Creating reports – FortiAnalyzer – FortiOS 6.2.3

Creating reports

You can create reports from report templates, by cloning and editing predefined or existing reports, or by starting from scratch.

Creating reports from report templates

You can create a new report from a template. The template populates the Layout tab of the report. The template specifies what text, charts, and macros to use in the report and the layout of the content. Report templates do not contain any data. Data is added to the report when you generate the report.

To create a new report from a template:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > All Reports.
  3. In the toolbar, click Create New. The Create Report dialog box opens.
  4. In the Name box, type a name for the new report. The following characters are NOT supported in report names: \ / " ' < > & , | # ? % $ +
  5. Select From Template for the Create from setting, then select a template from the dropdown list. The template populates the Layout tab of the report.
  6. Select the folder that the new report will be saved to from the dropdown list. See Organizing reports into folders on page 125 for information about folders.
  7. Select OK to create the new report.
  8. On the Settings tab, configure the settings as required. For a description of the fields, see Reports Settings tab on page 117.
  9. Optionally, go to the Layout tab to customize the report layout and content. For a description of the fields, see Reports Layout tab on page 120.
  10. Click Apply to save your changes.

Creating reports by cloning and editing

You can create reports by cloning and editing predefined and/or existing reports.

To create a report by cloning and editing:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > All Reports.
  3. In the content pane, select the report from the list, then click Clone in the toolbar.
  4. In the Clone Report dialog box, type a name for the cloned report. The following characters are NOT supported in report names: \ / " ' < > & , | # ? % $ +
  5. Select the folder that the new report will be saved to from the dropdown list. See Organizing reports into folders on page 125 for information about folders.
  6. Select OK to create the new report.
  7. On the Settings tab, configure the settings as required. For a description of the fields, see Reports Settings tab on page 117.
  8. Optionally, go to the Layout tab to customize the report layout and content. For a description of the fields, see Reports Layout tab on page 120.
  9. Click Apply to save your changes.

Creating reports without using a template

To create a report without using a template:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > All Reports.
  3. In the toolbar, click Create New. The Create New Report dialog box opens.
  4. In the Name box, type a name for the new report. The following characters are NOT supported in report names: \ / " ' < > & , | # ? % $ +
  5. Select Blank for the Create from setting.
  6. Select the folder that the new report will be saved to from the dropdown list. See Organizing reports into folders on page 125 for information about folders.
  7. Select OK to create the new report.
  8. On the Settings tab, you can specify a time period for the report, what device logs to include in the report, and so on. You can also add filters to the report, add a cover page to the report, and so on. For a description of the fields, see Reports Settings tab on page 117.
  9. On the Layout tab, you can specify the charts and macros to include in the report, as well as report content and layout. For a description of the fields, see Reports Layout tab on page 120. For information about creating charts and macros, see Creating charts on page 130 and Creating macros on page 134.
  10. Click Apply to save your changes.

Reports Settings tab

The following options are available in the Settings tab:

Field   Description
Time Period   The time period the report covers. Select a time period or select Custom to manually specify the start and end date and time.
Devices   The devices to include in the report. Select either All Devices or Specify to add specific devices. Select the add icon to select devices.
Type   Select either Single Report (Group Report) or Multiple Reports (Per-Device). This option is only available if multiple devices are selected.
Enable Schedule   Select to enable report template schedules.
Enable Auto-Cache   Select to assemble datasets before generating the report and as the data becomes available. This process uses system resources and is recommended only for reports that require days to assemble datasets. Disable this option for unused reports and for reports that require little time to assemble datasets.
Generate PDF Report Every   Select when the report is generated. Enter a number for the frequency of the report based on the time period selected from the dropdown list.
Start time   Enter a starting date and time for the file generation.
End time   Enter an ending date and time for the file generation, or set it to never ending.
Enable Notification   Select to enable report notification.
Output Profile   Select the output profile from the dropdown list, or click Create New to create a new output profile. See Output profiles on page 138.

Filters section of Reports Settings tab

See Filtering report output on page 124.

Advanced Settings section of Reports Settings tab

The following options are available in the Advanced Settings section of the Settings tab.

Field   Description
Language   Select the report language.
Bundle rest into "Others"   Select to bundle the uncategorized results into an Others category.
Print Orientation   Set the print orientation to portrait or landscape.
Chart Heading Level   Set the heading level for the chart heading.
Default Font   Set the default font.
Hide # Column   Select to hide the column numbers.
Layout Header   Enter header text and select the header image. Accept the default Fortinet image or click Browse to select a different image.
Layout Footer   Select either the default footer or click Custom to enter custom footer text in the text field.
Print Cover Page   Select to print the report cover page. Click Customize to customize the cover page. See Customizing report cover pages on page 119.
Print Table of Contents   Select to include a table of contents.
Print Device List   Select to print the device list. Select Compact, Count, or Detailed from the dropdown list.
Print Report Filters   Select to print the filters applied to the report.
Obfuscate User   Select to hide user information in the report.
Resolve Hostname   Select to resolve hostnames in the report.
Allow Save Maximum   Select a value between 1 and 10000 for the maximum number of reports to save.
Color Code   The color used to identify the report on the calendar. Select a color code from the dropdown list to apply to the report schedule. Color options include: Bold Blue, Blue, Turquoise, Green, Bold Green, Yellow, Orange, Red, Bold Red, Purple, and Gray.

Customizing report cover pages

A report cover page is only included in the report when enabled on the Settings tab in the Advanced Settings section.

When enabled, the cover page can be customized to contain the desired information and imagery.

To customize a report cover page:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Reports > Report Definitions > All Reports.
  3. In the content pane, select the report from the list, and click Edit in the toolbar.
  4. Select the Settings tab and then click Advanced Settings.
  5. Select the Print Cover Page checkbox, then click Customize next to the checkbox. The Edit Cover Page pane opens.
  6. Configure the following settings:

Field   Description
Background Image   Click Browse to open the Choose an Image dialog box. Select an image or click Upload File to find an image on the management computer, then click OK to add the image as the background image of the cover page.
Top Image   Click Browse to open the Choose an Image dialog box. Select an image or click Upload File to find an image on the management computer, then click OK to add the image at the top of the cover page.
Top Image Position   Select the top image position from the dropdown menu. Select one of the following: Left, Center, Right.
Text Color   Select a text color from the dropdown list.
Show Creation Time   Select to print the report date on the cover page.
Show Data Range   Select to print the data range on the cover page.
Report Title   Accept the default title or type another title in the Report Title field.
Custom Text 1   If you want, enter custom text for the Custom Text 1 field.
Custom Text 2   If you want, enter custom text for the Custom Text 2 field.
Bottom Image   Click Browse to open the Choose an Image dialog box. Select an image or click Upload File to find an image on the management computer, then click OK to add the image to the bottom of the cover page.
Footer Left Text   If you want, enter custom text to be printed in the left footer of the cover page.
Footer Right Text   If you want, enter custom text to be printed in the right footer of the cover page.
Footer Background Color   Select the cover page footer background color from the dropdown list.
Reset to Default   Select to reset the cover page settings to their default settings.

  7. Click OK to save the configuration and return to the Settings tab.

Reports Layout tab

Because the cut, copy, and paste functions need access to the clipboard of your operating system, some Internet browsers either block it when called from the layout editor toolbar, or ask you to explicitly agree to it. If you’re blocked from accessing the clipboard by clicking the respective cut, copy and paste buttons from the toolbar or context menu, you can always use keyboard shortcuts.

The following options are available in the Layout tab (layout editor):

Field   Description
Insert Chart or Edit Chart   Click to insert a FortiAnalyzer chart. Charts are associated with datasets that extract data from logs for the report. In the Insert Chart or Chart Properties dialog box, you can specify a custom title, width, and filters for the chart. For information on setting filters, see Filtering report output on page 124. You can edit a chart by right-clicking the chart in the layout editor and selecting Chart Properties, or by clicking the chart to select it and then clicking Edit Chart.
Insert Macro   Click to insert a FortiAnalyzer macro. Macros are associated with datasets that extract data from logs for the report.
Image   Click the Image button in the toolbar to insert an image into the report layout. Right-click an existing image to edit image properties.
Table   Click the Table button in the toolbar to insert a table into the report layout. Right-click an existing table to edit a cell, row, column, or table properties, or to delete the table.
Insert Horizontal Line   Click to insert a horizontal line.
Insert Page Break for Printing   Click to insert a page break for printing.
Link   Click the Link button in the toolbar to open the Link dialog box. You can select to insert a URL, a link to an anchor in the text, or an email address. Alternatively, use the CTRL+L keyboard shortcut to open the Link dialog box.
Anchor   Click the Anchor button in the toolbar to insert an anchor in the report layout.
Cut   To cut a text fragment, start by selecting it. When the text is selected, you can cut it using one of the following methods: click the Cut button in the toolbar, right-click and select Cut in the menu, or use the CTRL+X shortcut on your keyboard.
Copy   To copy a text fragment, start by selecting it. When the text is selected, you can copy it using one of the following methods: click the Copy button in the toolbar, right-click and select Copy in the menu, or use the CTRL+C shortcut on your keyboard.
Paste   To paste text, start by cutting or copying it from another source. Depending on the security settings of your browser, you may either paste directly from the clipboard or use the Paste dialog box.
Paste as plain text   Click Paste as plain text to paste formatted text without the formatting. If the browser blocks the editor toolbar's access to the clipboard, a Paste as Plain Text dialog box appears and you can paste the fragment into the text box using the CTRL+V keyboard shortcut.
Paste from Word   You can preserve basic formatting when you paste a text fragment from Microsoft Word. To achieve this, copy the text in a Word document and paste it using one of the following methods: click the Paste from Word button in the toolbar, or use the CTRL+V shortcut on your keyboard.
Undo   Click to undo the last action. Alternatively, use the CTRL+Z keyboard shortcut to perform the undo operation.
Redo   Click to redo the last action. Alternatively, use the CTRL+Y keyboard shortcut to perform the redo operation.
Find   Click to find text in the report layout editor. This dialog box consists of the following elements:
    • Find what: The text field where you enter the word or phrase you want to find.
    • Match case: Checking this option limits the search operation to words whose case matches the spelling (uppercase and lowercase letters) given in the search field. This means the search becomes case-sensitive.
    • Match whole word: Checking this option limits the search operation to whole words.
    • Match cyclic: Checking this option means that after the editor reaches the end of the document, the search continues from the beginning of the text. This option is checked by default.
Replace   Click to replace text in the report layout editor. This dialog box consists of the following elements:
    • Find what: The text field where you enter the word or phrase you want to find.
    • Replace with: The text field where you enter the word or phrase that will replace the search term in the document.
    • Match case: Checking this option limits the search operation to words whose case matches the spelling (uppercase and lowercase letters) given in the search field. This means the search becomes case-sensitive.
    • Match whole word: Checking this option limits the search operation to whole words.
    • Match cyclic: Checking this option means that after the editor reaches the end of the document, the search continues from the beginning of the text. This option is checked by default.
Save as Template   Click to save the layout as a template.
Paragraph Format   Select the paragraph format from the dropdown list. Select one of the following: Normal, Heading 1, Heading 2, Heading 3, Heading 4, Heading 5, Heading 6, Formatted, Address, or Normal (DIV).
Font Name   Select the font from the dropdown list.
Font Size   Select the font size from the dropdown list. Select a size ranging from 8 to 72.
Bold   Select the text fragment and then click the Bold button in the toolbar. Alternatively, use the CTRL+B keyboard shortcut to apply bold formatting to a text fragment.
Italic   Select the text fragment and then click the Italic button in the toolbar. Alternatively, use the CTRL+I keyboard shortcut to apply italic formatting to a text fragment.
Underline   Select the text fragment and then click the Underline button in the toolbar. Alternatively, use the CTRL+U keyboard shortcut to apply underline formatting to a text fragment.
Strike Through   Select the text fragment and then click the Strike Through button in the toolbar.
Subscript   Select the text fragment and then click the Subscript button in the toolbar.
Superscript   Select the text fragment and then click the Superscript button in the toolbar.
Text Color   You can change the color of text in the report by using a color palette. To choose a color, select a text fragment, click the Text Color button in the toolbar, and select a color.
Background Color   You can also change the color of the text background.
Insert/Remove Numbered List   Click to insert or remove a numbered list.
Insert/Remove Bulleted List   Click to insert or remove a bulleted list.
Decrease Indent   To decrease the indentation of the element, click the Decrease Indent toolbar button. The indentation of the block-level element containing the cursor will decrease by one tabulator length.
Increase Indent   To increase the indentation of the element, click the Increase Indent toolbar button. The block-level element containing the cursor will be indented by one tabulator length.
Block Quote   Block quote is used for longer quotations that are distinguished from the main text by left and right indentation. It is recommended to use this type of formatting when the quoted text consists of several lines or at least 100 words.
Align Left   When you align your text left, the paragraph is aligned with the left margin and the text is ragged on the right side. This is usually the default text alignment setting for languages with left-to-right direction.
Center   When you center your text, the paragraph is aligned symmetrically along the vertical axis and the text is ragged on both sides. This setting is often used in titles or table cells.
Align Right   When you align your text right, the paragraph is aligned with the right margin and the text is ragged on the left side. This is usually the default text alignment setting for languages with right-to-left direction.
Justify   When you justify your text, the paragraph is aligned to both the left and right margins and the text is not ragged on either side.
Remove Format   Click to remove formatting.

Filtering report output

You can apply log message filters to reports and charts.

To filter output in a report:

Click the Settings tab and scroll to the Filters section.

To filter output in a chart:

  1. Click the Layout tab.
  2. Filter a new or existing chart:
    • Click Insert Chart and scroll to the Filters section.
    • Right-click a chart in the layout and select Chart Properties. Scroll to the Filters section.

In the Filters section, the following options are available.

Field   Description
Log messages that match   Available in the Settings tab only. Select All to filter log messages based on all of the added conditions, or select Any of the Following Conditions to filter log messages based on any one of the conditions.
Add Filter   Click to add filters. For each filter, select the field and operator from the dropdown lists, then enter or select the values as applicable. Filters vary based on device type. When adding a filter, keep the following considerations in mind:
    • The Settings and Layout tabs use the same Log Field list to filter output; however, some log fields are not used in charts. The Log Field you use to filter a report may not apply to the log fields in a chart.
    • The Value field is case sensitive.
LDAP Query   Available in the Settings tab only. Click to add an LDAP query, then select the LDAP Server and the Case Change value from the dropdown lists. Use this option to query an LDAP server for group membership. The results of this query are used to filter the report so that it matches only logs for users belonging to that group. You must specify the group name in the filter definition. If you enable LDAP Query, the group name is not used to match the group field in logs. The group name is only used for the LDAP query to determine group membership. The query will not retrieve the userPrincipalName if the Distinguished Name in the System Settings does not contain an organizational unit (ou). To retrieve the UPN, add the Distinguished Name as it appears in the System Settings to your query.

Reports – FortiAnalyzer – FortiOS 6.2.3

Reports

You can generate data reports from logs by using the Reports feature. You can do the following:

  • Use predefined reports. Predefined report templates, charts, and macros are available to help you create new reports.
  • Create custom reports.

Report files are stored in the reserved space for the FortiAnalyzer device. See Automatic deletion on page 56.

For more information on FortiAnalyzer report technology and troubleshooting report performance issues, see the FortiAnalyzer Report Performance Troubleshooting Guide.

How ADOMs affect reports

When ADOMs are enabled, each ADOM has its own reports, libraries, and advanced settings. Make sure you are in the correct ADOM before selecting a report. See Switching between ADOMs on page 15.

Some reports are available only when ADOMs are enabled. For example, ADOMs must be enabled to access FortiCarrier, FortiCache, FortiClient, FortiDDoS, FortiMail, FortiSandbox, and FortiWeb reports. In a Security Fabric ADOM, all reports are displayed.

You can configure and generate reports for these devices within their respective default ADOM or a Security Fabric ADOM. These devices also have device-specific charts and datasets.

Predefined reports, templates, charts, and macros

FortiAnalyzer includes a number of predefined elements you can use to create and/or build reports.

Predefined…   GUI Location   Purpose
Reports   Reports > Report Definitions > All Reports   You can generate reports directly or with minimal setting configuration. Predefined reports are actually report templates with basic default setting configurations.
Templates   Reports > Report Definitions > Templates   You can use them directly or build upon them. Report templates include charts and/or macros and specify the layout of the report. A template populates the Layout tab of a report that is to be created. See List of report templates on page 128.
Charts   Reports > Report Definitions > Chart Library   You can use them directly or build upon them in a report template that you are creating, or in the Layout tab of a report that you are creating. Charts specify what data to extract from logs.
Macros   Reports > Report Definitions > Macro Library   You can use them directly or build upon them in a report template that you are creating, or in the Layout tab of a report that you are creating. Macros specify what data to extract from logs.

Logs used for reports

The Reports feature uses Analytics logs to generate reports. Archive logs are not used to generate reports. For more information, see Data policy and automatic deletion on page 22.

For reports about users, the FortiGate needs to populate the user field in the logs sent to FortiAnalyzer.

How charts and macros extract data from logs

Reports include charts and/or macros. Each chart and macro is associated with a dataset. When you generate a report, the dataset associated with each chart and macro extracts data from the logs and populates the charts and macros. Each chart requires a specific log type.

FortiAnalyzer includes a number of predefined charts and macros. You can also create custom charts and macros.

How auto-cache works

When you generate a report, it can take days to assemble the required dataset and produce the report, depending on the required datasets. Instead of assembling datasets at the time of report generation, you can enable the auto-cache feature for the report.

Auto-cache is a setting that tells the system to automatically generate hcache. The hcache (hard cache) means that the cache stays on disk in the form of database tables instead of in memory. Hcache is applied to "matured" database tables. When a database table rolls, it becomes "mature", meaning the table will not grow anymore. It is therefore unnecessary to query this database table each time for the same SQL query, so hcache is used instead. Hcache runs queries on matured database tables in advance and caches the interim results of each query. When it is time to generate the report, many of the datasets are already assembled, and the system only needs to merge the results from the hcaches. This reduces report generation time significantly.

The auto-cache process uses system resources to assemble and cache the datasets and it takes extra space to save the query results. You should only enable auto-cache for reports that require a long time to assemble datasets.

Generating reports

You can generate reports by using one of the predefined reports or by using a custom report that you created. You can find all the predefined reports and custom reports listed in Reports > Report Definitions > All Reports.

To generate a report:

  1. Go to Reports > Report Definitions > All Reports.
  2. In the content pane, select a report from the list.
  3. (Optional) Click Edit in the toolbar and edit settings on the Settings and Layout tabs. For a description of the fields in the Settings and Layout tabs, see Reports Settings tab on page 117, Creating charts on page 130, and Macro library on page 134.
  4. In the toolbar, click Run Report.

Viewing completed reports

After you generate reports, you can view completed reports in Reports > Generated Reports or Reports > Report Definitions > All Reports. You can view reports in the following formats: HTML, PDF, XML, and CSV.

To view completed reports in Generated Reports:

  1. Go to Reports > Generated Reports. This view shows all generated reports for the specified time period.
  2. To sort the report list by date, click Order by Time. To sort the report list by report name, click Order by Name.
  3. Locate the report and click the format in which you want to view the report to open the report in that format. For example, if you want to review the report in HTML format, click the HTML link.

To view completed reports in All Reports:

  1. Go to Reports > Report Definitions > All Reports.
  2. On the report list, double-click a report to open it.
  3. In the View Report tab, locate the report and click the format in which you want to view the report to open the report in that format.

For example, if you want to review the report in HTML format, click the HTML link.

Enabling auto-cache

You can enable auto-cache to reduce report generation time for reports that require a long time to assemble datasets. For information about auto-cache and hcache, see How auto-cache works on page 112.

You can see the status of building the cache in Reports > Report Definitions > All Reports in the Cache Status column.

To enable auto-cache:

  1. Go to Reports > Report Definitions > All Reports.
  2. Select the report from the list, and click Edit in the toolbar.
  3. In the Settings tab, select the Enable Auto-Cache checkbox.
  4. Click Apply.

Grouping reports

If you are running a large number of reports which are very similar, you can significantly improve report generation time by grouping the reports. Grouping reports has these advantages:

  • Reduce the number of hcache tables.
  • Improve auto-hcache completion time.
  • Improve report completion time.

Step 1: Configure report grouping

For example, to group reports with titles containing string Security_Report by device ID and VDOM, enter the following CLI commands:

    config system report group
        edit 0
            set adom root
            config group-by
                edit devid
                next
                edit vd
                next
            end
            set report-like Security_Report
        next
    end

Notes:

  • The report-like field specifies the string in report titles that is used for report grouping. This string is case-sensitive.
  • The group-by value controls how cache tables are grouped.
  • To view report grouping information, enter the following CLI command, then check the Report Group column of the table that is displayed:

    execute sql-report list-schedule <ADOM>

Step 2: Initiate a rebuild of hcache tables

To initiate a rebuild of hcache tables, enter the following CLI command:

    diagnose sql hcache rebuild-report <start-time> <end-time>

Where <start-time> and <end-time> are in the format <yyyy-mm-dd hh:mm:ss>.

Retrieving report diagnostic logs

Once you start to run a report, FortiAnalyzer creates a log about the report generation status and system performance. Use this diagnostic log to troubleshoot report performance issues. For example, if your report is very slow to generate, you can use this log to check system performance and see which charts take the longest time to generate.

For information on how to interpret the report diagnostic log and troubleshoot report performance issues, see the FortiAnalyzer Report Performance Troubleshooting Guide.

To retrieve report generation logs:

  1. In Reports > Generated Reports, right-click the report and select Retrieve Diagnostic to download the log to your computer.
  2. Use a text editor to open the log.

Auto-Generated Reports

The CyberThreat Assessment report is automatically generated. By default, the report runs at 3:00 AM every Monday. For more information on report scheduling, see Scheduling reports on page 115.

Schedules can be viewed in the Report Calendar. See Report calendar on page 141.

Scheduling reports

You can configure a report to generate on a regular schedule. Schedules can be viewed in the Report Calendar. See Report calendar on page 141.

To schedule a report:

  1. Go to Reports > Report Definitions > All Reports.
  2. Select a report and click Edit in the toolbar.
  3. Click Settings in the toolbar.
  4. Select the Enable Schedule checkbox and configure the schedule.
  5. Click Apply.

Enabling and disabling SOC – FortiAnalyzer – FortiOS 6.2.3

Enabling and disabling SOC

The FortiAnalyzer SOC module can be disabled for performance tuning through the CLI. When disabled, the GUI will hide the SOC modules as well as the FortiView and Monitors panes, and stop background processing for this feature.

To disable SOC in the CLI:

    config system global
        set disable-module fortiview-noc
    end

To enable SOC in the CLI:

    config system global
        unset disable-module
    end

Disabling the SOC module causes the FortiAnalyzer to return the following error message when the FortiGate attempts to retrieve FortiAnalyzer data: Server Error: FortiView/NOC function is disabled on FortiAnalyzer.

The FortiGate GUI displays the message: Failed to retrieve FortiView data.


Using FortiView – FortiAnalyzer – FortiOS 6.2.3

Using FortiView

Viewing FortiView dashboards

When viewing FortiView dashboards, use the controls in the toolbar to select a device, specify a time period, refresh the view, and switch to full-screen mode.

Many widgets on FortiView dashboards let you drill down to view more details. To drill down to view more details, click, double-click, or right-click an element to view details about different dimensions in different tabs. You can continue to drill down by double-clicking an entry. Click the close icon in the widget’s toolbar to return to the previous view. Many FortiView widgets support multiple chart types such as table view, bubble view, map view, tile view, etc.

  • In widgets that support multiple views, select the settings icon in the top-right corner of the widget to choose another view.
  • If sorting is available, there is a Sort By dropdown list in the top-left.
  • Some widgets have a Show dropdown list in the bottom-right for you to select how many items to display.
  • To sort by a column in table view, click the column title.
  • To view more information in graphical views such as bubble, map, or user view, hover the mouse over a graphical element.

Some dashboards include multiple widgets. For example, Applications & Websites > Top Cloud Applications includes widgets for Top Cloud Application and Top Cloud User.

Viewing the threat map

You can view an animated world map that displays threats from unified threat management logs. Threats are displayed in real-time. No replay or additional details are available.

You must specify the longitude and latitude of the device to enable threats for the device to display in the threat map. You can edit the device settings to identify the geographical location of the device in Device Manager. For more information, see Editing device information on page 29.

To view the threat map:

  1. Go to FortiView > Threats > Threat Map.
  2. In the map, view the geographic location of the threats. Threats are displayed when the threat level is greater than zero.
    • A yellow line indicates a high threat.
    • A red line indicates a critical threat.
  3. In the Threat Window, view the Time, Threat, Source, Destination, and Severity (score).

Filtering FortiView

Filter FortiView widgets using the Add Filter box in the toolbar or by right-clicking an entry and selecting a context-sensitive filter. You can also filter by specific devices or log groups and by time.

To filter FortiView widgets using filters in the toolbar:

  1. Specify filters in the Add Filter box:
    • Filter Mode: In the selected summary view, click Add Filter and select a filter from the dropdown list, then type a value. Click NOT to negate the filter value. You can add multiple filters and connect them with “and” or “or”.
    • Text Search: Click the Switch to Text Search icon at the right end of the Add Filter box. In Text Search mode, enter the search criteria (log field names and values). Click the Switch to Filter Mode icon to go back to Filter Mode.
  2. In the Device list, select a device.
  3. In the Time list, select a time period.

To filter FortiView widgets using the right-click menu:

In the selected view, right-click an entry and select a filter criterion (Search <filtervalue>).

Depending on the column in which your mouse is placed when you right-click, FortiView uses the column value as the filter criteria. This context-sensitive filter is only available for certain columns.

Viewing related logs

You can view the related logs for a FortiView summary in Log View. When you view related logs, the same filters that you applied to the FortiView summary are applied to the log messages.

To view related logs for a FortiView summary, right-click the entry and select View Related Logs.

Exporting filtered summaries

You can export filtered FortiView summaries, from the summary view or from any level of drilldown, to PDF or to report charts. Filtered summaries are always exported in table format.

To export a filtered summary:

  1. In the filtered summary view or its drilldown, select the tools icon in the top-right corner of the widget and choose Export to PDF or Export to Report Chart.
  2. In the dialog box, review and configure settings:
    • Specify a file name for the exported file.
    • In the Top field, specify the number of entries to export.
    • If you are in a drilldown view, the tab you are in is selected by default. You can select more tabs. If you are exporting to report charts, the export creates one chart for each tab.
  3. Click OK.

Charts are saved in the Chart Library. You can use them in the same way you use other charts.

Monitoring resource usage of devices

You can monitor how much FortiAnalyzer system resources (e.g., CPU, memory, and disk space) each device uses. When ADOMs are enabled, this information is displayed per ADOM. In a specific ADOM, you can view the resource usage information of all the devices under the ADOM.

Go to SOC > FortiView > System > Resource Usage to monitor resource usage for devices.

Long-lived session handling

Because traffic logs are only sent at the end of a session, long-lived sessions can be unintentionally excluded when narrowing searches in FortiView. To account for this, interim traffic logs can be enabled through FortiOS, allowing FortiView to show the trend of session history rather than one large volume once the session is closed.

For a long-lived session with a duration greater than two minutes, interim traffic logs are generated with the Log ID of 20.

  • For interim traffic logs, the sentdelta and rcvddelta fields are filled in with an increment of bytes which are sent/received after the start of the session or previous interim traffic log.
  • Interim traffic logs are not counted in Sessions, but the sentdelta and rcvddelta values in related traffic logs are added when calculating the sent and received bytes.

When a long-lived session ends, a traffic log with a Log ID of 13 is sent which indicates the session is closed.
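The accounting rules above, as an added illustration that is not FortiAnalyzer code: it parses constructed FortiOS-style key=value traffic logs and shows why a long-lived session is invisible to a narrowed search unless interim logs (Log ID 20) are enabled. The field names sentdelta, rcvddelta, sentbyte and rcvdbyte follow the text; the fallback to sentbyte/rcvdbyte when a close log carries no delta fields is an assumption.

```python
"""Model of interim traffic log accounting (added example, not FortiAnalyzer code)."""
import re
from dataclasses import dataclass

INTERIM_LOGID = 20   # interim traffic log, emitted for sessions longer than two minutes
CLOSE_LOGID = 13     # traffic log emitted when the session closes

# key=value or key="quoted value" pairs as they appear in FortiOS logs
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Parse one FortiOS-style log line into a dict; surrounding quotes are stripped."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


@dataclass
class SessionStats:
    sessions: int = 0      # closed sessions; interim logs are never counted here
    sent_bytes: int = 0
    rcvd_bytes: int = 0
    interim_logs: int = 0


def summarize(lines, window=None):
    """Aggregate sessions and bytes the way the text describes for FortiView.

    window is an optional (start, end) pair of HH:MM:SS strings; logs whose time
    field falls outside it are dropped, which is what narrowing a FortiView
    search does. Assumed rule: a log carrying delta fields contributes only its
    sentdelta/rcvddelta increment, a close log without them contributes its
    sentbyte/rcvdbyte totals.
    """
    stats = SessionStats()
    for line in lines:
        log = parse_log(line)
        if log.get("type") != "traffic":
            continue
        if window and not (window[0] <= log.get("time", "") <= window[1]):
            continue
        if int(log["logid"]) == INTERIM_LOGID:
            stats.interim_logs += 1
        elif int(log["logid"]) == CLOSE_LOGID:
            stats.sessions += 1
        if "sentdelta" in log:
            stats.sent_bytes += int(log["sentdelta"])
            stats.rcvd_bytes += int(log["rcvddelta"])
        else:
            stats.sent_bytes += int(log.get("sentbyte", 0))
            stats.rcvd_bytes += int(log.get("rcvdbyte", 0))
    return stats


# Constructed sample logs (not real captures). Session 1001 lasts 6.5 minutes and,
# with interim logging enabled, reports two Log ID 20 increments before it closes;
# session 1002 is short and only ever emits its close log.
INTERIM_LOGS = [
    'date=2019-10-01 time=12:01:10 logid="0000000013" type="traffic" subtype="forward" '
    'sessionid=1002 srcip=10.0.0.7 dstip=198.51.100.20 sentbyte=200 rcvdbyte=800 duration=3',
    'date=2019-10-01 time=12:02:00 logid="0000000020" type="traffic" subtype="forward" '
    'sessionid=1001 srcip=10.0.0.5 dstip=198.51.100.10 sentdelta=1000 rcvddelta=5000',
    # a non-traffic log with a constructed logid; the summary ignores it
    'date=2019-10-01 time=12:03:00 logid="0000000000" type="event" subtype="system" '
    'logdesc="Unrelated event log, ignored by the traffic summary"',
    'date=2019-10-01 time=12:04:00 logid="0000000020" type="traffic" subtype="forward" '
    'sessionid=1001 srcip=10.0.0.5 dstip=198.51.100.10 sentdelta=1500 rcvddelta=7000',
    'date=2019-10-01 time=12:06:30 logid="0000000013" type="traffic" subtype="forward" '
    'sessionid=1001 srcip=10.0.0.5 dstip=198.51.100.10 sentbyte=3000 rcvdbyte=14000 '
    'sentdelta=500 rcvddelta=2000 duration=390',
]

# The same two sessions with interim logging disabled: session 1001 is reported
# only once, as one large volume, when it closes at 12:06:30.
NO_INTERIM_LOGS = [
    INTERIM_LOGS[0],
    'date=2019-10-01 time=12:06:30 logid="0000000013" type="traffic" subtype="forward" '
    'sessionid=1001 srcip=10.0.0.5 dstip=198.51.100.10 sentbyte=3000 rcvdbyte=14000 duration=390',
]

if __name__ == "__main__":
    window = ("12:00:00", "12:05:00")   # a narrowed FortiView search
    print("interim enabled, narrowed: ", summarize(INTERIM_LOGS, window))
    print("interim disabled, narrowed:", summarize(NO_INTERIM_LOGS, window))
    print("interim enabled, full day: ", summarize(INTERIM_LOGS))
```

With the 12:00 to 12:05 window, session 1001 contributes 2500 sent bytes through its interim logs but vanishes entirely when interim logging is off, while the byte totals for the whole day are identical in both cases.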

Viewing Compromised Hosts

Compromised Hosts or Indicators of Compromise Service (IOC) is a licensed feature.

To view Compromised Hosts, you must turn on the UTM web filter of FortiGate devices and subscribe your FortiAnalyzer unit to FortiGuard to keep its local threat database synchronized with the FortiGuard threat database. See Subscribing FortiAnalyzer to FortiGuard on page 106.

The Indicators of Compromise Service (IOC) downloads the threat database from FortiGuard. The FortiGuard threat database contains the blacklist and suspicious list. IOC detects suspicious events and potentially compromised network traffic using sophisticated algorithms on the threat database.

FortiAnalyzer identifies possible compromised hosts by checking the threat database against an event’s IP, domain, and URL in the following logs of each end user:

  • Web filter logs.
  • DNS logs.
  • Traffic logs.

When a threat match is found, sophisticated algorithms calculate a threat score for the end user. When the check is complete, FortiAnalyzer aggregates all the threat scores of an end user and gives its verdict of the end user’s overall IOC.

Compromised Hosts displays the results showing end users with suspicious web usage which can indicate that the endpoint is compromised. You can drill down to view threat details.

Understanding Compromised Hosts entries

When a log entry is received and inserted into the SQL database, the log entry is scanned and compared to the blacklist and suspicious list in the IOC threat database that is downloaded from FortiGuard.

If a match is found in the blacklist, then FortiAnalyzer displays the endpoint in Compromised Hosts with a Verdict of Infected.

If a match is found in the suspicious list, then FortiAnalyzer flags the endpoint for further analysis.

In the analysis, FortiAnalyzer compares the flagged log entries with the previous endpoint’s statistics for the same day and then updates the score.

If the score exceeds the threshold, that endpoint is listed or updated in Compromised Hosts.

When an endpoint is displayed in Compromised Hosts, all the suspicious logs which contributed to the score are listed.

When the database is rebuilt, all log entries are reinserted and rescanned.
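The matching and scoring sequence just described, as an added model that is not FortiAnalyzer code: blacklist matches produce an immediate Infected verdict, suspicious-list matches accumulate a per-endpoint, per-day score that must cross a threshold before the endpoint is listed, the contributing logs are retained as evidence, and a rebuild rescans everything. The blacklist, suspicious list, log field names, per-match weight (10) and threshold (25) are constructed assumptions; FortiGuard's real package and scoring are not published on this page.

```python
"""Model of Compromised Hosts matching (added example, not FortiAnalyzer code)."""
from collections import defaultdict

INFECTED = "Infected"        # blacklist match: immediate verdict
SUSPICIOUS = "Suspicious"    # suspicious-list score crossed the threshold

# The event's IP, domain and URL fields that are checked against the threat
# database. Names follow FortiOS log conventions but are an assumption here.
INDICATOR_FIELDS = ("dstip", "hostname", "qname", "url")
SCANNED_LOG_TYPES = ("webfilter", "dns", "traffic")


class IocScanner:
    def __init__(self, blacklist, suspicious_list, weight=10, threshold=25):
        self.blacklist = set(blacklist)
        self.suspicious_list = set(suspicious_list)
        self.weight = weight          # assumed score added per suspicious match
        self.threshold = threshold    # assumed score above which a host is listed
        self.reset()

    def reset(self):
        self.scores = defaultdict(int)       # (endpoint, day) -> running score
        self.verdicts = {}                   # endpoint -> verdict
        self.evidence = defaultdict(list)    # endpoint -> logs that contributed

    def scan(self, log):
        """Scan one log entry as it is inserted; return the new verdict, if any."""
        if log.get("type") not in SCANNED_LOG_TYPES:
            return None
        endpoint = log["srcip"]              # the end user behind the log entry
        indicators = {log[f] for f in INDICATOR_FIELDS if f in log}
        if indicators & self.blacklist:
            self.evidence[endpoint].append(log)
            self.verdicts[endpoint] = INFECTED
            return INFECTED
        if indicators & self.suspicious_list:
            # flagged for analysis: update the endpoint's score for the same day
            self.evidence[endpoint].append(log)
            key = (endpoint, log["date"])
            self.scores[key] += self.weight
            if self.scores[key] > self.threshold and self.verdicts.get(endpoint) != INFECTED:
                self.verdicts[endpoint] = SUSPICIOUS
                return SUSPICIOUS
        return None

    def compromised_hosts(self):
        """Endpoints that would appear in Compromised Hosts, with their verdict."""
        return dict(self.verdicts)

    def rebuild(self, logs):
        """Database rebuild: every log entry is reinserted and rescanned."""
        self.reset()
        for log in logs:
            self.scan(log)
        return self.compromised_hosts()


# Constructed threat lists (documentation ranges, not a real FortiGuard feed).
BLACKLIST = {"bad.example", "203.0.113.9"}
SUSPICIOUS_LIST = {"shady.example", "tracker.example"}

# Constructed log entries; srcip identifies the end user.
SAMPLE_LOGS = [
    {"date": "2019-10-01", "type": "webfilter", "srcip": "10.0.0.5", "hostname": "bad.example", "url": "/"},
    {"date": "2019-10-01", "type": "dns", "srcip": "10.0.0.7", "qname": "shady.example"},
    {"date": "2019-10-01", "type": "webfilter", "srcip": "10.0.0.7", "hostname": "tracker.example", "url": "/pixel"},
    {"date": "2019-10-01", "type": "traffic", "srcip": "10.0.0.7", "dstip": "198.51.100.4"},  # clean
    {"date": "2019-10-01", "type": "dns", "srcip": "10.0.0.7", "qname": "shady.example"},
    {"date": "2019-10-01", "type": "webfilter", "srcip": "10.0.0.9", "hostname": "tracker.example", "url": "/"},
    {"date": "2019-10-02", "type": "traffic", "srcip": "10.0.0.9", "dstip": "203.0.113.9"},
    # three suspicious hits spread over two days never cross the per-day threshold
    {"date": "2019-10-01", "type": "dns", "srcip": "10.0.0.11", "qname": "shady.example"},
    {"date": "2019-10-01", "type": "dns", "srcip": "10.0.0.11", "qname": "tracker.example"},
    {"date": "2019-10-02", "type": "dns", "srcip": "10.0.0.11", "qname": "shady.example"},
]

if __name__ == "__main__":
    scanner = IocScanner(BLACKLIST, SUSPICIOUS_LIST)
    for entry in SAMPLE_LOGS:
        scanner.scan(entry)
    for host, verdict in scanner.compromised_hosts().items():
        print(host, verdict, "evidence:", len(scanner.evidence[host]))
```

10.0.0.7 is listed only on its third suspicious match of the day, 10.0.0.9 moves straight to Infected on the blacklisted destination IP, and 10.0.0.11 never appears because its score is kept per day.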

Working with Compromised Hosts information

Go to SOC > FortiView > Threats > Compromised Hosts.

When viewing Compromised Hosts:

  • Use the widget settings icon to select Table or Users format, set the refresh interval, and modify other widget settings.
  • Use the tools icon to export the information, edit rescan configuration, and set additional display options.
  • Use the toolbar to select devices, specify a time period, refresh the view, select a theme (Day, Night, and Ocean), and switch to full-screen mode.

When you view an event, the # of Threats is the number of unique Threat Names associated with that compromised host (end user).

When you drill down to view details, the # of Events is the number of logs matching each blacklist entry for that compromised host (end user).

  • To acknowledge a Compromised Hosts line item, click Ack on that line.
  • To filter entries, click Add Filter and specify devices or a time period.
  • To drill down and view threat details, double-click a tile or a row.

Incorrectly rated IOCs can be reported within the Threat Intel Lookup screen, accessible by double-clicking on an End User, selecting the detected pattern from the Blacklist, and clicking Report Misrated IOC.

Subscribing FortiAnalyzer to FortiGuard

To keep your FortiAnalyzer threat database up to date:

  • Ensure your FortiAnalyzer can reach FortiGuard at fortinet.com.
  • Purchase a FortiGuard Indicators of Compromise Service license and apply that license to the product registration.

No change is needed on the FortiAnalyzer side.

To subscribe FortiAnalyzer to FortiGuard:

  1. Go to System Settings > Dashboard.
  2. In the License Information widget, find the FortiGuard > Indicators of Compromise Service field and click Purchase.
  3. After purchasing the license, check that the FortiGuard > Indicators of Compromise Service is Licensed and shows the expiry date.

Managing a Compromised Hosts rescan policy

The Compromised Hosts scan time range can be customized to scan previous entries so that when a new package is received from FortiGuard, FortiAnalyzer can immediately rescan using the new definitions.

Requirements for managing a Compromised Hosts rescan policy:

  • This feature requires a valid indicators of compromise (IOC) license. The rescan options will not be available in the GUI or CLI without a license.
  • The administrator must have System Settings write privileges to enable or disable and configure Global IOC Rescan.

To configure rescan settings and check rescan results:

  1. Go to SOC > FortiView > Threats > Compromised Hosts.
  2. From the Tools menu on the right-side of the toolbar, select Edit Rescan Configuration. The Edit Compromised Hosts Rescan Policy Settings window opens.
  3. Under Compromised Hosts Rescan Global Settings:
    1. Enable Global Compromised Hosts Rescan.
    2. Set the running time to either a specific hour of the day, or select package update to rescan when the package is updated.
  4. Under Compromised Hosts Rescan Current ADOM Settings:
    1. Enable Current ADOM Compromised Hosts Rescan.
    2. Select the log types to be scanned (DNS, Web Filter, and Traffic logs).
    3. Set the number of previous days’ logs that are scanned.

By default, all log types are selected, and the scan will cover the past 14 days. The maximum recommended number of scan days is calculated based on historical scan speeds, or 30 days if no previous scans have been done.

  5. All tasks are shown in the Rescan tasks table, which includes:
    • The start and end time of each task.
    • The status of the task (complete, running, etc.).
    • How complete a task is, as a percentage.
    • The total number of scanned logs and the threat count (the number of logs with threats) for each task.
    • The IOC package update time.
    • A count of the new threats that were added in this update.

Running tasks can be canceled by clicking the Cancel button in the Status column.

  6. Select a non-zero threat count number in the Rescan tasks table to drill down to a specific scan’s task details. These details include the Detect Pattern, Threat Type, Threat Name, # of Events, and the Endpoint.
  7. Click Back to return to the settings window.
  8. Click OK to return to the compromised hosts list.
  9. In the compromised hosts list, a rescan icon is shown in the Last Detected column if any threats were found during a rescan. To view only those hosts that had threats found during a rescan, select Only Show Rescan from the Tools menu in the toolbar.

Examples of using FortiView

You can use FortiView to find information about your network. The following are some examples.

Finding application and user information

Company ABC has over 1000 employees using different applications across different divisional areas, including supply chain, accounting, facilities and construction, administration, and IT.

The administration team received a $6000 invoice from a software provider to license an application called Widget-Pro. According to the software provider, an employee at Company ABC is using Widget-Pro software.

The system administrator wants to find who is using applications that are not in the company’s list of approved applications. The administrator also wants to determine whether the user is unknown to FortiGuard signatures, identify the list of users, and perform an analysis of their systems.

To find application and user information:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to SOC > FortiView > Applications & Websites > Top Applications.
  3. Click Add Filter, select Application, type Widget-Pro.
  4. If you do not find the application in the filtered results, go to Log View > Traffic.
  5. Click the Add Filter box, select Source IP, type the source IP address, and click Go.

Analyzing and reporting on network traffic

A new administrator starts at #1 Technical College. The school offers free WiFi to students on the condition that they accept the terms and policies for school use.

The new administrator is asked to analyze and report on the top sources and destinations students visit, the sources and destinations that consume the most bandwidth, and the number of attempts to visit blocked sites.

To review the source and destination traffic and bandwidth:

  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to SOC > FortiView > Traffic > Top Sources.
  3. Go to SOC > FortiView > Traffic > Top Destinations.

If available, select the icon beside the IP address to see its WHOIS information.

FortiView – FortiAnalyzer – FortiOS 6.2.3

FortiView

FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data into a single view. It can log and monitor threats to networks, filter data on multiple levels, keep track of administrative activity, and more.

FortiView allows you to use multiple filters in the consoles, enabling you to narrow your view to a specific time, by user ID or local IP address, by application, and others. You can use it to investigate traffic activity such as user uploads/downloads or videos watched on YouTube on a network-wide user group or on an individual-user level.

In FortiView dashboards, you can view summaries of log data such as top threats to your network, top sources of network traffic, and top destinations of network traffic.

Depending on which dashboard you are viewing, information can be viewed in different formats: table, bubble, map, or tile. Alternative chart types are available in each widget’s Settings menu.

For each summary, you can drill down to see more details.

FortiGate, FortiCarrier, and FortiClient EMS devices support FortiView.

How ADOMs affect FortiView

When ADOMs are enabled, each ADOM has its own data analysis in FortiView.

Fabric ADOMs will show data analysis from all eligible devices in the Security Fabric.

Logs used for FortiView

FortiView displays data from Analytics logs. Data from Archive logs is not displayed in FortiView. For more information, see Analytics and Archive logs on page 22.

FortiView dashboards

Many dashboards display a historical chart in a table format to show changes over the selected time period.

If you sort by a different column, the chart shows the history of the sorted column. For example, if you sort by Sessions Blocked/Allowed, the chart shows the history of blocked and allowed sessions. If you sort by Bytes Sent/Received, the chart shows the history of bytes sent and received.

When you drill down to view a line item, the historical chart shows changes for that line item.

FortiView dashboards for FortiGate and FortiCarrier devices

Category View Description

Category: Threats

Top Threats Lists the top threats to your network. The following incidents are considered threats:
  • Risk applications detected by application control.
  • Intrusion incidents detected by IPS.
  • Malicious web sites detected by web filtering.
  • Malware/botnets detected by antivirus.

Threat Map Displays a map of the world that shows the top traffic destinations starting at the country of origin. Threats are displayed when the threat score is greater than zero and either the source or destination IP is a public IP address. The Threat Window below the map shows the threat, source, destination, severity, and time. The color gradient of the lines indicates the traffic risk: a yellow line indicates a high risk and a red line indicates a critical risk. This view does not support filtering or the Day, Night, and Ocean themes. See also Viewing the threat map on page 102.

Compromised Hosts Displays end users with suspicious web use compromises, including end users’ IP addresses, overall threat rating, and number of threats. To use this feature:
  1. UTM logs of the connected FortiGate devices must be enabled.
  2. The FortiAnalyzer must subscribe to FortiGuard to keep its threat database up-to-date.

FortiSandbox Detection Displays a summary of FortiSandbox related detections. The following information is displayed: Filename, End User and/or IP, Destination IP, Analysis (Clean, Suspicious or Malicious rating), Action (Passthrough, Blocked, etc.), and Service (HTTP, FTP, SMTP, etc.). Select an entry to view additional information in the drilldown menu. Clicking a FortiSandbox action listed in the Process Flow displays details about that action, including the Overview, Indicators, Behavior Chronology Chart, Tree View, and more. Information included in the Details and Tree View tab is only available with FortiSandbox 3.1.0 and above.

Category: Traffic

Top Source Displays the highest network traffic by source IP address and interface, device, threat score (blocked and allowed), sessions (blocked and allowed), and bytes (sent and received).
Top Source Addresses Displays the top source addresses by source object, interface, device, threat score (blocked and allowed), sessions (blocked and allowed), and bytes (sent and received).
Top Destinations Displays the highest network traffic by destination IP addresses, the applications used to access the destination, sessions, and bytes. If available, click the icon beside the IP address to see its WHOIS information.
Top Destination Addresses Displays the top destination addresses by destination objects, applications, sessions, and bytes. If available, click the icon beside the IP address to see its WHOIS information.
Top Country/Region Displays the highest network traffic by country in terms of traffic sessions, including the destination, threat score, sessions, and bytes.
Policy Hits Lists the policy hits by policy, device name, VDOM, number of hits, bytes, and last used time and date.
DNS Logs Summarizes the DNS activity on the network. Double-click an entry to drill down to the specific details about that domain.

Category: Applications & Websites

Top Applications Displays the top applications used on the network including the application name, category, risk level, and sessions blocked and allowed. Bytes sent and received can also be enabled through the widget settings. For a usage example, see Finding application and user information on page 109.
Top Cloud Applications Displays the top cloud applications used on the network.
Top Cloud Users Displays the top cloud users on the network.
Top Website Domains Displays the top allowed and blocked website domains on the network.
Top Website Categories Displays the top website categories.
Top Browsing Users Displays the top web-browsing users, including source, group, number of sites visited, browsing time, and number of bytes sent and received.

Category: VPN

SSL & Dialup IPsec Displays the users who are accessing the network by using the following types of security over a virtual private network (VPN) tunnel: secure sockets layer (SSL) and Internet protocol security (IPsec). You can view VPN traffic for a specific user from the top view and drilldown views. In the top view, double-click a user to view the VPN traffic for the specific user. In the drilldown view, click an entry from the table to display the traffic logs that match the VPN user and the destination.
Site-to-Site IPsec Displays the names of VPN tunnels with Internet protocol security (IPsec) that are accessing the network.

Category: System

Admin Logins Displays the users who logged into the managed device.
System Events Displays events on the managed device.
Resource Usage Displays device CPU, memory, logging, and other performance information for the managed device. Resource Usage includes two widgets: Resource Usage Average and Resource Usage Peak.
Failed Authentication Attempts Displays the IP addresses of the users who failed to log into the managed device.

SOC Monitoring – FortiAnalyzer – FortiOS 6.2.3

SOC Monitoring

Use the Security Operations Center (SOC) to view Monitors and FortiView.

Monitors are designed for network and security operation centers where dashboards are displayed across multiple large monitors.

FortiView is a comprehensive monitoring system for your network that integrates real-time and historical data into a single view. It can log and monitor threats to networks, filter data on multiple levels, keep track of administrative activity, and more.

Monitors

SOC (Security Operations Center) Monitors are designed for a network and security operations center where multiple dashboards are displayed in large monitors.

In the Monitors view, dashboards display both real-time monitoring and historical trends. Centralized monitoring and awareness help you to effectively monitor network events, threats, and security alerts. Use Monitors dashboards to view multiple panes of network activity, including monitoring network security, compromised hosts, endpoints, Security Fabric, WiFi security, and FAZ system performance.

A typical scenario is to set up dashboards and widgets to display information most relevant to your network and security operations. Use the main monitors in the middle to display important dashboards in a larger size. Then use the monitors on the sides to display other information in smaller widgets.

For example, use the top monitor in the middle to display the Top Threat Destinations widget in full screen, use the monitor(s) below that to display other Threat Monitor widgets, use the monitors on the left to display WiFi Monitor widgets at the top and FAZ Performance Monitor widgets at the bottom, and use the monitors on the right as a workspace to display widgets showing the busiest network activity. You can move, add, or remove widgets.

Monitors dashboards and widgets are very flexible and have the following features:

  • You can create predefined or custom dashboards.
  • For both predefined and custom dashboards, you can add, delete, move, or resize widgets.
  • You can add the same dashboard multiple times on the same or different monitors.
  • Each widget monitors one activity.
  • You can add the same widget multiple times and apply different settings to each one. For example, you can add widgets to monitor the same activity using a different chart type, refresh interval, or time period.
  • You can resize widgets or display a widget in full screen.

SOC monitor dashboards

SOC monitors include predefined dashboards.

Both predefined and custom dashboards can be modified with widgets, including: Threats widgets, Compromised Hosts widgets, Traffic widgets, Applications & Websites widgets, VPN widgets, WiFi widgets, Endpoints widgets, System widgets, Threat Research widgets, Security Fabric widgets, and FortiClient Software widgets.

For example, the default Threat Monitor dashboard includes four widgets: Threat Map, Top Threat Destinations, Top Threats, and Top Virus Incidents OverTime. These widgets can be removed, enlarged, reduced, or customized, and new widgets can be added to the dashboard.

For more information, see Customizing the Monitors dashboard on page 96.

SOC Monitors includes the following predefined dashboards:

Threats Monitors the top security threats to your network.
Traffic Monitors the traffic on your network.
Applications & Websites Monitors the application and website traffic on your network.
Compromised Hosts Monitors compromises and suspicious web use in your network.
FortiSandbox Detections Monitors FortiSandbox detections on your network.
Endpoints Monitors endpoint activity on your network.
Fabric State of Security Monitors your network’s Security Fabric rating, score, and topology.

The information for this dashboard is available after you create a Security Fabric group in FortiGate and add it in FortiAnalyzer. The Security Fabric can be selected in the settings options for each widget.

VPN Monitors VPN activity on your network.
WiFi Monitors WiFi access points and SSIDs.
Local System Performance Monitors the local system performance of the FortiAnalyzer unit.
FortiClient Software Inventory Monitors the FortiClient endpoints sending logs to FortiAnalyzer.
Archive Includes FortiAnalyzer NOC-SOC modules from versions prior to 6.2.0.

Threats widgets

Threats includes the following widgets:

Top Threat Destinations A world map, spinning 3D globe, or table showing the top 10, 20, 50, 100 threat destinations. On the map view, hover the cursor over data points to see the source device and IP address, destination IP address and country, threat level, and the number of incidents (blocked and allowed).
Top Threats The top threats to your network. Hover the cursor over data points to see the threat, category, threat level, threat score (blocked and allowed), and the number of incidents (blocked and allowed). The following incidents are considered threats:
  • Risk applications detected by application control
  • Intrusion incidents detected by IPS
  • Malicious web sites detected by web filtering
  • Malware/botnets detected by antivirus
Top Threats (FortiClient) The top threats to your network from risk applications, intrusion incidents, malicious websites, and malware/botnets. Only visible in a Fabric ADOM.
Top Threats Over Time by Threat Scores The historical threats to your network from risk applications, intrusion incidents, malicious web sites, and malware/botnets.
Top Threats by Weight & Count The top threats by weight and count to your network from risk applications, intrusion incidents, malicious websites, and malware/botnets.
FortiSandbox Detection FortiSandbox detection detail, including scan doc name, source user, destination IP, verdict level, action, and service.
FortiSandbox – Scanning Statistics The number of files detected by FortiSandbox by type: Malicious, Suspicious, Clean, and Others.
FortiSandbox – Top Malicious & Suspicious File Users Users or IP addresses that have the highest number of malicious and suspicious files detected by FortiSandbox.
Threat Map Threats happening right now across the world.

Compromised Hosts widgets

Compromised Hosts includes the following widget:

Compromised Hosts Suspicious web use compromises. By default, this widget includes two panes: Compromised Hosts and Compromised Hosts Incidents.

The Compromised Hosts pane automatically rotates through compromised hosts. You can pause autoplay or click > or < to manually move to another compromised host.

The Compromised Hosts Incidents pane displays a map of compromised hosts incidents.

Click Settings to change the number of top compromised hosts, Time Period, Refresh Interval, Autoplay Interval, and to show or hide Compromised Hosts Incidents.

Traffic widgets

Traffic includes the following widgets:

User Data Flow Bandwidth breakdown of top user destination country/region or application usage.
Top Sources Today Near real-time network traffic by blocked and allowed sessions.
Top Sources The highest network traffic by source IP address and interface, sessions (blocked and allowed), threat score (blocked and allowed), and bytes (sent and received).
Top Source Address Objects The highest network traffic by source address objects, sessions (blocked and allowed), threat score (blocked and allowed), and bytes (sent and received).
Top Country/Region The highest network traffic by country/region, sessions (blocked and allowed), and bytes (sent and received).
Top Country/Region Over Time by Sessions The historical network traffic by country/region, sessions (blocked and allowed), and bytes (sent and received).
Top Policy Hits Top policy hits from recent traffic.
Policy Hits Over Time by Bandwidth The historical policy hits from recent traffic.
Top Destinations Top destinations from recent traffic.
Top Destination Address Objects Top destination address objects from recent traffic.
Traffic Over Time by Sessions The historical destinations from recent traffic.
Top Cloud Users Top cloud users from recent traffic.
DNS Logs Top DNS logs from recent traffic.
Top Source (FortiDDoS) Top source IP addresses from recent traffic. Only available in a Fabric ADOM.
Top Destination (FortiDDoS) Top destination IP addresses from recent traffic. Only available in a Fabric ADOM.
Top Type (FortiDDoS) Top types from recent traffic. Only available in a Fabric ADOM.

Applications & Websites widgets

Applications & Websites includes the following widgets:

Top Applications The top applications used on the network, including application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received).
Top Applications Over Time by Sessions The historical sessions of applications used on the network, including application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received).
Top Applications (FortiClient) The top applications used on the network, including application name, risk level, category, sessions (blocked and allowed), and bytes (sent and received). Only available in a Fabric ADOM.
Top Cloud Applications Top cloud applications from recent traffic.
Cloud Applications Over Time by Sessions The historical sessions of cloud applications used on the network.
Top Website Domains Top website domains from recent traffic.
Top Website Categories Top website categories from recent traffic.
Top Website (FortiClient) Top website domains from recent traffic. Only available in a Fabric ADOM.
Website Browsing Over Time by Sessions The historical website browsing sessions from recent traffic.
Top Browsing User Top browsing users from recent traffic.
Browsing User Over Time by Bandwidth The historical browsing users from recent traffic.

VPN widgets

VPN includes the following widgets:

Top Dialup VPN The users accessing the network using SSL or IPsec over a VPN tunnel.
VPN Site-to-Site The names of VPN tunnels with Internet protocol security (IPsec) that are accessing the network.

WiFi widgets

WiFi includes the following widgets:

Authorized APs The names of authorized WiFi access points on the network.
Top SSID The top SSID (service set identifiers) of authorized WiFi access points on the network. Hover the cursor over data points to see the SSID and bytes (sent and received).
Top SSID Over Time by Bandwidth The historical SSID (service set identifiers) traffic of authorized WiFi access points on the network.
Top Rogue APs The top SSID (service set identifiers) of unauthorized WiFi access points on the network. Hover the cursor over data points to see the SSID and total live time.
WiFi Clients The top WiFi access points on the network by bandwidth/sessions.

Endpoints widgets

Endpoints includes the following widgets:

Top Endpoint Vulnerabilities Vulnerability information about FortiClient endpoints including vulnerability name and CVE ID.
Top Endpoint Vulnerabilities (FortiClient) Vulnerability information about FortiClient endpoints including vulnerability name and CVE ID. Only available in a Fabric ADOM.
Top Endpoint Devices with Vulnerabilities Vulnerability information about FortiClient endpoints including source IP address and device.
Top Endpoint Devices with Vulnerabilities (FortiClient) Vulnerability information about FortiClient endpoints including source IP address and device. Only available in a Fabric ADOM.
User Vulnerabilities Summary User vulnerabilities summary.
All Endpoints All endpoints.
All Endpoints (FortiClient) All endpoints.
Top Endpoint Threats Top threats from all endpoints.
Top Endpoints Applications Top applications from all endpoints. Only available in a Fabric ADOM.

System widgets

This dashboard monitors the system performance of the FortiAnalyzer unit running SOC and not the logging devices. It includes the following widgets:

CPU & Memory

Usage

The usage status of the CPU and memory.
Multi Core CPU Usage The usage status of a multi-core CPU.
Insert Rate vs Receive Rate The number of logs received vs the number of logs actively inserted into the database, including the maximum and minimum rates.
  • Receive rate: how many logs are being received.
  • Insert rate: how many logs are being actively inserted into the database.

If the insert rate is higher than the log receive rate, then the database is rebuilding. The lag is the number of logs waiting to be inserted.

Receive Rate vs Forwarding Rate The number of logs received vs the number of logs forwarded out, including the maximum and minimum rates.
  • Receive rate: how many logs are being received.
  • Forward rate: how many logs are being forwarded out.
Disk I/O The disk Transaction Rate (I/Os per second), Throughput (KB/s), or Utilization (%). The Transaction Rate and Throughput graphs also show the maximum and minimum disk activity.
Resource Usage Average Overview of average resource usage history across all devices.
Resource Usage Peak Overview of peak resource usage history across all devices.
Admin Logins Top admin logins from recent traffic.
System Events Top system events from recent traffic.
Failed Authentication Attempts Top unauthorized connections from recent traffic.

Threat Research widgets

Threat Research includes the following widgets:

Worldwide Threat Prevalence – Today (UTC) The top virus, IPS, botnet, and application threats globally today based on UTC. This data is from FortiGuard and not from FortiGate.
Top Virus Incidents Over Time Local virus incidents in the last one month.

Security Fabric widgets

Security Fabric includes the following widgets.

The information for this dashboard is available after you create a Security Fabric group in FortiGate and add it in FortiAnalyzer. The Security Fabric can be selected in the settings options for each widget.

Security Fabric Rating Report A report showing the security rating details of connected Security Fabric devices. Click a milestone to drill down and hover the cursor over data points to see more details.
Security Fabric Score The current and historical Security Fabric scores. The Historical Security Fabric Scores pane displays your Security Fabric score over time and how it compares to the industry average and the industry score range. You can hide the Historical Security Fabric Scores pane.
Security Fabric Topology A topology map showing the logical structure of connected Security Fabric devices.
Best Practices Overview Overview of the device best practices across regions of North America, Latin America, EMEA, and APAC.

FortiClient Software widgets

FortiClient Software includes the following widget:

FortiClient Software Inventory The total number of apps installed, top apps, new apps installed, top apps by installs, and top hosts by number of apps.

Using the Monitors dashboard

SOC monitors dashboards contain widgets that provide network and security information. Use the controls in the dashboard toolbar to work with a dashboard.

Add Widget Add widgets to a predefined or custom dashboard. For details, see Customizing the Monitors dashboard on page 96.
Dashboard Create a new dashboard or reset a predefined dashboard to its default settings. For custom dashboards, you can rename or delete the custom dashboard. For details, see Customizing the Monitors dashboard on page 96.
Create New Create a new dashboard.
Reset Reset a predefined dashboard to its default widgets and settings.
Rename Rename a custom dashboard.
Delete Delete a custom dashboard.
Devices Select the devices to include in the widget data.

The device list will also include a Security Fabric if available.

To select a Security Fabric, you need to first create a Security Fabric group in FortiGate and add the Security Fabric group in FortiAnalyzer.

Time Period Select a time period from the dropdown menu, or set a custom time period.
Refresh Refresh the data in the widgets.
Background color Change the background color of the dashboard to make widgets easier to view in different room lighting.
  • Day shows a brighter gray background color.
  • Night shows a black background.
  • Ocean shows a blue background color.
Hide Side-menu or Show Side-menu Hide or show the tree menu on the left. In a typical SOC environment, the side menu is hidden and dashboards are displayed in full screen mode.

Use the controls in the widget title bar to work with widgets.

Settings icon Change the settings of the widget. Widgets have settings applicable to that widget, such as how many of the top items to display, Time Period, Refresh Interval, and Chart Type.
View different chart types Some widget settings let you choose different chart types such as the Disk I/O and Top Countries widget. You can add these widgets multiple times and set each widget to show a different chart type.
Hide or show a data type For widgets that show different data types, click a data type in the title bar to hide or show that data type in the graph.

For example, in the Insert Rate vs Receive Rate widget, click Receive Rate or Insert Rate in the title bar to hide or show that data. In the Disk I/O widget, click Read or Write in the title bar to hide or show that data type.

Remove widget icon Delete the widget from a predefined or custom dashboard.
Move widget Click and drag a widget’s title bar to move it to another location.
Resize widget Click and drag the resize button in the bottom-right of the widget.
View more details Hover the cursor over a widget’s data points to see more details.
View a narrower time period Some widgets have buttons below the graph. Click and drag the buttons to view a narrower time period.
Zoom in and out For widgets that show information on a map such as the Top Threat Destinations widget, use the scroll wheel to change the zoom level. Click and drag the map to view a different area.

Customizing the Monitors dashboard

You can add any widget to a predefined dashboard. You can also move, resize, or delete widgets. You cannot rename or delete a predefined dashboard. To reset a predefined dashboard to its default settings, click Dashboard > Reset.

You can add the same widget multiple times and configure each one differently, such as showing a different Time Period, Refresh Interval, or Chart Type.

To create a dashboard:

  1. In the toolbar, click Dashboard > Create New.
  2. Specify the Name and whether you want to create a blank dashboard or use a template.

If you select From Template, specify which predefined dashboard you want to use as a template.

  3. Click OK. The new dashboard appears in the tree menu.

To display Security Fabric in Monitors:

  1. Create a Security Fabric in FortiGate.
  2. Add the Security Fabric in FortiAnalyzer.
  3. Go to SOC > Monitors > Dashboards.
  4. Select the Fabric State of Security dashboard.
  5. Select the Security Fabric from the Devices

To add a widget:

  1. Select the predefined or custom dashboard where you want to add a widget.
  2. Click Add Widget to expand the menu; then locate the widget you want to add.
  3. Click the + button to add widgets.
  4. When you have finished adding widgets, click the close button to close the Add Widget

 

Incidents – FortiAnalyzer – FortiOS 6.2.3

Incidents

To view incidents, go to Incidents & Events > Incidents > All Incidents.

To configure incident settings, go to Incidents & Events > Incidents > Incident Settings.

Raising an incident

You can raise an incident only from alerts generated for one endpoint.

You can raise an incident in the following ways:

  • In Incidents & Events > Incidents > All Incidents, click Create New in the toolbar. This opens the Create New Incident
  • In Incidents & Events > All Events, right-click an event and select Raise Incident. This opens the Raise Incident pane with the applicable fields filled in, such as the Affected Endpoint.

Following is a description of the options available in the Create New Incident and Raise Incident pane.

Incident Reporter The admin account raising the incident. This field cannot be changed.
Incident Category Select a category from the dropdown list.
Severity Select a severity level from the dropdown list.
Status Select a status from the dropdown list.
Affected Endpoint In the Raise Incident pane, the affected endpoint is filled in and cannot be changed.

In the Create New Incident pane, select the affected endpoint from the dropdown list.

Description If you wish, enter a description.

Analyzing an incident

In Incidents & Events > Incidents > All Incidents, double-click an incident or right-click an incident and select Analysis Page.

The incident analysis page shows the incident’s Affected Endpoint and User, Incident Life Cycle, Incident Info, Timeline, and Events related to the incident.

In the Incident Info panel, you can change the Incident Category, Severity, Status, and Description.

In the Events panel, you can review and delete events attached to the incident.

Configuring incident settings

To configure incident settings, go to Incidents & Events > Incidents > Incident Settings.

When an incident is created, updated, or deleted, you can send a notification to external platforms using selected fabric connectors.

To configure incident notification settings:

  1. Go to Incidents & Events > Incidents > Incident Settings.
  2. Select a Fabric Connector from the dropdown list.
  3. Select which notifications you want to receive:
     • Send notification when a new incident is created. Incidents with draft status will not trigger a notification.
     • Send notification when an incident is updated.
     • Send notification when an incident is deleted.
  4. To add more fabric connectors, click Add Fabric Connector and repeat the above steps to configure notification settings.

 

Subnet lists – FortiAnalyzer – FortiOS 6.2.3

Subnet lists

In Incidents & Events, you can define subnet lists which can be added to subnet groups.

Subnet lists and groups can be used to create a whitelist or blacklist in event handlers.

Creating a subnet list

To create a new subnet:

  1. Go to Incidents & Events > Subnet Lists.
  2. Select Create New > Subnet.
  3. Enter a name for the subnet.
  4. Select a Subnet type and configure the corresponding information. Subnet types include:
     • Subnet Notation
     • IP Range
     • Batch Add
  5. Select OK.

Once a subnet has been created, it can be edited, cloned, or deleted by highlighting it and selecting the corresponding action in the Subnet List toolbar.

Creating a subnet group

To create a subnet group:

  1. Go to Incidents & Events > Subnet List.
  2. Select Create New > Subnet Group.
  3. Enter a name for the subnet group.
  4. Select the subnet entries to be included in the group and select OK in the pop-up window.
  5. Select OK.

Once a subnet group has been created, it can be edited, cloned, or deleted by highlighting it and selecting the corresponding action in the Subnet List toolbar.

Assigning subnet filters to event handlers

You can streamline SOC processes by defining a subnet whitelist/blacklist for event handlers. These addresses can be linked to any event handler to enable or prevent it from triggering an event. Creating a subnet whitelist/blacklist for event handlers eliminates the need to specify common networks in every event handler.

To include or exclude subnets in an event handler:

  1. Go to Incidents & Events > Event Handler List.
  2. Select an event handler to edit from the list.
  3. In the Subnet category, select Specify.
  4. Choose which subnets to include or exclude by selecting them from the corresponding dropdown menu.
  5. Select OK.
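The following Python example, added here to illustrate the subnet list, subnet group and event handler sections above, is not FortiAnalyzer code and does not reproduce how the unit evaluates its filters. It models the three subnet types the guide names (Subnet Notation, IP Range, Batch Add), groups lists the way a subnet group does, and applies an include/exclude subnet filter to constructed log lines to show which sources would be allowed to trigger an event handler. Three details are assumptions rather than statements of the guide: Batch Add is taken to accept one CIDR or first-last entry per line, the filter is matched against the log's srcip field, and an exclude match overrides an include match.

```python
"""Subnet lists, subnet groups and an event handler include/exclude filter.

Example code written for this guide, not FortiAnalyzer code. Assumptions
(not stated by the guide): Batch Add takes one CIDR or first-last entry
per line, the filter matches the srcip field, and exclude beats include.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _range_to_networks(first: str, last: str) -> List[Network]:
    """Expand an inclusive address range into the minimal set of prefixes."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError(f"range end {last} precedes start {first}")
    return list(ipaddress.summarize_address_range(lo, hi))


@dataclass
class SubnetList:
    """One entry of Incidents & Events > Subnet Lists."""
    name: str
    networks: List[Network]

    @classmethod
    def from_notation(cls, name: str, cidr: str) -> "SubnetList":
        # Subnet Notation type: a single prefix such as 10.1.0.0/16
        return cls(name, [ipaddress.ip_network(cidr, strict=False)])

    @classmethod
    def from_range(cls, name: str, first: str, last: str) -> "SubnetList":
        # IP Range type: first and last address, inclusive
        return cls(name, _range_to_networks(first, last))

    @classmethod
    def from_batch(cls, name: str, text: str) -> "SubnetList":
        # Batch Add type (assumed format): one CIDR or first-last per line
        nets: List[Network] = []
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if "-" in line:
                first, last = (p.strip() for p in line.split("-", 1))
                nets.extend(_range_to_networks(first, last))
            else:
                nets.append(ipaddress.ip_network(line, strict=False))
        return cls(name, nets)

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


@dataclass
class SubnetGroup:
    """A subnet group matches when any member list matches."""
    name: str
    members: List[SubnetList]

    def contains(self, ip: str) -> bool:
        return any(m.contains(ip) for m in self.members)


@dataclass
class EventHandler:
    """Subnet filter of an event handler whose Subnet category is Specify."""
    name: str
    include: List[Union[SubnetList, SubnetGroup]] = field(default_factory=list)
    exclude: List[Union[SubnetList, SubnetGroup]] = field(default_factory=list)

    def allows(self, srcip: str) -> bool:
        """True if a log from srcip may trigger this handler's event."""
        if any(x.contains(srcip) for x in self.exclude):
            return False  # blacklist hit: never trigger (assumed precedence)
        if self.include and not any(x.contains(srcip) for x in self.include):
            return False  # whitelist configured but address is not on it
        return True       # no include list means any address may trigger


SRCIP = re.compile(r"\bsrcip=(\S+)")


def triggering_sources(handler: EventHandler, log_lines: List[str]) -> List[str]:
    """srcip of each log line that the handler's subnet filter lets through."""
    hits = []
    for line in log_lines:
        m = SRCIP.search(line)
        if m and handler.allows(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample data (not from the guide).
CORP_LAN = SubnetList.from_notation("corp-lan", "10.1.0.0/16")
DMZ = SubnetList.from_notation("dmz", "10.2.0.0/16")
SCANNERS = SubnetList.from_range("vuln-scanners", "10.2.5.10", "10.2.5.20")
PARTNERS = SubnetList.from_batch("partner-nets", """
    # CIDR and range entries mixed, one per line
    192.0.2.0/24
    198.51.100.5-198.51.100.9
""")
INTERNAL = SubnetGroup("internal", [CORP_LAN, DMZ])

# Fires for internal hosts only, ignoring the organisation's own scanners.
FAILED_LOGIN_BURST = EventHandler("failed-login-burst",
                                  include=[INTERNAL], exclude=[SCANNERS])

SAMPLE_LOGS = [  # constructed key=value event lines
    'type="event" srcip=10.1.4.7 action="login" status="failed"',
    'type="event" srcip=10.2.5.15 action="login" status="failed"',
    'type="event" srcip=203.0.113.9 action="login" status="failed"',
    'type="event" srcip=10.2.9.1 action="login" status="failed"',
]


def demo() -> List[str]:
    return triggering_sources(FAILED_LOGIN_BURST, SAMPLE_LOGS)


if __name__ == "__main__":
    print(demo())  # ['10.1.4.7', '10.2.9.1']
```

The scanner address 10.2.5.15 sits inside the dmz list that the include group allows, yet it is dropped because the exclude list is checked first; the external address 203.0.113.9 is dropped because an include list is configured and it matches none of its members. Maintaining these networks once in a subnet list, rather than in every handler, is the point the guide makes about streamlining SOC processes.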