Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Enabling and disabling SOC – FortiAnalyzer – FortiOS 6.2.3

Enabling and disabling SOC

The FortiAnalyzer SOC module can be disabled for performance tuning through the CLI. When disabled, the GUI will hide the SOC modules as well as the FortiView and Monitors panes, and stop background processing for this feature.

To disable SOC in the CLI:

config system global set disable-module fortiview-noc

end

To enable SOC in the CLI:

config system global unset disable-module end

Disabling the SOC module will cause the FortiAnalyzer to return the following error message when the FortiGate attempts to retrieve FortiAnalyzer data: Server Error: FortiView\/NOC function is disabled on FortiAnalyzer.

The FortiGate GUI displays the message: Failed to retrieve FortiView data.

 

Using FortiView – FortiAnalyzer – FortiOS 6.2.3

Using FortiView

Viewing FortiView dashboards

When viewing FortiView dashboards, use the controls in the toolbar to select a device, specify a time period, refresh the view, and switch to full-screen mode.

Many widgets on FortiView dashboards let you drill down to view more details. To drill down to view more details, click, double-click, or right-click an element to view details about different dimensions in different tabs. You can continue to drill down by double-clicking an entry. Click the close icon in the widget’s toolbar to return to the previous view. Many FortiView widgets support multiple chart types such as table view, bubble view, map view, tile view, etc.

  • In widgets that support multiple views, select the settings icon in the top-right corner of the widget to choose another view.
  • If sorting is available, there is a Sort By dropdown list in the top-left. l Some widgets have a Show dropdown list in the bottom-right for you to select how many items to display. l To sort by a column in table view, click the column title.
  • To view more information in graphical views such as bubble, map, or user view, hover the mouse over a graphical element.

Some dashboards include multiple widgets. For example, Applications & Websites > Top Cloud Applications includes widgets for Top Cloud Application and Top Cloud User.

Viewing the threat map

You can view an animated world map that displays threats from unified threat management logs. Threats are displayed in real-time. No replay or additional details are available.

You must specify the longitude and latitude of the device to enable threats for the device to display in the threat map. You can edit the device settings to identify the geographical location of the device in Device Manager. For more information, see Editing device information on page 29

To view the threat map:

  1. Go to FortiView > Threats > Threat Map.
  2. In the map, view the geographic location of the threats.

Threats are displayed when the threat level is greater than zero. l A yellow line indicates a high threat. l A red line indicates a critical threat.

  1. In the Threat Window, view the Time, Threat, Source, Destination, and Severity(score).

Filtering FortiView

Filter FortiView widgets using the Add Filter box in the toolbar or by right-clicking an entry and selecting a contextsensitive filter. You can also filter by specific devices or log groups and by time.

To filter FortiView widgets using filters in the toolbar:

  1. Specify filters in the Add Filter
    • Filter Mode: In the selected summary view, click Add Filter and select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters and connect them with “and” or “or”.
    • Text Search: Click the Switch to Text Search icon at the right end of the Add Filter In Text Search mode, enter the search criteria (log field names and values). Click the Switch to FilterMode icon to go back to Filter Mode.
  2. In the Device list, select a device.
  3. In the Time list, select a time period.

To filter FortiView widgets using the right-click menu:

In the selected view, right-click an entry and select a filter criterion (Search <filtervalue>).

Depending on the column in which your mouse is placed when you right-click, FortiView uses the column value as the filter criteria. This context-sensitive filter is only available for certain columns.

Viewing related logs

You can view the related logs for a FortiView summary in Log View. When you view related logs, the same filters that you applied to the FortiView summary are applied to the log messages.

To view related logs for a FortiView summary, right-click the entry and select View Related Logs.

Exporting filtered summaries

You can export filtered FortiView summaries or from any level of drilldown to PDF and report charts. Filtered summaries are always exported in table format.

To export a filtered summary:

  1. In the filtered summary view or its drilldown, select the tools icon in the top-right corner of the widget and choose Export to PDF or Export to Report Chart.
  2. In the dialog box, review and configure settings:
    • Specify a file name for the exported file. l In the Top field, specify the number of entries to export.
    • If you are in a drilldown view, the tab you are in is selected by default. You can select more tabs. If you are exporting to report charts, the export creates one chart for each tab.
  3. Click OK.

Charts are saved in the Chart Library. You can use them in the same way you use other charts.

Monitoring resource usage of devices

You can monitor how much FortiAnalyzer system resources (e.g., CPU, memory, and disk space) each device uses. When ADOMs are enabled, this information is displayed per ADOM. In a specific ADOM, you can view the resource usage information of all the devices under the ADOM.

Go to SOC > FortiView > System > Resource Usage to monitor resource usage for devices.

