Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

FortiAnalyzer – FortiOS 6.2.3 – Datasets

Datasets

Use the Datasets pane to create, edit, and manage your datasets.

Creating datasets

FortiAnalyzer datasets are collections of data from logs for monitored devices. Charts and macros reference datasets. When you generate a report, the datasets populate the charts and macros to provide data for the report.

FortiAnalyzer has many predefined datasets that you can use right away. You can also create your own custom datasets.

To create a new dataset:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > Datasets, and click Create New.
  3. Provide the required information for the new dataset.
Name                                       Enter a name for the dataset.
Log Type                                 Select a log type from the dropdown list.

l  The following log types are available for FortiGate: Application Control,

Intrusion Prevention, Content Log, Data Leak Prevention, Email Filter,

Event, Traffic, Virus, VoIP, Web Filter, Vulnerability Scan, FortiClient Event, FortiClient Traffic, FortiClient Vulnerability Scan, Web Application Firewall, GTP, DNS, SSH, and Local Event.

l  The following log types are available for FortiMail: Email Filter, Event, History, and Virus.

l  The following log types are available for FortiWeb: Intrusion Prevention, Event, and Traffic.

Query Enter the SQL query used for the dataset. An easy way to build a custom query is to copy and modify a predefined dataset’s query.
Variables                                Click the Add button to add variable, expression, and description information.
Test query with specified devices and time period
Time Period             Use the dropdown list to select a time period. When selecting Custom, enter the start date and time, and the end date and time.
Devices       Select All Devices or Specify to select specific devices to run the SQL query against. Click the Select Device button to add multiple devices to the query.
                     Test                         Click to test the SQL query before saving the dataset configuration.
  1. Click Test.

The query results are displayed. If the query is not successful, an error message appears in the Test Result pane.

  1. Click OK.

Viewing the SQL query of an existing dataset

You can view the SQL query for a dataset, and test the query against specific devices or all devices.

To view the SQL query for an existing dataset:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > Datasets.
  3. Hover the mouse cursor over the dataset on the dataset list. The SQL query is displayed as a tooltip. You can also open the dataset to view the Query

SQL query functions

In addition to standard SQL queries, the following are some SQL functions specific to FortiAnalyzer. These are based on standard SQL functions.

root_domain(hostname) The root domain of the FQDN. An example of using this function is:

select devid, root_domain(hostname) as website FROM $log WHERE’user’=’USER01′ GROUP BY devid, hostname ORDER BY hostname LIMIT 7

nullifna(expression) This is the inverse operation of coalesce that you can use to filter out n/a values. This function takes an expression as an argument. The actual SQL syntax this is base on is select nullif(nullif(expression, ‘N/A’), ‘n/a’).

In the following example, if the user is n/a, the source IP is returned, otherwise the username is returned.

select coalesce(nullifna(‘user’), nullifna(‘srcip’)) as user_ src, coalesce(nullifna(root_domain(hostname)),’unknown’) as domain FROM $log WHERE dstport=’80’ GROUP BY user_src, domain ORDER BY user_src LIMIT 7

email_domain email_user email_domain returns the text after the @ symbol in an email address. email_user returns the text before the @ symbol in an email address. An example of using this function is:

select ‘from’ as source, email_user(‘from’) as e_user, email_ domain(‘from’) as e_domain FROM $log LIMIT 5 OFFSET 10

from_dtime from_itime from_dtime(bigint) returns the device timestamp without time zone. from_itime(bigint) returns FortiAnalyzer’s timestamp without time zone. An example of using this function is:

select itime, from_itime(itime) as faz_local_time, dtime, from_ dtime(dtime) as dev_local_time FROM $log LIMIT 3

Managing datasets

You can manage datasets by going to Reports > Report Definitions > Datasets. Some options are available as buttons on the toolbar. Some options are available in the right-click menu. Right-click a dataset to display the menu.

Option Description
Create New Creates a new dataset.
Edit Edits the selected dataset. You can edit datasets that you created. You cannot edit predefined datasets.
View Displays the settings for the selected dataset. You cannot edit predefined datasets.
Delete Deletes the selected dataset. You can delete datasets that you create. You cannot delete predefined datasets.
Clone Clones the selected dataset. You can edit cloned datasets.
Validate Validate selected datasets.
Validate All Custom Validates all custom datasets.
Search Lets you search for a dataset name.

FortiAnalyzer – FortiOS 6.2.3 – Macro library

Macro library

Use the Macro library to create, edit, and manage your macros.

Creating macros

FortiAnalyzer includes a number of predefined macros. You can also create new macros, or clone and edit existing macros.

Macros are predefined to use specific datasets and queries. They are organized into categories, and can be added to, removed from, and organized in reports.

To create a new macro:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > Macro Library, and click Create New. The Create Macro pane is displayed.
  3. Provide the required information for the new macro.
Name Enter a name for the macro.
Description Enter a description of the macro.
Dataset Select a dataset from the dropdown list.The options will vary based on device type.
Query Displays the query statement for the dataset selected.
Data Binding The data bindings vary depending on the dataset selected. Select a data binding from the dropdown list.
Display Select a value from the dropdown list.
  1. Click OK. The newly created macro is shown in the Macro library.

