Fortinet white logo
Fortinet white logo

Administration Guide

Reports

Reports

FortiWeb can generate reports based on:

  • traffic statistics collected by policies (see Bot analysis)
  • attack, event, and traffic log messages
  • vulnerability scans for PCI compliance

When generating a log-based or scan-based report, FortiWeb appliances collate information collected from log files and scan results, and present the information in tabular and graphical format.

Before it can generate a report, in addition to log files and scan results, FortiWeb appliances require a report profile in order to generate a report. A report profile is a group of settings that contains the report name, file format, subject matter, and other aspects that the FortiWeb appliance considers when generating the report.

FortiWeb appliances can generate reports automatically, according to the schedule that you configure in the report profile, or manually, when you click the Run now icon in the report profile list.

Consider sending reports to your web developers to provide feedback. If your organization develops web applications in-house, this can be a useful way to quickly provide them information on how to improve the security of the application.

Generating reports can be resource intensive. To avoid traffic processing performance impacts, you may want to generate reports during times with low traffic volume, such as at night or weekends. For details about scheduling the generation of reports, see Scheduling reports. To determine the current traffic volume, see HTTP Throughput Monitor widget.
To configure a report profile

Before you generate a report, collect log data and/or vulnerability scan data that will be the basis of the report. For details about enabling logging to the local hard disk, see Configuring logging and Vulnerability scans.

Go to Log&Report > Report > Report Config.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

Click Create New.

In Report Name, type the name of the report as it will be referenced in the configuration. The name cannot contain spaces and is limited to 63 characters.

Select one of the below Types:

On Schedule: Select to run the report at configured intervals. To configure a schedule, see Scheduling reports.

On Demand: Select to run the report after you complete the configuration.

For on-demand reports, the FortiWeb appliance does not save the report profile after the generating the report. If you want to save the report profile, but do not want to generate the report at regular intervals, select On Schedule, but then in the Schedule section, select Not Scheduled.

In Report Title, type a display name that will appear in the title area of the report. The title may include spaces and is limited to 42 characters.

In Description, type a comment or other description. There is a 199 character limit.

Click the blue expansion arrow next to each section, and configure these settings:

Properties Select to add logos, headers, footers and company information to customize the report. For details, see Customizing the report’s headers, footers, & logo.
Report Scope Select the time span of log messages from which to generate the report. You can also create a data filter to include in the report only those logs that match a set of criteria. For details, see Restricting the report’s scope.
Report Types Select one or more subject matters to include in the report. For details, see Choosing the type & format of a report profile.
Report Format Select the number of top items to include in ranked report subtypes, and other advanced features. For details, see Choosing the type & format of a report profile.
Schedule

Select when the FortiWeb appliance will run the report, such as weekly or monthly. For details, see Scheduling reports.

This section is available only if Type is On Schedule.

Output Select the file formats and destination email addresses, if any, of reports generated from this report profile. For details, see Selecting the report’s file type & delivery options.

Click OK.

On-demand reports are generated immediately. Scheduled reports are generated at intervals set in the schedule. For details about viewing generated reports, see Viewing & downloading generated reports.

To generate a report immediately

Mark the check box of the report.

Click Run now.

See also

Customizing the report’s headers, footers, & logo

When configuring a report profile, you can provide text and logos to customize the appearance of reports generated from the profile.

To upload a logo file

Go to Log&Report > Report > Report Config.

Click Create New or select an existing Report Config.

Expand the Properties section.

Configure these settings:

Company Name Type the name of your company or other organization.
Header Comment Type a title or other information to include in the header.
Footer Comment

Select which information to include in the footer:

  • Report Title—Use the text from Report Name.
  • Custom—Use other text that you type into the field to the right of this option.
Title Page Logo

Select No Logo to omit the title page logo.

Select Custom to include a logo, then click Select to locate the logo file, and click Upload to save it to the FortiWeb appliance’s hard disk for use in the report title page.

Header Logo

Select No Logo to omit the header logo.