Long-lived session handling

Because traffic logs are only sent at the end of a session, long-lived sessions can be unintentionally excluded when narrowing searches in FortiView. To account for this, interim traffic logs can be enabled through FortiOS, allowing FortiView to show the trend of session history rather than one large volume once the session is closed.

For a long-lived session with a duration greater than two minutes, interim traffic logs are generated with the Log ID of 20.

  • For interim traffic logs, the sentdelta and rcvddelta fields are filled in with an increment of bytes which are sent/received after the start of the session or previous interim traffic log.
  • Interim traffic logs are not counted in Sessions, but the sentdelta and recvddelta in related traffic logs will be added when calculating the sent and received bytes.

When a long-lived session ends, a traffic log with a Log ID of 13 is sent which indicates the session is closed.

Viewing Compromised Hosts

Compromised Hosts or Indicators of Compromise Service (IOC) is a licensed feature.

To view Compromised Hosts, you must turn on the UTM web filter of FortiGate devices and subscribe your

FortiAnalyzer unit to FortiGuard to keep its local threat database synchronized with the FortiGuard threat database. See Subscribing FortiAnalyzer to FortiGuard on page 106.

The Indicators of Compromise Service (IOC) downloads the threat database from FortiGuard. The FortiGuard threat database contains the blacklist and suspicious list. IOC detects suspicious events and potentially compromised network traffic using sophisticated algorithms on the threat database.

FortiAnalyzer identifies possible compromised hosts by checking the threat database against an event’s IP, domain, and URL in the following logs of each end user:

l Web filter logs. l DNS logs. l Traffic logs.

When a threat match is found, sophisticated algorithms calculate a threat score for the end user. When the check is complete, FortiAnalyzer aggregates all the threat scores of an end user and gives its verdict of the end user’s overall IOC.

Compromised Hosts displays the results showing end users with suspicious web usage which can indicate that the endpoint is compromised. You can drill down to view threat details.

Understanding Compromised Hosts entries

When a log entry is received and inserted into the SQL database, the log entry is scanned and compared to the blacklist and suspicious list in the IOC threat database that is downloaded from FortiGuard.

If a match is found in the blacklist, then FortiAnalyzer displays the endpoint in Compromised Hosts with a Verdict of Infected.

If a match is found in the suspicious list, then FortiAnalyzer flags the endpoint for further analysis.

In the analysis, FortiAnalyzer compares the flagged log entries with the previous endpoint’s statistics for the same day and then updates the score.

If the score exceeds the threshold, that endpoint is listed or updated in Compromised Hosts.

When an endpoint is displayed in Compromised Hosts, all the suspicious logs which contributed to the score are listed.

When the database is rebuilt, all log entries are reinserted and rescanned.

Working with Compromised Hosts information

Go to SOC > FortiView > Threats > Compromised Hosts.

When viewing Compromised Hosts:

  • Use the widget settings icon to select Table or Users format, set the refresh interval, and modify other widget settings.
  • Use the tools icon to export the information, edit rescan configuration, and set additional display options.
  • Use the toolbar to select devices, specify a time period, refresh the view, select a theme (Day, Night, and Ocean), and switch to full-screen mode.

When you view an event, the # of Threats is the number of unique Threat Names associated with that compromised host (end user).

When you drill down to view details, the # of Events is the number of logs matching each blacklist entry for that compromised host (end user).

  • To acknowledge a Compromised Hosts line item, click Ack on that line. l To filter entries, click Add Filter and specify devices or a time period.
  • To drill down and view threat details, double-click a tile or a row.

Incorrectly rated IOCs can be reported within the Threat Intel Lookup screen, accessible by double-clicking on an End User, selecting the detected pattern from the Blacklist, and clicking Report Misrated IOC.

Subscribing FortiAnalyzer to FortiGuard

To keep your FortiAnalyzer threat database up to date:

  • Ensure your FortiAnalyzer can reach FortiGuard at fortinet.com.
  • Purchase a FortiGuard Indicators of Compromise Service license and apply that license to the product registration.

No change is needed on the FortiAnalyzer side.

To subscribe FortiAnalyzer to FortiGuard:

  1. Go to System Settings > Dashboard.
  2. In the License Information widget, find the FortiGuard > Indicators of Compromise Service field and click Purchase.
  3. After purchasing the license, check that the FortiGuard > Indicators of Compromise Service is Licensed and shows the expiry date.

Managing a Compromised Hosts rescan policy

The Compromised Hosts scan time range can be customized to scan previous entries so that when a new package is received from FortiGuard, FortiAnalyzer can immediately rescan using the new definitions.

Requirements for managing a Compromised Hosts rescan policy: l This feature requires a valid indicators of compromise (IOC) license. The rescan options will not be available in the GUI or CLI without a license.

l The administrator must have System Settings write privileges to enable or disable and configure Global IOC Rescan.

