This quick how-to guide will go through creating a chart/report on a FortiAnalyzer to show the upload, download and total data transfers for interfaces on a FortiGate.
Enter the following in the 'Query' section:
2. Create chart:
Goto Reports > Chart Library and create a new chart (don't use the wizard to create the chart).
Enter a name, select 'Traffic' for the category, select the dataset you created in step 1 and change the 'Only Show First' to the amount of interfaces you want to show on the chart.
Next go through each column and change the header and the display values to the following:
Column 1:
Header: Interface
Display: Text
Column 2:
Header: Download
Display: Bandwidth (KB/MB/GB)
Column 3:
Header: Upload
Display: Bandwidth (KB/MB/GB)
Column 4:
Header: Total
Display: Bandwidth (KB/MB/GB)
Click 'Ok' to save. Your end chart should look like this:
3. Create report:
Rightclick on the Report section and select 'Create New'
From here give your report a name, select the FortiGates you want to run the report for (or select 'All FortiGates to run it for all of them). Click Apply to save and you'll be taken to this screen:
Now click on 'Edit Template' to configure the chart to be run in the report.
Once here drag a textbox to the 'Header Text' section and type in your report name. Next drag a chart to the main body and select the chart we created in step 2. Your final report should look like this:
This config is done a FortiAnalyzer running 5.0.5.
***Updated with new CASE selector***
***Updated with new CASE selector***
The steps required are as follows:
1. Create dataset
2. Create chart
3. Create report
1. Create dataset:
To create a dataset goto the 'Reports' tab on your FortiAnalyzer then browse to Advanced > Dataset. From here click on 'Create New' and enter a name, select Traffic for the 'Log Type'.
Enter the following in the 'Query' section:
select `srcintf`,
sum(coalesce(`rcvdbyte`,0)) as total_recvd_bytes,
sum(coalesce(`sentbyte`,0)) as total_sent_bytes,
sum(coalesce(`rcvdbyte`,0)+coalesce(`sentbyte`,0))
as total_bytes from $log where $filter group by `srcintf` order by total_bytes desc
Once this is done you can click on the 'Test' button to make sure it's working correctly then click 'Ok' to save. Your final dataset should look something like this:
Goto Reports > Chart Library and create a new chart (don't use the wizard to create the chart).
Enter a name, select 'Traffic' for the category, select the dataset you created in step 1 and change the 'Only Show First' to the amount of interfaces you want to show on the chart.
Next go through each column and change the header and the display values to the following:
Column 1:
Header: Interface
Display: Text
Column 2:
Header: Download
Display: Bandwidth (KB/MB/GB)
Column 3:
Header: Upload
Display: Bandwidth (KB/MB/GB)
Column 4:
Header: Total
Display: Bandwidth (KB/MB/GB)
Click 'Ok' to save. Your end chart should look like this:
Rightclick on the Report section and select 'Create New'
From here give your report a name, select the FortiGates you want to run the report for (or select 'All FortiGates to run it for all of them). Click Apply to save and you'll be taken to this screen:
Once here drag a textbox to the 'Header Text' section and type in your report name. Next drag a chart to the main body and select the chart we created in step 2. Your final report should look like this:
Click 'Save' then 'Return' to go back to the report. Once here click on 'Run Now' to run the report. Once the report is finished click it to open and view!
*** Update ***
Having the interface names show up as system default isn't always ideal (not everyone reading the report will know what port1 references). Luckily you can change the names that the interfaces show up as to make them more relevant in the report.
While the main guts of the dataset remains the same, we add the 'CASE' function when selecting the srcintf and then proceed to change the names to better reflect what each interface is.
For example below I've renamed port1, port3, vdom-link0, ssl.WAN, port2 and vdom-link1 interfaces to WAN, DMZ, WAN-to-LAB, SSL, LAB and LAB-to-SSL respectively.