Select Custom to include a logo, then click Select to locate the logo file, and click Upload to save it to the FortiWeb appliance’s hard disk for use in the report header. The header logo will appear on every page in PDF- and Microsoft Word (RTF)-formatted reports, and at the top of the page in HTML-formatted reports.

Click OK.

The name of the logo appears next to Custom on the Report Config.

When adding a logo to the report, select a logo file format that is compatible with your selected file format outputs. If you select a logo that is not supported for a file format, the logo will not appear in that output. For example, if you provide a logo graphic in WMF format, it will not appear in PDF or HTML output.

Report file formats and their supported logo file formats
PDF reports JPG, PNG, GIF
RTF reports JPG, PNG, GIF, WMF
HTML reports JPG, PNG, GIF
To delete a logo file

Go to Log&Report > Report > Report Config.

Select a Report Config within which you want to delete a logo file.

Expand the Properties section of the Report Config dialog.

Click the Select link beside the logo name you want to remove in either Title Page Logo or Header Logo.

Select the logo to remove.

Click Delete.

Restricting the report’s scope

When configuring a report profile, you can select the time span of log messages from which to generate the report. You can also filter out log messages that you do not want to include in the report. To start at the beginning of the report configuration instructions, see To configure a report profile.

Go to Log&Report > Report > Report Config.

Click Create New or select an existing Report Config.

Expand the Report Scope section. Also expand the Time Period and Data Filter sections.

Configure these settings:

Time Period

Select the time span of the report, such as This Month or Last N Days.

Alternatively, select and configure the From Date and To Date.

Past N Hours

Past N Days

Past N Weeks

Enter the number N of the appliance of time.

This option appears only when you have selected Last N Hours, Last N Days, or Last N Weeks from Time Period, and therefore must define N.

From Date

Hour

Select and configure the beginning of the time span. For example, you may want the report to include log messages starting from May 5, 2006 at 6 PM. You must also configure To Date.

To Date

Hour

Select to configure the end of the time span. For example, you may want the report to include log messages up to May 6, at 12 AM. You must also select and configure From Date.
None Select this option to include all log messages within the time span.
Include logs that match the following criteria

Select this option to include only the log messages whose values match your filter criteria, such as Priority. Also select whether log messages must meet every other configured criteria (all) or if meeting any one of them is sufficient (any) to be included.

To exclude the log messages which match a criterion, mark its not check box, located on the right-hand side of the criterion.

Priority Mark the check box to filter by log severity threshold (in raw logs, the pri field), then select the name of the severity, such as Emergency, and whether to include logs that are greater than or equal to (>=), equal to (=), or less than or equal to (<=) that severity.
Source(s)

Type the source IP address (in raw logs, the src field) that log messages must match.

Note: Source(s) may be the IP address according to an HTTP header such as X-Forwarded-For: instead of the SRC at the IP layer. For details, see Defining your proxies, clients, & X-headers.

Destination(s) Type the destination IP address (in raw logs, the dst field) that log messages must match.
Http Method(s) Type the HTTP method (in raw logs, the http_method field) that log messages must match, such as get or post.

HTTP Host(s)

Type the HTTP host (in raw logs, the host field) that log messages must match.

HTTP URL(s)

Type the HTTP URL that log messages must match.
Only fuzzy matching is supported. For example, "/this/is/a/test/url3/" is supported, while "/this/is/a/test/url3/?oramon.inioramon.ini" will cause the filtering fail.

User(s) Type the administrator account name (in raw logs, the user field) that log messages must match, such as admin.
Action(s) Type the action (in raw logs, the action field) that log messages must match, such as login or Alert.
Sub Type(s) Type the subtype (in raw logs, the subtype field) that log messages must match, such as waf_information.
Policy(s) Type the policy name (in raw logs, the policy field) that log messages must match.
Service(s) Type the service name (in raw logs, the src field) that log messages must match, such as http or https.
Message(s) Type the message (in raw logs, the msg field) that log messages must match.
Signature Subclass Type(s) Type the signature subclass type (in raw logs, the signature_subclass field) that log messages must match.
Signature ID(s) Type the signature ID value (in raw logs, the signature_id field) that log messages must match.
Source Country(s) Type the source country value (in raw logs, the srccountry field) that log messages must match.