Managing macros

You can manage macros by Reports > Report Definitions > Macro Library. Some options are available as buttons on the toolbar. Some options are available in the right-click menu. Right-click a macro to display the menu.

Option   Description
Create New   Creates a new macro.
Edit   Edits the selected macro. You can edit macros that you created. You cannot edit predefined macros.
View   Displays the settings for the selected macro. You cannot edit a predefined macro.
Delete   Deletes the selected macro. You can delete macros that you create. You cannot delete predefined macros.
Clone   Clones the selected macro.
Show Predefined   Displays the predefined macros.
Show Custom   Displays the custom macros.
Search   Lets you search for a macro name.

Viewing datasets associated with macros

To view datasets associated with macros:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions> Macro Library.
  3. Select a macro, and click View (for predefined macros) or Edit (for custom macros) in the toolbar.
  4. In the View Macro or Edit Macro pane, find the name of the dataset associated with the macro in the Dataset
  5. Go to Reports > Report Definitions> Datasets.
  6. In the Search box, type the name of the dataset.
  7. Double-click the dataset to view it.

FortiAnalyzer – FortiOS 6.2.3 – Chart library

Chart library

Use the Chart library to create, edit, and manage your charts.

In a Security Fabric ADOM, you can insert charts from all device types into a single report.

Creating charts

To create charts:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > Chart Library.
  3. Click Create New in the toolbar.
  4. Configure the settings for the new chart, the click OK.
Name Enter a name for the chart.
Description Enter a description of the chart.
Dataset Select a dataset from the dropdown list. For more information, see Datasets on page 136. Options vary based on device type.
Resolve Hostname Select to resolve the hostname. Select one of the following: Inherit, Enabled, or Disabled.
Chart Type Select a graph type from the dropdown list; one of: Table, Bar, Pie, Line, Area, Donut, or Radar. This selection affects the rest of the available selections.
Data Bindings The data bindings vary depending on the chart type selected.
Table  
Table Type Select Regular, Ranked, or Drilldown.
Add Column Select to add a column. Up to 15 columns can be added for a Regular table.

Ranked tables have two columns, and Drilldown tables have three columns.

Columns The following column settings must be set: l Column Title: Enter a title for the column. l Width: Enter the column width as a percentage.

Data Binding: Select a value from the dropdown list. The options vary depending on the selected dataset.

Format: Select a value from the dropdown list.

Add Data Binding: Add data bindings to the column. Every column must have at least one data binding. The maximum number varies depending

 

  on the table type.
Order By Select what to order the table by. The available options vary depending on the selected dataset.
Show Top Enter a numerical value. Only the first ‘X’ items are displayed. Other items can be bundled into the Others category for Ranked and Drilldown tables.
Drilldown

Top

Enter a numerical value. Only the first ‘X’ items are displayed. This options is only available for Drilldown tables.
Bar  
X-Axis Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset.

Label: Enter a label for the axis.

Show Top: Enter a numerical value. Only the first ‘X’ items are displayed.

Other items are bundled into the Others category.

Y-axis Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset.

Format: Select a format from the dropdown list: Bandwidth, Counter, Default, Percentage, or Severity. l Label: Enter a label for the axis.

Bundle rest into “Others” Select to bundle the rest of the results into an Others category.
Group By l Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset. l Show Top: Enter a numerical value. Only the first ‘X’ items are displayed.

Other items can be bundled into the Others category.

Order By Select to order by the X-Axis or Y-Axis.
Pie, Donut, or Radar  
Category Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset.

Label: Enter a label for the axis.

Show Top: Enter a numerical value. Only the first ‘X’ items are displayed.

Other items can be bundled into the Others category.

Series Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset.

Format: Select a format from the dropdown list: Bandwidth, Counter, Default, Percentage, or Severity. l Label: Enter a label for the axis.

Bundle rest into “Others” Select to bundle the rest of the results into an Others category.
Line or Area  
X-Axis l Data Binding: Select a value from the dropdown list. The available
  options vary depending on the selected dataset.

l Format: Select a format from the dropdown list: Default, or Time. l Label: Enter a label for the axis.

Lines Data Binding: Select a value from the dropdown list. The available options vary depending on the selected dataset.

Format: Select a format from the dropdown list: Bandwidth, Counter, Default, Percentage, or Severity.

Type: Select the type from the dropdown list: Line Up or Line Down. l Legend: Enter the legend text for the line.

Add line Select to add more lines.

Managing charts

Manage your charts in Reports > Report Definitions > Chart Library. Some options are available as buttons on the toolbar. Some options are available in the right-click menu. Right-click a chart to display the menu.

