Skip to main content
agomes
Staff
agomes
Staff
September 18, 2025

Technical Tip: FortiAnalyzer custom report to analysis FortiGate rules

  • September 18, 2025
  • 0 replies
  • 2024 views
Description This article describes setting up FortiAnalyzer custom report to analysis FortiGate rules.
Scope FortiAnalyzer 7.x and earlier.
Solution

In enterprise environments, network security teams often require detailed visibility into firewall traffic to identify trends, optimize rule sets, and ensure compliance with security policies. FortiAnalyzer provides a powerful reporting engine that allows the creation of custom datasets and reports, making it possible to extract precise insights from FortiGate logs.

This article demonstrates how to build a custom report in FortiAnalyzer focusing on firewall policy utilization, using two datasets that highlight traffic distribution by destination ports and by applications.

 

Dataset 1: Policy Traffic by Destination Port.

 

The first dataset provides a breakdown of sessions and traffic volume (bytes) per firewall policy, aggregated by the destination port. This allows analysts to identify which services (e.g., HTTPS, DNS, or custom ports) are most utilized within a specific policy.

 

SELECT   policyid,   policyname,   dstport,   COUNT(*) AS sessions,   SUM(sentbyte + rcvdbyte) AS bytes FROM $log WHERE $filter   AND (logflag & 1) > 0 GROUP BY policyid, policyname, dstport ORDER BY sessions DESC

 

Use Case:
This dataset is particularly useful to detect high-volume traffic on unexpected ports, validate rule configurations, or identify potential misconfigurations where overly broad policies may allow unnecessary services.

 

Dataset 2: Policy Traffic by Application and Category:

 

The second dataset provides a more granular view of traffic, analyzing policies by application category and specific application. In addition to session counts, it also aggregates the total traffic in bytes, providing both volume and frequency insights.

 

SELECT   policyid,   policyname,   appcat,   app,   COUNT(*) AS sessions,   SUM(sentbyte + rcvdbyte) AS bytes FROM $log WHERE $filter   AND (logflag & 1) > 0 GROUP BY policyid, policyname, appcat, app ORDER BY sessions DESC

 

Use Case:
This dataset enables organizations to understand which applications are consuming the most bandwidth under specific policies. For example, it may highlight business-critical applications (such as Microsoft 365) or reveal bandwidth usage by recreational apps that may not align with corporate security guidelines.

 

Creating Chart Libraries:

 

After defining the datasets, the next phase is to design visual components that will bring the data to life inside the custom report. FortiAnalyzer uses Chart Libraries, which allow building reusable visualizations that can be easily inserted into multiple reports.

 

Chart Library 1: Policy Traffic by Destination Port.

 

For the dataset that aggregates traffic by destination port, the most effective visualization is a table

 

  • Dataset used: Policy traffic by destination port

  • Chart type: Table

  • Regular Columns: policyid
  • Drildown Columns: policyname and app
  • Aggregation Columns: bytes and format Bandwidth (KB/MB/GB)

This visualization provides an immediate overview of which firewall rules are responsible for the largest share of traffic and highlights the most frequently used services.

 

Chart Library 2: Policy Traffic by Application and Category.

 

For the dataset that aggregates traffic by destination port, the most effective visualization is a table.

 

  • Dataset used: Policy traffic by destination port

  • Chart type: Table

  • Regular Columns: policyid
  • Drildown Columns: policyname and dstport
  • Aggregation Columns: bytes and format Bandwidth (KB/MB/GB)

 

This chart provides a clear picture of the distribution of traffic across categories such as Business, Social Media, Cloud, or Unknown. It helps organizations evaluate whether bandwidth is being consumed by business-critical or non-essential applications. 

 

Building the Final Report.

With both datasets and their corresponding chart libraries created, the final step is to design a clean and structured report inside FortiAnalyzer. Reports allow combining visualizations, tables, and text descriptions into a professional document that can be scheduled or shared with stakeholders.

 

Report Creation Steps:

 

  1. Create a New Report

    • Navigate to Reports -> Report Definitions and select Create New.

    • Assign a descriptive name, such as Firewall Policy Traffic Analysis.

  2. Add Report Layout Sections

    • Insert a title page with the report name, author, and date.

    • Add a summary/introduction section where the purpose of the analysis is explained (e.g., to measure policy utilization and traffic distribution).

  3. Insert the Charts

    • Chart 1 (Table): Displays sessions and bytes by policy and destination port. This chart highlights which firewall rules and ports generate the highest traffic volumes.

    • Chart 2 (Table): Shows traffic distribution by policy and application category. This visualization helps identify whether bandwidth is being consumed by business applications or recreational/unknown apps.

    Both charts can be dragged from the Chart Library into the report layout.

 

Follow an example.

 

DataSet Policy by application:

 

2025-09-12 20_19_30-Chat _ banco pan _ Microsoft Teams.png

 

DataSet Policy by Destination port:

 

2025-09-12 20_19_42-Chat _ banco pan _ Microsoft Teams.png
      Terms & ConditionsAccessibility statement