
TECHNICAL NOTE

Creating Reports with FortiAnalyzer

www.fortinet.com

Creating Reports with FortiAnalyzer
25 May 2006
05-30000-0323-20060525

Copyright 2006 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction
  About this document
  Fortinet documentation
    Fortinet Knowledge Center
    Comments on Fortinet technical documentation
  Customer service and technical support

Configuring log settings
  Configuring the FortiGate unit
  Enabling logging on the FortiGate unit
    Enabling traffic logging
    Enabling firewall policy traffic logging
    Enabling event logging
    Enabling service logs
  Configuring the FortiAnalyzer unit
    Registering the FortiGate unit
    Configuring the mail server

Investigating suspected abuse of web access
  The situation
  Configuring the report profile
    Creating a new report profile
    Setting the devices
    Setting the report scope
    Setting the report type
    Setting the report format
    Setting the report output
    Saving the report profile
  Using the report profile
    Running the report profile
    Viewing the report
    Understanding each section of the report

Logging IPs and requested services
  The situation
  Configuring the report profile
    Creating a new report profile
    Setting the devices
    Setting the report scope
    Setting the report type
    Setting the report format
    Setting the report schedule
    Setting the report output
    Saving the report profile
  Using the report profile
    Running the report profile
    Viewing the report
    Understanding each section of the report

Finding the most visited web sites
  The situation
  Configuring the report profile
    Creating a new report profile
    Setting the devices
    Setting the report scope
    Setting the report type
    Setting the report format
    Setting the report schedule
    Setting the report output
    Saving the report profile
  Using the report profile
    Running the report profile
    Viewing the report
    Understanding each section of the report

Finding the top email users
  Configuring the report profile
    Creating a new report profile
    Setting the devices
    Setting the report scope
    Setting the report type
    Setting the report format
    Setting the report schedule
    Setting the report output
    Saving the report profile
  Using the report profile
    Running the report profile
    Viewing the report
    Understanding each section of the report

Logging access to blocked content
  The situation
  Configuring the report profile
    Creating a new report profile
    Setting the devices
    Setting the report scope
    Setting the report type
    Setting the report format
    Setting the report schedule
    Setting the report output
    Saving the report profile
  Using the report profile
    Running the report profile
    Viewing the report
    Understanding each section of the report

Introduction

FortiAnalyzer units are network appliances that provide integrated tools for analysis, archive search, log collection, and data storage. Detailed log reports provide historical as well as current analysis of network traffic, such as email, FTP and web browsing activity, to help identify security issues and reduce network misuse and abuse.

This chapter includes the following topics:
• About this document
• Fortinet documentation
• Customer service and technical support

About this document


Using sample scenarios, this document describes how to:
• Configure a FortiGate unit to send log information to a FortiAnalyzer unit
• Configure report profiles with a FortiAnalyzer unit to generate reports

This document contains the following chapters:
• Configuring log settings
• Investigating suspected abuse of web access
• Logging IPs and requested services
• Finding the most visited web sites
• Finding the top email users
• Logging access to blocked content

Fortinet documentation
The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com.

Fortinet Knowledge Center


Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation


Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.


Customer service and technical support


Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network. Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.


Configuring log settings


This section describes how to:
• configure the FortiGate unit to send log information to the FortiAnalyzer unit
• register the FortiGate unit with the FortiAnalyzer unit

The following topics are included in this section:
• Configuring the FortiGate unit
• Enabling logging on the FortiGate unit
• Configuring the FortiAnalyzer unit

Configuring the FortiGate unit


Configure the FortiGate unit to send log information to the FortiAnalyzer unit and verify the connection. The FortiGate unit will send all log messages to the FortiAnalyzer unit.

To configure log settings
1 Go to Log&Report > Log Config > Log Setting.
2 Select FortiAnalyzer.
3 Select the blue arrow next to FortiAnalyzer to expand the options.
4 Select a log level. For maximum reporting capabilities, select Information.
5 Select Static IP Address.
6 Enter the IP address of the FortiAnalyzer unit and select Apply.

To verify the connection
1 Select Test Connectivity. You will see a connection summary window confirming the connection. If the connection fails, verify the IP address.
2 Select Close.

The FortiGate unit is now configured to send log information to the FortiAnalyzer unit, enabling the FortiAnalyzer unit to generate reports.

Enabling logging on the FortiGate unit


You must enable logging on the FortiGate unit in order to send logs to the FortiAnalyzer unit. There are multiple logging options available. For the examples in this document, you will enable logging options in the following steps:

• Enabling traffic logging
• Enabling firewall policy traffic logging
• Enabling event logging
• Enabling service logs

Enabling traffic logging


Enable traffic logging to record any traffic to and from the interface.

To enable traffic logging
1 Go to System > Network > Interface.
2 Select the Edit icon for an interface.
3 Select Log.
4 Select OK.

Enabling firewall policy traffic logging


Enable the firewall policy traffic logging to record the traffic, both permitted and denied by the firewall policy.

To enable firewall policy traffic logging
1 Go to Firewall > Policy.
2 Select the blue arrow for the traffic directional flow to expand the policy list.
3 Select the Edit icon for a policy.
4 Select Log Allowed Traffic.
5 Select OK.

Enabling event logging


Enable event logging to record management and activity events, such as when a configuration has changed, or when VPN events occur.

To enable event logging
1 Go to Log&Report > Log Config > Event Log.
2 Select Enable.
3 Select the following options:
  • Firewall authentication event
  • SSL VPN user authentication event
  • SSL VPN session event
4 Select Apply.

Enabling service logs


Enable service logging to record the activity of the FortiGate protection profile, such as blocked content or web sites.

To enable service logging
1 Go to Firewall > Protection Profile.
2 Select the Edit icon for a profile.
3 Select the blue arrow for Logging to expand the logging options.
4 Select the following options:
  • Oversized Files / Emails
  • Content Block
  • URL Filter
  • Log Intrusions
5 Select OK.

Configuring the FortiAnalyzer unit


You must configure the FortiAnalyzer unit to accept log information from registered FortiGate units and to send reports by email. Configuring the FortiAnalyzer unit includes the following steps:
• Registering the FortiGate unit
• Configuring the mail server

Registering the FortiGate unit


You must register the FortiGate unit that sends log information to the FortiAnalyzer unit. By default, the FortiAnalyzer unit will add the FortiGate unit to its device list. However, you will not be able to generate reports until you register the FortiGate unit.

To register a FortiGate unit
1 Go to Devices > All. The FortiGate unit will appear in the device list.
2 Select the Add icon for the FortiGate unit. The Add icon for an unregistered FortiGate unit is the same as the Edit icon for a registered unit.
3 Select FortiGate from the Device Type list.
4 Enter a device name, such as WiFi-60A. The serial number of the FortiGate unit automatically appears in the Device ID field.
5 Keep all other settings on the Add Device page as defaults.
6 Select OK.

The FortiGate unit is now registered to send log information to the FortiAnalyzer unit.

Configuring the mail server


You must configure a DNS server and an SMTP server to send reports by email, and test the configuration. The FortiGate unit uses the SMTP server name to connect to the mail server, and must look up this name on your DNS server.

To configure the mail server
1 Go to System > Alerts > Mail Server.
2 Select Create New.
3 Select Enable Authentication.
4 Enter the name/address of the SMTP server.
5 Enter the user name for logging on to the SMTP server in the E-Mail Account field.
6 Enter the password for logging on to the SMTP server.

To configure the DNS server
1 Go to System > Network > DNS.
2 Enter the primary DNS server IP address that the FortiAnalyzer unit can connect to.
3 Enter a secondary DNS server IP address.

To test the mail server configuration
1 Go to System > Alerts > Mail Server.
2 Select Modify.
3 Select Test Server.
4 Enter an email address and select Test.


Investigating suspected abuse of web access


This section describes how to configure a report about the web activity of a user.

The situation
A manager suspects that an employee is surfing the Web during working hours. The manager has asked you to send him a report on the web activity of the suspected employee by email. The employee's IP address is 192.168.2.110. In this situation, you will need to find:
• web sites the user visited
• the time of day the visits occurred

For this report, we will examine the web activity of the user over a two week period.

Configuring the report profile


Configuring a report profile includes the following steps:
• Creating a new report profile
• Setting the devices
• Setting the report scope
• Setting the report type
• Setting the report format
• Setting the report output
• Saving the report profile

Creating a new report profile


Create a new report profile.

To create a new report profile
1 Go to Report > Config.
2 Select Create New.
3 Enter Web_Activity in the Report Name field. The report name cannot include spaces.
4 Enter a report title of Monitoring Web Activity.
5 Enter a description of This report examines the web activity of a user for the past two weeks.

Setting the devices


Select the FortiGate unit for the department or office where the user works. The FortiAnalyzer unit will examine the logs only from this unit.

To set the devices
1 Select the blue arrow for Devices to expand the options.
2 Select the FortiGate unit from the list.

Setting the report scope


Select the time period the report encompasses, and the data filters. For this report, you need specific information about a user during a two week period. You can narrow the report to only the requested user with the Data Filter.

To set the report scope
1 Select the blue arrow for Report Scope to expand the options.
2 Select the blue arrow for Time Period to expand the options.
3 Select Last 2 Weeks from the list.
4 Select the blue arrow for Data Filter to expand the options.
5 Select Custom.
6 In the Source(s) field, enter 192.168.2.110, the user's IP address. This narrows the scope of the report to only this user.

Setting the report type


Specify the type of information the FortiAnalyzer unit collects from the logs. For this report, you need information about the web activity of a particular user during working hours. You can narrow the report to the relevant information in the Web Activity list in the Report Type(s) section.

To set the report type
1 Select the blue arrow for Report Type(s) to expand the options.
2 Select Custom.
3 Clear all the report types.
4 Select the blue arrow for Web Activity to expand the report options.
5 Select the following report types:
  • Web Traffic by Day of Week
  • Web Traffic by Hour of Day
  • Top Web Sites (Connections)
  • Top Web Sites (Traffic)
  • Top Web Sites by Duration

Setting the report format


Configure how the report displays information. Enable IP addresses to display as host names. Web sites visited by the user will appear as real URLs rather than as IP addresses.

To set the report format
1 Select the blue arrow for Report Format to expand the options.
2 Select For all devices from the Report Results list.
3 Select Resolve Host Names to display web site addresses rather than IP addresses.

Setting the report output


Select the format and destination for the report. The FortiAnalyzer unit will email this report as a PDF to the manager who requested it.

To set the output
1 Select the blue arrow for Output to expand the options.
2 Select PDF for Email output.
3 Select Customize subject.
4 Enter the subject for the email. When Customize subject is not selected, the subject of the email will be the name of the report.
5 Enter the email address of the manager in the Email list.
6 Select Add.

Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To configure the mail server, see Configuring the mail server on page 11.

Saving the report profile


The report profile is now configured to provide the information required. To save the report profile, select OK. The FortiAnalyzer unit saves the report profile on its hard drive.
Note: Setting a schedule is not required for this report because it is not used regularly, only when a similar problem occurs.

Using the report profile


Once the FortiAnalyzer unit has generated and saved the report, it is available for viewing. Reports stay in a catalog on the FortiAnalyzer hard drive. You can run the report again to retrieve updated information. Using the report includes the following steps:
• Running the report
• Viewing the report
• Understanding each section of the report

Running the report profile


Running the report profile will generate all the information specified by the report scope and type.

To run the report
1 Go to Report > Config.
2 Select Go for the Web_Activity report.

The FortiAnalyzer unit generates the report and sends a PDF to the manager by email.

Viewing the report


You can view reports from the FortiAnalyzer web-based manager.

To view the report
1 Go to Report > Browse.
2 Select the Web_Activity report from the list. The report name will be followed by a date and an assigned number, for example, Web_Activity-2006-05-01-1001.

Understanding each section of the report


The report will display information in tables and graphs, for example, as shown in Figure 1.

Figure 1: Tables and graphs in the web activity report

Table 1 gives information about each section of the web activity report.

Table 1: Sections of the web activity report

Web Traffic by Day of Week
  This section displays information about the volume of web traffic generated by the user on each day of the week. You can determine if the user's web traffic is constant or if there are unusual variations that do not match the user's workload or schedule.

Web Traffic by Hour of Day
  This section displays information about the volume of traffic the user generated during each hour of the day. You can determine if the user's web traffic during work hours is reasonable.

Top Web Sites (Connections)
  This section displays the number of times the user accessed a web site. You can use this information to compare the user's access to work related and non-work related web sites.

Top Web Sites (Traffic)
  This section displays the volume of content accessed on the top web sites. You can use this information to compare the volume of data the user downloaded from work related and non-work related web sites.

Top Web Sites by Duration
  This section displays the amount of time spent on accessing information on each web site. Sites that are accessed or refreshed often will be at the top of this list. You can use this information to determine whether the user accessed or refreshed the content of web sites not related to work, such as news, sports, or stock sites, too often.


Logging IPs and requested services


This section describes how to find the IPs that visited the FortiGate unit, and to find what services were requested in the last week.

The situation
The network administration wants to track the type of traffic through the FortiGate unit. They asked you to send them a weekly report by email to track the performance of the network with respect to the number of hits the network received during the week. Also, they want to be aware of the demand for certain services in order to allocate bandwidth more efficiently. For this report, you will examine the network activity during the last week.

Configuring the report profile


Configuring the report includes the following steps:
• Creating a new report profile
• Setting the devices
• Setting the report scope
• Setting the report type
• Setting the report format
• Setting the report schedule
• Setting the report output
• Saving the report profile

Creating a new report profile


Create a new report profile.

To create a new report profile
1 Go to Report > Config.
2 Select Create New.
3 Enter IPs_and_services in the Report Name field. The report name cannot include spaces.
4 Enter a report title of IPs and requested services.
5 Enter a description of This report lists the IPs that visited the FortiGate unit, and the services requested during the past week.

Setting the devices


Select the FortiGate unit. The FortiAnalyzer unit will examine the logs from this unit.

To set the devices
1 Select the blue arrow for Devices to expand the options.
2 Select the FortiGate unit from the list.

Setting the report scope


Select the time period the report encompasses.

To set the report scope
1 Select the blue arrow for Report Scope to expand the options.
2 Select the blue arrow for Time Period to expand the options.
3 Select Last 7 Days for Time Period.

Setting the report type


Select the type of information the report will collect from the logs. For this report, you need information about:
• network use by IPs
• the services, such as http and ssh, requested by network users

You can narrow the report to the relevant information in the Network Activity and Terminal Activity lists in the Report Type(s) section.

To set the report type
1 Select the blue arrow for Report Type(s) to expand the options.
2 Select Custom.
3 Clear all the boxes in the list of report types.
4 Select the blue arrow for Network Activity to expand the options.
5 Select the following report types:
  • Traffic by Top Services and Direction
  • Traffic by Top Sources and Top Services
  • Traffic by Top Destinations and Top Services
6 Select the blue arrow for Terminal Activity to expand the options.
7 Select Terminal Traffic by Date and Service.

Setting the report format


Configure how the report displays information. Enable IP addresses to display as host names. Web pages visited by users will appear as real URLs rather than as IP addresses. The FortiAnalyzer unit can also display services by names rather than by port numbers.

To set the report format
1 Select the blue arrow next to Report Format to expand the options.
2 Select For all devices from the Report Results list.
3 Select Resolve Host Names to display host names by name, not IP address.
4 Select Resolve Service Names to display network service names rather than port numbers. For example, HTTP rather than port 80.

By default, there are six items in tables and graphs in the report. For example, in the Traffic by Top Services and Direction table, the top six services will be shown. The default number can be changed in the Advanced section of the Report Format page. For this report, you will need the top ten services.

To set the number of items in lists
1 Select the blue arrow next to Advanced to expand the options.
2 Enter 10 for the values for the first variable (1..12).

Setting the report schedule


Configure the schedule so that the report runs automatically every week.

To set the schedule
1 Select the blue arrow for Schedule to expand the options.
2 Select These Days.
3 Select Sun.
4 Select a time of 18 to run the report at 6 p.m.

Setting the report output


Select the format and destination for the report. The FortiAnalyzer unit will email this report as a PDF to the network administration staff.

To set the output
1 Select the blue arrow for Output.
2 Select PDF for Email output.
3 Select Customize subject.
4 Enter the subject for the email. When Customize subject is not selected, the subject of the email will be the name of the report.
5 Enter the email addresses of the network administration staff in the Email list.
6 Select Add.

Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To configure the mail server, see Configuring the mail server on page 11.

Saving the report profile


The report profile is now configured to provide the information required. To save the report profile, select OK. The FortiAnalyzer unit saves the report profile on its hard drive.


Using the report profile


Once the FortiAnalyzer unit has generated and saved the report, it is available for viewing. Reports stay in a catalog, and you can run the report again to retrieve updated information. Using the report includes the following steps:
• Running the report
• Viewing the report
• Understanding each section of the report

Running the report profile


Running the report profile will generate all the information specified by the report scope and type.

To run the report
1 Go to Report > Config.
2 Select Go for the IPs_and_services report.
  The FortiAnalyzer unit generates the report and sends a PDF to the network administrators by email.

Viewing the report


You can view reports from the FortiAnalyzer web-based manager.

To view the report
1 Go to Report > Browse.
2 Select the IPs_and_services report from the list.
  The report name will be followed by a date and an assigned number, for example, IPs_and_services-2006-05-01-1001.

Understanding each section of the report


The report will display information in tables and graphs, for example, as shown in Figure 2 and Figure 3.
Figure 2: Table in the IPs and services report


Figure 3: Graph in the IPs and services report

Table 2 gives information about each section of the IPs and services report.
Table 2: Sections of the IPs and services report

Traffic by Top Services and Direction
    This section displays the direction of traffic for the most popular services. The direction can be internal, external, outgoing or incoming. Network administrators can find the percentage of network capacity used for each service and determine the need for a network upgrade.

Traffic by Top Sources and Top Services
    This section displays the services used by the most active users (sources) of the network. The total volume of traffic generated by each user is broken down by service, such as http, pop3 or dns. Network administrators can find the most popular services and determine the market for new services, or for the expansion of existing ones.

Traffic by Top Destinations and Top Services
    This section displays the most visited web sites and the services accessed through those web sites. Network administrators can determine what the bulk of network traffic is used for.

Terminal Traffic by Date and Service
    This section displays the traffic used by each service, for every day of the week. Network administrators can use this information to locate peaks in network traffic, and to identify the services that take up the bulk of network capacity. They can further use this information to correlate network traffic with network performance indicators from other sources to see if the volume of traffic affects performance.


Finding the most visited web sites


This section describes how to determine the most visited web sites in the last month.

The situation
The marketing department of your company publishes a monthly newsletter, and wants to include a section on the surfing habits and interests of network users. They have asked you to send them a monthly report by email, showing the most visited web sites by network users.

Configuring the report profile


Configuring the report profile includes the following steps:
• Creating a new report profile
• Setting the devices
• Setting the report scope
• Setting the report type
• Setting the report format
• Setting the report schedule
• Setting the report output
• Saving the report

Creating a new report profile


Create a new report profile.

To create a new report profile
1 Go to Report > Config.
2 Select Create New.
3 Enter hottest_website in the Report Name field.
  The report name cannot include spaces.
4 Enter a report title of Hottest web sites last month.
5 Enter a description of This report shows the most visited web sites last month.

Setting the devices


Select the FortiGate unit. The FortiAnalyzer unit will examine the logs from this unit.


To set the devices
1 Select the blue arrow for Devices to expand the options.
2 Select the FortiGate unit from the list.

Setting the report scope


Select the time period the report encompasses.

To set the report scope
1 Select the blue arrow for Report Scope to expand the options.
2 Select the blue arrow for Time Period to expand the options.
3 Select Last Month for Time Period.

Setting the report type


Specify the type of information the report will collect from the logs.

To set the report type
1 Select the blue arrow for Report Type(s) to expand the options.
2 Select Custom.
3 Clear all the boxes in the list of report types.
4 Select the blue arrow for WebFilter Activity to expand the options.
5 Select the following report types:
  • Top Categories by Hits
  • Top Client Requests to Permitted Categories
  • Top Web Sites (Connections)
  • Top Web Sites (Traffic)
6 Select the blue arrow for Web Activity to expand the options.

Setting the report format


Configure how the report displays information. Enable IP addresses to display as host names so you can identify web sites visited by the users.

To set the report format
1 Select the blue arrow next to Report Format to expand the options.
2 Select For all devices from the Report Results list.
3 Select Resolve Host Names to display host names by name, not IP address.

Setting the report schedule


Configure the schedule so that the report runs automatically every month.

To set the schedule
1 Select the blue arrow for Schedule to expand the options.
2 Select These Dates.
3 Enter 28 to run the report on the 28th of every month.
4 Select a time of 18 to run the report at 6 p.m.

Setting the report output


Select the format and destination for the report. The FortiAnalyzer unit will email this report as a PDF to the marketing department.

To set the output
1 Select the blue arrow for Output to expand the options.
2 Select PDF for Email output.
3 Select Customize subject.
4 Enter the subject for the email.
  When Customize subject is not selected, the subject of the email will be the name of the report.
5 Enter the email addresses of the marketing department staff in the Email list.
6 Select Add.
Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To configure the mail server, see Configuring the mail server on page 11.

Saving the report profile


The report profile is now configured to provide the information required. To save the report profile, select OK. The FortiAnalyzer unit saves the report profile on its hard drive.

Using the report profile


Once the FortiAnalyzer unit has generated and saved the report, it is available for viewing. Reports stay in a catalog on the FortiAnalyzer hard drive. You can run the report again to retrieve updated information. Using the report includes the following steps:
• Running the report
• Viewing the report
• Understanding each section of the report

Running the report profile


Running the report profile will generate all the information specified by the report scope and type.

To run the report
1 Go to Report > Config.
2 Select Go for the hottest_website report.
  The FortiAnalyzer unit will generate the report and send a PDF to the manager by email.


Viewing the report


You can view reports from the FortiAnalyzer web-based manager.

To view the report
1 Go to Report > Browse.
2 Select the hottest_website report from the list.
  The report name will be followed by a date and an assigned number, for example, hottest_website-2006-05-01-1001.

Understanding each section of the report


The report will display information in tables and graphs, for example, as shown in Figure 4 and Figure 5.
Figure 4: Table in the most visited web site report

Figure 5: Graph in the most visited web site report


Table 3 gives information about each section of the hottest web site report.
Table 3: Sections of the most visited web site report

Top Categories by Hits
    This section displays the number of times web sites in each category were accessed by users on the network. The most popular categories show the surfing habits and interests of users.

Top Client Requests to Permitted Categories
    This section displays the most active users on the network and the number of times those users accessed web sites in each category.

Top Web Sites (Connections)
    This section displays the top web sites rated by the number of hits they received. This is one of the methods of rating the popularity of a web site.

Top Web Sites (Traffic)
    This section displays the top web sites rated by the volume of content users downloaded. This is one of the methods of rating the popularity of the content on a web site. A web site accessed often but with low traffic may not be popular since users are not staying to access its content.


Finding the top email users


This section describes how to configure a report about the top email users on a network.

Configuring the report profile


Configuring a report includes the following steps:
• Creating a new report profile
• Setting the devices
• Setting the report scope
• Setting the report type
• Setting the report format
• Setting the report schedule
• Setting the report output
• Saving the report profile

Creating a new report profile


Create a new report profile.

To create a new report profile
1 Go to Report > Config.
2 Select Create New.
3 Enter Mail_users in the Report Name field.
  The report name cannot include spaces.
4 Enter a report title of Top mail users.
5 Enter a description of This report displays the top email users on the network for the past month.

Setting the devices


Select the FortiGate unit to examine. The FortiAnalyzer unit will examine the logs from this unit.

To set the devices
1 Select the blue arrow for Devices to expand the options.
2 Select the FortiGate unit from the list.

Setting the report scope


Select the time period the report encompasses.


To set the report scope
1 Select the blue arrow for Report Scope to expand the options.
2 Select the blue arrow for Time Period to expand the options.
3 Select Last 2 Weeks from the list.

Setting the report type


You will now specify the type of information the report will collect from the logs. For this report, you need information about the email use on the network. You can narrow the report to the relevant information in the MailFilter Activity and the Mail Activity lists in the Report Type(s) section.

To set the report type
1 Select the blue arrow for Report Type(s) to expand the options.
2 Select Custom.
3 Clear all the report types.
4 Select the blue arrow for MailFilter Activity to expand the options.
5 Select the following report types:
  • Top Mail Senders
  • Top Mail Receivers
6 Select the blue arrow for Mail Activity to expand the options.
7 Select the following report types:
  • Top Mail Clients (Connections)
  • Top Mail Clients (Traffic)

Setting the report format


Configure how the report displays information. Enable IP addresses to display as host names so you can identify web sites visited by the users.

To set the report format
1 Select the blue arrow for Report Format to expand the options.
2 Select For all devices from the Report Results.

By default, there are six items in tables and graphs in the report. For example, in the Top Mail Senders table, the top six senders will be shown. The default number can be changed in the Advanced section of the Report Format page. For this report, you will need the top five email users.

To set the number of items in lists
1 Select the blue arrow next to Advanced to expand the options.
2 Enter 5 for the values for the first variable (1..12).

Setting the report schedule


Configure the schedule so that the report runs automatically every week.

To set the schedule
1 Select the blue arrow for Schedule to expand the options.
2 Select These Days.
3 Select Sun.
4 Select a time of 18 to run the report at 6 p.m.

Setting the report output


Select the format and destination for the report. The FortiAnalyzer will email this report as a PDF to the manager who requested it.

To set the output
1 Select the blue arrow for Output to expand the options.
2 Select PDF for Email output.
3 Select Customize subject.
4 Enter the subject for the email.
  When Customize subject is not selected, the subject of the email will be the name of the report.
5 Enter the email addresses of the managers in the Email list.
6 Select Add.
Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To configure the mail server, see Configuring the mail server on page 11.

Saving the report profile


The report profile is now configured to provide the information required. To save the report profile, select OK. The FortiAnalyzer unit saves the report profile on its hard drive.

Using the report profile


Once the FortiAnalyzer unit has generated and saved the report, it is available for viewing. Reports stay in a catalog, and you can run the report again to retrieve updated information. Using the report includes the following steps:
• Running the report
• Viewing the report
• Understanding each section of the report

Running the report profile


Running the report profile will generate all the information specified by the report scope and type.

To run the report
1 Go to Report > Config.
2 Select Go for the Mail_users report.
  The FortiAnalyzer unit will generate the report and send a PDF to the manager by email.

Viewing the report


You can view reports from the FortiAnalyzer web-based manager.

To view the report
1 Go to Report > Browse.
2 Select the Mail_users report from the list.
  The report name will be followed by a date and an assigned number, for example, Mail_users-2006-05-01-1001.

Understanding each section of the report


The report will display information in tables and graphs, for example, as shown in Figure 6 and Figure 7.
Figure 6: Table in the mail users report

Figure 7: Graph in the mail users report


Table 4 gives information about each section of the report.


Table 4: Sections of the mail users report

Top Mail Senders
    This section displays the email addresses of users that sent the most emails to users on the network.

Top Mail Receivers
    This section displays the email addresses of users that received the most mail on the network.

Top Mail Clients (Connections)
    This section displays the IP addresses or host names of the mail clients that received the most hits on the network.

Top Mail Clients (Traffic)
    This section displays the IP addresses or host names of the mail clients that received the highest volume of email on the network.


Logging access to blocked content


This section describes how to configure a report about users who attempted to surf to blocked web sites last month.

The situation
The network managers need a report to assess the effectiveness of the web filter used by the network and the surfing trends of network users. They have asked you to send them a weekly report on the number of attempts to access blocked content.

Configuring the report profile


Configuring a report profile includes the following steps:
• Creating a new report profile
• Setting the devices
• Setting the report scope
• Setting the report type
• Setting the report format
• Setting the report schedule
• Setting the report output
• Saving the report profile

Creating a new report profile


Create a new report profile.

To create a new report profile
1 Go to Report > Config.
2 Select Create New.
3 Enter Blocked_content in the Report Name field.
  The report name cannot include spaces.
4 Enter a report title of Accessing blocked content.
5 Enter a description of This report displays users who attempted to access blocked content on the web every week.

Setting the devices


Select the FortiGate unit to examine. The FortiAnalyzer unit will examine the logs from this unit.


To set the devices
1 Select the blue arrow for Devices to expand the options.
2 Select the FortiGate unit from the list.

Setting the report scope


Select the time period the report encompasses, and the data filters. For this report, you need specific information about a user during a two week period. You can narrow the report to only the requested user with the Data Filter.

To set the report scope
1 Select the blue arrow for Report Scope to expand the options.
2 Select the blue arrow for Time Period to expand the options.
3 Select Last 7 Days from the list.

Setting the report type


Specify the type of information the report will collect from the logs. For this report, you need information about users whose web activity was blocked. You can narrow the report to the relevant information in the WebFilter Activity list in the Report Type(s) section.

To set the report type
1 Select the blue arrow for Report Type(s) to expand the options.
2 Select Custom.
3 Clear all the report types.
4 Select the blue arrow for WebFilter Activity to expand the options.
5 Select the following report types:
  • Top Client Attempts at Blocked Web Sites
  • Total WebFilter Events by Status
  • WebFilter Events by Top Sources and Status
  • Top Blocked Users
  • Top Blocked Sites
  • Top Client Attempts to Blocked Categories

Setting the report format


Configure how the report displays information. Enable IP addresses to display as host names so you can identify web sites visited by the users.

To set the report format
1 Select the blue arrow for Report Format to expand the options.
2 Select For all devices from the Report Results.
3 Select Resolve Host Names to display web site addresses rather than IP addresses.

Setting the report schedule


Configure the schedule so that the report runs automatically every week.

To set the schedule
1 Select the blue arrow for Schedule to expand the options.
2 Select These Days.
3 Select Sun.
4 Select a time of 18 to run the report at 6 p.m.

Setting the report output


Select the format and destination for the report. The FortiAnalyzer unit will email this report as a PDF to the network managers who requested it.

To set the output
1 Select the blue arrow for Output to expand the options.
2 Select PDF for Email output.
3 Select Customize subject.
4 Enter the subject for the email.
  When Customize subject is not selected, the subject of the email will be the name of the report.
5 Enter the email addresses of the network managers in the Email list.
6 Select Add.
Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To configure the mail server, see Configuring the mail server on page 11.

Saving the report profile


The report profile is now configured to provide the information required. To save the report profile, select OK. The FortiAnalyzer unit saves the report profile on its hard drive.

Using the report profile


Once the FortiAnalyzer unit has generated and saved the report, it is available for viewing. Reports stay in a catalog on the FortiAnalyzer hard drive. You can run the report again to retrieve updated information. Using the report includes the following steps:
• Running the report
• Viewing the report
• Understanding each section of the report

Running the report profile


Running the report profile will generate all the information specified by the report scope and type.

To run the report
1 Go to Report > Config.
2 Select Go for the Blocked_content report.
  The FortiAnalyzer unit will generate the report and send a PDF to the manager by email.

Viewing the report


You can view reports from the FortiAnalyzer web-based manager.

To view the report
1 Go to Report > Browse.
2 Select the Blocked_content report from the list.
  The report name will be followed by a date and an assigned number, for example, Blocked_content-2006-05-01-1001.

Understanding each section of the report


The report will display information in tables and graphs, for example, as shown in Figure 8 and Figure 9.
Figure 8: Tables in the blocked content report

Figure 9: Graphs in the blocked content report


Table 5 gives information about each section of the report.


Table 5: Sections of the blocked content report

Top Client Attempts to Blocked Web Sites
    This section displays the number of attempts to access blocked web sites for users who made the highest number of attempts.

WebFilter Events by Top Sources and Status
    This section displays the amount of traffic blocked by and allowed through the FortiGate unit, rated by the top users on the network.

Top Client Attempts at Blocked Categories
    This section displays the top clients that attempted to access blocked content rated by the number of attempts.

Total WebFilter Events by Status
    This section displays the amount of traffic blocked by and allowed through the FortiGate unit.

Top Blocked Users
    This section displays the top blocked users rated by the number of blocked attempts at accessing content.

Top Blocked Sites
    This section displays the top blocked sites rated by the number of blocked attempts at accessing them.
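
The counts behind the Total WebFilter Events by Status, Top Blocked Users and Top Blocked Sites sections can be cross-checked against raw web filter logs. The Python script below is an added example, not Fortinet code or part of the original note; the key=value log layout, the field names (src, host, status) and the hostnames mapping that stands in for Resolve Host Names are assumptions made for illustration.

```python
import shlex
from collections import Counter

# Constructed sample web filter log lines. The key=value layout and the field
# names (src, host, status) are assumptions for this example, not a vendor schema.
SAMPLE_LOG = """\
date=2006-05-01 time=09:12:03 src=192.168.1.10 host=games.example status=blocked msg="URL was blocked"
date=2006-05-01 time=09:12:41 src=192.168.1.10 host=games.example status=blocked msg="URL was blocked"
date=2006-05-02 time=10:03:17 src=192.168.1.22 host=news.example status=allowed
date=2006-05-03 time=11:45:09 src=192.168.1.10 host=video.example status=blocked msg="URL was blocked"
date=2006-05-04 time=14:20:55 src=192.168.1.31 host=games.example status=blocked msg="URL was blocked"
date=2006-05-05 time=16:02:30 src=192.168.1.22 host=video.example status=blocked msg="URL was blocked"
date=2006-05-06 time=08:30:00 src=192.168.1.31 host=intranet.example status=allowed
date=2006-05-07 time=18:00:00 src=192.168.1.40 host="broken status=blocked
"""


def parse_line(line):
    """Split one key=value log line into a dict; quoted values may hold spaces."""
    fields = {}
    for token in shlex.split(line):  # raises ValueError on unbalanced quotes
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def top(counter, n):
    """Return the n highest counts, ties broken by name so output is stable."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def blocked_content_report(log_text, top_n=6, hostnames=None):
    """Rebuild three blocked-content sections from raw log text.

    top_n defaults to six, the default number of items the note describes.
    hostnames optionally maps source IPs to names (hypothetical stand-in
    for the Resolve Host Names option).
    """
    hostnames = hostnames or {}
    by_status = Counter()
    blocked_users = Counter()
    blocked_sites = Counter()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = parse_line(line)
        except ValueError:
            skipped += 1  # truncated or corrupted line: count it, do not guess
            continue
        status = rec.get("status")
        if status is None:
            skipped += 1
            continue
        by_status[status] += 1
        if status == "blocked":
            src = rec.get("src", "unknown")
            blocked_users[hostnames.get(src, src)] += 1
            blocked_sites[rec.get("host", "unknown")] += 1
    return {
        "events_by_status": dict(by_status),
        "top_blocked_users": top(blocked_users, top_n),
        "top_blocked_sites": top(blocked_sites, top_n),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = blocked_content_report(SAMPLE_LOG, hostnames={"192.168.1.10": "ws-alice"})
    for section, rows in report.items():
        print(section, rows)
```

A non-zero skipped_lines value means some log lines were not counted, which is one reason totals computed this way can differ from the totals in a generated report.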
