VPN
From the VPN console, users can access information on any VPNs associated with their FortiGate. From the initial window, a list of all the associated VPNs is provided, along with general information, such as number of user connections and VPN type. By double-clicking on an individual VPN (or right-clicking and selecting Drill down for details…), users can access more specific data on that VPN.
Logs in the VPN console can be sorted by number of connections, last connection time, or data sent/received by selecting the column headers.
This console can be filtered by Result, User Name, and VPN Type. For more on filters, see Filtering options on page 37.
Certain dashboard options will not appear unless your FortiGate has Disk Logging enabled.
Furthermore, only certain FortiGate models support Disk Logging — refer to the FortiView Feature Support – Platform Matrix on page 9 for more information.
To enable Disk Logging, go to Log & Report > Log Settings, and select the checkbox next to Disk and apply the change.
Scenario: Investigating VPN user activity
The VPN console can be used to access detailed data on VPN-user activity via the use of the drill down windows. In this scenario, the administrator looks into the usage patterns of the IPsec user who has most frequently connected to the network.
- Go to FortiView > VPN to view the VPN console.
- Select the Connections column header to sort the entries by number of connections to the network.
- Locate the top user whose VPN Type is ipsec and double-click the entry to enter that user’s drill down screen.
- To get the most representative data possible, sort the entries by bandwidth use by selecting the Bytes (Sent/Received) column header. Double-click the top entry to enter the drill down window for that connection instance.
From this screen, the administrator can find out more about the specific session, including the date/time of access, the XAuth (Extensible Authentication) User ID, the session’s Tunnel ID, and more.
Endpoint Vulnerability
The Endpoint Vulnerability console lists the top devices and vulnerabilities detected, organized either by frequency or risk level.
This console can be filtered by Vulnerabilty Name, Severity, Vulnerability Category, CVE-ID, or Host Count. For more on filters, see Filtering options.
The Vulnerabilities detected by the FortiGate use definitions created by FortiGuard, and every vulnerability in FortiView contains a link to the respective FortiGuard Labs documentation page (under the ‘Vulnerability ID‘ column) and the Common Vulnerabilities and Exposures documentation page (under the ‘CVE-ID‘ column.)
Scenario: Monitoring Vulnerabilities on the Network
When a vulnerability appears in log data, you can use the FortiView page to see more information about it. The Endpoint Vulnerability console can be used to view and track all historical vulnerabilities:
- Go to FortiView > Endpoint Vulnerability. In the upper right, select Vulnerability.
- Sort the threats by frequency by selecting the Host Count
- You see that a frequent vulnerability’s Severity is at Critical. Drill down into the threat by double-clicking or rightclicking and select Drill down to details.
- From this summary page, you can view the source IPs and devices on which this vulnerability was detected, and also the Scan Time. Double-click on one of them.
- The chart will be filtered to display the specific Endpoint and Vulnerability, offering more granular data about the vulnerability, including its Category and the FortiClient ID of the device. You can access the CVE and FortiGuard links from this page to learn more.
Threat Map
The Threat Map console displays network activity by geographic region. Threats from various international destinations will be shown, but only those arriving at your destination, as depicted by the FortiGate. You can place your cursor over the FortiGate’s location to display the device name, IP address, and the city name/location.
A visual lists of threats is shown at the bottom, displaying the location, severity, and nature of the attacks. The color gradient of the darts on the map indicate the traffic risk, where red indicates the more critical risk.
Unlike other FortiView consoles, this console has no filtering options, however you can click on any country to drill down into greater (filtered) detail.
Scenario: Investigate various international threats
The Threat Map console can be used to regionalize areas that you are more interested in, and disregard regions that you are not interested in:
- Go to FortiView > Threat Map to see a real-time map of the globe. This will show various incoming threats from multiple destinations around the world, depending upon where the FortiGate is placed on the map.
- You are not interested with threats that are being sent to Eastern Europe, however you are concerned with threats that may be sent to a city in North America. Click and drag the FortiGate to the approximate location where you would like to monitor the incoming threats.
- To see which countries are sending the more severe threats to your region/location, either see where the red darts are coming from, or check the visual lists of threats at the bottom.
Policies
The Policies console shows what policies are in affect on your network, what their source and destination interfaces are, how many sessions are in each policy, and what sort of traffic is occurring, represented in bytes sent and received.
This console can be filtered by Country, Destination Interface, Destination IP, Policy, Source, Source Device, and Source Interface. For more on filters, see Filtering options.
Scenario: Investigate which policies are in effect
You can click on policy IDs to drill down to the policy list and see what policy’s are in effect for specific interfaces, how many sessions have occurred, how many of those with the policy have been blocked, and more:
- Go to FortiView > Policies, and double-click on a policy ID to drill down.
- You will be redirected to a summary screen of the policy ID. From here you can view the source IP of where the policy has been used, what source interface has been using the particular policy, and to verify what sort of threat scores have been measured, both blocked and allowed.
Interfaces
The Interfaces console lists the total number of interfaces connected to your network, how many sessions there are in each interface, and what sort of traffic is occurring, represented in both bytes sent and received, and the total bandwidth used.
This console can be filtered by Country, Destination Interface, Destination IP, Policy, Result, Source, and Source Interface. For more on filters, see Filtering options.
Scenario: Investigate traffic spikes per user
The wan1 interface is showing a higher amount of traffic than usual. A system administrator uses the console to inspect which user (as represented by an IP address) is creating the spike in traffic:
- Go to FortiView > Interfaces and double-click on wan1, or right click and select Drill Down to Details….
- The console will drill down to a summary page of wan1, showing how many bytes are being sent and received, how much bandwidth is being used, and how many sessions are currently using this interface. You see the IP address of the user that is showing the most amount of traffic under Source.
- You can further drill down to see the IP destination, the device, and the applications being used, and other options.
FortiSandbox
The FortiSandbox console detects and analyzes advanced attacks designed to bypass traditional security defenses, and has a wide array of features that allow it to prevent future attacks from occurring again.
This console can be filtered by Checksum, File Name, Source, Status, and User Name. For more on filters, see Filtering options.
All Sessions
The All Sessions console provides information about all FortiGate traffic. This console can be filtered by Application, Country, Destination Interface, Destination IP, Destination Port, NAT Source IP, NAT Source Port, Policy, Protocol, Source, Source Interface, Source IP, and Source Port. For more on filters, see Filtering options.
This console has the greatest number of column options to choose from. To choose which columns you wish to view, select the column settings cog at the far right of the columns and select your desired columns. They can then be clicked and dragged in the order that you wish them to appear.
A number of columns available in FortiView are only available in All Sessions. For example, the Action column displays the type of response taken to a security event. This function can be used to review what sort of threats were detected, whether the connection was reset due to the detection of a possible threat, and so on. This would be useful to display alongside other columns such as the Source, Destination, and Bytes (Sent/Received) columns, as patterns or inconsistencies can be analyzed.
Similarly, there are a number of filters that are only available in All Sessions, one of which is Protocol. This allows you to display the protocol type associated with the selected session, e.g. TCP, FTP, HTTP, HTTPS, and so on.
Scenario: Filtering sessions by port number and application type
From the All Sessions console, a wide variety of filters can be applied to sort the session data. In this example, the All Sessions filters will be used to locate a specific user’s recent Skype activity.
- Go to FortiView > All Sessions.
- Select now from the Time Display options if it is not already selected.
- Select the Filter button, then select Applications. This will open a drop-down menu listing the applications that appear in the master session list. From this list, locate and select Skype, or type “Skype” into the Search Bar and hit Enter. This will filter the session list to only feature Skype usage.
- Select the Filter button again, then select Destination Port from the drop-down menu, then locate and select the desired port number. This will add a second filter which will restrict the results to presenting only the Skype data associated with that port number.
Reference
This section consists of reference information for the various consoles in FortiView. Each console has an assortment of filtering options, drilldown options, and columns that can be displayed. Since many of these options and columns persist through each console, the entire list of options and their descriptions is included below. Attempts have been made to identify the instances where an option or column is only available to a particular console.
This section includes:
Filtering options
Drill-Down Options
Columns displayed
Risk level indicators
Filtering options
Filtering options
When you select the Add Filter button, a drop-down list appears with a list of available filtering options. Available options differ based on which console is currently being viewed. The following table explains all of the available filtering options:
| Filter option | Description |
| Accelerated Sessions | You can filter the console on ‘FortiASIC’ (‘Accelerated’ versus ‘Not Accelerated’) sessions. |
| AP | Filter by Access Point (AP) identification number. |
| Application | Filter by application name. |
| Checksum | Filter by checksum value. Checksums are reference digits used to represent the correct datasum of a packet in order to detect errors. |
| Cloud Application | Filter by cloud application name.
Note: This filter is only available in the Cloud Applications console. |
| Country | Filter by the country from which the source accessed the server. |
| Destination Interface | Filter by the interface type used by the destination user, e.g. wan1. |
| Destination IP | Filter by the IP address used by the destination. |
| Destination Port | Filter by the port used by the destination.
