FortiView — subnet filters

In FortiView, you can filter source IPs or destination IPs with a subnet mask using the x.x.x.x/x format. You can view the results in real-time or historical mode.

Note

Both logging from disk and logging from FortiAnalyzer are supported.

Sample configuration of filtering IPs with a subnet mask

This example shows how to filter destination IPs with a subnet mask using the x.x.x.x/x format.

To filter destination IPs with a subnet mask:
  1. Go to FortiView > Destinations.
  2. Click Add Filter.
  3. In the dropdown menu, select Destination IP.
  4. Enter the subnet in x.x.x.x/x format (in the example, 91.189.0.0/16). The filter matches any destination IP inside that prefix.
  5. Press the Enter key. The filter results display.

To confirm the subnet filter is applied in the backend, enable debug output for the miglogd daemon (FortiOS only prints debug messages after diagnose debug enable; run diagnose debug disable when you are finished):
# diagnose debug application miglogd 0x70000
Debug messages will be on for unlimited time.

fortiview_add_filter_field_ex()-1559: fortiview add filter field:"destination"=>"dstip" type:4 negate:0
fortiview_add_filter_field_ex()-1560: values:
fortiview_add_filter_field_ex()-1562: value[0]=91.189.0.0/16
fortiview_add_filter_field_ex()-1559: fortiview add filter field:"srcintfrole"=>"srcintfrole" type:4 negate:0
fortiview_add_filter_field_ex()-1560: values:
fortiview_add_filter_field_ex()-1562: value[0]=lan
fortiview_add_filter_field_ex()-1562: value[1]=dmz
fortiview_add_filter_field_ex()-1562: value[2]=undefined
__params_from_filter()-583: filter field:dstip  91.189.0.0/16
__params_from_filter()-583: filter field:srcintfrole  lan
__params_from_filter()-583: filter field:srcintfrole  dmz
__params_from_filter()-583: filter field:srcintfrole  undefined
fortiview_request_data()-896: dataset:fv.dest.group tabid:0
_dump_sql()-829: dataset=fv.dest.group, sql:select dstip, max(dstintf) dst_intf,max(dstdevtype) dst_devtype,max(dstmac) dst_mac,group_concat(distinct appid) appid,group_concat(distinct appservice||case when subapp is null then '' else '_'||subapp end) appname,sum(sessioncount) session_count, sum(case when passthrough<>'block' then sessioncount else 0 end) session_allow, sum(case when passthrough='block' then sessioncount else 0 end) session_block, sum(rcvdbyte) r, sum(sentbyte) s, sum(rcvdbyte + sentbyte) bandwidth ,sum(crscore) score, sum(case when passthrough<>'block' then crscore else 0 end) score_allow, sum(case when passthrough='block' then crscore else 0 end) score_block  from grp_traffic_all_dst  where timestamp between 1551397800 and 1551484200 and 1=1 AND ( ft_ipmask(dstip, 0, '91.189.0.0/16') )  AND srcintfrole  in ('lan','dmz','undefined')  group by dstip   order by bandwidth desc   limit 100;
 takes 10(ms), agggr:0(ms)

fortiview_request_data()-933: total:12 start:1551397800 end:1551484200
__params_from_filter()-583: filter field:dstip  91.189.0.0/16
__params_from_filter()-583: filter field:srcintfrole  lan
__params_from_filter()-583: filter field:srcintfrole  dmz
__params_from_filter()-583: filter field:srcintfrole  undefined
fortiview_request_data()-896: dataset:fv.general.chart tabid:0
_dump_sql()-829: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_bk,r,s,ifnull(sc_l,0),ifnull(sc_m,0),ifnull(sc_h,0),ifnull(sc_c,0) from (select timestamp-(timestamp%600) timestamp1 ,sum(case when passthrough<>'block' then sessioncount else 0 end) ses_al,sum(case when passthrough='block' then sessioncount else 0 end) ses_bk,sum(rcvdbyte) r,sum(sentbyte) s from grp_traffic_all_dst where  timestamp BETWEEN 1551397800 and 1551484199  and 1=1 AND ( ft_ipmask(dstip, 0, '91.189.0.0/16') )  AND srcintfrole  in ('lan','dmz','undefined')  group by timestamp1 ) a left join (select timestamp-(timestamp%600) timestamp1 ,sum(case when threat_level=1 then crscore else 0 end) sc_l,sum(case when threat_level=2 then crscore else 0 end) sc_m,sum(case when threat_level=3 then crscore else 0 end) sc_h,sum(case when threat_level=4 then crscore else 0 end) sc_c  from grp_threat where  timestamp BETWEEN 1551397800 and 1551484199  and 1=1 AND ( ft_ipmask(dstip, 0, '91.189.0.0/16') )  AND srcintfrole  in ('lan','dmz','undefined')  group by timestamp1 ) b on a.timestamp1 = b.timestamp1;
 takes 30(ms), agggr:0(ms)

fortiview_request_data()-933: total:47 start:1551397800 end:1551484199
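The debug SQL above shows how the GUI filter ends up in the query: the x.x.x.x/x value is passed to an ft_ipmask() predicate on dstip, the interface roles are restricted with an IN list, and rows are summed per destination and ordered by bandwidth. The following is an added example, not code from the page or from Fortinet, that reproduces this on a constructed grp_traffic_all_dst table in SQLite so the mechanism can be inspected offline. The ft_ipmask() here is a re-implementation (its second argument, a literal 0 in the page's SQL, is undocumented on the page and is assumed to be an ignorable flag); the sample rows, column set and cut-down query are assumptions made for illustration. The filter value is validated and normalised before it is bound as a query parameter.

```python
import ipaddress
import sqlite3

# Constructed sample rows modelled on the columns the page's SQL references.
# These values are made up for the example, not data from the original page.
SAMPLE_ROWS = [
    # dstip,          srcintfrole, passthrough, sessions, rcvd,  sent, timestamp
    ("91.189.88.31",  "lan",       "allow",     5,        12000, 3000, 1551397800),
    ("91.189.91.26",  "lan",       "block",     2,        0,     400,  1551398100),
    ("91.189.95.83",  "dmz",       "allow",     7,        50000, 9000, 1551398500),
    ("91.190.0.1",    "lan",       "allow",     3,        8000,  2000, 1551398600),  # outside /16
    ("91.189.88.31",  "wan",       "allow",     9,        99000, 1000, 1551398700),  # role not in list
    ("8.8.8.8",       "lan",       "allow",     4,        7000,  1500, 1551398800),
]


def ft_ipmask(ip, flag, cidr):
    """Re-implementation (assumption) of the ft_ipmask() predicate in the debug SQL.

    Returns 1 when `ip` lies inside the `cidr` prefix, otherwise 0. The second
    argument is ignored: it is a literal 0 in the page's query and its meaning
    is not documented there. Malformed input yields 0 so a bad row or filter
    excludes data instead of raising inside the query.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=False)
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return 0
    return int(addr.version == net.version and addr in net)


def parse_subnet_filter(value):
    """Validate a FortiView-style x.x.x.x/x filter and normalise it.

    Host bits below the mask are cleared (91.189.1.2/16 -> 91.189.0.0/16) and a
    bare address becomes a /32. Anything else raises ValueError, so the caller
    rejects it before the value reaches the query.
    """
    return str(ipaddress.ip_network(value, strict=False))


def build_db(rows):
    """In-memory stand-in for the grp_traffic_all_dst table, with ft_ipmask registered."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("ft_ipmask", 3, ft_ipmask)
    conn.execute(
        "create table grp_traffic_all_dst("
        "dstip text, srcintfrole text, passthrough text, "
        "sessioncount integer, rcvdbyte integer, sentbyte integer, timestamp integer)"
    )
    conn.executemany("insert into grp_traffic_all_dst values (?,?,?,?,?,?,?)", rows)
    return conn


# Cut-down form of the fv.dest.group query from the debug output: same filter
# shape (time window, ft_ipmask on dstip, srcintfrole IN list), same grouping
# and ordering, with the filter bound as a parameter rather than spliced in.
DEST_QUERY = """
select dstip,
       sum(sessioncount) session_count,
       sum(case when passthrough<>'block' then sessioncount else 0 end) session_allow,
       sum(case when passthrough='block' then sessioncount else 0 end) session_block,
       sum(rcvdbyte + sentbyte) bandwidth
from grp_traffic_all_dst
where timestamp between ? and ?
  and ft_ipmask(dstip, 0, ?)
  and srcintfrole in ('lan','dmz','undefined')
group by dstip
order by bandwidth desc
limit 100;
"""


def destinations_in_subnet(rows, subnet, start, end):
    """Run the Destinations view over `rows` restricted to `subnet` and the time window."""
    conn = build_db(rows)
    cidr = parse_subnet_filter(subnet)
    try:
        return conn.execute(DEST_QUERY, (start, end, cidr)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for row in destinations_in_subnet(SAMPLE_ROWS, "91.189.0.0/16", 1551397800, 1551484200):
        print(row)
```

Running it lists only the three 91.189.0.0/16 destinations seen from lan or dmz, ordered by bandwidth, and shows the allow/block split per destination; the 91.190.0.1 row and the wan-facing row are dropped by the two predicates, exactly as in the page's query.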
