djcarrington
New Member
January 14, 2017
Question

FortiAnalyzer report of FortiClient application names blocks


I would like to create a custom report showing the application being blocked on our FortiClients.

Our Forticlients are successfully uploading their logs to the FortiAnalyzer.

The FortiView/Security/FortiClient/Traffic log shows the application name in the Security Event List field.

However, I do not know how to add that information to a dataset.

I found a canned dataset "fct-Application-Firewall" that shows the appfirewall blocks, but it does not include the application name. I am not sure how to add the application name to this dataset.

fct-Application-Firewall

Log type: FortiClient traffic

Query:

select srcname, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction from $log where $filter and lower(utmevent)='appfirewall' group by srcname, hostname, hostuser, utmaction

FortiAnalyzer 400C ver 5.2.7

Any assistance is appreciated.

thanks

Dave


    hzhao_FTNT
    Staff
    January 17, 2017

    Hi there,

    The application name is recorded in the "threat" field of the FortiClient traffic log, so the dataset will be:

    select srcname, threat as app, hostname, coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction from $log where $filter and lower(utmevent)='appfirewall' group by srcname, threat, hostname, hostuser, utmaction

    Regards,

    hz
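To make the grouping in the reply's dataset query concrete, here is an added example (not from the original post, and not Fortinet code) that runs that query against a handful of constructed FortiClient traffic rows in an in-memory SQLite table. The `$log` and `$filter` macros and the `nullifna()` function are FortiAnalyzer-specific, so the example resolves them under stated assumptions: `$log` becomes the local table, `$filter` becomes an always-true predicate, and `nullifna(x)` is assumed to behave like `NULLIF(x, 'N/A')`. A `count(*)` column is appended so the number of log entries behind each group is visible; the sample rows, hostnames, users and application names are invented.

```python
import re
import sqlite3

# Dataset query from the reply above, copied verbatim (FortiAnalyzer SQL with macros).
REPLY_QUERY = (
    "select srcname, threat as app, hostname, "
    "coalesce(nullifna(`user`), 'Unknown') as hostuser, utmaction "
    "from $log where $filter and lower(utmevent)='appfirewall' "
    "group by srcname, threat, hostname, hostuser, utmaction"
)

# Constructed FortiClient traffic log rows for this demo; they are not real logs.
# Only the fields the dataset query touches are modelled. The set deliberately
# includes two identical blocks (to show grouping), one row with user='N/A'
# (to show the 'Unknown' fallback), one mixed-case utmevent (to show lower()),
# and one non-appfirewall event that the WHERE clause must drop.
SAMPLE_LOGS = [
    {"srcname": "dropbox.exe", "threat": "Dropbox", "hostname": "WS-01",
     "user": "alice", "utmaction": "blocked", "utmevent": "appfirewall"},
    {"srcname": "dropbox.exe", "threat": "Dropbox", "hostname": "WS-01",
     "user": "alice", "utmaction": "blocked", "utmevent": "appfirewall"},
    {"srcname": "utorrent.exe", "threat": "BitTorrent", "hostname": "WS-02",
     "user": "N/A", "utmaction": "blocked", "utmevent": "appfirewall"},
    {"srcname": "teamviewer.exe", "threat": "TeamViewer", "hostname": "WS-03",
     "user": "bob", "utmaction": "passthrough", "utmevent": "AppFirewall"},
    {"srcname": "chrome.exe", "threat": "EICAR_TEST_FILE", "hostname": "WS-01",
     "user": "alice", "utmaction": "blocked", "utmevent": "antivirus"},
]


def to_sqlite(query, table="traffic", filter_sql="1=1"):
    """Resolve the FortiAnalyzer macros so the dataset query runs on local SQLite.

    $log     -> the log table selected by the dataset's log type (here: `table`)
    $filter  -> the report's device/time filter (assumed to be a plain predicate)
    nullifna -> assumed equivalent to NULLIF(x, 'N/A')
    count(*) is added so each group shows how many log entries it covers.
    """
    q = query.replace("$log", table).replace("$filter", filter_sql)
    q = re.sub(r"nullifna\(([^()]*)\)", r"nullif(\1, 'N/A')", q)
    q = q.replace(" from ", ", count(*) as blocks from ", 1)
    return q


def run_dataset(rows=SAMPLE_LOGS, query=REPLY_QUERY):
    """Load the rows into an in-memory table and return (column names, grouped rows).

    Rows are sorted so the result is deterministic regardless of SQLite's
    GROUP BY output order.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'create table traffic (srcname text, threat text, hostname text, '
        '"user" text, utmaction text, utmevent text)'
    )
    conn.executemany(
        "insert into traffic values "
        "(:srcname, :threat, :hostname, :user, :utmaction, :utmevent)",
        rows,
    )
    cur = conn.execute(to_sqlite(query))
    columns = [d[0] for d in cur.description]
    result = sorted(cur.fetchall())
    conn.close()
    return columns, result


if __name__ == "__main__":
    cols, out = run_dataset()
    print(" | ".join(cols))
    for row in out:
        print(" | ".join(str(v) for v in row))
```

The point to take from the output is the `app` column: without `threat` in the select and group-by lists (the canned fct-Application-Firewall dataset), the two dropbox.exe rows would still collapse to one group, but you would have no way to tell which application the block was for. The antivirus row is excluded by `lower(utmevent)='appfirewall'`, so in this demo the `threat` field only ever carries an application name in the rows that survive the filter.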

    djcarrington
    New Member
    January 24, 2017

    That did the trick; it works now.

    thanks.

    I did not see a "threat" field in the FortiOS log reference document.

    Is there a different log reference document for FortiClient?

    If so could you please point me in the right direction?

    thanks again.

    Dave