Fortinet black logo

Cookbook

FortiView from disk

Copy Link
Copy Doc ID 30be976a-bbb3-11ee-8673-fa163e15d75b:520221
Download PDF

FortiView from disk

Prerequisites

All FortiGates with an SSD disk.

Restrictions

  • Desktop models (for example: under 100D) with SSD only supports five minutes and one hour view.
  • Medium models (for example: 200D, 500D) with SSD supports up to 24 hours view.
  • Large models (for example: 1500D and above) with SSD supports up to seven days view.
    • To enable seven days view:

      config log setting

      set fortiview-weekly-data enable

      end

Configuration

A firewall policy needs to be in place with traffic logging enabled. For best operation with FortiView, internal interface roles should be clearly defined as LAN; DMZ and internet facing or external interface roles should be defined as WAN.

To enable FortiView from Disk:
  1. Enable disk logging from the FortiGate GUI.
    1. Go to Log & Report > Log Settings > Local Log.
    2. Select the checkbox next to Disk.
  2. Enable historical FortiView from the FortiGate GUI.
    1. Go to Log & Report > Log Settings > Local Log.
    2. Select the checkbox next to Enable Historical FortiView.

  3. Click Apply.
To include sniffer traffic and local-deny traffic when FortiView from Disk:

This feature is only supported through the CLI.

config report setting

set report-source forward-traffic sniffer-traffic local-deny-traffic

end

Source View

Top Level

Sample entry:

Time
  • Realtime or Now entries are determined by the FortiGate's system session list.
  • Historical or 5 minutes and later entries are determined by traffic logs, with additional information coming from UTM logs.
Graph
  • The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  • Users can customize the time frame by selecting a time period within the graph.
Bubble Chart
  • Bubble chart shows the same information as the table, but in a different graphical manner.
Columns
  • Source shows the IP address (and user as well as user avatar if configured) of the source device.
  • Device shows the device information as listed in User & Device > Device Inventory. Device detection should be enabled on the applicable interfaces for best function.
  • Threat Score is the threat score of the source based on UTM features such as Web Filter and antivirus. It shows threat scores allowed and threat scores blocked.
  • Bytes is the accumulated bytes sent/received. In realtime, this is calculated from the session list, and in historical it is from logs.
  • Sessions is the total sessions blocked/allowed. In realtime, this is calculated from the session list, and in historical it is from logs.
  • Source is a simplified version of the first column, including only the IP address without extra information.
  • Source Interface is the interface from which the traffic originates. In realtime, this is calculated from the session list, and in historical it is from the logs.
  • More information can be shown in a tooltip while hovering over these entries.
  • For realtime, two more columns are available, Bandwidth and Packets, both of which come from the session list.

Drilldown Level

Sample entry:

Graph
  • The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  • Users can customize the time frame by selecting a time period within the graph.
Summary Information
  • Shows information such as the user/avatar, avatar/source IP, bytes, and sessions total for the time period.
  • Can quarantine host (access layer quarantine) if they are behind a FortiSwitch or FortiAP.
  • Can ban IP addresses, adds the source IP address into the quarantine list.
Tabs
  • Drilling down entries in any of these tabs (except sessions tab) will take you to the underlying traffic log in the sessions tab.
  • Applications shows a list of the applications attributed to the source IP. This can include scanned applications (using Application Control in a firewall policy or unscanned applications.

    config log gui-display

    set fortiview-unscanned-apps enable

    end

  • Destinations shows destinations grouped by IP address/FQDN.
  • Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, Web Filter, Application Control, etc.
  • Web Sites contains the websites which were detected either with webfilter, or through FQDN in traffic logs.
  • Web Categories groups entries into their categories as dictated by the Web Filter Database.
  • Search Phrases shows entries of search phrases on search engines captured by a Web Filter UTM profile, with deep inspection enabled in firewall policy.
  • Policies groups the entries into which polices they passed through or were blocked by.
  • Sessions shows the underlying logs (historical) or sessions (realtime). Drilldowns from other tabs end up showing the underlying log located in this tab.
  • More information can be shown in a tooltip while hovering over these entries.

Troubleshooting

  • Use diagnose debug application httpsd -1 to check which filters were passed through httpsd.
    For example:

    [httpsd 3163 - 1546543360 info] api_store_parameter[227] -- add API parameter 'filter': '{ "source": "10.1.100.30", "application": "TCP\/5228", "srcintfrole": [ "lan", "dmz", "undefined" ] }' (type=object)

  • Use diagnose debug application miglogd 0x70000 to check what the SQL command is that is passed to the underlying SQL database.
    For example:

    fortiview_request_data()-898: total:31 start:1546559580 end:1546563179
    _dump_sql()-799: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_bk,r,s,ifnull(sc_l,0),ifnull(sc_m,0),ifnull(sc_h,0),ifnull(sc_c,0) from (select timestamp-(timestamp%60) timestamp1 ,sum(case when passthrough<>'block' then sessioncount else 0 end) ses_al,sum(case when passthrough='block' then sessioncount else 0 end) ses_bk,sum(rcvdbyte) r,sum(sentbyte) s from grp_traffic_all_src where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) a left join (select timestamp-(timestamp%60) timestamp1 ,sum(case when threat_level=1 then crscore else 0 end) sc_l,sum(case when threat_level=2 then crscore else 0 end) sc_m,sum(case when threat_level=3 then crscore else 0 end) sc_h,sum(case when threat_level=4 then crscore else 0 end) sc_c from grp_threat where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) b on a.timestamp1 = b.timestamp1;
    takes 40(ms), agggr:0(ms)

  • Use execute report flush-cache and execute report recreate-db to clear up any irregularities that may be caused by upgrading or cache issues.