To configure rescan settings and check rescan results:

  1. Go to SOC > FortiView > Threats > Compromised Hosts.
  2. From the Tools menu on the right-side of the toolbar, select Edit Rescan Configuration. The Edit Compromised Hosts Rescan Policy Settings window opens.
  3. Under Compromised Hosts Rescan Global Settings:
    1. Enable Global Compromised Hosts Rescan.
    2. Set the running time to either a specific hour of the day, or select package update to rescan when the package is updated.
  4. Under Compromised Hosts Rescan Current ADOM Settings:
    1. Enable Current ADOM Compromised Hosts Rescan.
    2. Select the log types to be scanned (DNS, Web Filter, and Traffic logs).
    3. Set the number of previous days’ logs that are scanned.

By default, all log types are selected, and the scan will cover the past 14 days. The maximum recommended number of scan days is calculated based on historical scan speeds, or 30 days if no previous scans have been done.

  1. All tasks are shown in the Rescan tasks table, which includes:

l The start and end time of each task. l The status of the task (complete, running, etc.). l How complete a task is, as a percentage. l The total number of scanned logs and the threat count (the number of logs with threats) for each task. l The IOC package update time. l A count of the new threats that were added in this update.

Running tasks can be canceled by clicking the Cancel button in the Status column.

  1. Select a non-zero threat count number in the Rescan tasks table to drill down to a specific scans task details. These details include the Detect Pattern, Threat Type, Threat Name, # of Events, and the Endpoint.
  2. Click Back to return to the settings window.
  3. Click OK to return to the compromised hosts list.
  4. In the compromised hosts list, a rescan icon will be shown in the Last Detected column if any threats where found during a rescan. To view only those hosts that had threats found during a rescan, select Only Show Rescan from the Tools menu in the toolbar.

Examples of using FortiView

You can use FortiView to find information about your network. The following are some examples.

Finding application and user information

Company ABC has over 1000 employees using different applications across different divisional areas, including supply chain, accounting, facilities and construction, administration, and IT.

The administration team received a $6000 invoice from a software provider to license an application called Widget-Pro. According to the software provider, an employee at Company ABC is using Widget-Pro software.

The system administrator wants to find who is using applications that are not in the company’s list of approved applications. The administrator also wants to determine whether the user is unknown to FortiGuard signatures, identify the list of users, and perform an analysis of their systems.

To find application and user information:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to SOC > FortiView > Applications & Websites > Top Applications.
  3. Click Add Filter, select Application, type Widget-Pro.
  4. If you do not find the application in the filtered results, go to Log View > Traffic.
  5. Click the Add Filter box, select Source IP, type the source IP address, and click Go.

Analyzing and reporting on network traffic

A new administrator starts at #1 Technical College. The school has a free WiFi for students on the condition that they accept the terms and policies for school use.

The new administrator is asked to analyze and report on the top source and destinations students visit, the source and destinations that consume the most bandwidth, and the number of attempts to visit blocked sites.

To review the source and destination traffic and bandwidth:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to SOC > FortiView > Traffic > Top Sources.
  3. Go to SOC > FortiView > Traffic > Top Destinations.

If available, select the icon beside the IP address to see its WHOIS information.

FortiView – FortiAnalyzer – FortiOS 6.2.3

FortiView

FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data into a single view. It can log and monitor threats to networks, filter data on multiple levels, keep track of administrative activity, and more.

FortiView allows you to use multiple filters in the consoles, enabling you to narrow your view to a specific time, by user ID or local IP address, by application, and others. You can use it to investigate traffic activity such as user uploads/downloads or videos watched on YouTube on a network-wide user group or on an individual-user level.

In FortiView dashboards, you can view summaries of log data such as top threats to your network, top sources of network traffic, and top destinations of network traffic.

Depending on which dashboard you are viewing, information can be viewed in different formats: table, bubble, map, or tile. Alternative chart types are available in each widget’s Settings menu.

For each summary, you can drill down to see more details.

FortiGate, FortiCarrier, and FortiClient EMS devices support FortiView.

How ADOMs affect FortiView

When ADOMs are enabled, each ADOM has its own data analysis in FortiView.

Fabric ADOMs will show data analysis from all eligible devices in the Security Fabric.

Logs used for FortiView

FortiView displays data from Analytics logs. Data from Archive logs is not displayed in FortiView. For more information, see Analytics and Archive logs on page 22.

FortiView dashboards

Many dashboards display a historical chart in a table format to show changes over the selected time period.

If you sort by a different column, the chart shows the history of the sorted column. For example, if you sort by Sessions Blocked/Allowed, the chart shows the history of blocked and allowed sessions. If you sort by Bytes Sent/Received, the chart shows the history of bytes sent and received.

When you drill down to view a line item, the historical chart show changes for that line item.

