FortiView

Top cloud applications

The Top Cloud Applications dashboard displays information about the cloud application traffic on your FortiGate unit. You can drill down the displayed information, and also select the device and time period, and apply search filters.

Figure 93: Top cloud applications

The following information is displayed:

Application: Displays the application name. Select the column header to sort entries. You can apply a search filter to the application (app) column.

User: Displays the user name. This column is only shown when Cloud Users is selected in the applications/users drop-down list.

Category: Displays the application category. Select the column header to sort entries. You can apply a search filter to the category (appcat) column. This column is only shown when Cloud Applications is selected in the applications/users drop-down list.

Risk: Displays the application risk level. Hover the mouse cursor over the entry in the column for additional information. Select the column header to sort entries. Risk uses a new 5-point risk rating. The rating system is as follows:

• Critical: Applications that are used to conceal activity to evade detection.
• High: Applications that can cause data leakage, are prone to vulnerabilities, or can download malware.
• Medium: Applications that can be misused.
• Elevated: Applications that are used for personal communications or can lower productivity.
• Low: Business related applications or other harmless applications.

This column is only shown when Cloud Applications is selected in the applications/users drop-down list.

Login IDs: Displays the number of login IDs associated with the application. Select the column header to sort entries. This column is only shown when Cloud Applications is selected in the applications/users drop-down list.

Sessions: Displays the number of sessions associated with the application. Select the column header to sort entries.

File (Up/Down): Displays the number of files uploaded and downloaded. Hover the mouse cursor over the entry in the column for additional information. Select the column header to sort entries.

Videos Played: Displays the number of videos played using the application. Select the column header to sort entries.

Bandwidth (Sent/Received): Displays the bandwidth value for sent and received packets. Select the column header to sort entries by bandwidth.

The following options are available:

Search: Click the search field to add a search filter by application (app), source interface (srcintf), destination interface (dstintf), policy ID (policyid), security action (utmaction), or virtual domain (vd). Select the GO button to apply the search filter. Alternatively, you can right-click the column entry to add the search filter. Select the clear icon to remove the search filter.

Devices: Select the device from the drop-down list or select All Devices. Select the GO button to apply the device filter.

Time Period: Select the time period from the drop-down list. Select Custom from the list to specify the start and end date and time. Select the GO button to apply the time period filter.

N: When selecting a time period with last N in the entry, you can enter the value for N in this text field.

Custom: When Custom is selected, the custom icon is displayed. Select the icon to change the custom time period.

Cloud Applications / Cloud Users: Select to view information based on either applications or users.

Cloud Users / Cloud Applications: Select to drill down by cloud users to view user related information including IP address, source IP address, number of files uploaded and downloaded, number of videos played, number of sessions, and bandwidth (sent/received). You can sort the entries displayed by selecting the column header. You can apply a search filter in the user (clouduser) and source (source) columns to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Cloud Applications page.

Files: Select to drill down by files to view file related information including the user email address, source IP address, file name, and file size. You can sort the entries displayed by selecting the column header. You can apply a search filter in the user (clouduser) and source (srcip) columns to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Cloud Applications page.

Videos: Select to drill down by videos to view video related information including the user email address, source IP address, file name, and file size. You can sort the entries displayed by selecting the column header. You can apply a search filter in the user (clouduser) and source (srcip) columns to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Cloud Applications page.

Sessions: Select to drill down by sessions to view session related information including the date and time, source/device IP address, destination IP address, service, number of packets sent and received, user, application, and security action. You can sort the entries displayed by selecting the column header. You can apply a search filter in the destination (dstip), service (service), user (user), and application (app) columns to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Cloud Applications page.

Search: Add a search filter by cloud application (app), category (appcat), or cloud user (clouduser). Select the GO button to apply the filter. Select the clear icon to remove the search filter.
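As an added example that is not part of the guide, the following Python script reproduces the Top Cloud Applications aggregation (sessions, distinct login IDs, sent/received bytes per application, ordered by the 5-point risk rating) and its exact-match search filters offline. The key=value log format, the apprisk, sentbyte and rcvdbyte field names, and all sample values are assumptions constructed for the example, not captured from a device.

```python
import re
# Constructed FortiGate-style key=value traffic log lines (assumed format; values invented,
# not captured from any device). Field names are the filter keys this page lists (app,
# appcat, clouduser, srcip, policyid, utmaction, vd) plus apprisk/sentbyte/rcvdbyte, assumed.
SAMPLE_LOGS = [
    'vd=root srcip=10.0.0.5 policyid=1 app="Dropbox" appcat="Storage.Backup" apprisk=high '
    'clouduser="alice@example.com" utmaction=allow sentbyte=12000 rcvdbyte=300',
    'vd=root srcip=10.0.0.7 policyid=1 app="Dropbox" appcat="Storage.Backup" apprisk=high '
    'clouduser="bob@example.com" utmaction=allow sentbyte=5000 rcvdbyte=200',
    'vd=root srcip=10.0.0.5 policyid=2 app="YouTube" appcat="Video/Audio" apprisk=elevated '
    'clouduser="alice@example.com" utmaction=allow sentbyte=400 rcvdbyte=90000',
    'vd=root srcip=10.0.0.9 policyid=2 app="Tor" appcat="Proxy" apprisk=critical '
    'utmaction=block sentbyte=100 rcvdbyte=0',
    'vd=root srcip=10.0.0.9 policyid=2 service=DNS utmaction=allow sentbyte=60 rcvdbyte=120',
]
RISK_LEVELS = ("low", "elevated", "medium", "high", "critical")  # the page's 5-point rating
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def top_cloud_applications(lines, filters=None):
    """Aggregate per application, honouring exact-match search filters such as
    {"utmaction": "allow"} or {"srcip": "10.0.0.5"}. Rows are sorted by risk
    (critical first) and then by session count, so the riskiest applications lead."""
    filters = filters or {}
    stats = {}
    for line in lines:
        rec = parse_log(line)
        # Lines without an app field are ordinary traffic, not cloud application traffic.
        if "app" not in rec or any(rec.get(k) != v for k, v in filters.items()):
            continue
        row = stats.setdefault(rec["app"], {
            "app": rec["app"], "category": rec.get("appcat"),
            "risk": rec.get("apprisk", "low"), "login_ids": set(),
            "sessions": 0, "sent": 0, "rcvd": 0})
        row["sessions"] += 1
        row["sent"] += int(rec.get("sentbyte", 0))
        row["rcvd"] += int(rec.get("rcvdbyte", 0))
        if rec.get("clouduser"):  # the Login IDs column counts distinct users per app
            row["login_ids"].add(rec["clouduser"])
    for row in stats.values():
        row["login_ids"] = len(row["login_ids"])
    def rank(r):
        level = RISK_LEVELS.index(r["risk"]) if r["risk"] in RISK_LEVELS else 0
        return (level, r["sessions"])
    return sorted(stats.values(), key=rank, reverse=True)
```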

Log view

Logging and reporting can help you determine what is happening on your network, and can inform you of certain network activity, such as the detection of a virus or IPsec VPN tunnel errors. Logging and reporting go hand in hand, and together they are a valuable tool for gathering information and for displaying the activity that is happening on the network.

Your FortiAnalyzer device collects logs from managed FortiGate, FortiCarrier, FortiCache, FortiMail, FortiSandbox, FortiWeb devices, FortiClient endpoint agents, and syslog servers.

Table 6: Collected logs

Device Type: Logs
FortiGate: Traffic, Event, Security, and VoIP (Content logs are also collected for FortiOS 4.3 devices)
FortiCarrier: Traffic, Event
FortiCache: Traffic, Event, Antivirus, and Web Filter
FortiMail: History, Event, Antivirus, and Email Filter
FortiSandbox: Malware, Network Alerts
FortiWeb: Event, Intrusion Prevention, and Traffic
Syslog: Generic

Traffic logs record the traffic that is flowing through your FortiGate unit. Since traffic needs firewall policies to properly flow through the unit, this type of logging is also referred to as firewall policy logging. Firewall policies control all traffic that attempts to pass through the FortiGate unit, between FortiGate interfaces, zones and VLAN sub-interfaces.

The event log records administrative activity as well as Fortinet device system activity, such as when a configuration has changed, or when admin login or HA events occur. Event logs are important because they record Fortinet device system activity, which provides valuable information about how your Fortinet unit is performing. The FortiGate event logs include System, Router, VPN, and User menu objects to provide you with more granularity when viewing and searching log data.

Security logs (FortiGate) record all antivirus, web filtering, application control, intrusion prevention, email filtering, data leak prevention, vulnerability scan, and VoIP activity on your managed devices.

The logs displayed on your FortiAnalyzer are dependent on the device type logging to it. FortiGate, FortiCarrier, FortiCache, FortiMail, FortiWeb, FortiSandbox, FortiClient and Syslog logging is supported. ADOMs must be enabled to support FortiCache, FortiMail, FortiWeb, FortiSandbox, and Syslog logging.

For more information on logging see the Logging and Reporting for FortiOS Handbook in the Fortinet Document Library.

The Log View menu displays log messages for connected devices. You can also view, import, and export log files that are stored for a given device, and browse logs for all devices.

Viewing log messages

To view log messages, select the FortiView tab, select Log View in the left tree menu, then browse to the ADOM whose logs you would like to view in the tree menu. You can view the traffic log, event log, or security log information per device or per log array. FortiMail and FortiWeb logs are found in their respective default ADOMs. For more information on FortiGate raw logs, see the FortiGate Log Message Reference in the Fortinet Document Library. For more information on other device raw logs, see the Log Message Reference for the platform type.

Figure 94: Log View (formatted display)

This page displays the following information and options:

Refresh: Select to refresh the log view. This option is only available when viewing historical logs.

Search: Enter a search term to search the log messages. See “To perform a text search:” on page 139. You can also right-click an entry in one of the columns and select to add a search filter. Select GO in the toolbar to apply the filter. Not all columns support the search feature.

Latest Search: Select the latest search icon to repeat previous searches, select favorite searches, or quickly add filters to your search. The filters available vary based on device and log type.

Clear Search: Select to clear search filters.

Help: Hover your mouse over the help icon for help on, for example, search syntax. See “Examples” on page 140.

Device: Select the device or log array in the drop-down list. Select Manage Log Arrays in the Tools menu to create, edit, or delete log arrays.

Time Period: Select a time period from the drop-down list. Options include: Last 30 mins, Last 1 hour, Last 4 hours, Last 12 hours, Last 1 day, Last 7 days, Last N hours, Last N days, or Custom. See “To customize the time period:” on page 140. This option is only available when viewing historical logs.

GO: Select to apply the time period and limit to the displayed log entries. A progress bar is displayed in the lower toolbar.

Create Custom View: Select to create a new custom view. You can create multiple custom views in log view. Each custom view can display a selected device or log array with specific filters and time period. See “To create a new custom view:” on page 138. This option is only available when viewing historical logs.

Pause / Resume: Pause or resume real-time log display. These two options are only available when viewing real-time logs.

Tools: The tools button provides options for changing the manner in which the logs are displayed, and search and column options. You can manage log arrays from it, and it also provides an option for downloading logs; see “Download log messages” on page 141.

Real-time Log / Historical Log: Select to change the view from Real-time Log to Historical Log.

Display Raw: Select to change the view from formatted display to raw log display.

Download: Select to download logs. A download dialog box is displayed. Select the log file format, whether to compress with gzip, and the pages to include, then select Apply to save the log file to the management computer. This option is only available when viewing historical logs in formatted display.

Manage Log Arrays: Select to create new, edit, and delete log arrays. Once you have created a log array, you can select the log array in the Device drop-down menu in the Log View toolbar. In FortiAnalyzer v5.2.0 and later, when selecting to add a device with VDOMs, all VDOMs are automatically added to the Log Array.

Case Sensitive Search: Select to enable case sensitive search.

Enable Column Filter: Select to enable column filters.

Display Log Details: Select to display the log details window.

Logs: The columns and information shown in the log message list vary depending on the selected log type, the device type, and the view settings. Right-click on various columns to add search filters to refine the logs displayed. When a search filter is applied, the value is highlighted in the table and log details.

Log Details: Detailed information on the log message selected in the log message list. The item is not available when viewing raw logs. See “Log details” on page 142 for more information. Log Details are only displayed when enabled in the Tools menu.

Status Bar: Displays the log view status as a percentage.

Pagination: Adjust the number of logs that are listed per page and browse through the pages.

Limit: Select the maximum number of log entries to be displayed from the drop-down list. Options include: 1000, 5000, 10000, 50000, or All.

Archive: Information about archived logs, when they are available. The item is not available when viewing raw logs, or when the selected log message has no archived logs. When an archive is available, the archive icon is displayed. See “Archive” on page 143 for more information. This option is only available when viewing historical logs in formatted display and when an archive is available.
