
Administration Guide

FortiView interface

Use the FortiView interface to customize the view and visualizations within a dashboard to find the information you are looking for. The tools in the top menu bar allow you to change the time display, refresh the data, customize the data source, and filter the results. You can also right-click a table in the dashboard to view drilldown information for an entry.

Top menu bar

The top menu bar contains the following settings:

  • A time display dropdown to switch between current and historical data.
  • A Refresh button to update the displayed data.
  • A Settings dropdown to change the information shown on the dashboard.

Time period display

Use the time display dropdown to select the time period to display on the current dashboard. Time display options vary depending on the dashboard and can include current information (now) and historical information (1 hour, 24 hours, and 7 days).

Note

Disk logging or remote logging must be enabled to view historical information.

You can use a chart to create a custom time display by selecting the time range with your cursor.

The icon next to the time period identifies the data source (FortiGate Disk, FortiAnalyzer, or FortiGate Cloud). You can hover over the icon to see a description of the device.

View settings

Use the Settings menu to change the data source, sort-by information, and visualization.

To change the widget settings:
  1. Click the dropdown menu at the right side of the top menu bar, and select Settings.

  2. Configure the widget settings, and click OK.

    Note

    The Data Source dropdown only appears when FortiGate is connected to another data source.

For information about widget settings, see Adding FortiView widgets.

Note

For dashboards with multiple widgets, you cannot access the settings dropdown when the widget is expanded to full screen. To change the settings, click the back button to return to the dashboard, and click the dropdown.

Data source

FortiView gathers information from a variety of data sources. If no log disk or remote logging is configured, the data is drawn from the FortiGate's session table, and the Time Period is set to Now.

Other data sources that can be configured are:

  • FortiGates (disk)
  • FortiAnalyzer
  • FortiGate Cloud

Note

When Data Source is set to Best Available Device, FortiAnalyzer is selected when available, then FortiGate Cloud, and then FortiGate Disk.

Display types

Display types include table view, bubble charts, and country maps. Not all display types are supported by all dashboards.

Bubble charts

Bubble charts allow you to sort information using the Compare By dropdown menu. The size of each bubble represents the related amount of data. You can place your cursor over a bubble to display a tooltip with detailed information on that item, and click a bubble to drill down into greater detail.

Country maps

Country maps display traffic activity as regions on a map. Hover over the highlighted region to view information about the entry. You can also compare data by Bytes, Sessions, Bandwidth, and Packets. Country maps are not available in all dashboards and widgets.

Table view

Table view displays traffic activity as a graph and a table. To remove the table, click close at the top right corner of the graph. To view the graph, click Show Graph.

Source view

Time

  • Now entries are determined by the FortiGate's system session list.
  • Historical entries (1 hour or later) are determined by traffic logs, with additional information coming from UTM logs.

Note

The dropdown only shows Now if there is no disk.

Graph

  • The graph shows the bytes sent/received in the time frame.
  • Users can customize the time frame by selecting a time period within the graph.

Columns

  • Source shows the IP address (and user as well as user avatar if configured) of the source device.
  • Device shows the device information as listed in the Device Inventory widget. Device detection should be enabled on the applicable interfaces for best function. For information about adding widgets, see Using widgets.

  • Threat Score is the threat score of the source based on UTM features such as Web Filter and antivirus. It shows threat scores allowed and threat scores blocked.
  • Bytes is the accumulated bytes sent/received. In realtime, this is calculated from the session list, and in historical it is from logs.
  • Sessions is the total sessions blocked/allowed. In realtime, this is calculated from the session list, and in historical it is from logs.
  • Source is a simplified version of the first column, including only the IP address without extra information.
  • Source Interface is the interface from which the traffic originates. In realtime, this is calculated from the session list, and in historical it is from the logs.
  • FortiGate is the name of the fabric device.
  • More information can be shown in a tooltip while hovering over these entries.
  • For realtime, two more columns are available, Bandwidth and Packets, both of which come from the session list.

Hover over linked items in an entry to view additional information. Some information windows provide links to other areas of FortiOS such as the application signatures page.

To select the columns displayed in a table, hover over the header in the first column, and click the configure table icon.
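
The following is an added example, not Fortinet code: an offline approximation of the historical Source view columns (Source, Source Interface, Bytes, Sessions) computed from exported traffic logs. The log lines are constructed samples using the FortiOS traffic log fields srcip, srcintf, sentbyte, rcvdbyte, and action; counting only action "deny" as blocked is an assumption.

```python
import shlex
from collections import defaultdict

# Constructed sample lines in FortiOS key=value log style (not real data).
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 srcintf="port2" dstip=203.0.113.10 action="accept" sentbyte=1200 rcvdbyte=8800
date=2024-05-01 time=10:00:07 type="traffic" subtype="forward" srcip=10.0.0.5 srcintf="port2" dstip=198.51.100.7 action="deny" sentbyte=60 rcvdbyte=0
date=2024-05-01 time=10:00:09 type="traffic" subtype="forward" srcip=10.0.0.9 srcintf="port3" dstip=203.0.113.10 action="close" sentbyte=500 rcvdbyte=1500
date=2024-05-01 time=10:00:12 type="utm" subtype="webfilter" srcip=10.0.0.9 srcintf="port3" action="blocked"
"""

# Assumption: only "deny" counts as a blocked session; every other
# traffic-log action (accept, close, timeout, ...) counts as allowed.
BLOCKED_ACTIONS = {"deny"}


def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes: treat the line as unparseable
        return {}
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def top_sources(text):
    """Aggregate traffic logs per source IP, sorted by total bytes (descending)."""
    rows = defaultdict(lambda: {"interface": "", "bytes": 0, "allowed": 0, "blocked": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        # Only traffic logs feed the Bytes and Sessions columns; skip UTM logs.
        if rec.get("type") != "traffic" or "srcip" not in rec:
            continue
        row = rows[rec["srcip"]]
        row["interface"] = rec.get("srcintf", "")
        row["bytes"] += int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
        row["blocked" if rec.get("action") in BLOCKED_ACTIONS else "allowed"] += 1
    return sorted(rows.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    for ip, row in top_sources(SAMPLE_LOGS):
        print(ip, row)
```
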

Drilldown information

Double-click or right-click an entry in a FortiView dashboard and select Drill Down to Details to view additional details about the selected traffic activity. Click the Back icon in the toolbar to return to the previous view.

You can group drilldown information into different drilldown views. For example, you can group the drilldown information in the Top FortiView Destinations dashboard by Sources, Applications, Threats, and Policies.

Double-click an entry to view the logs in Sessions view. Double-click a session to view the logs.

Graph

  • The graph shows the bytes sent/received in the time frame. Realtime does not include a chart.
  • Users can customize the time frame by selecting a time period within the graph.

Summary Information

  • Shows information such as the user/avatar, avatar/source IP, bytes, and sessions total for the time period.
  • Can quarantine a host (access layer quarantine) if it is behind a FortiSwitch or FortiAP.
  • Can ban IP addresses, which adds the source IP address to the quarantine list.

Tabs

  • Drilling down entries in any of these tabs (except sessions tab) will take you to the underlying traffic log in the sessions tab.
  • Applications shows a list of the applications attributed to the source IP. This can include scanned applications (using Application Control in a firewall policy) or unscanned applications. To display unscanned applications, enable the following setting in the CLI:

    config log gui-display
        set fortiview-unscanned-apps enable
    end

  • Destinations shows destinations grouped by IP address/FQDN.
  • Threats lists the threats caught by UTM profiles. This can be from antivirus, IPS, Web Filter, Application Control, etc.
  • Web Sites contains the websites which were detected either with webfilter, or through FQDN in traffic logs.
  • Web Categories groups entries into their categories as dictated by the Web Filter Database.
  • Policies groups the entries by the policies they passed through or were blocked by.
  • Sessions shows the underlying logs (historical) or sessions (realtime). Drilldowns from other tabs end up showing the underlying log located in this tab.
  • Search Phrases shows entries of search phrases on search engines captured by a Web Filter UTM profile, with deep inspection enabled in firewall policy.
  • More information can be shown in a tooltip while hovering over these entries.

To view matching logs or download a log, click the Security tab in the Log Details.
