Tutorial: Generating a vulnerability assessment (VA) report
The following example FortiDB configuration provides step-by-step instructions for creating a vulnerability assessment (VA) report for an Oracle target database.
To complete this example, the Oracle target database requires the following privileges:
CREATE SESSION
SELECT_CATALOG_ROLE
SELECT ON: SYS.AUDIT$, SYS.REGISTRY$HISTORY, SYS.USER$, SYS.LINK$, SYSTEM.SQLPLUS_PRODUCT_PROFILE
For requirements for other types of target databases, see “Privileges for VA assessments, privilege summaries, and penetration tests”.
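As an added example (not part of the FortiDB documentation), the following SQL creates a dedicated scan account with exactly the privileges listed above and then checks for any that are missing. The account name fortidb_va and the password placeholder are assumptions; run it as a DBA on the Oracle target database.

```sql
-- Added example: dedicated least-privilege Oracle account for FortiDB VA scans.
-- fortidb_va is a hypothetical account name; replace the password placeholder.
-- SYS.USER$ and SYS.LINK$ hold credential data, so keep this account
-- dedicated to scanning and do not reuse it for applications.
CREATE USER fortidb_va IDENTIFIED BY "<replace-with-strong-password>";

GRANT CREATE SESSION      TO fortidb_va;
GRANT SELECT_CATALOG_ROLE TO fortidb_va;
GRANT SELECT ON SYS.AUDIT$                     TO fortidb_va;
GRANT SELECT ON SYS.REGISTRY$HISTORY           TO fortidb_va;
GRANT SELECT ON SYS.USER$                      TO fortidb_va;
GRANT SELECT ON SYS.LINK$                      TO fortidb_va;
GRANT SELECT ON SYSTEM.SQLPLUS_PRODUCT_PROFILE TO fortidb_va;

-- Check: compare the privileges the tutorial requires with what the
-- account actually holds. Each returned row is a missing privilege.
WITH required AS (
  SELECT 'CREATE SESSION' AS priv FROM dual UNION ALL
  SELECT 'SELECT_CATALOG_ROLE' FROM dual UNION ALL
  SELECT 'SELECT ON SYS.AUDIT$' FROM dual UNION ALL
  SELECT 'SELECT ON SYS.REGISTRY$HISTORY' FROM dual UNION ALL
  SELECT 'SELECT ON SYS.USER$' FROM dual UNION ALL
  SELECT 'SELECT ON SYS.LINK$' FROM dual UNION ALL
  SELECT 'SELECT ON SYSTEM.SQLPLUS_PRODUCT_PROFILE' FROM dual
),
granted AS (
  -- System privileges granted directly to the account
  SELECT privilege AS priv
    FROM dba_sys_privs WHERE grantee = 'FORTIDB_VA'
  UNION ALL
  -- Roles granted directly to the account
  SELECT granted_role
    FROM dba_role_privs WHERE grantee = 'FORTIDB_VA'
  UNION ALL
  -- Object privileges, rendered in the same form as the required list
  SELECT privilege || ' ON ' || owner || '.' || table_name
    FROM dba_tab_privs WHERE grantee = 'FORTIDB_VA'
)
SELECT priv AS missing_privilege FROM required
MINUS
SELECT priv FROM granted;
```

An empty result from the final query means the account holds every privilege listed above; this is the database user name and password to enter when you create the target.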
Use the following steps to complete this tutorial:
Create a FortiDB administrator
Create a target
Create a target group
Run a vulnerability assessment of the target group
View the assessment results as a report
 
Create a FortiDB administrator
The FortiDB admin account is required for administrative tasks related to vulnerability assessment (VA) (for example, making backups and creating new accounts). However, for general VA tasks, Fortinet recommends that you create additional administrators with appropriate roles to allow you to separate duties.
1. Log in to FortiDB using the following credentials:
User Name: admin
Password: fortidb1!$
2. In the navigation menu (on the left side of the web UI), click Administration to expand it, and then click Administrators.
3. On the Administrators page, click Add.
4. On the General tab, enter information in the fields marked with an asterisk (*).
For this example, for User Name, enter vauser. For Password, enter fdb!23.
5. On the Roles tab, for Available Roles, select the following options, and then click to add them to the Assigned Roles list:
Target Manager
Operations Manager
Report Manager
6. Click Save.
7. To log out the admin user, click (Logout icon) at the top-right of the screen.
Create a target
A target specifies a database for FortiDB to assess.
1. Log in to FortiDB as the vauser user with the password fdb!23.
Because vauser cannot view or create other users, Administration is not displayed in the navigation menu.
2. In the navigation menu, go to Target Database Server > Targets.
3. On the Targets page, click Add.
4. On the General tab, enter the following information. For this example, the target is an Oracle database:
Name: vatarget
Type: Oracle
DB Host Name/IP: The IP address or name of the machine where the database is located (for example, test_machine or 172.30.12.112)
Port: The number of the port the database uses; the default port is 1521
DB Name: The name of the database (for example, orcl)
User Name: The database user name
Password: The password for the database user
5. To verify that the connection parameters are correct, click Test Connection.
The message “Success” is displayed at the top of the page.
6. Click Save.
The vatarget item is displayed in the list of targets.
Create a target group
You configure FortiDB to assess target groups, not individual targets. A target group can consist of one or more targets.
1. In the navigation menu, click Target Database Server > Target Groups.
2. On the Target Groups page, select Add.
3. On the Targets page, for Group Name, enter a name for your group. For this example, enter mygroup.
4. To filter the list of targets, select the following values:
Column: Name
Operator: Contains
Value: All or part of the name of the target (for example, vatarget or targ)
5. Click Search.
6. Ensure that only the target you created (vatarget) is displayed in the list, and then, to the right of the Group Name field, click Save Group.
7. To verify that the target group you created is in the list of target groups, click Target Database Server > Target Groups.
Run a vulnerability assessment of the target group
1. In the left-side menu, go to Vulnerability Assessment > Assessments.
2. On the Assessments page, click Add.
3. For Assessment Name, enter a name for your new assessment. For this example, enter myscan.
4. To add a target group to your assessment, on the Assessment page, click the Targets tab.
5. In the Available Target Groups list, select mygroup (the target group that you just created), and then select to move mygroup to the Assigned Target Groups list.
6. To add FortiDB policies to your assessment, click the Policies tab.
7. In the Available Policy Groups list, select Oracle Policy Group, and then select to move Oracle Policy Group to the Assigned Policy Groups list.
When you select a policy group in the Available Policy Groups or Assigned Policy Groups list, the group’s policies are displayed in the Active Policies list.
 
Although you can select items in the Active Policies list, you cannot use this list to select policies to execute.
8. Click Save.
On the Assessments page, the myscan assessment is displayed.
9. To run your newly created assessment, select the check box for the myscan item, and then click Run.
In this example, you run the assessment manually and view the results in the web UI. However, FortiDB also allows you to schedule assessments and configure email and SNMP-trap notifications of assessment results. (See “Running an assessment at a specified date and time” and “Sending alert notifications”.)
After approximately a minute, a stop date and time is displayed in the Last Run Time column of the myscan item.
View the assessment results as a report
FortiDB provides several pre-defined reports that can help you analyze your assessments. This example uses the Target Summary Failed Report to view the assessment results. This report summarizes failed policies by number and type.
1. In the navigation menu, go to Report > Pre-Defined VA Reports.
2. On the Pre-Defined Reports page, click Target Summary Failed Report.
3. On the Vulnerability Assessment Target Summary Failed Report page, select the following values:
Assessment Name: myscan
Assessment Time: A date and time when FortiDB ran myscan
Target: The target group associated with myscan (for this example, vatarget)
On the Target Information tab, the parameters of the selected assessment are displayed.
4. Click the Preview Report tab.
After FortiDB compiles it, the report is displayed.
5. To view your report in other formats, at the bottom of the page, for Export as, select one of the following formats, and then click Export:
PDF (.pdf)
Excel (.xls)
Tab (.txt) (tab-delimited)
CSV (.csv) (comma-separated values)
See also
Administrators
Connecting to target databases
Adding or modifying a target group
Vulnerability assessment (VA) policies
Adding or modifying assessments
Reports