FortiView dashboards for FortiGate and FortiCarrier devices

Category            View Description
Threats Top Threats Lists the top threats to your network.

The following incidents are considered threats:

l     Risk applications detected by application control. l Intrusion incidents detected by IPS.

l     Malicious web sites detected by web filtering. l Malware/botnets detected by antivirus.

Threat Map Displays a map of the world that shows the top traffic destinations starting at the country of origin. Threats are displayed when the threat score is greater than zero and either the source or destination IP is a public IP address.

The Threat Window below the map, shows the threat, source, destination, severity, and time. The color gradient of the lines indicate the traffic risk. A yellow line indicates a high risk and a red line indicates a critical risk.

This view does not support filtering and Day, Night, and Ocean themes.

See also Viewing the threat map on page 102.

Compromised Hosts Displays end users with suspicious web use compromises, including end users’ IP addresses, overall threat rating, and number of threats. To use this feature:

1.    UTM logs of the connected FortiGate devices must be enabled.

2.    The FortiAnalyzer must subscribe to FortiGuard to keep its threat database up-to-date.

FortiSandbox Detection Displays a summary of FortiSandbox related detections.

The following information is displayed: Filename, End User and/or IP,

Destination IP, Analysis (Clean, Suspicious or Malicious rating), Action (Passthrough, Blocked, etc.), and Service (HTTP, FTP, SMTP, etc.).

Select an entry to view additional information in the drilldown menu. Clicking a FortiSandbox action listed in the Process Flow displays details about that action, including the Overview, Indicators, Behavior Chronology Chart, Tree View, and more. Information included in the Details and Tree View tab is only available with FortiSandbox 3.1.0 and above.

 

  Category           View Description
Traffic Top Source Displays the highest network traffic by source IP address and interface, device, threat score (blocked and allowed), sessions (blocked and allowed), and bytes (sent and received).
Top Source Addresses Displays the top source addresses by source object, interface, device, threat score (blocked and allowed), sessions (blocked and allowed), and bytes (sent and received).
Top Destinations Displays the highest network traffic by destination IP addresses, the applications used to access the destination, sessions, and bytes. If available, click the icon beside the IP address to see its WHOIS information.
Top Destination Addresses Displays the top destination addresses by destination objects, applications, sessions, and bytes. If available, click the icon beside the IP address to see its WHOIS information.
Top Country/Region Displays the highest network traffic by country in terms of traffic sessions, including the destination, threat score, sessions, and bytes.
Policy Hits Lists the policy hits by policy, device name, VDOM, number of hits, bytes, and last used time and date.
DNS Logs Summarizes the DNS activity on the network. Double click an entry to drill down to the specific details about that domain.
Applications & Websites Top Applications Displays the top applications used on the network including the application name, category, risk level, and sessions blocked and allowed. Bytes sent and received can also be enabled through the widget settings. For a usage example, see Finding application and user information on page 109.
Top Cloud

Applications

Displays the top cloud applications used on the network.
Top Cloud Users Displays the top cloud users on the network.
Top Website Domains Displays the top allowed and blocked website domains on the network.
Top Website

Categories

Displays the top website categories.
Top Browsing Users Displays the top web-browsing users, including source, group, number of sites visited, browsing time, and number of bytes sent and received.
  VPN                  SSL & Dialup IPsec Displays the users who are accessing the network by using the following types of security over a virtual private network (VPN) tunnel: secure socket layers (SSL) and Internet protocol security (IPsec).
Category            View Description
System   You can view VPN traffic for a specific user from the top view and drilldown views. In the top view, double-click a user to view the VPN traffic for the specific user. In the drilldown view, click an entry from the table to display the traffic logs that match the VPN user and the destination.
Site-to-Site IPsec Displays the names of VPN tunnels with Internet protocol security (IPsec) that are accessing the network.
Admin Logins Displays the users who logged into the managed device.
System Events Displays events on the managed device.
Resource Usage Displays device CPU, memory, logging, and other performance information for the managed device.

Resource Usage includes two widgets: Resource Usage Average and Resource Usage Peak.

Failed Authentication Attempts Displays the IP addresses of the users who failed to log into the managed device.

SOC Monitoring – FortiAnalyzer – FortOS 6.2.3

SOC Monitoring

Use the Security Operations Center (SOC) to view Monitors and FortiView.

Monitors are designed for network and security operation centers where dashboards are displayed across multiple large monitors.

FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data into a single view. It can log and monitor threats to networks, filter data on multiple levels, keep track of administrative activity, and more.

Monitors

SOC (Security Operations Center) Monitors are designed for a network and security operations center where multiple dashboards are displayed in large monitors.

In the Monitors view, dashboards display both real-time monitoring and historical trends. Centralized monitoring and awareness help you to effectively monitor network events, threats, and security alerts. Use Monitors dashboards to view multiple panes of network activity, including monitoring network security, compromised hosts, endpoints, Security Fabric, WiFi security, and FAZ system performance.