FortiView from disk

Prerequisites

All FortiGates with an SSD disk.

Restrictions

  • Desktop models (for example: under 100D) with SSD only supports five minutes and one hour view.
  • Medium models (for example: 200D, 500D) with SSD supports up to 24 hours view.
  • Large models (for example: 1500D and above) with SSD supports up to seven days view.
    • To enable seven days view:

      config log setting

      set fortiview-weekly-data enable

      end

Configuration

A firewall policy needs to be in place with traffic logging enabled. For best operation with FortiView, internal interface roles should be clearly defined as LAN; DMZ and internet facing or external interface roles should be defined as WAN.

To enable FortiView from Disk:
  1. Enable disk logging from the FortiGate GUI.
    1. Go to Log & Report > Log Settings > Local Log.
    2. Select the checkbox next to Disk.
  2. Enable historical FortiView from the FortiGate GUI.
    1. Go to Log & Report > Log Settings > Local Log.
    2. Select the checkbox next to Enable Historical FortiView.

  3. Click Apply.
To include sniffer traffic and local-deny traffic when FortiView from Disk:

This feature is only supported through the CLI.

config report setting

set report-source forward-traffic sniffer-traffic local-deny-traffic

end

Source View

Top Level

Sample entry:

Time
  • Realtime or Now entries are determined by the FortiGate's system session list.
  • Historical or 5 minutes and later entries are determined by traffic logs, with additional information coming from UTM logs.
Graph
  • The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  • Users can customize the time frame by selecting a time period within the graph.
Bubble Chart
  • Bubble chart shows the same information as the table, but in a different graphical manner.
Columns
  • Source shows the IP address (and user as well as user avatar if configured) of the source device.
  • Device shows the device information as listed in User & Device > Device Inventory. Device detection should be enabled on the applicable interfaces for best function.
  • Threat Score is the threat score of the source based on UTM features such as Web Filter and antivirus. It shows threat scores allowed and threat scores blocked.
  • Bytes is the accumulated bytes sent/received. In realtime, this is calculated from the session list, and in historical it is from logs.
  • Sessions is the total sessions blocked/allowed. In realtime, this is calculated from the session list, and in historical it is from logs.
  • Source is a simplified version of the first column, including only the IP address without extra information.
  • Source Interface is the interface from which the traffic originates. In realtime, this is calculated from the session list, and in historical it is from the logs.
  • More information can be shown in a tooltip while hovering over these entries.
  • For realtime, two more columns are available, Bandwidth and Packets, both of which come from the session list.

Drilldown Level

Sample entry:

Graph
  • The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  • Users can customize the time frame by selecting a time period within the graph.
Summary Information
  • Shows information such as the user/avatar, avatar/source IP, bytes, and sessions total for the time period.
  • Can quarantine host (access layer quarantine) if they are behind a FortiSwitch or FortiAP.
  • Can ban IP addresses, adds the source IP address into the quarantine list.
Tabs
  • Drilling down entries in any of these tabs (except sessions tab) will take you to the underlying traffic log in the sessions tab.
  • Applications shows a list of the applications attributed to the source IP. This can include scanned applications (using Application Control in a firewall policy or unscanned applications.

    config log gui-display

    set fortiview-unscanned-apps enable

    end

  • Destinations shows destinations grouped by IP address/FQDN.
  • Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, Web Filter, Application Control, etc.
  • Web Sites contains the websites which were detected either with webfilter, or through FQDN in traffic logs.
  • Web Categories groups entries into their categories as dictated by the Web Filter Database.
  • Search Phrases shows entries of search phrases on search engines captured by a Web Filter UTM profile, with deep inspection enabled in firewall policy.
  • Policies groups the entries into which polices they passed through or were blocked by.
  • Sessions shows the underlying logs (historical) or sessions (realtime). Drilldowns from other tabs end up showing the underlying log located in this tab.
  • More information can be shown in a tooltip while hovering over these entries.

Troubleshooting

  • Use diagnose debug application httpsd -1 to check which filters were passed through httpsd.
    For example:

    [httpsd 3163 - 1546543360 info] api_store_parameter[227] -- add API parameter 'filter': '{ "source": "10.1.100.30", "application": "TCP\/5228", "srcintfrole": [ "lan", "dmz", "undefined" ] }' (type=object)

  • Use diagnose debug application miglogd 0x70000 to check what the SQL command is that is passed to the underlying SQL database.
    For example:

    fortiview_request_data()-898: total:31 start:1546559580 end:1546563179
    _dump_sql()-799: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_bk,r,s,ifnull(sc_l,0),ifnull(sc_m,0),ifnull(sc_h,0),ifnull(sc_c,0) from (select timestamp-(timestamp%60) timestamp1 ,sum(case when passthrough<>'block' then sessioncount else 0 end) ses_al,sum(case when passthrough='block' then sessioncount else 0 end) ses_bk,sum(rcvdbyte) r,sum(sentbyte) s from grp_traffic_all_src where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) a left join (select timestamp-(timestamp%60) timestamp1 ,sum(case when threat_level=1 then crscore else 0 end) sc_l,sum(case when threat_level=2 then crscore else 0 end) sc_m,sum(case when threat_level=3 then crscore else 0 end) sc_h,sum(case when threat_level=4 then crscore else 0 end) sc_c from grp_threat where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in ('10.1.100.11') AND srcintfrole in ('lan','dmz','undefined') group by timestamp1 ) b on a.timestamp1 = b.timestamp1;
    takes 40(ms), agggr:0(ms)

  • Use execute report flush-cache and execute report recreate-db to clear up any irregularities that may be caused by upgrading or cache issues.