www.fortinet.com

Creating Reports with FortiAnalyzer
25 May 2006
05-30000-0323-20060525

Copyright 2006 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents

Introduction 7
  About this document 7
  Fortinet documentation 7
    Fortinet Knowledge Center 7
    Comments on Fortinet technical documentation 7
  Customer service and technical support 8

Configuring the FortiAnalyzer unit 11
  Registering the FortiGate unit 11
  Configuring the mail server 11

Using the report profile 15
  Running the report profile 16
  Viewing the report 16
  Understanding each section of the report 16

Configuring the report profile 19
  Creating a new report profile 19
  Setting the devices 20
  Setting the report scope 20
  Setting the report type 20
  Setting the report format 20
  Setting the report schedule 21
  Setting the report output 21
  Saving the report profile 21

Using the report profile 22
  Running the report profile 22
  Viewing the report 22
  Understanding each section of the report 22

Using the report profile 27
  Running the report profile 27
  Viewing the report 28
  Understanding each section of the report 28

Using the report profile 33
  Running the report profile 33
  Viewing the report 34
  Understanding each section of the report 34

Using the report profile 39
  Running the report profile 39
  Viewing the report 40
  Understanding each section of the report 40
Introduction

FortiAnalyzer units are network appliances that provide integrated tools for analysis, archive search, log collection, and data storage. Detailed log reports provide historical as well as current analysis of network traffic, such as email, FTP and web browsing activity, to help identify security issues and reduce network misuse and abuse.

This chapter includes the following topics:
  About this document
  Fortinet documentation
  Customer service and technical support
Fortinet documentation
The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com.
Enabling traffic logging
Enabling event logging
Enabling firewall policy traffic logging
Enabling service logs
Select Apply
2 Select the Edit icon for a profile.
3 Select the blue arrow for Logging to expand the logging options.
4 Select the following options:
  Oversized Files / Emails
  Content Block
  URL Filter
  Log Intrusions
5 Select OK.
To configure the mail server
1 Go to System > Alerts > Mail Server.
2 Select Create New.
3 Select Enable Authentication.
4 Enter the name/address of the SMTP server.
5 Enter the user name for logging on to the SMTP server in the E-Mail Account field.
6 Enter the password for logging on to the SMTP server.

To configure the DNS server
1 Go to System > Network > DNS.
2 Enter the primary DNS server IP address that the FortiAnalyzer unit can connect to.
3 Enter a secondary DNS server IP address.

To test the mail server configuration
1 Go to System > Alerts > Mail Server.
2 Select Modify.
3 Select Test Server.
4 Enter an email address and select Test.
The situation

A manager suspects that an employee is surfing the Web during working hours. The manager has asked you to send him a report on the web activity of the suspected employee by email. The employee's IP address is 192.68.2.110. In this situation, you will need to find:
  the web sites the user visited
  the time of day the visits occurred
For this report, we will examine the web activity of the user over a two week period.
Enter a description of "This report examines the web activity of a user for the past two weeks."

Running the report
Viewing the report
Understanding each section of the report
Table 1 gives information about each section of the web activity report.
Table 1: Sections of the web activity report

Web Traffic by Day of Week
  This section displays information about the volume of web traffic generated by the user on each day of the week. You can determine if the user's web traffic is constant or if there are unusual variations that do not match the user's workload or schedule.

Web Traffic by Hour of Day
  This section displays information about the volume of traffic the user generated during each hour of the day. You can determine if the user's web traffic during work hours is reasonable.

Top Web Sites (Connections)
  This section displays the number of times the user accessed a web site. You can use this information to compare the user's access to work related and non-work related web sites.

Top Web Sites (Traffic)
  This section displays the volume of content accessed on the top web sites. You can use this information to compare the volume of data the user downloaded from work related and non-work related web sites.

Top Web Sites by Duration
  This section displays the amount of time spent on accessing information on each web site. Sites that are accessed or refreshed often will be at the top of this list. You can use this information to determine whether the user accessed or refreshed the content of web sites not related to work, such as news, sports, or stock sites, too often.
The situation

The network administrators want to track the type of traffic passing through the FortiGate unit. They have asked you to send them a weekly report by email to track the performance of the network with respect to the number of hits the network received during the week. They also want to be aware of the demand for certain services in order to allocate bandwidth more efficiently. For this report, you will examine the network activity during the last week.
You can narrow the report to the relevant information in the Network Activity and Terminal Activity lists in the Report Type(s) section.

To set the report type
1 Select the blue arrow for Report Type(s) to expand the options.
2 Select Custom.
3 Clear all the boxes in the list of report types.
4 Select the blue arrow for Network Activity to expand the options.
5 Select the following report types:
  Traffic by Top Services and Direction
  Traffic by Top Sources and Top Services
  Traffic by Top Destinations and Top Services
6 Select the blue arrow for Terminal Activity to expand the options.
7 Select Terminal Traffic by Date and Service.

2 Select For all devices from the Report Results list.
3 Select Resolve Host Names to display hosts by name, not IP address.
4 Select Resolve Service Names to display network service names rather than port numbers, for example HTTP rather than port 80.

By default, there are six items in tables and graphs in the report. For example, in the Traffic by Top Services and Direction table, the top six services will be shown. The default number can be changed in the Advanced section of the Report Format page. For this report, you will need the top ten services.

To set the number of items in lists
1 Select the blue arrow next to Advanced to expand the options.
2 Enter 10 for the value of the first variable (1..12).
Table 2 gives information about each section of the IPs and services report.
Table 2: Sections of the IPs and services report

Traffic by Top Services and Direction
  This section displays the direction of traffic for the most popular services. The direction can be internal, external, outgoing or incoming. Network administrators can find the percentage of network capacity used for each service and determine the need for a network upgrade.

Traffic by Top Sources and Top Services
  This section displays the services used by the most active users (sources) of the network. The total volume of traffic generated by each user is broken down by service, such as http, pop3 or dns. Network administrators can find the most popular services and determine the market for new services, or for the expansion of existing ones.

Traffic by Top Destinations and Top Services
  This section displays the most visited web sites and the services accessed through those web sites. Network administrators can determine what the bulk of network traffic is used for.

Terminal Traffic by Date and Service
  This section displays the traffic used by each service, for every day of the week. Network administrators can use this information to locate peaks in network traffic, and to identify the services that take up the bulk of network capacity. They can further use this information to correlate network traffic with network performance indicators from other sources to see if the volume of traffic affects performance.
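As an added illustration that is not part of the FortiAnalyzer guide, the following Python script computes, from a handful of constructed log lines, the kinds of aggregates that Table 1 (web traffic by day of week and hour of day, top web sites by connections and by traffic) and Table 2 (traffic by service and direction, by source and service) describe. The key=value layout and the field names srcip, hostname, service, dir, sentbyte and rcvdbyte are assumptions for the example, not the FortiGate log format; the user address 192.68.2.110 comes from the web activity scenario above.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log lines in an assumed key=value layout (not the real FortiGate log format).
SAMPLE_LOG = """\
date=2006-05-15 time=09:12:41 srcip=192.68.2.110 dstip=10.0.0.5 hostname=news.example.com service=HTTP dir=outgoing sentbyte=520 rcvdbyte=48200
date=2006-05-15 time=09:15:02 srcip=192.68.2.110 dstip=10.0.0.5 hostname=news.example.com service=HTTP dir=outgoing sentbyte=480 rcvdbyte=51000
date=2006-05-15 time=14:30:10 srcip=192.68.2.110 dstip=10.0.0.9 hostname=intranet.example.com service=HTTP dir=internal sentbyte=300 rcvdbyte=2000
date=2006-05-16 time=11:05:33 srcip=192.68.2.110 dstip=10.0.0.7 hostname=sports.example.com service=HTTP dir=outgoing sentbyte=610 rcvdbyte=91000
date=2006-05-16 time=11:07:00 srcip=192.68.2.50 dstip=10.0.0.5 hostname=news.example.com service=HTTP dir=outgoing sentbyte=400 rcvdbyte=30000
date=2006-05-20 time=08:50:00 srcip=192.68.2.50 dstip=10.0.0.3 hostname=mail.example.com service=POP3 dir=incoming sentbyte=100 rcvdbyte=12000
"""

def parse(text):
    """Turn key=value lines into dicts with a datetime and a total byte count."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(kv.split("=", 1) for kv in line.split())
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["bytes"] = int(rec["sentbyte"]) + int(rec["rcvdbyte"])
        records.append(rec)
    return records

def web_activity(records, srcip, service="HTTP"):
    """Table 1 style sections for one user: bytes by weekday and by hour, top sites by connections and by bytes."""
    mine = [r for r in records if r["srcip"] == srcip and r["service"] == service]
    by_day, by_hour, conns, traffic = Counter(), Counter(), Counter(), Counter()
    for r in mine:
        by_day[r["when"].strftime("%a")] += r["bytes"]
        by_hour[r["when"].hour] += r["bytes"]
        conns[r["hostname"]] += 1
        traffic[r["hostname"]] += r["bytes"]
    return {"by_day": dict(by_day), "by_hour": dict(by_hour),
            "top_sites_connections": conns.most_common(),
            "top_sites_traffic": traffic.most_common()}

def services_report(records, top_n=10):
    """Table 2 style sections: bytes per (service, direction) and per (source, service), top_n entries each."""
    by_service_dir, by_source_service = Counter(), Counter()
    for r in records:
        by_service_dir[(r["service"], r["dir"])] += r["bytes"]
        by_source_service[(r["srcip"], r["service"])] += r["bytes"]
    return {"service_direction": by_service_dir.most_common(top_n),
            "source_service": by_source_service.most_common(top_n)}

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(web_activity(recs, "192.68.2.110"), services_report(recs))
```

The top_n parameter plays the role of the "first variable (1..12)" in the Advanced section of the report format, which this guide sets to 10 for the IPs and services report.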
The situation
The marketing department of your company publishes a monthly newsletter, and wants to include a section on the surfing habits and interests of network users. They have asked you to send them a monthly report by email, showing the most visited web sites by network users.
To set the devices
1 Select the blue arrow for Devices to expand the options.
2 Select the FortiGate unit from the list.

Select the blue arrow for Web Activity to expand the options.
Table 3 gives information about each section of the most visited web site report.

Table 3: Sections of the most visited web site report

Top Categories
  This section displays the number of times web sites in each category were accessed by users on the network. The most popular categories by Hits show the surfing habits and interests of users.

Top Client Requests to Permitted Categories
  This section displays the most active users on the network and the number of times those users accessed web sites in each category.

Top Web Sites (Connections)
  This section displays the top web sites rated by the number of hits they received. This is one of the methods of rating the popularity of a web site.

Top Web Sites (Traffic)
  This section displays the top web sites rated by the volume of content users downloaded. This is one of the methods of rating the popularity of the content on a web site. A web site accessed often but with low traffic may not be popular, since users are not staying to access its content.
To set the report scope
1 Select the blue arrow for Report Scope to expand the options.
2 Select the blue arrow for Time Period to expand the options.
3 Select Last 2 Weeks from the list.

Select the blue arrow for Mail Activity to expand the options. Select the following report types:
  Top Mail Clients (Connections)
  Top Mail Clients (Traffic)

2 Select These Days.
3 Select Sun.
4 Select a time of 18 to run the report at 6 p.m.
The FortiAnalyzer unit will generate the report and send a PDF to the manager by email.
Top Mail Clients (Traffic)
  This section displays the IP addresses or host names of the mail clients that received the highest volume of email on the network.
The situation
The network managers need a report to assess the effectiveness of the web filter used by the network and the surfing trends of network users. They have asked you to send them a weekly report on the number of attempts to access blocked content.
To set the devices
1 Select the blue arrow for Devices to expand the options.
2 Select the FortiGate unit from the list.

To set the schedule
1 Select the blue arrow for Schedule to expand the options.
2 Select These Days.
3 Select Sun.
4 Select a time of 18 to run the report at 6 p.m.

To run the report
1 Go to Report > Config.
2 Select Go for the Blocked_content report.
The FortiAnalyzer unit will generate the report and send a PDF to the manager by email.
This section displays the amount of traffic blocked by and allowed through the FortiGate unit, rated by the top users on the network.

This section displays the top clients that attempted to access blocked content, rated by the number of attempts.

Total WebFilter Events by Status
  This section displays the amount of traffic blocked by and allowed through the FortiGate unit.

Top Blocked Users
  This section displays the top blocked users, rated by the number of blocked attempts at accessing content.

Top Blocked Sites
  This section displays the top blocked sites, rated by the number of blocked attempts at accessing them.