Note: This filter is only available in the All Sessions console,(viewing the now time display). |
| Domain | Filter by domain name.
Note: This filter is only available in the Web Sites console. |
| Event Name | Filter by security event name.
Note: This filter is only available in the System Events console. |
| File Name | Filter by file name.
Note: This filter is only available in the FortiSandbox console. |
Filtering options
| Filter option | Description |
| Login Type | Filter by type of login (eg. WEP) associated with the displayed authentication attempt.
Note: This filter is only available in the Failed Authentications console. |
| NAT Source IP | Filter by the NAT-translated source IP address.
Note: This filter is only available in the All Sessions console,(viewing the now time display). |
| NAT Source Port | Filter by the NAT-translated source interface.
Note: This filter is only available in the All Sessions console,(viewing the now time display). |
| Policy | Filter by the policy identification number. |
| Protocol | Filter by the protocol used by the source, e.g. tcp or udp.
Note: This filter is only available in the All Sessions console,(viewing the now time display). |
| Result | Filter by the result of whatever security action was taken by FortiOs in the selected session, eg. Accept (all). |
| Security Action | Filter by the type of response taken to the security event. The types of possible actions are as follows:
Allowed: No threat was detected and the connection was let through. Blocked: A threat was detected and the connection was not let through. Reset: A possible issue was detected and the connection was reset. Traffic Shape: Some data packets may have been delayed to improve system-wide performance. |
| Severity | Filter by the severity level (Critical, High, Medium or Low) associated with a security event. |
| Source
Source IP |
Filter by the source IP address. |
| Source Device | Filter by source device type, e.g. mobile. |
| Source Interface | Filer by the interface type used by the source user, e.g. wan1. |
Filtering options
| Filter option | Description |
| Source Port | Filter by the source interface.
Note: This filter is only available in the All Sessions console,(viewing the now time display). |
| Source SSID | Filter by the Service Set Identifier (SSID) associated with the selected user. An SSID is a case sensitive, 32 character alphanumerical identifier that acts as a password attributed to a mobile device. |
| Status | Filter by the maliciousness of a file. The types of possible status’ are Malicious, High, Medium, Low, Clean, Unknown, and Pending.
Note: This filter is only available in the FortiSandbox console. |
| Threat | Filter by threat name and/or URL |
| Threat Type | Filter by threat category, e.g. Illegal/Unethical or P2P. |
| Type | Note: This filter is only available in the Failed Authentications console. |
| User Name | Filter by user name. |
| VPN Type | Filter by Virtual Private Network (VPN) protocol type, eg. PPTP.
Note: This filter is only available in the VPN console. |
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Hello Mike,
Useful and interesting Post !
I have some trouble with fortiview and i’d love to ask a questions,
I have two FortiGate devices in two different companies, FG VM64 and FG-200E.
Under fortiview / Traffic from LANDMZ / Sources, i want to see and filter logs by “user”.
FG-200E can filter by username and also has many other options to filter logs, but FGVM64 has only “Source” and “Source Device” filter applicable.
My question is: Doesn’t VM64 supports other filter options or do i have to turn something on to enable filter options ?
Note: FG200E is logging in memory, whether FGVM64 has Disk logging enabled. Both of them has traffic logging enabled (Under policy / Logging option / Log Allowed Traffic / All Sessions) and both of them are using DC Agent to poll user database from AD. I know DC Agent is configured well because everything else is working fine and i can see users under Monitor / Firewall user monitor and under Log&Report / Forward traffic.
I already tried using different Browsers.
Regards.
So both FortiGates are configured the same? The only difference is the platform it is on? (appliance vs VM)
Hello and thanks for a quick response !
No, configurations are different, but both are using DC agent to poll users from AD and then users are matched under different policies to give them different web access privileges.
Under fortiview/source, Physical version has way more options to filter traffic, than VM version.
But Yesterday i asked friend of mine, who has FG100E (no DC agent on it, used as transparent) and he also has no that additional filters available. So i dont think that its Physical/Virtual related.
Could it be because of software version ?
FG200E: v6.0.2
FG100E and VM: v6.0.4
Hello Mike,
I configured fortigate to serve as web proxy, i configured the rules under proxy tab, no rules in the IPv4 policy section. I am not seeing logs in fortiview, but when i go to the proxy policy and i right-click and click on ‘show matching logs’, i can see see logs.
What am i doing wrongly
What version of code are you running?