Event Activity | Fortinet 3.0 MR7 manual

FortiGate reports

Appendix: FortiAnalyzer reports in 3.0 MR7

Table 22: VPN Activity reports

MR6 reports	MR7 reports

VPN Traffic by Direction and Date	VPN Traffic Volume per Direction

VPN Traffic by Direction and Month	VPN Traffic Volume per Direction

VPN Traffic Direction Day of Week	VPN Traffic Volume per Direction

VPN Traffic by Direction and Hour of	VPN Traffic Volume per Direction
Day

VPN Tunnels by Device	Total VPN Tunnels per Device

VPN Traffic by Device	VPN Traffic Volume per Device

VPN Tunnels by Device and Peer	Top VPN Peers per Device (by Number of
	Tunnels)

VPN Traffic by Device and Peer	Top VPN Peers per Device (by Traffic Volume)

VPN Traffic by Device and Service	Top Protocols over VPN per Device (by Traffic
	Volume)

Top VPN Traffic Sources	Top VPN Sources

Top VPN Traffic Destinations	Top VPN Destinations

VPN Traffic by Direction	VPN Traffic Volume per Direction

Top VPN Tunnels Date (Traffic)	Top VPN Tunnels

Top VPN Tunnels by Month (Traffic)	Top VPN Tunnels

Top VPN Tunnels by Day of Week	Top VPN Tunnels
(Traffic)

Top VPN Tunnels by Hour of Day	Top VPN Tunnels
(Traffic)

Top VPN Tunnels (Traffic)	Top VPN Tunnels

Event Activity

The following table explains what Event Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 23: Event Activity reports

MR6 reports	MR7 reports

Top Events	Top Events (by Log ID)

Top Event Categories	Total Event Count per Severity

Top Event Types	Total Event Count per Software Module

Top Critical Events By Hour	Top Critical Events (by Log ID)

Top Critical Events By Date	Top Critical Events (by Log ID)

Top Warning Events By Hour	Top Warning Events (by Log ID)

Top Warning Events By Date	Top Warning Events (by Log ID)

Top Information Events By Hour	Top Information Events (by Log ID)

Top Information Events By Date	Top Information Events (by Log ID)

Top Emergency Events By Hour	Top Emergency Events (by Log ID)

Top Emergency Events By Date	Top Emergency Events (by Log ID)

Top Alert Events By Hour	Top Alert Events (by Log ID)

Top Alert Events By Date	Top Alert Events (by Log ID)

Top Error Events By Hour	Top Error Events (by Log ID)

FortiAnalyzer Version 3.0 MR7 Administration Guide 005-30007-0082-20080908

Image 210

Fortinet 3.0 MR7 manual Event Activity, VPN Activity reports MR6 reports MR7 reports

