User Guide

FortiView

FortiWeb Cloud detects attacks on your application and displays the threats in FortiView in the following categories:

  • Threat by OWASP TOP10: Displays threats by OWASP Top 10 category so that you can analyze the 10 most critical attacks targeting your application.
  • Threats by Types: Displays threats by specific type, such as Known Attacks, Information Leakage, etc.
  • Blocked IPs: Displays IP addresses that have been blocked for security reasons, either by your application's security policy or by actions triggered by other applications that caused the load balancers to block them. See Review and release blocked IP addresses below for detailed instructions.
  • Threat by Source IPs: Displays threats by source IP to provide deep insight into the IP addresses from which attacks originate.
  • Threats by Countries: Displays threats by the countries in which attacks originate.
  • Threat Map: Displays threats by geographic region. You can see a global map that shows threats in real time from specific countries.
  • Traffic Summary: Displays traffic statistics such as source IP addresses, URL, User Agent, Return Code, and Request Method.

You can see an overview of the threats, such as the total number of threats, threat scores, the types of actions FortiWeb Cloud carries out in response to specific types of attacks, and how severe the attacks are.

You can also drill down from a high-level overview to a detailed analysis of a particular threat. The example below uses the Threats by Countries menu to illustrate how filtering and drilling down work.

To view the detailed analysis of a particular threat:

  1. Go to FortiView > Threats by Countries.
  2. Click Add Filter, select Country, and either enter the name of the country or select the country from the drop-down menu. In this case, United States is selected.
  3. Double-click the country row to view a summary of the threat data from this country.
  4. Select tabs to view the threat data categorized by Threats, Sources, HTTP Methods, URLs, CVE ID, and OWASP Top10.
  5. In this example, double-click the row for 3.83.218.56 to view the threats originating from this source IP address.
  6. Click the arrow icon to unfold the detailed analysis of a particular threat.
  7. If you know that a certain URL tends to falsely trigger violations by matching an attack signature during normal use, you can click Add Exception beside the signature ID. The traffic to that URL will not be treated as an attack even if it matches this particular signature.

Please note that the number of attacks displayed in Attack Logs, FortiView, and the Blocked Requests widget on the Dashboard differs slightly.

  • Certain attack types, such as Bot and DDoS attacks, generate a large number of requests in a short time. To prevent numerous identical attack logs from flooding the UI, FortiWeb Cloud logs only the first request in Attack Logs and FortiView, while it shows the actual count in the Blocked Requests widget so you know how many attack requests were actually blocked.
  • To prevent Information Leakage, FortiWeb Cloud may cloak the error pages or erase sensitive HTTP headers in response packets. Such items are logged only once per minute in Attack Logs and FortiView, so that you know the Information Leakage rule took effect. Meanwhile, the actual count is recorded in the Blocked Requests widget.
  • If you have set FortiWeb Cloud to block attacks but not generate a log when a certain violation occurs, such as Deny(no log), then the attacks will not be logged in Attack Logs and FortiView, but will be counted in the Blocked Requests widget.
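
The following Python sketch is an added example, not Fortinet code. It models the three rules above to show how the log views and the Blocked Requests widget can diverge for the same traffic. The event layout, the sample values (including the "Deny" and "Cloak" action labels), and the suppression keys (per source IP and type, fixed one-minute buckets) are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample events, not FortiWeb Cloud output. The tuple layout
# (epoch_seconds, source_ip, threat_type, action) is hypothetical.
EVENTS = [
    (0, "198.51.100.7", "Bot", "Deny"),
    (1, "198.51.100.7", "Bot", "Deny"),
    (2, "198.51.100.7", "Bot", "Deny"),
    (5, "203.0.113.9", "Information Leakage", "Cloak"),
    (30, "203.0.113.9", "Information Leakage", "Cloak"),
    (65, "203.0.113.9", "Information Leakage", "Cloak"),
    (70, "192.0.2.44", "Known Attacks", "Deny"),
    (71, "192.0.2.44", "Known Attacks", "Deny(no log)"),
]

FIRST_ONLY = {"Bot", "DDoS"}          # only the first request is logged
PER_MINUTE = {"Information Leakage"}  # logged at most once per minute


def reconcile(events):
    """Return (logged, blocked) Counters keyed by threat type."""
    logged, blocked = Counter(), Counter()
    seen = set()  # suppression keys that already produced a log entry
    for ts, ip, threat, action in events:
        blocked[threat] += 1  # the widget counts every blocked request
        if action == "Deny(no log)":
            continue  # blocked, but never written to the log views
        if threat in FIRST_ONLY:
            key = (ip, threat)  # assumption: suppression is per source and type
        elif threat in PER_MINUTE:
            key = (ip, threat, ts // 60)  # assumption: fixed one-minute buckets
        else:
            key = None
        if key is not None:
            if key in seen:
                continue
            seen.add(key)
        logged[threat] += 1
    return logged, blocked


def gap(events):
    """Blocked requests per threat type that have no matching log entry."""
    logged, blocked = reconcile(events)
    return {t: blocked[t] - logged[t] for t in blocked}


if __name__ == "__main__":
    print(gap(EVENTS))
```

When exported attack logs feed a SIEM, a gap like this means log-derived request counts under-report volume for the suppressed categories, so the widget count is the one to use for volume.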

Review and release blocked IP addresses

This page displays the list of IP addresses that have been blocked by FortiWeb Cloud, either by your application's security rules or by actions triggered by other applications that caused the load balancers to block them.

When searching for a specific IP address on this list, you can click Add Filter to narrow down the number of IP addresses displayed on this page.

To remove an item from this list, click on the delete icon in the same row as the desired IP address to effectively unblock it.