Option Description
Create New Creates a new chart.
Edit Edits a chart. You can edit charts that you created. You cannot edit predefined charts.
View Displays the settings for the selected predefined chart. You cannot edit a predefined chart.
Delete Deletes the selected chart. You can delete charts that you create. You cannot delete predefined charts.
Clone Clones the selected chart.
Import Imports a previously exported FortiAnalyzer chart.
Export Exports one or more FortiAnalyzer charts.
Show Predefined Displays the predefined charts.
Show Custom Displays the custom charts.
Search Lets you search for a chart name.

Viewing datasets associated with charts

To view datasets associated with charts:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > Chart Library.
  3. Select a chart, and click View in the toolbar.
  4. In the View Chart pane, find the name of the dataset associated with the chart in the Dataset
  5. Go to Reports > Report Definitions > Datasets.
  6. In the Search box, type the name of the dataset.
  7. Select the dataset that is found, and click View in the toolbar to view it.

Managing reports – FortiAnalyzer – FortiOS 6.2.3

Managing reports

You can manage reports by going to Reports > Report Definitions > All Reports. Some options are available as buttons on the toolbar. Some options are available in the right-click menu. Right-click a report to display the menu.

Option Description
Create New Creates a new report. You can choose whether to base the new report on a report template.
Edit Edits the selected report.
Delete Deletes the selected report.
Clone Clones the selected report.
Run report Generates a report.
Folder Organizes reports into folders.
Import Imports a report from a management computer.
Export Exports a report to a management computer.
Show Scheduled Only Filters the list to include only reports that have been run or are scheduled to be run.

Organizing reports into folders

You can create folders to organize reports.

To organize reports into folders:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > All Reports.
  3. Click Folder in the toolbar, and select Create New Folder.
  4. Specify the folder name and location and click OK. The folder is now displayed in the report list.

You can now create, clone, or import reports into this folder.

Importing and exporting reports

You can transport a report between FortiAnalyzer units. You can export a report from the FortiAnalyzer unit to the management computer. The report is saved as a .dat file on the management computer. You can then import the report file to another FortiAnalyzer unit.

To export reports:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > All Reports.
  3. In the content pane, select a report, and select More > Export in the toolbar to save the file to the management computer.

To import reports:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > All Reports.
  3. In the content pane, click More > Import in the toolbar. The Import Report dialog box opens.
  4. Drag and drop the report file onto the dialog box, or click Browse and locate the file to be imported on your local computer.
  5. Select a folder to save the report to from the dropdown list.
  6. Click OK to import the report.

Report template library

Because the cut, copy, and paste functions need access to the clipboard of your operating system, some Internet browsers either block it when called from the layout editor toolbar, or ask you to explicitly agree to it. If you’re blocked from accessing the clipboard by clicking the respective cut, copy and paste buttons from the toolbar or context menu, you can always use keyboard shortcuts.

A report template defines the charts and macros that are in the report, as well as the layout of the content.

You can use the following items to create a report template:

  • Text l Images l Tables
  • Charts that reference datasets l Macros that reference datasets

Datasets for charts and macros specify what data are used from the Analytics logs when you generate the report. You can also create custom charts and macros for use in report templates.

Creating report templates

You can create a report template by saving a report as a template or by creating a totally new template.

To create a report template:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to the Reports > Report Definitions> Templates.
  3. In the toolbar of the content pane, click Create New.
  4. Set the following options:
    1. If you are in a Security Fabric ADOM, the Category must be SecurityFabric. d. Language.
  5. Use the toolbar to insert and format text and graphics for the template. In particular, use the Insert Chart and Insert Macro buttons to insert charts and macros into the template.

For a description of the fields, see Reports Layout tab on page 120. For information about creating charts and macros, see Creating charts on page 130 and Creating macros on page 134.

  1. Click OK.

The new template is now displayed on the template list.

To create a report template by saving a report:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > All Reports.
  3. In the content pane, select the report from the list, and click Edit in the toolbar.
  4. In the Layout tab, click the Save As Template button in the toolbar.
  5. In the Save as Template dialog box, set the following options, and click OK:
    1. If you are in a Security Fabric ADOM, the Category must be SecurityFabric.

The new template is now displayed on the template list.

Viewing sample reports for predefined report templates

You can view sample reports for predefined report templates to help you visualize how the reports would look.

To view sample reports:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to the Reports > Report Definitions > Templates.
  3. In the content pane, click the HTML or PDF link in the Preview column of a template to view a sample report based on the template.

Managing report templates

You can manage report templates in Reports > Report Definitions> Templates. Some options are available as buttons on the toolbar. Some options are available in the right-click menu. Right-click a template to display the menu.

Option Description
Create New Creates a new report template
Edit Edits a report template. You can edit report templates that you created. You cannot edit predefined report templates.
View Displays the settings for the predefined report template. You can copy elements from the report template to the clipboard, but you cannot edit a predefined report template.
Delete Deletes the selected report template. You cannot delete predefined report templates.
Clone Clones the selected report template.
Create Report Creates the selected report template.
Install Template Pack Upload and install a template pack.

List of report templates

FortiAnalyzer includes report templates you can use as is or build upon when you create a new report. FortiAnalyzer provide different templates for different devices.

