What's new in FortiOS 5.4

New Consoles

In FortiOS 5.4, a variety of new consoles have been added to FortiView:

FortiView Policies console

The new Policies console works similarly to other FortiView consoles and allows administrators to monitor policy activity, and thereby decide which policies are most and least active. This helps the administrator to discern which policies are unused and can be deleted.

In addition, you have the ability to click on any policy in the table to drill down to the Policies list and view or edit that policy. You can view this new console in either Table or Bubble Chart view.

FortiView Interfaces console

The new Interfaces console works similarly to other FortiView consoles and allows administrators to perform current and historical monitoring per interface, with the ability to monitor bandwidth in particular. You can view this new console in either Table or Bubble Chart view.

FortiView Countries console

A new Countries console has been introduced to allow administrators to filter traffic according to source and destination countries. This console includes the option to view the Country Map visualization (see below).

FortiView Device Topology console

The new Device Topology console provides an overview of your network structure in the form of a Network Segmentation Tree diagram (see below).

FortiView Traffic Shaping console

A new Traffic Shaping console has been introduced to improve monitoring of existing Traffic Shapers.

Information displayed includes Shaper info, Sessions, Bandwidth, Dropped Bytes, and more.

FortiView Threat Map console

A new Threat Map console has been introduced to monitor risks coming from various international locations arriving at a specific location, depicted by the location of a FortiGate on the map (see below).

FortiView Failed Authentication console

A Failed Authentication console has been added under FortiView that allows you to drill down into an entry to view the logs. This new console is particularly useful in determining whether or not the FortiGate is under a brute force attack. If an administrator sees multiple failed login attempts from the same IP, they could (for example) add a local-in policy to block that IP.

The console provides a list of unauthorized connection events in the log, including the following:

  • unauthorized access to an admin interface (telnet, ssh, http, https, etc.)
  • failure to query SNMP (v3), or queries from outside of the authorized range (v1, v2, v3)
  • failed attempts to establish any of the following:
      • Dial-up IPsec VPN connections
      • Site-to-site IPsec VPN connections
      • SSL VPN connections
      • FGFM tunnel
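
The triage this console supports can also be run offline. The following is an added example, not Fortinet code: it counts failed logins per source IP in a sliding window over exported key=value event log lines. The sample lines are constructed, and the field names srcip, status and logdesc, the threshold and the window length are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation-range IPs). The key=value layout and
# the field names srcip/status/logdesc are assumptions for this example.
SAMPLE_LOG = """\
date=2016-03-01 time=10:00:00 logdesc="Admin login failed" srcip=198.51.100.20 user="admin" status=failed
date=2016-03-01 time=10:00:05 logdesc="Admin login failed" srcip=203.0.113.7 user="admin" status=failed
date=2016-03-01 time=10:00:20 logdesc="Admin login failed" srcip=203.0.113.7 user="root" status=failed
date=2016-03-01 time=10:00:45 logdesc="Admin login failed" srcip=203.0.113.7 user="admin" status=failed
date=2016-03-01 time=10:01:10 logdesc="Admin login successful" srcip=192.0.2.10 user="admin" status=success
date=2016-03-01 time=10:10:00 logdesc="Admin login failed" srcip=198.51.100.20 user="admin" status=failed
date=2016-03-01 time=10:20:00 logdesc="Admin login failed" srcip=198.51.100.20 user="admin" status=failed
"""

PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in PAIR.findall(line)}

def brute_force_sources(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {source IP: peak failure count} for sources that reach
    `threshold` failed logins within `window`. Input must be time-ordered."""
    recent = defaultdict(deque)   # srcip -> timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("status") != "failed" or not rec.keys() >= {"srcip", "date", "time"}:
            continue              # successes and incomplete records are ignored
        ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        seen = recent[rec["srcip"]]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()        # expire attempts older than the window
        if len(seen) >= threshold:
            peaks[rec["srcip"]] = max(peaks.get(rec["srcip"], 0), len(seen))
    return peaks

if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60 s; candidate for a local-in deny policy")
```

A source that fails slowly over a long period (198.51.100.20 in the sample) stays below the threshold, so the window length should be tuned against the lockout settings in use.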

FortiView WiFi Clients console

The WiFi Clients console has been added to FortiView in FortiOS 5.4. As you might expect, you can use this console to display top wireless user network usage and information. You can drill down to filter the information that is displayed.

Information displayed includes Device, Source IP, Source SSID, AP, and more.

New FortiView Visualizations

New visualization support has been added to FortiView via the Bubble Chart and the Country Map.

Bubble Chart Visualization

Notes about the Bubble Chart:
  • It is possible to sort on the Bubble Chart using the Sort By: dropdown menu.
  • The size of each bubble represents the related amount of data.
  • Place your cursor over a bubble to display a tool-tip with detailed info on that item.
  • You can click on a bubble to drill down into greater (filtered) detail.

Country Map Visualization

Notes about the Country Map:
  • The Country Map is only available in the Countries dashboard.
  • It is possible to sort on the Country Map using the Sort By: dropdown menu.
  • Place your cursor over any country to display a tool-tip with detailed info on that country's traffic.
  • The colour gradient on the map indicates the traffic load, where red indicates the more critical load.
  • Click on any country to drill down into greater (filtered) detail.

Threat Map Visualization

Notes about the Threat Map:
  • Threats from various international destinations will be shown, but only those arriving at your destination, as depicted by the FortiGate.
  • Place your cursor over the FortiGate's location to display the device name, the IP address, and the city name/location.
  • A visual list of threats is shown at the bottom, displaying the location, severity, and nature of the attacks.
  • The colour gradient of the darts on the map indicates the traffic risk, where red indicates the more critical risk.
  • Click on any country to drill down into greater (filtered) detail.

Device Topology Visualization

Notes about Device Topology:
  • Place your cursor over any object in the visualization to display the device name, the IP address, Sessions, sent and received Bytes and Packets, Bandwidth, and Dropped Bytes.
  • In many cases, such as Internal Network Firewall (INFW) deployments, there are multiple FortiGates performing NAT before a host reaches the external-facing WAN. In such a situation, a bubble chart depicting internal traffic may be inaccurate because the biggest bubble will be a FortiGate that is NAT'ing hundreds of endpoints behind it. This page solves that issue by ensuring all network elements are given visibility and structured in a human-readable format.

Realtime visualization

In addition to these new visualization options, you can now also enable realtime visualization.

To enable realtime visualization:
  1. Click on the Settings icon next to the upper right-hand corner and select Auto update realtime visualizations.
     An option is displayed to set the Interval (seconds). The maximum value is 300.
  2. Enter a desired Interval and click Apply.

Links created between FortiView and View/Create Policy

The Policy column in FortiView consoles and the Log Viewer pages has changed to a link, which navigates to the IPv4 or IPv6 policy list and highlights the policy.

Right-clicking on a row in FortiView or the Log Viewer has menu items for Block Source, Block Destination and Quarantine Source where appropriate columns are available to determine these values. When multiple rows are selected, the user will be prompted to create a named Address Group to contain the new addresses.

When the user clicks Block Source or Block Destination they are taken to a policy creation page with enough information filled in to create a policy blocking the requested IP traffic.

The policy page will feature an informational message block at the top describing the actions that will be taken. Once the user submits the form, the requisite addresses, groups and policy will be created at once.

If the user clicks on Quarantine User then they will be prompted for a duration. They may also check a box for a Permanent Ban. The user can manage quarantined users under Monitor > User Quarantine Monitor.

Visualization support for the Admin Logins page

A useful chart is now generated for Admin login events under FortiView > Admin Logins. You can view the information in either Table View or Timeline View (shown below). In Timeline View, each line represents one administrator, with individual sessions indicated per administrator line. When you hover over a particular timeline, detailed information appears in a tooltip.

New bandwidth column added to realtime FortiView pages

The FortiView console provides a new bandwidth column that displays information for bandwidth calculated on a per-session level, providing administrators the ability to sort realtime bandwidth usage in descending order.

Accelerated session filtering on All Sessions page

By default, on a FortiGate unit with NP6 processors, when you enable traffic logging in a firewall policy this also enables NP6 per-session accounting. If you disable traffic logging this also disables NP6 per-session accounting. This behavior can be changed using the following command:

    config system np6
        edit np6_0
            set per-session-accounting {disable | all-enable | enable-by-log}
    end

By default, per-session-accounting is set to enable-by-log, which results in per-session accounting being turned on when you enable traffic logging in a policy. This configuration is set separately for each NP6 processor.

When offloaded sessions appear on the FortiView All Sessions console they include an icon identifying them as NP sessions.

You can hover over the NP icon to see some information about the offloaded sessions.

You can also use a FortiASIC Filter to view just the accelerated sessions.

WHOIS Lookup anchor for public IPv4 addresses

Reverse IP lookup is now possible in FortiOS 5.4. A WHOIS lookup icon is available when you mouse over a public IP address in a FortiView log. If you left-click on the lookup icon, a new tab is opened in your browser for www.networksolutions.com, and a lookup is performed on the selected IP address (this option persists after drilling down one level in FortiView).

FortiGuard Cloud App DB identification

FortiView now recognizes FortiGuard Cloud Application database traffic, which is mainly monitored and validated by FortiFlow, an internal application that identifies cloud applications based on IP, Port, and Protocol. Administrators can potentially use this information for WAN Link Load Balancing, for example.

7-day time display

In FortiOS 5.4, the following FortiGate models now support 7-day time display:

  • FortiGate 1000D
  • FortiGate 1500D
  • FortiGate 3700DX
  • FortiGate 3700D

The option for 7-day time display, however, can only be configured in the CLI using the following command:

    config log setting
        set fortiview-weekly-data {enable|disable}
    end

NP4 and NP6 icons showing accelerated sessions (282180)

When viewing sessions in the All Sessions console, information pertaining to NP4/NP6 acceleration is now reflected via an appropriate icon. The tooltip for the icon includes the NP chip type and its total number of accelerated sessions.

Filtering on accelerated sessions (282180)

In addition to NP4/NP6 icons, you can now filter the console on 'FortiASIC' ('Accelerated' versus 'Not Accelerated') sessions.

WHOIS Lookup anchor for public IPv4 addresses (282701)

New Report database construction (280398 267019)

The new report database construction improves performance of reports and FortiView without requiring any configuration changes.

Added a Timeline graph for admin events (271389)

Improved monitoring of traffic shapers; added traffic shaping to FortiView (290363)

Failed Authentication Attempts are now visible in FortiView (265890)

Added bandwidth column to FortiView (260896)

FortiView now displays Quarantine Source and appropriate icon in lists (289206)