Fortinet white logo
Fortinet white logo

Administration Guide

Cloud application view

Cloud application view

To see different cloud application views, set up the following:

  • A FortiGate with a firewall policy that uses the Application Control security profile.

  • A FortiGate with log data from the local disk or FortiAnalyzer.

  • Optional but highly recommended: SSL Inspection set to deep-inspection in the related firewall policies.

Viewing cloud applications

Cloud applications

All cloud applications require SSL Inspection set to deep-inspection on the firewall policy. For example, Facebook_File.Download can monitor Facebook download behavior which requires SSL deep-inspection to parse the deep information in the network packets.

To view cloud applications:
  1. Go to Security Profiles > Application Control.

  2. Select a relative Application Control profile used by the firewall policy and click Edit.

  3. On the Edit Application Sensor page, click View Application Signatures.

  4. Hover over a column heading or the Application Signature bar. In the right gutter area, click the filter icon to filter the applications.

    Cloud applications have a cloud icon beside them.

    The lock icon indicates that the application requires SSL deep inspection.

  5. Hover over an item to see its details.

    This example shows Gmail_Attachment.Download, a cloud application signature based sensor which requires SSL deep inspection. If any local network user behind the firewall logs into Gmail and downloads a Gmail attachment, that activity is logged.

Applications with cloud behavior

Applications with cloud behavior is a superset of cloud applications.

Some applications do not require SSL deep inspection, such as Facebook, Gmail, and YouTube. This means that if any traffic trigger application sensors for these applications, there is a FortiView cloud application view for that traffic.

Other applications require SSL deep inspection, such as Gmail attachment, Facebook_Workplace, and so on.

To view applications with cloud behavior:
  1. In the Application Signature page, ensure the Behavior column is displayed. If necessary, add the Behavior column.

    1. Hover over the left side of the table column headings to display the Configure Table icon.

    2. Click Configure Table and select Behavior.

    3. Click Apply.

  2. Click the filter icon in the Behavior column and select Cloud to filter by Cloud. Then click Apply.

  3. The Application Signature page displays all applications with cloud behavior.

  4. Use the Search box to search for applications. For example, you can search for youtube.

  5. Hover over an item to see its details.

    This example shows an application sensor with no lock icon which means that this application sensor does not require SSL deep inspection. If any local network user behind the firewall tries to navigate to the YouTube website, that activity is logged.

Configuring the Cloud Applications monitor

On the Edit Application Sensor page in the Categories section, the eye icon next to a category means that category is monitored and logged.

To add the Cloud Applications monitor in the GUI:
  1. Click Add Monitor. The Add monitor window opens.

  2. In the Search field, enter FortiView Cloud Applications and click the Add button next to the monitor.

  3. In the FortiGate area, select the FortiGate(s) from the dropdown.

  4. In the Data Source area, click Best Available Device or Specify to select a device in the security fabric.

  5. From the Time Period dropdown, select a time period greater than Now.

  6. From the Sort By dropdown, select Bytes, Sessions, or Files (Up/Down).

  7. Click Add Monitor. The monitor is added to the tree menu.

  8. Open the monitor. If SSL deep inspection is enabled in the firewall, then the monitor shows the additional details that are logged, such as Files (Up/Down) and Videos Played.

    • For YouTube, the Videos Played column is triggered by the YouTube_Video.Play cloud application sensor. This shows the number of local network users who logged into YouTube and played YouTube videos.

    • For Dropbox, the Files (Up/Down) column is triggered by Dropbox_File.Download and Dropbox_File.Upload cloud application sensors. This shows the number of local network users who logged into Dropbox and uploaded or downloaded files.

Using the Cloud Applications monitor

To see additional information in the Cloud Applications monitor:
  1. In the tree menu, click the FortiView Cloud Applications monitor to open it.

  2. For details about a specific entry, double-click the entry or right-click the entry and select Drill Down to Details.

  3. To see all the sessions for an application, click Sessions.

    In this example, the Application Name column shows all applications related to YouTube.

  4. To view log details, double-click a session to display the Log Details pane.

    Sessions monitored by SSL deep inspection (in this example, Youtube_Video.Play) captured deep information such as Application User, Application Details, and so on. The Log Details pane also shows additional deep information such as application ID, Message, and so on.

    Sessions not monitored by SSL deep inspection (YouTube) did not capture the deep information.

  5. To display a specific time period, select and drag in the timeline graph to display only the data for that time period.

