Category Archives: Questions

Custom FortiAnalyzer Report To See Blocked URLs for a Category

Ian asked a good question on Fortinet's forums. You can see the question below:

Hi

I want to create a report that allows me to select a category and then to list all the activity for users where the URLs match that category. For example, a report that lists user name, source IP, date/time and URL for the "Explicit Violence" category.

I have had a look at the datasets but my SQL coding is not too good 🙁

Has anyone tried this, or any tips on what I need to do?

Regards

Ian

This is an awesome question, and it would be an incredibly useful report to have. CrisP replied with a solid solution, reproduced below.

Hello Ian,
I hate unanswered questions on a forum like this…
So here you have my two pennies on this.

Create a new dataset using
==============================
select
    from_dtime(dtime) as timestamp, user_src, catdesc, hostname as website,
    action as status, sum(bandwidth) as bandwidth
from
###(
    select coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src,
        dtime, catdesc, hostname, utmaction as action,
        sum(coalesce(sentbyte, 0) + coalesce(rcvdbyte, 0)) as bandwidth
    from $log-traffic
    where $filter and
        hostname is not null and
        logid_to_int(logid) not in (4, 7, 14) and ((logver >= 52 and countweb > 0)
        or
        ((logver is null) and utmevent in ('webfilter', 'banned-word', 'web-content',
        'command-block', 'script-filter')))
    group by user_src, dtime, catdesc, hostname, utmaction
    order by dtime desc
)### t
group by user_src, dtime, catdesc, website, status
order by dtime desc
===================================
(slightly modified from default dataset called “web-Detailed-Website-Browsing-Log”)
then build a new chart using the dataset, and a report using that chart.

Use a filter specifying the categories you want to detail in the Advanced settings of the report.

Now, if you really need the URLs, the story becomes quite ugly. You could see the post called “URL field” in this forum.
Best regards and good luck

[Screenshots from the post: CategBrowsingDetail-AdvSettings, CategBrowsingDetail]
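As an added example, not part of the forum thread above: a variant of CrisP's dataset that returns the columns Ian actually asked for (user name and source IP as separate columns instead of the combined user_src) and pins the category inside the dataset itself, so the chart needs no category filter in the report's Advanced settings. It keeps the FortiAnalyzer macros and functions of the original ($log-traffic, $filter, from_dtime, nullifna, ipstr, logid_to_int) and the same logver/utmevent conditions; the `user` and `srcip` field names are carried over from the original dataset, and the category literal must match catdesc exactly as FortiAnalyzer stores it (check the Log View for the spelling). The ###( ... )### wrapper is dropped because nothing is aggregated twice.

```sql
select
    from_dtime(dtime) as timestamp,
    nullifna(`user`) as user_name,
    ipstr(`srcip`) as source_ip,
    catdesc as category,
    hostname as website,
    utmaction as status,
    sum(coalesce(sentbyte, 0) + coalesce(rcvdbyte, 0)) as bandwidth
from $log-traffic
where $filter
    and hostname is not null
    and catdesc = 'Explicit Violence'
    and logid_to_int(logid) not in (4, 7, 14)
    and ((logver >= 52 and countweb > 0)
         or (logver is null and utmevent in ('webfilter', 'banned-word',
             'web-content', 'command-block', 'script-filter')))
group by dtime, `user`, `srcip`, catdesc, hostname, utmaction
order by dtime desc
```

Grouping on the raw `user` and `srcip` columns rather than on the coalesced value keeps a logged-in user and an unauthenticated IP as separate rows, which is what you want when the report is used as evidence. To make the category selectable per report, replace the catdesc literal with a filter in the report's Advanced settings, as CrisP suggests, or keep one dataset per category of interest.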

Extended-UTM-Log Enable Error

I received the following question through my consulting form:

Question: when configuring an application list and setting "extended-utm-log", I got the following error:

burgfg01 (list) $ edit "RogersStandard"
new entry 'RogersStandard' added

burgfg01 (RogersStandard) $ set extended-utm-log enable

command parse error before 'extended-utm-log'
Command fail. Return code -61
———

Please advise.
Thanks

Answer: Chances are the user is running FortiOS 5.2 or later, which no longer has the extended-utm-log enable option under the application list. A "command parse error" with return code -61 means the CLI does not recognize that keyword in the running firmware at all, not that the value is wrong. Typing `set ?` inside the application list entry lists the options that release does accept, and the CLI reference for the running release gives the current name of the extended logging setting.


SSL Inspection – Office 365

I saw this post over on the Fortinet Support forums and wanted to cross-post it here in case others have not run into this issue yet. Always check the web filter and make sure domains are rated properly: a host that FortiGuard returns as Unrated is handled by whatever action is set for the Unrated category, and if that action is block, a single unrated hostname such as an autodiscover record is enough to break a whole service while the rest of it loads fine. In some situations it makes sense to allow websites that are unrated, or to allow traffic when the rating lookup fails, especially in environments where downtime hurts. Granted, I like to keep my environment more secure than that, so it just makes sense for me to be quick with the troubleshooting.

Question: Hi all,

I am trying to get Office 365 to work on site behind a Fortigate 50E. Unfortunately I’m having a lot of trouble.

I found this document: http://cookbook.fortinet.com/exempting-google-ssl-inspection/

I was able to translate that into 5.4 and create the addresses that should be used by Office 365, but it still isn't working. When I look at the IPv4 policy, it appears to just be doing SSL Certificate Inspection. Do the exceptions I put into the Deep Inspection profile apply to SSL Certificate Inspection as well? Because that is not very clear. And if not, how do I exempt sites from SSL Certificate Inspection?

Thanks!

Correct Answer: This was actually being blocked in web filtering because autodiscover.domain.com was unrated, and Unrated was set to block by default. I created an exception for it and changed the category from Unrated to business IT use, and it now works.

Thanks!

AV Throughput Removed From DataSheets

So, I am sure some of you have been running around a little bit like chickens with your heads cut off about the fact that the data sheets no longer list the AV throughput. Don't worry, this is by design. Fortinet is switching to NGFW values for these figures to compete with Palo Alto and the like in the NGFW market. AV throughput is about to be a much less useful number anyway as 5.4 goes mainstream: the 5.4 code is so much better on speed and reliability that even if they kept the AV numbers, they would have to retest the hardware to get new ones.

Official Fortinet Response:

"The Proxy AV specification will no longer be presented and will be removed from all existing FortiGate data sheets starting from 15th January 2016. An archive of old data sheets will be available. We'll be replacing these specifics with more widely used NGFW values. The new data sheet should be out 28th January and the Product Matrix updated in the February Edition."

Site to Site VPN Performance issues

Question: I was asked this a while back, and surfing the net jogged my memory. A user was experiencing pretty poor performance on site-to-site VPNs. This shows the age of the question, as they were running FortiOS 5.0.5. Normally this was caused by a bug relating to NPU acceleration on the tunnel experiencing the degraded throughput. Disabling NPU offload for that tunnel usually resolves the issue; the trade-off is that IPsec encryption for that tunnel then runs on the CPU instead of the network processor, so treat it as a workaround and re-enable offload once you are on a release where the bug is fixed. Use the commands below.

config vpn ipsec phase1-interface
    edit <tunnel name>
        set npu-offload disable
    next
end

What is Policy ID 0 and why a lot of denied traffic on this policy?

I was asked this question recently and also saw it asked on the Fortinet Support Forums. It is a simple one to answer. Policy ID 0 is the implicit deny that is built into every FortiGate: any session that matches none of your configured policies is dropped, and when implicit-deny logging is turned on it is logged against policy 0, which is why a busy Internet-facing unit shows a lot of denied traffic there (port scans, stale sessions and anything nobody wrote a policy for). Newer units also ship with an explicit allow policy right above it, which lets people use the device with no configuration right out of the box; FortiGates used to be deny-by-default on first use, so you had to allow the traffic you wanted. Either way, policy 0 is the deny that comes built into the FortiGate. Whether those denies are logged at all is controlled by the "Log violation traffic" setting on the implicit deny policy, which in the CLI is `set fwpolicy-implicit-log enable` under `config log setting`.
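As an added example, not from the original post: a FortiAnalyzer dataset in the same style as the category report earlier on this page that summarizes what is actually hitting the implicit deny, so you can tell background Internet noise from a missing policy. It assumes the FortiAnalyzer 5.x traffic log field names (policyid, action, srcip, dstip, dstport, proto, srcintf, dstintf, user) and the same macros and helper functions as the dataset above; rows only appear if the FortiGate is logging implicit-deny traffic in the first place.

```sql
select
    coalesce(nullifna(`user`), ipstr(`srcip`)) as user_src,
    ipstr(`srcip`) as source_ip,
    ipstr(`dstip`) as destination_ip,
    dstport,
    proto,
    srcintf,
    dstintf,
    count(*) as denied_sessions
from $log-traffic
where $filter
    and policyid = 0
    and action = 'deny'
group by user_src, source_ip, destination_ip, dstport, proto, srcintf, dstintf
order by denied_sessions desc
limit 50
```

Read the result by interface pair: rows with the WAN interface as srcintf and a public address as the destination are unsolicited inbound traffic and are exactly what policy 0 is for, whereas rows with an internal source interface point at something on your network that needs either a policy or a conversation with its owner. The limit keeps the chart readable; raise it or add a time filter in the report's Advanced settings when hunting a specific host.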