Logging FortiGate traffic and using FortiView


In this example, you will configure logging to record information about sessions processed by your FortiGate. You will then use FortiView to look at the traffic logs and see how your network is being used.

FortiView is a logging tool made up of a number of dashboards that show real-time and historical logs. The dashboards can be filtered to show specific results, and many of them also allow you to drill down for more information about a particular session. Each dashboard focuses on a different aspect of your network traffic, such as traffic sources of WiFi clients.

Some FortiView dashboards, such as Applications and Web Sites, require security profiles to be applied to traffic before they can display any results.

1. Configuring log settings

Go to Log & Report > Log Settings.

Select where log messages will be recorded. In this example, Local Log is used, because it is required by FortiView.

Enable Disk, Local Reports, and Historical FortiView.

 

You can also use Remote Logging and Archiving to send logs to either a FortiAnalyzer/FortiManager, FortiCloud, or a Syslog server.

Under Log Settings, enable both Local Traffic Log and Event Logging.

You can choose to Enable All logging or only specific types, depending on how much network data you want to collect.

Under the GUI Preferences, set Display Logs From to the same location where the log messages are recorded (in the example, Disk).

 

2. Enabling logging in security policies

Go to Policy & Objects > IPv4 Policy. Edit the policies controlling the traffic you wish to log.

Under Logging Options, select All Sessions.

 

In most cases, it is recommended to select Security Events, because All Sessions requires more system resources and storage space. For now, however, All Sessions will be used to verify that logging has been set up successfully.

3. Results

Generate network traffic through the FortiGate, then go to FortiView > All Sessions and select the now view. A real-time display of active sessions is shown.

If you right-click on a listed session, you can choose to remove that session, remove all sessions, or quarantine the source address of that session.

 
Select the 24 hours view. A historical view of your traffic is shown. If you select a session, more information about it is shown below.

Go to FortiView > Sources and select the 5 minutes view. A list of the sources of your network traffic is shown, as well as a graph showing their activity during the last five minutes.

Right-click on any of the sources listed and select Drill Down to Details.

You can view a variety of information about the source address, including traffic destinations, security policies used, and if any threats are linked to traffic from this address.
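When logs are also sent to a Syslog server, as step 1 allows, the per-source totals in the Sources view can be cross-checked outside the GUI. The following is an added example, not part of the original recipe and not Fortinet code: it parses key=value traffic log lines and totals sessions, bytes, denied sessions and policies per source address. The sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value log style (not real traffic).
SAMPLE_LOGS = """\
date=2016-05-10 time=10:12:33 type="traffic" subtype="forward" srcip=192.168.1.10 dstip=203.0.113.5 policyid=1 action="close" sentbyte=1200 rcvdbyte=52000 app="HTTPS"
date=2016-05-10 time=10:12:40 type="traffic" subtype="forward" srcip=192.168.1.11 dstip=198.51.100.7 policyid=1 action="close" sentbyte=300 rcvdbyte=900 app="DNS"
date=2016-05-10 time=10:13:02 type="traffic" subtype="forward" srcip=192.168.1.10 dstip=198.51.100.7 policyid=2 action="deny" sentbyte=0 rcvdbyte=0 app="Telnet"
date=2016-05-10 time=10:13:05 type="event" subtype="system" msg="Administrator admin logged in from https(192.168.1.10)"
"""

# One key=value pair; a quoted value may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return one log line as a dict of field name -> string value."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def top_sources(log_text):
    """Aggregate traffic logs per source IP, sorted by total bytes (highest first)."""
    stats = defaultdict(
        lambda: {"sessions": 0, "bytes": 0, "denied": 0, "policies": set()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Event logs and anything without a source address are not sessions.
        if rec.get("type") != "traffic" or "srcip" not in rec:
            continue
        entry = stats[rec["srcip"]]
        entry["sessions"] += 1
        entry["bytes"] += int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
        if rec.get("action") == "deny":
            entry["denied"] += 1
        entry["policies"].add(rec.get("policyid"))
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    for ip, s in top_sources(SAMPLE_LOGS):
        print(ip, s["sessions"], s["bytes"], s["denied"], sorted(s["policies"]))
```
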

 
   
   

For further reading, check out FortiView in the FortiOS 5.4 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Local logging is not supported on all FortiGate models. If your FortiGate does not support local logging, it is recommended to use FortiCloud.
Historical views are only available on FortiGate models with internal hard drives.
  • Pablo Gavarini

    Hi! I wonder why when I start a session and begin downloading a big file in the “now” option I have 300MB and click the “5 minute” option and it’s 600MB but really downloaded 300MB?
    Fortigate 600C
    Thanks in advance.

  • Matt Carrington

    My FortiGate 50E with UTM bundle doesn’t have the 5 minute, 1 hour, and 24 hour options in the upper right portion of the menu as described in the article. Is there a reason for that?

    • Victoria Martin

      Hi Matt,

      Those views are only available on FortiGate models that have an internal hard drive.

      • Matt Carrington

        Ah, that explains it. Thank you!

        • Victoria Martin

          You’re welcome! I’ve added a note to the recipe, in case someone else wonders the same thing.

  • Abdulaziz Alatar

    Hello Victoria,
    I need to ask about the Threat Map in FortiView: does it display real threats for my FortiGate or my country?

    Thank you….

    • JDavidson

      Hello Abdulaziz,
      The Threat Map in FortiView displays attacks to the country that you drag the FortiGate icon onto, not actual threats to your FortiGate.
      The idea of the map is that it allows you limited access to http://threatmap.fortiguard.com/ for a single country at a time, just so you can see general attack volumes around the world.

      • Abdulaziz Alatar

        Thank you very much,