Classifying FortiGate network interfaces
After a FortiGate unit is added to the FortiAnalyzer unit, you need to assign each FortiGate network interface to a network interface class (None, LAN, WAN, or DMZ) based on your FortiGate network interface usage. Traffic between classes determines traffic flow directionality for reports.
Through the FortiAnalyzer CLI command config log device, you can classify network interfaces and VLAN subinterfaces according to their connections in your network topology. Functionally classifying the device’s network interfaces and VLAN subinterfaces as None, LAN, WAN or DMZ indirectly defines the directionality of traffic flowing between those network interfaces. For example, FortiAnalyzer units consider log messages of traffic flowing from a WAN class interface to a LAN or DMZ class interface to represent incoming traffic.
Some report types for FortiGate devices include traffic direction (inbound or outbound traffic flow). When the FortiAnalyzer unit generates a report that involves traffic direction, it compares the values in the source and destination interface fields of each log message with your defined network interface classifications to determine the traffic directionality.
The table below illustrates the traffic directionality derived from each possible combination of source and destination interface class.
For more information on classifying FortiGate network interfaces, see the FortiAnalyzer v4.0 MR3 CLI Reference.
Table 12: Traffic directionality by class of the source and destination interface

| Source interface class | Destination interface class | Traffic direction |
|------------------------|-----------------------------|-------------------|
| None                   | All types                   | Unclassified      |
| All types              | None                        | Unclassified      |
| WAN                    | LAN, DMZ                    | Incoming          |
| WAN                    | WAN                         | External          |
| LAN, DMZ               | LAN, DMZ                    | Internal          |
| LAN, DMZ               | WAN                         | Outgoing          |
Example:
Your FortiGate unit has four interfaces, port 1 to port 4. Port 1 is connected to the WAN; Port 2 and Port 3 are connected to the LAN; and Port 4 is connected to the DMZ.
In this case, traffic from Port 1 (WAN) to Port 2 (LAN) is considered incoming, while traffic from Port 2 to Port 1 is considered outgoing.
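To show how Table 12 is applied to the source and destination interface fields of a log message, the following is an added Python example (not FortiAnalyzer's own code). It assumes a constructed interface-to-class map that mirrors the four-port example above, and constructed key=value log lines; an interface missing from the map is treated as class None.

```python
# Added example (not FortiAnalyzer code): derives report traffic direction from
# interface classes according to Table 12. The class map and log lines below are
# constructed for illustration, mirroring the page's four-port example.

INTERFACE_CLASS = {  # hypothetical classification, as would be set via config log device
    "port1": "WAN",
    "port2": "LAN",
    "port3": "LAN",
    "port4": "DMZ",
}

def traffic_direction(src_class: str, dst_class: str) -> str:
    """Return the direction Table 12 assigns to a (source, destination) class pair."""
    internal = {"LAN", "DMZ"}
    # Either side unclassified (None) -> Unclassified, regardless of the other side.
    if src_class == "None" or dst_class == "None":
        return "Unclassified"
    if src_class == "WAN" and dst_class in internal:
        return "Incoming"
    if src_class == "WAN" and dst_class == "WAN":
        return "External"
    if src_class in internal and dst_class in internal:
        return "Internal"
    if src_class in internal and dst_class == "WAN":
        return "Outgoing"
    raise ValueError(f"unknown interface class pair: {src_class!r}, {dst_class!r}")

def classify_log(log_line: str, classes=INTERFACE_CLASS) -> str:
    """Parse srcintf/dstintf from a key=value log line and classify its direction.

    Simple whitespace split: quoted values containing spaces are not handled here.
    An interface absent from the class map is treated as class None.
    """
    fields = dict(kv.split("=", 1) for kv in log_line.split() if "=" in kv)
    src = classes.get(fields.get("srcintf", ""), "None")
    dst = classes.get(fields.get("dstintf", ""), "None")
    return traffic_direction(src, dst)

# Constructed sample log lines in FortiGate key=value style (not real captures).
SAMPLE_LOGS = [
    "date=2012-01-01 time=10:00:00 type=traffic srcintf=port1 dstintf=port2 action=accept",
    "date=2012-01-01 time=10:00:01 type=traffic srcintf=port2 dstintf=port1 action=accept",
    "date=2012-01-01 time=10:00:02 type=traffic srcintf=port2 dstintf=port4 action=accept",
    "date=2012-01-01 time=10:00:03 type=traffic srcintf=port1 dstintf=port5 action=deny",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(classify_log(line))  # Incoming, Outgoing, Internal, Unclassified
```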