False Positive Mitigation

Type the specific signature being applied with False Positive Mitigation. The log messages must match the specified signature.

HTTP Referer

Type the HTTP referer value that log messages must match.

HTTP Version

Type the HTTP version that log messages must match.

Day of Week Mark the check boxes for the days of the week whose log messages you want to include.

Click OK.

Choosing the type & format of a report profile

When configuring a report profile, you can select one or more queries or query groups that define the subject matter of the report.

When configuring a report profile, you can configure various advanced options that affect how many log messages are used to formulate ranked report subtypes, and how results will be displayed.

To start at the beginning of the report configuration instructions, see To configure a report profile.

Go to Log&Report > Report > Report Config.

Click Create New or select an existing Report Config.

Expand the Report Type(s) and Report Format sections.

Configure these settings:

Report Types

Each query group contains multiple individual queries, each of which correspond to a chart that will appear in the generated report. You can select all queries within the group by marking the check box of the query group, or you can expand the query group and then individually select each query that you want to include:

  • PCI Reports
  • Attack Activity
  • Traffic Activity
  • Event activity

For example:

  • If you want the report to include charts about both normal traffic and attacks, you might enable both of the query groups Attack Activity and Event Activity.
  • If you want the report to specifically include only a chart about top system event types, you might expand the query group Event Activity, then enable only the individual query Top Event Types.
Report Format
Include reports with no matching data Enable to include reports for which there is no data. A blank report will appear in the summary. You might enable this option to verify inclusion of report types selected in the report profile when filter criteria or absent logs would normally cause the report type to be omitted.
Advanced
In ‘Ranked Reports’ show top

Ranked reports (top x, or top y of top x) can include a different number of results per cross-section, then combine remaining results under “Others.” For example, in Top Sources By Top Destination, the report includes the top x destination IP addresses, and their top y source IP addresses, then groups the remaining results. You can configure both x and y in the Advanced section of Report Format

In ranked reports, (“top x” report types, such as Top Attack Type), you can specify how many items from the top rank will be included in the report. For example, you could set the Top Attack URLs report to include up to 30 of the top x denied URLs by entering 30 for values of the first variable 1.. 30.

Some ranked reports rank not just one aspect, but two, such as Top Sources By Top Destination: this report ranks top source IP addresses for each of the top destination IP addresses. For these double ranked reports, you can also configure the rank threshold of the second aspect by entering the second threshold in values of the second variable for each value of the first variable 1..30.

Note: Reports that do not include “Top” in their name display all results. Changing the ranked reports values will not affect these reports.

values of the first variable 1.. 30 Type the value of x.
values of the second variable for each value of the first variable 1.. 30

Type the value of y.

This value is only considered if the report rankings are nested (i.e. top y of top x).

Include Summary Information Enable to include a listing of the report profile settings.
Include Table of Contents Enable to include a table of contents for the report.

Click OK.

Scheduling reports

When configuring a report profile, you can select whether the FortiWeb appliance will generate the report on demand or according to the schedule that you configure.

To start at the beginning of the report configuration instructions, see To configure a report profile.

Generating reports can be resource-intensive. To improve performance, schedule reports during times when traffic volume is low, such as at night or during weekends. To determine the current traffic volumes, see HTTP Throughput Monitor widget.

Go to Log&Report > Report > Report Config.

Click Create New or select an existing Report Config.

Expand the Schedule section.

Configure these settings:

Schedules
Not Scheduled

Select if you do not want the FortiWeb appliance to generate the report automatically according to a schedule.

If you select this option, the report will only be generated on demand, when you manually click the Run now icon from the report profile list.

Daily Select to generate the report each day. Also configure Time.
These Days Select to generate the report on specific days of each week, then mark the check boxes for those days. Also configure Time.
These Dates

Select to generate the report on specific date of each month, then enter those date numbers. Separate multiple date numbers with a comma. Also configure Time.

