About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. Vendors that resell hardware with zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, are a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Sources

The Sources console provides information about the sources of traffic on your FortiGate unit.

This console can be filtered by Country, Destination Interface, Policy, Result, Source, and Source Interface. For more on filters, see Filtering options.

Specific devices and time periods can be selected and drilled down for deep inspection.

 

Scenario: Investigating a spike in traffic

A system administrator notices a spike in traffic and wants to investigate it. From the Sources window, they can determine which user is responsible for the spike by following these steps:

1. Go to FortiView > Sources.

2. In the graph display, click and drag across the peak that represents the spike in traffic.

3. Sort the sources by bandwidth use by selecting the Bytes (Sent/Received) header.

4. Drill down into whichever source is associated with the highest amount of bandwidth use by double-clicking it.

From this screen, you have an overview of that source’s traffic activity.

5. Again, in either the Applications or Destinations view, select the Bytes (Sent/Received) header to sort by bandwidth use.

6. Double-click the top entry to drill down to the final inspection level, from which you can access further details on the application or destination, and/or apply a filter to prohibit or limit access.
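The same drill-down can be reproduced offline against exported traffic logs. The following is an added example written for this page, not FortiOS code: it takes a time window (the click-and-drag across the peak), ranks sources by the sum of sentbyte and rcvdbyte (the Bytes (Sent/Received) sort), and then breaks the top source down by destination and application (steps 3 to 6). The log lines are constructed for the example; srcip, dstip, app, sentbyte and rcvdbyte are the real FortiGate traffic-log keys, the values are made up.

```python
"""Offline equivalent of the FortiView Sources drill-down (added example).

Ranks traffic-log sources by bytes inside a time window, then breaks the top
talker down by destination and application.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of FortiGate forward-traffic records (fields trimmed).
SAMPLE_LOGS = """\
date=2019-05-10 time=11:37:47 type="traffic" subtype="forward" srcip=10.1.100.11 dstip=203.0.113.5 service="HTTPS" app="YouTube" policyid=3 sentbyte=2048 rcvdbyte=48000000
date=2019-05-10 time=11:38:02 type="traffic" subtype="forward" srcip=10.1.100.22 dstip=198.51.100.9 service="HTTPS" app="Office365" policyid=3 sentbyte=120000 rcvdbyte=900000
date=2019-05-10 time=11:38:15 type="traffic" subtype="forward" srcip=10.1.100.11 dstip=203.0.113.5 service="HTTPS" app="YouTube" policyid=3 sentbyte=1024 rcvdbyte=61000000
date=2019-05-10 time=11:38:40 type="traffic" subtype="forward" srcip=10.1.100.11 dstip=192.0.2.77 service="HTTP" app="Windows.Update" policyid=3 sentbyte=4096 rcvdbyte=5000000
date=2019-05-10 time=12:30:00 type="traffic" subtype="forward" srcip=10.1.100.33 dstip=192.0.2.10 service="SMTP" app="SMTP" policyid=4 sentbyte=99000000 rcvdbyte=500
"""

# FortiGate logs are key=value pairs; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_TS = "%Y-%m-%d %H:%M:%S"


def parse_record(line):
    """Split one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def records_in_window(log_text, start, end):
    """Keep traffic records whose timestamp lies inside [start, end]; this is
    the equivalent of dragging across the spike on the FortiView graph."""
    lo, hi = datetime.strptime(start, _TS), datetime.strptime(end, _TS)
    out = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "traffic":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], _TS)
        if lo <= ts <= hi:
            out.append(rec)
    return out


def rank_by_bytes(records, key):
    """Sum sentbyte+rcvdbyte per value of `key` (srcip, dstip or app) and sort
    descending, i.e. the Bytes (Sent/Received) column sort."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec[key]] += int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def investigate_spike(log_text, start, end):
    """Steps 3-6 of the scenario: top source, then its top destination and
    application. Returns None when the window holds no traffic records."""
    recs = records_in_window(log_text, start, end)
    by_source = rank_by_bytes(recs, "srcip")
    if not by_source:
        return None
    top_src, top_bytes = by_source[0]
    drill = [r for r in recs if r["srcip"] == top_src]
    return {
        "top_source": top_src,
        "bytes": top_bytes,
        "top_destination": rank_by_bytes(drill, "dstip")[0],
        "top_application": rank_by_bytes(drill, "app")[0],
    }


if __name__ == "__main__":
    print(investigate_spike(SAMPLE_LOGS, "2019-05-10 11:30:00", "2019-05-10 12:00:00"))
```

Point records_in_window at an exported log file instead of SAMPLE_LOGS to rebuild the console's table for any window, including ranges the GUI cannot show on a model without 24-hour historical data. Note that it only sees what the FortiGate logged: a policy without traffic logging enabled contributes nothing, exactly as in the historical view.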

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiView consoles

 

This section describes the following log filter consoles available in FortiView:

  • Sources explains the features of FortiView’s Sources console, and shows how you can investigate an unusual spike in traffic to determine which user is responsible.
  • Destinations explains the features of FortiView’s Destinations console and shows how you can access detailed information on the destinations users reach, through the drill-down functionality.
  • Interfaces explains the number of interfaces connected to your network, how many sessions there are on each interface, and what sort of traffic is occurring.
  • Policies explains what policies are in effect on your network, what their source and destination interfaces are, how many sessions are in each policy, and what sort of traffic is occurring.
  • Countries explains and graphically displays network activity by geographic region.
  • WiFi Clients shows a list of all the devices connected to the WLAN.
  • All Sessions explains the features of FortiView’s All Sessions console and shows how you can filter sessions by port number and application type.
  • Applications explains the features of FortiView’s Applications console and shows how you can view what sort of applications your employees are using.
  • Cloud Applications explains the features of FortiView’s Cloud Applications console and shows how you can drill down to access detailed data on cloud application usage, e.g. YouTube.
  • Web Sites explains the features of FortiView’s Web Sites console and shows how you can investigate instances of proxy avoidance, which is the use of a proxy site in order to access data that would otherwise be blocked.
  • Threats explains the features of FortiView’s Threats console and shows how you can monitor threats to the network, both in terms of their Threat Score and Threat Level.
  • Threat Map explains the features of FortiView’s Threat Map console, which provides a geographical display of threats, in real time, from international sources as they arrive at your FortiGate.
  • Failed Authentication explains instances in which users attempted to connect to the server but were unsuccessful.
  • System Events explains security events detected by FortiOS, providing a name and description for the events, an assessment of the event’s severity level, and the number of instances the events were detected.
  • Admin Logins explains information on administrator interactions with the network, including the number of login instances, number of failed logins, and the length of time logged in.
  • VPN explains how users can access information on any VPNs associated with their FortiGate.


FortiView interface

FortiView lets you access information about the traffic activity on your FortiGate, visually and textually. FortiView is broken up into several consoles, each of which features a top menu bar and a graph window, as seen in the following image:

 

FortiView Application console sorted by Sessions (Blocked/Allowed)

The top menu bar features:

  • a Refresh button, which updates the data displayed,
  • a Filter button, for filtering the data by category,
  • a Settings button (containing additional viewing settings and a link to the Threat Weight menu),
  • a drop-down menu of different views:
    • Time Display (options: now, 5 minutes, 1 hour, or 24 hours),
    • Table View,
    • Timeline View,
    • Bubble Chart (1),
    • Country Map (2).

(1) For information on the Bubble Chart, refer to Bubble Chart Visualization.

(2) For more information on the Country Map, refer to Countries.

 

 

The FortiView graph

The graph window can be hidden using the X in the top right corner, and re-added by selecting Show Graph. To zoom in on a particular section of the graph, click and drag from one end of the desired section to the other. This will appear in the Time Display options as a Custom selection. The minimum selection size is 60 seconds.

Only FortiGate models 100D and above support the 24 hour historical data.

 

Bubble Chart Visualization

 

Notes about the Bubble Chart:

  • It is possible to sort on the Bubble Chart using the Sort By: dropdown menu.
  • The size of each bubble represents the related amount of data.
  • Place your cursor over a bubble to display a tool-tip with detailed info on that item.
  • You can click on a bubble to drilldown into greater (filtered) detail.

 

Links created between FortiView and View/Create Policy

The Policy column in FortiView consoles and the Log Viewer pages includes a link, which navigates to the IPv4 or IPv6 policy list and highlights the policy.

Right-clicking on a row in FortiView or the Log Viewer has menu items for Block Source, Block Destination and Quarantine Source where appropriate columns are available to determine these values. When multiple rows are selected, the user will be prompted to create a named Address Group to contain the new addresses.

When the user clicks Block Source or Block Destination they are taken to a policy creation page with enough information filled in to create a policy blocking the requested IP traffic.

The policy page will feature an informational message block at the top describing the actions that will be taken. Once the user submits the form, the requisite addresses, groups and policy will be created at once.

If the user clicks on Quarantine User then they will be prompted for a duration. They may also check a box for a Permanent Ban. The user can manage quarantined users under Monitor > User Quarantine Monitor.

 

Visualization support for the Admin Logins page

A useful chart is generated for Admin login events under FortiView > Admin Logins. You can view the information in either Table View or Timeline View (shown below). In Timeline View, each line represents one administrator, with individual sessions indicated on that administrator's line. When you hover over a particular timeline, detailed information appears in a tooltip.



Configuration Dependencies

Most FortiView consoles require the user to enable several features to produce data. The following summarizes the dependencies of each console for its realtime and historical views:

Sources
  Realtime: None, always supported
  Historical: Traffic logging enabled in policy

Destinations
  Realtime: None, always supported
  Historical: Traffic logging enabled in policy

Interfaces
  Realtime: None, always supported
  Historical: Disk logging enabled; Traffic logging enabled in policy

Policies
  Realtime: None, always supported
  Historical: Disk logging enabled; Traffic logging enabled in policy

Countries
  Realtime: None, always supported
  Historical: Disk logging enabled; Traffic logging enabled in policy

All Sessions
  Realtime: None, always supported
  Historical: Traffic logging enabled in policy

Applications
  Realtime: None, always supported
  Historical: Disk logging enabled; Traffic logging enabled in policy; Application control enabled in policy

WiFi Clients
  Realtime: None, always supported
  Historical: Disk logging enabled; Traffic logging enabled in policy

Cloud Applications
  Realtime: Not supported
  Historical: Disk logging enabled; Application control enabled in policy; SSL "deep inspection" enabled in policy; Deep application inspection enabled in application sensor; Extended UTM log enabled in application sensor

Web Sites
  Realtime: Disk logging enabled; Web Filter enabled in policy; "web-url-log" option enabled in Web Filter profile
  Historical: Disk logging enabled; Web Filter enabled in policy; "web-url-log" option enabled in Web Filter profile

Threats
  Realtime: Not supported
  Historical: Disk logging enabled; Traffic logging enabled in policy; Threat weight detection enabled

Threat Map
  Realtime: None, always supported
  Historical: Disk logging enabled; Traffic logging enabled in policy; Threat weight detection enabled

FortiSandbox
  Realtime: Not supported
  Historical: Disk logging enabled; Traffic logging enabled in policy

Failed Authentication
  Realtime: Not supported
  Historical: Disk logging enabled

System Events
  Realtime: Not supported
  Historical: Disk logging enabled

Admin Logins
  Realtime: Not supported
  Historical: Disk logging enabled

VPN
  Realtime: Not supported
  Historical: Disk logging enabled; Traffic logging enabled in policy



FortiView Feature Support – Platform Matrix

Note that the following table identifies three separate aspects of FortiView in FortiOS 5.2.3:

  • Basic feature support
  • Historical Data
  • Disk Logging
 
Platform               Basic Feature Support   Disk Logging   Historical Data *
FG/FWF20C Series       Yes                     -              -
FG/FWF30D/40C Series   Yes                     -              -
FG/FWF60C Series       Yes                     -              -
FG/FWF60D Series       Yes                     -              -
FGR60D                 Yes                     -              -
FG60D                  Yes                     -              -
FG/FWF80C Series       Yes                     -              -
FG80D                  Yes                     Yes            1 hour
FG/FWF90D Series       Yes                     Yes            1 hour
FG/FWF92D Series       Yes                     -              -
FG110C                 Yes                     -              -
FG111C                 Yes                     CLI            1 hour
FG100D Series          Yes                     Yes            24 hours
FG200B Series          Yes                     #              # (24 hours)
FG200D Series          Yes                     Yes            24 hours
FG310B                 Yes                     -              # (24 hours)
FG311B                 Yes                     -              # (24 hours)
FG300C                 Yes                     Yes            24 hours
FG300D                 Yes                     Yes            24 hours
FG500D                 Yes                     Yes            24 hours
FG620B                 Yes                     #              # (24 hours)
FG621B                 Yes                     #              # (24 hours)
FG600C                 Yes                     Yes            24 hours
FG800C                 Yes                     Yes            24 hours
FG1000D                Yes                     Yes            7 hours, 24 hours
FG1500D                Yes                     Yes            7 hours, 24 hours
FG1240B                Yes                     Yes            24 hours
FG3016B                Yes                     #              # (24 hours)
FG3040B                Yes                     CLI            24 hours
FG3140B                Yes                     CLI            24 hours
FG3240C                Yes                     CLI            24 hours
FG3600C                Yes                     CLI            24 hours
FG3700D/DX             Yes                     CLI            7 hours, 24 hours
FG3810A                Yes                     #              # (24 hours)
FG3950B                Yes                     #, CLI         # (24 hours)
FG3951B                Yes                     #, CLI         # (24 hours)
FG5001A                Yes                     #, CLI         # (24 hours)
FG5001B                Yes                     CLI            24 hours
FG5001C                Yes                     CLI            24 hours
FG5001D                Yes                     CLI            24 hours
FG5101C                Yes                     CLI            24 hours
FS5203B                Yes                     CLI            -

Yes = Default support.

# = Local storage required.

- = No entry in the source table.

* Refer to section on Historical Data below.



Enabling FortiView

By default, FortiView is enabled on FortiGates running FortiOS firmware version 5.2 and above. You will find the FortiView consoles in the main menu. However, certain options will not appear unless the FortiGate has Disk Logging enabled.

Only certain FortiGate models support Disk Logging. A complete list of FortiGate platforms that support Disk Logging is provided in the FortiView Feature Support – Platform Matrix.

 

To enable Disk Logging

1. Go to Log & Report > Log Settings and select the checkbox next to Disk.

2. Apply the change.

 

To enable Disk Logging – CLI

config log disk setting
    set status enable
end



Chapter 10 – FortiView

 

FortiView

  • Overview outlines the role FortiView plays in FortiOS and its overall layout. This section also identifies which FortiGate platforms support the full FortiView features.
  • FortiView consoles describes the various FortiView consoles available in FortiOS, including example scenarios, in most cases.
  • Reference explains reference information for the various consoles in FortiView, and describes the assortment of filtering options, drilldown options, and columns available.
  • Troubleshooting FortiView offers solutions to common technical issues experienced by FortiGate users regarding FortiView.

 

What's new in FortiOS 5.4

 

New Consoles

In FortiOS 5.4, a variety of new consoles have been added to FortiView:

 

FortiView Policies console

The new Policies console works similarly to other FortiView consoles, yet allows administrators to monitor policy activity, and thereby decide which policies are most and least active. This helps the administrator to discern which policies are unused and can be deleted.

In addition, you have the ability to click on any policy in the table to drill down to the Policies list and view or edit that policy. You can view this new console in either Table or Bubble Chart view.

 

FortiView Interfaces console

The new Interfaces console works similarly to other FortiView consoles and allows administrators to perform current and historical monitoring per interface, with the ability to monitor bandwidth in particular. You can view this new console in either Table or Bubble Chart view.

 

FortiView Countries console

A new Countries console has been introduced to allow administrators to filter traffic according to source and destination countries. This console includes the option to view the Country Map visualization (see below).

 

FortiView Device Topology console

The new Device Topology console provides an overview of your network structure in the form of a Network Segmentation Tree diagram (see below).

 

FortiView Traffic Shaping console

A new Traffic Shaping console has been introduced to improve monitoring of existing Traffic Shapers. Information displayed includes Shaper info, Sessions, Bandwidth, Dropped Bytes, and more.

 

FortiView Threat Map console

A new Threat Map console has been introduced to monitor risks coming from various international locations arriving at a specific location, depicted by the location of a FortiGate on the map (see below).

 

FortiView Failed Authentication console

A Failed Authentication console has been added under FortiView that allows you to drill down an entry to view the logs. This new console is particularly useful in determining whether or not the FortiGate is under a brute force attack. If an administrator sees multiple failed login attempts from the same IP, they could (for example) add a local-in policy to block that IP.

 

The console provides a list of unauthorized connection events in the log, including the following:

  • unauthorized access to an admin interface (telnet, ssh, http, https, etc.)
  • failure to query for SNMP (v3) or outside of authorized range (v1, v2, v3)
  • failed attempts to establish any of the following:
    • Dial-up IPsec VPN connections
    • Site-to-site IPsec VPN connections
    • SSL VPN connections
    • FGFM tunnel

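The brute-force check described above, done offline against exported event logs, as an added example written for this page and not FortiOS code: it counts failed authentications per source IP, flags sources at or above a threshold, and prints the FortiOS CLI (5.x syntax) for a host address object and a deny local-in policy that blocks the offender. The log lines are constructed; the two record shapes assumed are admin logins (action="login" status="failed", srcip=) and SSL VPN logins (action="ssl-login-fail", remip=). The interface name wan1, the policy ID and the threshold of 5 are assumptions for the example.

```python
"""Offline equivalent of the FortiView Failed Authentication console
(added example): repeated failures per source IP, then a local-in policy
to block the source.
"""
import re
from collections import Counter, defaultdict

# Constructed FortiGate event-log records (fields trimmed, values made up).
SAMPLE_EVENTS = """\
date=2019-05-10 time=02:00:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" method="https" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2019-05-10 time=02:00:03 type="event" subtype="system" logdesc="Admin login failed" user="root" ui="ssh(203.0.113.50)" method="ssh" srcip=203.0.113.50 action="login" status="failed" reason="name_invalid"
date=2019-05-10 time=02:00:04 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" method="https" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2019-05-10 time=02:00:09 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" method="https" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2019-05-10 time=02:00:10 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.50)" method="https" srcip=203.0.113.50 action="login" status="failed" reason="passwd_invalid"
date=2019-05-10 time=02:01:00 type="event" subtype="vpn" action="ssl-login-fail" user="bob" remip=198.51.100.23 reason="sslvpn_login_unknown_user"
date=2019-05-10 time=08:15:00 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.1.100.5)" method="https" srcip=10.1.100.5 action="login" status="success"
date=2019-05-10 time=08:16:00 type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(10.1.100.5)" method="https" srcip=10.1.100.5 action="login" status="failed" reason="passwd_invalid"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def failed_auth(rec):
    """Return (source_ip, kind) for a failed authentication record, else None.
    Assumed record shapes: admin login and SSL VPN login (see lead-in)."""
    if rec.get("type") != "event":
        return None
    if rec.get("action") == "login" and rec.get("status") == "failed":
        return rec["srcip"], "admin-" + rec.get("method", "unknown")
    if rec.get("action") == "ssl-login-fail":
        return rec["remip"], "sslvpn"
    return None


def failed_logins_by_source(log_text):
    """Failure count and the kinds of service hit, per source IP."""
    counts = Counter()
    kinds = defaultdict(set)
    for line in log_text.splitlines():
        hit = failed_auth(parse_record(line))
        if hit:
            ip, kind = hit
            counts[ip] += 1
            kinds[ip].add(kind)
    return {ip: {"failures": n, "kinds": sorted(kinds[ip])} for ip, n in counts.items()}


def brute_force_sources(log_text, threshold=5):
    """Source IPs at or above the failure threshold, most failures first."""
    table = failed_logins_by_source(log_text)
    hits = [ip for ip, row in table.items() if row["failures"] >= threshold]
    return sorted(hits, key=lambda ip: table[ip]["failures"], reverse=True)


def local_in_block_cli(ip, intf="wan1", policy_id=1):
    """FortiOS CLI (5.x syntax) creating a /32 address object and a deny
    local-in policy for it. intf and policy_id are assumptions."""
    name = "blocked-" + ip.replace(".", "_")
    return "\n".join([
        "config firewall address",
        f'    edit "{name}"',
        f"        set subnet {ip} 255.255.255.255",
        "    next",
        "end",
        "config firewall local-in-policy",
        f"    edit {policy_id}",
        f'        set intf "{intf}"',
        f'        set srcaddr "{name}"',
        '        set dstaddr "all"',
        '        set service "ALL"',
        '        set schedule "always"',
        "        set action deny",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    for offender in brute_force_sources(SAMPLE_EVENTS):
        print(local_in_block_cli(offender))
```

A local-in policy only filters traffic addressed to the FortiGate itself, which is exactly the scope of the logins the console reports. Before relying on the generated policy, confirm that the interface name matches the one the attacker is hitting and that your own management hosts are not in the address object; the standing control for admin access remains trusted hosts on each administrator account and not exposing management services on the WAN interface at all.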

Example PIM configuration that uses BSR to find the RP

This example shows how to configure a multicast routing network for a network consisting of four FortiGate-500A units (FortiGate-500A_1 to FortiGate-500A_4). A multicast sender is connected to FortiGate-500A_2. FortiGate-500A_2 forwards multicast packets in two directions to reach Receiver 1 and Receiver 2.
The configuration uses a Bootstrap Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source). This example describes:

  • Commands used in this example
  • Configuration steps
  • Example debug commands

 

PIM network topology using BSR to find the RP

Commands used in this example

 

This example uses CLI commands for the following configuration settings:

  • Adding a loopback interface (lo0)
  • Defining the multicast routing
  • Adding the NAT multicast policy

 

Adding a loopback interface (lo0)

Where required, the following command is used to define a loopback interface named lo0.

config system interface
    edit lo0
        set vdom root
        set ip 1.4.50.4 255.255.255.255
        set allowaccess ping https ssh snmp http telnet
        set type loopback
    next
end

PIM itself needs none of the allowaccess protocols listed here; telnet and http in particular expose cleartext management on the loopback address, so include only the protocols that are actually required on lo0.

 

Defining the multicast routing

In this example, the following command syntax is used to define multicast routing.

The example uses a Bootstrap Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source).

config router multicast
    config interface
        edit port6
            set pim-mode sparse-mode
        next
        edit port1
            set pim-mode sparse-mode
        next
        edit lo0
            set pim-mode sparse-mode
            set rp-candidate enable
            config join-group
                edit 236.1.1.1
                next
            end
            set rp-candidate-priority 1
        next
    end
    set multicast-routing enable
    config pim-sm-global
        set bsr-allow-quick-refresh enable
        set bsr-candidate enable
        set bsr-interface lo0
        set bsr-priority 200
    end
end

