Cookbook

FortiView from disk

Prerequisites

All FortiGates with an SSD disk.

Restrictions

  • Desktop models (for example, below the 100D) with an SSD support only the five-minute and one-hour views.
  • Medium models (for example, 200D, 500D) with an SSD support up to the 24-hour view.
  • Large models (for example, 1500D and above) with an SSD support up to the seven-day view.
    • To enable the seven-day view:

      config log setting
      set fortiview-weekly-data enable
      end

Configuration

A firewall policy needs to be in place with traffic logging enabled. For best operation with FortiView, internal interface roles should be clearly defined as LAN; DMZ and internet facing or external interface roles should be defined as WAN.

To enable FortiView from Disk:
  1. Enable disk logging from the FortiGate GUI.
    1. Go to Log & Report > Log Settings > Local Log.
    2. Select the checkbox next to Disk.
  2. Enable historical FortiView from the FortiGate GUI.
    1. Go to Log & Report > Log Settings > Local Log.
    2. Select the checkbox next to Enable Historical FortiView.
  3. Click Apply.

To include sniffer traffic and local-deny traffic when using FortiView from Disk:

This feature is only supported through the CLI.

config report setting
set report-source forward-traffic sniffer-traffic local-deny-traffic
end

Source View

Top Level

Sample entry:

Time
  • Realtime or Now entries are determined by the FortiGate's system session list.
  • Historical entries (5 minutes and later) are determined by traffic logs, with additional information coming from UTM logs.
Graph
  • The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  • Users can customize the time frame by selecting a time period within the graph.
Bubble Chart
  • Bubble chart shows the same information as the table, but in a different graphical manner.
Columns
  • Source shows the IP address (and user as well as user avatar if configured) of the source device.
  • Device shows the device information as listed in User & Device > Device Inventory. Device detection should be enabled on the applicable interfaces for best function.
  • Threat Score is the threat score of the source based on UTM features such as Web Filter and antivirus. It shows threat scores allowed and threat scores blocked.
  • Bytes is the accumulated bytes sent/received. In realtime, this is calculated from the session list, and in historical it is from logs.
  • Sessions is the total sessions blocked/allowed. In realtime, this is calculated from the session list, and in historical it is from logs.
  • Source is a simplified version of the first column, including only the IP address without extra information.
  • Source Interface is the interface from which the traffic originates. In realtime, this is calculated from the session list, and in historical it is from the logs.
  • More information can be shown in a tooltip while hovering over these entries.
  • For realtime, two more columns are available, Bandwidth and Packets, both of which come from the session list.

Drilldown Level

Sample entry:

Graph
  • The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  • Users can customize the time frame by selecting a time period within the graph.
Summary Information
  • Shows information such as the user/avatar, avatar/source IP, bytes, and sessions total for the time period.
  • Can quarantine the host (access layer quarantine) if it is behind a FortiSwitch or FortiAP.
  • Can ban the IP address, which adds the source IP address to the quarantine list.
Tabs
  • Drilling down entries in any of these tabs (except sessions tab) will take you to the underlying traffic log in the sessions tab.
  • Applications shows a list of the applications attributed to the source IP. This can include scanned applications (using Application Control in a firewall policy) or unscanned applications. To show unscanned applications:

    config log gui-display
    set fortiview-unscanned-apps enable
    end

  • Destinations shows destinations grouped by IP address/FQDN.
  • Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, Web Filter, Application Control, etc.
  • Web Sites contains the websites which were detected either with Web Filter, or through the FQDN in traffic logs.
  • Web Categories groups entries into their categories as dictated by the Web Filter Database.
  • Search Phrases shows entries of search phrases on search engines captured by a Web Filter UTM profile, with deep inspection enabled in firewall policy.
  • Policies groups the entries by which policies they passed through or were blocked by.
  • Sessions shows the underlying logs (historical) or sessions (realtime). Drilldowns from other tabs end up showing the underlying log located in this tab.
  • More information can be shown in a tooltip while hovering over these entries.

Troubleshooting

  • Use diagnose debug application httpsd -1 to check which filters were passed through httpsd.
    For example:

    [httpsd 3163 - 1546543360 info] api_store_parameter[227] -- add API parameter 'filter': '{ "source": "10.1.100.30", "application": "TCP\/5228", "srcintfrole": [ "lan", "dmz", "undefined" ] }' (type=object)

  • Use diagnose debug application miglogd 0x70000 to check what the SQL command is that is passed to the underlying SQL database.
    For example:

    fortiview_request_data()-898: total:31 start:1546559580 end:1546563179
    _dump_sql()-799: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_bk,r,s,ifnull(sc_l,0),ifnull(sc_m,0),ifnull(sc_h,0),ifnull(sc_c,0) from (select timestamp-(timestamp%60) timestamp1 ,sum(case when passthrough<>'block' then sessioncount else 0 end) ses_al,sum(case when passthrough='block' then sessioncount else 0 end) ses_bk,sum(rcvdbyte) r,sum(sentbyte) s from grp_traffic_all_src where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) a left join (select timestamp-(timestamp%60) timestamp1 ,sum(case when threat_level=1 then crscore else 0 end) sc_l,sum(case when threat_level=2 then crscore else 0 end) sc_m,sum(case when threat_level=3 then crscore else 0 end) sc_h,sum(case when threat_level=4 then crscore else 0 end) sc_c from grp_threat where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) b on a.timestamp1 = b.timestamp1;
    takes 40(ms), agggr:0(ms)

  • Use execute report flush-cache and execute report recreate-db to clear up any irregularities that may be caused by upgrading or cache issues.
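The fv.general.chart query shown in the miglogd debug output above, replayed against a constructed in-memory SQLite database. This is an added example, not Fortinet code or the real FortiView schema: the two table layouts and every row are assumptions, and the literal time window and source IP from the log are turned into bind parameters. It shows what the query does with the log rows: 60-second bucketing via timestamp-(timestamp%60), the allowed/blocked split on passthrough, the threat_level 1..4 to sc_l/sc_m/sc_h/sc_c mapping, the srcintfrole filter dropping WAN-side rows, and ifnull yielding 0 for minutes with traffic but no threat log.

```python
import sqlite3

# Constructed sample rows, not real FortiGate log data. Column order follows the
# names the query uses: traffic rows are split on passthrough, threat rows on threat_level.
TRAFFIC_ROWS = [  # timestamp, srcip, srcintfrole, passthrough, sessioncount, rcvdbyte, sentbyte
    (1546559580, "10.1.100.11", "lan", "allow", 3, 1500, 400),
    (1546559599, "10.1.100.11", "lan", "block", 1, 0, 60),
    (1546559640, "10.1.100.11", "lan", "allow", 2, 9000, 700),
    (1546559645, "10.1.100.11", "wan", "allow", 5, 100, 100),   # dropped: role not lan/dmz/undefined
    (1546559650, "10.1.100.30", "lan", "allow", 7, 100, 100),   # dropped unless srcip matches
]
THREAT_ROWS = [  # timestamp, srcip, srcintfrole, threat_level, crscore
    (1546559585, "10.1.100.11", "lan", 2, 10),
    (1546559590, "10.1.100.11", "lan", 4, 50),
    (1546559591, "10.1.100.11", "lan", 1, 5),
]

# The chart query from the debug output, with the time window and source IP
# as bind parameters instead of literals (assumed table schemas, see above).
CHART_SQL = """
select a.timestamp1, ses_al, ses_bk, r, s,
       ifnull(sc_l,0), ifnull(sc_m,0), ifnull(sc_h,0), ifnull(sc_c,0)
from (select timestamp-(timestamp%60) timestamp1,
             sum(case when passthrough<>'block' then sessioncount else 0 end) ses_al,
             sum(case when passthrough='block' then sessioncount else 0 end) ses_bk,
             sum(rcvdbyte) r, sum(sentbyte) s
      from grp_traffic_all_src
      where timestamp between ? and ? and srcip in (?)
        and srcintfrole in ('lan','dmz','undefined') group by timestamp1) a
left join (select timestamp-(timestamp%60) timestamp1,
             sum(case when threat_level=1 then crscore else 0 end) sc_l,
             sum(case when threat_level=2 then crscore else 0 end) sc_m,
             sum(case when threat_level=3 then crscore else 0 end) sc_h,
             sum(case when threat_level=4 then crscore else 0 end) sc_c
      from grp_threat
      where timestamp between ? and ? and srcip in (?)
        and srcintfrole in ('lan','dmz','undefined') group by timestamp1) b
on a.timestamp1 = b.timestamp1 order by a.timestamp1
"""

def fortiview_chart(start, end, srcip):
    """One row per 60-second bucket: (bucket, ses_al, ses_bk, rcvd, sent, sc_l, sc_m, sc_h, sc_c)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table grp_traffic_all_src(timestamp, srcip, srcintfrole, passthrough, sessioncount, rcvdbyte, sentbyte)")
    con.execute("create table grp_threat(timestamp, srcip, srcintfrole, threat_level, crscore)")
    con.executemany("insert into grp_traffic_all_src values (?,?,?,?,?,?,?)", TRAFFIC_ROWS)
    con.executemany("insert into grp_threat values (?,?,?,?,?)", THREAT_ROWS)
    return con.execute(CHART_SQL, (start, end, srcip, start, end, srcip)).fetchall()
```

Call fortiview_chart(1546559580, 1546563179, "10.1.100.11") with the window from the debug output to see the two per-minute rows the GUI chart would plot.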
