Author Archives: Mike

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (a cybersecurity consulting firm).

FortiGate Cloud – Inventory

Inventory

Inventory displays a centralized inventory of all FortiGate and FortiWifi devices from all FortiGate Cloud instances in a domain group, regardless of datacenter. For example, if you are accessing Inventory from the European datacenter, you will see the inventory of a connected FortiGate Cloud instance from the global datacenter.

Inventory is divided into tabs: FortiGate Inventory, FortiCare Inventory, FortiGate Cloud Deployed, and FortiManager Deployed. You can filter each list by searching for the device serial number in the SN searchbar or selecting the desired bulk key from the Bulk Key dropdown list.

FortiGate Inventory

FortiGate Inventory displays the inventory of all FortiGate and FortiWifi devices imported by FortiCloud key or bulk key to FortiGate Cloud, including each device’s subscription status. The inventory provides a centralized view of all devices imported into the Europe and global services. From here, you can deploy devices to FortiGate Cloud or FortiManager, if configured. You can also delete an imported device from the inventory.

To deploy devices to FortiGate Cloud:

  1. On the homepage, go to Inventory.
  2. Select the desired devices.
  3. Click Deploy to FortiGate Cloud.
  4. In the Deploy to FortiGate Cloud dialog, if you have enabled multitenancy, configure the following options:

Option   Description
Sub Account   Select the desired subaccount to add the devices to.
Task Name   Enter the desired task name.
Template   From the dropdown list, select the desired template. This dialog only displays templates applicable to the selected devices. Selecting a template enables configuration management for the devices. For details on creating and configuring a template, see Templates.
Auto Upgrade Firmware to Match Template Version   Enable to automatically upgrade FortiOS on these devices to the template version if the template FortiOS version is newer. Review the FortiOS Upgrade Path to confirm that the upgrade is supported before enabling this option.

  5. Configure the timezone for the selected devices.
  6. Click Deploy. The devices are deployed to FortiGate Cloud, and you can now access them on the FortiGate Cloud Deployed tab.

To deploy devices to FortiManager:

  1. On the homepage, go to Inventory.
  2. From the Deploy to FortiManager dropdown list, select FortiManager Setup.
  3. In the FortiManager Setup dialog, enter the desired FortiManager IP address/FQDN and serial number. Click Submit.
  4. Select the desired devices.
  5. Click Deploy to FortiManager.
  6. Click Deploy. The devices are deployed to FortiManager, and you can now view their serial numbers on the FortiManager Deployed tab.

Once deployed to FortiManager, FortiGate Cloud has no control over the device. You cannot manage the device in FortiGate Cloud until you set central management on the device back to FortiGate Cloud.

To delete a device from inventory:

  1. On the homepage, go to Inventory.
  2. Select the desired devices.
  3. Click Delete.
  4. In the confirmation dialog, click YES.

FortiCare Inventory

FortiCare Inventory displays the devices that are registered to FortiCare under the account's primary administrator email address. Only the primary administrator can view and deploy these devices from the FortiCare Inventory to FortiGate Cloud. To deploy FortiCare devices to FortiGate Cloud, follow the instructions in To deploy devices to FortiGate Cloud, starting from the FortiCare Inventory tab.

FortiGate Cloud Deployed and FortiManager Deployed

The FortiGate Cloud Deployed and FortiManager Deployed tabs display all FortiGate and FortiWifi devices deployed to FortiGate Cloud and FortiManager, respectively. The tabs also display the devices' subscription statuses and the date and time they were deployed to FortiGate Cloud or FortiManager. Click a device serial number to access the Analysis, Management, and SandBox functions for that device.

The FortiGate Inventory tab provides a centralized view of all devices imported into the Europe and global services. However, after you deploy a FortiGate to FortiGate Cloud, you can only view the FortiGates deployed to the service that you are currently logged in to on the FortiGate Cloud Deployed tab. For example, if you are currently logged in to the Europe service, the FortiGate Cloud Deployed tab only displays FortiGates deployed to the FortiGate Cloud Europe service.

FortiGate Cloud – SandBox

SandBox

FortiSandbox Cloud is a service that uploads and analyzes files that FortiGate AV marks as suspicious.

In a proxy-based AV profile on a FortiGate, the administrator selects Inspect Suspicious Files with FortiGuard Analytics to enable a FortiGate to upload suspicious files to FortiGuard for analysis. Once uploaded, the file is executed and the resulting behavior analyzed for risk. If the file exhibits risky behavior or is found to contain a virus, a new virus signature is created and added to the FortiGuard AV signature database. The next time the FortiGate updates its AV database it will have the new signature. The turnaround time on Cloud SandBoxing and AV submission ranges from ten minutes (automated SandBox detection) to ten hours (if FortiGuard Labs is involved).

FortiGuard Labs considers a file suspicious if it exhibits some unusual behavior, yet does not contain a known virus (the behaviors that FortiGate Cloud Analytics considers suspicious change depending on the current threat climate and other factors).

The FortiGate Cloud console enables administrators to view the status of any suspicious files uploaded: Pending, Clean, Malware, or Unknown. The console also provides data on time, user, and location of the infected file for forensic analysis. SandBoxing is available in both free and paid FortiGate Cloud subscriptions.

You can view the FortiSandbox Cloud Service Description for details.

The SandBox tab collects information that the FortiSandbox Cloud service compiles. FortiSandbox Cloud submits files to FortiGuard for threat analysis. You can configure your use of the service and view analyzed files’ results.

You must enable Cloud SandBoxing on the FortiGate and submit a suspicious file for the SandBox tab to become visible.

The SandBox homepage provides the following information about devices. You can select a device’s serial number or name to access SandBox tools for that device:

  • Model/serial number
  • Fortinet product type
  • Firmware version
  • Status (whether the device is connected through a management tunnel)
  • Service the device is currently active in
  • Last compiled report and last log uploaded
  • Subscription expiry date

You can use the gear icon to access additional functions:

To undeploy the FortiGate:

  1. Click the Config icon for the desired device.
  2. Click Undeploy.
  3. In the confirmation dialog, click YES.
  4. You have the option to place a unit where the FortiGate was deployed. The unit contains historical data and a serial number that starts with U.

To rename the FortiGate:

  1. Click the Config icon for the desired device, then click Rename.
  2. In the Device Name field, enter the desired name. Click Submit.

To set up FortiSandbox:

  1. Go to Security Fabric > Settings and enable SandBox Inspection. Set SandBox type to FortiSandbox Cloud. The associated FortiGate Cloud account appears.
  2. In Security Profiles > AntiVirus, create a profile with Send Files To FortiSandbox Cloud For Inspection enabled.
  3. Create a firewall policy with logging enabled that uses the FortiSandbox-enabled AV profile.
  4. Once devices have uploaded some files to FortiSandbox Cloud, log in to the FortiGate Cloud portal to see the results.

To go to the device list:

You can return to the device list from the Analysis, Management, or Sandbox page for an individual device.

  1. In the upper left corner, click Show Device List.

Dashboard

You can see an overview of the FortiSandbox results on the Dashboard.

The Dashboard contains the following widgets:

Widget   Description
System Status   Quick view of the current state of the AV databases and load.
Top 5 Targeted Hosts (Last 24 Hours)   Displays which hosts received the most threats during the last 24 hours.
Scan Result (Today and Past 7 Days)   Shows the last eight days of results and their risk levels. You can toggle the display of clean files in the chart by selecting the checkmark in the lower right of the widget.
Top 20 File Types (Last 24 Hours)   Displays the most commonly analyzed file types in the last 24 hours of scanning.

Records and On-Demand

Records displays files that your connected device’s AV has flagged as suspicious, which have been uploaded to FortiGate Cloud for FortiGuard analysis. In On-Demand, you can manually upload files for FortiGuard analysis, and view the analysis results. These pages may not appear if you do not have the FortiSandbox Cloud service enabled on the connected device.

You can select an analysis level and click the file names for more information. On-Demand also has an Export option, which allows you to export a CSV or PDF of on-demand results, and Upload File, where you can manually upload a file for analysis.

The maximum file size is 10 MB. The processing time may vary based on the file size.

Setting

In Setting, you can configure FortiSandbox Cloud settings:

  • Enable Alert Setting: to enable alert emails, enter multiple emails (one per line) to receive alerts, and set which severity level triggers sending alert emails.
  • Log Retention: set number of days to retain log data.
  • Malware Package Options and URL Package Options: select the risk level of data that will be automatically submitted to FortiGuard to further antithreat research.

To configure FortiSandbox alert emails:

  1. Go to SandBox > Setting.
  2. Select Enable Alert Setting.
  3. Enter emails into the list to contact in the event of a FortiSandbox alert.
  4. Select the severity levels to trigger an alert.

 

FortiGate Cloud – Management

Management

On the Management tab, you can remotely manage FortiGate and FortiWiFi devices that are connected to the FortiGate Cloud service.

The Management homepage provides the following information about devices. You can select a device’s serial number or name to access management tools for that device:

  • Model/serial number
  • Fortinet product type
  • Firmware version
  • Status (whether the device is connected through a management tunnel)
  • Service the device is currently active in
  • Applied template

You can use the gear icon to access additional functions:

To undeploy the FortiGate:

  1. Click the Config icon for the desired device.
  2. Click Undeploy.
  3. In the confirmation dialog, click YES.
  4. You have the option to place a unit where the FortiGate was deployed. The unit contains historical data and a serial number that starts with U.

To authorize a new account to access the FortiGate’s historical data:

  1. Click the Config icon for the desired device.
  2. Click Authorize New Account.
  3. In the Account ID field, enter the desired account ID.
  4. Click Submit.

To rename the FortiGate:

  1. Click the Config icon for the desired device, then click Rename.
  2. In the Device Name field, enter the desired name. Click Submit.

To go to the device list:

You can return to the device list from the Analysis, Management, or Sandbox page for an individual device.

  1. In the upper left corner, click Show Device List.

You must first enable the management tunnel on your device before you can see any management functions. On the device, run the following CLI commands:

    config system central-management
        set mode backup
        set type fortiguard
    end

Config

In Config, you can access a pared-down version of the remote device’s management interface to configure major features as if you were accessing the device itself. For descriptions of the configuration options, see the FortiOS documentation.

The configuration you see in FortiGate Cloud does not autorefresh. FortiGate Cloud displays a notification if the current local FortiGate configuration differs from the latest configuration uploaded to FortiGate Cloud. You can overwrite the FortiGate Cloud configuration with the current local FortiGate configuration by clicking Import, or merge the two configurations by clicking Merge. If you are merging the configurations and there is a conflict between them (for example, an option is enabled locally on the FortiGate but disabled in FortiGate Cloud), FortiGate Cloud keeps the local FortiGate configuration for that option. You can then make any changes you want to reflect on the device, and select Deploy to push the configuration to the device.

In the case that your device configuration version does not match the firmware version, FortiGate Cloud may display a Device config version does not match device firmware version message. You can click the Import button to synchronize the configurations.

To deploy cloud configuration to devices:

  1. Go to Management > Config.
  2. Before you edit any settings, click the Import button to retrieve the most up-to-date configuration from the FortiGate Cloud-connected device.
  3. On this page, you have limited access to a pared-down version of the FortiGate interface, allowing you to edit interfaces, routes, policies, etc. Edit the FortiGate configuration as needed.
  4. When you are ready to push your updated configuration back to the device, select Deploy in the upper right.
  5. Wait for the configuration to download to the device. When it completes, a deployment log appears, showing you the changes as they appear in the CLI.

Backup

In Backup, you can back up, Edit, View, Compare (to other revisions), Download, Restore (to device), and Delete revisions. You can filter the revision list by firmware version or created time. You can also search for a specific backup.

To back up the device configuration to the cloud:

  1. Go to Management > Backup.
  2. Select Backup Config in the upper right, and enter the backup revision name. FortiGate Cloud adds the new configuration to the list. By selecting the icons on the right side, you can rename, view, compare, download, restore, and delete configuration files. The compare icon only appears once you have multiple revisions available.

To enable auto backup:

  1. Go to Management > Backup > Auto Backup Setting.
  2. Click Enable Auto Backup. Only setting changes on the FortiGate (made locally on the FortiGate or from FortiGate Cloud) trigger auto backup. You can select one of the following auto backup settings:

Option   Description
Per Session   By default, the session duration is 600 seconds. For example, if you modify FortiGate settings at 10:00 AM, FortiGate Cloud schedules an auto backup in 600 seconds. If no other setting changes occur within those 600 seconds, FortiGate Cloud performs an auto backup at 10:10 AM. However, if you further modify settings, for example at 10:05 AM, this resets the timer and FortiGate Cloud schedules the auto backup for 600 seconds after 10:05 AM. FortiGate Cloud keeps every backup revision for all sessions in one day. You can only configure an alert email for this option; the alert email does not contain a copy of the backup revision.
Per Day   This option operates the same as Per Session, except that FortiGate Cloud keeps only the latest backup revision per day.

  3. Click Apply.
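The Per Session and Per Day behaviour above is a debounce timer followed by a retention rule, and it has a consequence worth checking before you rely on auto backup as your only revision history: a device that is being changed continuously never goes quiet for 600 seconds, so no backup fires until the changes stop. The following Python is an added example, not FortiGate Cloud code. It models the scheduling rules exactly as the table states them, with one labelled assumption (a change that lands at the very moment the timer expires starts a new session rather than resetting the running one, which the text does not specify), so you can predict from a change history when backups fire and how many revisions each option retains.

```python
from datetime import datetime, timedelta

SESSION_SECONDS = 600  # default session duration from the auto backup table


def per_session_backups(change_times, session_seconds=SESSION_SECONDS):
    """Return the backup times Per Session mode would produce.

    Each configuration change schedules a backup session_seconds later; a
    further change inside that window resets the timer instead of adding a
    second backup. Every resulting revision is kept.
    """
    window = timedelta(seconds=session_seconds)
    backups = []
    deadline = None
    for t in sorted(change_times):
        if deadline is not None and t < deadline:
            # Change arrived inside the pending window: reset the timer.
            # Assumption: a change exactly at the deadline starts a new session.
            deadline = t + window
            continue
        if deadline is not None:
            backups.append(deadline)  # the pending backup fired undisturbed
        deadline = t + window
    if deadline is not None:
        backups.append(deadline)
    return backups


def per_day_backups(change_times, session_seconds=SESSION_SECONDS):
    """Same schedule as Per Session, but only the latest revision of each
    calendar day is retained."""
    latest = {}
    for b in per_session_backups(change_times, session_seconds):
        day = b.date()
        if day not in latest or b > latest[day]:
            latest[day] = b
    return [latest[day] for day in sorted(latest)]


def longest_reset_run(change_times, session_seconds=SESSION_SECONDS):
    """Caveat check: the longest run of consecutive changes that each arrived
    inside the previous change's window (1 means no change ever reset the
    timer). A long run is a period during which no backup could fire."""
    window = timedelta(seconds=session_seconds)
    times = sorted(change_times)
    longest = run = 1 if times else 0
    for prev, cur in zip(times, times[1:]):
        run = run + 1 if cur - prev < window else 1
        longest = max(longest, run)
    return longest


# Constructed change history (not from the page): the table's 10:00 / 10:05
# pair, a later isolated change, and one change the next morning.
SAMPLE_CHANGES = [
    datetime(2024, 1, 8, 10, 0),
    datetime(2024, 1, 8, 10, 5),
    datetime(2024, 1, 8, 10, 30),
    datetime(2024, 1, 9, 9, 0),
]

if __name__ == "__main__":
    for b in per_session_backups(SAMPLE_CHANGES):
        print("per session:", b)
    for b in per_day_backups(SAMPLE_CHANGES):
        print("per day:    ", b)
    print("longest reset run:", longest_reset_run(SAMPLE_CHANGES))
```

With the sample history, Per Session yields backups at 10:15 and 10:40 on the first day and 09:10 on the second, while Per Day keeps only 10:40 and 09:10. If you need a revision captured at a known point (before a risky change, for instance), take a manual backup from Management > Backup rather than waiting for the timer.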

Upgrade

In Upgrade, you can see the current firmware version installed on the device, and update to newer stable versions if they are available. The upgrade path that FortiGate Cloud displays may differ from the upgrade path that FortiGuard displays.

To upgrade remote device firmware:

  1. Go to Management > Upgrade.
  2. Verify your device’s current firmware version in the upper left before continuing.
  3. If you are concerned about the effects of upgrading or have not upgraded recently, use the Upgrade Path Tool to ensure you are following the recommended upgrade path.
  4. It is recommended to back up your device’s configuration before upgrading, in Management > Backup or in the device’s management interface.
  5. Select an available firmware from the list, and select Upgrade. You can schedule a time and date to perform the remote upgrade. For example, you can schedule it during downtime to minimize disruption. A caution icon may also display to indicate that the upgrade path may not be supported.
  6. Wait for the upgrade to take effect.

Script

In Script, you can create and run script files on connected remote devices to check device status or get bulk configuration information quickly.

To execute a script on a remote device:

  1. Go to Management > Script.
  2. In the upper right, select Add Script.
  3. Enter a name and a description, and the CLI script content that you want to run. Each script is a series of CLI commands, one command per line. Click Submit.
  4. Click the Deploy icon, and select a time to automatically deploy the script to the device.
  5. To cancel the scheduled run, click the Cancel icon next to the scheduled time.
  6. FortiGate Cloud records that script’s output. You can read it by clicking View Result.

 

FortiDeceptor – Introduction

Introduction

FortiDeceptor creates a network of decoy VMs to lure attackers and monitor their activities on the network. When attackers attack decoy VMs, their actions are analyzed to protect the network.

Key features of FortiDeceptor include:

  • Deception OS: Windows, Linux, or SCADA OS images are available to create Decoy VMs.
  • Decoy VMs: Decoy VMs that behave like real endpoints can be deployed through FortiDeceptor.
  • Lures: Lures are services, applications, or users added to a Decoy VM to simulate a real user environment.
  • FortiDeceptor Token Package: Install a FortiDeceptor Token Package to add breadcrumbs on real endpoints and lure an attacker to a Decoy VM. Tokens are normally distributed within the real endpoints and other IT assets on the network to maximize the deception surface. Use tokens to influence attackers' lateral movements and activities. Examples of what you can use in a token include cached credentials, database connections, network shares, data files, and configuration files.
  • Monitor the hacker's actions: Monitor Incidents, Events, and Campaigns.
    • An Event represents a single action, for example, a login-logout event on a victim host.
    • An Incident represents all actions on a single victim host, for example, a login-logout, a file system change, a registry modification, and a website visit on a single victim host.
    • A Campaign represents the hacker's lateral movement. All related Incidents form a Campaign. For example, an attacker logs on to a system using credentials found on another system.
  • Log Events: Log all FortiDeceptor system events.

FortiGate Cloud – Event Management

Event Management

In Event Management, you can set up email alerts for specific device and connectivity events, such as FortiGate Cloud losing its connection to the device or the device's power supply failing. The page defaults to All Events in the left menu, which lists all past events. Select Event Handlers to configure the alert settings.

You can enable events to track by selecting their checkboxes. If you want to receive an alert email when they occur, select the checkbox under Send Alert Email and enter the email address to send the alert email to.

Select the gear icon to configure each Event Handler directly and set the logged severity level and notification frequency.

 

FortiGate Cloud – Reports

Reports

The Reports page generates custom reports of specific traffic data, and can email them to specified addresses. Select a report to see a list of collected reports of that type. By default, there is a preconfigured Summary Report and a Web Activity Report.

You can Add new reports or Edit existing ones. Both open an editing interface, which allows you to edit the report content and add or remove sections.

To create a custom report:

  1. Go to Analysis > Reports.
  2. Click Add in the upper right, and choose to create a blank report, default Summary or Web Activity Report, copy an existing report, or import an external template. Click Submit.
  3. To add a chart, click the gear icon and select Add Chart.
  4. In the Predefined Chart List dialog, select the desired chart. You can further customize the chart by clicking Customize. Click Save.
  5. Click the gear icon to add Descriptions, and Titles to the current section, or new 1- or 2-column sections.
  6. Click Settings. You can upload a report logo and set the report language.
  7. Click Save.
  8. Select Run, and view the finished report.

To schedule a report:

  1. Go to Analysis > Reports.
  2. Click the desired report from the left pane.
  3. Click Schedule to set how often to generate the report (Daily, Weekly, or Monthly) and which email address to send it to. For example, if you want a report covering a month of data, select Monthly and FortiGate Cloud will run and send the report once a month. You can also run a report immediately.

To configure report settings:

If you have enabled multitenancy, you can access these options in Group Management > Manage Report Configs.

  1. Go to Analysis > Reports.
  2. Click the desired report from the left pane.
  3. Click Settings. You can upload a report logo and set the report language. Click Submit.

Reports reference

The following provides descriptions of preconfigured reports:

Report   Description
DNS   The default version of this report displays the following charts:
  • Queried Botnet C&C domains and IP addresses
  • High risk sources
  • Top queried domains
  • Top domain lookup block
  • Top domain lookup timeout
FSBP   The default version of this report displays results based on the device's security rating result:
  • Fabric components audited
  • Score history (industry average and industry range)
  • Maturity milestones
  • Achievements and to-do list
  The FSBP report is only available for devices that support the Security Rating feature. If the device does not have any Security Rating results, all charts show no data.
High Bandwidth Application Usage   Shows you applications that may affect network performance by using high bandwidth, allowing you to quickly pinpoint high bandwidth usage and violations of corporate policy. This report focuses on peer-to-peer applications (such as BitTorrent, Xunlei, Gnutella, Filetopia), file sharing and storage applications (such as Onebox, Google Drive, Dropbox, Apple Cloud), and voice/video applications (such as YouTube, Skype, Spotify, Vimeo, Netflix). You cannot edit this report.
Summary   The default version of this report displays the following sections:
  • Threat Analysis
  • Traffic Analysis
  • Web Activities
  • VPN Analysis
  • System Activity
Web Activity   The default version of this report displays the following charts:
  • Most Visited Web Categories
  • Most Visited Websites
  • Most Visited Web Categories and Web Sites
  • Most Active Web Users
  • Most Visited Web Sites by Most Active Users
  • Most Active Users of Most Visited Web Sites
360 Degree Activities   Displays the following sections:
  • Application Visibility
  • Web Traffic Analysis
  • User Behavior Analysis
  You cannot edit this report.
Cyber Threat Assessment   An enhanced version of the Summary Report. Displays the following sections:
  • User Productivity: Application Usage, Web Usage
  • Security and Threat Prevention: Application Vulnerability Exploits, Virus Prevention, At-Risk Devices and Hosts, High Risk Application
  • Network Utilization: Bandwidth
  You cannot edit this report.

FortiGate Cloud – Logs

Logs

Logs offers more detailed log information, access to individual log data, and downloadable log files. You can select a category of logs to view from the list on the left.

You can select a time period to view data for:

  • Last 60 minutes
  • Last 24 hours
  • Last 7 days
  • Last 30 days
  • Specified time period

You can set the chart’s refresh rate by selecting the Change Refresh Period icon. By using the Add Filter dropdown list, you can filter the log list by various factors. Selecting Column Setting allows you to customize the default log view. By selecting Log Files, you can see the raw log data files and manually download them. The box in the lower right allows you to move through pages of log data by clicking the arrows or entering a page number.

You can download various types of raw logs from FortiGate Cloud. The log filename format is as follows:

<FortiGate serial number>_<log type>_<beginning of log date range>-<time of first log>-<end of log date range>-<time of last log>.log.gz

The log filename format uses a shortened identifier for each log type:

Log type   Identifier
Traffic   tlog
Web Filter   wlog
Application Control   rlog
AntiSpam   slog
AntiVirus   vlog
DLP   dlog
Attack   alog
Anomaly   mlog
DNS   olog
Event (including all subtypes)   elog

For example, consider an Application Control log generated for the period between October 23, 2019 and November 1, 2019 for a FortiGate with the serial number "FGT123". The first log in the file has a timestamp of 6:09 PM, while the last log in the file has a timestamp of 9:32 AM. The log file name is:

FGT123_rlog_20191023-1809-20191101-0932.log.gz
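A parser for this naming scheme is worth having when you pull raw logs for an investigation, because the filename is the only metadata you get before decompressing. The following Python is an added example, not FortiGate Cloud code. It maps a filename back to device, log type and time range using the identifier table above, rejects names that do not match the documented format or use an unknown identifier, and goes one step beyond the page by checking a set of downloaded files for coverage gaps between consecutive archives of the same device and log type, which is the question an incident responder actually asks of an archive. The gap check and every sample filename except the page's own FGT123 example are constructed for illustration; the identifier letters are copied from the table, not re-derived from FortiOS.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple

# Identifier table from the page, mapped back to the human-readable log type.
LOG_TYPE_BY_ID = {
    "tlog": "Traffic",
    "wlog": "Web Filter",
    "rlog": "Application Control",
    "slog": "AntiSpam",
    "vlog": "AntiVirus",
    "dlog": "DLP",
    "alog": "Attack",
    "mlog": "Anomaly",
    "olog": "DNS",
    "elog": "Event",
}

# <serial>_<identifier>_<YYYYMMDD>-<HHMM>-<YYYYMMDD>-<HHMM>.log.gz
_NAME_RE = re.compile(
    r"^(?P<serial>[A-Za-z0-9]+)_(?P<ident>[a-z]log)_"
    r"(?P<start>\d{8}-\d{4})-(?P<end>\d{8}-\d{4})\.log\.gz$"
)


class LogFile(NamedTuple):
    name: str
    serial: str
    log_type: str
    start: datetime  # timestamp of the first log in the file
    end: datetime    # timestamp of the last log in the file


def parse_log_filename(name: str) -> LogFile:
    """Parse a FortiGate Cloud raw log filename. Raises ValueError for a name
    that does not follow the documented format, uses an identifier that is
    not in the table, or has an end time before its start time."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a FortiGate Cloud log filename: {name!r}")
    ident = m.group("ident")
    if ident not in LOG_TYPE_BY_ID:
        raise ValueError(f"unknown log type identifier {ident!r} in {name!r}")
    start = datetime.strptime(m.group("start"), "%Y%m%d-%H%M")
    end = datetime.strptime(m.group("end"), "%Y%m%d-%H%M")
    if end < start:
        raise ValueError(f"end precedes start in {name!r}")
    return LogFile(name, m.group("serial"), LOG_TYPE_BY_ID[ident], start, end)


def find_coverage_gaps(filenames, max_gap_minutes=60):
    """Group files per (serial, log type), order them by first-log time, and
    report every place where the next file starts more than max_gap_minutes
    after the previous one ends. A gap is a period with no retrievable logs.
    Returns (serial, log_type, previous_end, next_start, gap_minutes) tuples."""
    by_stream = {}
    for name in filenames:
        f = parse_log_filename(name)
        by_stream.setdefault((f.serial, f.log_type), []).append(f)
    limit = timedelta(minutes=max_gap_minutes)
    gaps = []
    for (serial, log_type), files in sorted(by_stream.items()):
        files.sort(key=lambda f: f.start)
        for prev, cur in zip(files, files[1:]):
            missing = cur.start - prev.end
            if missing > limit:
                gaps.append((serial, log_type, prev.end, cur.start,
                             int(missing.total_seconds() // 60)))
    return gaps


# Constructed filenames: only the first one is the page's own example.
SAMPLE_FILES = [
    "FGT123_rlog_20191023-1809-20191101-0932.log.gz",
    "FGT123_tlog_20191023-0000-20191023-1200.log.gz",
    "FGT123_tlog_20191023-1201-20191024-0000.log.gz",
    "FGT123_tlog_20191025-0800-20191025-1700.log.gz",
]

if __name__ == "__main__":
    for name in SAMPLE_FILES:
        print(parse_log_filename(name))
    for serial, log_type, prev_end, next_start, minutes in find_coverage_gaps(SAMPLE_FILES):
        print(f"{serial} {log_type}: no logs between {prev_end} and {next_start} ({minutes} min)")
```

On the sample set the Traffic stream has a 1920-minute hole between the second and third archives, while the single Application Control file reports nothing. The one-minute boundary between the first two Traffic files is normal, since the end time is the last log written rather than the end of the collection window, so set max_gap_minutes to something above your device's log rate rather than zero.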

FortiGate Cloud – FortiView

FortiView

The default FortiView page is the summary view, which uses widgets to show a general overview of what is happening with your device. You can add new widgets by selecting Add Widget.

Each widget is a customizable box, showing certain information about the device. You can do the following with widgets:

  • Click a widget title and drag it to move it around.
  • Delete a widget by selecting the X icon.
  • Set the refresh rate of widgets by selecting the dropdown list beside the refresh icon.

The following lists all widget types, grouped according to function:

Threats

Widget   Description   Feature required to be enabled on device
Top Threats   Displays which threats trigger the most detection events on the network.   At least one of: IPS, AV, AntiSpam, DLP, or Anomaly Detection
Top Spam   Displays which sources send the most spam email into the network.   AntiSpam
Top Viruses   Counts the viruses that the device's AV most frequently finds.   AV
Top Applications by Threat Score   Compares which applications have the most traffic relative to their threat score, based on the device's Application Control settings.   Application Control
Top Attacks   Counts the attacks that the device's IPS most frequently prevents.   IPS
Top DLP By Rules   Counts the DLP events that the device detects, sorted by DLP rule.   DLP

Traffic Analysis

Widget   Description   Feature required to be enabled on device
Top Applications   Compares which applications are most frequently used, based on the device's Application Control settings.   Application Control
Top Application Categories   Compares which application categories are most frequently used, based on the device's Application Control settings.   Application Control
Top Sources   Displays which sources have the most traffic from or to the device.   None
Top Destinations   Displays which destinations have the most traffic from or to the device.   None
Top Protocols   Compares the traffic volume that has passed through a certain interface, based on which protocol it uses (HTTP, HTTPS, DNS, TCP, UDP, other).   None
Top Countries   Displays which countries have the most traffic from or to the device.   None
Traffic History   Displays the volume of incoming and outgoing traffic over time.   None

Websites

Widget   Description   Feature required to be enabled on device
Top Websites   Compares which websites are most frequently visited. You can click a category to see which websites in that category are being visited.   Web Filtering
Top Web Categories   Compares which web filtering categories are most frequently used, based on the device's Web Filtering settings.   Web Filtering
Top Users/IP by Browsing Time in Seconds   Compares which users spend the most browsing time on which IP addresses. You can click a user to see which IP addresses they visit.   Web Filtering

FortiView offers log information, reformatted into easily navigable charts, in a style similar to FortiView in FortiOS.

You can select a time period to view data for:

  • Last 60 minutes
  • Last 24 hours
  • Last 7 days
  • Last 30 days
  • Specified time period

You can set the chart’s refresh rate by clicking the Refresh icon. By using the Add Filter dropdown list, you can filter the chart by various factors. Individual chart entries may also allow you to filter by that entry’s data by selecting a filter icon on the right, or drill down to see all related log data, such as all log data through that interface.

FortiView charts reference

The following provides descriptions of all FortiView charts.

User Dashboard

The User Dashboard displays the number of users/entities that fit into the following security categories:

  • Visited high risk websites
  • Infected by malware
  • Targeted by malware
  • Targeted by spam
  • Violated data leak rules
  • Used high-risk applications
  • Targeted by attacks
  • Attacked by protocol intrusion

You can click each category to view the list of users/entities affected. You can drill down further to view the list of incidents for each user/entity and the logs for each incident.

FSBP Dashboard

The FSBP Dashboard displays security rating results for the device, in the following categories:

  • Overall Score
  • Maturity Milestones
  • Top Achievement
  • Top Todo
  • History Trend

The FSBP Dashboard is only available for devices that support the Security Rating feature.

Threats

Chart   Description
Top Threats   Lists the top threats to your network. The following incidents are considered threats:
  • Risk applications detected by application control.
  • Intrusion incidents detected by IPS.
  • Malicious websites detected by web filtering.
  • Malware/botnets detected by antivirus.
IPS   Lists intrusion incidents detected by IPS.
AntiVirus   Lists the malware/botnets detected by AV.
AntiSpam   Lists the spam detected by AntiSpam.
DLP & Archives   Lists the DLP and archive incidents.
Anomaly   Lists network anomalies.

Traffic Analysis

Chart   Description
Application   Displays the top applications used on the network, including the application name, category, bandwidth (sent/received), sessions, and risk level.
Cloud Application   Displays the top cloud applications used on the network.
Source   Displays the highest network traffic by source IP address and name, bandwidth (sent/received), sessions, and risk level.
User   Displays the highest network traffic by user in terms of bandwidth sent/received, sessions, and risk level.
Destination   Displays the highest network traffic by destination IP address, the applications used to access the destination, bandwidth sent/received, sessions, and risk level.
Interface   Displays the highest network traffic by interface in terms of bandwidth sent/received, traffic sessions, and risk level. You can view by source or destination interface.
Country   Displays the highest network traffic by country in terms of bandwidth sent/received, traffic sessions, and risk level. You can view by source or destination country.
Policy Hits   Lists the policy hits by policy, device name, VDOM, number of hits, bytes, and last used time and date.

Website

Chart   Description
Website   Displays the top allowed and blocked website domains on the network. You can also view by source. You can filter by threat level.
Web Category   Displays the top website categories. You can filter by threat level.
Browsing User/IP   Displays the top web-browsing users and their IP addresses by total browsing time. You can also view by category or domain. You can filter by threat level.

System Events

Chart   Description
System Activity   Displays events on the managed devices, their severity, and number of incidents. You can filter by user or severity level.
Admin Session   Displays the users who logged into managed devices, the number of configuration changes they performed, the number of admin sessions, and their total logged-in time. You can also view by login interface. You can filter by severity level.
Failed Login   Displays the users who failed to log into managed devices. You can also view by login interface. You can filter by severity level.
Wireless   Displays wireless events. You can filter by severity level.

VPN Events

Chart   Description
Site to Site   Displays the names of the IPsec site-to-site VPN tunnels connected to the network.
SSL and Dialup   Displays the users who are accessing the network through an SSL VPN or dialup IPsec VPN tunnel.
Failed VPN Login   Displays the users who failed to log in via VPN.