FortiHypervisor Is Announced

Fortinet is introducing FortiHypervisor, a new generation of virtual CPE that facilitates the fast, customized delivery of services to enterprises, including their branches, campus, or data center.

FortiHypervisor is based on the Network Function Virtualization (NFV) architecture, which is a provider-led, standards-based movement that enables the deployment of physical network services as virtualized functions that are decoupled from hardware. By decoupling software from hardware, NFV achieves key benefits:


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

VPN


From the VPN console, users can access information on any VPNs associated with their FortiGate. From the initial window, a list of all the associated VPNs is provided, along with general information, such as number of user connections and VPN type. By double-clicking on an individual VPN (or right-clicking and selecting Drill down for details…), users can access more specific data on that VPN.

Logs in the VPN console can be sorted by number of connections, last connection time, or data sent/received by selecting the column headers.

This console can be filtered by Result, User Name, and VPN Type. For more on filters, see Filtering options.

Certain dashboard options will not appear unless your FortiGate has Disk Logging enabled.

Furthermore, only certain FortiGate models support Disk Logging; refer to the FortiView Feature Support – Platform Matrix for more information.

To enable Disk Logging, go to Log & Report > Log Settings, select the checkbox next to Disk, and apply the change.

Scenario: Investigating VPN user activity

The VPN console can be used to access detailed data on VPN user activity through the drill-down windows. In this scenario, the administrator looks into the usage patterns of the IPsec user who has most frequently connected to the network.

1. Go to FortiView > VPN to view the VPN console.

2. Select the Connections column header to sort the entries by number of connections to the network.

3. Locate the top user whose VPN Type is ipsec and double-click the entry to enter that user’s drill down screen.

4. To get the most representative data possible, sort the entries by bandwidth use by selecting the Bytes (Sent/Received) column header. Double-click the top entry to enter the drill down window for that connection instance.

From this screen, the administrator can find out more about the specific session, including the date/time of access, the XAuth (Extensible Authentication) User ID, the session’s Tunnel ID, and more.

Only FortiGate models 100D and above support the 24-hour historical data.



Admin Logins


Only FortiGate models 100D and above support the 24-hour historical data.

The Admin Logins console provides information on administrator interactions with the network, including the number of login instances, number of failed logins, and the length of time logged in. This console features the same view options as the other consoles, as well as Timeline View.

This console can be filtered by Result and User Name. For more on filters, see Filtering options.

Scenario: Scrutinizing Administrator Security

Admin Logins can be used in conjunction with System Events to see who was logged in during a system change that impacted performance and allowed a threat to persist or pass through the firewall:

1. Go to FortiView > System Events to see what and how many network events have taken place, as well as how severe they are in terms of the threat they pose to the network.

2. You see that a particular event has warranted a severe rating, and has allowed traffic to bypass the firewall. Double-click on the event to drill down.

3. Once drilled down, you can see the date and time that the system change took place.

4. Go to FortiView > Admin Logins, to see who has been logged in, how long they have been logged in, and what configuration changes they have made. Using the time graph, you can correlate the information from System Events with who was logged in at the time the threat was allowed.
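The correlation in step 4 can also be done offline over exported records. The following is an added example, not part of the original page or of Fortinet's documentation; the record layout, the sample data, the `SEVERE` set and the 10-minute slack are assumptions made for illustration and do not represent the FortiOS log format.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (not real FortiGate output): admin sessions as
# (user, login time, logout time or None if the session is still open).
SESSIONS = [
    ("alice", "2016-03-01 08:00:00", "2016-03-01 09:30:00"),
    ("bob",   "2016-03-01 09:10:00", None),
    ("carol", "2016-03-01 11:00:00", "2016-03-01 11:20:00"),
]
# Constructed system events: (time, severity, description).
EVENTS = [
    ("2016-03-01 09:15:00", "Critical", "firewall policy changed"),
    ("2016-03-01 10:45:00", "Warning", "interface status changed"),
    ("2016-03-01 11:25:00", "Alert", "admin profile modified"),
]
# Assumption: which of the console's severity levels count as "severe" here.
SEVERE = {"Alert", "Critical", "Emergency"}


def admins_present(event_time, sessions, slack=timedelta(minutes=10)):
    """Return users whose session overlaps event_time, widened by `slack`
    on both sides to absorb clock skew and changes made just before logout."""
    t = datetime.strptime(event_time, FMT)
    present = []
    for user, login, logout in sessions:
        start = datetime.strptime(login, FMT) - slack
        # A session with no recorded logout is treated as still active.
        end = datetime.strptime(logout, FMT) + slack if logout else datetime.max
        if start <= t <= end:
            present.append(user)
    return sorted(present)


def correlate(events, sessions):
    """Map each severe event to the admins logged in around that time."""
    return {
        (when, what): admins_present(when, sessions)
        for when, severity, what in events
        if severity in SEVERE
    }


if __name__ == "__main__":
    for (when, what), users in correlate(EVENTS, SESSIONS).items():
        print(when, what, "->", users or "no admin session found")
```

A severe event that maps to no admin session is itself worth investigating, since it suggests the change did not come from an interactive administrator login that was recorded.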

Only FortiGate models 100D and above support the 24-hour historical data.



How To Upgrade FortiGate Firmware

This is my first ever custom video so please take it easy on me. I get nervous and tend to ramble but I hit the high points. These videos will become very frequent and obviously the quality of the presentation will improve as I get more comfortable and in the groove. Anyways, here is a video that explains how to upgrade your Fortinet FortiGate to a newer version of firmware.

Something to consider: I didn’t mention this in the video but you need to verify you can upgrade to your destination Firmware from the version of code you currently have loaded. Sometimes, changes are drastic enough that you have to “step” your upgrade process. An example of this would be you have 5.2.3 loaded and you want to go to 5.2.8. You can’t do this until you have at least 5.2.6 loaded so you have to upgrade to 5.2.6 THEN upgrade to 5.2.8. These requirements are listed in the release notes so be sure to read those for your Firmware Version!



System Events


The System Events console lists security events detected by FortiOS, providing a name and description for the events, an assessment of the event’s severity level (Alert, Critical, Emergency, Error, or Warning), and the number of instances the events were detected.

This console can be filtered by Event Name, Result, and Severity. For more on filters, see Filtering options.

Scenario: Investigate network security events

System Events can be used in conjunction with All Sessions to see what network security events took place, and specifically see what action was taken upon their detection:

1. Go to FortiView > System Events to see what and how many network events have taken place, as well as how severe they are in terms of the threat they pose to the network.

2. You see that a particular event has warranted a severe rating, and has allowed traffic to bypass the firewall. Note when the event took place, and go to FortiView > All Sessions, to see more information pertaining to the security event.

3. From this console, you can determine the system event’s source, how much traffic was sent and received, and the security action taken in response to this security event. These actions differ, depending upon the severity of the security event. See the entry for Security Action in Columns displayed.



Failed Authentication


The Failed Authentication console displays instances in which users attempted to connect to the server but were unsuccessful. Depending on the Time Display setting, the console will display instances from the last 5 minutes, 1 hour, or 24 hours. The results can be sorted by the number of instances a given user attempted to log in.

By double-clicking on any of the entries on the main Failed Authentication console, a drill down view appears, displaying more detailed information on that user’s authentication attempts, including the date and time of each login attempt, the message explaining the reason each authentication failed (e.g. a mismatched password), and the source IP address.

This console can be filtered by Destination, Login Type, Result, Source, Type, and User. For more on filters, see Filtering options.

Only FortiGate models 100D and above support the 24-hour historical data.

Scenario: Investigating a user’s failed authentication attempts

The Failed Authentication console can be used to access information on individual users and their unsuccessful attempts to access the network. In this scenario, an administrator investigates a user’s multiple attempts via the console’s drill down capability.

1. Go to FortiView > Failed Authentication to access the Failed Authentication console.

2. Select the Failed Attempts column header to sort the entries by number of attempts.

3. Double-click the top entry to drill down to more detailed information on attempts made by the user with the highest number of attempts.



Threat Map


The Threat Map console displays network activity by geographic region. Threats from various international destinations will be shown, but only those arriving at your destination, as depicted by the FortiGate. You can place your cursor over the FortiGate’s location to display the device name, IP address, and the city name/location.

A visual list of threats is shown at the bottom, displaying the location, severity, and nature of the attacks. The color gradient of the darts on the map indicates the traffic risk, where red indicates the more critical risk.

Unlike other FortiView consoles, this console has no filtering options; however, you can click on any country to drill down into greater (filtered) detail.

Only FortiGate models 100D and above support the 24-hour historical data.

Scenario: Investigate various international threats

The Threat Map console can be used to regionalize areas that you are more interested in, and disregard regions that you are not interested in:

1. Go to FortiView > Threat Map to see a real-time map of the globe. This will show various incoming threats from multiple destinations around the world, depending upon where the FortiGate is placed on the map.

2. You are not interested in threats that are being sent to Eastern Europe; however, you are concerned with threats that may be sent to a city in North America. Click and drag the FortiGate to the approximate location where you would like to monitor the incoming threats.

3. To see which countries are sending the more severe threats to your region/location, either see where the red darts are coming from, or check the visual list of threats at the bottom.



Fortinet signs Cybersecurity Information Sharing Agreement

In case you guys have been under a rock for the past few days I thought you would enjoy seeing this. Fortinet signed a very important cybersecurity information sharing agreement with KISA. Fortinet has been making several hard pushes with competitors and other organizations to increase information security knowledge sharing. The more everyone knows the more secure we can be.

For full details on the signing and things of that nature check out the Fortinet Blog that has the details!

