User Guide

FortiView

FortiWeb Cloud detects attacks on your application and displays the threats in FortiView in the following categories:

  • Threat by OWASP TOP10: Displays threats by OWASP Top 10 category, so you can analyze the 10 most critical attack classes targeted at your application.
  • Threats by Types: Displays threats by specific type, such as Known Attacks, Information Leakage, etc.
  • Threat by Source IPs: Displays threats by source IP to provide deep insight into the IP addresses from which attacks originate.
  • Threats by Countries: Displays threats by the countries in which attacks originate.
  • Threat Map: Displays threats by geographic region on a global map that shows threats from specific countries in real time.
  • Traffic Summary: Displays traffic statistics such as source IP addresses, URL, User Agent, Return Code, and Request Method.

You can see an overview of the threats, such as the total number of threats, threat scores, the types of actions FortiWeb Cloud carries out in response to specific types of attacks, and how severe the attacks are.

You can also drill down from the high-level overview to a detailed analysis of a particular threat. Below is an example using the Threats by Countries menu to illustrate how filtering and drilling down work.

To view the detailed analysis of a particular threat:

  1. Go to FortiView > Threats by Countries.
  2. Click Add Filter, select Country, and either enter the name of the country or select the country from the drop-down menu. In this case, United States is selected.
  3. Double-click the country row to view a summary of the threat data from this country.
  4. Select tabs to view the threat data categorized by Threats, Sources, HTTP Methods, URLs, CVE ID, and OWASP Top10.
  5. In this example, we double-click the row for 3.83.218.56 to view the threats originating from this source IP address.
  6. Click the arrow icon to unfold the detailed analysis of a particular threat.
  7. If you know that a certain URL tends to falsely trigger violations by matching an attack signature during normal use, you can click Add Exception beside the signature ID. Traffic to that URL will then not be treated as an attack even if it matches this particular signature.

Please note that the number of attacks displayed in Attack Logs, FortiView, and the Blocked Requests widget on the Dashboard differ slightly, for the following reasons:

  • Certain attack types, such as Bot and DDoS attacks, generate a large number of requests in a short time. To prevent numerous identical attack logs from flooding the UI, FortiWeb Cloud logs only the first request in Attack Logs and FortiView, while the Blocked Requests widget shows the actual count so you know how many attack requests were actually blocked.
  • To prevent Information Leakage, FortiWeb Cloud may cloak error pages or erase sensitive HTTP headers in response packets. Such items are logged only once per minute in Attack Logs and FortiView so you know the Information Leakage rule took effect. Meanwhile, the actual count is recorded in the Blocked Requests widget.
  • If you have configured FortiWeb Cloud to block attacks without generating a log when a certain violation occurs (for example, the Deny(no log) action), then those attacks are not logged in Attack Logs and FortiView, but are counted in the Blocked Requests widget.
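To make the three counting rules above concrete, here is an added Python model (it is not FortiWeb Cloud code and does not use its log schema) that replays a constructed stream of blocked requests and reports what the Blocked Requests widget would show versus what Attack Logs and FortiView would list. The event fields, the dedup keys (source IP plus signature for Bot/DDoS floods, signature for Information Leakage), and the minute bucketing are assumptions chosen to illustrate the page's rules, not details the page states.

```python
from dataclasses import dataclass


# Constructed event model for this illustration; the field names are
# assumptions, not FortiWeb Cloud's actual attack-log schema.
@dataclass(frozen=True)
class BlockedEvent:
    ts: int          # seconds since an arbitrary epoch
    category: str    # "bot", "ddos", "info_leak" or "known_attack"
    action: str      # "deny_log" or "deny_no_log" (the page's Deny(no log))
    src_ip: str
    signature: str


FLOOD_CATEGORIES = {"bot", "ddos"}   # page: only the first request is logged
LEAK_CATEGORY = "info_leak"          # page: logged at most once per minute
LEAK_WINDOW_SECONDS = 60


def reconcile(events):
    """Return the counts each UI surface would show for a stream of blocked requests.

    Rules taken from the page: every blocked request counts in the Blocked
    Requests widget; Deny(no log) actions never reach Attack Logs/FortiView;
    Bot/DDoS floods log only the first request; Information Leakage hits are
    logged once per minute. The dedup keys below are assumptions about how
    "identical" is judged, chosen only to make the rules concrete.
    """
    widget_count = 0
    logged = []
    flood_seen = set()        # (src_ip, signature) pairs already logged
    leak_last_bucket = {}     # signature -> minute bucket of the last entry

    for ev in sorted(events, key=lambda e: e.ts):
        widget_count += 1     # the widget always sees the real count
        if ev.action == "deny_no_log":
            continue          # blocked and counted, but never logged
        if ev.category in FLOOD_CATEGORIES:
            key = (ev.src_ip, ev.signature)
            if key in flood_seen:
                continue      # suppress the repeats of a flood
            flood_seen.add(key)
        elif ev.category == LEAK_CATEGORY:
            bucket = ev.ts // LEAK_WINDOW_SECONDS
            if leak_last_bucket.get(ev.signature) == bucket:
                continue      # already logged during this minute
            leak_last_bucket[ev.signature] = bucket
        logged.append(ev)

    return {
        "blocked_requests_widget": widget_count,
        "attack_log_entries": len(logged),
        "logged": logged,
    }


def sample_events():
    """Constructed sample traffic (documentation IP ranges): a 50-request bot
    burst from one IP, five Information Leakage hits spread over three
    minutes, three logged Known Attacks and four Deny(no log) ones."""
    events = [BlockedEvent(i, "bot", "deny_log", "198.51.100.7", "bot-sig-A")
              for i in range(50)]
    events += [BlockedEvent(t, "info_leak", "deny_log", "203.0.113.9", "leak-sig-B")
               for t in (0, 10, 70, 80, 130)]
    events += [BlockedEvent(200 + i, "known_attack", "deny_log", "203.0.113.9", "sig-C")
               for i in range(3)]
    events += [BlockedEvent(300 + i, "known_attack", "deny_no_log", "203.0.113.9", "sig-D")
               for i in range(4)]
    return events


if __name__ == "__main__":
    result = reconcile(sample_events())
    print(f"Blocked Requests widget: {result['blocked_requests_widget']}")
    print(f"Attack Logs / FortiView entries: {result['attack_log_entries']}")
```

Running the sample gives 62 requests in the Blocked Requests widget but only 7 entries in Attack Logs and FortiView: the bot burst collapses to one entry, the five leakage hits collapse to three (one per minute bucket), and the four Deny(no log) blocks never appear. When reconciling dashboard numbers, treat the widget as the blocked-request count and the logs as the list of distinct detections.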
