FAZ Reports Creation


  • 8/22/2019 FAZ Reports Creation


    www.fortinet.com

    Creating Reports with FortiAnalyzer

    TECHNICAL NOTE

    25 May 2006

    05-30000-0323-20060525

    Copyright 2006 Fortinet, Inc. All rights reserved. No part of this

    publication including text, examples, diagrams or illustrations may be

    reproduced, transmitted, or translated in any form or by any means,

    electronic, mechanical, manual, optical or otherwise, for any purpose,

    without prior written permission of Fortinet, Inc.

    Trademarks

    Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC,

    FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat

    Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-

    Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer,

    FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter,

    FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of

    Fortinet, Inc. in the United States and/or other countries. The names of

    actual companies and products mentioned herein may be the trademarks

    of their respective owners.

    Contents

    Introduction
        About this document
        Fortinet documentation
            Fortinet Knowledge Center
            Comments on Fortinet technical documentation
        Customer service and technical support
    Configuring log settings
        Configuring the FortiGate unit
        Enabling logging on the FortiGate unit
            Enabling traffic logging
            Enabling firewall policy traffic logging
            Enabling event logging
            Enabling service logs
        Configuring the FortiAnalyzer unit
            Registering the FortiGate unit
            Configuring the mail server
    Investigating suspected abuse of web access
        The situation
        Configuring the report profile
            Creating a new report profile
            Setting the devices
            Setting the report scope
            Setting the report type
            Setting the report format
            Setting the report output
            Saving the report profile
        Using the report profile
            Running the report profile
            Viewing the report
            Understanding each section of the report
    Logging IPs and requested services
        The situation
        Configuring the report profile
            Creating a new report profile
            Setting the devices
            Setting the report scope
            Setting the report type
            Setting the report format
            Setting the report schedule
            Setting the report output
            Saving the report profile
        Using the report profile
            Running the report profile
            Viewing the report
            Understanding each section of the report
    Finding the most visited web sites
        The situation
        Configuring the report profile
            Creating a new report profile
            Setting the devices
            Setting the report scope
            Setting the report type
            Setting the report format
            Setting the report schedule
            Setting the report output
            Saving the report profile
        Using the report profile
            Running the report profile
            Viewing the report
            Understanding each section of the report
    Finding the top email users
        Configuring the report profile
            Creating a new report profile
            Setting the devices
            Setting the report scope
            Setting the report type
            Setting the report format
            Setting the report schedule
            Setting the report output
            Saving the report profile
        Using the report profile
            Running the report profile
            Viewing the report
            Understanding each section of the report
    Logging access to blocked content
        The situation
        Configuring the report profile
            Creating a new report profile
            Setting the devices
            Setting the report scope
            Setting the report type
            Setting the report format
            Setting the report schedule
            Setting the report output
            Saving the report profile
        Using the report profile
            Running the report profile
            Viewing the report
            Understanding each section of the report

    Introduction

    FortiAnalyzer units are network appliances that provide integrated tools for analysis, archive search, log collection, and data storage. Detailed log reports provide historical as well as current analysis of network traffic, such as email, FTP and web browsing activity, to help identify security issues and reduce network misuse and abuse.

    This chapter includes the following topics:

    About this document

    Fortinet documentation

    Customer service and technical support

    About this document

    Using sample scenarios, this document describes how to:

    Configure a FortiGate unit to send log information to a FortiAnalyzer unit

    Configure report profiles with a FortiAnalyzer unit to generate reports

    This document contains the following chapters:

    Configuring log settings

    Investigating suspected abuse of web access

    Logging IPs and requested services

    Finding the most visited web sites

    Finding the top email users

    Logging access to blocked content

    Fortinet documentation

    The most up-to-date publications and previous releases of Fortinet product

    documentation are available from the Fortinet Technical Documentation web site

    at http://docs.forticare.com.

    Fortinet Knowledge Center

    Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

    Comments on Fortinet technical documentation

    Please send information about any errors or omissions in this document, or any

    Fortinet technical documentation, to [email protected].


    Customer service and technical support

    Fortinet Technical Support provides services designed to make sure that your

    Fortinet systems install quickly, configure easily, and operate reliably in your

    network.

    Please visit the Fortinet Technical Support web site at http://support.fortinet.com

    to learn about the technical support services that Fortinet provides.


    Configuring log settings

    This section describes how to:

    configure the FortiGate unit to send log information to the FortiAnalyzer unit

    register the FortiGate unit with the FortiAnalyzer unit

    The following topics are included in this section:

    Configuring the FortiGate unit

    Enabling logging on the FortiGate unit

    Configuring the FortiAnalyzer unit

    Configuring the FortiGate unit

    Configure the FortiGate unit to send log information to the FortiAnalyzer unit and

    verify the connection. The FortiGate unit will send all log messages to the

    FortiAnalyzer unit.

    To configure log settings

    1 Go to Log&Report > Log Config > Log Setting.

    2 Select FortiAnalyzer.

    3 Select the blue arrow next to FortiAnalyzer to expand the options.

    4 Select a log level.

    For maximum reporting capabilities, select Information.

    5 Select Static IP Address.

    6 Enter the IP address of the FortiAnalyzer unit and select Apply.

    To verify the connection

    1 Select Test Connectivity.

    You will see a connection summary window confirming the connection. If the

    connection fails, verify the IP address.

    2 Select Close.

    The FortiGate unit is now configured to send log information to the FortiAnalyzer, enabling the FortiAnalyzer to generate reports.

    Enabling logging on the FortiGate unit

    You must enable logging on the FortiGate unit in order to send logs to the

    FortiAnalyzer unit. There are multiple logging options available.

    For the examples in this document, you will enable logging options in the following

    steps:


    Enabling traffic logging

    Enabling event logging

    Enabling firewall policy traffic logging

    Enabling service logs

    Enabling traffic logging

    Enable traffic logging to record any traffic to and from the interface.

    To enable traffic logging

    1 Go to System > Network > Interface.

    2 Select the Edit icon for an interface.

    3 Select Log.

    4 Select OK.

    Enabling firewall policy traffic logging

    Enable the firewall policy traffic logging to record the traffic, both permitted and

    denied by the firewall policy.

    To enable firewall policy traffic logging

    1 Go to Firewall > Policy.

    2 Select the blue arrow for the traffic directional flow to expand the policy list.

    3 Select the Edit icon for a policy.

    4 Select Log Allowed Traffic.

    5 Select OK.

    Enabling event logging

    Enable event logging to record management and activity events, such as when a configuration has changed, or when VPN events occur.

    To enable event logging

    1 Go to Log&Report > Log Config > Event Log.

    2 Select Enable.

    3 Select the following options:

    Firewall authentication event

    SSL VPN user authentication event

    SSL VPN session event

    4 Select Apply.

    Enabling service logs

    Enable service logging to record the activity of the FortiGate protection profile,

    such as blocked content or web sites.

    To enable service logging

    1 Go to Firewall > Protection Profile.


    2 Select the Edit icon for a profile.

    3 Select the blue arrow for Logging to expand the logging options.

    4 Select the following options:

    Oversized Files / Emails

    Content Block

    URL Filter

    Log Intrusions

    5 Select OK.

    Configuring the FortiAnalyzer unit

    You must configure the FortiAnalyzer unit to accept log information from

    registered FortiGate units and to send reports by email.

    Configuring the FortiAnalyzer unit includes the following steps:

    Registering the FortiGate unit

    Configuring the mail server

    Registering the FortiGate unit

    You must register the FortiGate unit that sends log information to the

    FortiAnalyzer unit. By default, the FortiAnalyzer unit will add the FortiGate unit to

    its device list. However, you will not be able to generate reports until you register

    the FortiGate unit.

    To register a FortiGate unit

    1 Go to Devices > All.

    The FortiGate unit will appear in the device list.

    2 Select the Add icon for the FortiGate unit.

    The Add icon for an unregistered FortiGate unit is the same as the Edit icon for a

    registered unit.

    3 Select FortiGate from the Device Type list.

    4 Enter a device name, such as WiFi-60A.

    5 The serial number of the FortiGate unit automatically appears in the Device ID

    field.

    Keep all other settings on the Add Device page as defaults.

    6 Select OK.

    The FortiGate unit is now registered to send log information to the FortiAnalyzer.

    Configuring the mail server

    You must configure a DNS server and an SMTP server to send reports by email,

    and test the configuration. The FortiGate unit uses the SMTP server name to

    connect to the mail server, and must look up this name on your DNS server.


    To configure the mail server

    1 Go to System > Alerts > Mail Server.

    2 Select Create New.

    3 Select Enable Authentication.

    4 Enter the name/address of the SMTP server.

    5 Enter the user name for logging on to the SMTP server in the E-Mail Account field.

    6 Enter the password for logging on to the SMTP server.

    To configure the DNS server

    1 Go to System > Network > DNS.

    2 Enter the primary DNS server IP address that the FortiAnalyzer unit can connect

    to.

    3 Enter a secondary DNS server IP address.

    To test the mail server configuration

    1 Go to System > Alerts > Mail Server.

    2 Select Modify.

    3 Select Test Server.

    4 Enter an email address and select Test.

    Investigating suspected abuse of web access

    This section describes how to configure a report about the web activity of a user.

    The situation

    A manager suspects that an employee is surfing the Web during working hours.

    The manager has asked you to send him a report on the web activity of the

    suspected employee by email.

    The employee's IP address is 192.168.2.110.

    In this situation, you will need to find:

    web sites the user visited

    the time of day the visits occurred

    For this report, we will examine the web activity of the user over a two week

    period.

    Configuring the report profile

    Configuring a report profile includes the following steps:

    Creating a new report profile

    Setting the devices

    Setting the report scope

    Setting the report type

    Setting the report format

    Setting the report output

    Saving the report profile

    Creating a new report profile

    Create a new report profile.

    To create a new report profile

    1 Go to Report > Config.

    2 Select Create New.

    3 Enter Web_Activity in the Report Name field.

    The report name cannot include spaces.

    4 Enter a report title of Monitoring Web Activity.


    5 Enter a description of This report examines the web activity of a user for the past

    two weeks.

    Setting the devices

    Select the FortiGate unit for the department or office where the user works. The

    FortiAnalyzer unit will examine the logs only from this unit.

    To set the devices

    1 Select the blue arrow for Devices to expand the options.

    2 Select the FortiGate unit from the list.

    Setting the report scope

    Select the time period the report encompasses, and the data filters. For this

    report, you need specific information about a user during a two week period. You

    can narrow the report to only the requested user with the Data Filter.

    To set the report scope

    1 Select the blue arrow for Report Scope to expand the options.

    2 Select the blue arrow for Time Period to expand the options.

    3 Select Last 2 Weeks from the list.

    4 Select the blue arrow for Data Filter to expand the options.

    5 Select Custom.

    6 In the Source(s) field, enter 192.168.2.110, the user's IP address.

    This narrows the scope of the report to only this user.

    Setting the report type

    Specify the type of information the FortiAnalyzer unit collects from the logs. For this report, you need information about the web activity of a particular user during working hours. You can narrow the report to the relevant information in the Web Activity list in the Report Type(s) section.

    To set the report type

    1 Select the blue arrow for Report Type(s) to expand the options.

    2 Select Custom.

    3 Clear all the report types.

    4 Select the blue arrow for Web Activity to expand the report options.

    5 Select the following report types:

    Web Traffic by Day of Week

    Web Traffic by Hour of Day

    Top Web Sites (Connections)

    Top Web Sites (Traffic)

    Top Web Sites by Duration


    Setting the report format

    Configure how the report displays information. Enable IP addresses to display as

    host names. Web sites visited by the user will appear as real URLs rather than as

    IP addresses.

    To set the report format

    1 Select the blue arrow for Report Format to expand the options.

    2 Select For all devices from the Report Results.

    3 Select Resolve Host Names to display web site addresses rather than IP addresses.

    Setting the report output

    Select the format and destination for the report. The FortiAnalyzer unit will email

    this report as a PDF to the manager who requested it.

    To set the output

    1 Select the blue arrow for Output to expand the options.

    2 Select PDF for Email output.

    3 Select Customize subject.

    4 Enter the subject for the email.

    When Customize subject is not selected, the subject of the email will be the name

    of the report.

    5 Enter the email address of the manager in the Email list.

    6 Select Add.

    Saving the report profile

    The report profile is now configured to provide the information required.

    To save the report profile, select OK.

    The FortiAnalyzer unit saves the report profile on its hard drive.

    Using the report profile

    Once the FortiAnalyzer unit has generated and saved the report, it is available for viewing. Reports stay in a catalog on the FortiAnalyzer hard drive. You can run the report again to retrieve updated information.

    Using the report includes the following steps:

    Running the report

    Viewing the report

    Understanding each section of the report

    Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To

    configure the mail server, see Configuring the mail server on page 11.

    Note: Setting a schedule is not required for this report because it is not used regularly, only

    when a similar problem occurs.


    Running the report profile

    Running the report profile will generate all the information specified by the report

    scope and type.

    To run the report

    1 Go to Report > Config.

    2 Select Go for the Web_Activity report.

    The FortiAnalyzer unit generates the report and sends a PDF to the manager by

    email.

    Viewing the report

    You can view reports from the FortiAnalyzer web-based manager.

    To view the report

    1 Go to Report > Browse.

    2 Select the Web_Activity report from the list.

    The report name will be followed by a date and an assigned number, for example, Web_Activity-2006-05-01-1001.

    Understanding each section of the report

    The report will display information in tables and graphs, for example, as shown in

    Figure 1.

    Figure 1: Tables and graphs in the web activity report

    Table 1 gives information about each section of the web activity report.


    Table 1: Sections of the web activity report

    Web Traffic by Day of Week
        This section displays information about the volume of web traffic generated by the user on each day of the week. You can determine if the user's web traffic is constant or if there are unusual variations that do not match the user's workload or schedule.

    Web Traffic by Hour of Day
        This section displays information about the volume of traffic the user generated during each hour of the day. You can determine if the user's web traffic during work hours is reasonable.

    Top Web Sites (Connections)
        This section displays the number of times the user accessed a web site. You can use this information to compare the user's access to work-related and non-work-related web sites.

    Top Web Sites (Traffic)
        This section displays the volume of content accessed on the top web sites. You can use this information to compare the volume of data the user downloaded from work-related and non-work-related web sites.

    Top Web Sites by Duration
        This section displays the amount of time spent on accessing information on each web site. Sites that are accessed or refreshed often will be at the top of this list. You can use this information to determine whether the user accessed or refreshed the content of web sites not related to work, such as news, sports, or stock sites, too often.
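
    The five sections in Table 1 are aggregations over the log entries that pass the Source(s) data filter. The Python sketch below is an added example, not Fortinet code: it applies that filter and computes the same five views so you can see what each section measures. The key=value log layout, the field names (src, host, sent, rcvd, duration), the sample lines and the 09:00-17:00 working-hours window are constructed assumptions; the limit of six items per table is the report default.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log lines in a simplified key=value layout. The field
# names are assumptions for illustration, not the FortiGate log schema.
SAMPLE_LOGS = """\
date=2006-05-01 time=09:15:02 src=192.168.2.110 host=intranet.example.com sent=1200 rcvd=48000 duration=30
date=2006-05-01 time=10:40:11 src=192.168.2.110 host=news.example.org sent=900 rcvd=250000 duration=600
date=2006-05-01 time=10:55:43 src=192.168.2.110 host=news.example.org sent=700 rcvd=120000 duration=420
date=2006-05-02 time=14:05:27 src=192.168.2.110 host=sports.example.net sent=800 rcvd=310000 duration=900
date=2006-05-02 time=14:06:00 src=192.168.2.55 host=news.example.org sent=500 rcvd=90000 duration=60
date=2006-05-06 time=22:30:00 src=192.168.2.110 host=intranet.example.com sent=400 rcvd=20000 duration=15
malformed line without fields
"""

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday"]
REQUIRED = ("date", "time", "src", "host", "sent", "rcvd", "duration")


def parse_line(line):
    """Return a dict of typed fields, or None if the line is unusable."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if any(key not in fields for key in REQUIRED):
        return None
    try:
        fields["when"] = datetime.strptime(
            f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
        for key in ("sent", "rcvd", "duration"):
            fields[key] = int(fields[key])
    except ValueError:
        return None
    return fields


def top(counter, n):
    """Largest n entries, ties broken by name so output is deterministic."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def web_activity_report(log_text, source_ip, top_n=6):
    """Compute the five Table 1 views for one source IP address."""
    by_day, by_hour = Counter(), Counter()
    connections, traffic, duration = Counter(), Counter(), Counter()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # count unparsable lines instead of hiding them
            continue
        if rec["src"] != source_ip:
            continue              # the Source(s) data filter
        volume = rec["sent"] + rec["rcvd"]
        by_day[DAYS[rec["when"].weekday()]] += volume
        by_hour[rec["when"].hour] += volume
        connections[rec["host"]] += 1
        traffic[rec["host"]] += volume
        duration[rec["host"]] += rec["duration"]
    return {
        "by_day": dict(by_day),
        "by_hour": dict(by_hour),
        "top_sites_connections": top(connections, top_n),
        "top_sites_traffic": top(traffic, top_n),
        "top_sites_duration": top(duration, top_n),
        "skipped": skipped,
    }


def work_hours_share(by_hour, start=9, end=17):
    """Fraction of traffic volume that falls in [start, end) o'clock."""
    total = sum(by_hour.values())
    if total == 0:
        return 0.0
    inside = sum(v for hour, v in by_hour.items() if start <= hour < end)
    return inside / total


if __name__ == "__main__":
    report = web_activity_report(SAMPLE_LOGS, "192.168.2.110")
    for section, value in report.items():
        print(section, value)
    print("work_hours_share", round(work_hours_share(report["by_hour"]), 3))
```

    A nonzero skipped count means some log lines were not counted, so the totals understate activity and the source logs should be checked before the report is relied on.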


    Logging IPs and requested services

    This section describes how to find the IPs that visited the FortiGate unit, and to find what services were requested in the last week.

    The situation

    The network administration wants to track the type of traffic through the FortiGate

    unit. They asked you to send them a weekly report by email to track the

    performance of the network with respect to the number of hits the network

    received during the week. Also, they want to be aware of the demand for certain

    services in order to allocate bandwidth more efficiently.

    For this report, you will examine the network activity during the last week.

    Configuring the report profile

    Configuring the report includes the following steps:

    Creating a new report profile

    Setting the devices

    Setting the report scope

    Setting the report type

    Setting the report format

    Setting the report schedule

    Setting the report output

    Saving the report profile

    Creating a new report profile

    Create a new report profile.

    To create a new report profile

    1 Go to Report > Config.

    2 Select Create New.

    3 Enter IPs_and_services in the Report Name field.

    The report name cannot include spaces.

    4 Enter a report title of IPs and requested services.

    5 Enter a description of This report lists the IPs that visited the FortiGate unit, and

    the services requested during the past week.


    Setting the devices

    Select the FortiGate unit. The FortiAnalyzer unit will examine the logs from this

    unit.

    To set the devices

    1 Select the blue arrow for Devices to expand the options.

    2 Select the FortiGate unit from the list.

    Setting the report scope

    Select the time period the report encompasses.

    To set the report scope

    1 Select the blue arrow for Report Scope to expand the options.

    2 Select the blue arrow for Time Period to expand the options.

    3 Select Last 7 Days for Time Period.

    Setting the report type

    Select the type of information the report will collect from the logs. For this report, you need information about:

    network use by IPs

    the services, such as http and ssh, requested by network users

    You can narrow the report to the relevant information in the Network Activity and

    Terminal Activity lists in the Report Type(s) section.

    To set the report type

    1 Select the blue arrow for Report Type(s) to expand the options.

    2 Select Custom.

    3 Clear all the boxes in the list of report types.

    4 Select the blue arrow for Network Activity to expand the options.

    5 Select the following report types:

    Traffic by Top Services and Direction

    Traffic by Top Sources and Top Services

    Traffic by Top Destinations and Top Services

    6 Select the blue arrow for Terminal Activity to expand the options.

    7 Select Terminal Traffic by Date and Service.

    Setting the report format

    Configure how the report displays information. Enable IP addresses to display as

    host names. Web pages visited by users will appear as real URLs rather than as

    IP addresses. The FortiAnalyzer unit can also display services by names rather

    than by port numbers.

    To set the report format

    1 Select the blue arrow next to Report Format to expand the options.

    2 Select For all devices from the Report Results list.

    3 Select Resolve Host Names to display host names by name, not IP address.

    4 Select Resolve Service Names to display network service names rather than port

    numbers. For example, HTTP rather than port 80.

    By default, there are six items in tables and graphs in the report. For example, in

    the Traffic by Top Services and Direction table, the top six services will be shown. The default number can be changed in the Advanced section of the Report

    Format page. For this report, you will need the top ten services.

    To set the number of items in lists

    1 Select the blue arrow next to Advanced to expand the options.

    2 Enter 10 for the values for the first variable (1..12).

    Setting the report schedule

    Configure the schedule so that the report runs automatically every week.

    To set the schedule

    1 Select the blue arrow for Schedule to expand the options.

    2 Select These Days.

    3 Select Sun.

    4 Select a time of 18 to run the report at 6 p.m.

    Setting the report output

    Select the format and destination for the report. The FortiAnalyzer unit will email this

    report as a PDF to the network administration staff.

    To set the output

    1 Select the blue arrow for Output.

    2 Select PDF for Email output.

    3 Select Customize subject.

    4 Enter the subject for the email.

    When Customize subject is not selected, the subject of the email will be the name

    of the report.

    5 Enter the email addresses of the network administration staff in the Email list.

    6 Select Add.

    Saving the report profile

    The report profile is now configured to provide the information required.

    To save the report profile, select OK.

    The FortiAnalyzer unit saves the report profile on its hard drive.

    Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To

    configure the mail server, see Configuring the mail server on page 11.

    Using the report profile

    Once the FortiAnalyzer unit has generated and saved the report, it is available for

    viewing. Reports stay in a catalog, and you can run the report again to retrieve

    updated information.

    Using the report includes the following steps:

    Running the report

    Viewing the report

    Understanding each section of the report

    Running the report profile

    Running the report profile will generate all the information specified by the report

    scope and type.

    To run the report

    1 Go to Report > Config.

    2 Select Go for the IPs_and_services report.

    The FortiAnalyzer unit generates the report and sends a PDF to the network

    administrators by email.

    Viewing the report

    You can view reports from the FortiAnalyzer web-based manager.

    To view the report

    1 Go to Report > Browse.

    2 Select the IPs_and_services report from the list.

    The report name will be followed by a date and an assigned number, for example,

    IPs_and_services-2006-05-01-1001.

    Understanding each section of the report

    The report will display information in tables and graphs, for example, as shown in

    Figure 2 and Figure 3.

    Figure 2: Table in the IPs and services report

    Figure 3: Graph in the IPs and services report

    Table 2 gives information about each section of the IPs and services report.

    Table 2: Sections of the IPs and services report

    Traffic by Top Services and Direction

    This section displays the direction of traffic for the most popular services. The direction can be internal, external, outgoing or incoming. Network administrators can find the percentage of network capacity used for each service and determine the need for a network upgrade.

    Traffic by Top Sources and Top Services

    This section displays the services used by the most active users (sources) of the network. The total volume of traffic generated by each user is broken down by service, such as http, pop3 or dns. Network administrators can find the most popular services and determine the market for new services, or for the expansion of existing ones.

    Traffic by Top Destinations and Top Services

    This section displays the most visited web sites and the services accessed through those web sites. Network administrators can determine what the bulk of network traffic is used for.

    Terminal Traffic by Date and Service

    This section displays the traffic used by each service, for every day of the week. Network administrators can use this information to locate peaks in network traffic, and to identify the services that take up the bulk of network capacity. They can further use this information to correlate network traffic with network performance indicators from other sources to see if the volume of traffic affects performance.

    Finding the most visited web sites

    This section describes how to determine the most visited web sites in the last month.

    The situation

    The marketing department of your company publishes a monthly newsletter, and

    wants to include a section on the surfing habits and interests of network users.

    They have asked you to send them a monthly report by email, showing the most

    visited web sites by network users.

    Configuring the report profile

    Configuring the report profile includes the following steps:

    Creating a new report profile

    Setting the devices

    Setting the report scope

    Setting the report type

    Setting the report format

    Setting the report schedule

    Setting the report output

    Saving the report

    Creating a new report profile

    Create a new report profile.

    To create a new report profile

    1 Go to Report > Config.

    2 Select Create New.

    3 Enter hottest_website in the Report Name field.

    The report name cannot include spaces.

    4 Enter a report title of Hottest web sites last month.

    5 Enter a description of This report shows the most visited web sites last month.

    Setting the devices

    Select the FortiGate unit. The FortiAnalyzer unit will examine the logs from this

    unit.

    To set the devices

    1 Select the blue arrow for Devices to expand the options.

    2 Select the FortiGate unit from the list.

    Setting the report scope

    Select the time period the report encompasses.

    To set the report scope

    1 Select the blue arrow for Report Scope to expand the options.

    2 Select the blue arrow for Time Period to expand the options.

    3 Select Last Month for Time Period.

    Setting the report type

    Specify the type of information the report will collect from the logs.

    To set the report type

    1 Select the blue arrow for Report Type(s) to expand the options.

    2 Select Custom.

    3 Clear all the boxes in the list of report types.

    4 Select the blue arrow for WebFilter Activity to expand the options.

    5 Select the following report types:

    Top Categories by Hits

    Top Client Requests to Permitted Categories

    6 Select the blue arrow for Web Activity to expand the options.

    Top Web Sites (Connections)

    Top Web Sites (Traffic)

    Setting the report format

    Configure how the report displays information. Enable IP addresses to display as

    host names so you can identify web sites visited by the users.

    To set the report format

    1 Select the blue arrow next to Report Format to expand the options.

    2 Select For all devices from the Report Results list.

    3 Select Resolve Host Names to display host names by name, not IP address.

    Setting the report schedule

    Configure the schedule so that the report runs automatically every month.

    To set the schedule

    1 Select the blue arrow for Schedule to expand the options.

    2 Select These Dates.

    3 Enter 28 to run the report on the 28th of every month.

    4 Select a time of 18 to run the report at 6 p.m.

    Setting the report output

    Select the format and destination for the report. The FortiAnalyzer unit will email

    this report as a PDF to the marketing department.

    To set the output

    1 Select the blue arrow for Output to expand the options.

    2 Select PDF for Email output.

    3 Select Customize subject.

    4 Enter the subject for the email.

    When Customize subject is not selected, the subject of the email will be the name

    of the report.

    5 Enter the email addresses of the marketing department staff in the Email list.

    6 Select Add.

    Saving the report profile

    The report profile is now configured to provide the information required.

    To save the report profile, select OK.

    The FortiAnalyzer unit saves the report profile on its hard drive.

    Using the report profile

    Once the FortiAnalyzer unit has generated and saved the report, it is available for

    viewing. Reports stay in a catalog on the FortiAnalyzer hard drive. You can run

    the report again to retrieve updated information.

    Using the report includes the following steps:

    Running the report

    Viewing the report

    Understanding each section of the report

    Running the report profile

    Running the report profile will generate all the information specified by the report

    scope and type.

    To run the report

    1 Go to Report > Config.

    2 Select Go for the hottest_website report.

    The FortiAnalyzer unit will generate the report and send a PDF to the manager by

    email.

    Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To

    configure the mail server, see Configuring the mail server on page 11.

    Viewing the report

    You can view reports from the FortiAnalyzer web-based manager.

    To view the report

    1 Go to Report > Browse.

    2 Select the hottest_website report from the list.

    The report name will be followed by a date and an assigned number, for example,

    hottest_website-2006-05-01-1001.

    Understanding each section of the report

    The report will display information in tables and graphs, for example, as shown in

    Figure 4 and Figure 5.

    Figure 4: Table in the most visited web site report

    Figure 5: Graph in the most visited web site report

    Table 3 gives information about each section of the hottest web site report.

    Table 3: Sections of the most visited web site report

    Top Categories by Hits

    This section displays the number of times web sites in each category were accessed by users on the network. The most popular categories show the surfing habits and interests of users.

    Top Client Requests to Permitted Categories

    This section displays the most active users on the network and the number of times those users accessed web sites in each category.

    Top Web Sites (Connections)

    This section displays the top web sites rated by the number of hits they received. This is one of the methods of rating the popularity of a web site.

    Top Web Sites (Traffic)

    This section displays the top web sites rated by the volume of content users downloaded. This is one of the methods of rating the popularity of the content on a web site. A web site accessed often but with low traffic may not be popular since users are not staying to access its content.

    Finding the top email users

    This section describes how to configure a report about the top email users on a network.

    Configuring the report profile

    Configuring a report includes the following steps:

    Creating a new report profile

    Setting the devices

    Setting the report scope

    Setting the report type

    Setting the report format

    Setting the report schedule

    Setting the report output

    Saving the report profile

    Creating a new report profile

    Create a new report profile.

    To create a new report profile

    1 Go to Report > Config.

    2 Select Create New.

    3 Enter Mail_users in the Report Name field.

    The report name cannot include spaces.

    4 Enter a report title of Top mail users.

    5 Enter a description of This report displays the top email users on the network for

    the past month.

    Setting the devices

    Select the FortiGate unit to examine. The FortiAnalyzer unit will examine the logs

    from this unit.

    To set the devices

    1 Select the blue arrow for Devices to expand the options.

    2 Select the FortiGate unit from the list.

    Setting the report scope

    Select the time period the report encompasses.

    To set the report scope

    1 Select the blue arrow for Report Scope to expand the options.

    2 Select the blue arrow for Time Period to expand the options.

    3 Select Last 2 Weeks from the list.

    Setting the report type

    You will now specify the type of information the report will collect from the logs.

    For this report, you need information about the email use on the network. You can

    narrow the report to the relevant information in the MailFilter Activity and the Mail

    Activity lists in the Report Type(s) section.

    To set the report type

    1 Select the blue arrow for Report Type(s) to expand the options.

    2 Select Custom.

    3 Clear all the report types.

    4 Select the blue arrow for MailFilter Activity to expand the options.

    5 Select the following report types:

    Top Mail Senders

    Top Mail Receivers

    6 Select the blue arrow for Mail Activity to expand the options.

    7 Select the following report types:

    Top Mail Clients (Connections)

    Top Mail Clients (Traffic)

    Setting the report format

    Configure how the report displays information. Enable IP addresses to display as

    host names so you can identify web sites visited by the users.

    To set the report format

    1 Select the blue arrow for Report Format to expand the options.

    2 Select For all devices from the Report Results.

    By default, there are six items in tables and graphs in the report. For example, in

    the Top Mail Senders table, the top six senders will be shown. The default number

    can be changed in the Advanced section of the Report Format page. For this

    report, you will need the top five email users.

    To set the number of items in lists

    1 Select the blue arrow next to Advanced to expand the options.

    2 Enter 5 for the values for the first variable (1..12).

    Setting the report schedule

    Select the schedule so that the report runs automatically every week.

    To set the schedule

    1 Select the blue arrow for Schedule to expand the options.

    2 Select These Days.

    3 Select Sun.

    4 Select a time of 18 to run the report at 6 p.m.

    Setting the report output

    Select the format and destination for the report. The FortiAnalyzer will email this report as a PDF to the manager who requested it.

    To set the output

    1 Select the blue arrow for Output to expand the options.

    2 Select PDF for Email output.

    3 Select Customize subject.

    4 Enter the subject for the email.

    When Customize subject is not selected, the subject of the email will be the name

    of the report.

    5 Enter the email addresses of the managers in the Email list.

    6 Select Add.

    Saving the report profile

    The report profile is now configured to provide the information required.

    To save the report profile, select OK.

    The FortiAnalyzer unit saves the report profile on its hard drive.

    Using the report profile

    Once the FortiAnalyzer unit has generated and saved the report, it is available for

    viewing. Reports stay in a catalog, and you can run the report again to retrieve

    updated information.

    Using the report includes the following steps:

    Running the report

    Viewing the report

    Understanding each section of the report

    Running the report profile

    Running the report profile will generate all the information specified by the report

    scope and type.

    To run the report

    1 Go to Report > Config.

    2 Select Go for the Mail_users report.

    Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To

    configure the mail server, see Configuring the mail server on page 11.

    The FortiAnalyzer unit will generate the report and send a PDF to the manager by

    email.

    Viewing the report

    You can view reports from the FortiAnalyzer web-based manager.

    To view the report

    1 Go to Report > Browse.

    2 Select the Mail_users report from the list.

    The report name will be followed by a date and an assigned number, for example,

    Mail_users-2006-05-01-1001.

    Understanding each section of the report

    The report will display information in tables and graphs, for example, as shown in

    Figure 6 and Figure 7.

    Figure 6: Table in the mail users report

    Figure 7: Graph in the mail users report

    Table 4 gives information about each section of the report.

    Table 4: Sections of the mail users report

    Top Mail Senders

    This section displays the email addresses of users that sent the most emails to users on the network.

    Top Mail Receivers

    This section displays the email addresses of users that received the most mail on the network.

    Top Mail Clients (Connections)

    This section displays the IP addresses or host names of the mail clients that received the most hits on the network.

    Top Mail Clients (Traffic)

    This section displays the IP addresses or host names of the mail clients that received the highest volume of email on the network.

    Logging access to blocked content

    This section describes how to configure a report about users who attempted to surf to blocked web sites last month.

    The situation

    The network managers need a report to assess the effectiveness of the web filter

    used by the network and the surfing trends of network users. They have asked

    you to send them a weekly report on the number of attempts to access blocked

    content.

    Configuring the report profile

    Configuring a report profile includes the following steps:

    Creating a new report profile

    Setting the devices

    Setting the report scope

    Setting the report type

    Setting the report format

    Setting the report schedule

    Setting the report output

    Saving the report profile

    Creating a new report profile

    Create a new report profile.

    To create a new report profile

    1 Go to Report > Config.

    2 Select Create New.

    3 Enter Blocked_content in the Report Name field.

    The report name cannot include spaces.

    4 Enter a report title of Accessing blocked content.

    5 Enter a description of This report displays users who attempted to access

    blocked content on the web every week.

    Setting the devices

    Select the FortiGate unit to examine. The FortiAnalyzer unit will examine the logs

    from this unit.

    To set the devices

    1 Select the blue arrow for Devices to expand the options.

    2 Select the FortiGate unit from the list.

    Setting the report scope

    Select the time period the report encompasses, and the data filters. For this report, you need specific information about a user during a two week period. You

    can narrow the report to only the requested user with the Data Filter.

    To set the report scope

    1 Select the blue arrow for Report Scope to expand the options.

    2 Select the blue arrow for Time Period to expand the options.

    3 Select Last 7 Days from the list.

    Setting the report type

    Specify the type of information the report will collect from the logs. For this report,

    you need information about users whose web activity was blocked. You can narrow the report to the relevant information in the WebFilter Activity list in the

    Report Type(s) section.

    To set the report type

    1 Select the blue arrow for Report Type(s) to expand the options.

    2 Select Custom.

    3 Clear all the report types.

    4 Select the blue arrow for WebFilter Activity to expand the options.

    5 Select the following report types:

    Top Client Attempts at Blocked Web Sites

    Total WebFilter Events by Status

    WebFilter Events by Top Sources and Status

    Top Blocked Users

    Top Blocked Sites

    Top Client Attempts to Blocked Categories

    Setting the report format

    Configure how the report displays information. Enable IP addresses to display as

    host names so you can identify web sites visited by the users.

    To set the report format

    1 Select the blue arrow for Report Format to expand the options.

    2 Select For all devices from the Report Results.

    3 Select Resolve Host Names to display web site addresses rather than IP addresses.

    Setting the report schedule

    Configure the schedule so that the report runs automatically every week.

    To set the schedule

    1 Select the blue arrow for Schedule to expand the options.

    2 Select These Days.

    3 Select Sun.

    4 Select a time of 18 to run the report at 6 p.m.

    Setting the report output

    Select the format and destination for the report. The FortiAnalyzer unit will email

    this report as a PDF to the network managers who requested it.

    To set the output

    1 Select the blue arrow for Output to expand the options.

    2 Select PDF for Email output.

    3 Select Customize subject.

    4 Enter the subject for the email.

    When Customize subject is not selected, the subject of the email will be the name of the report.

    5 Enter the email addresses of the network managers in the Email list.

    6 Select Add.

    Saving the report profile

    The report profile is now configured to provide the information required.

    To save the report profile, select OK.

    The FortiAnalyzer unit saves the report profile on its hard drive.

    Using the report profile

    Once the FortiAnalyzer unit has generated and saved the report, it is available for

    viewing. Reports stay in a catalog on the FortiAnalyzer hard drive. You can run

    the report again to retrieve updated information.

    Using the report includes the following steps:

    Running the report

    Viewing the report

    Understanding each section of the report

    Running the report profile

    Running the report profile will generate all the information specified by the report

    scope and type.

    Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To

    configure the mail server, see Configuring the mail server on page 11.

    To run the report

    1 Go to Report > Config.

    2 Select Go for the Blocked_content report.

    The FortiAnalyzer unit will generate the report and send a PDF to the manager by

    email.

    Viewing the report

    You can view reports from the FortiAnalyzer web-based manager.

    To view the report

    1 Go to Report > Browse.

    2 Select the Blocked_content report from the list.

    The report name will be followed by a date and an assigned number, for example,

    Blocked_content-2006-05-01-1001.

    Understanding each section of the report

    The report will display information in tables and graphs, for example, as shown in

    Figure 8 and Figure 9.

    Figure 8: Tables in the blocked content report

    Figure 9: Graphs in the blocked content report

    Table 5 gives information about each section of the report.

    Table 5: Sections of the blocked content report

    Top Client Attempts to Blocked Web Sites

    This section displays the number of attempts to access blocked web sites for users who made the highest number of attempts.

    WebFilter Events by Top Sources and Status

    This section displays the amount of traffic blocked by and allowed through the FortiGate unit, rated by the top users on the network.

    Top Client Attempts at Blocked Categories

    This section displays the top clients that attempted to access blocked content rated by the number of attempts.

    Total WebFilter Events by Status

    This section displays the amount of traffic blocked by and allowed through the FortiGate unit.

    Top Blocked Users

    This section displays the top blocked users rated by the number of blocked attempts at accessing content.

    Top Blocked Sites

    This section displays the top blocked sites rated by the number of blocked attempts at accessing them.
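
    The counts behind several of the Table 5 sections can be recomputed from raw web filter events to cross-check a generated report. The following Python example is added here and is not Fortinet code. The key=value log layout, the field names, the use of the source IP as the user, and the reading of Last 7 Days as the seven days ending on the run date are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed web filter events. The key=value layout and the field names
# (date, src, hostname, cat, status) are assumptions for illustration,
# not the FortiGate log schema.
SAMPLE_LOG = """\
date=2006-04-20 src=10.0.0.5 hostname=games.example cat=Games status=blocked
date=2006-04-25 src=10.0.0.5 hostname=games.example cat=Games status=blocked
date=2006-04-26 src=10.0.0.5 hostname=news.example cat=News status=passed
date=2006-04-27 src=10.0.0.7 hostname=games.example cat=Games status=blocked
date=2006-04-28 src=10.0.0.5 hostname=p2p.example cat=FileSharing status=blocked
date=2006-04-29 src=10.0.0.9 hostname=news.example cat=News status=passed
date=2006-04-30 src=10.0.0.7 hostname=p2p.example cat=FileSharing status=blocked
date=2006-04-30 src=10.0.0.5 hostname=games.example cat=Games status=blocked
this line is malformed and is skipped
"""

REQUIRED = ("date", "src", "hostname", "cat", "status")


def parse_events(text):
    """Turn key=value lines into dicts; skip lines missing a field or a valid date."""
    events = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if not all(key in fields for key in REQUIRED):
            continue
        try:
            fields["date"] = date.fromisoformat(fields["date"])
        except ValueError:
            continue
        events.append(fields)
    return events


def in_scope(events, run_date, days=7):
    """Assumed meaning of the Last 7 Days scope: the 7 days ending on run_date."""
    start = run_date - timedelta(days=days - 1)
    return [e for e in events if start <= e["date"] <= run_date]


def top_n(counter, n=6):
    """Highest counts first, ties broken by key; six is the default list size."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def blocked_content_report(text, run_date, n=6):
    """Recompute report sections from raw events for the given run date."""
    events = in_scope(parse_events(text), run_date)
    blocked = [e for e in events if e["status"] == "blocked"]

    # Per-source breakdown of blocked and passed events.
    by_source = defaultdict(Counter)
    for e in events:
        by_source[e["src"]][e["status"]] += 1
    top_sources = top_n(Counter(e["src"] for e in events), n)

    return {
        "Total WebFilter Events by Status":
            dict(Counter(e["status"] for e in events)),
        "WebFilter Events by Top Sources and Status":
            {src: dict(by_source[src]) for src, _ in top_sources},
        # The source IP stands in for the user (assumption).
        "Top Blocked Users":
            top_n(Counter(e["src"] for e in blocked), n),
        "Top Blocked Sites":
            top_n(Counter(e["hostname"] for e in blocked), n),
        "Top Client Attempts to Blocked Categories":
            top_n(Counter((e["src"], e["cat"]) for e in blocked), n),
    }


if __name__ == "__main__":
    # 2006-04-30 is a Sunday, matching the weekly schedule in the profile.
    report = blocked_content_report(SAMPLE_LOG, date(2006, 4, 30))
    for section, rows in report.items():
        print(section, rows)
```

    Comparing these counts with the emailed PDF for the same week is a quick check that the device selection and report scope in the profile cover the logs you intended.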