Contents

M I N I S T R a T I O N G U I D E Trademarks Regulatory complianceFCC Class a Part 15 CSA/CUS Contents Log Receive Monitor Intrusion Activity Radius Server Administrator SettingsViewing session information Filtering session information Adding a route Content Archive 107 DeviceLog Alert 133 Reports 113Quarantine 131 Network Analyzer 141 Tools 157 Managing firmware versions 169 Appendix FortiAnalyzer reports in 3.0 MR7 185 Index 213 Introduction About this document Describes how to install and set up the FortiAnalyzer unit Fortinet documentation Fortinet Knowledge Center Customer service and technical supportFortinet Tools and Documentation CD Comments on Fortinet technical documentation Customer service and technical support What’s new for 3.0 MR7 High-end FortiAnalyzer units support additional FortiAnalyzerVersion 3.0 MR7 Administration Guide Registered devices’ hard limits MR7 new features and changesPower supply monitoring for FortiAnlayzer-2000A and 4000A CLI displays the tasks in the upload queue Custom fields for log messages Report configuration enhancementsConfig log settings Set custom-field1-5 Reports VoIP reports All other reports, for exampleReportHeadquarters-2008-05-26-1030 Alert email configuration changes Administrative Domains ADOMs About administrative domains ADOMs About administrative domains ADOMs FortiAnalyzer Model Number of Administrative Domains Go to System Admin Settings Configuring ADOMsTo enable ADOMs Enable Admin Domain Configuration Select OK Message appears To add or edit an Adom To disable ADOMsGo to Global Configuration System Admin Settings Select OK FortiAnalyzer unit logs you out To access an Adom Accessing ADOMs as the admin administratorAssigning administrators to an Adom To assign an administrator to an Adom System DashboardSystem Information To rearrange a Dashboard widget Go to System Dashboard To refresh a Dashboard widget Go to System Dashboard To omit a Dashboard widget Go to System Dashboard TabsTo include a Dashboard widget Go to System Dashboard To add a tab Go to System Dashboard Enter a new name and press Enter Double-click on the name of the tab and select the X symbolRAID Monitor To delete a tab Go to System Dashboard System Information Rebuilding icon Setting the time 05-30007-0082-20080908 License Information Changing the host nameChanging the firmware To change the host name Go to System Dashboard RVS Plug-ins Device License System ResourcesViewing operational history Memory Usage To format the log disks Go to System Dashboard System OperationFormatting the log disks Systems Operations area, select Format Log Disks Select OK Viewing alert console messages Resetting to the default configurationAlert Message Console To view alert console messages Go to System Dashboard Select the delete icon StatisticsViewing session information Connections To view the session information Go to System Dashboard Filtering session informationReport Engine Statistics area, next to Connections, select Details Top N Log Receive MonitorType Period Intrusion Activity Virus ActivityDisplay by Top FTP Traffic Virus Activity widget Top Email Traffic Top Email Traffic, select Edit Top IM/P2P Traffic Top IM/P2P Traffic, select Edit in the title bar area Top Traffic To edit information for Top Traffic Go to System DashboardTop Traffic, select Edit in the title bar area Top Web Traffic Top Web Traffic, select Edit Network Interface Status Changing interface settingsAdministrative Modify Routing To configure DNS settings Go to System Network DNSAbout Fortinet Discovery Protocol Enter an IP address for a primary and secondary DNS server Adding a route AdminSelect Create New Configure the following options To add a static route Go to System Network Routing Adding or editing an administrator account Access Profile Changing an administrator’s passwordAccess Profile Admin Domain None To add a group Go to System Admin Auth GroupAuth Group Read Only Select Create New Configure the following and select OK Administrator SettingsTo add a Radius server Go to System Admin Radius Server Radius Server Adding share users Network SharingMonitor To add a user account Go to System Network Sharing User Configuring Windows shares Adding share groupsTo add a user group Go to System Network Sharing Group Assigning user permissions Permissions Configuring NFS shares Remote Clients Config Default file permissions on NFS sharesAutomatic file deletion and local log settings FortiAnalyzer unit log settings Log Locally Log Level Allocated Disk Space MB Configuring log aggregation FortiAnalyzer-2000/2000A FortiAnalyzer-400FortiAnalyzer-800/800B FortiAnalyzer-4000/4000A Configuring log forwarding Configuring an aggregation clientConfiguring an aggregation server To forward log events Go to System Config Log Forwarding To edit an IP alias Go to System Config IP Alias Configuring IP aliasesTo add an IP alias Go to System Config IP Alias To import the alias file Go to System Config IP Alias Configuring RAID IP alias