FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
aportnov
Staff
Article Id 293955
Description This article provides a dataset that can be used to analyze the bandwidth of specific interfaces in FortiAnalyzer. The pre-defined FortiAnalyzer dataset and report (Bandwidth and Application Report) only allow bandwidth to be analyzed for a device as a whole.
Scope FortiAnalyzer.
Solution

In the example below, the inbound (source) and outbound (destination) bandwidth is calculated for both the wan1 and wan2 interfaces.

  • Create the following SQL dataset that will be used to generate a report:

 

SELECT dom, firewall, interface, sum(byte_sent) AS total_sent, sum(byte_rcvd) AS total_rcvd, sum(byte_total) AS total
FROM (###(
SELECT
$flex_timescale(itime) AS dom, devid AS firewall, srcintf AS interface,
sum(COALESCE(sentbyte, 0)) AS byte_sent,
sum(COALESCE(rcvdbyte, 0)) AS byte_rcvd,
sum(COALESCE(sentbyte, 0) + COALESCE(rcvdbyte, 0)) AS byte_total
FROM $log-traffic
WHERE $filter AND srcintf IN ('wan1', 'wan2')
GROUP BY dom, firewall, interface
ORDER BY dom
)###
UNION ALL
###(
SELECT
$flex_timescale(itime) AS dom, devid AS firewall, dstintf AS interface,
sum(COALESCE(sentbyte, 0)) AS byte_sent,
sum(COALESCE(rcvdbyte, 0)) AS byte_rcvd,
sum(COALESCE(sentbyte, 0) + COALESCE(rcvdbyte, 0)) AS byte_total
FROM $log-traffic
WHERE $filter AND dstintf IN ('wan1', 'wan2')
GROUP BY dom, firewall, interface
ORDER BY dom
)###) t
GROUP BY dom, firewall, interface
ORDER BY dom

 

  • Create a new Chart (Table) and use the dataset above in the chart. Afterwards, create a new Report and use the Chart that was created. Adjust the report settings to select the devices and time range.
  • The report interface filter must not be used to specify the interface, as the interfaces are already part of the query.

 

In some cases, $DAY_OF_MONTH AS dom can be used instead of $flex_timescale(itime) AS dom.

Change the interface name(s) in srcintf IN ('wan1', 'wan2') and dstintf IN ('wan1', 'wan2') as appropriate.
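The following added example (not part of the original article) replays the dataset's logic against constructed log rows in an in-memory SQLite database, so the aggregation can be checked before the report is built. The stand-ins are assumptions: a `traffic` table replaces $log-traffic, a plain `day` column replaces $flex_timescale(itime), and $filter and the ###( )### wrappers are left out.

```python
import sqlite3

# Constructed traffic-log rows (not real FortiGate logs):
# (day, devid, srcintf, dstintf, sentbyte, rcvdbyte)
SAMPLE_LOGS = [
    ("2024-01-01", "FGT-A", "lan",  "wan1", 1000, 5000),  # outbound via wan1
    ("2024-01-01", "FGT-A", "wan1", "dmz",  200,  None),  # inbound, rcvdbyte missing
    ("2024-01-01", "FGT-A", "wan1", "wan2", 300,  700),   # crosses both WAN links
    ("2024-01-01", "FGT-A", "lan",  "dmz",  9999, 9999),  # no WAN interface involved
    ("2024-01-02", "FGT-A", "lan",  "wan2", 50,   150),
]

def branch(col, ifaces):
    """One arm of the UNION ALL: sessions grouped by srcintf or by dstintf."""
    marks = ",".join("?" * len(ifaces))
    # The per-arm ORDER BY of the article's query is omitted: SQLite does not
    # accept it inside a compound SELECT, and the outer query sorts anyway.
    return f"""SELECT day AS dom, devid AS firewall, {col} AS interface,
        sum(COALESCE(sentbyte, 0)) AS byte_sent,
        sum(COALESCE(rcvdbyte, 0)) AS byte_rcvd,
        sum(COALESCE(sentbyte, 0) + COALESCE(rcvdbyte, 0)) AS byte_total
      FROM traffic WHERE {col} IN ({marks})
      GROUP BY dom, firewall, interface"""

def interface_bandwidth(rows, ifaces=("wan1", "wan2")):
    """Return (dom, firewall, interface, total_sent, total_rcvd, total) rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE traffic "
               "(day, devid, srcintf, dstintf, sentbyte, rcvdbyte)")
    db.executemany("INSERT INTO traffic VALUES (?,?,?,?,?,?)", rows)
    query = f"""SELECT dom, firewall, interface,
        sum(byte_sent) AS total_sent, sum(byte_rcvd) AS total_rcvd,
        sum(byte_total) AS total
      FROM ({branch('srcintf', ifaces)} UNION ALL {branch('dstintf', ifaces)}) t
      GROUP BY dom, firewall, interface
      ORDER BY dom, interface"""
    # Interface names are bound once for each arm of the UNION ALL.
    return db.execute(query, list(ifaces) * 2).fetchall()

if __name__ == "__main__":
    for row in interface_bandwidth(SAMPLE_LOGS):
        print(row)
```

The wan1 to wan2 session is counted under both interfaces, and COALESCE keeps the row with a missing rcvdbyte from turning its sentbyte + rcvdbyte total into NULL.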

  • The throughput utilization billing report can also be useful. It generates throughput consumption reports for billing purposes from the interface bandwidth consumption information logged by FortiGate. To use this report, enable the 'billing-report' option under interface-stats in the FortiAnalyzer CLI. More details can be found in the document below: Throughput utilization billing reporting 6.4.3

 

Related article:

Technical Tip: How to generate data sampling report