FortiView interface

FortiView lets you access information about the traffic activity on your FortiGate, visually and textually. FortiView is broken up into several consoles, each of which features a top menu bar and a graph window, as seen in the following image:

FortiView Application console sorted by Sessions (Blocked/Allowed)

The top menu bar features:

• a Refresh button, which updates the data displayed, l a Filter button, for filtering the data by category, l a Settings button (containing additional viewing settings and a link to the Threat Weight menu).
• a drop-down menu of different views:
• Time Display (options: now, 5 minutes, 1 hour, or 24 hours), l Table View l Timeline View l Bubble Chart ^[1]l Country Map

interface

The FortiView graph

The graph window can be hidden using the X in the top right corner, and re-added by selecting Show Graph. To zoom in on a particular section of the graph, click and drag from one end of the desired section to the other. This will appear in the Time Display options as a Custom selection. The minimum selection size is 60 seconds.

Bubble Chart Visualization

Notes about the Bubble Chart:

• It is possible to sort on the Bubble Chart using the Sort By: dropdown menu. l The size of each bubble represents the related amount of data.
• Place your cursor over a bubble to display a tool-tip with detailed info on that item. l You can click on a bubble to drilldown into greater (filtered) detail.

interface

Links created between FortiView and View/Create Policy

The Policy column in FortiView consoles and the Log Viewer pages includes a link, which navigates to the IPv4 or IPv6 policy list and highlights the policy.

Right-clicking on a row in FortiView or the Log Viewer has menu items for Block Source, Block Destination and Quarantine Source where appropriate columns are available to determine these values. When multiple rows are selected, the user will be prompted to create a named Address Group to contain the new addresses.

When the user clicks Block Source or Block Destination they are taken to a policy creation page with enough information filled in to create a policy blocking the requested IP traffic.

The policy page will feature an informational message block at the top describing the actions that will be taken. Once the user submits the form, the requisite addresses, groups and policy will be created at once.

If the user clicks on Quarantine User then they will be prompted for a duration. They may also check a box for a Permanent Ban. The user can manage quarantined users under Monitor > Quarantine Monitor.

Visualization support for the Admin Logins page

A useful chart is generated for Admin login events under FortiView > Admin Logins. You can view the information in either Table View or Timeline View (shown below). In Timeline View, each line represents on administrator, with individual sessions indicated per administrator line. When you hover over a particular timeline, detailed information appears in a tooltip.

Realtime visualization

To enable realtime visualization:

1. Click on the Settings icon next to the upper right-hand corner and select Auto update realtime visualizations.

An option is displayed to set the Interval (seconds). The maximum value is 300.

2. Enter a desired Interval and click Apply.

Accelerated sessions

When viewing sessions in the All Sessions console, information pertaining to NP4/ NP6 acceleration is now reflected via an appropriate icon in the table. The tooltip for the icon includes the NP chip type and its total number of accelerated sessions.

Filtering on accelerated sessions

You can filter the console on ‘FortiASIC’ (‘Accelerated’ versus ‘Not Accelerated’) sessions.

interface

WHOIS Lookup anchor for public IPv4 addresses

A Reverse IP lookup is possible using the WHOIS lookup icon available when you mouse over a public IP address in a FortiView log. If you left-click on the lookup icon, a new tab is opened in your browser for www.networksolutions.com, and a lookup is performed on the selected IP address (this option persists after drilling down one level in FortiView).

 

FortiView consoles

This section describes the following log filter consoles available in FortiView:

• Sources on page 20 displays detailed information on the sources of traffic passing through the FortiGate, and the section covers how you can investigate an unusual spike in traffic to determine which user is responsible.
• Destinations on page 21 displays detailed information on user destination-accessing through the use of drill down functionality.
• Applications on page 22 displays Applications used on the network that have been recognized by Application Control, and this section shows how you can view what sort of applications individual employees are using.
• Cloud Applications on page 23 displays Web/Cloud Applications used on the network, and this section shows how you can drill down to access detailed data on cloud application usage, e.g. YouTube.
• Web Sites on page 24 displays websites visited as part of network traffic that have been recognized by Web Filtering, and this section shows how you can investigate instances of proxy avoidance, which is the act of circumventing blocks using proxies.
• Threats on page 25 monitors threats to the network, both in terms of their Threat Score and Threat Level. l WiFi Clients on page 26 displays a list of all the devices connected to the WLAN.
• “Traffic Shaping” on page 27 displays a list of existing Traffic Shapers, detailing their bandwidth use and which traffic is being shaped by each shaper.
• System Events on page 28 displays security events detected by FortiOS, providing a name and description for the events, an assessment of the event’s severity level, and the number of instances the events were detected. l VPN on page 29 displays how users can access information on any VPNs associated with their FortiGate.
• “Endpoint Vulnerability” on page 30 displays a list of Vulnerability events detected by the FortiGate on networked devices, along with links to further vulnerability information and databases.
• Threat Map on page 31 provides a geographical display of threats, in realtime, from international sources as they arrive at your FortiGate.
• Policies on page 32 displays what policies are in affect on your network, what their source and destination interfaces are, how many sessions are in each policy, and what sort of traffic is occurring.
• Interfaces on page 33 displays the number of interfaces connected to your network, how many sessions there are in each interface, and what sort of traffic is occurring.
• FortiSandbox on page 34 displays FortiSandbox activity. FortiSandbox detects and analyzes advanced attacks designed to bypass traditional security defenses, and has a wide array of features that allow it to prevent future attacks from occurring again.
• All Sessions on page 35 displays complete information on all FortiGate sessions, with the ability to filter sessions by port number and application type.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!