For example, to generate a report on the first and 30th day of every month, enter 1,30.

Time

Select the time of the day when the report will be generated.

This option does not apply if you have selected Not Scheduled.

Click OK.

Selecting the report’s file type & delivery options

When you configure a report profile, you can select one or more file formats in which to save reports generated from the profile. You can also configure the FortiWeb appliance to email the reports to specific recipients or send them to an FTP or TFTP server.

To start at the beginning the report configuration instructions, see To configure a report profile.

Go to Log&Report > Report > Report Config.

Click Create New or select an existing Report Config.

Expand the Output section.

Configure these settings:

File Output

Enable file formats that you want to generate and store on the FortiWeb appliance’s hard drive.

FortiWeb always generates HTML file format reports (as indicated by the permanently enabled check box), but you can also choose to generate reports in:

  • PDF
  • MS Word (RTF)
  • plain text (Text), and
  • MIME HTML (MHT, which can be included in email)
Email Output Enable file formats that you want to generate for an email that will be mailed to the recipients defined by the email settings.
Email Policy

Select the predefined email settings that you want to associate with the report output. This determines who receives the report email.

For details about configuring email settings, see Configuring email settings.

Email Subject Type the subject line of the email.
Email Body Type the message body of the email.
Email Attachment Name Type a file name that will be used for the attached reports.
Compress Report Files Enable to enclose the generated report formats in a compressed archive, as a single attachment.
FTP/TFTP Output Select the formats for files that FortiWeb sends to the FTP or TFTP server specified by FTP/TFTP Policy.
FTP/TFTP Policy Select the policy that defines a connection to the appropriate server. For details, see Configuring FTP/TFTP policies.

Click OK.

Viewing & downloading generated reports

Log&Report > Report Browse > Report Browse displays a list of generated reports that you can view, delete, and download.

In FortiWeb HA clusters, generated reports (PDFs, HTML, RTFs, plain text, or MHT) are recorded on their originating appliance. If you cannot locate a report that should have been generated, a failover may have occurred. Reports generated during that period will be stored on the other appliance. To view those reports, switch to the other appliance.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

Log&Report > Report > Report Browse

Refresh

(icon)

Click to refresh the display with the current list of completed, generated reports.

Rename

(icon)

Select the check box next to a report and click Rename to rename it.
Report Files

Displays the name of the generated report, the date and time at which it was generated, and, if necessary to distinguish it from other reports generated at that time, a sequence number.

For example, Report_1-2008-03-31-2112_018 is a report named “Report_1”, generated on March 31, 2008 at 9:12 PM. It was the nineteenth report generated at that date and time (the first report generated at that time did not have a sequence number).

To view the report in HTML format, click the name of the report. The report appears in a pop-up window.

To view only an individual section of the report in HTML format, click the blue triangle next to the report name to expand the list of HTML files that comprise the report, then click one of the file names.

Started Displays the data and time when the FortiWeb appliance started to generate the report.
Finished Displays the date and time when the FortiWeb appliance completed the generated report.
Size (bytes)

Displays the file size in bytes of each of the HTML files that comprise an HTML-formatted report.

This column is empty for the overall report, and contains sizes only for its component files. To see the component files, click the blue expansion arrow.

Other Formats

(links)

Click the name of an alternative file format, if any were configured to be generated by the report profile, to download the report in that file format.
See also

Bot analysis

Log&Report > Monitor > Bot Analysis displays statistics on access by automated clients such as search engine indexers, content scrapers, and other tools. Statistics are gathered by DoS prevention in anti-DoS rules, Bad Robot and Allow Known Search Engines. Based on this data, if an automated tool is abusing access, you can configure rate limiting such as with Combination access control & rate limiting.

See also

Blocked users

Monitor > Blocked Users displays information about clients for which FortiWeb is currently blocking requests. You can filter blocked users according to the user tracking rule, site publish rule, or server policy that the user violated. From this window, you can also release blocked users so that FortiWeb no longer blocks request from those users. To do so, click the release icon in the Release column.

