FortiView Guide

Drill-Down Options

Double-click, or right-click, on any entry in a FortiView console and select Drill Down to Details to drill down by one of the following options (the options available vary depending on the console selected):

Option Description
Applications Select to drill down by application to view application-related information, including the application name, sessions blocked and allowed, bytes sent and received, and the risk level. You can sort entries by selecting the column header.

Sources Select to drill down by source to view source-related information, including IP address, device type, interface type, threat score, number of sessions blocked/allowed, and bytes sent/received. You can sort entries by selecting the column header.
Destinations Select to drill down by destination to view destination-related information, including the IP address and geographic region, interface, threat score, number of sessions blocked and allowed, and bytes sent and received. You can sort entries by selecting the column header.
Countries Select to drill down by country, including the number of sessions, bytes sent and received, and the bandwidth used. You can sort entries by selecting the column header.
Policies Select to drill down by the policies in use, including source interface, destination interface, bytes sent and received, and bandwidth used. You can sort entries by selecting the column header.
Source Interfaces Select to drill down by source interface, including bytes sent and received, and bandwidth used. You can sort entries by selecting the column header.
Destination Interfaces Select to drill down by destination interface, including bytes sent and received, and bandwidth used. You can sort entries by selecting the column header.
Threats Select to drill down by threat to view threat-related information, including the threat name, category, threat level, threat score, and number of sessions blocked and allowed. You can sort entries by selecting the column header.
Domains Select to drill down by domain to view domain-related information, including domain name, category, browsing time, threat weight, number of sessions blocked/allowed, and bytes sent/received. You can sort entries by selecting the column header.

Categories Select to drill down by category to view category-related information, including category name, browsing time, threat score, number of sessions blocked/allowed, and bytes sent/received. You can sort entries by selecting the column header.
Sessions Select to drill down by session to view session-related information, including date/time, source, destination IP address and geographic region, application name, security action, security event, and bytes sent/received. You can sort entries by selecting the column header.

 

Columns displayed

The following columns appear in the initial window of the dashboards. Some columns may only be visible by selecting them from the column drop-down menu. Options vary depending on the dashboard selected.

Column name Description
Action Displays the type of response taken to a security event. The possible actions are:

- Allowed: No threat was detected and the connection was let through.
- Blocked: A threat was detected and the connection was not let through.
- Reset: A possible issue was detected and the connection was reset.
- Traffic Shape: Some data packets may have been delayed to improve system-wide performance.

Note: This column is only available in the All Sessions console.

Application Displays the application name and service. When Time Display is set to now, you can access further information about an application by selecting the column entry.
Application Category Displays the type of application used in the selected session, e.g. video player, social media.

Note: This column is only available in the All Sessions console.

Application ID Displays the identification number associated with the application used in the selected session.

Note: This column is only available in the All Sessions console.

 

Application Risk (Risk) Displays the application risk level. You can hover the mouse cursor over the entry in the column for additional information, and select the column header to sort entries by level of risk.

Risk uses a 5-point risk rating. The rating system is as follows:

- Critical: Applications that are used to conceal activity to evade detection.
- High: Applications that can cause data leakage, are prone to vulnerabilities, or may download malware.
- Medium: Applications that can be misused.
- Elevated: Applications that are used for personal communications or can lower productivity.
- Low: Business-related applications or other harmless applications.

Bandwidth Displays bandwidth calculated on a per-session level, giving administrators the ability to sort real-time bandwidth usage in descending order.
Browsing Time Displays the amount of time a user has spent browsing a web site (in seconds).

Note: This column is only available in the Web Sites console, in Categories view.

Bytes (Sent/Received) Displays the size of sent and received data packets, as measured in bytes. Select the column header to sort the entries by size.

Note: This information is available on some consoles as two separate columns: Sent and Received.

Category Displays the category descriptor appropriate to whatever console is being displayed. For example, threat categories are displayed in the Threats console.
Cloud User Displays the users accessing cloud applications by IP address.

Note: This column is only available in the Cloud Applications console, in Users view.

Configuration Changes Displays the number of configuration changes made by the user. You can hover the mouse cursor over an entry for additional information.

Note: This column is only available in the Admin Logins console.

 

Connections Displays the number of VPN connections made by the selected user.

Note: This column is only available in the VPN console.

Country Displays the country from which the selected traffic is originating.

Note: This column is only available in the Countries console.

Destination Displays the destination name, IP address and geographic region.
Destination Country Displays the country session data is being sent to.

Note: This column is only available in the All Sessions console.

Destination Interface Displays which interface session data is being sent through, e.g. wan1.
Destination Port Displays the port number of the destination server being used to accept data.

Note: This column is only available in the All Sessions console.

Device Displays the device IP address or Fully Qualified Domain Name (FQDN).
Domain Displays the domain associated with the selected web site, e.g. google.com.

Note: This column is only available in the Web Sites console.

DST NAT IP (NAT Destination) Displays the Network Address Translation (NAT) IP address associated with the destination server.

Note: This column is only available in the All Sessions console.

DST NAT Port (NAT Destination Port) Displays the Network Address Translation (NAT) port number associated with the destination server.

Note: This column is only available in the All Sessions console.

Duration Displays the amount of time (in seconds) a user has been logged in.

Note: This column is only available in the Admin Logins console.

Event Name (Description) Displays the name and description of the selected security event.

Note: This column is only available in the System Events console.

 

Events Displays the number of security events that occurred within a selected session.

Note: This column is only available in the System Events console.

Expires Displays the amount of time a session has (in seconds) before it is set to expire.

Note: This column is only available in the All Sessions console, in now Time Display view.

Failed Logins Displays the number of failed login attempts made by an administrator over the specified time period.

Note: This column is only available in the Admin Logins console.

Files (Up/Down) Displays the number of files uploaded and downloaded. Hover the mouse cursor over the entry in the column for additional information.

Note: This column is only available in the Cloud Applications console.

FortiASIC Displays the type of FortiASIC hardware acceleration used in the specified session, if present.

Note: This column is only available in the All Sessions console, in the now Time Display view.

Group Displays the group ID associated with the selected session.

Note: This column is only available in the All Sessions console.

Last Connection Time Displays the most recent instance of connection to the selected Virtual Private Network (VPN).

Note: This column is only available in the VPN console.

Level (Threat Level) Displays the threat level. Select the column header to sort entries by threat level.
Log ID Displays the identification number for the data log associated with this entry.

Note: This column is only available in the All Sessions console.

 

Login IDs Displays the number of login IDs associated with the selected cloud application.

Note: This column is only available in the Cloud Applications console, in Applications view.

Login Type Displays the type of login (e.g. WEP) associated with the displayed authentication attempt.

Note: This column is only available in the Failed Authentications console.

Logins Displays the number of successful logins made by an administrator over the specified time period.

Note: This column is only available in the Admin Logins console.

Pending Note: This column is only available in the FortiSandbox console, in Source view.
Policy ID Displays the identification number of the policy under which the selected connection was allowed.
Security Action Displays the action taken in response to the selected security event. The possible actions are:

- Allowed: No threat was detected and the connection was let through.
- Blocked: A threat was detected and the connection was not let through.
- Reset: A possible issue was detected and the connection was reset.
- Traffic Shape: Some data packets may have been delayed to improve system-wide performance.

Sessions Displays the number of sessions associated with the selected destination.

Note: This column only appears in the Destinations console, in the now Time Display view.

Sessions (Blocked/Allowed) Displays the number of sessions blocked and allowed by FortiOS. In some consoles, entries can be sorted by number of sessions by selecting the column header.

Severity Displays the severity level (Critical, High, Medium or Low) associated with the selected security event.

 

Source Displays the source IP address and/or user ID, if applicable.
Source Interface Displays the interface on which the session was received by the FortiGate, e.g. wan1.
Source Port Displays the port number being used by the source server to send data.
Source SSID Displays the Service Set Identifier (SSID) associated with the selected user.

Note: This column is only available in the Wifi Clients console.

Src NAT IP (NAT Source) Displays the Network Address Translation (NAT) IP address associated with the source server.
Src NAT Port (NAT Source Port) Displays the Network Address Translation (NAT) port number associated with the source server.
Status The possible statuses are Malicious, High, Medium, Low, Clean, Unknown, and Pending.

Note: This column is only available in the FortiSandbox console, in Files view.

Submitted Displays the number of files submitted to the FortiSandbox for assessment in the selected session.

Note: This column is only available in the FortiSandbox console, in Files view.

Threat Displays the threat type detected in the selected session.
Threat Score (Blocked/Allowed) Displays the threat score value, a measurement of the total number of threats detected over the course of the session. You can select the column header to sort entries by threat score.
Threat Weight Displays the threat weight profile associated with the selected session.
Timestamp Displays the timestamp of the selected session.
User (User Name) Displays the user name associated with the selected administrator.

 

Videos Played Displays the number of videos played via cloud applications.

Note: This column is only available in the Cloud Applications console.

 

Risk level indicators

There are currently two consoles within FortiView that display the Risk associated with the console: Applications and Cloud Applications. Each application poses a different level of risk to the network, represented by a colour code.

The following table identifies each risk level, from least to most severe:

Indicator Risk Description
Green, Risk Level 1: These applications have little to no risk level, with no assigned risk definition. Application file-sharing may result in data leakage, which would be a typical example of a low level risk. An example application would be the Google toolbar, or Dropbox.
Blue, Risk Level 2: These applications have an elevated risk level and typically use excessive bandwidth. High bandwidth consumption can lead to increased operational costs. An example application would be Bittorrent.
Yellow, Risk Level 3: These applications have a medium risk level and are typically evasive. Evasive applications can lead to compliance risks, and could include applications such as JustinTV and GlypeProxy.
Orange, Risk Level 4, and Red, Risk Level 5: These applications have a high risk level, and are defined as both using excessive bandwidth and being evasive. Example applications would be AutoHideIP and PandoraTV. Applications that have a high risk level are prone to malware or vulnerabilities that can introduce business continuity risks.

Troubleshooting FortiView

No logging data is displayed

In order for information to appear in the FortiView consoles, disk logging must be enabled on the FortiGate unit. To enable disk logging in the GUI, go to Log & Report > Log Settings.

Disk logging is disabled by default for some FortiGate units. To enable disk logging, enter the following commands in the CLI:

config log disk setting
    set status enable
end

Only certain FortiGate models support disk logging; refer to the FortiView Feature Support – Platform Matrix for more information.

Logging is enabled, but data is not appearing

Some FortiView consoles require certain features to be enabled and working before they will display any data. For example, the Web Filtering FortiView page requires that a Web Filtering profile be configured in Security Profiles > Web Filter and then applied to a policy in Policy & Objects > IPv4 Policy.

First, ensure the feature is enabled in System > Feature Visibility, and then go to the appropriate page to make sure that the feature is being implemented. If it is working but is producing no data, FortiView will have nothing to display.
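The two preconditions above (disk logging on, and the security feature actually applied to a policy whose traffic is logged) can be checked offline against a backed-up configuration. The following Python is an added example, not code from this page or from Fortinet: it parses the config/edit/set/next/end structure of a FortiOS configuration and reports what would leave FortiView empty. The configuration text is constructed; the 'log disk setting' status key is the one named in this section, and the policy attributes utm-status, webfilter-profile and logtraffic are the standard FortiOS policy keys, assumed here to match the reader's firmware:

```python
"""Check a FortiOS configuration for the FortiView preconditions above.

Added example, not Fortinet code.  SAMPLE_CONFIG is constructed; the
'log disk setting' status key is the one this section names, and the policy
keys utm-status, webfilter-profile and logtraffic are the standard FortiOS
policy attributes (assumed to match the reader's firmware).
"""
import shlex
from typing import Dict, List

ConfigTree = Dict[str, Dict[str, Dict[str, str]]]

# Constructed config with both problems present: disk logging off, and the
# only policy carrying a web filter profile has traffic logging disabled.
SAMPLE_CONFIG = """\
config log disk setting
    set status disable
end
config firewall policy
    edit 1
        set name "lan-to-wan-filtered"
        set srcintf "port1"
        set dstintf "wan1"
        set action accept
        set utm-status enable
        set webfilter-profile "default"
        set logtraffic disable
    next
    edit 2
        set name "lan-to-wan-open"
        set srcintf "port1"
        set dstintf "wan1"
        set action accept
        set logtraffic all
    next
end
"""


def parse_fortios_config(text: str) -> ConfigTree:
    """Parse the config/edit/set/next/end structure into
    {table: {entry: {key: value}}}.  Tables without edit blocks (such as
    'log disk setting') store their keys under the empty entry ''.
    Nested config blocks inside an edit are not handled (not needed here)."""
    tree: ConfigTree = {}
    table = ""
    entry = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        cmd, args = words[0], words[1:]
        if cmd == "config":
            table = " ".join(args)
            tree.setdefault(table, {})
            entry = ""
        elif cmd == "edit":
            entry = args[0]
            tree[table].setdefault(entry, {})
        elif cmd == "set":
            tree[table].setdefault(entry, {})[args[0]] = " ".join(args[1:])
        elif cmd == "next":
            entry = ""
        elif cmd == "end":
            table = ""
            entry = ""
    return tree


def fortiview_checks(text: str) -> List[str]:
    """Return one finding per precondition that would leave FortiView empty."""
    cfg = parse_fortios_config(text)
    findings: List[str] = []
    # An absent status key is treated as not enabled, since the page says
    # disk logging is off by default on some units.
    disk = cfg.get("log disk setting", {}).get("", {})
    if disk.get("status") != "enable":
        findings.append("disk logging is not enabled: config log disk setting / set status enable")
    policies = cfg.get("firewall policy", {})
    if not any(p.get("webfilter-profile") for p in policies.values()):
        findings.append("no firewall policy applies a webfilter-profile, so the Web Filter console has no data")
    for pid, pol in policies.items():
        if pol.get("webfilter-profile") and pol.get("utm-status") != "enable":
            findings.append(f"policy {pid} sets webfilter-profile but utm-status is not enable")
        if pol.get("logtraffic") == "disable":
            findings.append(f"policy {pid} has logtraffic disable, so its sessions are never logged")
    return findings


if __name__ == "__main__":
    for finding in fortiview_checks(SAMPLE_CONFIG) or ["no problems found"]:
        print("-", finding)
```

Feed it the text of a configuration backup (System > Config > Backup, or `show` output from the CLI). The per-policy logtraffic check is the one most often missed: a policy can carry the right profile and still contribute nothing to FortiView if its own logging is disabled.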




About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

5 thoughts on “FortiView Guide”

  1. TOGE

    Hello Mike,

    Useful and interesting Post !

    I have some trouble with FortiView and I'd love to ask a question.

    I have two FortiGate devices in two different companies, FG VM64 and FG-200E.
    Under fortiview / Traffic from LANDMZ / Sources, i want to see and filter logs by “user”.
    FG-200E can filter by username and also has many other options to filter logs, but FGVM64 has only “Source” and “Source Device” filter applicable.

    My question is: Doesn't VM64 support other filter options, or do I have to turn something on to enable the filter options?

    Note: FG200E is logging in memory, whereas FGVM64 has disk logging enabled. Both of them have traffic logging enabled (under Policy / Logging Options / Log Allowed Traffic / All Sessions) and both of them are using DC Agent to poll the user database from AD. I know DC Agent is configured well because everything else is working fine and I can see users under Monitor / Firewall User Monitor and under Log & Report / Forward Traffic.

    I already tried using different Browsers.

    Regards.

    1. Mike Post author

      So both FortiGates are configured the same? The only difference is the platform it is on? (appliance vs VM)

      1. TOGE

        Hello and thanks for a quick response !

        No, configurations are different, but both are using DC agent to poll users from AD and then users are matched under different policies to give them different web access privileges.

        Under fortiview/source, Physical version has way more options to filter traffic, than VM version.

        But yesterday I asked a friend of mine, who has an FG100E (no DC agent on it, used as transparent), and he also doesn't have those additional filters available. So I don't think that it's physical/virtual related.

        Could it be because of software version ?
        FG200E: v6.0.2
        FG100E and VM: v6.0.4

  2. irabor

    Hello Mike,
    I configured FortiGate to serve as a web proxy; I configured the rules under the Proxy tab, with no rules in the IPv4 Policy section. I am not seeing logs in FortiView, but when I go to the proxy policy, right-click and click on ‘show matching logs’, I can see logs.
    What am I doing wrong?