You can find report templates in Reports > Report Definitions > Templates.

FortiGate report templates

Template – 360 Protection Report Template – Security Events and Incidents Summary
Template – 360-Degree Security Review Template – Self-Harm and Risk Indicators Report
Template – Admin and System Events Report Template – Situation Awareness Report
Template – Application Risk and Control Template – Social Media Usage Report
Template – Bandwidth and Applications Report Template – Threat Report
Template – Client Reputation Template – Top 20 Categories and Applications (Bandwidth)
Template – Cyber Threat Assessment Template – Top 20 Categories and Applications (Session)
Template – Cyber-Bullying Indicators Report Template – Top 20 Category and Websites (Bandwidth)
Template – DNS Report Template – Top 20 Category and Websites (Session)
Template – Data Loss Prevention Detailed Report Template – Top 500 Sessions by Bandwidth
Template – Detailed Application Usage and Risk Template – Top Allowed and Blocked with Timestamps
Template – Email Report Template – User Detailed Browsing Log
Template – FortiGate Performance Statistics Report Template – User Security Analysis
Template – GTP Report Template – User Top 500 Websites by Bandwidth
Template – High Bandwidth Application Usage Report Template – User Top 500 Websites by Session
Template – Hourly Website Hits Template – VPN Report
Template – IPS Report Template – Web Usage Report
Template – PCI-DSS Compliance Review Template – What is New Report
Template – SaaS Application Usage Report Template – WiFi Network Summary
Template – Security Analysis Template – Wireless PCI Compliance

FortiCache report templates

Template – FortiCache Default Report
Template – FortiCache Security Analysis
Template – FortiCache Web Usage Report

FortiClient report templates

Template – FortiClient Default Report
Template – FortiClient Vulnerability Scan Report

FortiDDoS report templates

Template – FortiDDoS Default Report

FortiMail report templates

Template – FortiMail Analysis Report
Template – FortiMail Default Report

FortiProxy report templates

Template – FortiProxy Default Report
Template – FortiProxy Security Analysis
Template – FortiProxy Web Usage Report

FortiSandbox report templates

Template – Endpoint Sandbox Detections Report
Template – FortiSandbox Default Report

FortiWeb report templates

Template – FortiWeb Default Report
Template – FortiWeb Web Application Analysis Report

Fabric report templates

Template – Fortinet Email Risk Assessment

Creating reports – FortiAnalyzer – FortiOS 6.2.3

Creating reports

You can create reports from report templates, by cloning and editing predefined/existing reports, or start from scratch.

Creating reports from report templates

You can create a new report from a template. The template populates the Layout tab of the report. The template specifies what text, charts, and macros to use in the report and the layout of the content. Report templates do not contain any data. Data is added to the report when you generate the report.

To create a new report from a template:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > All Reports.
  3. In the toolbar, click Create New. The Create Report dialog box opens.
  4. In the Name box, type a name for the new report. The following characters are NOT supported in report names: \ / ” ‘ < > & , | # ? % $ +
  5. Select From Template for the Create from setting, then select a template from the dropdown list. The template populates the Layout tab of the report.
  6. Select the folder that the new report will be saved to from the dropdown list. See Organizing reports into folders on page 125 for information about folders.
  7. Select OK to create the new report.
  8. On the Settings tab, configure the settings as required. For a description of the fields, see Reports Settings tab on page 117.
  9. Optionally, go to the Layout tab to customize the report layout and content. For a description of the fields, see Reports Layout tab on page 120.
  10. Click Apply to save your changes.

Creating reports by cloning and editing

You can create reports by cloning and editing predefined and/or existing reports.

To create a report by cloning and editing:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > All Reports.
  3. In the content pane, select the report from the list, then click Clone in the toolbar.
  4. In the Clone Report dialog box, type a name for the cloned report. The following characters are NOT supported in report names: \ / ” ‘ < > & , | # ? % $ +
  5. Select the folder that the new report will be saved to from the dropdown list. See Organizing reports into folders on page 125 for information about folders.
  6. Select OK to create the new report.
  7. On the Settings tab, configure the settings as required. For a description of the fields, see Reports Settings tab on page 117.
  8. Optionally, go to the Layout tab to customize the report layout and content. For a description of the fields, see Reports Layout tab on page 120.
  9. Click Apply to save your changes.

Creating reports without using a template

To create a report without using a template:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > All Reports.
  3. In the toolbar, click Create New. The Create New Report dialog box opens.
  4. In the Name box, type a name for the new report. The following characters are NOT supported in report names: \ / ” ‘ < > & , | # ? % $ +
  5. Select the Blank option for the Create from
  6. Select the folder that the new report will be saved to from the dropdown list. See Organizing reports into folders on page 125 for information about folders.
  7. Select OK to create the new report.
  8. On the Settings tab, you can specify a time period for the report, what device logs to include in the report, and so on. You can also add filters to the report, add a cover page to the report, and so on. For a description of the fields, see Reports Settings tab on page 117.
  9. On the Layout tab, you can specify the charts and macros to include in the report, as well as report content and layout.

