FortiView is a graphical analysis tool. It displays real-time and historical web traffic data so that you can visualize and drill down into your FortiWeb configuration and its environment, including server/IP configurations, attack and traffic logs, attack maps, and user activity. You can see information about specific types of attacks, where attacks are originating, who carries out attacks, and how policies and settings handle attacks.
FortiView makes it easy to get an actionable picture of your network's web traffic. This information allows you to precisely configure FortiWeb according to your environment and ensure that your configuration is set up to defend against common threats. FortiView has four menus: Topology, Security, Traffic and Sessions.
FortiView's Topology menu allows you to monitor policy information for:
- A single server
- Server pools
- Content routing settings
You can view the status of each server policy, their server or server pool(s), and the status of each server. You can also view the status of each content routing policy associated with each server policy.
For details, see Topology.
FortiView's Security menu allows you to monitor threats, including:
- Countries originating attacks
- Devices originating attacks
- Server policies filtered attacks
- Specific types of attacks
You can also view a real-time threat map and set up scanner integration to learn more about your environment to tighten security.
For details, see Security.
FortiView's Traffic menu allows you to monitor:
- The source of each session
- The originating country of each session
You can also view information such as HTTP/S transactions and versions, HTTP methods, and HTTP response codes of web traffic.
For details, see Traffic.
FortiView's Sessions menu allows you to monitor the following information about each session:
- Server policy
- Source IP
- Destination IP
You can also view the source port and destination port of each session, view the established connection time of each session, and end sessions as needed.
For more information, See Sessions.
This section shows you how to navigate the FortiView interface for the Security, Traffic, and Sessions menus. FortiView's Topology menu uses a unique interface; for details, see Topology.
FortiView's Security, Traffic, and Sessions menus each have a top menu bar and graphical analysis window that you can use to filter information and toggle between various view modes.
Use these settings along the top of the window to view and filter web traffic data:
Click the Refresh icon to update the web traffic data.
Click the Add Filter icon to filter the web traffic data. From here, you can enter the specific category or categories for which you want to filter, or select available categories from a drop-down menu.
Alternatively, you can double-click web traffic data to filter information for the category you select.
Use the View Type icon to select how FortiWeb presents web traffic data. The default view type is Table View. The available view types are:
Note: All view types may not be available for all types of web traffic data in FortiView.
Select the time period within which to view web traffic data.
Example: Filtering web traffic data
You can filter web traffic data to drill down from a high-level overview to a detailed analysis of particular elements of your environment. From the Security, Traffic, and Sessions menus, the process is essentially the same.
Below is an example using the Security menu to illustrate how the filtering and drill down process works.
- Go to Dashboard > FortiView Countries.
- Click Add Filter, select Country, and either enter the name of the country or select the country from the drop-down menu.
- Double-click the country in the list below to view a summary of the country.
- Double-click the Bad Robot threat category under the Threats tab. Every bad robot attack launched from the specified country within the selected time period will be viewable.
- Optionally, you can further drill down into your environment and set filters for the selected threat category. Click the Add Filter icon and select among the available categories to drill down into:
- Double-click a specific attack to view its Log Details. The Log Details provide all of the available information about a specific attack:
You will see the country's Threats, Threat Score, Action (Block/Alert), and Service (HTTP/HTTPS) in the specified time period; you will also be able to select tabs to view specific Threats, Sources, Client Devices, HTTP Methods, URLs, and CVE ID from the country.
If you want to block traffic from certain source IP, you can click Ban IP, then configure whether to temporarily block this IP for a specified time or permanently block it. You can also right click the banned IP to remove IP ban.
This step could be completed for any threat category in the Threats tab, or under any other tab from the country summary page in Double-click the country in the list below to view a summary of the country. . For example, if you select the Sources tab, you will be able to see every source IP address from the selected country, and can drill down into attacks from each source IP address.
You can set multiple filters to more precisely drill down into the environment.
Three view types are available below and you can switch among them:
- Table View
- Bubble Chart
- Country Map
Use the Sort By drop-down menu in the top-right corner of the Bubble Chart or Country Map window to view data by:
- Threat Score
For the Bubble Chart window, the size of the bubble represents the relative amount of data. Click a bubble to drill down into the element and view more information.
You can also mouse over an element to learn more information about it:
For Country Map window, mouse over an element to learn more information about it:
You can locate a specific country on the map using the Add Filter icon. The selected country will be highlighted, and every other country will be greyed out: