Destinations

The Destinations console provides information about the destination IP addresses of traffic on your FortiGate unit, as well as the application used. You can drill down into the displayed information, select the device and time period, and apply search filters.

This console can be filtered by Country, Destination Interface, Destination IP, Policy, Result, and Source Interface. For more on filters, see Filtering options.

Scenario: Monitoring destination data

The Destinations console can be used to access detailed information on the destinations users access, through the console’s drilldown functionality. In this scenario, the console is used to find out more about a particular user’s Facebook usage patterns over a 24-hour period:

1. Go to FortiView > Destinations.

2. Select 1 hour from the Time Display options at the top right corner of the console.

3. The easiest way to locate most destinations is to scan the Applications column for the name of the application.

Once the session containing Facebook has been located, double-click it to access the Destination summary window.

4. Locate Facebook in the Applications column and double-click it to view the Facebook drilldown page. From here, detailed information regarding the user’s Facebook session can be accessed.

Only FortiGate models 100D and above support the 24 hour historical data.

Interfaces

The Interfaces console lists the total number of interfaces connected to your network, how many sessions there are on each interface, and what sort of traffic is occurring, represented in both bytes sent and received and the total bandwidth used.

This console can be filtered by Country, Destination Interface, Destination IP, Policy, Result, Source, and Source Interface. For more on filters, see Filtering options.

Only FortiGate models 100D and above support the 24 hour historical data.


Scenario: Investigate traffic spikes per user

The wan1 interface is showing a higher amount of traffic than usual. A system administrator uses the console to inspect which user (as represented by an IP address) is creating the spike in traffic:

1. Go to FortiView > Interfaces and double-click on wan1, or right-click and select Drill Down to Details….

2. The console will drill down to a summary page of wan1, showing how many bytes are being sent and received, how much bandwidth is being used, and how many sessions are currently using this interface. The IP address of the user generating the most traffic is shown under Source.

3. You can drill down further to see the destination IP, the device, the applications being used, and other options.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Sources

The Sources console provides information about the sources of traffic on your FortiGate unit.

This console can be filtered by Country, Destination Interface, Policy, Result, Source, and Source Interface. For more on filters, see Filtering options.

Specific devices and time periods can be selected and drilled down for deep inspection.

Scenario: Investigating a spike in traffic

A system administrator notices a spike in traffic and wants to investigate it. From the Sources window, they can determine which user is responsible for the spike by following these steps:

1. Go to FortiView > Sources.

2. In the graph display, click and drag across the peak that represents the spike in traffic.

3. Sort the sources by bandwidth use by selecting the Bytes (Sent/Received) header.

4. Drill down into whichever source is associated with the highest amount of bandwidth use by double-clicking it.

From this screen, you have an overview of that source’s traffic activity.

5. Again, in either the Applications or Destinations view, select the Bytes (Sent/Received) header to sort by bandwidth use.

6. Double-click the top entry to drill down to the final inspection level, from which you can access further details on the application or destination, and/or apply a filter to prohibit or limit access.
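The same drill-down (select a time window, rank sources by Bytes (Sent/Received), then rank the top source's applications and destinations) can be reproduced offline against exported FortiOS traffic logs. The following Python is an added example, not code from the FortiOS documentation or from Fortinet. The log lines are constructed in the FortiOS key=value log shape; the field names used (time, srcip, dstip, app, sentbyte, rcvdbyte) are assumed, so adjust them to match the export you actually have.

```python
import re
from collections import defaultdict

# Constructed sample lines in the FortiOS key=value traffic-log shape.
# These are not captured from a real device; the field names are assumed.
SAMPLE_TRAFFIC_LOG = """\
date=2015-06-01 time=10:00:01 type="traffic" subtype="forward" srcip=192.168.1.10 dstip=203.0.113.5 app="YouTube" policyid=1 sentbyte=120000 rcvdbyte=48000000
date=2015-06-01 time=10:00:02 type="traffic" subtype="forward" srcip=192.168.1.22 dstip=198.51.100.7 app="HTTPS" policyid=1 sentbyte=5000 rcvdbyte=90000
date=2015-06-01 time=10:00:03 type="traffic" subtype="forward" srcip=192.168.1.10 dstip=203.0.113.9 app="Dropbox" policyid=2 sentbyte=700000000 rcvdbyte=30000
date=2015-06-01 time=10:00:04 type="traffic" subtype="forward" srcip=192.168.1.31 dstip=198.51.100.7 app="DNS" policyid=1 sentbyte=800 rcvdbyte=1200
date=2015-06-01 time=10:00:05 type="traffic" subtype="forward" srcip=192.168.1.10 dstip=203.0.113.5 app="YouTube" policyid=1 sentbyte=90000 rcvdbyte=12000000
date=2015-06-01 time=10:00:06 type="traffic" subtype="forward" srcip=192.168.1.22 dstip=203.0.113.5 app="YouTube" policyid=1 sentbyte=3000 rcvdbyte=2500000
"""

# key=value pairs; a value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortios_log(line):
    """Parse one key=value log line into a dict, removing surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def load_records(text):
    return [parse_fortios_log(line) for line in text.splitlines() if line.strip()]


def select_window(records, start, end):
    """Step 2: keep only records inside the selected time span.
    HH:MM:SS strings compare correctly as text within a single day."""
    return [r for r in records if start <= r["time"] <= end]


def total_bytes(record):
    return int(record.get("sentbyte", 0)) + int(record.get("rcvdbyte", 0))


def rank_by_bandwidth(records, key):
    """Steps 3 and 5: sum Bytes (Sent/Received) per distinct value of `key`,
    highest first, like clicking the column header in the console."""
    totals = defaultdict(int)
    for record in records:
        totals[record[key]] += total_bytes(record)
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


def drill_down(records, srcip, key):
    """Steps 4 to 6: restrict to one source, then rank its destinations or applications."""
    return rank_by_bandwidth([r for r in records if r["srcip"] == srcip], key)


def investigate_spike(log_text, start, end):
    """Run the whole scenario and return every intermediate view."""
    records = select_window(load_records(log_text), start, end)
    sources = rank_by_bandwidth(records, "srcip")
    if not sources:  # nothing in the selected window
        return {"sources": [], "top_source": None, "applications": [], "destinations": []}
    top_source = sources[0][0]
    return {
        "sources": sources,
        "top_source": top_source,
        "applications": drill_down(records, top_source, "app"),
        "destinations": drill_down(records, top_source, "dstip"),
    }


if __name__ == "__main__":
    result = investigate_spike(SAMPLE_TRAFFIC_LOG, "10:00:00", "10:00:06")
    print("Sources by bandwidth:", result["sources"])
    print("Top source:", result["top_source"])
    print("  applications:", result["applications"])
    print("  destinations:", result["destinations"])
```

Because every view is a sorted list of (value, bytes) pairs, the same function serves the Sources, Applications and Destinations levels of the drill-down; on the constructed data the top source is 192.168.1.10 and its Dropbox traffic accounts for the spike.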

 


FortiView consoles

This section describes the following log filter consoles available in FortiView:

  • Sources explains the features of FortiView’s Sources console, and shows how you can investigate an unusual spike in traffic to determine which user is responsible.
  • Destinations explains the features of FortiView’s Destinations console and shows how you can access detailed information on the destinations users access through the use of drill down functionality.
  • Interfaces explains the number of interfaces connected to your network, how many sessions there are on each interface, and what sort of traffic is occurring.
  • Policies explains what policies are in effect on your network, what their source and destination interfaces are, how many sessions are in each policy, and what sort of traffic is occurring.
  • Countries explains and graphically displays network activity by geographic region.
  • WiFi Clients shows a list of all the devices connected to the WLAN.
  • All Sessions explains the features of FortiView’s All Sessions console and shows how you can filter sessions by port number and application type.
  • Applications explains the features of FortiView’s Applications console and shows how you can view what sort of applications employees are using.
  • Cloud Applications explains the features of FortiView’s Cloud Applications console and shows how you can drill down to access detailed data on cloud application usage, e.g. YouTube.
  • Web Sites explains the features of FortiView’s Web Sites console and shows how you can investigate instances of proxy avoidance, which is the use of a proxy site in order to access data that might otherwise be blocked by the server.
  • Threats explains the features of FortiView’s Threats console and shows how you can monitor threats to the network, both in terms of their Threat Score and Threat Level.
  • Threat Map explains the features of FortiView’s Threat Map console, which provides a geographical display of threats, in real time, from international sources as they arrive at your FortiGate.
  • Failed Authentication explains instances in which users attempted to connect to the server but were unsuccessful.
  • System Events explains security events detected by FortiOS, providing a name and description for the events, an assessment of the event’s severity level, and the number of instances the events were detected.
  • Admin Logins explains information on administrator interactions with the network, including the number of login instances, number of failed logins, and the length of time logged in.
  • VPN explains how users can access information on any VPNs associated with their FortiGate.

FortiView interface

FortiView lets you access information about the traffic activity on your FortiGate, visually and textually. FortiView is broken up into several consoles, each of which features a top menu bar and a graph window, as seen in the following image:

FortiView Application console sorted by Sessions (Blocked/Allowed)

The top menu bar features:

  • a Refresh button, which updates the data displayed,
  • a Filter button, for filtering the data by category,
  • a Settings button (containing additional viewing settings and a link to the Threat Weight menu),
  • a drop-down menu of different views:
      • Time Display (options: now, 5 minutes, 1 hour, or 24 hours),
      • Table View,
      • Timeline View,
      • Bubble Chart (1),
      • Country Map (2).

(1) For information on the Bubble Chart, refer to Bubble Chart Visualization.

(2) For more information on the Country Map, refer to Countries.

The FortiView graph

The graph window can be hidden using the X in the top right corner, and re-added by selecting Show Graph. To zoom in on a particular section of the graph, click and drag from one end of the desired section to the other. This will appear in the Time Display options as a Custom selection. The minimum selection size is 60 seconds.

Only FortiGate models 100D and above support the 24 hour historical data.

Bubble Chart Visualization

Notes about the Bubble Chart:

  • It is possible to sort on the Bubble Chart using the Sort By: dropdown menu.
  • The size of each bubble represents the related amount of data.
  • Place your cursor over a bubble to display a tool-tip with detailed info on that item.
  • You can click on a bubble to drill down into greater (filtered) detail.

Links created between FortiView and View/Create Policy

The Policy column in FortiView consoles and the Log Viewer pages includes a link, which navigates to the IPv4 or IPv6 policy list and highlights the policy.

Right-clicking on a row in FortiView or the Log Viewer has menu items for Block Source, Block Destination and Quarantine Source where appropriate columns are available to determine these values. When multiple rows are selected, the user will be prompted to create a named Address Group to contain the new addresses.

When the user clicks Block Source or Block Destination they are taken to a policy creation page with enough information filled in to create a policy blocking the requested IP traffic.

The policy page will feature an informational message block at the top describing the actions that will be taken. Once the user submits the form, the requisite addresses, groups and policy will be created at once.

If the user clicks on Quarantine User then they will be prompted for a duration. They may also check a box for a Permanent Ban. The user can manage quarantined users under Monitor > User Quarantine Monitor.

Visualization support for the Admin Logins page

A useful chart is generated for Admin login events under FortiView > Admin Logins. You can view the information in either Table View or Timeline View (shown below). In Timeline View, each line represents one administrator, with individual sessions indicated on that administrator’s line. When you hover over a particular timeline, detailed information appears in a tooltip.


Configuration Dependencies

Most FortiView consoles require the user to enable several features to produce data. The following table summarizes the dependencies for each console, for realtime data and for historical data:

Sources
  Realtime: None, always supported
  Historical: Traffic logging enabled in policy

Destinations
  Realtime: None, always supported
  Historical: Traffic logging enabled in policy

Interfaces
  Realtime: None, always supported
  Historical: Disk logging enabled; Traffic logging enabled in policy

Policies
  Realtime: None, always supported
  Historical: Disk logging enabled; Traffic logging enabled in policy

Countries
  Realtime: None, always supported
  Historical: Disk logging enabled; Traffic logging enabled in policy

All Sessions
  Realtime: None, always supported
  Historical: Traffic logging enabled in policy

Applications
  Realtime: None, always supported
  Historical: Disk logging enabled; Traffic logging enabled in policy; Application control enabled in policy

WiFi Clients
  Realtime: None, always supported
  Historical: Disk logging enabled; Traffic logging enabled in policy

Cloud Applications
  Realtime: Not supported
  Historical: Disk logging enabled; Application control enabled in policy; SSL “deep inspection” enabled in policy; Deep application inspection enabled in application sensor; Extended UTM log enabled in application sensor

Web Sites
  Realtime: Disk logging enabled; Web Filter enabled in policy; “web-url-log” option enabled in Web Filter profile
  Historical: Disk logging enabled; Web Filter enabled in policy; “web-url-log” option enabled in Web Filter profile

Threats
  Realtime: Not supported
  Historical: Disk logging enabled; Traffic logging enabled in policy; Threat weight detection enabled

Threat Map
  Realtime: None, always supported
  Historical: Disk logging enabled; Traffic logging enabled in policy; Threat weight detection enabled

FortiSandbox
  Realtime: Not supported
  Historical: Disk logging enabled; Traffic logging enabled in policy

Failed Authentication
  Realtime: Not supported
  Historical: Disk logging enabled

System Events
  Realtime: Not supported
  Historical: Disk logging enabled

Admin Logins
  Realtime: Not supported
  Historical: Disk logging enabled

VPN
  Realtime: Not supported
  Historical: Disk logging enabled; Traffic logging enabled in policy


FortiView Feature Support – Platform Matrix

Note that the following table identifies three separate aspects of FortiView in FortiOS 5.2.3:

  • Basic feature support
  • Historical Data
  • Disk Logging

Platform                Basic Feature Support   Disk Logging   Historical Data *
FG/FWF20C Series        a
FG/FWF30D/40C Series    a
FG/FWF60C Series        a
FG/FWF60D Series        a
FGR60D                  a
FG60D                   a
FG/FWF80C Series        a
FG80D                   a                       a              1 hour
FG/FWF90D Series        a                       a              1 hour
FG/FWF92D Series        a
FG110C                  a
FG111C                  a                       CLI            1 hour
FG100D Series           a                       a              24 hours
FG200B Series           a                       #              # (24 hours)
FG200D Series           a                       a              24 hours
FG310B                  a                                      # (24 hours)
FG311B                  a                                      # (24 hours)
FG300C                  a                       a              24 hours
FG300D                  a                       a              24 hours
FG500D                  a                       a              24 hours
FG620B                  a                       #              # (24 hours)
FG621B                  a                       #              # (24 hours)
FG600C                  a                       a              24 hours
FG800C                  a                       a              24 hours
FG1000D                 a                       a              7 hours, 24 hours
FG1500D                 a                       a              7 hours, 24 hours
FG1240B                 a                       a              24 hours
FG3016B                 a                       #              # (24 hours)
FG3040B                 a                       CLI            24 hours
FG3140B                 a                       CLI            24 hours
FG3240C                 a                       CLI            24 hours
FG3600C                 a                       CLI            24 hours
FG3700D/DX              a                       CLI            7 hours, 24 hours
FG3810A                 a                       #              # (24 hours)
FG3950B                 a                       #, CLI         # (24 hours)
FG3951B                 a                       #, CLI         # (24 hours)
FG5001A                 a                       #, CLI         # (24 hours)
FG5001B                 a                       CLI            24 hours
FG5001C                 a                       CLI            24 hours
FG5001D                 a                       CLI            24 hours
FG5101C                 a                       CLI            24 hours
FS5203B                 a                       CLI

a = Default support.

# = Local storage required.

* Refer to section on Historical Data below.


Enabling FortiView

By default, FortiView is enabled on FortiGates running FortiOS firmware version 5.2 and above. You will find the FortiView consoles in the main menu. However, certain options will not appear unless the FortiGate has Disk Logging enabled.

Only certain FortiGate models support Disk Logging. A complete list of FortiGate platforms that support Disk Logging is provided in the matrix below.

To enable Disk Logging

1. Go to Log & Report > Log Settings and select the checkbox next to Disk.

2. Apply the change.

To enable Disk Logging – CLI

config log disk setting
    set status enable
end


Chapter 10 – FortiView

FortiView

  • Overview outlines the role FortiView plays in FortiOS and its overall layout. This section also identifies which FortiGate platforms support the full FortiView features.
  • FortiView consoles describes the various FortiView consoles available in FortiOS, including example scenarios in most cases.
  • Reference explains reference information for the various consoles in FortiView, and describes the assortment of filtering options, drilldown options, and columns available.
  • Troubleshooting FortiView offers solutions to common technical issues experienced by FortiGate users regarding FortiView.

What’s new in FortiOS 5.4

New Consoles

In FortiOS 5.4, a variety of new consoles have been added to FortiView:

FortiView Policies console

The new Policies console works similarly to other FortiView consoles, yet allows administrators to monitor policy activity, and thereby decide which policies are most and least active. This helps the administrator to discern which policies are unused and can be deleted.

In addition, you have the ability to click on any policy in the table to drill down to the Policies list and view or edit that policy. You can view this new console in either Table or Bubble Chart view.

FortiView Interfaces console

The new Interfaces console works similarly to other FortiView consoles and allows administrators to perform current and historical monitoring per interface, with the ability to monitor bandwidth in particular. You can view this new console in either Table or Bubble Chart view.

FortiView Countries console

A new Countries console has been introduced to allow administrators to filter traffic according to source and destination countries. This console includes the option to view the Country Map visualization (see below).

FortiView Device Topology console

The new Device Topology console provides an overview of your network structure in the form of a Network Segmentation Tree diagram (see below).

FortiView Traffic Shaping console

A new Traffic Shaping console has been introduced to improve monitoring of existing Traffic Shapers. Information displayed includes Shaper info, Sessions, Bandwidth, Dropped Bytes, and more.

FortiView Threat Map console

A new Threat Map console has been introduced to monitor risks coming from various international locations arriving at a specific location, depicted by the location of a FortiGate on the map (see below).

FortiView Failed Authentication console

A Failed Authentication console has been added under FortiView that allows you to drill down into an entry to view the logs. This new console is particularly useful in determining whether or not the FortiGate is under a brute force attack. If an administrator sees multiple failed login attempts from the same IP, they could (for example) add a local-in policy to block that IP.

The console provides a list of unauthorized connection events in the log, including the following:

  • unauthorized access to an admin interface (telnet, ssh, http, https, etc.)
  • failure to query for SNMP (v3) or outside of authorized range (v1, v2, v3)
  • failed attempts to establish any of the following:
      • Dial-up IPsec VPN connections
      • Site-to-site IPsec VPN connections
      • SSL VPN connections
      • FGFM tunnel
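The pattern the text describes, many failed logins from one source in a short span, can also be checked offline against exported event logs, which is useful on models whose Failed Authentication console has no historical data. The following Python is an added example, not FortiOS code or Fortinet's. The log lines are constructed in the FortiOS key=value event-log shape, and the field names relied on (action, status, srcip, user, ui) are assumed. It reports the sources whose failures exceed a threshold inside a sliding time window, which is the evidence an administrator would review before deciding on the local-in policy the text mentions; it changes no configuration itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the FortiOS key=value event-log shape.
# Not captured from a real device; the field names are assumed.
SAMPLE_EVENT_LOG = """\
date=2015-06-01 time=08:15:01 type="event" subtype="system" action="login" status="failed" srcip=198.51.100.20 user="admin" ui="ssh(198.51.100.20)" method="ssh" reason="passwd_invalid"
date=2015-06-01 time=08:15:04 type="event" subtype="system" action="login" status="failed" srcip=198.51.100.20 user="admin" ui="ssh(198.51.100.20)" method="ssh" reason="passwd_invalid"
date=2015-06-01 time=08:15:09 type="event" subtype="system" action="login" status="failed" srcip=198.51.100.20 user="root" ui="ssh(198.51.100.20)" method="ssh" reason="name_invalid"
date=2015-06-01 time=08:15:15 type="event" subtype="system" action="login" status="failed" srcip=198.51.100.20 user="admin" ui="ssh(198.51.100.20)" method="ssh" reason="passwd_invalid"
date=2015-06-01 time=08:15:22 type="event" subtype="system" action="login" status="failed" srcip=198.51.100.20 user="admin" ui="ssh(198.51.100.20)" method="ssh" reason="passwd_invalid"
date=2015-06-01 time=08:15:31 type="event" subtype="system" action="login" status="failed" srcip=198.51.100.20 user="admin" ui="ssh(198.51.100.20)" method="ssh" reason="passwd_invalid"
date=2015-06-01 time=08:15:40 type="event" subtype="system" action="login" status="success" srcip=198.51.100.20 user="admin" ui="ssh(198.51.100.20)" method="ssh"
date=2015-06-01 time=08:20:00 type="event" subtype="system" action="login" status="failed" srcip=192.168.1.5 user="admin" ui="https(192.168.1.5)" method="https" reason="passwd_invalid"
date=2015-06-01 time=09:30:00 type="event" subtype="system" action="login" status="failed" srcip=198.51.100.20 user="admin" ui="ssh(198.51.100.20)" method="ssh" reason="passwd_invalid"
"""

# key=value pairs; a value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortios_log(line):
    """Parse one key=value log line into a dict, removing surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def load_records(text):
    return [parse_fortios_log(line) for line in text.splitlines() if line.strip()]


def timestamp(record):
    """Combine the date and time fields into a datetime for window arithmetic."""
    return datetime.strptime(record["date"] + " " + record["time"], "%Y-%m-%d %H:%M:%S")


def failed_admin_logins(records):
    """The events the Failed Authentication console lists for admin interfaces:
    login attempts whose status is failed (successful logins are excluded)."""
    return [r for r in records
            if r.get("type") == "event" and r.get("action") == "login"
            and r.get("status") == "failed"]


def failed_by_source(records):
    """Total failed logins per source IP, the first view an administrator scans."""
    counts = defaultdict(int)
    for record in failed_admin_logins(records):
        counts[record["srcip"]] += 1
    return dict(counts)


def burst_sources(records, window=timedelta(seconds=60), threshold=5):
    """Sources with at least `threshold` failures inside any `window`-long span.
    A sliding window separates a rapid burst from the same number of failures
    spread over hours, which a plain total cannot do."""
    by_source = defaultdict(list)
    for record in failed_admin_logins(records):
        by_source[record["srcip"]].append(timestamp(record))
    flagged = []
    for srcip, times in sorted(by_source.items()):
        times.sort()
        best = 0
        left = 0
        for right, current in enumerate(times):
            while times[left] < current - window:  # drop failures older than the window
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged.append((srcip, best))
    return flagged


if __name__ == "__main__":
    records = load_records(SAMPLE_EVENT_LOG)
    print("Failed logins per source:", failed_by_source(records))
    for srcip, count in burst_sources(records):
        print(f"Review {srcip}: {count} failed logins within 60 seconds")
```

On the constructed data 198.51.100.20 has seven failures in total but six of them fall within 60 seconds, so it is flagged while the single failure from 192.168.1.5 is not; the successful login at 08:15:40 is excluded from the count but is exactly the kind of follow-on event worth examining when reviewing a flagged source.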
