Fortinet Document Library

New Features

6.2.0

FortiView — Subnet Filters

This version supports filtering FortiView results by source IP or destination IP with a subnet mask in CIDR notation (x.x.x.x/x), in both real-time and historical modes. Subnet filters work whether logs are read from local disk or from FortiAnalyzer.

Sample configuration

Sample results in the backend subnet filter
FG201E4Q17900791 # di de application miglogd 0x70000
Debug messages will be on for unlimited time.

FG201E4Q17900791 # fortiview_add_filter_field_ex()-1559: fortiview add filter field:"destination"=>"dstip" type:4 negate:0
fortiview_add_filter_field_ex()-1560: values:
fortiview_add_filter_field_ex()-1562: value[0]=91.189.0.0/16
fortiview_add_filter_field_ex()-1559: fortiview add filter field:"srcintfrole"=>"srcintfrole" type:4 negate:0
fortiview_add_filter_field_ex()-1560: values:
fortiview_add_filter_field_ex()-1562: value[0]=lan
fortiview_add_filter_field_ex()-1562: value[1]=dmz
fortiview_add_filter_field_ex()-1562: value[2]=undefined
__params_from_filter()-583: filter field:dstip  91.189.0.0/16
__params_from_filter()-583: filter field:srcintfrole  lan
__params_from_filter()-583: filter field:srcintfrole  dmz
__params_from_filter()-583: filter field:srcintfrole  undefined
fortiview_request_data()-896: dataset:fv.dest.group tabid:0
_dump_sql()-829: dataset=fv.dest.group, sql:select dstip, max(dstintf) dst_intf,max(dstdevtype) dst_devtype,max(dstmac) dst_mac,group_concat(distinct appid) appid,group_concat(distinct appservice||case when subapp is null then '' else '_'||subapp end) appname,sum(sessioncount) session_count, sum(case when passthrough<>'block' then sessioncount else 0 end) session_allow, sum(case when passthrough='block' then sessioncount else 0 end) session_block, sum(rcvdbyte) r, sum(sentbyte) s, sum(rcvdbyte + sentbyte) bandwidth ,sum(crscore) score, sum(case when passthrough<>'block' then crscore else 0 end) score_allow, sum(case when passthrough='block' then crscore else 0 end) score_block  from grp_traffic_all_dst  where timestamp between 1551397800 and 1551484200 and 1=1 AND ( ft_ipmask(dstip, 0, '91.189.0.0/16') )  AND srcintfrole  in ('lan','dmz','undefined')  group by dstip   order by bandwidth desc   limit 100;
 takes 10(ms), agggr:0(ms)

fortiview_request_data()-933: total:12 start:1551397800 end:1551484200
__params_from_filter()-583: filter field:dstip  91.189.0.0/16
__params_from_filter()-583: filter field:srcintfrole  lan
__params_from_filter()-583: filter field:srcintfrole  dmz
__params_from_filter()-583: filter field:srcintfrole  undefined
fortiview_request_data()-896: dataset:fv.general.chart tabid:0
_dump_sql()-829: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_bk,r,s,ifnull(sc_l,0),ifnull(sc_m,0),ifnull(sc_h,0),ifnull(sc_c,0) from (select timestamp-(timestamp%600) timestamp1 ,sum(case when passthrough<>'block' then sessioncount else 0 end) ses_al,sum(case when passthrough='block' then sessioncount else 0 end) ses_bk,sum(rcvdbyte) r,sum(sentbyte) s from grp_traffic_all_dst where  timestamp BETWEEN 1551397800 and 1551484199  and 1=1 AND ( ft_ipmask(dstip, 0, '91.189.0.0/16') )  AND srcintfrole  in ('lan','dmz','undefined')  group by timestamp1 ) a left join (select timestamp-(timestamp%600) timestamp1 ,sum(case when threat_level=1 then crscore else 0 end) sc_l,sum(case when threat_level=2 then crscore else 0 end) sc_m,sum(case when threat_level=3 then crscore else 0 end) sc_h,sum(case when threat_level=4 then crscore else 0 end) sc_c  from grp_threat where  timestamp BETWEEN 1551397800 and 1551484199  and 1=1 AND ( ft_ipmask(dstip, 0, '91.189.0.0/16') )  AND srcintfrole  in ('lan','dmz','undefined')  group by timestamp1 ) b on a.timestamp1 = b.timestamp1;
 takes 30(ms), agggr:0(ms)

fortiview_request_data()-933: total:47 start:1551397800 end:1551484199
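The dumped SQL above shows what a subnet filter becomes on the backend: an ft_ipmask() predicate on dstip plus an srcintfrole IN (...) clause, grouped by dstip and ordered by bandwidth. The following added example (not Fortinet code) re-implements that fv.dest.group aggregation in Python over constructed sample rows; it assumes ft_ipmask() is plain CIDR containment, since the page does not document its second argument.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows modelled on the columns the dumped SQL reads from
# grp_traffic_all_dst; not real device data.
SAMPLE_ROWS = [
    {"dstip": "91.189.88.152", "srcintfrole": "lan", "passthrough": "allow", "sessioncount": 4, "rcvdbyte": 12000, "sentbyte": 3000},
    {"dstip": "91.189.88.152", "srcintfrole": "dmz", "passthrough": "block", "sessioncount": 1, "rcvdbyte": 0, "sentbyte": 500},
    {"dstip": "91.189.91.14", "srcintfrole": "lan", "passthrough": "allow", "sessioncount": 2, "rcvdbyte": 40000, "sentbyte": 8000},
    {"dstip": "8.8.8.8", "srcintfrole": "lan", "passthrough": "allow", "sessioncount": 9, "rcvdbyte": 99000, "sentbyte": 9000},
    {"dstip": "91.189.1.1", "srcintfrole": "wan", "passthrough": "allow", "sessioncount": 3, "rcvdbyte": 7000, "sentbyte": 7000},
]

def parse_subnet_filter(text):
    """Validate an x.x.x.x/x filter. strict=False accepts host bits set in the
    address (91.189.1.0/16) and normalises to the network; a bare IP becomes /32."""
    return ipaddress.ip_network(text, strict=False)

def ipmask_match(ip, net):
    """Assumed equivalent of the ft_ipmask() predicate in the dumped SQL:
    plain CIDR containment (the meaning of its second argument is not documented here)."""
    return ipaddress.ip_address(ip) in net

def dest_group(rows, dst_filter, roles, limit=100):
    """Re-implements the fv.dest.group aggregation from the dumped SQL: keep rows
    whose dstip is inside the subnet and whose srcintfrole is selected, group by
    dstip, sum sessions and bytes, order by bandwidth descending, cap at limit."""
    net = parse_subnet_filter(dst_filter)
    groups = defaultdict(lambda: {"session_count": 0, "session_allow": 0,
                                  "session_block": 0, "bandwidth": 0})
    for r in rows:
        if r["srcintfrole"] not in roles or not ipmask_match(r["dstip"], net):
            continue
        g = groups[r["dstip"]]
        g["session_count"] += r["sessioncount"]
        key = "session_block" if r["passthrough"] == "block" else "session_allow"
        g[key] += r["sessioncount"]
        g["bandwidth"] += r["rcvdbyte"] + r["sentbyte"]
    ordered = sorted(groups.items(), key=lambda kv: kv[1]["bandwidth"], reverse=True)
    return [dict(dstip=ip, **stats) for ip, stats in ordered[:limit]]
```

Running dest_group(SAMPLE_ROWS, "91.189.0.0/16", ("lan", "dmz", "undefined")) drops the 8.8.8.8 row (outside the subnet) and the wan row (role not selected), mirroring the two WHERE clauses in the debug output.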
