FortiView Guide

Applications

The Applications console provides information about the applications being used on your network.

This console can be filtered by Application, Country, Destination Interface, Policy, Result, and Source Interface. For more on filters, see Filtering options.

Specific devices and time periods can be selected and drilled down for deep inspection.

Scenario: Viewing application usage

A manager is interested in the office internet habits of their employees:

  1. Go to FortiView > Applications, to view the list of applications accessed by the users on your network. Use the time-frame options to view what applications were used in those time periods (from now, 5 minutes, 1 hour, or 24 hours).
  2. From Sessions (Blocked/Allowed) and Bytes (Sent/Received), you can see how much traffic has been generated. Click these columns to show the traffic in descending order.
  3. You notice that a social media application has created the most traffic of all the applications, and so it’s at the top of the list. Drill down into the application by double-clicking or right-clicking and select Drill Down to Details.
  4. You are directed to a summary page of the social media application. From here, you can see which specific user has made the most use of the application.


Cloud Applications

The Cloud Applications console provides information about the cloud applications being used on your network. This includes information such as:

  - The names of videos viewed on YouTube (visible by hovering the cursor over the session entry)
  - Files uploaded to and downloaded from cloud hosting services such as Dropbox
  - Account names used for cloud services

Two different views are available for the Cloud Applications: Applications and Users (located in the top menu bar next to the time periods). Applications shows a list of the programs being used. Users shows information on the individual users of the cloud applications, including the username, if the FortiGate was able to view the login event.

This console can be filtered by Cloud Application and Result. For more on filters, see Filtering options.

In order for information to appear in the Cloud Applications console, an application control profile (that has Deep Inspection of Cloud Applications turned on) must be enabled in a policy, and SSL Inspection must use deep-inspection.
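The prerequisites in the paragraph above, expressed as a FortiOS CLI configuration. This is an added example and not part of the original guide or Fortinet's documentation: the profile name `cloud-monitor`, the policy ID, the interface names and the `#` annotations are constructed placeholders, and `set deep-app-inspection enable` is assumed to be the CLI form of the "Deep Inspection of Cloud Applications" checkbox. `deep-inspection` and `certificate-inspection` are the built-in SSL/SSH inspection profile names.

```fortios
# Added example, not from the original guide. Names, IDs and interfaces are placeholders.

# 1. Application control profile with deep inspection of cloud applications.
config application list
    edit "cloud-monitor"
        # Assumed CLI keyword for "Deep Inspection of Cloud Applications"
        set deep-app-inspection enable
    next
end

# 2. Policy that applies the profile together with full SSL deep inspection.
config firewall policy
    edit 10
        set name "lan-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set application-list "cloud-monitor"
        # Weak setting: "certificate-inspection" only sees the TLS handshake,
        # so video titles, file names and account names never reach FortiView.
        # Required setting for the Cloud Applications console:
        set ssl-ssh-profile "deep-inspection"
        # FortiView is built from traffic logs; log all sessions, not only UTM events.
        set logtraffic all
    next
end
```

Deep inspection terminates TLS on the FortiGate, so clients must trust the FortiGate's CA certificate or they will see certificate warnings; switching a policy from certificate inspection to deep inspection is therefore a change to plan with the endpoint team, not only a logging tweak.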

Scenario: Viewing cloud application usage data

From the Cloud Applications console, users can drill down to access detailed data on cloud application usage. In this scenario, the console is used to determine the network’s most frequent user of YouTube over a 24-hour period, and to find out more about their usage patterns.

  1. Go to FortiView > Cloud Applications.
  2. Select Applications view from the top menu bar if it is not already selected.
  3. Select 24 Hours from the Time Display options.
  4. Find YouTube under the Application column and double-click it (or right-click and select Drill down for details…). This will open the YouTube stats window.
  5. To determine the user who has accessed YouTube the most frequently, sort the column entries by Sessions by selecting the column header of the same name.
  6. Double-click (or right-click and select Drill down for details…) the top-bandwidth YouTube user to view detailed stats, including the names of videos watched by the user and the date and time each video was accessed.


Web Sites

The Web Sites console lists the top allowed and top blocked web sites. You can view information by domain or by FortiGuard categories by using the options in the top right corner. Each FortiGuard category can be selected in order to see a description of the category and several example sites, with content loaded from FortiGuard on demand.

This console can be filtered by Domain and Result. For more on filters, see Filtering options.

Scenario: Investigating an instance of Proxy Avoidance

In this scenario, the Categories view will be used to investigate an instance of Proxy Avoidance, one of the Categories recognized by FortiOS. Proxy Avoidance denotes the use of a proxy site in order to access data that might otherwise be blocked by the server.

  1. Go to FortiView > Web Sites to open the Web Sites console.
  2. Select Categories from the top bar menu to enter Categories view.
  3. Scan the Categories column and locate the instance of Proxy Avoidance, then double-click it to enter its drilldown screen.


Threats

The Threats console lists the top users involved in incidents, as well as information on the top threats to your network.

The following incidents are considered threats:

  - Risk applications detected by application control
  - Intrusion incidents detected by IPS
  - Malicious web sites detected by web filtering
  - Malware/botnets detected by antivirus

This console can be filtered by Country, Destination Interface, Policy, Result, Security Action, Source Interface, Threat, and Threat Type. For more on filters, see Filtering options.

Scenario: Monitoring Threats to the Network

Some users have high Threat Scores. The Threats console can be used to view all threats and discover why such high scores are being shown:

  1. Go to FortiView > Threats. In the graph display, click and drag across the peak that represents the spike in threat score.
  2. Sort the threats by score or level by selecting the Threat Score (Blocked/Allowed) or Threat Level column headers, respectively.
  3. You see that a specific threat’s Threat Level is at Critical. Drill down into the threat by double-clicking or right-clicking and selecting Drill down to details.
  4. From this summary page, you can view the source IPs and the number of sessions that came from this threat. Double-click on one of them.
  5. The following page shows a variety of statistics, including a Reference field. If you are not familiar with the particular threat, the URL next to it links to a FortiGuard page that displays the description, affected products, and recommended actions.


WiFi Clients

The WiFi Clients console shows a list of all the devices connected to the WLAN. The type of device, source, number of sources blocked and allowed, and bytes sent and received are displayed. The source’s Service Set Identifier (SSID) is also displayed in the Source SSID column. An SSID is a case-sensitive, 32-character alphanumeric identifier that acts as a password when a mobile device tries to connect to the WLAN.

This console can be filtered by AP, Device Type, Result, Source Device, Source IP, Source SSID, and User. For more on filters, see Filtering options.

Scenario: Determining the threat risk of an individual WiFi client

In this scenario, the administrator will use the WiFi Clients FortiView console to determine the risk levels associated with an individual WiFi client, and then drill down into that client to determine where the risk originates and who might be the offending user/IP.

  1. Go to FortiView > WiFi Clients and view the device list table.
  2. Double-click on a device to filter on that source.
  3. Under the Risk column, identify the items that present the greatest risk (using the Applications, Destinations, Threats, and/or Sessions tabs, for example).
  4. Right-click these items for further action.


Traffic Shaping

The Traffic Shaping console provides information about FortiGate Traffic Shapers that are currently in effect. This console can be filtered by Traffic Shaper Name. For more on filters, see Filtering options.

Several FortiView columns are available only in the Traffic Shaping console. For example, the Shaper column displays the name of the Shaper, which can be used to monitor the traffic being shaped by Bytes Sent, Received, and Dropped, so that bandwidth patterns and Shaper effectiveness can be analyzed.


System Events

The System Events console lists security events detected by FortiOS, providing a name and description for each event, an assessment of the event’s severity level (Alert, Critical, Emergency, Error, or Warning), and the number of times each event was detected.

Two other FortiView pages from 5.4 have been wrapped into the System Events page as of 5.6: Admin Logins, and Failed Authentication.

This console can be filtered by Event Name, Result, and Severity. For more on filters, see Filtering options.

Scenario: Investigate network security events

System Events can be used in conjunction with All Sessions to see what network security events took place, and specifically see what action was taken upon their detection:

  1. Go to FortiView > System Events to see what and how many network events have taken place, as well as how severe they are in terms of the threat they pose to the network.
  2. You see that a particular event has warranted a severe rating, and has allowed traffic to bypass the firewall. Note when the event took place, and go to FortiView > All Sessions, to see more information pertaining to the security event.
  3. From this console, you can determine the system event’s source, how much traffic was sent and received, and the security action taken in response to this security event. These actions differ, depending upon the severity of the security event. See the entry for Security Action in Columns displayed.


This entry was posted in FortiView.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

5 thoughts on “FortiView Guide”

  1. TOGE

    Hello Mike,

    Useful and interesting post!

    I have some trouble with FortiView and I’d love to ask a question.

    I have two FortiGate devices in two different companies, an FG VM64 and an FG-200E.
    Under FortiView / Traffic from LANDMZ / Sources, I want to see and filter logs by “user”.
    The FG-200E can filter by username and also has many other options to filter logs, but the FGVM64 has only the “Source” and “Source Device” filters applicable.

    My question is: Doesn’t the VM64 support other filter options, or do I have to turn something on to enable the filter options?

    Note: The FG200E is logging in memory, whereas the FGVM64 has disk logging enabled. Both of them have traffic logging enabled (under Policy / Logging Options / Log Allowed Traffic / All Sessions) and both of them are using the DC Agent to poll the user database from AD. I know the DC Agent is configured well because everything else is working fine and I can see users under Monitor / Firewall User Monitor and under Log & Report / Forward Traffic.

    I already tried using different Browsers.

    Regards.

    1. Mike Post author

      So both FortiGates are configured the same? The only difference is the platform it is on? (appliance vs VM)

      1. TOGE

        Hello, and thanks for the quick response!

        No, configurations are different, but both are using DC agent to poll users from AD and then users are matched under different policies to give them different web access privileges.

        Under FortiView / Source, the physical version has many more options to filter traffic than the VM version.

        But yesterday I asked a friend of mine, who has an FG100E (no DC agent on it, used in transparent mode), and he also does not have those additional filters available. So I don’t think it’s physical/virtual related.

        Could it be because of the software version?
        FG200E: v6.0.2
        FG100E and VM: v6.0.4

  2. irabor

    Hello Mike,
    I configured the FortiGate to serve as a web proxy. I configured the rules under the Proxy tab, with no rules in the IPv4 Policy section. I am not seeing logs in FortiView, but when I go to the proxy policy, right-click and click on ‘Show Matching Logs’, I can see logs.
    What am I doing wrong?
