Administration Guide

Network Alerts

Network alerts show detected connection attempts to known botnets, attacks to hosts on your network, and harmful websites visited from your network.

To view network alerts (Attacker, Botnet, and URL), go to Network Alerts. You can drill down the information displayed and apply search filters. You can select to create a PDF or CSV format snapshot report for specific types of network alert files. Search filters will be applied to the detailed report and will be displayed in the Filtering Criteria section.

This page has the following options:

Time Period

Select the time period from the dropdown list. Select one of the following: 24 Hours, 7 Days, or 4 Weeks.

You can select the time period to filter the information displayed in the GUI. This selection is also applied to exported data for the snapshot report.

Alert Type

Select Attacker, Botnet, or URL from the dropdown list. You can select the alert type to filter the information displayed in the GUI. This selection is also applied to exported data for the snapshot report.

Attacker

Shows attacks against hosts on your network. When selecting Attacker from the dropdown list, the following information is displayed:

  • Detected: The date and time that the attack was detected by FortiSandbox.
  • Backdoor: The name of the attack.
  • Source: The attacker’s IP address.
  • Destination: The attacked host IP address.

All columns include a filter to allow you to sort the entries in ascending or descending order.

Botnet

Shows detected connections to known botnets. When selecting Botnet from the dropdown list, the following information is displayed:

  • Detected: The date and time that the botnet contact was detected by FortiSandbox.
  • Name: The botnet name.
  • Source: The IP address of the infected host.
  • Destination: The botnet command and control IP address.

The Detected, Name, and Source columns include a filter to allow you to sort the entries in ascending or descending order.

URL

Shows suspicious websites visited from your network. When selecting URL from the dropdown list, the following information is displayed:

  • Detected: The date and time that the malicious URL was visited.
  • Rating: The severity of the visiting activity.
  • Category: The URL’s web filtering category.
  • Host: The host IP address. The first level domain name of the URL.
  • URL: The visited URL address.
  • Type: The URL type, http or https.
  • Source: The IP address of the host that visited the malicious URL.

The Detected, Category, Hostname, URL, Type, and Source columns include a filter to allow you to sort the entries in ascending or descending order.

Tooltip: Certain URL categories are set as Benign by default. To view and change, go to Scan Policy and Object > Web Category.

Export Data

Select to create a PDF or CSV snapshot report. The time to generate the report depends on the number of events selected. You can wait until the report is ready to view, or navigate away and find the report later on the Log & Report > Report Center page.

Refresh

Click the icon to refresh the log message list.

Search

Show or hide the search filter field.

Add Search Filter

Click the search filter field to add search filters. Click the close icon in the search filter field to remove the search filter.

Search filters can be used to filter the information displayed in the GUI.

To create a snapshot report for all network alert files:
  1. Select a time period from the first dropdown list.
  2. Select Attacker, Botnet, or URL from the second dropdown list.
  3. Select to apply search filters to further drill down the information in the report.
  4. Click the Export Data button in the toolbar. The Report Generator window opens.
  5. Select either PDF or CSV for the report type.
  6. Click the Generate Report button to create the report.

    When the report generation is completed, select the Download button to save the file to your management computer.

  7. You can wait until the report is ready to view, or navigate away and find the report later on the Log & Report > Report Center page.

Note

If Delete all traces of jobs of Malicious or Suspicious rating after is configured in System > Settings, the network alert records will be deleted after the specified time. Otherwise, the record deletion period is 32 days.
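
An added example, not part of the Fortinet guide: one way to triage a CSV snapshot of Botnet alerts offline, grouping rows per infected host and flagging hosts whose earliest record is close to the deletion period described in the Note. The CSV header names (taken from the Botnet view's columns), the timestamp format, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Header names mirror the Botnet view's columns; the
# timestamp format is an assumption about the CSV export, not documented here.
SAMPLE_BOTNET_CSV = """Detected,Name,Source,Destination
2024-05-01 09:12:44,ExampleBot.A,10.0.5.23,203.0.113.10
2024-05-01 09:14:02,ExampleBot.A,10.0.5.23,203.0.113.10
2024-05-20 17:40:10,ExampleBot.B,10.0.5.23,198.51.100.7
2024-05-28 03:05:51,ExampleBot.A,10.0.7.80,203.0.113.10
"""

def summarize_botnet_alerts(csv_text, now, retention_days=32, warn_days=7):
    """Group Botnet alerts by infected host (Source).

    retention_days defaults to the 32-day deletion period from the Note;
    pass the configured value if the System > Settings option is set.
    """
    hosts = defaultdict(lambda: {"alerts": 0, "names": set(), "c2": set(), "first": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen = datetime.strptime(row["Detected"].strip(), "%Y-%m-%d %H:%M:%S")
        h = hosts[row["Source"].strip()]
        h["alerts"] += 1
        h["names"].add(row["Name"].strip())
        h["c2"].add(row["Destination"].strip())
        h["first"] = seen if h["first"] is None else min(h["first"], seen)

    summary = []
    for host, h in hosts.items():
        deleted_at = h["first"] + timedelta(days=retention_days)
        summary.append({
            "host": host,
            "alerts": h["alerts"],
            "botnets": sorted(h["names"]),
            "c2_addresses": sorted(h["c2"]),
            "first_seen": h["first"],
            # True when the oldest record is within warn_days of deletion,
            # i.e. export or investigate it before the evidence is gone.
            "expiring_soon": deleted_at - now <= timedelta(days=warn_days),
        })
    # Hosts with the most alerts first; host address breaks ties.
    summary.sort(key=lambda r: (-r["alerts"], r["host"]))
    return summary

if __name__ == "__main__":
    for entry in summarize_botnet_alerts(SAMPLE_BOTNET_CSV, datetime(2024, 5, 30)):
        print(entry)
```

A host that contacts several botnet names or command and control addresses, as the first sample host does, is usually the one to isolate and image first.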
