FortiView
FortiView from disk
Prerequisites
All FortiGates with an SSD disk.
Restrictions
- Desktop models (for example: under 100D) with SSD only support the five-minute and one-hour views.
- Medium models (for example: 200D, 500D) with SSD support up to the 24-hour view.
- Large models (for example: 1500D and above) with SSD support up to the seven-day view.
- Confirm that the setting is enabled:
config log setting
    set fortiview-weekly-data enable
end
Configuration
A firewall policy needs to be in place with traffic logging enabled. For best operation with FortiView, internal interface roles should be clearly defined as LAN or DMZ, and Internet-facing or external interface roles should be defined as WAN.
To enable FortiView from Disk:
- Enable disk logging from the FortiGate GUI.
    - Go to Log & Report > Log Settings > Local Log.
    - Select the checkbox next to Disk.
- Enable historical FortiView from the FortiGate GUI.
    - Go to Log & Report > Log Settings > Local Log.
    - Select the checkbox next to Enable Historical FortiView.
    - Click Apply.
To include sniffer traffic and local-deny traffic in FortiView from Disk:
This feature is only supported through the CLI.
config report setting
    set report-source forward-traffic sniffer-traffic local-deny-traffic
end
Source View
Top Level
Sample entry:
Time
- Realtime (Now) entries are determined by the FortiGate's system session list.
- Historical (5 minutes and later) entries are determined by traffic logs, with additional information coming from UTM logs.
Graph
- The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
- Users can customize the time frame by selecting a time period within the graph.
Bubble Chart
- The bubble chart shows the same information as the table, but in a different graphical manner.
Columns
- Source shows the IP address (and the user and user avatar, if configured) of the source device.
- Device shows the device information as listed in User & Device > Device Inventory. Device detection should be enabled on the applicable interfaces for best function.
- Threat Score is the threat score of the source based on UTM features such as web filter and antivirus. It shows threat scores allowed and threat scores blocked.
- Bytes is the accumulated bytes sent/received. In realtime, this is calculated from the session list; in historical, it is taken from logs.
- Sessions is the total sessions blocked/allowed. In realtime, this is calculated from the session list; in historical, it is taken from logs.
- Source is a simplified version of the first column, including only the IP address without extra information.
- Source Interface is the interface from which the traffic originates. In realtime, this is calculated from the session list; in historical, it is taken from the logs.
- More information can be shown in a tooltip while hovering over these entries.
- For realtime, two more columns are available, Bandwidth and Packets, both of which come from the session list.
Drilldown Level
Sample entry:
Graph
- The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
- Users can customize the time frame by selecting a time period within the graph.
Summary Information
- Shows information such as the user/avatar, source IP, bytes, and sessions total for the time period.
- Can quarantine the host (access layer quarantine) if it is behind a FortiSwitch or FortiAP.
- Can ban IP addresses, which adds the source IP address to the quarantine list.
Tabs
- Drilling down entries in any of these tabs (except the Sessions tab) will take you to the underlying traffic log in the Sessions tab.
- Applications shows a list of the applications attributed to the source IP. This can include scanned applications (using application control in a firewall policy) or unscanned applications. Unscanned applications are shown when the following setting is enabled:
config log gui-display
    set fortiview-unscanned-apps enable
end
- Destinations shows destinations grouped by IP address/FQDN.
- Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, web filter, application control, etc.
- Web Sites contains the websites which were detected either with web filter, or through FQDN in traffic logs.
- Web Categories groups entries into their categories as dictated by the Web Filter Database.
- Search Phrases shows entries of search phrases on search engines captured by a web filter UTM profile, with deep inspection enabled in the firewall policy.
- Policies groups the entries by which policies they passed through or were blocked by.
- Sessions shows the underlying logs (historical) or sessions (realtime). Drilldowns from other tabs end up showing the underlying log located in this tab.
- More information can be shown in a tooltip while hovering over these entries.
Troubleshooting
- Use diagnose debug application httpsd -1 to check which filters were passed through httpsd.
For example:
[httpsd 3163 - 1546543360 info] api_store_parameter[227] -- add API parameter 'filter': '{ "source": "10.1.100.30", "application": "TCP\/5228", "srcintfrole": [ "lan", "dmz", "undefined" ] }' (type=object)
- Use diagnose debug application miglogd 0x70000 to check what the SQL command is that is passed to the underlying SQL database.
For example:
fortiview_request_data()-898: total:31 start:1546559580 end:1546563179
_dump_sql()-799: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_bk,r,s,ifnull(sc_l,0),ifnull(sc_m,0),ifnull(sc_h,0),ifnull(sc_c,0) from (select timestamp-(timestamp%60) timestamp1 ,sum(case when passthrough<>'block' then sessioncount else 0 end) ses_al,sum(case when passthrough='block' then sessioncount else 0 end) ses_bk,sum(rcvdbyte) r,sum(sentbyte) s from grp_traffic_all_src where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) a left join (select timestamp-(timestamp%60) timestamp1 ,sum(case when threat_level=1 then crscore else 0 end) sc_l,sum(case when threat_level=2 then crscore else 0 end) sc_m,sum(case when threat_level=3 then crscore else 0 end) sc_h,sum(case when threat_level=4 then crscore else 0 end) sc_c from grp_threat where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) b on a.timestamp1 = b.timestamp1; takes 40(ms), agggr:0(ms)
- Use exe report flush-cache and exe report recreate-db to clear up any irregularities that may be caused by upgrading or cache issues.