FortiView – FortiOS 6.2

FortiView

FortiView from disk

Prerequisites

All FortiGates with an SSD disk.

Restrictions

  • Desktop models (for example: under 100D) with SSD only supports five minutes and one hour view. l Medium models (for example: 200D, 500D) with SSD supports up to 24 hours view.
  • Large models (for example: 1500D and above) with SSD supports up to seven days view.
  • Confirm that the setting is enabled:

config log setting set fortiview-weekly-data enable

end

Configuration

A firewall policy needs to be in place with traffic logging enabled. For best operation with FortiView, internal interface roles should be clearly defined as LAN; DMZ and internet facing or external interface roles should be defined as WAN.

To enable FortiView from Disk:

  1. Enable disk logging from the FortiGate GUI.
    1. Go to Log & Report > Log Settings > Local Log.
    2. Select the checkbox next to Disk.
  2. Enable historical FortiView from the FortiGate GUI.
    1. Go to Log & Report > Log Settings > Local Log.
    2. Select the checkbox next to Enable Historical FortiView.
  3. Click Apply.

To include sniffer traffic and local-deny traffic when FortiView from Disk:

This feature is only supported through the CLI.

config report setting

set report-source forward-traffic sniffer-traffic local-deny-traffic

end

Source View

Top Level

Sample entry:

Time l Realtime or Now entries are determined by the FortiGate’s system session list.
  l Historical or 5 minutes and later entries are determined by traffic logs, with additional information coming from UTM logs.
Graph l The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  l Users can customize the time frame by selecting a time period within the graph.
Bubble Chart l Bubble chart shows the same information as the table, but in a different graphical manner.
Columns l Source shows the IP address (and user as well as user avatar if configured) of the source device.
  l Device shows the device information as listed in User& Device > Device Inventory. Device detection should be enabled on the applicable interfaces for best function.
  l Threat Score is the threat score of the source based on UTM features such as web filter and antivirus. It shows threat scores allowed and threat scores blocked.
  l Bytes is the accumulated bytes sent/received. In realtime, this is calculated from the session list, and in historical it is from logs.
  l Sessions is the total sessions blocked/allowed. In realtime, this is calculated from the session list, and in historical it is from logs.
  l Source is a simplified version of the first column, including only the IP address without extra information.
  l Source Interface is the interface from which the traffic originates. In realtime, this is calculated from the session list, and in historical it is from the logs.
  l More information can be shown in a tooltip while hovering over these entries.

93

l For realtime, two more columns are available, Bandwidth and Packets, both of which come from the session list.

Drilldown Level

Sample entry:

Graph l The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  l Users can customize the time frame by selecting a time period within the graph.
Summary

Information

l Shows information such as the user/avatar, avatar/source IP, bytes, and sessions total for the time period.
  l Can quarantine host (access layer quarantine) if they are behind a FortiSwitch or FortiAP.
  l Can ban IP addresses, adds the source IP address into the quarantine list.
Tabs l Drilling down entries in any of these tabs (except sessions tab) will take you to the underlying traffic log in the sessions tab.
  l Applications shows a list of the applications attributed to the source IP. This can include scanned applications (using application control in a firewall policy or unscanned applications.

config log gui-display set fortiview-unscanned-apps enable end

  l Destinations shows destinations grouped by IP address/FQDN.
  l Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, webfilter, application control, etc.
  l Web Sites contains the websites which were detected either with webfilter, or through FQDN in traffic logs.
  l Web Categories groups entries into their categories as dictated by the Web Filter Database.
  l Search Phrases shows entries of search phrases on search engines captured by a web filter UTM profile, with deep inspection enabled in firewall policy.
  l Policies groups the entries into which polices they passed through or were blocked by.
  l Sessions shows the underlying logs (historical) or sessions (realtime). Drilldowns from other tabs end up showing the underlying log located in this tab.
  l More information can be shown in a tooltip while hovering over these entries.

Troubleshooting

  • Use diagnose debug application httpsd -1 to check which filters were passed through httpsd.

For example:

[httpsd 3163 – 1546543360 info] api_store_parameter[227] — add API parameter ‘filter’: ‘{ “source”: “10.1.100.30”, “application”: “TCP\/5228”, “srcintfrole”: [ “lan”,

“dmz”, “undefined” ] }’ (type=object)

  • Use diagnose debug application miglogd 0x70000 to check what the SQL command is that is passed to the underlying SQL database.

For example:

fortiview_request_data()-898: total:31 start:1546559580 end:1546563179

_dump_sql()-799: dataset=fv.general.chart, sql:select a.timestamp1,ses_al,ses_ bk,r,s,ifnull(sc_l,0),ifnull(sc_m,0),ifnull(sc_h,0),ifnull(sc_c,0) from (select timestamp-(timestamp%60) timestamp1 ,sum(case when passthrough<>’block’ then sessioncount else 0 end) ses_al,sum(case when passthrough=’block’ then sessioncount else 0 end) ses_bk,sum(rcvdbyte) r,sum(sentbyte) s from grp_traffic_all_src where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in (‘10.1.100.11’) AND srcintfrole in (‘lan’,’dmz’,’undefined’) group by timestamp1 ) a left join (select timestamp-(timestamp%60) timestamp1 ,sum(case when threat_level=1 then crscore else 0 end) sc_l,sum(case when threat_level=2 then crscore else 0 end) sc_ m,sum(case when threat_level=3 then crscore else 0 end) sc_h,sum(case when threat_ level=4 then crscore else 0 end) sc_c from grp_threat where timestamp BETWEEN 1546559580 and 1546563179 and 1=1 AND srcip in (‘10.1.100.11’) AND srcintfrole in (‘lan’,’dmz’,’undefined’) group by timestamp1 ) b on a.timestamp1 = b.timestamp1; takes 40(ms), agggr:0(ms)

  • Use exe report flush-cache and exe report recreate-db to clear up any irregularities that may be caused by upgrading or cache issues.

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.