Author: agomes (Staff)
Article Id: 410693
Description: This article describes how to set up a FortiAnalyzer custom report to analyze FortiGate firewall rule utilization.
Scope: FortiAnalyzer 7.x and earlier.
Solution

In enterprise environments, network security teams often require detailed visibility into firewall traffic to identify trends, optimize rule sets, and ensure compliance with security policies. FortiAnalyzer provides a powerful reporting engine that allows the creation of custom datasets and reports, making it possible to extract precise insights from FortiGate logs.

This article demonstrates how to build a custom report in FortiAnalyzer focusing on firewall policy utilization, using two datasets that highlight traffic distribution by destination port and by application.

Dataset 1: Policy Traffic by Destination Port

The first dataset provides a breakdown of sessions and traffic volume (bytes) per firewall policy, aggregated by destination port. This allows analysts to identify which services (e.g., HTTPS, DNS, or custom ports) are most used within a specific policy.

SELECT
  policyid,
  policyname,
  dstport,
  COUNT(*) AS sessions,
  SUM(sentbyte + rcvdbyte) AS bytes
FROM $log
WHERE $filter
  AND (logflag & 1) > 0
GROUP BY policyid, policyname, dstport
ORDER BY sessions DESC

Use Case:
This dataset is particularly useful to detect high-volume traffic on unexpected ports, validate rule configurations, or identify potential misconfigurations where overly broad policies may allow unnecessary services.
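Added example (not part of the original article): Dataset 1 narrowed to exactly this use case, so the report lists only ports that are outside an expected-services list and carry a material share of the policy's traffic. The port allow-list and the 100 MB threshold are constructed placeholders, and the query assumes the FortiAnalyzer dataset engine accepts PostgreSQL window functions.

```sql
-- Added example, not from the original article: Dataset 1 narrowed to the
-- "unexpected ports" use case. Uses the same FortiAnalyzer macros ($log, $filter)
-- and traffic-log filter ((logflag & 1) > 0) as the article's datasets.
-- ASSUMPTIONS (adjust before use):
--   * the port allow-list (53, 80, 443) is a constructed placeholder; use the
--     services each policy is actually meant to permit
--   * the 100 MB threshold is a constructed placeholder
--   * the backend accepts PostgreSQL window functions (SUM(...) OVER ...)
SELECT
  policyid,
  policyname,
  dstport,
  sessions,
  bytes,
  -- share of the policy's total bytes carried by this unexpected port
  ROUND(100.0 * bytes / NULLIF(policy_bytes, 0), 2) AS pct_of_policy_bytes
FROM (
  SELECT
    policyid,
    policyname,
    dstport,
    COUNT(*) AS sessions,
    SUM(sentbyte + rcvdbyte) AS bytes,
    -- total bytes for the whole policy, repeated on every port row
    SUM(SUM(sentbyte + rcvdbyte)) OVER (PARTITION BY policyid) AS policy_bytes
  FROM $log
  WHERE $filter
    AND (logflag & 1) > 0
  GROUP BY policyid, policyname, dstport
) AS per_port
WHERE dstport NOT IN (53, 80, 443)      -- constructed allow-list of expected services
  AND bytes >= 104857600                -- constructed threshold: 100 MB
ORDER BY policyid, bytes DESC
```

Save it as a separate dataset and attach it to a Table chart in the same way as Dataset 1; an empty result means every policy only carried traffic on the ports it is expected to serve.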

Dataset 2: Policy Traffic by Application and Category

The second dataset provides a more granular view of traffic, analyzing each policy by application category and by specific application. In addition to session counts, it aggregates the total traffic in bytes, giving both volume and frequency insights.

SELECT
  policyid,
  policyname,
  appcat,
  app,
  COUNT(*) AS sessions,
  SUM(sentbyte + rcvdbyte) AS bytes
FROM $log
WHERE $filter
  AND (logflag & 1) > 0
GROUP BY policyid, policyname, appcat, app
ORDER BY sessions DESC

Use Case:
This dataset enables organizations to understand which applications are consuming the most bandwidth under specific policies. For example, it may highlight business-critical applications (such as Microsoft 365) or reveal bandwidth usage by recreational apps that may not align with corporate security guidelines.
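Added example (not part of the original article): Dataset 2 reshaped so that each policy gets one row comparing the bytes consumed by non-business application categories against the policy total, which turns the use case above into a direct check. The appcat strings and the 25% threshold are constructed placeholders that must be matched to the category names and tolerance used in your environment.

```sql
-- Added example, not from the original article: Dataset 2 re-shaped so that
-- each policy gets one row comparing the bytes consumed by recreational /
-- non-business application categories against the policy total. Uses the same
-- FortiAnalyzer macros ($log, $filter) and traffic-log filter as the article.
-- ASSUMPTIONS (adjust before use):
--   * the appcat strings below are constructed placeholders; match them to the
--     exact category names that appear in your FortiGate traffic logs
--   * the 25% reporting threshold is a constructed placeholder
SELECT
  policyid,
  policyname,
  COUNT(*) AS sessions,
  SUM(sentbyte + rcvdbyte) AS total_bytes,
  SUM(CASE WHEN appcat IN ('Social.Media', 'Game', 'P2P', 'Proxy')
           THEN sentbyte + rcvdbyte ELSE 0 END) AS non_business_bytes,
  -- how much of this policy's bandwidth the non-business categories consume
  ROUND(100.0 * SUM(CASE WHEN appcat IN ('Social.Media', 'Game', 'P2P', 'Proxy')
                          THEN sentbyte + rcvdbyte ELSE 0 END)
        / NULLIF(SUM(sentbyte + rcvdbyte), 0), 2) AS non_business_pct,
  -- sessions whose application could not be identified at all
  SUM(CASE WHEN appcat IN ('unknown', 'unscanned') OR appcat IS NULL
           THEN 1 ELSE 0 END) AS unidentified_sessions
FROM $log
WHERE $filter
  AND (logflag & 1) > 0
GROUP BY policyid, policyname
-- keep only policies where non-business traffic exceeds 25% of the total
HAVING SUM(CASE WHEN appcat IN ('Social.Media', 'Game', 'P2P', 'Proxy')
                THEN sentbyte + rcvdbyte ELSE 0 END)
       > 0.25 * SUM(sentbyte + rcvdbyte)
ORDER BY non_business_pct DESC
```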

Creating Chart Libraries

After defining the datasets, the next phase is to design the visual components that present the data inside the custom report. FortiAnalyzer uses Chart Libraries, which allow you to build reusable visualizations that can be inserted into multiple reports.

Chart Library 1: Policy Traffic by Destination Port

For the dataset that aggregates traffic by destination port, the most effective visualization is a table.

  • Dataset used: Policy traffic by destination port
  • Chart type: Table
  • Regular Columns: policyid
  • Drilldown Columns: policyname and dstport
  • Aggregation Columns: bytes, formatted as Bandwidth (KB/MB/GB)

This visualization provides an immediate overview of which firewall rules are responsible for the largest share of traffic and highlights the most frequently used services.

Chart Library 2: Policy Traffic by Application and Category

For the dataset that aggregates traffic by application category and application, the most effective visualization is again a table.

  • Dataset used: Policy traffic by application and category
  • Chart type: Table
  • Regular Columns: policyid
  • Drilldown Columns: policyname, appcat and app
  • Aggregation Columns: bytes, formatted as Bandwidth (KB/MB/GB)

This chart provides a clear picture of the distribution of traffic across categories such as Business, Social Media, Cloud, or Unknown. It helps organizations evaluate whether bandwidth is being consumed by business-critical or non-essential applications.

Building the Final Report

With both datasets and their corresponding chart libraries created, the final step is to design a clean and structured report inside FortiAnalyzer. Reports allow combining visualizations, tables, and text descriptions into a professional document that can be scheduled or shared with stakeholders.

Report Creation Steps:

  1. Create a New Report

    • Navigate to Reports -> Report Definitions and select Create New.

    • Assign a descriptive name, such as Firewall Policy Traffic Analysis.

  2. Add Report Layout Sections

    • Insert a title page with the report name, author, and date.

    • Add a summary/introduction section where the purpose of the analysis is explained (e.g., to measure policy utilization and traffic distribution).

  3. Insert the Charts

    • Chart 1 (Table): Displays sessions and bytes by policy and destination port. This chart highlights which firewall rules and ports generate the highest traffic volumes.

    • Chart 2 (Table): Shows traffic distribution by policy and application category. This visualization helps identify whether bandwidth is being consumed by business applications or recreational/unknown apps.

    Both charts can be dragged from the Chart Library into the report layout.

The following screenshots show the two dataset definitions as an example.

DataSet Policy by application:
[Screenshot: dataset definition for Policy by application]

DataSet Policy by Destination port:
[Screenshot: dataset definition for Policy by Destination port]