For a description of the fields, see Reports Layout tab on page 120.

For information about creating charts and macros, see Creating charts on page 130 and Creating macros on page 134.

  1. Click Apply to save your changes.

Reports Settings tab

The following options are available in the Settings tab:

Field   Description
Time Period   The time period the report covers. Select a time period or select Custom to manually specify the start and end date and time.
Devices   The devices to include in the report. Select either All Devices or Specify to add specific devices. Select the add icon to select devices.
Type   Select either Single Report (Group Report) or Multiple Reports (Per-Device).

This option is only available if multiple devices are selected.

Enable Schedule   Select to enable report template schedules.
Field Description
Enable Auto-Cache Select to assemble datasets before generating the report and as the data is available. This process uses system resources and is recommended only for reports that require days to assemble datasets. Disable this option for unused reports and for reports that require little time to assemble datasets.
Generate PDF Report Every Select when the report is generated.

Enter a number for the frequency of the report based on the time period selected from the dropdown list.

Start time Enter a starting date and time for the file generation.
End time Enter an ending date and time for the file generation, or set it to never ending.
Enable Notification Select to enable report notification.
Output Profile Select the output profile from the dropdown list, or click Create New to create a new output profile. See Output profiles on page 138.

Filters section of Reports Settings tab

See Filtering report output on page 124.

Advanced Settings section of Reports Settings tab

The following options are available in the Advanced Settings section of the Settings tab.

Field Description
Language Select the report language.
Bundle rest into “Others” Select to bundle the uncategorized results into an Others category.
Print Orientation Set the print orientation to portrait or landscape.
Chart Heading Level Set the heading level for the chart heading.
Default Font Set the default font.
Hide # Column Select to hide the column numbers.
Layout Header Enter header text and select the header image. Accept the default Fortinet image or click Browse to select a different image.
Layout Footer Select either the default footer or click Custom to enter custom footer text in the text field.
Print Cover Page Select to print the report cover page. Click Customize to customize the cover page. See Customizing report cover pages on page 119.
Print Table of Contents Select to include a table of contents.
Field Description
Print Device List Select to print the device list. Select Compact, Count, or Detailed from the dropdown list.
Print Report Filters Select to print the filters applied to the report.
Obfuscate User Select to hide user information in the report.
Resolve Hostname Select to resolve hostnames in the report.
Allow Save Maximum Select a value between 1-10000 for the maximum number of reports to save.
Color Code The color used to identify the report on the calendar. Select a color code from the dropdown list to apply to the report schedule. Color options include: Bold Blue, Blue, Turquoise, Green, Bold Green, Yellow, Orange, Red, Bold Red, Purple, and Gray.

Customizing report cover pages

A report cover page is only included in the report when enabled on the Settings tab in the Advanced Settings section.

When enabled, the cover page can be customized to contain the desired information and imagery.

To customize a report cover page:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > All Reports.
  3. In the content pane, select the report from the list, and click Edit in the toolbar.
  4. Select the Settings tab and then click Advanced Settings.
  5. Select the Print CoverPage checkbox, then click Customize next to the checkbox. The Edit CoverPage pane opens.
  6. Configure the following settings:
Background Image Click Browse to open the Choose an Image dialog box.

Select an image or click Upload File to find an image on the management computer, then click OK to add the image as the background image of the cover page.

Top Image Click Browse to open the Choose an Image dialog box.

Select an image or click Upload File to find an image on the management computer, then click OK to add the image at the top of the cover page.

Top Image Position Select the top image position from the dropdown menu. Select one of the following: Left, Center, Right.
Text Color Select a text color from the dropdown list.
Show Creation Time Select to print the report date on the cover page.
Show Data Range Select to print the data range on the cover page.
Report Title Accept the default title or type another title in the Report Title field.
Custom Text 1 If you want, enter custom text for the Custom Text 1 field.
Custom Text 2 If you want, enter custom text for the Custom Text 2 field.
Bottom Image Click Browse to open the Choose an Image dialog box.

Select an image or click Upload File to find an image on the management computer, then click OK to add the image to the bottom of the cover page.

Footer Left Text If you want, enter custom text to be printed in the left footer of the cover page.
Footer Right Text If you want, enter custom text to be printed in the right footer of the cover page.
Footer Background Color Select the cover page footer background color from the dropdown list.
Reset to Default Select to reset the cover page settings to their default settings.
  1. Click OK to save the configurations and return to the Settings

Reports Layout tab

Because the cut, copy, and paste functions need access to the clipboard of your operating system, some Internet browsers either block it when called from the layout editor toolbar, or ask you to explicitly agree to it. If you’re blocked from accessing the clipboard by clicking the respective cut, copy and paste buttons from the toolbar or context menu, you can always use keyboard shortcuts.

The following options are available in the Layout tab (layout editor):

Field Description
Insert Chart or Edit Chart Click to insert a FortiAnalyzer chart. Charts are associated with datasets that extract data from logs for the report.

