Top Threats
The Top Threats dashboard lists the top users involved in incidents, as well as information on the top threats to your network. You can drill down the displayed information, select the device and time period, and apply search filters.
If you are running FortiOS v5.0.x, you must enable Client Reputation in the security profiles on the FortiGate in order to view entries in the Top Threats section of FortiView in FortiManager.
The following incidents are considered threats:
l Risk applications detected by application control l Intrusion incidents detected by IPS l Malicious web sites detected by web filtering l Malware/botnets detected by antivirus.
Top threats
The following information is displayed:
| Threat Displays the threat type. Select the column header to sort entries by threat. You can apply a search filter to the threat (threat) column. |
| Category Displays the threat category. Select the column header to sort entries by category. You can apply a search filter to the category (threattype) column. |
| Threat Level Displays the threat level. Select the column header to sort entries by threat level. |
| Threat Score Displays the threat score for blocked and allowed traffic. Select the column header (Blocked/Allowed) to sort entries by threat score. |
| Incidents (Blocked/Al- Displays the number of incidents blocked and allowed. Select the column header lowed) to sort entries by incidents. |
The following options are available:
| Refresh | Refresh the displayed information. | |
| Search | Click the search field to add a search filter and select the GO button to apply the search filter. Alternatively, you can right-click the column entry to add the search filter. | |
| Devices | Select the device or log array from the drop-down list or select All Devices. Select the GO button to apply the device filter. | |
| Time Period | Select the time period from the drop-down list. Select Custom from the list to specify the start and end date and time. Select the GO button to apply the time period filter. | |
| N | When selecting a time period with last N in the entry, you can enter the value for N in this text field. | |
| Custom | When Custom is selected the custom icon will be displayed. Select the icon to change the custom time period. | |
| Go | Select the GO button to apply the filter. | |
| Pagination | Select the number of entries to display per page and browse pages. | |
| Right-click menu | ||
| Source | Select to drill down by source to view source related information including the source IP address, device MAC address or FQDN, threat score (blocked/allowed), bytes (sent/received), and incidents (blocked/allowed).
You can select to sort entries displayed by selecting the column header. You can apply a search filter in the source (srcip) and device (dev_src) columns to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Threats page. |
|
| Destination | Select to drill down by destination to view destination related information including the destination IP address and geographic region, the threat score (blocked/allowed), bytes (sent/received), and incidents (blocked/allowed).
You can select to sort entries displayed by selecting the column header. You can apply a search filter in the destination (dstip) column to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Threats page. |
|
| Sessions | Select to drill down by sessions to view session related information including date/time, source/device, destination IP address and geographic region, service, bytes (sent/received), user, application, and security action.
You can select to sort entries displayed by selecting the column header. You can apply a search filter in the destination (dstip), service (service), user (user), or application (app) columns to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Threats page. |
|
| Search | Add a search filter and select the GO button to apply the filter. | |
Hello,
Maybe you can help me. I keep seeing “No Data” if I open Fortiview on my fortimanager.
I have 2 Fortigates (300D and a 200D) connected to it.
If I select logview, I can see all the traffic info of both Fortigates.
If I log on on the Fortigates, Fortiview is working fine. But somehow I can not get data in Fortiview on the Fortimanager.
What am I doing wrong?
Regards.
Stief
What version of FortiOS are you running on the Manager as well as the FortiGates? (I know you posted this on the FortiManager 5.2 page but I would like to confirm)
Fortimanager 5.4
Fortigates 5.41
Are you logging UTM etc functions or is it just plain firewall logging that isn’t showing?
Hi Mike,
Thanks for the reply.
It’s set to log all traffic. But also UTM stuff.
In Logview I can see everything but Fortiview stays empty.
Mike,
Was there ever any resolve to this issue? I’m dealing with the same thing.
I would check to see if ADOM’s were enabled. If they aren’t….enable them and make sure the ADOM that the FortiGate’s are a part of are listed as 5.4.
Sometimes I notice weird shenannigans and after looking deeper it is because during the upgrade process, or something along those lines…..the FortiManager/FortiAnalyzer is still operating the devices beneath it in 5.2 mode.
Let me know if that doesn’t make any sense. Long day so this response is sort of stream of consciousness lol
Hi,
Apperently it was a bug that is fixed in the latest release. After installing everything is working fine again.
Groovy! Thanks for the update!
Hi,
I cant see application name in forti view.
i am using version 5.2.10.
pls give me the solution
Thank u
Link to a screenshot of what you do see?
Dear Mike,
In fortimanager under fortiview -vpn-ssl-dialup-ipsec-monitor stopped reporting for last 4 days. Pls guide how to resolve the issue.
Regards,
The devices still registering and checked into the FortiManager?
All devices are registered/added in device manager, fortview has stopped logging from 26th april,
What version of code is running?
Fortigate is 6.0.1 & fortimanager is v6.0.3-build0255 181102 (GA)