A Picture is Worth a Thousand Words: Visualizing FortiOS

By Jeff Crawford | April 15, 2010

So you have your firewall in place and all is working great. You are collecting logs on everything that you need to keep an eye on. But then the problems start. You know something unexpected is happening in the network but what is it? You can look through all that data trying to find the problem, but this can become quite tedious and analogous to looking for the proverbial needle in a haystack.

This is where a picture can greatly help; a chart, to be specific. A chart can help with continuous monitoring and alert you to abnormal data patterns at a glance. The ability to generate specific charts when trying to find a problem can also significantly reduce the time spent hunting through a log.

Besides hunting down problems, using charts for reports is very useful for seeing historical trends and patterns which would be difficult to see in the data alone.

What's In The Box

FortiOS 4.0 MR2 introduces new reporting capabilities, similar to the FortiAnalyzer product family. Users will be able to create charts from their local FortiGate logs for specific reports as well as dashboard monitoring. This powerful reporting system is highly customizable, allowing the user to create their own chart layouts with custom logos. Following is a list of some of the new features available in this new reporting system.

  • Customizable page layout.

  • Reports can support multiple columns

  • Individual fonts, coloring and size for titles, sub titles, headings and more.

  • Ability to embed graphics throughout the report

  • Large selection of pre-configured charts. Just add one to a report with a few easy mouse clicks.

  • Fully customized charts can be created using SQL queries of the log data.

  • Frequently used charts can be added to the favorites list for quick and easy access.

  • Output the report in multiple formats such as PDF and HTML.

  • Schedule the generation time of any report. Useful for running reports in off peak hours and periodic daily, weekly or monthly reports.

Charts and Reports

There will be several types of charts to use when graphing log data such as Pie, Bar, Line and Area charts. Users can create their own custom reports and choose from many of the built-in default charts.

To create a new report the following steps can be followed.

Enabling Report Configuration

  1. Log in to your FortiGate and go to the Log & Report menu item. If you are using VDOMs, choose the appropriate VDOM at the bottom of the menu first.

  2. Navigate to Log Config->Log Setting.

  3. Enable "Local Logging & Archiving" and enable logging to "Disk".

  4. Enable any or all of the SQL Logging options. For example AntiVirus Log.

  5. Choose apply, then refresh your browser.


Create the Report

  1. Navigate again to the Log & Report menu and you will now see a new section called "Report Config"

  2. Expand "Report Config" and choose "Layout"

  3. Click the "Create New" button in the title bar.

  4. Give your report a name, description and you may choose a theme (new themes may be created in the "Theme" section)

  5. Choose an output format and schedule.

  6. Set a report title and subtitle as necessary.

  7. Enable any other options as you like, such as "Table of Contents", "HTML Navigation Bar" etc.

Adding Charts and Other Items

  1. Click the Add button in the "Report Components" section

  2. In the dialog that appears, choose from one of the component types (e.g. text, chart, image, misc)

  3. Then choose an item from the available components.

  4. When adding charts you will have the option of filtering by chart category and favorites to quickly choose from default and/or custom made charts.

  5. Choose the OK button to add the component.

  6. Repeat these steps to add more Report components.

  7. You may edit or delete any of the components.

  8. When satisfied with the layout choose the OK button to save the new report.

Running the Report

  1. If the report is scheduled the report will run at the scheduled time.

  2. To run the report immediately go to Report Config->Layout and enable one or more reports to run.

  3. Choose the Run button on the title bar.

  4. It may take a bit of time to run.

  5. Navigate to Report Access->Disk and view the report by clicking the "Report File" name or a link in the "Other Formats" column.

In the next section I'll discuss an advanced method for getting exactly the type of chart you want to see in your reports.

Advanced Charting

Custom charts can be built using direct SQL queries of the log data. For example, the following steps can be used to create a custom chart for showing the latest virus events over the past 48 hours instead of the default 24 hours.

Create the Dataset

  1. Log in using the terminal, either directly with a third-party application or via the GUI console widget.

  2. Be sure to enter the appropriate VDOM if using VDOMs. For example, to enter the root VDOM:

    config vdom
    edit root

  3. Create a custom dataset using the following CLI commands:

    config report dataset
    edit "latest-virus-last48h"
    set query "select virus, timestamp, src, sport, dst, dport, service, filetype, filefilter, status, msg from antivirus_log where timestamp >= F_TIMESTAMP(\'now\',\'hour\',\'-47\') order by timestamp desc limit 100"
    end
    end


  1. Navigate to Log & Report->Report Config->Chart in the web-based GUI.

  2. Click the "Create New" button in the title bar

  3. Enter a name for the chart.

  4. Find the new data set "latest-virus-last48h" in the dataset drop list.

  5. Add any comments and choose a graph type.

  6. Choose the appropriate X and Y data bindings (e.g. timestamp and virus respectively).

  7. Set up the scale information.

  8. Click the OK button.

Now your chart is ready for use as described previously in creating a report above.
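A dataset query can be checked offline before it is pasted into `config report dataset`. The sketch below is an added example, not code from the original article or from Fortinet: it runs the article's 48-hour query, plus a hypothetical per-virus count variant (`TOP_48H`), against constructed rows in an in-memory SQLite table. The table holds only the columns named in the article's query, and `F_TIMESTAMP` is modelled under the assumption that it returns epoch seconds for "now" shifted by a signed number of hours.

```python
import sqlite3

HOUR = 3600
NOW = 1271332800  # constructed "now": 2010-04-15 12:00:00 UTC
COLS = ("virus timestamp src sport dst dport service "
        "filetype filefilter status msg").split()

# The article's dataset query, and a hypothetical aggregate variant for a bar chart.
LATEST_48H = ("select virus, timestamp, src, sport, dst, dport, service, "
              "filetype, filefilter, status, msg from antivirus_log "
              "where timestamp >= F_TIMESTAMP('now','hour','-47') "
              "order by timestamp desc limit 100")
TOP_48H = ("select virus, count(*) as total from antivirus_log "
           "where timestamp >= F_TIMESTAMP('now','hour','-47') "
           "group by virus order by total desc, virus limit 10")

def f_timestamp(base, unit, offset):
    # Assumed semantics: epoch seconds of 'now' shifted by a signed hour count.
    if base != "now" or unit != "hour":
        raise ValueError("only ('now','hour',n) is modelled here")
    return NOW + int(offset) * HOUR

def event(virus, hours_ago, src):
    # Constructed log row; fields not under test get fixed filler values.
    return (virus, NOW - hours_ago * HOUR, src, 40000, "192.0.2.10", 80,
            "http", "exe", "none", "blocked", "constructed sample")

SAMPLE = [
    event("EICAR_TEST_FILE", 1, "10.0.0.5"),
    event("EICAR_TEST_FILE", 30, "10.0.0.7"),
    event("W32/Sample.A", 46, "10.0.0.5"),
    event("W32/Sample.A", 49, "10.0.0.9"),   # just outside the window
    event("W32/Sample.B", 72, "10.0.0.9"),   # well outside the window
]

def run_dataset(query, rows=SAMPLE):
    # Load the constructed rows and run the query with the stand-in function.
    db = sqlite3.connect(":memory:")
    db.create_function("F_TIMESTAMP", 3, f_timestamp)
    db.execute("create table antivirus_log (%s)" % ", ".join(COLS))
    db.executemany("insert into antivirus_log values (%s)"
                   % ", ".join("?" * len(COLS)), rows)
    return db.execute(query).fetchall()

if __name__ == "__main__":
    for row in run_dataset(TOP_48H):
        print(row)
    print(len(run_dataset(LATEST_48H)), "events in the 48-hour window")
```

The rows placed just inside and just outside the boundary confirm that the `'-47'` offset is what sets the reporting window.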


The new log reporting feature for FortiOS 4.0 MR2 is a powerful tool to help visualize what is happening in your network. I hope you enjoyed this article and this new feature will become a much used tool in your security toolbox.
