
Enabling FortiView from devices

In the document FortiOS 7.4.1 Administration Guide 1 687 (Pages 141-146)

You can enable FortiView from SSD disk, FortiAnalyzer and FortiGate Cloud.

FortiView from disk

FortiView from disk is available on all FortiGates with an SSD disk.

Restrictions

Model                         Supported view
Entry-level models with SSD   Five minutes and one hour
Mid-range models with SSD     Up to 24 hours
High-end models with SSD      Up to seven days

To enable seven days view:

config log setting
    set fortiview-weekly-data enable
end

Configuration

A firewall policy needs to be in place with traffic logging enabled. For optimal operation with FortiView, internal interface roles should be clearly defined as LAN or DMZ, and internet-facing or external interface roles should be defined as WAN.

To configure logging to disk:

config log disk setting
    set status enable
end

To include sniffer traffic and local-deny traffic when using FortiView from disk:

config report setting
    set report-source forward-traffic sniffer-traffic local-deny-traffic
end

This feature is only supported through the CLI.

Troubleshooting

Use execute report flush-cache and execute report recreate-db to clear up any irregularities that may be caused by upgrading or cache issues.

Traffic logs

To view traffic logs from disk:

1. Go to Log & Report, and select either the Forward Traffic, Local Traffic, Sniffer Traffic, or ZTNA Traffic views.

2. In the toolbar, select Disk for the log location dropdown.

FortiView from FortiAnalyzer

Connect FortiGate to a FortiAnalyzer to increase the functionality of FortiView. Adding a FortiAnalyzer is useful when adding monitors such as the Compromised Hosts. FortiAnalyzer also allows you to view historical information for up to seven days.

Requirements

• A FortiGate or FortiOS

• A compatible FortiAnalyzer (see Compatibility with FortiOS)

To configure logging to the FortiAnalyzer, see Configuring FortiAnalyzer on page 2870.

To enable FortiView from FortiAnalyzer:

1. Go to Dashboard > FortiView Sources.

2. Select a time range other than Now from the dropdown list to view historical data.

3. In the top menu, click the dropdown, and select Settings. The Edit Dashboard Widget dialog is displayed.

a. In the Data Source area, click Specify.

b. From the dropdown, select FortiAnalyzer, and click OK.

All the historical information now comes from the FortiAnalyzer.

When Data Source is set to Best Available Device, FortiAnalyzer is selected when available, then FortiGate Cloud, and then FortiGate.

FortiView from FortiGate Cloud

This function requires a FortiGate that is registered and logged into a compatible FortiGate Cloud. When using FortiGate Cloud, the Time Period can be set to up to 24 hours.

To configure logging to FortiGate Cloud, see Configuring cloud logging on page 2873.

To enable FortiView with log source as FortiGate Cloud:

1. Go to Dashboard > FortiView Sources.

2. In the top menu, click the dropdown, and select Settings. The Edit Dashboard Widget window opens.

a. In the Data Source area, click Specify.

b. From the dropdown, select FortiGate Cloud, then click OK.

You can select FortiGate Cloud as the data source for all available FortiView pages and widgets.

FortiView sources

The FortiView Sources monitor displays top sources sorted by Bytes, Sessions or Threat Score. The information can be displayed in real time or historical views. You can use the monitor to create or edit a firewall device address or IP address definitions, quarantine hosts, and temporarily or permanently ban IPs.

To add a firewall device or IP address:

1. In the table, hover over the source or device MAC address. An information window opens.

2. Click Firewall Address > Create Firewall Device Address or Firewall Address > Create Firewall IP Address. The New Address pane opens.

3. Configure the address settings as needed, then clickOK.

Use the Name field to assign a descriptive name to a device so it is easier to find it in the Device column. After you finish configuring the device, refresh the page to see the new name in the monitor.

To quarantine a host:

1. In the table, hover over the source or device MAC address. An information window opens.

2. Click Quarantine > Quarantine Host. The Quarantine Host dialog is displayed.

3. Configure the quarantine settings, then clickOK.

To ban an IP address:

1. In the table, hover over the source or device MAC address. An information window opens.

2. Click Quarantine > Ban IP. The Ban IP dialog is displayed.

3. Configure the ban IP settings, then clickOK.

FortiView Sessions

The FortiView Sessions monitor displays Top Sessions by traffic source and can be used to end sessions.

To view the FortiView Sessions dashboard, go to Dashboard > FortiView Sessions.

The session table displayed on the FortiView Sessions monitor is useful when verifying open connections. For example, if you have a web browser open to browse the Fortinet website, you would expect a session entry from your computer on port 80 to the IP address for the Fortinet website. You can also use a session table to investigate why there are too many sessions for FortiOS to process.

You can filter the sessions displayed in the session table by setting up the available filtering options.

To filter sessions in the session table:

1. Click on the Add Filter button at the top of the session table.

2. Select the required filtering option. The session table updates to the filter selection.

3. You may add one or more filters depending upon your requirements. To add more filters, repeat the above steps for a different set of filters.

You can be very specific with how you use filters and target sessions based on different filter combinations. For example, you may want to view all sessions from a device with a particular IP by adding the Source IP filter. Similarly, you may need to target all the sessions having a particular Destination IP and Destination Port, and so on.

You may also view the session data in the CLI.

To view session data using the CLI:

# diagnose sys session list

The session table output in the CLI is very large. You can use the supported filters in the CLI to show only the data you need.

To view session data with filters using the CLI:

# diagnose sys session filter <option>

See to learn more about using the supported filters in the CLI.
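Added example, not taken from the guide: a small Python parser for the CLI session listing described above that applies the same Destination IP and Destination Port filtering the text describes for the GUI, and counts sessions per destination to investigate a host that opens too many sessions. The sample output is constructed and trimmed to the fields the parser reads; the line layout and IPv4-only matching are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample of `diagnose sys session list` output (three sessions, trimmed
# to the lines this parser reads); an assumption for illustration, not real output.
SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000
hook=post dir=org act=snat 10.0.0.10:54321->203.0.113.10:80(198.51.100.1:54321)
hook=pre dir=reply act=dnat 203.0.113.10:80->198.51.100.1:54321(10.0.0.10:54321)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=01 duration=3 expire=177 timeout=180 flags=00000000
hook=post dir=org act=snat 10.0.0.11:40001->203.0.113.53:53(198.51.100.1:40001)
hook=pre dir=reply act=dnat 203.0.113.53:53->198.51.100.1:40001(10.0.0.11:40001)
misc=0 policy_id=2 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=40 expire=3560 timeout=3600 flags=00000000
hook=post dir=org act=snat 10.0.0.12:50012->203.0.113.10:443(198.51.100.1:50012)
hook=pre dir=reply act=dnat 203.0.113.10:443->198.51.100.1:50012(10.0.0.12:50012)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
total session 3
"""

# Originating-direction tuple "src:sport->dst:dport"; IPv4 only (an assumption here).
ORG_RE = re.compile(r"dir=org .*?([\d.]+):(\d+)->([\d.]+):(\d+)")
PROTO_RE = re.compile(r"\bproto=(\d+)")
POLICY_RE = re.compile(r"policy_id=(\d+)")

def parse_sessions(text):
    """Split the listing on 'session info:' and pull out the 5-tuple and policy ID."""
    sessions = []
    for chunk in text.split("session info:")[1:]:
        m = ORG_RE.search(chunk)
        if not m:
            continue  # skip sessions whose originating line is absent or non-IPv4
        sessions.append({
            "proto": int(PROTO_RE.search(chunk).group(1)),
            "src": m.group(1), "sport": int(m.group(2)),
            "dst": m.group(3), "dport": int(m.group(4)),
            "policy_id": int(POLICY_RE.search(chunk).group(1)),
        })
    return sessions

def filter_sessions(sessions, **criteria):
    """Keep sessions matching every criterion, like stacked CLI session filters."""
    return [s for s in sessions if all(s[k] == v for k, v in criteria.items())]

def top_destinations(sessions, n=5):
    """Sessions per destination IP: the first check when a host opens too many."""
    return Counter(s["dst"] for s in sessions).most_common(n)
```

Feed it the saved output of diagnose sys session list; for example, filter_sessions(parse_sessions(text), dst="203.0.113.10", dport=80) returns the sessions the GUI would show with a Destination IP and Destination Port filter.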

You may also decide to end a particular session or all sessions for administrative purposes.

To end sessions from the GUI:

1. Select the session you want to end. To select multiple sessions, hold the Ctrl or Shift key on your keyboard while clicking the sessions.

2. Click on End Session(s) to end the selected sessions, or End All Sessions to end all active sessions.

3. Click OK in the confirmation dialog.

FortiView Top Source and Top Destination Firewall Objects monitors

The FortiView Source Firewall Objects and FortiView Destination Firewall Objects monitors leverage UUID to resolve firewall object address names for improved usability.