A typical scenario is to set up dashboards and widgets to display information most relevant to your network and security operations. Use the main monitors in the middle to display important dashboards in a larger size. Then use the monitors on the sides to display other information in smaller widgets.

For example, use the top monitor in the middle to display the Top Threat Destinations widget in full screen, use the monitor(s) below that to display other Threat Monitor widgets, use the monitors on the left to display WiFi Monitor widgets at the top and FAZ Performance Monitor widgets at the bottom, and use the monitors on the right as a workspace to display widgets showing the busiest network activity. You can move, add, or remove widgets.

Monitors dashboards and widgets are very flexible and have the following features:

  • You can create predefined or custom dashboards. l For both predefined and custom dashboards, you can add, delete, move, or resize widgets. l You can add the same dashboard multiple times on the same or different monitors. l Each widget monitors one activity.
  • You can add the same widget multiple times and apply different settings to each one. For example, you can add widgets to monitor the same activity using a different chart type, refresh interval, or time period.
  • You can resize widgets or display a widget in full screen.

SOC monitor dashboards

SOC monitors include predefined dashboards.

Both predefined and custom dashboards can be modified with widgets, including: Threats widgets, Compromised Hosts widgets, Traffic widgets, Applications & Websites widgets, VPN widgets, WiFi widgets, Endpoints widgets, System widgets, Threat Research widgets, Security Fabric widgets, and FortiClient Software widgets.

For example, the default Threat Monitor dashboard includes four widgets: Threat Map, Top Threat Destinations, Top Threats, and Top Virus Incidents OverTime. These widgets can be removed, enlarged, reduced, or customized, and new widgets can be added to the dashboard.

For more information, see Customizing the Monitors dashboard on page 96.

SOC Monitors includes the following predefined dashboards:

Threats Monitors the top security threats to your network.
Traffic Monitors the traffic on your network.
Applications & Websites Monitors the application and website traffic on your network.
Compromised Hosts Monitors compromises and suspicious web use in your network.
FortiSandbox Detections Monitors FortiSandbox detections on your network.
Endpoints Monitors endpoint activity on your network.
Fabric State of Security Monitors your network’s Security Fabric rating, score, and topology.

This information for this dashboard is available after you create a Security Fabric group in FortiGate and add it in FortiAnalyzer. The Security Fabric can be selected in the settings options for each widget.

VPN Monitors VPN activity on your network.
WiFi Monitors WiFi access points and SSIDs.
Local System Performance Monitors the local system performance of the FortiAnalyzer unit.
FortiClient Software Inventory Monitors the FortiClient endpoints sending logs to FortiAnalyzer.
Archive Includes FortiAnalyzer NOC-SOC modules from versions prior to 6.2.0.

Threats widgets

Threats includes the following widgets:

Top Threat Destinations A world map, spinning 3D globe, or table showing the top 10, 20, 50, 100 threat destinations. On the map view, hover the cursor over data points to see the source device and IP address, destination IP address and country, threat level, and the number of incidents (blocked and allowed).
Top Threats The top threats to your network. Hover the cursor over data points to see the threat, category, threat level, threat score (blocked and allowed), and the number of incidents (blocked and allowed).

The following incidents are considered threats:

l Risk applications detected by application control l Intrusion incidents detected by IPS l Malicious web sites detected by web filtering l Malware/botnets detected by antivirus

Top Threats

(FortiClient)

The top threats to your network from risk applications, intrusion incidents, malicious websites, and malware/botnets.

Only visible in a Fabric ADOM.

Top Threats Over

Time by Threat

Scores

The historical threats to your network from risk applications, intrusion incidents, malicious web sites, and malware/botnets.
Top Threats by Weight & Count The top threats by weight and count to your network from risk applications, intrusion incidents, malicious websites, and malware/botnets.
FortiSandbox Detection FortiSandbox detection detail, including scan doc name, source user, destination IP, verdict level, action, and service.
FortiSandbox –

Scanning Statistics

The number of files detected by FortiSandbox by type: Malicious, Suspicious, Clean, and Others.
FortiSandbox – Top

Malicious &

Suspicious File

Users

Users or IP addresses that have the highest number of malicious and suspicious files detected by FortiSandbox.
Threat Map Threats happening right now across the world.

Compromised Hosts widgets

Compromised Hosts includes the following widget:

Compromised Hosts Suspicious web use compromises. By default, this widget includes two panes: Compromised Hosts and Compromised Hosts Incidents.

The Compromised Hosts pane automatically rotates through compromised hosts. You can pause autoplay or click > or < to manually move to another compromised host.

The Compromised Hosts Incidents pane displays a map of compromised hosts incidents.

