiOS. Proxy Avoidance denotes the use of a proxy site in order to access data that might otherwise be blocked by the server.

1. Go to FortiView > Web Sites to open the Web Sites console.

2. Select Categories from the top bar menu to enter Categories view.

3. Scan the Categories column and locate the instance of Proxy Avoidance, then double-click it to enter its drilldown screen.

 

Only FortiGate models 100D and above support the 24 hour historical data.

Threats

The Threats console lists the top users involved in incidents, as well as information on the top threats to your network.

The following incidents are considered threats:

  • Risk applications detected by application control
  • Intrusion incidents detected by IPS
  • Malicious web sites detected by web filtering
  • Malware/botnets detected by antivirus

This console can be filtered by Country, Destination Interface, Policy, Result, Security Action, Source Interface, Threat, and Threat Type. For more on filters, see Filtering options.

In order for information to appear in the Threats console, Threat Weight Tracking must be enabled.

 

Scenario: Monitoring Threats to the Network

Some users have high Threat Scores. The Threats console can be used to view all threats and discover why such high scores are being shown:

1. Go to FortiView > Threats. In the graph display, click and drag across the peak that represents the spike in threat score.

2. Sort the threats by score or level by selecting the Threat Score (Blocked/Allowed) or the Threat Level header, respectively.

3. You see that a specific threat’s Threat Level is at Critical. Drill down into the threat by double-clicking or right-clicking and selecting Drill down to details.

4. From this summary page, you can view the source IPs and the number of sessions that came from this threat. Double-click on one of them.

5. The following page shows a variety of statistics, including Reference. The URL next to it will link you to a FortiGuard page where it will display the description, affected products, and recommended actions, if you are not familiar with the particular threat.

Only FortiGate models 100D and above support the 24 hour historical data.

 

Fortinet signs Cybersecurity Information Sharing Agreement

In case you guys have been under a rock for the past few days I thought you would enjoy seeing this. Fortinet signed a very important cybersecurity information sharing agreement with KISA. Fortinet has been making several hard pushes with competitors and other organizations to increase information security knowledge sharing. The more everyone knows the more secure we can be.

For full details on the signing and things of that nature check out the Fortinet Blog that has the details!

Threat Map

The Threat Map console displays network activity by geographic region. Threats from various international locations are shown, but only those arriving at your location, which is marked on the map by the FortiGate. You can place your cursor over the FortiGate’s location to display the device name, IP address, and the city name/location.

A visual list of threats is shown at the bottom, displaying the location, severity, and nature of the attacks. The color gradient of the darts on the map indicates the traffic risk, where red indicates the more critical risk.

Unlike other FortiView consoles, this console has no filtering options; however, you can click on any country to drill down into greater (filtered) detail.

Only FortiGate models 100D and above support the 24 hour historical data.

 

Scenario: Investigate various international threats

The Threat Map console can be used to regionalize areas that you are more interested in, and disregard regions that you are not interested in:

1. Go to FortiView > Threat Map to see a real-time map of the globe. This will show various incoming threats from multiple destinations around the world, depending upon where the FortiGate is placed on the map.

2. You are not interested in threats that are being sent to Eastern Europe, but you are concerned with threats that may be sent to a city in North America. Click and drag the FortiGate to the approximate location where you would like to monitor the incoming threats.

3. To see which countries are sending the most severe threats to your region/location, either see where the red darts are coming from, or check the visual list of threats at the bottom.

 

Failed Authentication

The Failed Authentication console displays instances in which users attempted to connect to the server but were unsuccessful. Depending on the Time Display setting, the console will display instances from the last 5 minutes, 1 hour, or 24 hours. The results can be sorted by the number of times a given user attempted to log in.

By double-clicking on any of the entries on the main Failed Authentication console, a drill down view appears, displaying more detailed information on that user’s authentication attempts, including the date and time of each login attempt, the message explaining why each authentication failed (for example, a mismatched password), and the source IP address.

This console can be filtered by Destination, Login Type, Result, Source, Type, and User. For more on filters, see Filtering options.

Only FortiGate models 100D and above support the 24 hour historical data.

 

Scenario: Investigating a user’s failed authentication attempts

The Failed Authentication console can be used to access information on individual users and their unsuccessful attempts to access the network. In this scenario, an administrator investigates a user’s multiple attempts via the console’s drill down capability.

1. Go to FortiView > Failed Authentication to access the Failed Authentication console.

2. Select the Failed Attempts column header to sort the entries by number of attempts.

3. Double-click the top entry to drill down to more detailed information on attempts made by the user with the highest number of attempts.

System Events

The System Events console lists security events detected by FortiOS, providing a name and description for each event, an assessment of the event’s severity level (Alert, Critical, Emergency, Error, or Warning), and the number of times the event was detected.

This console can be filtered by Event Name, Result, and Severity. For more on filters, see Filtering options.

 

Scenario: Investigate network security events

System Events can be used in conjunction with All Sessions to see what network security events took place, and specifically see what action was taken upon their detection:

1. Go to FortiView > System Events to see what and how many network events have taken place, as well as how severe they are in terms of the threat they pose to the network.

2. You see that a particular event has warranted a severe rating, and has allowed traffic to bypass the firewall. Note when the event took place, and go to FortiView > All Sessions, to see more information pertaining to the security event.

3. From this console, you can determine the system event’s source, how much traffic was sent and received, and the security action taken in response to this security event. These actions differ depending upon the severity of the security event. See the entry for Security Action in Columns displayed.

How To Upgrade FortiGate Firmware

This is my first ever custom video so please take it easy on me. I get nervous and tend to ramble but I hit the high points. These videos will become very frequent and obviously the quality of the presentation will improve as I get more comfortable and in the groove. Anyways, here is a video that explains how to upgrade your Fortinet FortiGate to a newer version of firmware.

Something to consider: I didn’t mention this in the video but you need to verify you can upgrade to your destination Firmware from the version of code you currently have loaded. Sometimes, changes are drastic enough that you have to “step” your upgrade process. An example of this would be you have 5.2.3 loaded and you want to go to 5.2.8. You can’t do this until you have at least 5.2.6 loaded so you have to upgrade to 5.2.6 THEN upgrade to 5.2.8. These requirements are listed in the release notes so be sure to read those for your Firmware Version!


Admin Logins

The Admin Logins console provides information on administrator interactions with the network, including the number of login instances, number of failed logins, and the length of time logged in. This console features the same view options as the other consoles, as well as Timeline View.

This console can be filtered by Result and User Name. For more on filters, see Filtering options.

 

Scenario: Scrutinizing Administrator Security

Admin Logins can be used in conjunction with System Events to see who was on during a system change that impacted performance and allowed a threat to persist/pass through the firewall:

1. Go to FortiView > System Events, to see what and how many network events have taken place, as well as how severe they are in terms of the threat they pose to the network.

2. You see that a particular event has warranted a severe rating, and has allowed traffic to bypass the firewall.

Double-click on the event to drill down.

3. Once drilled down, you can see the date and time that the system change took place.

4. Go to FortiView > Admin Logins, to see who has been logged in, how long they have been logged in, and what configuration changes they have made. Using the time graph, you can correlate the information from System Events with who was logged in at the time the threat was allowed.

Only FortiGate models 100D and above support the 24 hour historical data.
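
The Failed Authentication and Admin Logins scenarios above both come down to two questions asked of the unit’s event logs: how many times did a given user fail to authenticate, and which administrators held an open session at the moment a system event (such as a configuration change) occurred. The following is an added example, not FortiView or Fortinet code, that answers both questions off-box in Python over constructed log lines in the FortiOS key=value layout; the exact field set and the reason strings in the sample are assumptions rather than values copied from a real unit.

```python
"""Two FortiView consoles rebuilt off-box from FortiOS-style key=value event logs.

Added example (not FortiView or Fortinet code). SAMPLE_LOGS is constructed;
the field names follow the FortiOS key=value layout, but the reason strings
and the exact set of fields are assumptions, not copied from a real unit.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: admin logins/logouts, failed user authentications and
# one configuration change, all on the same day.
SAMPLE_LOGS = """\
date=2024-05-01 time=08:00:10 type=event subtype=system user="admin" srcip=10.0.0.5 action="login" status="success"
date=2024-05-01 time=08:02:03 type=event subtype=user user="bob" srcip=10.0.0.31 action="authentication" status="failure" reason="passwd_invalid"
date=2024-05-01 time=08:02:40 type=event subtype=user user="bob" srcip=10.0.0.31 action="authentication" status="failure" reason="passwd_invalid"
date=2024-05-01 time=08:03:15 type=event subtype=user user="carol" srcip=10.0.0.44 action="authentication" status="failure" reason="user_not_found"
date=2024-05-01 time=08:03:50 type=event subtype=user user="bob" srcip=10.0.0.31 action="authentication" status="failure" reason="passwd_invalid"
date=2024-05-01 time=08:10:00 type=event subtype=system user="ops2" srcip=10.0.0.9 action="login" status="success"
date=2024-05-01 time=08:12:30 type=event subtype=system user="admin" srcip=10.0.0.5 action="logout" status="success"
date=2024-05-01 time=08:15:00 type=event subtype=system user="ops2" srcip=10.0.0.9 action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"
date=2024-05-01 time=08:40:00 type=event subtype=system user="ops2" srcip=10.0.0.9 action="logout" status="success"
"""

# key=value pairs; values are either bare or double-quoted (quoted ones may contain spaces).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one log line into a dict and add a datetime under 'ts'."""
    rec = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
           for m in _KV.finditer(line)}
    if "date" in rec and "time" in rec:
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_auth_summary(records):
    """Per-user rollup like the Failed Authentication console, sorted by attempts
    descending (the effect of clicking the Failed Attempts header)."""
    by_user = defaultdict(lambda: {"attempts": 0, "last": None, "sources": set(), "reasons": set()})
    for r in records:
        if r.get("action") == "authentication" and r.get("status") == "failure":
            e = by_user[r["user"]]
            e["attempts"] += 1
            e["last"] = r["ts"] if e["last"] is None else max(e["last"], r["ts"])
            e["sources"].add(r.get("srcip", "?"))
            e["reasons"].add(r.get("reason", "unknown"))
    return sorted(by_user.items(), key=lambda item: (-item[1]["attempts"], item[0]))


def admin_sessions(records):
    """Pair admin login/logout events into (user, srcip, start, end) tuples.
    A session with no logout yet has end=None."""
    open_sessions, sessions = {}, []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r.get("subtype") != "system":
            continue
        key = (r["user"], r.get("srcip"))
        if r.get("action") == "login" and r.get("status") == "success":
            open_sessions[key] = r["ts"]
        elif r.get("action") == "logout" and key in open_sessions:
            sessions.append((key[0], key[1], open_sessions.pop(key), r["ts"]))
    sessions.extend((u, ip, start, None) for (u, ip), start in open_sessions.items())
    return sessions


def admins_logged_in_at(records, when):
    """Admin user names whose session covers 'when' (start inclusive, end exclusive)."""
    return sorted(u for u, _ip, start, end in admin_sessions(records)
                  if start <= when and (end is None or when < end))


def config_changes(records):
    """System events that changed configuration (cfgpath present): (ts, user, path, object)."""
    return [(r["ts"], r["user"], r["cfgpath"], r.get("cfgobj")) for r in records if "cfgpath" in r]


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for user, e in failed_auth_summary(recs):
        print(f"{user:6} attempts={e['attempts']} last={e['last']} "
              f"from={sorted(e['sources'])} reasons={sorted(e['reasons'])}")
    for ts, user, path, obj in config_changes(recs):
        print(f"{ts} {user} edited {path} {obj}; admins logged in: {admins_logged_in_at(recs, ts)}")
```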

 

VPN

From the VPN console, users can access information on any VPNs associated with their FortiGate. From the initial window, a list of all the associated VPNs is provided, along with general information, such as number of user connections and VPN type. By double-clicking on an individual VPN (or right-clicking and selecting Drill down for details…), users can access more specific data on that VPN.

Logs in the VPN console can be sorted by number of connections, last connection time, or data sent/received by selecting the column headers.

This console can be filtered by Result, User Name, and VPN Type. For more on filters, see Filtering options.

Certain dashboard options will not appear unless your FortiGate has Disk Logging enabled.

Furthermore, only certain FortiGate models support Disk Logging; refer to the FortiView Feature Support – Platform Matrix for more information.

To enable Disk Logging, go to Log & Report > Log Settings, select the checkbox next to Disk, and apply the change.

 

Scenario: Investigating VPN user activity

The VPN console can be used to access detailed data on VPN-user activity via the use of the drill down windows. In this scenario, the administrator looks into the usage patterns of the IPsec user who has most frequently connected to the network.

1. Go to FortiView > VPN to view the VPN console.

2. Select the Connections column header to sort the entries by number of connections to the network.

3. Locate the top user whose VPN Type is ipsec and double-click the entry to enter that user’s drill down screen.

4. To get the most representative data possible, sort the entries by bandwidth use by selecting the Bytes (Sent/Received) column header. Double-click the top entry to enter the drill down window for that connection instance.

From this screen, the administrator can find out more about the specific session, including the date/time of access, the XAuth (Extensible Authentication) User ID, the session’s Tunnel ID, and more.

Only FortiGate models 100D and above support the 24 hour historical data.

 

FortiHypervisor Is Announced

Fortinet is introducing FortiHypervisor, a new generation of virtual CPE that facilitates the fast, customized delivery of services to enterprises, including their branches, campus, or data center.

FortiHypervisor is based on the Network Function Virtualization (NFV) architecture, which is a provider-led, standards-based movement that enables the deployment of physical network services as virtualized functions that are decoupled from hardware. By decoupling software from hardware, NFV achieves key benefits:

FortiView Reference

This section consists of reference information for the various consoles in FortiView. Each console has an assortment of filtering options, drilldown options, and columns that can be displayed. Since many of these options and columns persist through each console, the entire list of options and their descriptions is included below. Attempts have been made to identify the instances where an option or column is only available to a particular console.

 

This section includes:

Troubleshooting FortiView


No logging data is displayed

In order for information to appear in the FortiView consoles, disk logging must be selected for the FortiGate unit. To select disk logging, go to Log & Report > Log Settings.

Disk logging is disabled by default for some FortiGate units. To enable disk logging, enter the following commands in the CLI:

    config log disk setting
        set status enable
    end

 

Only certain FortiGate models support Disk Logging; refer to the FortiView Feature Support – Platform Matrix for more information.

 