rangesRAID levels Linear RAID Hot swapping hard disks RAID 5 with hot spare FortiAnalyzer-400 disk drive configuration FortiAnalyzer-800/800B disk drive configuration To swap a hard disk Go to System Config RAID FortiAnalyzer-2000/2000A disk drive configurationFortiAnalyzer-4000 disk drive configuration FortiAnalyzer-800/800B Configuring RAID on the FortiAnalyzer-400As well as from System Config RAID Level 1 Configuring Ldap connections Size GB To define an Ldap server query Go to System Config Ldap Select Create New. Complete the following Maintenance Backup & RestoreBackup Back up the current configuration FortiGuard Center 10.10.1.108889 Every UpdateScheduled Daily Maintenance Device Viewing the device list Unregistered Device Options Add DeviceShow Hardware Secure Connection Disk Space MB Used/Allocated Action Maximum number of devices To delete a device Go to Device All Device Unregistered vs. registered devices Configuring unregistered device connection attempt handling Or the following options for unknown device types Manually adding a device Mode Device NameDevice ID Member IDs When Allocated Disk Space is All Used Devices Privileges Group Membership FortiGate Interface Specification Classifying FortiGate network interfaces Configure the FortiGate device For more information, see Manually adding a device on To enable the FortiAnalyzer unit to reply to FDP packets On the FortiAnalyzer unit, go to Device AllGo to System Network Blocking device connection attempts Hardware Model Configuring device groups To block a device Go to Device All DeviceTo unblock a device Go to Device All Blocked Device Group Name To configure a device group Go to Device Group Device GroupTo delete a device group Go to Device Group Device Group Members Log Viewing log messagesViewing current log messages Viewing historical log messages Settings Column Browsing log files To view historical logs Go to Log Log Viewer HistoricalImport Viewing log file contents Importing a log file To import a log file Go to Log Browse To download a partial log file Go to Log Browse Downloading a log fileTo download a whole log file Go to Log Browse Convert to CSV format Compress with gzip Displaying and arranging log columns Select Download Current View Configure the followingCustomizing the log view To display logs in Raw or Formatted view Filtering logs To display or hide columnsTo change the order of the columns To filter log messages by column contents To disable a filterFiltering tips Searching the logs 101 Searching the logs From Search tips To search the logs Go to Log Search103 192.168.* action=login Printing the search resultsDownloading the search results Rolling and uploading logs To download log search results Go to Log Search105 Server IP address ExceedNot exceeded Username 107 108 Content Archive Viewing content archives View per page Page n of n Column Settings Printable Version Delete associated content archive filesTimeframe Customizing the content archive view 109 Filter icons in the content logs 111 Searching full email content archives Last activity 113 114 Configuring reports Reports Configuring report layout To configure a report layout Go to Report Config Layout Name Enter a name for the report Description115 Title Page Logo Header LogoCategory Editing charts in a report layout 117 To edit a chart Maximum Entries Top N Time Scale Advanced To edit section Configuring report schedulesTo edit text 119 Report layout Name To configure a report schedule Go to Report ScheduleSchedule Name Schedule Time Period Log Data FilteringData Filter 121 Configuring data filter templates Data filter templates Filter logic Sources123 Policy IDs DestinationsInterfaces Day of the Week Configuring report output templates 125 FTP/SFTP/SCP Server Action Output template 127 Configuring language Nomatch=No matching log data for this report Comment is # Localization uses a Latin character set129 Languages Font Language file error messages Error message Description Save the format file131 Browsing reports 133 134 Quarantined files for a specific device QuarantineViewing quarantined files See Checksum ServiceDate & Time Status Description Alert Alert EventsTriggers Adding an alert event To add a new alert event Go to Alert Alert Event To Email Address Configuring alerts by email serverOutput Add Enable Testing the mail server configurationConfiguring Snmp traps and alerts Smtp Server 137 Adding an Snmp server FortiAnalyzer Snmp support Fortinet MIB Logging Traps Fortinet MIB Administrator AccountsFortinet MIB System Traps Fortinet MIB VPN Traps RFC-1213 MIB Configuring alerts by Syslog serverAdding a Syslog server RFC-2665 Ethernet-like MIB Configure the following options, and select OK 141 142 Config log settings Set enableanalyzer yes End Network Analyzer Example network topology for Network Analyzer use Viewing Network Analyzer log messages Viewing current Network Analyzer log messages143 Protocol Protocol used when sending the traffic Message Viewing