See also

Reports

Reports

FortiWeb can generate reports based on:

  • traffic statistics collected by policies (see Bot analysis)
  • attack, event, and traffic log messages
  • vulnerability scans for PCI compliance

When generating a log-based or scan-based report, FortiWeb appliances collate information collected from log files and scan results, and present the information in tabular and graphical format.

Before it can generate a report, in addition to log files and scan results, FortiWeb appliances require a report profile in order to generate a report. A report profile is a group of settings that contains the report name, file format, subject matter, and other aspects that the FortiWeb appliance considers when generating the report.

FortiWeb appliances can generate reports automatically, according to the schedule that you configure in the report profile, or manually, when you click the Run now icon in the report profile list.

Consider sending reports to your web developers to provide feedback. If your organization develops web applications in-house, this can be a useful way to quickly provide them information on how to improve the security of the application.

Generating reports can be resource intensive. To avoid traffic processing performance impacts, you may want to generate reports during times with low traffic volume, such as at night or weekends. For details about scheduling the generation of reports, see Scheduling reports. To determine the current traffic volume, see HTTP Throughput Monitor widget.
To configure a report profile

Before you generate a report, collect log data and/or vulnerability scan data that will be the basis of the report. For details about enabling logging to the local hard disk, see Configuring logging and Vulnerability scans.

Go to Log&Report > Report > Report Config.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

Click Create New.

In Report Name, type the name of the report as it will be referenced in the configuration. The name cannot contain spaces and is limited to 63 characters.

Select one of the below Types:

On Schedule: Select to run the report at configured intervals. To configure a schedule, see Scheduling reports.

On Demand: Select to run the report after you complete the configuration.

For on-demand reports, the FortiWeb appliance does not save the report profile after the generating the report. If you want to save the report profile, but do not want to generate the report at regular intervals, select On Schedule, but then in the Schedule section, select Not Scheduled.

In Report Title, type a display name that will appear in the title area of the report. The title may include spaces and is limited to 42 characters.

In Description, type a comment or other description. There is a 199 character limit.

Click the blue expansion arrow next to each section, and configure these settings:

Properties Select to add logos, headers, footers and company information to customize the report. For details, see Customizing the report’s headers, footers, & logo.
Report Scope Select the time span of log messages from which to generate the report. You can also create a data filter to include in the report only those logs that match a set of criteria. For details, see Restricting the report’s scope.
Report Types Select one or more subject matters to include in the report. For details, see Choosing the type & format of a report profile.
Report Format Select the number of top items to include in ranked report subtypes, and other advanced features. For details, see Choosing the type & format of a report profile.
Schedule

Select when the FortiWeb appliance will run the report, such as weekly or monthly. For details, see Scheduling reports.

This section is available only if Type is On Schedule.

Output Select the file formats and destination email addresses, if any, of reports generated from this report profile. For details, see Selecting the report’s file type & delivery options.

Click OK.

On-demand reports are generated immediately. Scheduled reports are generated at intervals set in the schedule. For details about viewing generated reports, see Viewing & downloading generated reports.

To generate a report immediately

Mark the check box of the report.

Click Run now.

See also

Customizing the report’s headers, footers, & logo

When configuring a report profile, you can provide text and logos to customize the appearance of reports generated from the profile.

To upload a logo file

Go to Log&Report > Report > Report Config.

Click Create New or select an existing Report Config.

Expand the Properties section.

Configure these settings:

Company Name Type the name of your company or other organization.
Header Comment Type a title or other information to include in the header.
Footer Comment

Select which information to include in the footer:

  • Report Title—Use the text from Report Name.
  • Custom—Use other text that you type into the field to the right of this option.
Title Page Logo

Select No Logo to omit the title page logo.

Select Custom to include a logo, then click Select to locate the logo file, and click Upload to save it to the FortiWeb appliance’s hard disk for use in the report title page.

Header Logo

Select No Logo to omit the header logo.