Click Settings to change the number of top compromised hosts, Time Period, Refresh Interval, Autoplay Interval, and to show or hide Compromised Hosts Incidents.

Traffic widgets

Traffic includes the following widgets:

User Data Flow Bandwidth breakdown of top user destination country/region or application usage.
Top Sources Today Near real-time network traffic by blocked and allowed sessions.
Top Sources The highest network traffic by source IP address and interface, sessions (blocked and allowed), threat score (blocked and allowed), and bytes (sent and received).
Top Source

Address Objects

The highest network traffic by source address objects, sessions (blocked and allowed), threat score (blocked and allowed), and bytes (sent and received).
Top

Country/Region

The highest network traffic by country/region, sessions (blocked and allowed), and bytes (sent and received).
Top

Country/Region

Over Time by

Sessions

The historical network traffic by country/region, sessions (blocked and allowed), and bytes (sent and received).
Top Policy Hits Top policy hits from recent traffic.
Policy Hits Over

Time by Bandwidth

The historical policy hits from recent traffic.
Top Destinations Top destinations from recent traffic.
Top Destination Address Objects Top destination address objects from recent traffic.
Traffic Over Time by Sessions The historical destinations from recent traffic.
Top Cloud Users Top cloud users from recent traffic.
DNS Logs Top DNS logs from recent traffic.
Top Source (FortiDDoS) Top source IP addresses from recent traffic. Only available in a Fabric ADOM.
Top Destination (FortiDDoS) Top destination IP addresses from recent traffic. Only available in a Fabric ADOM.
Top Type

(FortiDDoS)

Top types from recent traffic.

Only available in a Fabric ADOM.

Applications & Websites widgets

Applications & Websites includes the following widgets:

Top Applications The top applications used on the network, including application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received).
Top Applications

Over Time by

Sessions

The historical sessions of applications used on the network, including application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received).
Top Applications

(FortiClient)

The top applications used on the network, including application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received).

Only available in a Fabric ADOM.

Top Cloud

Applications

Top cloud applications from recent traffic.
Cloud Applications

Over Time by

Sessions

The historical sessions of cloud applications used on the network.
Top Website Domains Top website domains from recent traffic.
Top Website

Categories

Top website categories from recent traffic.
Top Website

(FortiClient)

Top website domains from recent traffic. Only available in a Fabric ADOM.
Website Browsing

Over Time by

Sessions

The historical websites browsing sessions from recent traffic.
Top Browsing User Top browsing users from recent traffic.
Browsing User

Over Time by

Bandwidth

The historical browsing users from recent traffic.

VPN widgets

VPN includes the following widgets:

Top Dialup VPN The users accessing the network using SSL or IPsec over a VPN tunnel.
VPN Site-to-Site The names of VPN tunnels with Internet protocol security (IPsec) that are accessing the network.

WiFi widgets

WiFi includes the following widgets:

Authorized APs The names of authorized WiFi access points on the network.
Top SSID The top SSID (service set identifiers) of authorized WiFi access points on the network. Hover the cursor over data points to see the SSID and bytes (sent and received).
Top SSID Over

Time by Bandwidth

The historical SSID (service set identifiers) traffic of authorized WiFi access points on the network.
Top Rogue APs The top SSID (service set identifiers) of unauthorized WiFi access points on the network. Hover the cursor over data points to see the SSID and total live time.
WiFi Clients The top WiFi access points on the network by bandwidth/sessions.

Endpoints widgets

Endpoints includes the following widgets:

Top Endpoint

Vulnerabilities

Vulnerability information about FortiClient endpoints including vulnerability name and CVE ID.
Top Endpoint

Vulnerabilities

(FortiClient)

Vulnerability information about FortiClient endpoints including vulnerability name and CVE ID.

Only available in a Fabric ADOM.

Top Endpoint

Devices with

Vulnerabilities

Vulnerability information about FortiClient endpoints including source IP address and device.
Top Endpoint

Devices with

Vulnerabilities

(FortiClient)

Vulnerability information about FortiClient endpoints including source IP address and device. Only available in a Fabric ADOM.
User

Vulnerabilities

Summary

User vulnerabilities summary.
All Endpoints All endpoints.
All Endpoints

(FortiClient)

All endpoints.
Top Endpoint

Threats

Top threats from all endpoints.
Top Endpoints

Applications

Top applications from all endpoints. Only available in a Fabric ADOM.

System widgets

This dashboard monitors the system performance of the FortiAnalyzer unit running SOC and not the logging devices. It includes the following widgets:

CPU & Memory

Usage

The usage status of the CPU and memory.
Multi Core CPU Usage The usage status of a multi-core CPU.
Insert Rate vs Receive Rate The number of logs received vs the number of logs actively inserted into the database, including the maximum and minimum rates. l Receive rate: how many logs are being received. l Insert rate: how many logs are being actively inserted into the database.