In the Insert Chart or Chart Properties dialog box, you can specify a custom title, width, and filters for the chart. For information on setting filters, see Filtering report output on page 124.

You can edit a chart by right clicking the chart in the layout editor and selecting

Chart Properties or by clicking the chart to select it and then clicking Edit Chart.

Insert Macro Click to insert a FortiAnalyzer macro. Macros are associated with datasets that extract data from logs for the report.
Image Click the Image button in the toolbar to insert an image into the report layout. Right-click an existing image to edit image properties.
Table Click the Table button in the toolbar to insert a table into the report layout. Rightclick an existing table to edit a cell, row, column, table properties, or delete the table.
Insert Horizontal Line Click to insert a horizontal line.
Insert Page Break for Printing Click to insert a page break for printing.
Link Click the Link button in the toolbar to open the Link dialog box. You can select to insert a URL, a link to an anchor in the text, or an email address. Alternatively, use the CTRL+L keyboard shortcut to open the Link dialog box.
Anchor Click the Anchor button in the toolbar to insert an anchor in the report layout.
Cut To cut a text fragment, start with selecting it. When the text is selected, you can cut it using one of the following methods: l Click the cut button in the toolbar l Right-click and select cut in the menu l Use the CTRL+X shortcut on your keyboard.
Copy To cut a text fragment, start with selecting it. When the text is selected, you can cut it using one of the following methods: l Click the cut button in the toolbar l Right-click and select cut in the menu l Use the CTRL+C shortcut on your keyboard.
Paste To paste text, start with cutting or copying from another source. Depending on the security settings of your browser, you may either paste directly from the clipboard or use the Paste dialog box.
Paste as plain text Click Paste as plain text to paste formatted text without the formatting. If the browser blocks the editor toolbar’s access to clipboard, a Paste as Plain Text dialog box appears and you can paste the fragment into the text box using the CTRL+V keyboard shortcut.

 

Field Description
Paste from Word You can preserve basic formatting when you paste a text fragment from Microsoft Word. To achieve this, copy the text in a Word document and paste it using one of the following methods:

l Click the Paste from Word button in the toolbar l Use the CTRL+V shortcut on your keyboard.

Undo Click to undo the last action. Alternatively, use the CTRL+Z keyboard shortcut to perform the undo operation.
Redo Click to redo the last action. Alternatively, use the CTRL+Y keyboard shortcut to perform the redo operation.
Find Click to find text in the report layout editor. This dialog box includes the following elements: l Find what: Is the text field where you enter the word or phrase you want to find.

Match case: Checking this option limits the search operation to words whose case matches the spelling (uppercase and lowercase letters) given in the search field. This means the search becomes case-sensitive.

Match whole word: Checking this option limits the search operation to whole words.

Match cyclic: Checking this option means that after the editor reaches the end of the document, the search continues from the beginning of the text.

This option is checked by default.

Replace Click to replace text in the report layout editor. This dialog box includes consists of the following elements:

Find what: Is the text field where you enter the word or phrase you want to find.

Replace with: Is the text field where you enter the word or phrase that will replace the search term in the document.

Match case: Checking this option limits the search operation to words whose case matches the spelling (uppercase and lowercase letters) given in the search field. This means the search becomes case-sensitive.

Match whole word: Checking this option limits the search operation to whole words.

Match cyclic: Checking this option means that after the editor reaches the end of the document, the search continues from the beginning of the text.

This option is checked by default.

Save as Template Click to save the layout as a template.
Paragraph Format Select the paragraph format from the dropdown list. Select one of the following: Normal, Heading 1, Heading 2, Heading 3, Heading 4, Heading 5, Heading 6, Formatted, Address, or Normal (DIV).
Font Name Select the font from the dropdown list.
Font Size Select the font size from the dropdown list. Select a size ranging from 8 to 72.

 

Field Description
Bold Select the text fragment and then click the Bold button in the toolbar.

Alternatively, use the CTRL+B keyboard shortcut to apply bold formatting to a text fragment.

Italic Select the text fragment and then click the Italic button in the toolbar.

Alternatively, use the CTRL+I keyboard shortcut to apply italics formatting to a text fragment.

Underline Select the text fragment and then click the Underline button in the toolbar. Alternatively, use the CTRL+U keyboard shortcut to apply underline formatting to a text fragment.
Strike Through Select the text fragment and then click the Strike Through button in the toolbar.
Subscript Select the text fragment and then click the Subscript button in the toolbar.
Superscript Select the text fragment and then click the Superscript button in the toolbar.
Text Color You can change the color of text in the report by using a color palette. To choose a color, select a text fragment, click the Text Color button in the toolbar, and select a color.
Background Color You can also change the color of the text background.
Insert/Remove Numbered List Click to insert or remove a numbered list.
Insert/Remove Bulleted List Click to insert or remove a bulleted list.
Decrease Indent To decrease the indentation of the element, click the Decrease Indent toolbar button. The indentation of a block-level element containing the cursor will decrease by one tabulator length.
Increase Indent To increase the indentation of the element, click the Increase Indent toolbar button. The block-level element containing the cursor will be indented with one tabulator length.
Block Quote Block quote is used for longer quotations that are distinguished from the main text by left and right indentation. It is recommended to use this type of formatting when the quoted text consists of several lines or at least 100 words.
Align Left When you align your text left, the paragraph is aligned with the left margin and the text is ragged on the right side. This is usually the default text alignment setting for the languages with left to right direction.
Center When you center your text, the paragraph is aligned symmetrically along the vertical axis and the text is ragged on the both sides. This setting is often used in titles or table cells.
Align Right When you align your text right, the paragraph is aligned with the right margin and the text is ragged on the left side. This is usually the default text alignment setting for the languages with right to left direction.
Justify When you justify your text, the paragraph is aligned to both the left and right margins and the text is not ragged on either side..
Field Description
Remove Format Click to remove formatting.

