FortiView Guide

Sources

The Sources console provides information about the sources of traffic on your FortiGate unit.

This console can be filtered by Country, Destination Interface, Policy, Result, Source, and Source Interface. For more on filters, see Filtering options.

Specific devices and time periods can be selected and drilled down for deep inspection.

Scenario: Investigating a spike in traffic

A system administrator notices a spike in traffic and wants to investigate it. From the Sources window, they can determine which user is responsible for the spike by following these steps:

  1. Go to FortiView > Sources.
  2. In the graph display, click and drag across the peak that represents the spike in traffic.
  3. Sort the sources by bandwidth use by selecting the Bytes (Sent/Received)
  4. Drill down into whichever source is associated with the highest amount of bandwidth use by double-clicking it. From this screen, you have an overview of that source’s traffic activity.
  5. Again, in either the Applications or Destinations view, select the Bytes (Sent/Received) header to sort by bandwidth use.
  6. Double-click the top entry to drill down to the final inspection level, from which you can access further details on the application or destination, and/or apply a filter to prohibit or limit access.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiView on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

5 thoughts on “FortiView Guide

  1. TOGE

    Hello Mike,

    Useful and interesting Post !

    I have some trouble with fortiview and i’d love to ask a questions,

    I have two FortiGate devices in two different companies, FG VM64 and FG-200E.
    Under fortiview / Traffic from LANDMZ / Sources, i want to see and filter logs by “user”.
    FG-200E can filter by username and also has many other options to filter logs, but FGVM64 has only “Source” and “Source Device” filter applicable.

    My question is: Doesn’t VM64 supports other filter options or do i have to turn something on to enable filter options ?

    Note: FG200E is logging in memory, whether FGVM64 has Disk logging enabled. Both of them has traffic logging enabled (Under policy / Logging option / Log Allowed Traffic / All Sessions) and both of them are using DC Agent to poll user database from AD. I know DC Agent is configured well because everything else is working fine and i can see users under Monitor / Firewall user monitor and under Log&Report / Forward traffic.

    I already tried using different Browsers.

    Regards.

    Reply
    1. Mike Post author

      So both FortiGates are configured the same? The only difference is the platform it is on? (appliance vs VM)

      Reply
      1. TOGE

        Hello and thanks for a quick response !

        No, configurations are different, but both are using DC agent to poll users from AD and then users are matched under different policies to give them different web access privileges.

        Under fortiview/source, Physical version has way more options to filter traffic, than VM version.

        But Yesterday i asked friend of mine, who has FG100E (no DC agent on it, used as transparent) and he also has no that additional filters available. So i dont think that its Physical/Virtual related.

        Could it be because of software version ?
        FG200E: v6.0.2
        FG100E and VM: v6.0.4

        Reply
  2. irabor

    Hello Mike,
    I configured fortigate to serve as web proxy, i configured the rules under proxy tab, no rules in the IPv4 policy section. I am not seeing logs in fortiview, but when i go to the proxy policy and i right-click and click on ‘show matching logs’, i can see see logs.
    What am i doing wrongly

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.