Chapter 15 Unified Threat Management for FortiOS 5.0 : Other Security Profiles considerations : Monitoring Security Profiles activity
  
Monitoring Security Profiles activity
The first two steps in monitoring activity covered by Security Profiles are to make sure that logging is enabled on the FortiGate and that the firewall policies are configured to collect logs for the traffic that passes through them.
Check the Logging and Reporting handbook for the details of configuring where the logs are stored: locally on disk or in memory, or on a remote service such as a FortiAnalyzer or a syslog server. The important thing is that the logs are being stored somewhere. This is configured by going to Log & Report > Log Config > Log Setting. If you are going to log locally you will also have to enable local logging in the CLI.
The next step is to get the firewall policies to collect traffic logs. In the configuration of a policy there are three logging options:
No Log
Log Security Events
Log all Sessions
Make sure that either Log Security Events or Log all Sessions is selected. Log Security Events records only the sessions in which a Security Profile acted on the traffic; Log all Sessions records every session that matches the policy, which gives a baseline to compare against but uses considerably more log storage.
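The two steps above, written as FortiOS 5.0 CLI commands. This is an added example, not configuration from the handbook; the policy ID (1), the syslog server address (192.0.2.10) and the choice of disk rather than memory logging are placeholders to be replaced with your own values.

```text
# Step 1: make sure logs are stored somewhere.
# Local disk logging (for models with a disk); memory logging uses
# "config log memory setting" with the same status keyword.
config log disk setting
    set status enable
end

# Optional: also send logs to a remote syslog server (placeholder address).
config log syslogd setting
    set status enable
    set server "192.0.2.10"
end

# Step 2: make each firewall policy that carries the traffic collect logs.
#   set logtraffic utm      = "Log Security Events"
#   set logtraffic all      = "Log all Sessions"
#   set logtraffic disable  = "No Log"
config firewall policy
    edit 1
        set logtraffic utm
    next
end
```

To confirm the settings took effect, use "show log disk setting" and "show firewall policy 1"; a policy whose logtraffic is still disable will produce no Security Profiles entries no matter how logging itself is configured.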
There are two ways to view the Security Profiles activity based on the collected logs. The first gives you an overview based on a sampling of logs over time. This is good for spotting trends and getting an idea of the overall impact of a type of Security Profiles threat. For instance, you can see whether a lot of your users are trying to reach sites that you have blocked, or which email protocol is receiving the most blocked email.
Go to Security Profiles > Monitor. From here you can choose information from the different types of Security Profile that you have running.
From the AV Monitor, you can see information relating to the Antivirus Profile: the Top Viruses detected by the FortiGate unit, listing:
Virus name
Last time it was detected
A count of how many times it was detected
From the Web Monitor you can find information relating to Web filtering. You can choose:
Report by FortiGuard Webfilter Category
Top blocked Categories (pie chart and graph)
Total blocked requests
Report by Webfilter Technique
Pie chart of requests (allowed, etc.)
Blocked Requests (Bar chart)
Spam
Banned Word
Virus Archive
FortiGuard
URL Filter
Fragmented
DLP
From the Application Monitor you can get an idea of which applications are being used over your network and who is using them by looking at the charts:
Top Application by Bandwidth
Top Applications by Session Count
Top IP/User for…
From the Intrusion Monitor you can determine what are the Top Attacks against your network. The report will list:
Attack Name
Last time the attack was detected
A count of how many times the attack was used
From the Email Monitor you can see:
Total Emails (pie chart)
Blocked Emails, broken down by
Protocol used
Reason/technique used to block
From the Archive & Data Leak Monitor you can see the:
Top DLP usage by policy
Total Dropped Archives
From the FortiGuard Quota monitor you can check which quotas are currently in effect; the listing shows:
User name
Webfilter Profile
Used Quota
The second way to look at the Security Profiles activity is to look at the individual logs. This is useful for troubleshooting and for verifying what is being tracked and how, because individual log entries display more information about what happened to the traffic in question.
To look at the logs go to Log & Report > Traffic Log > Forward Traffic and search for individual logged events. In order to see just the Security Profiles based events you may first have to display a column that relates to Security Profiles, such as Security Action, Security Event or Security Sub type. Once the appropriate column is displayed in the log window you can filter on the criteria you are searching for. For instance, if you were looking for examples of where your DLP profile stopped some traffic from getting out, you could go to the Security Event column and filter for the event "dlp". The log page will then display only DLP events. You can refine the filter further, adding other columns such as Service or Source, until only the logs that relate to the events you are trying to track are displayed.
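The same filtering and the Monitor-style "top N with last seen" summary described above, applied to exported log lines offline. This is an added example, not code from the handbook or from Fortinet: the sample lines are constructed in FortiOS key=value style, and the field names utmaction, utmevent and utmsubtype are assumed to be what the GUI shows as the Security Action, Security Event and Security Sub type columns; check them against the log reference for your build before relying on them.

```python
"""Filter FortiOS-style forward traffic log lines by Security Profiles event
and summarise them the way the Security Profiles > Monitor pages do."""
import re
from collections import Counter

# Constructed sample records (not captured from a real unit). Field names
# utmaction / utmevent / utmsubtype are assumptions mirroring the GUI columns.
SAMPLE_LOGS = """\
date=2013-06-14 time=13:22:35 logid=0000000013 type=traffic subtype=forward srcip=10.1.100.11 dstip=203.0.113.5 service=HTTP policyid=1 action=deny utmaction=block utmevent=dlp utmsubtype=builtin-patterns
date=2013-06-14 time=13:24:01 logid=0000000013 type=traffic subtype=forward srcip=10.1.100.12 dstip=203.0.113.9 service=HTTP policyid=1 action=accept utmaction=allow
date=2013-06-14 time=13:25:17 logid=0000000013 type=traffic subtype=forward srcip=10.1.100.11 dstip=203.0.113.7 service=SMTP policyid=2 action=deny utmaction=block utmevent=dlp utmsubtype=builtin-patterns
date=2013-06-14 time=13:26:40 logid=0000000013 type=traffic subtype=forward srcip=10.1.100.13 dstip=198.51.100.4 service=HTTP policyid=1 action=deny utmaction=block utmevent=webfilter utmsubtype=ftgd-blk
"""

# key=value pairs; values may be double-quoted (e.g. interface names) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def parse_logs(text):
    """Parse every non-blank line of an exported log file."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def filter_records(records, **criteria):
    """Keep records whose fields equal every criterion, e.g. utmevent="dlp".
    Records lacking a field never match, just as an empty GUI cell would not."""
    return [r for r in records
            if all(r.get(field) == value for field, value in criteria.items())]


def top_by(records, field):
    """(value, count, last_seen) per distinct value, most frequent first.
    This mirrors the Monitor pages' name / count / last-detected columns."""
    counts = Counter()
    last_seen = {}
    for r in records:
        value = r.get(field)
        if value is None:
            continue
        counts[value] += 1
        last_seen[value] = f"{r['date']} {r['time']}"
    return [(value, n, last_seen[value]) for value, n in counts.most_common()]


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    # Equivalent of filtering the Security Event column on "dlp".
    for r in filter_records(records, utmevent="dlp"):
        print(r["date"], r["time"], r["srcip"], "->", r["dstip"], r["service"], r["utmaction"])
    # Equivalent of the Monitor overview: which profiles are acting, how often.
    for value, n, seen in top_by(records, "utmevent"):
        print(f"{value:<10} count={n} last={seen}")
```

Refining the filter in the GUI corresponds to passing more keyword arguments, for example filter_records(records, utmevent="dlp", service="SMTP") to isolate DLP blocks on outbound mail only.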