Monitoring Security Profiles activity
The first two steps in monitoring activity covered by Security Profiles are to make sure that logging is enabled on the FortiGate and that the policies are configured to collect those logs as traffic goes through them.
Check the Logging and Reporting handbook for configuration details such as whether the logs are stored locally on a disk or in memory, or sent to a remote service of some kind such as a FortiAnalyzer or SNMP server. The important thing is that the logs are being stored somewhere. This is configured by going to Log & Report > Log Config > Log Setting. If you are going to log locally you will also have to enable local logging in the CLI.
The next step is to get the firewall policies to collect traffic logs. In the configuration of policies there are three logging options:
• No log
• Log Security events
• Log all Sessions
Make sure that either Log Security events or Log all Sessions is selected.
There are two ways to view the Security Profiles activity based on the collected logs. The first gives you an overview based on a sampling of logs over time. This is good for spotting trends and giving you an idea of the overall impact of a type of Security Profiles threat. For instance, you can see whether a lot of your users are trying to get to sites that you have blocked, or which email protocol is receiving the most blocked email.
Go to Security Profiles > Monitor. From here you can choose information from the different types of Security Profile that you have running.
From the AV Monitor, you can see information relating to the Antivirus Profile.
• What are the Top Viruses coming through the FortiGate unit, listing:
  • Virus name
  • Last time it was detected
  • A count of how many times it was detected
From the Web Monitor you can find information relating to Web filtering. You can choose:
• Report by FortiGuard Webfilter Category
  • Top blocked Categories (pie chart and graph)
  • Total blocked requests
• Report by Webfilter Technique
  • Pie chart of requests (allowed, etc.)
  • Blocked Requests (bar chart)
  • Spam
  • Banned Word
  • Virus Archive
  • FortiGuard
  • URL Filter
  • Fragmented
  • DLP
From the Application Monitor you can get an idea of which applications are being used over your network and who is using them by looking at the charts:
• Top Application by Bandwidth
• Top Applications by Session Count
• Top IP/User for…
From the Intrusion Monitor you can determine what are the Top Attacks against your network. The report will list:
• Attack Name
• Last time the attack was detected
• A count of how many times the attack was used
From the Email Monitor you can see:
• Total Emails (pie chart)
• Blocked Emails, broken down by
  • Protocol used
  • Reason/technique used to block
From the Archive & Data Leak Monitor you can see:
• Top DLP usage by policy
• Total Dropped Archives
From the FortiGuard Quota monitor you can check the status of quotas by seeing which ones are in effect, listing:
• User name
• Webfilter Profile
• Used Quota
The second way to look at the logs of the Security Profiles activity is to look at the individual logs. This is useful for troubleshooting and for verifying what is being tracked and how, because individual logs display more information about what happened to the traffic in question.
To look at the logs go to Log & Report > Traffic Log > Forward Traffic and search for individual logged events. In order to see just the Security Profiles based events you may have to first display a column that relates to Security Profiles, such as Security Action, Security Event or Security Sub Type. Once the appropriate column is displayed in the log window you can then filter based on the criteria that you are searching on. For instance, if you were looking for examples of where your DLP profile stopped some traffic from getting out, you could go to the Security Event column and then filter for the event "dlp". The log page will now only display dlp events. You could then further refine your filter until you are only looking at the logs that relate to the events that you are trying to track.
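As an added example (not from the FortiGate handbook), the following Python script applies the same filter-then-aggregate idea offline to log lines in FortiGate's key=value syntax: it keeps only events of one security subtype (here dlp), as the Security Event column filter does, and builds the count / last-seen table that the Top Viruses and Top Attacks monitors show. Field names such as subtype, action and virus follow FortiGate's log format, but the sample events, addresses and profile names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate's key=value log syntax (not real events).
SAMPLE_LOGS = [
    'date=2024-03-01 time=10:01:02 type=utm subtype=dlp action=block srcip=10.0.0.5 dstip=203.0.113.7 profile="dlp-outbound"',
    'date=2024-03-01 time=10:02:15 type=traffic subtype=forward action=accept srcip=10.0.0.5 dstip=203.0.113.8',
    'date=2024-03-01 time=10:03:40 type=utm subtype=virus action=blocked srcip=10.0.0.9 dstip=198.51.100.2 virus="EICAR_TEST_FILE"',
    'date=2024-03-01 time=10:05:01 type=utm subtype=dlp action=block srcip=10.0.0.12 dstip=203.0.113.7 profile="dlp-outbound"',
    'date=2024-03-01 time=10:06:30 type=utm subtype=virus action=blocked srcip=10.0.0.5 dstip=198.51.100.2 virus="EICAR_TEST_FILE"',
    'date=2024-03-01 time=10:07:00 type=utm subtype=webfilter action=blocked srcip=10.0.0.5 dstip=192.0.2.4 catdesc="Malicious Websites"',
]

# key=value pairs; values may be quoted (and then contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def filter_events(lines, subtype):
    """Equivalent of filtering the Security Event column: keep only one subtype."""
    return [rec for rec in map(parse_line, lines) if rec.get("subtype") == subtype]


def top_by_field(records, field):
    """Count occurrences per value of `field` and remember when it was last seen,
    like the Top Viruses / Top Attacks tables under Security Profiles > Monitor."""
    stats = defaultdict(lambda: {"count": 0, "last_seen": ""})
    for rec in records:
        key = rec.get(field)
        if key is None:
            continue  # record has no such field (e.g. a plain traffic log)
        entry = stats[key]
        entry["count"] += 1
        # date and time are zero-padded, so string comparison orders correctly
        entry["last_seen"] = max(entry["last_seen"], rec["date"] + " " + rec["time"])
    return sorted(stats.items(), key=lambda kv: kv[1]["count"], reverse=True)


if __name__ == "__main__":
    for rec in filter_events(SAMPLE_LOGS, "dlp"):
        print("DLP", rec["action"], rec["srcip"], "->", rec["dstip"], rec["profile"])
    for name, s in top_by_field(filter_events(SAMPLE_LOGS, "virus"), "virus"):
        print(name, s["count"], "last seen", s["last_seen"])
```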