Select Custom to include a logo, then click Select to locate the logo file, and click Upload to save it to the FortiWeb appliance’s hard disk for use in the report header. The header logo will appear on every page in PDF- and Microsoft Word (RTF)-formatted reports, and at the top of the page in HTML-formatted reports.

Click OK.

The name of the logo appears next to Custom on the Report Config.

When adding a logo to the report, select a logo file format that is compatible with your selected file format outputs. If you select a logo that is not supported for a file format, the logo will not appear in that output. For example, if you provide a logo graphic in WMF format, it will not appear in PDF or HTML output.

Report file formats and their supported logo file formats
PDF reports JPG, PNG, GIF
RTF reports JPG, PNG, GIF, WMF
HTML reports JPG, PNG, GIF
To delete a logo file

Go to Log&Report > Report > Report Config.

Select a Report Config within which you want to delete a logo file.

Expand the Properties section of the Report Config dialog.

Click the Select link beside the logo name you want to remove in either Title Page Logo or Header Logo.

Select the logo to remove.

Click Delete.

Restricting the report’s scope

When configuring a report profile, you can select the time span of log messages from which to generate the report. You can also filter out log messages that you do not want to include in the report. To start at the beginning of the report configuration instructions, see To configure a report profile.

Go to Log&Report > Report > Report Config.

Click Create New or select an existing Report Config.

Expand the Report Scope section. Also expand the Time Period and Data Filter sections.

Configure these settings:

Time Period

Select the time span of the report, such as This Month or Last N Days.

Alternatively, select and configure the From Date and To Date.

Past N Hours

Past N Days

Past N Weeks

Enter the number N of the appliance of time.

This option appears only when you have selected Last N Hours, Last N Days, or Last N Weeks from Time Period, and therefore must define N.

From Date

Hour

Select and configure the beginning of the time span. For example, you may want the report to include log messages starting from May 5, 2006 at 6 PM. You must also configure To Date.

To Date

Hour

Select to configure the end of the time span. For example, you may want the report to include log messages up to May 6, at 12 AM. You must also select and configure From Date.
None Select this option to include all log messages within the time span.
Include logs that match the following criteria

Select this option to include only the log messages whose values match your filter criteria, such as Priority. Also select whether log messages must meet every other configured criteria (all) or if meeting any one of them is sufficient (any) to be included.

To exclude the log messages which match a criterion, mark its not check box, located on the right-hand side of the criterion.

Priority Mark the check box to filter by log severity threshold (in raw logs, the pri field), then select the name of the severity, such as Emergency, and whether to include logs that are greater than or equal to (>=), equal to (=), or less than or equal to (<=) that severity.
Source(s)

Type the source IP address (in raw logs, the src field) that log messages must match.

Note: Source(s) may be the IP address according to an HTTP header such as X-Forwarded-For: instead of the SRC at the IP layer. For details, see Defining your proxies, clients, & X-headers.

Destination(s) Type the destination IP address (in raw logs, the dst field) that log messages must match.
Http Method(s) Type the HTTP method (in raw logs, the http_method field) that log messages must match, such as get or post.

HTTP Host(s)

Type the HTTP host (in raw logs, the host field) that log messages must match.

HTTP URL(s)

Type the HTTP URL that log messages must match.
Only fuzzy matching is supported. For example, "/this/is/a/test/url3/" is supported, while "/this/is/a/test/url3/?oramon.inioramon.ini" will cause the filtering fail.

User(s) Type the administrator account name (in raw logs, the user field) that log messages must match, such as admin.
Action(s) Type the action (in raw logs, the action field) that log messages must match, such as login or Alert.
Sub Type(s) Type the subtype (in raw logs, the subtype field) that log messages must match, such as waf_information.
Policy(s) Type the policy name (in raw logs, the policy field) that log messages must match.
Service(s) Type the service name (in raw logs, the src field) that log messages must match, such as http or https.
Message(s) Type the message (in raw logs, the msg field) that log messages must match.
Signature Subclass Type(s) Type the signature subclass type (in raw logs, the signature_subclass field) that log messages must match.
Signature ID(s) Type the signature ID value (in raw logs, the signature_id field) that log messages must match.
Source Country(s) Type the source country value (in raw logs, the srccountry field) that log messages must match.