SELECT (CASE `srcintf`
WHEN 'port1' THEN 'WAN'
WHEN 'port3' THEN 'DMZ'
WHEN 'vdom-link0' THEN 'WAN-to-LAB'
WHEN 'ssl.WAN' THEN 'SSL'
WHEN 'port2' THEN 'LAB'
WHEN 'vdom-link1' THEN 'LAB-to-WAN'
ELSE `srcintf` END) AS src_intf,
sum(coalesce(`rcvdbyte`,0)) AS total_recvd_bytes,
sum(coalesce(`sentbyte`,0)) AS total_sent_bytes,
sum(coalesce(`rcvdbyte`,0)+coalesce(`sentbyte`,0))
AS total_bytes FROM $log WHERE $filter GROUP BY `srcintf` ORDER BY total_bytes desc
Below is a report that shows the original dataset without the CASE function, followed by the original dataset with the newly added CASE function (ie the example above). I'm sure you'll agree the second one makes more sense!
Having the interface names show up as system default isn't always ideal (not everyone reading the report will know what port1 references). Luckily you can change the names that the interfaces show up as to make them more relevant in the report.
While the main guts of the dataset remains the same, we add the 'CASE' function when selecting the srcintf and then proceed to change the names to better reflect what each interface is.
For example below I've renamed port1, port3, vdom-link0, ssl.WAN, port2 and vdom-link1 interfaces to WAN, DMZ, WAN-to-LAB, SSL, LAB and LAB-to-SSL respectively.
SELECT (CASE `srcintf`
WHEN 'port1' THEN 'WAN'
WHEN 'port3' THEN 'DMZ'
WHEN 'vdom-link0' THEN 'WAN-to-LAB'
WHEN 'ssl.WAN' THEN 'SSL'
WHEN 'port2' THEN 'LAB'
WHEN 'vdom-link1' THEN 'LAB-to-WAN'
ELSE `srcintf` END) AS src_intf,
sum(coalesce(`rcvdbyte`,0)) AS total_recvd_bytes,
sum(coalesce(`sentbyte`,0)) AS total_sent_bytes,
sum(coalesce(`rcvdbyte`,0)+coalesce(`sentbyte`,0))
AS total_bytes FROM $log WHERE $filter GROUP BY `srcintf` ORDER BY total_bytes desc
Below is a report that shows the original dataset without the CASE function, followed by the original dataset with the newly added CASE function (ie the example above). I'm sure you'll agree the second one makes more sense!
8 comments:
Fortianalyzer :Users Web Activity Complete Drill Down Report:
1)Dataset
select coalesce(nullifna(`user`), `srcip`) as dldn_user,
coalesce(nullifna(`srcip`), `srcip`) as user_src,
coalesce (abstime(itime)) as date,
coalesce(service) as requests,
coalesce(hostname, dstip, 'unknown') as web_site,
coalesce (status) as urlfilterlist ,
catdesc as category
from $log where $filter and status
in ('allowed', 'passthrough', 'exempted', 'filtered','blocked')
order by dldn_user desc
With Regards,
P.Sarathkumar
Sr.Technical Support Engineer
Dobuy Technologies
Chennai-India
Fortianalyzer: Users Application Control Activity Report:
1)Dataset
select app,appid,appcat, sum(coalesce(sentbyte, 0)+coalesce(rcvdbyte, 0)) as bandwidth,count(*) as num_session,
coalesce (abstime(itime)) as date,
coalesce(nullifna(`user`), `srcip`) as dldn_user,
coalesce(hostname, dstip, 'unknown') as web_site
from $log where $filter and app is not null and policyid != 0 group by app,appid,appcat,dldn_user,web_site,date order by dldn_user desc
With Regards,
P.Sarathkumar
Sr.Technical Support Engineer
Dobuy Technologies
Chennai-India
Hi,
Please let me know how to get the report for single ip.
i want to get the info of x.x.x.x ip, url, content and bandwidth.
Regards,
Nagesh.
can you suggest a query for a report on how to see all traffic allowed or denied by any particular policy [policyid]
this result in below error
ERROR: COALESCE types text and inet cannot be matched
LINE 1: select * from (select coalesce(nullifna("user"), "srcip") as...
Unfortunately, I don't get the wan-load-balance interface from these datasets. Any way to get it included? (We use the WAN Link load balancing feature that combines 3 different WAN links).
Hi,
Do someone know if we can sort the information by day ?
Regards,
Quentin.
HI,
this article is very useful!
is there any query to get only WAN interface total bandwidth.
Post a Comment