Reports
FortiWeb can generate reports based on:
- traffic statistics collected by policies (see Bot analysis)
- attack, event, and traffic log messages
- vulnerability scans for PCI compliance
When generating a log-based or scan-based report, FortiWeb appliances collate information collected from log files and scan results, and present the information in tabular and graphical format.
Before it can generate a report, in addition to log files and scan results, FortiWeb appliances require a report profile in order to generate a report. A report profile is a group of settings that contains the report name, file format, subject matter, and other aspects that the FortiWeb appliance considers when generating the report.
FortiWeb appliances can generate reports automatically, according to the schedule that you configure in the report profile, or manually, when you click the Run now icon in the report profile list.
Consider sending reports to your web developers to provide feedback. If your organization develops web applications in-house, this can be a useful way to quickly provide them information on how to improve the security of the application.
|
Generating reports can be resource intensive. To avoid traffic processing performance impacts, you may want to generate reports during times with low traffic volume, such as at night or weekends. For details about scheduling the generation of reports, see Scheduling reports. To determine the current traffic volume, see HTTP Throughput Monitor widget. |
To configure a report profile
Before you generate a report, collect log data and/or vulnerability scan data that will be the basis of the report. For details about enabling logging to the local hard disk, see Configuring logging and Vulnerability scans.
Go to Log&Report > Report > Report Config.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.
Click Create New.
In Report Name, type the name of the report as it will be referenced in the configuration. The name cannot contain spaces and is limited to 63 characters.
Select one of the below Types:
On Schedule: Select to run the report at configured intervals. To configure a schedule, see Scheduling reports.
On Demand: Select to run the report after you complete the configuration.
|
|
For on-demand reports, the FortiWeb appliance does not save the report profile after the generating the report. If you want to save the report profile, but do not want to generate the report at regular intervals, select On Schedule, but then in the Schedule section, select Not Scheduled. |
In Report Title, type a display name that will appear in the title area of the report. The title may include spaces and is limited to 42 characters.
In Description, type a comment or other description. There is a 199 character limit.
Click the blue expansion arrow next to each section, and configure these settings:
| Properties | Select to add logos, headers, footers and company information to customize the report. For details, see Customizing the report’s headers, footers, & logo. |
| Report Scope | Select the time span of log messages from which to generate the report. You can also create a data filter to include in the report only those logs that match a set of criteria. For details, see Restricting the report’s scope. |
| Report Types | Select one or more subject matters to include in the report. For details, see Choosing the type & format of a report profile. |
| Report Format | Select the number of top items to include in ranked report subtypes, and other advanced features. For details, see Choosing the type & format of a report profile. |
| Schedule |
Select when the FortiWeb appliance will run the report, such as weekly or monthly. For details, see Scheduling reports. This section is available only if Type is On Schedule. |
| Output | Select the file formats and destination email addresses, if any, of reports generated from this report profile. For details, see Selecting the report’s file type & delivery options. |
Click OK.
On-demand reports are generated immediately. Scheduled reports are generated at intervals set in the schedule. For details about viewing generated reports, see Viewing & downloading generated reports.
To generate a report immediately
Mark the check box of the report.
Click Run now.
See also
- Customizing the report’s headers, footers, & logo
- Restricting the report’s scope
- Choosing the type & format of a report profile
- Scheduling reports
- Selecting the report’s file type & delivery options
Customizing the report’s headers, footers, & logo
When configuring a report profile, you can provide text and logos to customize the appearance of reports generated from the profile.
To upload a logo file
Go to Log&Report > Report > Report Config.
Click Create New or select an existing Report Config.
Expand the Properties section.
Configure these settings:
| Company Name | Type the name of your company or other organization. |
| Header Comment | Type a title or other information to include in the header. |
| Footer Comment |
Select which information to include in the footer:
|
| Title Page Logo |
Select No Logo to omit the title page logo. Select Custom to include a logo, then click Select to locate the logo file, and click Upload to save it to the FortiWeb appliance’s hard disk for use in the report title page. |
| Header Logo |
Select No Logo to omit the header logo. Select Custom to include a logo, then click Select to locate the logo file, and click Upload to save it to the FortiWeb appliance’s hard disk for use in the report header. The header logo will appear on every page in PDF- and Microsoft Word (RTF)-formatted reports, and at the top of the page in HTML-formatted reports. |
Click OK.
The name of the logo appears next to Custom on the Report Config.
When adding a logo to the report, select a logo file format that is compatible with your selected file format outputs. If you select a logo that is not supported for a file format, the logo will not appear in that output. For example, if you provide a logo graphic in WMF format, it will not appear in PDF or HTML output.
Report file formats and their supported logo file formats
| PDF reports | JPG, PNG, GIF |
| RTF reports | JPG, PNG, GIF, WMF |
| HTML reports | JPG, PNG, GIF |
To delete a logo file
Go to Log&Report > Report > Report Config.