Cloud application view

Cloud application view

To see different cloud application views, set up the following:

  • A FortiGate with a firewall policy that uses the Application Control security profile.

  • A FortiGate with log data from the local disk or FortiAnalyzer.

  • Optional but highly recommended: SSL Inspection set to deep-inspection in the related firewall policies.

Viewing cloud applications

Cloud applications

All cloud applications require SSL Inspection set to deep-inspection on the firewall policy. For example, Facebook_File.Download can monitor Facebook download behavior which requires SSL deep-inspection to parse the deep information in the network packets.

To view cloud applications:
  1. Go to Security Profiles > Application Control.

  2. Select a relative Application Control profile used by the firewall policy and click Edit.

  3. On the Edit Application Sensor page, click View Application Signatures.

  4. Hover over a column heading or the Application Signature bar. In the right gutter area, click the filter icon to filter the applications.

    Cloud applications have a cloud icon beside them.

    The lock icon indicates that the application requires SSL deep inspection.

  5. Hover over an item to see its details.

    This example shows Gmail_Attachment.Download, a cloud application signature based sensor which requires SSL deep inspection. If any local network user behind the firewall logs into Gmail and downloads a Gmail attachment, that activity is logged.

Applications with cloud behavior

Applications with cloud behavior is a superset of cloud applications.

Some applications do not require SSL deep inspection, such as Facebook, Gmail, and YouTube. This means that if any traffic trigger application sensors for these applications, there is a FortiView cloud application view for that traffic.

Other applications require SSL deep inspection, such as Gmail attachment, Facebook_Workplace, and so on.

To view applications with cloud behavior:
  1. In the Application Signature page, ensure the Behavior column is displayed. If necessary, add the Behavior column.

    1. Hover over the left side of the table column headings to display the Configure Table icon.

    2. Click Configure Table and select Behavior.

    3. Click Apply.

  2. Click the filter icon in the Behavior column and select Cloud to filter by Cloud. Then click Apply.

  3. The Application Signature page displays all applications with cloud behavior.

  4. Use the Search box to search for applications. For example, you can search for youtube.

  5. Hover over an item to see its details.

    This example shows an application sensor with no lock icon which means that this application sensor does not require SSL deep inspection. If any local network user behind the firewall tries to navigate to the YouTube website, that activity is logged.

Configuring the Cloud Applications monitor

On the Edit Application Sensor page in the Categories section, the eye icon next to a category means that category is monitored and logged.

To add the Cloud Applications monitor in the GUI:
  1. Click Add Monitor. The Add monitor window opens.

  2. In the Search field, enter FortiView Cloud Applications and click the Add button next to the monitor.

  3. In the FortiGate area, select the FortiGate(s) from the dropdown.

  4. In the Data Source area, click Best Available Device or Specify to select a device in the security fabric.

  5. From the Time Period dropdown, select a time period greater than Now.

  6. From the Sort By dropdown, select Bytes, Sessions, or Files (Up/Down).

  7. Click Add Monitor. The monitor is added to the tree menu.

  8. Open the monitor. If SSL deep inspection is enabled in the firewall, then the monitor shows the additional details that are logged, such as Files (Up/Down) and Videos Played.

    • For YouTube, the Videos Played column is triggered by the YouTube_Video.Play cloud application sensor. This shows the number of local network users who logged into YouTube and played YouTube videos.

    • For Dropbox, the Files (Up/Down) column is triggered by Dropbox_File.Download and Dropbox_File.Upload cloud application sensors. This shows the number of local network users who logged into Dropbox and uploaded or downloaded files.

Using the Cloud Applications monitor

To see additional information in the Cloud Applications monitor:
  1. In the tree menu, click the FortiView Cloud Applications monitor to open it.

  2. For details about a specific entry, double-click the entry or right-click the entry and select Drill Down to Details.

  3. To see all the sessions for an application, click Sessions.

    In this example, the Application Name column shows all applications related to YouTube.

  4. To view log details, double-click a session to display the Log Details pane.

    Sessions monitored by SSL deep inspection (in this example, Youtube_Video.Play) captured deep information such as Application User, Application Details, and so on. The Log Details pane also shows additional deep information such as application ID, Message, and so on.

    Sessions not monitored by SSL deep inspection (YouTube) did not capture the deep information.

  5. To display a specific time period, select and drag in the timeline graph to display only the data for that time period.