FortiDave
Explorer
May 9, 2022
Solved

FAZ Top Services In a Rule

  • May 9, 2022
  • 1 reply
  • 1911 views

Hi all,

I have a number of overly permissive rules using any services. What would be the most efficient way of extracting a report in FAZ, so I can see what services are actually hitting the rule, and design a policy around that?

Thanks.

 
 
Best answer by Debbie_FTNT


1 reply

Debbie_FTNT
Staff & Editor
May 9, 2022

Hey FortiDave,

you could put together a dataset roughly like this:

    select service, count(*) as num_hits
    from $log
    where $filter and policyid=<policy ID>
    group by service
    order by num_hits desc

That would list the services and associated number of logs for each service for that policy ID.

You would need to map that dataset to a custom chart and add that to a report to display the information, and you might want to do a bit of fine tuning, but this should give you at least a rough overview.
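
Added example (not part of Debbie_FTNT's reply and not Fortinet code): the same per-service grouping done offline in Python over raw traffic logs exported as key=value text, extended beyond the reply to several policy IDs and an optional top-N cutoff. The sample lines are constructed, and the `proto` and `dstport` field names are assumptions; `policyid` and `service` come from the query above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in FortiGate-style key=value form (not from the page).
SAMPLE_LOGS = """\
date=2022-05-09 time=10:00:01 type="traffic" policyid=12 service="HTTPS" dstport=443 proto=6
date=2022-05-09 time=10:00:02 type="traffic" policyid=12 service="HTTPS" dstport=443 proto=6
date=2022-05-09 time=10:00:03 type="traffic" policyid=12 service="DNS" dstport=53 proto=17
date=2022-05-09 time=10:00:04 type="traffic" policyid=12 service="tcp/8443" dstport=8443 proto=6
date=2022-05-09 time=10:00:05 type="traffic" policyid=15 service="SSH" dstport=22 proto=6
date=2022-05-09 time=10:00:06 type="traffic" policyid=15 service="SSH" dstport=22 proto=6
date=2022-05-09 time=10:00:07 type="traffic" policyid=15 service="Remote Desktop" dstport=3389 proto=6
date=2022-05-09 time=10:00:08 type="traffic" policyid=99 service="HTTP" dstport=80 proto=6
garbled line without the expected fields
"""

# key=value where the value is either "quoted, may contain spaces" or a bare token
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return the key=value pairs of one log line as a dict."""
    return {k: (q if q else b) for k, q, b in KV.findall(line)}

def services_per_policy(lines, policy_ids, top_n=None):
    """Count hits per (service, proto, dstport) for each policy of interest.

    Same grouping as the dataset in the answer, but keyed by policy so several
    rules can be reviewed in one pass; top_n=None returns every service.
    """
    wanted = {str(p) for p in policy_ids}
    hits = defaultdict(Counter)
    for line in lines:
        f = parse_line(line)
        pid = f.get("policyid")
        if pid not in wanted or "service" not in f:
            continue  # other policies, or lines missing the fields we group on
        hits[pid][(f["service"], f.get("proto", "?"), f.get("dstport", "?"))] += 1
    return {pid: c.most_common(top_n) for pid, c in hits.items()}

if __name__ == "__main__":
    for pid, rows in services_per_policy(SAMPLE_LOGS.splitlines(), [12, 15]).items():
        print(f"policy {pid}")
        for (svc, proto, port), n in rows:
            print(f"  {n:>4}  {svc} (proto {proto}, dstport {port})")
```

Each policy's list is sorted by hit count, so it can be read directly as the candidate service set for a tighter replacement rule.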

FortiDave
Author
Explorer
May 9, 2022

Thanks Debbie. I'm not getting the top 10 services. Would you know how I can expand that to top 50, or all services?

FortiDave
Author
Explorer
May 9, 2022

Also, if I wanted this report to have details for say 8-10 rules, separate sections, is that possible?