False Positive Mitigation

Type the specific signature being applied with False Positive Mitigation. The log messages must match the specified signature.

HTTP Referer

Type the HTTP referer value that log messages must match.

HTTP Version

Type the HTTP version that log messages must match.

Day of Week Mark the check boxes for the days of the week whose log messages you want to include.

Click OK.

Choosing the type & format of a report profile

When configuring a report profile, you can select one or more queries or query groups that define the subject matter of the report.

When configuring a report profile, you can configure various advanced options that affect how many log messages are used to formulate ranked report subtypes, and how results will be displayed.

To start at the beginning of the report configuration instructions, see To configure a report profile.

Go to Log&Report > Report > Report Config.

Click Create New or select an existing Report Config.

Expand the Report Type(s) and Report Format sections.

Configure these settings:

Report Types

Each query group contains multiple individual queries, each of which correspond to a chart that will appear in the generated report. You can select all queries within the group by marking the check box of the query group, or you can expand the query group and then individually select each query that you want to include:

  • PCI Reports
  • Attack Activity
  • Traffic Activity
  • Event activity

For example:

  • If you want the report to include charts about both normal traffic and attacks, you might enable both of the query groups Attack Activity and Event Activity.
  • If you want the report to specifically include only a chart about top system event types, you might expand the query group Event Activity, then enable only the individual query Top Event Types.
Report Format
Include reports with no matching data Enable to include reports for which there is no data. A blank report will appear in the summary. You might enable this option to verify inclusion of report types selected in the report profile when filter criteria or absent logs would normally cause the report type to be omitted.
Advanced
In ‘Ranked Reports’ show top

Ranked reports (top x, or top y of top x) can include a different number of results per cross-section, then combine remaining results under “Others.” For example, in Top Sources By Top Destination, the report includes the top x destination IP addresses, and their top y source IP addresses, then groups the remaining results. You can configure both x and y in the Advanced section of Report Format

In ranked reports, (“top x” report types, such as Top Attack Type), you can specify how many items from the top rank will be included in the report. For example, you could set the Top Attack URLs report to include up to 30 of the top x denied URLs by entering 30 for values of the first variable 1.. 30.

Some ranked reports rank not just one aspect, but two, such as Top Sources By Top Destination: this report ranks top source IP addresses for each of the top destination IP addresses. For these double ranked reports, you can also configure the rank threshold of the second aspect by entering the second threshold in values of the second variable for each value of the first variable 1..30.

Note: Reports that do not include “Top” in their name display all results. Changing the ranked reports values will not affect these reports.

values of the first variable 1.. 30 Type the value of x.
values of the second variable for each value of the first variable 1.. 30

Type the value of y.

This value is only considered if the report rankings are nested (i.e. top y of top x).

Include Summary Information Enable to include a listing of the report profile settings.
Include Table of Contents Enable to include a table of contents for the report.

Click OK.

Scheduling reports

When configuring a report profile, you can select whether the FortiWeb appliance will generate the report on demand or according to the schedule that you configure.

To start at the beginning of the report configuration instructions, see To configure a report profile.

Generating reports can be resource-intensive. To improve performance, schedule reports during times when traffic volume is low, such as at night or during weekends. To determine the current traffic volumes, see HTTP Throughput Monitor widget.

Go to Log&Report > Report > Report Config.

Click Create New or select an existing Report Config.

Expand the Schedule section.

Configure these settings:

Schedules
Not Scheduled

Select if you do not want the FortiWeb appliance to generate the report automatically according to a schedule.

If you select this option, the report will only be generated on demand, when you manually click the Run now icon from the report profile list.

Daily Select to generate the report each day. Also configure Time.
These Days Select to generate the report on specific days of each week, then mark the check boxes for those days. Also configure Time.
These Dates

Select to generate the report on specific date of each month, then enter those date numbers. Separate multiple date numbers with a comma. Also configure Time.

