Handbook

Configuring Report Queries

The predefined list of queries covers the most common administrator and stakeholder interests. It includes the following:

  • SLB-Top-Policy-By-Bytes
  • SLB-Top-Source-By-Bytes
  • SLB-Top-Source-Country-By-Bytes
  • SLB-History-Flow-By-Bytes (total traffic over time)
  • LLB-Top-Link-by-Bytes
  • LLB-History-Flow-By-Bytes (total traffic over time)
  • DNS-Top-Policy-by-Count
  • DNS-Top-Source-by-Count
  • Attack-Top-Destination-For-IPReputation-By-Count
  • Attack-Top-Source-For-IPReputation-By-Count
  • Attack-Top-Source-Country-For-IPReputation-By-Count
  • Attack-Top-Destination-For-Synflood-By-Count
  • Attack-Top-Destination-For-GEO-By-Count
  • Attack-Top-Source-For-GEO-By-Count
  • Attack-Top-Source-Country-For-GEO-By-Count
  • Attack-Top-Destination-For-WAF-By-Count
  • Attack-Top-Source-For-WAF-By-Count
  • Attack-Top-Source-Country-For-WAF-By-Count
  • Event-Top-Admin-Login-By-Count
  • Event-Top-Failed-Admin-Login-By-Count
  • Event-Top-Admin-Config-By-Count

If necessary, you can create your own query configuration objects.

Before you begin:

  • You must have Read-Write permission for Log & Report settings.

After you have created a query configuration object, you can select it in the report configuration.

To configure report queries:
  1. Go to Log & Report > Report Config.
  2. The Report tab is displayed.
  3. Click the Query Set tab.
  4. Click Create New to display the configuration editor.
  5. Complete the configuration as described in Query configuration.
  6. Save the configuration.

Query configuration

Settings and guidelines

Name
  Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the zone configuration (if you use forwarders).
  Note: After you initially save the configuration, you cannot edit the name.

Module
  • SLB
  • LLB
  • DNS
  • Attack
  • Event

SLB module settings

SLB Submodule
  • All—Queryset will include all SLB queries
  • HTTP—Queryset will include only HTTP queries

SubType
  Submodule All has the following subtypes:
  • top_policy (virtual server)
  • top_source
  • top_source_country
  • slb_history_flow (total traffic over time)

  Submodule HTTP has the following subtypes:
  • top_policy (virtual server)
  • top_pool_member

Traffic Sort Type
  Submodule All has the following Traffic Sort Types:
  • sessions
  • bytes

  Submodule HTTP has the following Traffic Sort Types:
  • sessions
  • bytes
  • CPS
  • RPS
  • BPS
  • Average Session Duration
  • Transaction Latency

LLB module settings

Traffic Sort Type
  • sessions
  • bytes

LLB Subtype
  • top_link
  • slb_history_flow (total traffic over time)

DNS module settings

DNS Sort Type
  Only count is applicable.

DNS Subtype
  • Top_Policy
  • top_source

Attack module settings

Attack Sort Type
  Only count is applicable.

Attack Subtype
  • top_destip_for_geo
  • top_destip_for_ipreputation
  • top_destip_for_sysflood
  • top_destip_for_waf
  • top_source_country_for_geo
  • top_source_country_for_ipreputation
  • top_source_country_for_waf
  • top_source_for_geo
  • top_source_for_ipreputation
  • top_source_for_waf

Event module settings

Event Sort Type
  Only count is applicable.

Event Subtype
  • top_admin_login
  • top_failed_admin_login
  • top_admin_config