Select a Report Config within which you want to delete a logo file.
Expand the Properties section of the Report Config dialog.
Click the Select link beside the logo name you want to remove in either Title Page Logo or Header Logo.
Select the logo to remove.
Click Delete.
Restricting the report’s scope
When configuring a report profile, you can select the time span of log messages from which to generate the report. You can also filter out log messages that you do not want to include in the report. To start at the beginning of the report configuration instructions, see To configure a report profile.
Go to Log&Report > Report > Report Config.
Click Create New or select an existing Report Config.
Expand the Report Scope section. Also expand the Time Period and Data Filter sections.
Configure these settings:
| Time Period |
Select the time span of the report, such as This Month or Last N Days. Alternatively, select and configure the From Date and To Date. |
|
|
Past N Hours Past N Days Past N Weeks |
Enter the number N of the appliance of time. This option appears only when you have selected Last N Hours, Last N Days, or Last N Weeks from Time Period, and therefore must define N. |
|
|
Hour |
Select and configure the beginning of the time span. For example, you may want the report to include log messages starting from May 5, 2006 at 6 PM. You must also configure To Date. | |
|
Hour |
Select to configure the end of the time span. For example, you may want the report to include log messages up to May 6, at 12 AM. You must also select and configure From Date. | |
| None | Select this option to include all log messages within the time span. | |
| Include logs that match the following criteria |
Select this option to include only the log messages whose values match your filter criteria, such as Priority. Also select whether log messages must meet every other configured criteria (all) or if meeting any one of them is sufficient (any) to be included. To exclude the log messages which match a criterion, mark its not check box, located on the right-hand side of the criterion. |
|
| Priority | Mark the check box to filter by log severity threshold (in raw logs, the pri field), then select the name of the severity, such as Emergency, and whether to include logs that are greater than or equal to (>=), equal to (=), or less than or equal to (<=) that severity. |
|
| Source(s) |
Type the source IP address (in raw logs, the Note: Source(s) may be the IP address according to an HTTP header such as |
|
| Destination(s) | Type the destination IP address (in raw logs, the dst field) that log messages must match. |
|
| Http Method(s) | Type the HTTP method (in raw logs, the http_method field) that log messages must match, such as get or post. |
|
| User(s) | Type the administrator account name (in raw logs, the user field) that log messages must match, such as admin. |
|
| Action(s) | Type the action (in raw logs, the action field) that log messages must match, such as login or Alert. |
|
| Subtype(s) | Type the subtype (in raw logs, the subtype field) that log messages must match, such as waf_information. |
|
| Policy(s) | Type the policy name (in raw logs, the policy field) that log messages must match. |
|
| Service(s) | Type the service name (in raw logs, the src field) that log messages must match, such as http or https. |
|
| Message(s) | Type the message (in raw logs, the msg field) that log messages must match. |
|
| Signature Subclass Type(s) | Type the signature subclass type (in raw logs, the signature_subclass field) that log messages must match. |
|
| Signature ID(s) | Type the signature ID value (in raw logs, the signature_id field) that log messages must match. |
|
| Source Country(s) | Type the source country value (in raw logs, the srccountry field) that log messages must match. |
|
| Day of Week | Mark the check boxes for the days of the week whose log messages you want to include. | |
Click OK.
Choosing the type & format of a report profile
When configuring a report profile, you can select one or more queries or query groups that define the subject matter of the report.
When configuring a report profile, you can configure various advanced options that affect how many log messages are used to formulate ranked report subtypes, and how results will be displayed.
To start at the beginning of the report configuration instructions, see To configure a report profile.
Go to Log&Report > Report > Report Config.
Click Create New or select an existing Report Config.
Expand the Report Type(s) and Report Format sections.
Configure these settings:
| Report Types |
Each query group contains multiple individual queries, each of which correspond to a chart that will appear in the generated report. You can select all queries within the group by marking the check box of the query group, or you can expand the query group and then individually select each query that you want to include:
For example:
|
||
| Report Format | |||
| Include reports with no matching data | Enable to include reports for which there is no data. A blank report will appear in the summary. You might enable this option to verify inclusion of report types selected in the report profile when filter criteria or absent logs would normally cause the report type to be omitted. | ||
| Advanced | |||
| In ‘Ranked Reports’ show top |
Ranked reports (top x, or top y of top x) can include a different number of results per cross-section, then combine remaining results under “Others.” For example, in Top Sources By Top Destination, the report includes the top x destination IP addresses, and their top y source IP addresses, then groups the remaining results. You can configure both x and y in the Advanced section of Report Format In ranked reports, (“top x” report types, such as Top Attack Type), you can specify how many items from the top rank will be included in the report. For example, you could set the Top Attack URLs report to include up to 30 of the top x denied URLs by entering Some ranked reports rank not just one aspect, but two, such as Top Sources By Top Destination: this report ranks top source IP addresses for each of the top destination IP addresses. For these double ranked reports, you can also configure the rank threshold of the second aspect by entering the second threshold in values of the second variable for each value of the first variable 1..30. Note: Reports that do not include “Top” in their name display all results. Changing the ranked reports values will not affect these reports. |
||
| values of the first variable 1.. 30 | Type the value of x. | ||
| values of the second variable for each value of the first variable 1.. 30 |
Type the value of y. This value is only considered if the report rankings are nested (i.e. top y of top x). |
||
| Include Summary Information | Enable to include a listing of the report profile settings. | ||
| Include Table of Contents | Enable to include a table of contents for the report. | ||
Click OK.