Filtering report output

You can apply log message filters to reports and charts.

To filter output in a report:

Click the Settings tab and scroll to the Filters section.

To filter output in a chart:

  1. Click the Layout
  2. Filter a new or existing chart:
    • Click Insert Chart and scroll to the Filters
    • Right-click a chart in the layout and select Chart Properties. Scroll to the Filters

In the Filters section, the following options are available.

Field Description
Log messages that match Available in the Settings tab only.

Select All to filter log messages based on all of the added conditions, or select Any of the Following Conditions to filter log messages based on any one of the conditions.

Add Filter Click to add filters. For each filter, select the field, and operator from the dropdown lists, then enter or select the values as applicable. Filters vary based on device type.

When adding a filter, keep the following considerations in mind:

l The Settings and Layout tabs use the same Log Field list to filter output; however, some log fields are not used in charts. The Log Field you use to filter a report may not apply to the log fields in a chart. l The Value field is case sensitive.

LDAP Query Available in the Settings tab only.

Click to add an LDAP query, then select the LDAP Server and the Case Change value from the dropdown lists.

Use this option to query an LDAP server for group membership. The results of this query is used to filter the report to only match logs for users belonging to that group.

You must specify the group name in the filter definition.

Field Description
  If you enable LDAP Query, the group name is not used to match the group field in logs. The group name is only used for the LDAP query to determine group membership.

The query will not retrieve the userPrincicpalName if the Distinguished Name in the System Settings does not contain an organization unit (ou). To retrieve the UPN, add the Distinguished Name as it appears in the System Settings to your query.

Reports – FortiAnalyzer – FortiOS 6.2.3

Reports

You can generate data reports from logs by using the Reports feature. You can do the following:

l Use predefined reports. Predefined report templates, charts, and macros are available to help you create new reports. l Create custom reports.

Report files are stored in the reserved space for the FortiAnalyzer device. See Automatic deletion on page 56.

For more information on FortiAnalyzer report technology and troubleshooting report performance issues, see the FortiAnalyzerReport Performance Troubleshooting Guide.

How ADOMs affect reports

When ADOMs are enabled, each ADOM has its own reports, libraries, and advanced settings. Make sure you are in the correct ADOM before selecting a report. See Switching between ADOMs on page 15.

Some reports are available only when ADOMs are enabled. For example, ADOMs must be enabled to access FortiCarrier, FortiCache, FortiClient, FortiDDoS, FortiMail, FortiSandbox, and FortiWeb reports. In a Security Fabric ADOM, all reports are displayed.

You can configure and generate reports for these devices within their respective default ADOM or a Security Fabric ADOM. These devices also have device-specific charts and datasets.

Predefined reports, templates, charts, and macros

FortiAnalyzer includes a number of predefined elements you can use to create and/or build reports.

Predefined… GUI Location Purpose
Reports Reports > Report Definitions > All Reports You can generate reports directly or with minimum setting configurations. Predefined reports are actually report templates with basic default setting configurations.
Templates Reports > Report Definitions > Templates You can use directly or build upon. Report templates include charts and/or macros and specify the layout of the report. A template populates the Layout tab of a report that is to be created. See List of report templates on page 128.
Predefined… GUI Location Purpose
Charts Reports > Report Definitions > Chart

Library

You can use directly or build upon a report template you are creating, or in the Layout tab of a report that you are creating. Charts specify what data to extract from logs.
Macros Reports > Report Definitions > Macro

Library

You can use directly or build upon a report template that you are creating, or in the Layout tab of a report that you are creating. Macros specify what data to extract from logs.

Logs used for reports

Reports uses Analytics logs to generate reports. Archive logs are not used to generate reports. For more information, see Data policy and automatic deletion on page 22.

For reports about users, the FortiGate needs to populate the user field in the logs sent to FortiAnalyzer.

How charts and macros extract data from logs

Reports include charts and/or macros. Each chart and macro is associated with a dataset. When you generate a report, the dataset associated with each chart and macro extracts data from the logs and populates the charts and macros. Each chart requires a specific log type.

FortiAnalyzer includes a number of predefined charts and macros. You can also create custom charts and macros.

