FortiView — Subnet Filters
This version supports filtering source IPs or destination IPs with subnet mask in the format of x.x.x.x/x in both real-time and historical modes. Both logging from disk and logging from FortiAnalyzer are supported.
Sample configuration
Sample results in the backend subnet filter
FG201E4Q17900791 # di de application miglogd 0x70000 Debug messages will be on for unlimited time. FG201E4Q17900791 # fortiview_add_filter_field_ex()-1559: fortiview add filter field:"destination"=>"dstip" type:4 negate:0 fortiview_add_filter_field_ex()-1560: values: fortiview_add_filter_field_ex()-1562: value[0]=91.189.0.0/16 fortiview_add_filter_field_ex()-1559: fortiview add filter field:"srcintfrole"=>"srcintfrole" type:4 negate:0 fortiview_add_filter_field_ex()-1560: values: fortiview_add_filter_field_ex()-1562: value[0]=lan fortiview_add_filter_field_ex()-1562: value[1]=dmz fortiview_add_filter_field_ex()-1562: value[2]=undefined __params_from_filter()-583: filter field:dstip 91.189.0.0/16 __params_from_filter()-583: filter field:srcintfrole lan __params_from_filter()-583: filter field:srcintfrole dmz __params_from_filter()-583: filter field:srcintfrole undefined fortiview_request_data()-896: dataset:fv.dest.group tabid:0 _dump_sql()-829: dataset=fv.dest.group, sql:select dstip, max(dstintf) dst_intf,max(dstdevtype) dst_devtype,max(dstmac) dst_mac,group_concat(distinct appid) appid,group_concat(distinct appservice||case when subapp is null then '' else '_'||subapp end) appname,sum(sessioncount) session_count, sum(case when passthrough<>'block' then sessioncount else 0 end) session_allow, sum(case when passthrough='block' then sessioncount else 0 end) session_block, sum(rcvdbyte) r, sum(sentbyte) s, sum(rcvdbyte + sentbyte) bandwidth ,sum(crscore) score, sum(case when passthrough<>'block' then crscore else 0 end) score_allow, sum(case when passthrough='block' then crscore else 0 end) score_block from grp_traffic_all_dst where timestamp between 1551397800 and 1551484200 and 1=1 AND ( ft_ipmask(dstip, 0, '91.189.0.0/16') ) AND srcintfrole in ('lan','dmz','undefined') group by dstip order by bandwidth desc limit 100; takes 10(ms), agggr:0(ms) fortiview_request_data()-933: total:12 start:1551397800 end:1551484200 __params_from_filter()-583: filter field:dstip 91.189.0.0/16 __params_from_filter()-583: filter field:srcintfrole lan __params_from_filter()-583: filter field:srcintfrole dmz __params_from_filter()-583: filter field:srcintfrole undefined fortiview_request_data()-896: dataset:fv.general.chart tabid:0 _dump_sql()-829: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_bk,r,s,ifnull(sc_l,0),ifnull(sc_m,0),ifnull(sc_h,0),ifnull(sc_c,0) from (select timestamp-(timestamp%600) timestamp1 ,sum(case when passthrough<>'block' then sessioncount else 0 end) ses_al,sum(case when passthrough='block' then sessioncount else 0 end) ses_bk,sum(rcvdbyte) r,sum(sentbyte) s from grp_traffic_all_dst where timestamp BETWEEN 1551397800 and 1551484199 and 1=1 AND ( ft_ipmask(dstip, 0, '91.189.0.0/16') ) AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) a left join (select timestamp-(timestamp%600) timestamp1 ,sum(case when threat_level=1 then crscore else 0 end) sc_l,sum(case when threat_level=2 then crscore else 0 end) sc_m,sum(case when threat_level=3 then crscore else 0 end) sc_h,sum(case when threat_level=4 then crscore else 0 end) sc_c from grp_threat where timestamp BETWEEN 1551397800 and 1551484199 and 1=1 AND ( ft_ipmask(dstip, 0, '91.189.0.0/16') ) AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) b on a.timestamp1 = b.timestamp1; takes 30(ms), agggr:0(ms) fortiview_request_data()-933: total:47 start:1551397800 end:1551484199