historical Network Analyzer log messages Viewing Network Analyzer log file contents Browsing Network Analyzer log files Resolve Service View n per page Page n of n Column Settings Printable Version Download Current View Downloading a Network Analyzer log file 147 Customizing the Network Analyzer log view Displaying and arranging Network Analyzer log columns Filter icons in Network Analyzer 149 150 Quick Search Searching the Network Analyzer logsKeywords Full Search To search the logs Go to Tools Network Analyzer Search Other 172.20.120.127 tcp 153 Rolling and uploading Network Analyzer logs Select the download options that you want, then select OK Log file should be rolled... even if size is not exceeded 155 Select the protocol to use when uploading to the server Tools Preparing for the vulnerability scan job157 Preparing Windows target hosts 159 To enable NetBIOS Go to Start Control Panel Viewing vulnerability scan modules Preparing Unix target hosts161 Vulnerability Scan modules View modules with severity Configuring vulnerability scan jobs Details163 Job Name Target Scan Targets Remote Authentication User NameSelect Create New Complete the following Quick Scan File output Email AttachmentEmail Body Viewing vulnerability scan reports 167 File Explorer End TimeFormats File Explorer with Storage directory expanded 169 170 Backing up your configuration Managing firmware versions To back up your configuration file using the CLI Backing up your configuration using the web-based managerBacking up your configuration using the CLI Execute backup config filename addressip passwd 171 Testing firmware before upgrading Press any key to display configuration menu…To test the firmware image before upgrading Enter firmware image file name image.out Enter Tftp server addressEnter Local Address 173 Upgrading to FortiAnalyzer Upgrading using the web-based managerUpgrading your FortiAnalyzer unit Only To upgrade to FortiAnalyzer 3.0 using the CLI Upgrading using the CLITo upgrade to FortiAnalyzer 3.0 using the web-based manager Execute restore image namestr tftpip4 Verifying the upgrade Get system status Select OK Following message appears Reverting to a previous firmware versionDowngrading to FortiLog 177 Execute restore image tftp namestr tftpipv4 Downgrading to FortiLog 1.6 using the CLITo downgrade using the CLI Execute restore image tftp image.out 179 To restore a firmware image to the FortiAnalyzer unit Restoring your configurationRestoring configuration settings on a FortiAnalyzer unit Execute reboot Enter File Name image.out When this message appearsPress any key to display configuration menu 181 Execute restore config namestr tftpipv4 passwrd Restoring your configuration settings using the CLITo restore configuration settings using the CLI Execute restore config confall 192.168.1.168 ghrffdt123 183 184 Appendix FortiAnalyzer reports in 3.0 MR7 FortiGate reports185 Antivirus Activity Intrusion Activity reports MR6 reports MR7 reportsAntivirus Activity reports MR6 reports MR7 reports Antivirus Activity reports 187 Top Virus Destinations over POP3 Webfilter Activity WebFilter Activity reports MR6 reports MR7 reports189 Antispam Activity WebFilter Activity reportsAntispam Activity reports MR6 reports MR7 reports IM reports MR6 reports MR7 reports IM ActivityAntispam Activity reports 191 IM reports VoIP reports MR7 reports Content Activity VoIP reports193 Content Activity reports MR6 reports MR7 reports Network ActivityNetwork Activity reports MR6 reports MR7 reports Web Activity Network Activity reports195 Mail Activity FTP ActivityReport, Top Mail Servers Connections remains unchanged FTP Activity reports Terminal ActivityVPN Activity Terminal Activity reports MR6 reports MR7 reports Event Activity VPN Activity reports MR6 reports MR7 reportsEvent Activity reports MR6 reports MR7 reports Event Activity reports P2P ActivityReport, Top Event Categories by Status, was removed P2P Activity reports MR6 reports MR7 reports Audit Activity P2P Activity reports Summary Reports 201 Detailed Forensic ReportsAudit Report, Top Client Requests to Permitted Sites, was removed Mail High Level FortiMail ReportsSummary 203 Mail High Level reports Mail Sender Mail Sender reports MR6 reports MR7 reports205 Mail Sender reports Mail Recipient ActivityMail Destination IP Mail Recipient Activity reports MR6 reports MR7 reports Spam Sender reports MR6 reports MR7 reports Spam SenderMail Destination IP reports MR6 reports MR7 reports 207 Spam Recipient Spam Sender reportsSpam Recipient reports MR6 reports MR7 reports Spam Recipient reports Spam Destination IPVirus Sender Spam Destination IP reports MR6 reports MR7 reports Virus Sender reports MR6 reports MR7 reports Virus Recipient reports MR6 reports MR7 reports Virus RecipientVirus Sender reports 211 FortiClient Reports Virus Destination IP Index 213 FDN FTP 215 Mail server 135 Main Menu 20 managing firmware RFC 217 See also protocol test 219 Index FortiAnalyzer Version 3.0 MR7 Administration Guide