Scheduling reports
When configuring a report profile, you can select whether the FortiWeb appliance will generate the report on demand or according to the schedule that you configure.
To start at the beginning of the report configuration instructions, see To configure a report profile.
|
|
Generating reports can be resource-intensive. To improve performance, schedule reports during times when traffic volume is low, such as at night or during weekends. To determine the current traffic volumes, see HTTP Throughput Monitor widget. |
Go to Log&Report > Report > Report Config.
Click Create New or select an existing Report Config.
Expand the Schedule section.
Configure these settings:
Click OK.
Selecting the report’s file type & delivery options
When you configure a report profile, you can select one or more file formats in which to save reports generated from the profile. You can also configure the FortiWeb appliance to email the reports to specific recipients or send them to an FTP or TFTP server.
To start at the beginning the report configuration instructions, see To configure a report profile.
Go to Log&Report > Report > Report Config.
Click Create New or select an existing Report Config.
Expand the Output section.
Configure these settings:
| File Output |
Enable file formats that you want to generate and store on the FortiWeb appliance’s hard drive. FortiWeb always generates HTML file format reports (as indicated by the permanently enabled check box), but you can also choose to generate reports in:
|
|
| Email Output | Enable file formats that you want to generate for an email that will be mailed to the recipients defined by the email settings. | |
| Email Policy |
Select the predefined email settings that you want to associate with the report output. This determines who receives the report email. For details about configuring email settings, see Configuring email settings. |
|
| Email Subject | Type the subject line of the email. | |
| Email Body | Type the message body of the email. | |
| Email Attachment Name | Type a file name that will be used for the attached reports. | |
| Compress Report Files | Enable to enclose the generated report formats in a compressed archive, as a single attachment. | |
| FTP/TFTP Output | Select the formats for files that FortiWeb sends to the FTP or TFTP server specified by FTP/TFTP Policy. | |
| FTP/TFTP Policy | Select the policy that defines a connection to the appropriate server. For details, see Configuring FTP/TFTP policies. | |
Click OK.
Viewing & downloading generated reports
Log&Report > Report Browse > Report Browse displays a list of generated reports that you can view, delete, and download.
|
|
In FortiWeb HA clusters, generated reports (PDFs, HTML, RTFs, plain text, or MHT) are recorded on their originating appliance. If you cannot locate a report that should have been generated, a failover may have occurred. Reports generated during that period will be stored on the other appliance. To view those reports, switch to the other appliance. |
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.
Log&Report > Report > Report Browse
|
Refresh (icon) |
Click to refresh the display with the current list of completed, generated reports. |
|
Rename (icon) |
Select the check box next to a report and click Rename to rename it. |
| Report Files |
Displays the name of the generated report, the date and time at which it was generated, and, if necessary to distinguish it from other reports generated at that time, a sequence number. For example, To view the report in HTML format, click the name of the report. The report appears in a pop-up window. To view only an individual section of the report in HTML format, click the blue triangle next to the report name to expand the list of HTML files that comprise the report, then click one of the file names. |
| Started | Displays the data and time when the FortiWeb appliance started to generate the report. |
| Finished | Displays the date and time when the FortiWeb appliance completed the generated report. |
| Size (bytes) |
Displays the file size in bytes of each of the HTML files that comprise an HTML-formatted report. This column is empty for the overall report, and contains sizes only for its component files. To see the component files, click the blue expansion arrow. |
|
Other Formats (links) |
Click the name of an alternative file format, if any were configured to be generated by the report profile, to download the report in that file format. |
See also
Bot analysis
Log&Report > Monitor > Bot Analysis displays statistics on access by automated clients such as search engine indexers, content scrapers, and other tools. Statistics are gathered by DoS prevention in anti-DoS rules, Bad Robot and Allow Known Search Engines. Based on this data, if an automated tool is abusing access, you can configure rate limiting such as with Combination access control & rate limiting.
See also
Blocked users
Monitor > Blocked Users displays information about clients for which FortiWeb is currently blocking requests. You can filter blocked users according to the user tracking rule, site publish rule, or server policy that the user violated. From this window, you can also release blocked users so that FortiWeb no longer blocks request from those users. To do so, click the release icon in the Release column.