aseques
Visitor III
June 23, 2016
Solved

Browsing time listing blocked sites

I am using the web usage report. One of the graphics it's showing is the "Top 50 sites by browsing time"; the problem is that most of this time is just accounted to blocked sites, for example connect.facebook.net or plus.google.com.

If I look at the same data in FortiView, they do indeed show as blocked. I'd like to know if there are any graphs that exclude the blocked data in this case. I've been looking in the graphs and there doesn't seem to be anything (even though this is what most of the audience will expect).

Best answer by CrisP_

It's a valid option, of course. As a matter of fact, how exactly does one define the "browsing time", and is it meaningful to chart it by hostname, if we get a lot of separate servers involved in complex apps? I mean I'd be interested in the "active" time spent "on" Facebook and Google, not only using their specific apps, not in dozens of storage servers thereof and not in tabs left open. Seems very complicated, and who knows what exactly the FG/FAZ tandem is doing... So we can put a limited trust in our black box, or completely distrust it and just make sure that our customers and managers don't notice anything fishy.

2 replies

aseques (Author)
Visitor III
June 23, 2016

Just attaching the image showing that the traffic is indeed blocked.

CrisP
New Member
June 29, 2016

Hello

You can use the filter 'utmaction not equal to block' or 'utmaction equal to allow' in the chart.

Regards

 

hzhao_FTNT
Staff
June 29, 2016

Currently we do not consider utmaction when FAZ calculates browsing time. It will be counted based on traffic session; if one session contains both allowed and blocked websites, browsing time will also be counted for blocked sites.

 

CrisP
New Member
June 29, 2016

Hello Zhao,

In this case, it means that the utmaction-based report contains partial and erroneous information, in the sense that:

- it includes sessions that have been blocked due to security events totally not related to web filtering (like viruses and application exploits, but on allowed site categories)

- all the portions of the sessions that were finally blocked for site category violation are ignored, so the bandwidth usage reported is false (the allowed sites used more traffic than reported)

It is important to note that the notion of SESSION in the context of the logs seems to refer not to low-level protocol sessions, but to high-level, user sessions. This means that more low-level sessions (with different src/dst ports) are logged as linked into a high-level user session. Could you please confirm or deny this?

 

We could try to refine the filter by selecting countapp, countav, countips etc. = 0. As for the traffic before the session gets blocked, do you have any suggestion how to include it in the report?

 

Thank you in advance, you are by far the most customer-friendly Fortinet team member I have ever seen! (Keep it up like this, PLEASE! Things get more complicated and less documented day after day...)

Cristian
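
The two filters discussed in this thread ('utmaction not equal to block', and the refinement using countapp, countav and countips) can be checked against exported logs before trusting a chart. The following is an added example, not part of the thread and not Fortinet code: the log lines are constructed, `hostname` and `duration` are assumed field names with `duration` standing in for browsing time, and a record with no `utmaction` is assumed to be allowed.

```python
import shlex
from collections import defaultdict

# Constructed sample lines in key=value form (not from the thread).
# utmaction, countapp, countav and countips are named in the thread; hostname
# and duration (seconds) are assumed fields standing in for "browsing time".
SAMPLE_LOGS = """\
srcip=10.0.0.5 hostname="intranet.example.com" duration=600 utmaction="allow"
srcip=10.0.0.5 hostname="connect.facebook.net" duration=900 utmaction="block" countweb=1
srcip=10.0.0.7 hostname="plus.google.com" duration=700 utmaction="block" countweb=1
srcip=10.0.0.7 hostname="files.example.org" duration=120 utmaction="block" countav=1
srcip=10.0.0.5 hostname="intranet.example.com" duration=200 utmaction="allow"
srcip=10.0.0.9 hostname="news.example.net" duration=400
"""

def parse_line(line):
    """Split one key=value log line into a dict; shlex honours quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def bucket(rec):
    """Classify a record by utmaction, then by the non-web-filter UTM counters."""
    # Assumption: a record without utmaction is treated as allowed.
    if rec.get("utmaction", "allow") != "block":
        return "allowed"
    others = sum(int(rec.get(k, 0)) for k in ("countapp", "countav", "countips"))
    return "blocked_other_utm" if others else "blocked_webfilter"

def time_by_host(text):
    """Return {hostname: {bucket: seconds}} for every parsable line."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        rec = parse_line(line)
        if "hostname" in rec and rec.get("duration", "").isdigit():
            totals[rec["hostname"]][bucket(rec)] += int(rec["duration"])
    return totals

def top_sites(text, buckets=("allowed",), n=50):
    """Rank hosts by time, counting only the chosen buckets."""
    ranked = [(h, sum(b[k] for k in buckets)) for h, b in time_by_host(text).items()]
    return sorted((r for r in ranked if r[1] > 0), key=lambda r: (-r[1], r[0]))[:n]

if __name__ == "__main__":
    every = ("allowed", "blocked_webfilter", "blocked_other_utm")
    print("unfiltered:        ", top_sites(SAMPLE_LOGS, every))
    print("utmaction != block:", top_sites(SAMPLE_LOGS))
```

Comparing the `blocked_webfilter` and `blocked_other_utm` totals per host shows how much of a "blocked" figure comes from category filtering and how much from other UTM events such as antivirus.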