FortiView Guide

FortiView interface

FortiView lets you access information about the traffic activity on your FortiGate, visually and textually. FortiView is broken up into several consoles, each of which features a top menu bar and a graph window, as seen in the following image:

FortiView Application console sorted by Sessions (Blocked/Allowed)

The top menu bar features:

  • a Refresh button, which updates the data displayed,
  • a Filter button, for filtering the data by category,
  • a Settings button (containing additional viewing settings and a link to the Threat Weight menu),
  • a drop-down menu of different views:
    • Time Display (options: now, 5 minutes, 1 hour, or 24 hours)
    • Table View
    • Timeline View
    • Bubble Chart
    • Country Map


The FortiView graph

The graph window can be hidden using the X in the top right corner, and re-added by selecting Show Graph. To zoom in on a particular section of the graph, click and drag from one end of the desired section to the other. This will appear in the Time Display options as a Custom selection. The minimum selection size is 60 seconds.

Bubble Chart Visualization

Notes about the Bubble Chart:

  • It is possible to sort on the Bubble Chart using the Sort By: drop-down menu.
  • The size of each bubble represents the related amount of data.
  • Place your cursor over a bubble to display a tool-tip with detailed info on that item.
  • You can click on a bubble to drill down into greater (filtered) detail.


Links created between FortiView and View/Create Policy

The Policy column in FortiView consoles and the Log Viewer pages includes a link that navigates to the IPv4 or IPv6 policy list and highlights the matching policy.

Right-clicking on a row in FortiView or the Log Viewer shows menu items for Block Source, Block Destination and Quarantine Source, where the appropriate columns are available to determine these values. When multiple rows are selected, the user is prompted to create a named Address Group to contain the new addresses.

When the user clicks Block Source or Block Destination they are taken to a policy creation page with enough information filled in to create a policy blocking the requested IP traffic.

The policy page will feature an informational message block at the top describing the actions that will be taken. Once the user submits the form, the requisite addresses, groups and policy will be created at once.
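As an added illustration (not from the original guide), the address objects, address group and deny policy that the Block Source workflow creates can also be audited or reproduced from the FortiOS CLI. The object names, the interface names port2/port1 and the address 198.51.100.23 are assumptions; a deny policy only takes effect if it is ordered above any policy that would otherwise allow the traffic.

```fortios
# Address object for the source selected in FortiView (address is a constructed example)
config firewall address
    edit "fv-blocked-src-198.51.100.23"
        set subnet 198.51.100.23 255.255.255.255
    next
end

# Group so that further blocked sources can be added without touching the policy
config firewall addrgrp
    edit "FortiView-blocked-sources"
        set member "fv-blocked-src-198.51.100.23"
    next
end

# Deny policy; "edit 0" creates a new policy with the next free ID
config firewall policy
    edit 0
        set name "Block FortiView sources"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "FortiView-blocked-sources"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Policies are matched top-down, so after creating it, move the deny policy above the allow policies for the same interface pair and confirm the hit count in FortiView > Policies.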

If the user clicks on Quarantine User then they will be prompted for a duration. They may also check a box for a Permanent Ban. The user can manage quarantined users under Monitor > Quarantine Monitor.

Visualization support for the Admin Logins page

A useful chart is generated for Admin login events under FortiView > Admin Logins. You can view the information in either Table View or Timeline View (shown below). In Timeline View, each line represents one administrator, with individual sessions indicated on that administrator's line. When you hover over a particular timeline, detailed information appears in a tooltip.

Realtime visualization

To enable realtime visualization:

  1. Click on the Settings icon next to the upper right-hand corner and select Auto update realtime visualizations. An option is displayed to set the Interval (seconds); the maximum value is 300.
  2. Enter the desired Interval and click Apply.

Accelerated sessions

When viewing sessions in the All Sessions console, information pertaining to NP4/NP6 acceleration is now reflected via an appropriate icon in the table. The tooltip for the icon includes the NP chip type and its total number of accelerated sessions.

Filtering on accelerated sessions

You can filter the console on ‘FortiASIC’ (‘Accelerated’ versus ‘Not Accelerated’) sessions.


WHOIS Lookup anchor for public IPv4 addresses

A reverse IP lookup is possible using the WHOIS lookup icon that appears when you mouse over a public IP address in a FortiView log. If you left-click on the lookup icon, a new browser tab is opened for www.networksolutions.com and a lookup is performed on the selected IP address (this option persists after drilling down one level in FortiView).


FortiView consoles

This section describes the following log filter consoles available in FortiView:

  • Sources displays detailed information on the sources of traffic passing through the FortiGate, and the section covers how you can investigate an unusual spike in traffic to determine which user is responsible.
  • Destinations displays detailed information on the destinations users are accessing, through the use of drill-down functionality.
  • Applications displays applications used on the network that have been recognized by Application Control, and this section shows how you can view what sort of applications individual employees are using.
  • Cloud Applications displays Web/Cloud Applications used on the network, and this section shows how you can drill down to access detailed data on cloud application usage, e.g. YouTube.
  • Web Sites displays websites visited as part of network traffic that have been recognized by Web Filtering, and this section shows how you can investigate instances of proxy avoidance, which is the act of circumventing blocks using proxies.
  • Threats monitors threats to the network, both in terms of their Threat Score and Threat Level.
  • WiFi Clients displays a list of all the devices connected to the WLAN.
  • Traffic Shaping displays a list of existing Traffic Shapers, detailing their bandwidth use and which traffic is being shaped by each shaper.
  • System Events displays security events detected by FortiOS, providing a name and description for the events, an assessment of each event's severity level, and the number of times the events were detected.
  • VPN displays how users can access information on any VPNs associated with their FortiGate.
  • Endpoint Vulnerability displays a list of Vulnerability events detected by the FortiGate on networked devices, along with links to further vulnerability information and databases.
  • Threat Map provides a geographical display of threats, in realtime, from international sources as they arrive at your FortiGate.
  • Policies displays what policies are in effect on your network, what their source and destination interfaces are, how many sessions are in each policy, and what sort of traffic is occurring.
  • Interfaces displays the number of interfaces connected to your network, how many sessions there are on each interface, and what sort of traffic is occurring.
  • FortiSandbox displays FortiSandbox activity. FortiSandbox detects and analyzes advanced attacks designed to bypass traditional security defenses, and has a wide array of features that allow it to prevent future attacks from occurring again.
  • All Sessions displays complete information on all FortiGate sessions, with the ability to filter sessions by port number and application type.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

5 thoughts on “FortiView Guide”

  1. TOGE

    Hello Mike,

    Useful and interesting post!

    I have some trouble with FortiView and I'd love to ask a question.

    I have two FortiGate devices in two different companies, FG VM64 and FG-200E.
    Under FortiView / Traffic from LANDMZ / Sources, I want to see and filter logs by “user”.
    FG-200E can filter by username and also has many other options to filter logs, but FGVM64 has only the “Source” and “Source Device” filters applicable.

    My question is: doesn't VM64 support other filter options, or do I have to turn something on to enable the filter options?

    Note: FG200E is logging to memory, whereas FGVM64 has disk logging enabled. Both of them have traffic logging enabled (under Policy / Logging option / Log Allowed Traffic / All Sessions) and both of them are using DC Agent to poll the user database from AD. I know DC Agent is configured well because everything else is working fine and I can see users under Monitor / Firewall User Monitor and under Log & Report / Forward Traffic.

    I already tried using different browsers.

    Regards.

    1. Mike Post author

      So both FortiGates are configured the same? The only difference is the platform it is on? (appliance vs VM)

      1. TOGE

        Hello and thanks for the quick response!

        No, the configurations are different, but both are using DC Agent to poll users from AD, and then users are matched under different policies to give them different web access privileges.

        Under FortiView / Sources, the physical version has way more options to filter traffic than the VM version.

        But yesterday I asked a friend of mine, who has an FG100E (no DC Agent on it, used in transparent mode), and he also does not have those additional filters available. So I don't think that it's physical/virtual related.

        Could it be because of the software version?
        FG200E: v6.0.2
        FG100E and VM: v6.0.4

  2. irabor

    Hello Mike,
    I configured the FortiGate to serve as a web proxy; I configured the rules under the Proxy tab, with no rules in the IPv4 policy section. I am not seeing logs in FortiView, but when I go to the proxy policy, right-click and click on ‘show matching logs’, I can see logs.
    What am I doing wrong?