If the insert rate is higher than the log receive rate, then the database is rebuilding. The lag is the number of logs waiting to be inserted.

Receive Rate vs Forwarding Rate The number of logs received vs the number of logs forwarded out, including the maximum and minimum rates. l Receive rate: how many logs are being received. l Forward rate: how many logs are being forwarded out.
Disk I/O The disk Transaction Rate (I/Os per second), Throughput (KB/s), or Utilization (%). The Transaction Rate and Throughput graphs also show the maximum and minimum disk activity.
Resource Usage Average Overview of average resource usage history across all devices.
Resource Usage Peak Overview of peak resource usage history across all devices.
Admin Logins Top admin logins from recent traffic.
System Events Top system events from recent traffic.
Failed

Authentication

Attempts

Top unauthorized connections from recent traffic.

Threat Research widgets

Threat Research includes the following widgets:

Worldwide Threat

Prevalence – Today

(UTC)

The top virus, IPS, botnet, and application threats globally today based on UTC. This data is from FortiGuard and not from FortiGate.
Top Virus

Incidents Over

Time

Local virus incidents in the last one month.

Security Fabric widgets

Security Fabric includes the following widgets.

This information for this dashboard is available after you create a Security Fabric group in FortiGate and add it in FortiAnalyzer. The Security Fabric can be selected in the settings options for each widget.

Security Fabric Rating Report A report showing the security rating details of connected Security Fabric devices. Click a milestone to drill down and hover the cursor over data points to see more details.
Security Fabric Score The current and historical Security Fabric scores. The Historical Security Fabric Scores pane displays your Security Fabric score over time and how it compares to the industry average and the industry score range. You can hide the Historical Security Fabric Scores pane.
Security Fabric Topology A topology map showing the logical structure of connected Security Fabric devices.
Best Practices Overview Overview of the device best practices across regions of North America, Latin America, EMEA, and APAC.

FortiClient Software widgets

FortiClient Software includes the following widget:

FortiClient

Software Inventory

The total number of apps installed, top apps, new apps installed, top apps by installs, and top hosts by number of apps.

Using the Monitors dashboard

SOC monitors dashboards contain widgets that provide network and security information. Use the controls in the dashboard toolbar to work with a dashboard.

Add Widget Add widgets to a predefined or custom dashboard. For details, see Customizing the Monitors dashboard on page 96.
Dashboard Create a new dashboard or reset a predefined dashboard to its default settings. For custom dashboards, you can rename or delete the custom dashboard. For details, see Customizing the Monitors dashboard on page 96.
Create New Create a new dashboard.
Reset Reset a predefined dashboard to its default widgets and settings.
Rename Rename a custom dashboard.
Delete Delete a custom dashboard.
Devices Select the devices to include in the widget data.

The device list will also include a Security Fabric if available.

To select a Security Fabric, you need to first create a Security Fabric group in FortiGate and add the Security Fabric group in FortiAnalyzer.

Time Period Select a time period from the dropdown menu, or set a custom time period.
Refresh Refresh the data in the widgets.
Background color Change the background color of the dashboard to make widgets easier to view in different room lighting. l Day shows a brighter gray background color. l Night shows a black background. l Ocean shows a blue background color.
Hide Side-menu or Show Side-menu Hide or show the tree menu on the left. In a typical SOC environment, the side menu is hidden and dashboards are displayed in full screen mode.

Use the controls in the widget title bar to work with widgets.

Settings icon Change the settings of the widget. Widgets have settings applicable to that widget, such as how many of the top items to display, Time Period, Refresh Interval, and Chart Type.
View different chart types Some widget settings let you choose different chart types such as the Disk I/O and Top Countries widget. You can add these widgets multiple times and set each widget to show a different chart type.
Hide or show a data type For widgets that show different data types, click a data type in the title bar to hide or show that data type in the graph.

For example, in the Insert Rate vs Receive Rate widget, click Receive Rate or Insert Rate in the title bar to hide or show that data. In the Disk I/O widget, click Read or Write in the title bar to hide or show that data type.

Remove widget icon Delete the widget from a predefined or custom dashboard.
Move widget Click and drag a widget’s title bar to move it to another location.
Resize widget Click and drag the resize button in the bottom-right of the widget.
View more details Hover the cursor over a widget’s data points to see more details.
View a narrower time period Some widgets have buttons below the graph. Click and drag the buttons to view a narrower time period.
Zoom in and out For widgets that show information on a map such as the Top Threat Destinations widget, use the scroll wheel to change the zoom level. Click and drag the map to view a different area.

Customizing the Monitors dashboard

You can add any widget to a predefined dashboard. You can also move, resize, or delete widgets. You cannot rename or delete a predefined dashboard. To reset a predefined dashboard to its default settings, click Dashboard > Reset.