For example, to generate a report on the first and 30th day of every month, enter 1,30.

Time

Select the time of the day when the report will be generated.

This option does not apply if you have selected Not Scheduled.

Click OK.

Selecting the report’s file type & delivery options

When you configure a report profile, you can select one or more file formats in which to save reports generated from the profile. You can also configure the FortiWeb appliance to email the reports to specific recipients or send them to an FTP or TFTP server.

To start at the beginning the report configuration instructions, see To configure a report profile.

Go to Log&Report > Report > Report Config.

Click Create New or select an existing Report Config.

Expand the Output section.

Configure these settings:

File Output

Enable file formats that you want to generate and store on the FortiWeb appliance’s hard drive.

FortiWeb always generates HTML file format reports (as indicated by the permanently enabled check box), but you can also choose to generate reports in:

  • PDF
  • MS Word (RTF)
  • plain text (Text), and
  • MIME HTML (MHT, which can be included in email)
Email Output Enable file formats that you want to generate for an email that will be mailed to the recipients defined by the email settings.
Email Policy

Select the predefined email settings that you want to associate with the report output. This determines who receives the report email.

For details about configuring email settings, see Configuring email settings.

Email Subject Type the subject line of the email.
Email Body Type the message body of the email.
Email Attachment Name Type a file name that will be used for the attached reports.
Compress Report Files Enable to enclose the generated report formats in a compressed archive, as a single attachment.
FTP/TFTP Output Select the formats for files that FortiWeb sends to the FTP or TFTP server specified by FTP/TFTP Policy.
FTP/TFTP Policy Select the policy that defines a connection to the appropriate server. For details, see Configuring FTP/TFTP policies.

Click OK.

Viewing & downloading generated reports

Log&Report > Report Browse > Report Browse displays a list of generated reports that you can view, delete, and download.

In FortiWeb HA clusters, generated reports (PDFs, HTML, RTFs, plain text, or MHT) are recorded on their originating appliance. If you cannot locate a report that should have been generated, a failover may have occurred. Reports generated during that period will be stored on the other appliance. To view those reports, switch to the other appliance.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log & Report category. For details, see Permissions.

Log&Report > Report > Report Browse

Refresh

(icon)

Click to refresh the display with the current list of completed, generated reports.

Rename

(icon)

Select the check box next to a report and click Rename to rename it.
Report Files

Displays the name of the generated report, the date and time at which it was generated, and, if necessary to distinguish it from other reports generated at that time, a sequence number.

For example, Report_1-2008-03-31-2112_018 is a report named “Report_1”, generated on March 31, 2008 at 9:12 PM. It was the nineteenth report generated at that date and time (the first report generated at that time did not have a sequence number).

To view the report in HTML format, click the name of the report. The report appears in a pop-up window.

To view only an individual section of the report in HTML format, click the blue triangle next to the report name to expand the list of HTML files that comprise the report, then click one of the file names.

Started Displays the data and time when the FortiWeb appliance started to generate the report.
Finished Displays the date and time when the FortiWeb appliance completed the generated report.
Size (bytes)

Displays the file size in bytes of each of the HTML files that comprise an HTML-formatted report.

This column is empty for the overall report, and contains sizes only for its component files. To see the component files, click the blue expansion arrow.

Other Formats

(links)

Click the name of an alternative file format, if any were configured to be generated by the report profile, to download the report in that file format.
See also

Bot analysis

Log&Report > Monitor > Bot Analysis displays statistics on access by automated clients such as search engine indexers, content scrapers, and other tools. Statistics are gathered by DoS prevention in anti-DoS rules, Bad Robot and Allow Known Search Engines. Based on this data, if an automated tool is abusing access, you can configure rate limiting such as with Combination access control & rate limiting.

See also

Blocked users

Monitor > Blocked Users displays information about clients for which FortiWeb is currently blocking requests. You can filter blocked users according to the user tracking rule, site publish rule, or server policy that the user violated. From this window, you can also release blocked users so that FortiWeb no longer blocks request from those users. To do so, click the release icon in the Release column.

See also