TECHNICAL NOTE

Creating Reports with FortiAnalyzer

www.fortinet.com

Creating Reports with FortiAnalyzer 25 May 2006

05-30000-0323-20060525

© Copyright 2006 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction
    About this document
    Fortinet documentation
        Fortinet Knowledge Center
        Comments on Fortinet technical documentation
    Customer service and technical support

Configuring log settings
    Configuring the FortiGate unit
    Enabling logging on the FortiGate unit
        Enabling traffic logging
        Enabling firewall policy traffic logging
        Enabling event logging
        Enabling service logs
    Configuring the FortiAnalyzer unit
        Registering the FortiGate unit
        Configuring the mail server

Investigating suspected abuse of web access
    The situation
    Configuring the report profile
        Creating a new report profile
        Setting the devices
        Setting the report scope
        Setting the report type
        Setting the report format
        Setting the report output
        Saving the report profile
    Using the report profile
        Running the report profile
        Viewing the report
        Understanding each section of the report

Logging IPs and requested services
    The situation
    Configuring the report profile
        Creating a new report profile
        Setting the devices
        Setting the report scope
        Setting the report type
        Setting the report format
        Setting the report schedule
        Setting the report output
        Saving the report profile
    Using the report profile
        Running the report profile
        Viewing the report
        Understanding each section of the report

Finding the most visited web sites
    The situation
    Configuring the report profile
        Creating a new report profile
        Setting the devices
        Setting the report scope
        Setting the report type
        Setting the report format
        Setting the report schedule
        Setting the report output
        Saving the report profile
    Using the report profile
        Running the report profile
        Viewing the report
        Understanding each section of the report

Finding the top email users
    Configuring the report profile
        Creating a new report profile
        Setting the devices
        Setting the report scope
        Setting the report type
        Setting the report format
        Setting the report schedule
        Setting the report output
        Saving the report profile
    Using the report profile
        Running the report profile
        Viewing the report
        Understanding each section of the report

Logging access to blocked content
    The situation
    Configuring the report profile
        Creating a new report profile
        Setting the devices
        Setting the report scope
        Setting the report type
        Setting the report format
        Setting the report schedule
        Setting the report output
        Saving the report profile
    Using the report profile
        Running the report profile
        Viewing the report
        Understanding each section of the report

Introduction

FortiAnalyzer units are network appliances that provide integrated tools for analysis, archive search, log collection, and data storage. Detailed log reports provide historical as well as current analysis of network traffic, such as email, FTP and web browsing activity, to help identify security issues and reduce network misuse and abuse.

This chapter includes the following topics:

About this document

Fortinet documentation

Customer service and technical support

About this document

Using sample scenarios, this document describes how to:

• Configure a FortiGate unit to send log information to a FortiAnalyzer unit

• Configure report profiles with a FortiAnalyzer unit to generate reports

This document contains the following chapters:

Configuring log settings

Investigating suspected abuse of web access

Logging IPs and requested services

Finding the most visited web sites

Finding the top email users

Logging access to blocked content

Fortinet documentation

The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com.

Fortinet Knowledge Center

Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.

Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.

Configuring log settings

This section describes how to:

• configure the FortiGate unit to send log information to the FortiAnalyzer unit

• register the FortiGate unit with the FortiAnalyzer unit

The following topics are included in this section:

Configuring the FortiGate unit

Enabling logging on the FortiGate unit

Configuring the FortiAnalyzer unit

Configuring the FortiGate unit

Configure the FortiGate unit to send log information to the FortiAnalyzer unit and verify the connection. The FortiGate unit will send all log messages to the FortiAnalyzer unit.

To configure log settings

1 Go to Log&Report > Log Config > Log Setting.

2 Select FortiAnalyzer.

3 Select the blue arrow next to FortiAnalyzer to expand the options.

4 Select a log level.

For maximum reporting capabilities, select Information.

5 Select Static IP Address.

6 Enter the IP address of the FortiAnalyzer unit and select Apply.

To verify the connection

1 Select Test Connectivity.

You will see a connection summary window confirming the connection. If the connection fails, verify the IP address.

2 Select Close.

The FortiGate unit is now configured to send log information to the FortiAnalyzer unit, enabling the FortiAnalyzer unit to generate reports.

Enabling logging on the FortiGate unit

You must enable logging on the FortiGate unit in order to send logs to the FortiAnalyzer unit. There are multiple logging options available.

For the examples in this document, you will enable logging options in the following steps:

• Enabling traffic logging

• Enabling event logging

• Enabling firewall policy traffic logging

• Enabling service logs

Enabling traffic logging

Enable traffic logging to record any traffic to and from the interface.

To enable traffic logging

1 Go to System > Network > Interface.

2 Select the Edit icon for an interface.

3 Select Log.

4 Select OK.

Enabling firewall policy traffic logging

Enable the firewall policy traffic logging to record the traffic, both permitted and denied by the firewall policy.

To enable firewall policy traffic logging

1 Go to Firewall > Policy.

2 Select the blue arrow for the traffic directional flow to expand the policy list.

3 Select the Edit icon for a policy.

4 Select Log Allowed Traffic.

5 Select OK.

Enabling event logging

Enable event logging to record management and activity events, such as when a configuration has changed, or when VPN events occur.

To enable event logging

1 Go to Log&Report > Log Config > Event Log.

2 Select Enable.

3 Select the following options:

• Firewall authentication event

• SSL VPN user authentication event

• SSL VPN session event

4 Select Apply.

Enabling service logs

Enable service logging to record the activity of the FortiGate protection profile, such as blocked content or web sites.

To enable service logging

1 Go to Firewall > Protection Profile.

2 Select the Edit icon for a profile.

3 Select the blue arrow for Logging to expand the logging options.

4 Select the following options:

• Oversized Files / Emails

• Content Block

• URL Filter

• Log Intrusions

5 Select OK.

Configuring the FortiAnalyzer unit

You must configure the FortiAnalyzer unit to accept log information from registered FortiGate units and to send reports by email.

Configuring the FortiAnalyzer unit includes the following steps:

• Registering the FortiGate unit

• Configuring the mail server

Registering the FortiGate unit

You must register the FortiGate unit that sends log information to the FortiAnalyzer unit. By default, the FortiAnalyzer unit will add the FortiGate unit to its device list. However, you will not be able to generate reports until you register the FortiGate unit.

To register a FortiGate unit

1 Go to Devices > All.

The FortiGate unit will appear in the device list.

2 Select the Add icon for the FortiGate unit.

The Add icon for an unregistered FortiGate unit is the same as the Edit icon for a registered unit.

3 Select FortiGate from the Device Type list.

4 Enter a device name, such as WiFi-60A.

5 The serial number of the FortiGate unit automatically appears in the Device ID field.

Keep all other settings on the Add Device page as defaults.

6 Select OK.

The FortiGate unit is now registered to send log information to the FortiAnalyzer.

Configuring the mail server

You must configure a DNS server and an SMTP server to send reports by email, and test the configuration. The FortiGate unit uses the SMTP server name to connect to the mail server, and must look up this name on your DNS server.

To configure the mail server

1 Go to System > Alerts > Mail Server.

2 Select Create New.

3 Select Enable Authentication.

4 Enter the name/address of the SMTP server.

5 Enter the user name for logging on to the SMTP server in the E-Mail Account field.

6 Enter the password for logging on to the SMTP server.

To configure the DNS server

1 Go to System > Network > DNS.

2 Enter the primary DNS server IP address that the FortiAnalyzer unit can connect to.

3 Enter a secondary DNS server IP address.

To test the mail server configuration

1 Go to System > Alerts > Mail Server.

2 Select Modify.

3 Select Test Server.

4 Enter an email address and select Test.

Investigating suspected abuse of web access

This section describes how to configure a report about the web activity of a user.

The situation

A manager suspects that an employee is surfing the Web during working hours.

The manager has asked you to send him a report on the web activity of the suspected employee by email.

The employee’s IP address is 192.168.2.110.

In this situation, you will need to find:

• web sites the user visited

• the time of day the visits occurred

For this report, we will examine the web activity of the user over a two week period.

Configuring the report profile

Configuring a report profile includes the following steps:

• Creating a new report profile

• Setting the devices

• Setting the report scope

• Setting the report type

• Setting the report format

• Setting the report output

• Saving the report profile

Creating a new report profile

Create a new report profile.

To create a new report profile

1 Go to Report > Config.

2 Select Create New.

3 Enter “Web_Activity” in the Report Name field.

The report name cannot include spaces.

4 Enter a report title of “Monitoring Web Activity”.

5 Enter a description of “This report examines the web activity of a user for the past two weeks”.

Setting the devices

Select the FortiGate unit for the department or office where the user works. The FortiAnalyzer unit will examine the logs only from this unit.

To set the devices

1 Select the blue arrow for Devices to expand the options.

2 Select the FortiGate unit from the list.

Setting the report scope

Select the time period the report encompasses, and the data filters. For this report, you need specific information about a user during a two week period. You can narrow the report to only the requested user with the Data Filter.

To set the report scope

1 Select the blue arrow for Report Scope to expand the options.

2 Select the blue arrow for Time Period to expand the options.

3 Select Last 2 Weeks from the list.

4 Select the blue arrow for Data Filter to expand the options.

5 Select Custom.

6 In the Source(s) field, enter 192.168.2.110, the user’s IP address.

This narrows the scope of the report to only this user.

Setting the report type

Specify the type of information the FortiAnalyzer unit collects from the logs. For this report, you need information about the web activity of a particular user during working hours. You can narrow the report to the relevant information in the Web Activity list in the Report Type(s) section.

To set the report type

1 Select the blue arrow for Report Type(s) to expand the options.

2 Select Custom.

3 Clear all the report types.

4 Select the blue arrow for Web Activity to expand the report options.

5 Select the following report types:

• Web Traffic by Day of Week

• Web Traffic by Hour of Day

• Top Web Sites (Connections)

• Top Web Sites (Traffic)

• Top Web Sites by Duration

Setting the report format

Configure how the report displays information. Enable IP addresses to display as host names. Web sites visited by the user will appear as real URLs rather than as IP addresses.

To set the report format

1 Select the blue arrow for Report Format to expand the options.

2 Select For all devices from the Report Results.

3 Select Resolve Host Names to display web site addresses rather than IP addresses.

Setting the report output

Select the format and destination for the report. The FortiAnalyzer unit will email this report as a PDF to the manager who requested it.

To set the output

1 Select the blue arrow for Output to expand the options.

2 Select PDF for Email output.

3 Select Customize subject.

4 Enter the subject for the email.

When Customize subject is not selected, the subject of the email will be the name of the report.

5 Enter the email address of the manager in the Email list.

6 Select Add.

Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To configure the mail server, see “Configuring the mail server” on page 11.

Saving the report profile

The report profile is now configured to provide the information required.

To save the report profile, select OK.

The FortiAnalyzer unit saves the report profile on its hard drive.

Note: Setting a schedule is not required for this report because it is not used regularly, only when a similar problem occurs.

Using the report profile

Once the FortiAnalyzer unit has generated and saved the report, it is available for viewing. Reports stay in a catalog on the FortiAnalyzer hard drive. You can run the report again to retrieve updated information.

Using the report includes the following steps:

• Running the report

• Viewing the report

• Understanding each section of the report

Running the report profile

Running the report profile will generate all the information specified by the report scope and type.

To run the report

1 Go to Report > Config.

2 Select Go for the Web_Activity report.

The FortiAnalyzer unit generates the report and sends a PDF to the manager by email.

Viewing the report

You can view reports from the FortiAnalyzer web-based manager.

To view the report

1 Go to Report > Browse.

2 Select the Web_Activity report from the list.

The report name will be followed by a date and an assigned number, for example,

Web_Activity-2006-05-01-1001.

Understanding each section of the report

The report will display information in tables and graphs, for example, as shown in Figure 1.

Figure 1: Tables and graphs in the web activity report

Table 1 gives information about each section of the web activity report.

Table 1: Sections of the web activity report

Web Traffic by Day of Week

This section displays information about the volume of web traffic generated by the user on each day of the week. You can determine if the user’s web traffic is constant or if there are unusual variations that do not match the user’s workload or schedule.

Web Traffic by Hour of Day

This section displays information about the volume of traffic the user generated during each hour of the day. You can determine if the user’s web traffic during work hours is reasonable.

Top Web Sites (Connections)

This section displays the number of times the user accessed a web site. You can use this information to compare the user’s access to work related and non-work related web sites.

Top Web Sites (Traffic)

This section displays the volume of content accessed on the top web sites. You can use this information to compare the volume of data the user downloaded from work related and non-work related web sites.

Top Web Sites by Duration

This section displays the amount of time spent on accessing information on each web site. Sites that are accessed or refreshed often will be at the top of this list. You can use this information to determine whether the user accessed or refreshed the content of web sites not related to work, such as news, sports, or stock sites too often.
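
The five sections in Table 1 are aggregations over the log records that match the profile's Data Filter (source 192.168.2.110) and Time Period (Last 2 Weeks). The following Python code is an added example, not Fortinet code, that reproduces those aggregations over constructed log lines; the key=value record layout and the field names (src, hostname, sent, rcvd, duration) are assumptions, not the documented FortiGate log format.

```python
import shlex
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records. The key=value layout and the field names
# (src, hostname, sent, rcvd, duration) are assumptions made for this example.
SAMPLE_LOGS = """\
date=2006-05-01 time=09:12:44 src=192.168.2.110 hostname="news.example.com" sent=1200 rcvd=48000 duration=35
date=2006-05-01 time=09:40:10 src=192.168.2.110 hostname="news.example.com" sent=900 rcvd=30000 duration=20
date=2006-05-02 time=14:05:31 src=192.168.2.110 hostname="intranet.example.com" sent=500 rcvd=7000 duration=5
date=2006-05-03 time=14:30:00 src=192.168.2.110 hostname="sports.example.net" sent=2000 rcvd=250000 duration=600
date=2006-05-03 time=10:00:00 src=192.168.2.55 hostname="news.example.com" sent=100 rcvd=100 duration=1
date=2006-04-20 time=11:00:00 src=192.168.2.110 hostname="old.example.org" sent=10 rcvd=10 duration=1
date=2006-05-08 time=09:05:00 src=192.168.2.110 hostname="news.example.com" sent=1000 rcvd=20000 duration=15
truncated record with no usable fields
"""

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_line(line):
    """Parse one key=value record; shlex keeps quoted values in one piece."""
    rec = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    rec["when"] = datetime.strptime(
        rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"
    )
    return rec


def web_activity_report(lines, source, end_date, days=14, top=6):
    """Aggregate the five Table 1 sections for one source IP.

    source   -> the Data Filter "Source(s)" value
    end_date -> day the report is run (YYYY-MM-DD); days=14 is "Last 2 Weeks"
    top      -> rows per table; six is the default item count the note mentions
    """
    end = datetime.strptime(end_date, "%Y-%m-%d")
    start = end - timedelta(days=days)
    by_day, by_hour = Counter(), Counter()
    connections, traffic, duration = Counter(), Counter(), Counter()

    for line in lines:
        if not line.strip():
            continue
        try:
            rec = parse_line(line)
        except (KeyError, ValueError):
            continue  # malformed or truncated record: skip rather than abort
        # Data Filter and Time Period: drop other users and out-of-scope dates.
        if rec.get("src") != source or not (start <= rec["when"] < end):
            continue
        volume = int(rec.get("sent", 0)) + int(rec.get("rcvd", 0))
        site = rec.get("hostname") or rec.get("dst", "unknown")
        by_day[DAYS[rec["when"].weekday()]] += volume
        by_hour[rec["when"].hour] += volume
        connections[site] += 1
        traffic[site] += volume
        duration[site] += int(rec.get("duration", 0))

    return {
        "traffic_by_day": dict(by_day),                        # Web Traffic by Day of Week
        "traffic_by_hour": dict(by_hour),                      # Web Traffic by Hour of Day
        "top_sites_connections": connections.most_common(top),  # Top Web Sites (Connections)
        "top_sites_traffic": traffic.most_common(top),          # Top Web Sites (Traffic)
        "top_sites_duration": duration.most_common(top),        # Top Web Sites by Duration
    }


if __name__ == "__main__":
    report = web_activity_report(
        SAMPLE_LOGS.splitlines(), "192.168.2.110", "2006-05-15"
    )
    for section, rows in report.items():
        print(section, rows)
```

In the constructed data the site with the most connections is not the site with the most traffic or the longest duration, which is why the report profile selects all three Top Web Sites report types.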

Logging IPs and requested services

This section describes how to find the IPs that visited the FortiGate unit, and to find what services were requested in the last week.

The situation

The network administration wants to track the type of traffic through the FortiGate unit. They asked you to send them a weekly report by email to track the performance of the network with respect to the number of hits the network received during the week. Also, they want to be aware of the demand for certain services in order to allocate bandwidth more efficiently.

For this report, you will examine the network activity during the last week.

Configuring the report profile

Configuring the report includes the following steps:

• Creating a new report profile

• Setting the devices

• Setting the report scope

• Setting the report type

• Setting the report format

• Setting the report schedule

• Setting the report output

• Saving the report profile

Creating a new report profile

Create a new report profile.

To create a new report profile

1 Go to Report > Config.

2 Select Create New.

3 Enter “IPs_and_services” in the Report Name field.

The report name cannot include spaces.

4 Enter a report title of “IPs and requested services”.

5 Enter a description of “This report lists the IPs that visited the FortiGate unit, and the services requested during the past week”.

Setting the devices

Select the FortiGate unit. The FortiAnalyzer unit will examine the logs from this unit.

To set the devices

1 Select the blue arrow for Devices to expand the options.

2 Select the FortiGate unit from the list.

Setting the report scope

Select the time period the report encompasses.

To set the report scope

1 Select the blue arrow for Report Scope to expand the options.

2 Select the blue arrow for Time Period to expand the options.

3 Select Last 7 Days for Time Period.

Setting the report type

Select the type of information the report will collect from the logs. For this report, you need information about:

• network use by IPs

• the services, such as http and ssh, requested by network users

You can narrow the report to the relevant information in the Network Activity and Terminal Activity lists in the Report Type(s) section.

To set the report type

1 Select the blue arrow for Report Type(s) to expand the options.

2 Select Custom.

3 Clear all the boxes in the list of report types.

4 Select the blue arrow for Network Activity to expand the options.

5 Select the following report types:

• Traffic by Top Services and Direction

• Traffic by Top Sources and Top Services

• Traffic by Top Destinations and Top Services

6 Select the blue arrow for Terminal Activity to expand the options.

7 Select Terminal Traffic by Date and Service.

Setting the report format

Configure how the report displays information. Enable IP addresses to display as host names. Web pages visited by users will appear as real URLs rather than as IP addresses. The FortiAnalyzer unit can also display services by names rather than by port numbers.

To set the report format

1 Select the blue arrow next to Report Format to expand the options.

2 Select For all devices from the Report Results list.

3 Select Resolve Host Names to display host names by name, not IP address.

4 Select Resolve Service Names to display network service names rather than port numbers. For example, HTTP rather than port 80.

By default, there are six items in tables and graphs in the report. For example, in the Traffic by Top Services and Direction table, the top six services will be shown. The default number can be changed in the Advanced section of the Report Format page. For this report, you will need the top ten services.

To set the number of items in lists

1 Select the blue arrow next to Advanced to expand the options.

2 Enter 10 for the values for the first variable (1 12).

Setting the report schedule

Configure the schedule so that the report runs automatically every week.

To set the schedule

1 Select the blue arrow for Schedule to expand the options.

2 Select These Days.

3 Select Sun.

4 Select a time of 18 to run the report at 6 p.m.

Setting the report output

Select the format and destination for the report. The FortiAnalyzer unit will email this report as a PDF to the network administration staff.

To set the output

1 Select the blue arrow for Output.

2 Select PDF for Email output.

3 Select Customize subject.

4 Enter the subject for the email.

When Customize subject is not selected, the subject of the email will be the name of the report.

5 Enter the email addresses of the network administration staff in the Email list.

6 Select Add.

Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To configure the mail server, see “Configuring the mail server” on page 11.

Saving the report profile

The report profile is now configured to provide the information required.

To save the report profile, select OK.

The FortiAnalyzer unit saves the report profile on its hard drive.

Using the report profile

Once the FortiAnalyzer unit has generated and saved the report, it is available for viewing. Reports stay in a catalog, and you can run the report again to retrieve updated information.

Using the report includes the following steps:

• Running the report

• Viewing the report

• Understanding each section of the report

Running the report profile

Running the report profile will generate all the information specified by the report scope and type.

To run the report

1 Go to Report > Config.

2 Select Go for the IPs_and_services report.

The FortiAnalyzer unit generates the report and sends a PDF to the network administrators by email.

Viewing the report

You can view reports from the FortiAnalyzer web-based manager.

To view the report

1 Go to Report > Browse.

2 Select the IPs_and_services report from the list.

The report name will be followed by a date and an assigned number, for example,

IPs_and_services-2006-05-01-1001.

Understanding each section of the report

The report will display information in tables and graphs, for example, as shown in Figure 2 and Figure 3.

Figure 2: Table in the IPs and services report

Figure 3: Graph in the IPs and services report

Table 2 gives information about each section of the IPs and services report.

Table 2: Sections of the IPs and services report

Traffic by Top Services and Direction

This section displays the direction of traffic for the most popular services. The direction can be internal, external, outgoing or incoming. Network administrators can find the percentage of network capacity used for each service and determine the need for a network upgrade.

Traffic by Top Sources and Top Services

This section displays the services used by the most active users (sources) of the network. The total volume of traffic generated by each user is broken down by service, such as http, pop3 or dns. Network administrators can find the most popular services and determine the market for new services, or for the expansion of existing ones.

Traffic by Top Destinations and Top Services

This section displays the most visited web sites and the services accessed through those web sites. Network administrators can determine what the bulk of network traffic is used for.

Terminal Traffic by Date and Service

This section displays the traffic used by each service, for every day of the week. Network administrators can use this information to locate peaks in network traffic, and to identify the services that take up the bulk of network capacity. They can further use this information to correlate network traffic with network performance indicators from other sources to see if the volume of traffic affects performance.

Finding the most visited web sites

This section describes how to determine the most visited web sites in the last month.

The situation

The marketing department of your company publishes a monthly newsletter, and wants to include a section on the surfing habits and interests of network users. They have asked you to send them a monthly report by email, showing the most visited web sites by network users.

Configuring the report profile

Configuring the report profile includes the following steps:

• Creating a new report profile

• Setting the devices

• Setting the report scope

• Setting the report type

• Setting the report format

• Setting the report schedule

• Setting the report output

• Saving the report

Creating a new report profile

Create a new report profile.

To create a new report profile

1 Go to Report > Config.

2 Select Create New.

3 Enter “hottest_website” in the Report Name field.

The report name cannot include spaces.

4 Enter a report title of “Hottest web sites last month”.

5 Enter a description of “This report shows the most visited web sites last month”.

Setting the devices

Select the FortiGate unit. The FortiAnalyzer unit will examine the logs from this unit.

To set the devices

1 Select the blue arrow for Devices to expand the options.

2 Select the FortiGate unit from the list.

Setting the report scope

Select the time period the report encompasses.

To set the report scope

1 Select the blue arrow for Report Scope to expand the options.

2 Select the blue arrow for Time Period to expand the options.

3 Select Last Month for Time Period.

Setting the report type

Specify the type of information the report will collect from the logs.

To set the report type

1 Select the blue arrow for Report Type(s) to expand the options.

2 Select Custom.

3 Clear all the boxes in the list of report types.

4 Select the blue arrow for WebFilter Activity to expand the options.

5 Select the following report types:

• Top Categories by Hits

• Top Client Requests to Permitted Categories

6 Select the blue arrow for Web Activity to expand the options.

• Top Web Sites (Connections)

• Top Web Sites (Traffic)

Setting the report format

Configure how the report displays information. Enable IP addresses to display as host names so you can identify web sites visited by the users.

To set the report format

1 Select the blue arrow next to Report Format to expand the options.

2 Select For all devices from the Report Results list.

3 Select Resolve Host Names to display host names by name, not IP address.

Setting the report schedule

Configure the schedule so that the report runs automatically every month.

To set the schedule

1 Select the blue arrow for Schedule to expand the options.

2 Select These Dates.

3 Enter 28 to run the report on the 28th of every month.

4 Select a time of 18 to run the report at 6 p.m.

Setting the report output

Select the format and destination for the report. The FortiAnalyzer unit will email this report as a PDF to the marketing department.

To set the output

1 Select the blue arrow for Output to expand the options.

2 Select PDF for Email output.

3 Select Customize subject.

4 Enter the subject for the email.

When Customize subject is not selected, the subject of the email will be the name of the report.

5 Enter the email addresses of the marketing department staff in the Email list.

6 Select Add.

Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To configure the mail server, see “Configuring the mail server” on page 11.

Saving the report profile

The report profile is now configured to provide the information required.

To save the report profile, select OK.

The FortiAnalyzer unit saves the report profile on its hard drive.

Using the report profile

Once the FortiAnalyzer unit has generated and saved the report, it is available for viewing. Reports stay in a catalog on the FortiAnalyzer hard drive. You can run the report again to retrieve updated information.

Using the report includes the following steps:

• Running the report

• Viewing the report

• Understanding each section of the report

Running the report profile

Running the report profile will generate all the information specified by the report scope and type.

To run the report

1 Go to Report > Config.

2 Select Go for the hottest_website report.

The FortiAnalyzer unit will generate the report and send a PDF to the manager by email.

Viewing the report

You can view reports from the FortiAnalyzer web-based manager.

To view the report

1 Go to Report > Browse.

2 Select the hottest_website report from the list.

The report name will be followed by a date and an assigned number, for example, hottest_website-2006-05-01-1001.

Understanding each section of the report

The report will display information in tables and graphs, for example, as shown in Figure 4 and Figure 5.

Figure 4: Table in the most visited web site report

Figure 5: Graph in the most visited web site report

Table 3 gives information about each section of the hottest web site report.

Table 3: Sections of the most visited web site report

Top Categories by Hits

This section displays the number of times web sites in each category were accessed by users on the network. The most popular categories show the surfing habits and interests of users.

Top Client Requests to Permitted Categories

This section displays the most active users on the network and the number of times those users accessed web sites in each category.

Top Web Sites (Connections)

This section displays the top web sites rated by the number of hits they received. This is one of the methods of rating the popularity of a web site.

Top Web Sites (Traffic)

This section displays the top web sites rated by the volume of content users downloaded. This is one of the methods of rating the popularity of the content on a web site. A web site accessed often but with low traffic may not be popular since users are not staying to access its content.

Finding the top email users

This section describes how to configure a report about the top email users on a network.

Configuring the report profile

Configuring a report includes the following steps:

• Creating a new report profile

• Setting the devices

• Setting the report scope

• Setting the report type

• Setting the report format

• Setting the report schedule

• Setting the report output

• Saving the report profile

Creating a new report profile

Create a new report profile.

To create a new report profile

1 Go to Report > Config.

2 Select Create New.

3 Enter “Mail_users” in the Report Name field.

The report name cannot include spaces.

4 Enter a report title of “Top mail users”.

5 Enter a description of “This report displays the top email users on the network for the past month”.

Setting the devices

Select the FortiGate unit to examine. The FortiAnalyzer unit will examine the logs from this unit.

To set the devices

1 Select the blue arrow for Devices to expand the options.

2 Select the FortiGate unit from the list.

Setting the report scope

Select the time period the report encompasses.

To set the report scope

1 Select the blue arrow for Report Scope to expand the options.

2 Select the blue arrow for Time Period to expand the options.

3 Select Last 2 Weeks from the list.

Setting the report type

You will now specify the type of information the report will collect from the logs. For this report, you need information about the email use on the network. You can narrow the report to the relevant information in the MailFilter Activity and the Mail Activity lists in the Report Type(s) section.

To set the report type

1 Select the blue arrow for Report Type(s) to expand the options.

2 Select Custom.

3 Clear all the report types.

4 Select the blue arrow for MailFilter Activity to expand the options.

5 Select the following report types:

• Top Mail Senders

• Top Mail Receivers

6 Select the blue arrow for Mail Activity to expand the options.

7 Select the following report types:

• Top Mail Clients (Connections)

• Top Mail Clients (Traffic)

Setting the report format

Configure how the report displays information. Enable IP addresses to display as host names so you can identify web sites visited by the users.

To set the report format

1 Select the blue arrow for Report Format to expand the options.

2 Select For all devices from the Report Results.

By default, there are six items in tables and graphs in the report. For example, in the Top Mail Senders table, the top six senders will be shown. The default number can be changed in the Advanced section of the Report Format page. For this report, you will need the top five email users.

To set the number of items in lists

1 Select the blue arrow next to Advanced to expand the options.

2 Enter 5 for the values for the first variable (1 12).

Setting the report schedule

Select the schedule so that the report runs automatically every week.

To set the schedule

1 Select the blue arrow for Schedule to expand the options.

2 Select These Days.

3 Select Sun.

4 Select a time of 18 to run the report at 6 p.m.

Setting the report output

Select the format and destination for the report. The FortiAnalyzer will email this report as a PDF to the manager who requested it.

To set the output

1 Select the blue arrow for Output to expand the options.

2 Select PDF for Email output.

3 Select Customize subject.

4 Enter the subject for the email.

When Customize subject is not selected, the subject of the email will be the name of the report.

5 Enter the email addresses of the managers in the Email list.

6 Select Add.

Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To configure the mail server, see “Configuring the mail server” on page 11.

Saving the report profile

The report profile is now configured to provide the information required.

To save the report profile, select OK.

The FortiAnalyzer unit saves the report profile on its hard drive.

Using the report profile

Once the FortiAnalyzer unit has generated and saved the report, it is available for viewing. Reports stay in a catalog, and you can run the report again to retrieve updated information.

Using the report includes the following steps:

• Running the report

• Viewing the report

• Understanding each section of the report

Running the report profile

Running the report profile will generate all the information specified by the report scope and type.

To run the report

1 Go to Report > Config.

2 Select Go for the Mail_users report.

The FortiAnalyzer unit will generate the report and send a PDF to the manager by email.

Viewing the report

You can view reports from the FortiAnalyzer web-based manager.

To view the report

1 Go to Report > Browse.

2 Select the Mail_users report from the list.

The report name will be followed by a date and an assigned number, for example, Mail_users-2006-05-01-1001.

Understanding each section of the report

The report will display information in tables and graphs, for example, as shown in Figure 6 and Figure 7.

Figure 6: Table in the mail users report

Figure 7: Graph in the mail users report

Table 4 gives information about each section of the report.

Table 4: Sections of the mail users report

Top Mail Senders

This section displays the email addresses of users that sent the most emails to users on the network.

Top Mail Receivers

This section displays the email addresses of users that received the most mail on the network.

Top Mail Clients (Connections)

This section displays the IP addresses or host names of the mail clients that received the most hits on the network.

Top Mail Clients (Traffic)

This section displays the IP addresses or host names of the mail clients that received the highest volume of email on the network.

Logging access to blocked content

This section describes how to configure a report about users who attempted to surf to blocked web sites last month.

The situation

The network managers need a report to assess the effectiveness of the web filter used by the network and the surfing trends of network users. They have asked you to send them a weekly report on the number of attempts to access blocked content.

Configuring the report profile

Configuring a report profile includes the following steps:

• Creating a new report profile

• Setting the devices

• Setting the report scope

• Setting the report type

• Setting the report format

• Setting the report schedule

• Setting the report output

• Saving the report profile

Creating a new report profile

Create a new report profile.

To create a new report profile

1 Go to Report > Config.

2 Select Create New.

3 Enter “Blocked_content” in the Report Name field.

The report name cannot include spaces.

4 Enter a report title of “Accessing blocked content”.

5 Enter a description of “This report displays users who attempted to access blocked content on the web every week”.

Setting the devices

Select the FortiGate unit to examine. The FortiAnalyzer unit will examine the logs from this unit.

To set the devices

1 Select the blue arrow for Devices to expand the options.

2 Select the FortiGate unit from the list.

Setting the report scope

Select the time period the report encompasses, and the data filters. For this report, you need specific information about a user during a two week period. You can narrow the report to only the requested user with the Data Filter.

To set the report scope

1 Select the blue arrow for Report Scope to expand the options.

2 Select the blue arrow for Time Period to expand the options.

3 Select Last 7 Days from the list.

Setting the report type

Specify the type of information the report will collect from the logs. For this report, you need information about users whose web activity was blocked. You can narrow the report to the relevant information in the WebFilter Activity list in the Report Type(s) section.

To set the report type

1 Select the blue arrow for Report Type(s) to expand the options.

2 Select Custom.

3 Clear all the report types.

4 Select the blue arrow for WebFilter Activity to expand the options.

5 Select the following report types:

• Top Client Attempts at Blocked Web Sites

• Total WebFilter Events by Status

• WebFilter Events by Top Sources and Status

• Top Blocked Users

• Top Blocked Sites

• Top Client Attempts to Blocked Categories

Setting the report format

Configure how the report displays information. Enable IP addresses to display as host names so you can identify web sites visited by the users.

To set the report format

1 Select the blue arrow for Report Format to expand the options.

2 Select For all devices from the Report Results.

3 Select Resolve Host Names to display web site addresses rather than IP addresses.

Setting the report schedule

Configure the schedule so that the report runs automatically every week.

To set the schedule

1 Select the blue arrow for Schedule to expand the options.

2 Select These Days.

3 Select Sun.

4 Select a time of 18 to run the report at 6 p.m.

Setting the report output

Select the format and destination for the report. The FortiAnalyzer unit will email this report as a PDF to the network managers who requested it.

To set the output

1 Select the blue arrow for Output to expand the options.

2 Select PDF for Email output.

3 Select Customize subject.

4 Enter the subject for the email.

When Customize subject is not selected, the subject of the email will be the name of the report.

5 Enter the email addresses of the network managers in the Email list.

6 Select Add.

Note: The mail server must be configured for the FortiAnalyzer to send reports by email. To configure the mail server, see “Configuring the mail server” on page 11.

Saving the report profile

The report profile is now configured to provide the information required.

To save the report profile, select OK.

The FortiAnalyzer unit saves the report profile on its hard drive.

Using the report profile

Once the FortiAnalyzer unit has generated and saved the report, it is available for viewing. Reports stay in a catalog on the FortiAnalyzer hard drive. You can run the report again to retrieve updated information.

Using the report includes the following steps:

• Running the report

• Viewing the report

• Understanding each section of the report

Running the report profile

Running the report profile will generate all the information specified by the report scope and type.

To run the report

1 Go to Report > Config.

2 Select Go for the Blocked_content report.

The FortiAnalyzer unit will generate the report and send a PDF to the manager by email.

Viewing the report

You can view reports from the FortiAnalyzer web-based manager.

To view the report

1 Go to Report > Browse.

2 Select the Blocked_content report from the list.

The report name will be followed by a date and an assigned number, for example, Blocked_content-2006-05-01-1001.

Understanding each section of the report

The report will display information in tables and graphs, for example, as shown in Figure 8 and Figure 9.

Figure 8: Tables in the blocked content report

Figure 9: Graphs in the blocked content report

Table 5 gives information about each section of the report.

Table 5: Sections of the blocked content report

Top Client Attempts to Blocked Web Sites

This section displays the number of attempts to access blocked web sites for users who made the highest number of attempts.

WebFilter Events by Top Sources and Status

This section displays the amount of traffic blocked by and allowed through the FortiGate unit, rated by the top users on the network.

Top Client Attempts at Blocked Categories

This section displays the top clients that attempted to access blocked content rated by the number of attempts.

Total WebFilter Events by Status

This section displays the amount of traffic blocked by and allowed through the FortiGate unit.

Top Blocked Users

This section displays the top blocked users rated by the number of blocked attempts at accessing content.

Top Blocked Sites

This section displays the top blocked sites rated by the number of blocked attempts at accessing them.
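
The tallies behind four of the sections in Table 5, shown as an added example that is not part of the original note and is not Fortinet code: a Python script that applies the Last 7 Days scope and the six-item default to constructed log lines. The key=value layout and the field names (date, time, type, user, src, hostname, status) are assumptions made for illustration, not the FortiGate log schema.

```python
import shlex
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value layout. The field names
# (date, time, type, user, src, hostname, status) are assumptions made for
# this example, not the FortiGate log schema.
SAMPLE_LOG = """\
date=2006-05-20 time=10:00:00 type=webfilter user=alice src=10.0.0.11 hostname=games.example status=blocked
date=2006-05-22 time=09:14:02 type=webfilter user=alice src=10.0.0.11 hostname=games.example status=blocked
date=2006-05-22 time=09:15:40 type=webfilter user=alice src=10.0.0.11 hostname=games.example status=blocked
date=2006-05-23 time=11:02:10 type=webfilter user=bob src=10.0.0.12 hostname=news.example status=allowed
date=2006-05-24 time=13:30:00 type=webfilter user=bob src=10.0.0.12 hostname=games.example status=blocked
date=2006-05-25 time=16:45:12 type=webfilter user=alice src=10.0.0.11 hostname=video.example status=blocked
date=2006-05-26 time=08:00:00 type=traffic user=carol src=10.0.0.13 hostname=news.example status=accept
date=2006-05-26 time=08:05:00 type=webfilter user=carol src=10.0.0.13 hostname=news.example status=allowed
date=2006-05-27 time=bad type=webfilter user=dave src=10.0.0.14 hostname=games.example status=blocked
"""

def parse_line(line):
    """Split one key=value log line into a dict; quoted values may hold spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def load_events(text, end, days=7):
    """Return web filter events inside the report scope (the `days` before `end`)."""
    start = end - timedelta(days=days)
    events = []
    for line in text.splitlines():
        try:
            rec = parse_line(line)
            when = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # malformed line: unbalanced quote, missing or bad timestamp
        if rec.get("type") != "webfilter" or "status" not in rec:
            continue  # other log types do not feed these sections
        if start <= when < end:
            events.append(rec)
    return events

def build_report(events, top_n=6):
    """Compute four report sections; top_n mirrors the six-item default."""
    blocked = [e for e in events if e["status"] == "blocked"]
    by_source = Counter((e.get("user", e.get("src", "unknown")), e["status"]) for e in events)
    return {
        "Total WebFilter Events by Status": Counter(e["status"] for e in events),
        "Top Blocked Users": Counter(e.get("user", "unknown") for e in blocked).most_common(top_n),
        "Top Blocked Sites": Counter(e.get("hostname", "unknown") for e in blocked).most_common(top_n),
        "WebFilter Events by Top Sources and Status": by_source.most_common(top_n),
    }

if __name__ == "__main__":
    report = build_report(load_events(SAMPLE_LOG, datetime(2006, 5, 28, 18, 0)))
    for section, rows in report.items():
        print(section, dict(rows) if isinstance(rows, Counter) else rows)
```

The end time passed in `__main__` matches a Sunday 6 p.m. run, so the first sample line falls outside the seven-day scope and is not counted.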