You can add the same widget multiple times and configure each one differently, such as showing a different Time Period, Refresh Interval, or Chart Type.

To create a dashboard:

  1. In the toolbar, click Dashboard > Create New.
  2. Specify the Name and whether you want to create a blank dashboard or use a template.

If you select From Template, specify which predefined dashboard you want to use as a template.

  1. Click OK. The new dashboard appears In the tree menu.

To display Security Fabric in Monitors:

  1. Create a Security Fabric in FortiGate.
  2. Add the Security Fabric in FortiAnalyzer.
  3. Go to SOC > Monitors > Dashboards.
  4. Select the Fabric State of Security dashboard.
  5. Select the Security Fabric from the Devices

To add a widget:

  1. Select the predefined or custom dashboard where you want to add a widget.
  2. Click Add Widget to expand the menu; then locate the widget you want to add.
  3. Click the + button to add widgets.
  4. When you have finished adding widgets, click the close button to close the Add Widget

 

Incidents – FortiAnalyzer – FortiOS 6.2.3

Incidents

To view incidents, go to Incidents & Events > Incidents > All Incidents.

To configure incident settings, go to Incidents & Events > Incidents > Incident Settings.

Raising an incident

You can raise an incident only from alerts generated for one endpoint.

You can raise an incident in the following ways:

  • In Incidents & Events > Incidents > All Incidents, click Create New in the toolbar. This opens the Create New Incident
  • In Incidents & Events > All Events, right-click an event and select Raise Incident. This opens the Raise Incident pane with the applicable fields filled in, such as the Affected Endpoint.

Following is a description of the options available in the Create New Incident and Raise Incident pane.

Incident Reporter The admin account raising the incident. This field cannot be changed.
Incident Category Select a category from the dropdown list.
Severity Select a severity level from the dropdown list.
Status Select a status from the dropdown list.
Affected Endpoint In the Raise Incident pane, the affected endpoint is filled in and cannot be changed.

In the Create New Incident pane, select the affected endpoint from the dropdown list.

Description If you wish, enter a description.

Analyzing an incident

In Incidents & Events > Incidents > All Incidents, double-click an incident or right-click an incident and select Analysis Page.

The incident analysis page shows the incident’s Affected Endpoint and User, Incident Life Cycle, Incident Info, Timeline, and Events related to the incident.

In the Incident Info panel, you can change the Incident Category, Severity, Status, and Description.

In the Events panel, you can review and delete events attached to the incident.

Configuring incident settings

To configure incident settings, go to Incidents & Events > Incidents > Incident Settings.

When an incident is created, updated, or deleted, you can send a notification to external platforms using selected fabric connectors.

To configure incident notification settings:

  1. Go to Incidents & Events > Incidents > Incident Settings.
  2. Select a Fabric Connector from the dropdown list.
  3. Select which notifications you want to receive: l Send notification when new incident is created. Incidents with draft status will not triggernotification. l Send notification when new incident is updated. l Send notification when new incident is deleted.
  4. To add more fabric connectors, click Add Fabric Connector and repeat the above steps to configure notification settings.

 

Subnet lists – FortiAnalyzer – FortiOS 6.2.3

Subnet lists

In Incidents & Events, you can define subnet lists which can be added to subnet groups.

Subnet lists and groups can be used to create a whitelist or blacklist in event handlers.

Creating a subnet list

To create a new subnet:

  1. Go to Incidents & Events > Subnet Lists.
  2. Select Create New > Subnet.
  3. Enter a name for the subnet.
  4. Select a Subnet type and configure the corresponding information. Subnet types include: l Subnet Notation l IP Range l Batch Add
  5. Select OK.

Once a subnet has been created, it can be edited, cloned, or deleted by highlighting it and selecting the corresponding action in Subnet List toolbar.

Creating a subnet group

To create a subnet group:

  1. Go to Incidents & Events > Subnet List.
  2. Select Create New > Subnet Group.
  3. Enter a name for the subnet group.
  4. Select the subnet entries to be included in the group and select OK in the pop-up window.
  5. Select OK.

Once a subnet group has been created, it can be edited, cloned, or deleted by highlighting it and selecting the corresponding action in Subnet List toolbar.

Assigning subnet filters to event handlers

You can streamline SOC processes by defining a subnet whitelist/blacklist for event handlers. These addresses can be linked to any event handler to enable or prevent it from triggering an event. Creating a subnet whitelist/blacklist for event handlers eliminates the need to specify common networks in every event handler.

To include or exclude subnets in an event handler:

  1. Go to Incidents & Events > Event HandlerList.
  2. Select an event handler to edit from the list.
  3. In the Subnet category, select Specify.
  4. Choose which subnets to include or exclude by selecting them from the corresponding dropdown menu.
  5. Select OK.