How auto-cache works

When you generate a report, it can take days to assemble the required dataset and produce the report, depending on the required datasets. Instead of assembling datasets at the time of report generation, you can enable the auto-cache feature for the report.

Auto-cache is a setting that tells the system to automatically generate hcache. The hcache (hard cache) means that the cache stays on disk in the form of database tables instead of memory. Hcache is applied to “matured” database tables. When a database table rolls, it becomes “mature”, meaning the table will not grow anymore. Therefore, it is unnecessary to query this database table each time for the same SQL query, so hcache is used. Hcache runs queries on matured database tables in advance and caches the interim results of each query. When it is time to generate the report, much of the datasets are already assembled, and the system only needs to merge the results from hcaches. This reduces report generation time significantly.

The auto-cache process uses system resources to assemble and cache the datasets and it takes extra space to save the query results. You should only enable auto-cache for reports that require a long time to assemble datasets.

Generating reports

You can generate reports by using one of the predefined reports or by using a custom report that you created. You can find all the predefined reports and custom reports listed in Reports > Report Definitions > All Reports.

To generate a report:

  1. Go to Reports > Report Definitions > All Reports.
  2. In the content pane, select a report from the list.
  3. (Optional) Click Edit in the toolbar and edit settings on the Settings and Layout For a description of the fields in the Settings and Layout tabs, see Reports Settings tab on page 117 and Creating charts on page 130 and Macro library on page 134.
  4. In the toolbar, click Run Report.

Viewing completed reports

After you generate reports, you can view completed reports in Reports > Generated Reports or Reports > Report Definitions > All Reports. You can view reports in the following formats: HTML, PDF, XML, and CSV.

To view completed reports in Generated Reports:

  1. Go to Reports > Generated Reports.

This view shows all generated reports for the specified time period.

  1. To sort the report list by date, click Orderby Time.To sort the report list by report name, click Orderby Name.
  2. Locate the report and click the format in which you want to view the report to open the report in that format. For example, if you want to review the report in HTML format, click the HTML

To view completed reports in All Reports:

  1. Go to Reports > Report Definitions > All Reports.
  2. On the report list, double-click a report to open it.
  3. In the View Report tab, locate the report and click the format in which you want to view the report to open the report in that format.

For example, if you want to review the report in HTML format, click the HTML link.

Enabling auto-cache

You can enable auto-cache to reduce report generation time for reports that require a long time to assemble datasets. For information about auto-cache and hcache, see How auto-cache works on page 112.

You can see the status of building the cache in Reports > Report Definitions > All Reports in the Cache Status column.

To enable auto-cache:

  1. Go to Reports > Report Definitions > All Reports.
  2. Select the report from the list, and click Edit in the toolbar.
  3. In the Settings tab, select the Enable Auto-cache
  4. Click Apply.

Grouping reports

If you are running a large number of reports which are very similar, you can significantly improve report generation time by grouping the reports. Grouping reports has these advantages:

l Reduce the number of hcache tables. l Improve auto-hcache completion time. l Improve report completion time.

Step 1: Configure report grouping

For example, to group reports with titles containing string Security_Report by device ID and VDOM, enter the following CLI commands:

config system report group edit 0 set adom root config group-by edit devid next edit vd next

end

set report-like Security_Report

next

end

Notes:

  • The report-like field specifies the string in report titles that is used for report grouping. This string is casesensitive. l The group-by value controls how cache tables are grouped.
  • To view report grouping information, enter the following CLI command, then check the Report Group column of the table that is displayed.

execute sql-report list-schedule <ADOM>

Step 2: Initiate a rebuild of hcache tables

To initiate a rebuild of hcache tables, enter the following CLI command: diagnose sql hcache rebuild-report <start-time> <end-time>

Where <start-time> and <end-time> are in the format: <yyyy-mm-dd hh:mm:ss>.

Retrieving report diagnostic logs

Once you start to run a report, FortiAnalyzer creates a log about the report generation status and system performance. Use this diagnostic log to troubleshoot report performance issues. For example, if your report is very slow to generate, you can use this log to check system performance and see which charts take the longest time to generate.

For information on how to interpret the report diagnostic log and troubleshoot report performance issues, see the FortiAnalyzerReport Performance Troubleshooting Guide.

To retrieve report generation logs:

  1. In Reports > Generated Report, right-click the report and select Retrieve Diagnostic to download the log to your computer.
  2. Use a text editor to open the log.

Auto-Generated Reports

The CyberThreat Assessment report is automatically generated. By default, the report will run at 3:00AM every Monday. For more information on report scheduling, see Scheduling reports on page 115.

Schedules can be viewed in the Report Calendar. See Report calendar on page 141.

Scheduling reports

You can configure a report to generate on a regular schedule. Schedules can be viewed in the Report Calendar. See Report calendar on page 141.

To schedule a report:

  1. Go to Reports > Report Definitions > All Reports.
  2. Select a report and click Edit in the toolbar.
  3. Click Settings in the toolbar.
  4. Select the Enable Schedule checkbox and configure the schedule.
  5. Click Apply.