Fortinet Forum
aseques
New Contributor

Browsing time listing blocked sites

I am using the web usage report; one of the graphics it shows is the "Top 50 sites by browsing time". The problem is that most of this time is accounted to blocked sites, for example connect.facebook.net or plus.google.com.

If I watch the same data in FortiView they show indeed as blocked. I'd like to know if there are any graphs that exclude the blocked data in this case? I've been looking in the graphs and there doesn't seem to be anything (even though this is what most of the audience will expect).

1 Solution
CrisP_
New Contributor

It's a valid option, of course. As a matter of fact, how exactly does one define the "browsing time", and is it meaningful to chart it by hostname, if we get a lot of separated servers involved in complex apps? I mean I'd be interested in the "active" time spent "on" Facebook and Google, not only using their specific apps, not in dozens of storage servers thereof and not in tabs left open. Seems very complicated, and who knows what exactly is the FG/FAZ tandem doing... So we can put a limited trust in our black box, or completely distrust it and just make sure that our customers and managers don't notice anything fishy.


aseques
New Contributor

Just attaching the image showing that the traffic is indeed blocked.

CrisP
New Contributor III

Hello

You can use the filter 'utmaction not equal to block' or 'utmaction equal to allow' in the chart.

Regards


hzhao_FTNT

Currently we do not consider utmaction when FAZ calculates browsing time. It is counted based on the traffic session: if one session contains both allowed and blocked websites, browsing time will also be counted for the blocked sites.
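To make the two calculations discussed in this thread concrete (the session-based count that credits browsing time to blocked hosts, and the chart filtered on utmaction as suggested above), here is an added, stand-alone example that is not FortiAnalyzer code and does not reproduce its actual algorithm. It parses a few constructed log lines written in a FortiGate-style key=value layout; the field names hostname, utmaction and sessionid come from the thread, the duration field and all values are assumptions made for the example. The naive pass sums the session duration for every hostname seen in a session, so a blocked host in a mixed session still gets time; the filtered pass drops entries whose utmaction is "block".

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real FortiGate output). Session 1001 mixes an
# allowed intranet hit with a blocked connect.facebook.net hit, which is the case
# hzhao_FTNT describes: the blocked host inherits the whole session's time.
SAMPLE_LOGS = """\
date=2016-05-10 time=09:00:01 sessionid=1001 hostname="intranet.example" utmaction=allow duration=600
date=2016-05-10 time=09:00:02 sessionid=1001 hostname="connect.facebook.net" utmaction=block duration=600
date=2016-05-10 time=09:10:00 sessionid=1002 hostname="plus.google.com" utmaction=block duration=1800
date=2016-05-10 time=09:20:00 sessionid=1003 hostname="intranet.example" utmaction=allow duration=300
"""

# key=value pairs; values may be double-quoted (with backslash escapes) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def browsing_time(log_text, exclude_blocked):
    """Sum duration (seconds) per hostname.

    exclude_blocked=False mimics the behaviour described in the thread: every
    hostname logged in a session is credited with that session's duration,
    blocked or not. exclude_blocked=True applies the 'utmaction not equal to
    block' filter suggested by CrisP, so blocked entries contribute nothing.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if exclude_blocked and rec.get("utmaction") == "block":
            continue
        totals[rec["hostname"]] += int(rec.get("duration", 0))
    return dict(totals)


def top_sites(totals, n):
    """Top-N hostnames by browsing time, highest first, as (host, seconds) pairs."""
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    naive = browsing_time(SAMPLE_LOGS, exclude_blocked=False)
    filtered = browsing_time(SAMPLE_LOGS, exclude_blocked=True)
    print("session-based (blocked hosts included):", top_sites(naive, 3))
    print("filtered on utmaction != block:", top_sites(filtered, 3))
```

Running it shows plus.google.com at the top of the naive list even though every hit on it was blocked, which is exactly the "how can users have spent an hour on a blocked site" question the report provokes; the filtered list contains only the intranet host. Note that the filter also discards the allowed portion of session 1001's time for the blocked host, which is the limitation CrisP raises later in the thread.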


CrisP
New Contributor III

Hello Zhao,

In this case, it means that the utmaction-based report contains partial and erroneous information, in the sense that

- it includes sessions that have been blocked due to security events totally not related to web filtering (like viruses and application exploits, but on allowed site categories)

- all the portions of the sessions that were finally blocked for site category violation are ignored, so the bandwidth usage reported is false (the allowed sites used more traffic than reported)

It is important to note that the notion of SESSION in the context of the logs seems to refer not to low-level protocol sessions, but to high-level, user sessions. This means that more low-level sessions (with different src/dst ports) are logged as linked into a high-level user session. Could you please confirm or infirm this?


We could try to refine the filter by selecting countapp, countav, countips etc. = 0. As for the traffic before the session gets blocked, do you have any suggestion how to include it in the report?


Thank you in advance, you are by far the most customer-friendly Fortinet team member I have ever seen! (Keep it up like this, PLEASE! Things get more complicated and less documented day after day...)

Cristian


hzhao_FTNT

Hi Cristian,


Don't worry, this issue only exists in browse time calculation, since the field "ebtime" is not sent from FGT, but based on FAZ calculation. I have already logged a bug for it, hope we can have a fix in 5.4.2. 


We will always query utm logs when it is available. For FOS5.2+ webfilter bandwidth, we do use countweb and logver to query traffic log, but for virus/ips/app-ctrl session count, we will use utm logs. 


I really appreciate your efforts to keep this forum active.


Regards,

hz

aseques

Thanks both for your help, so, if I understood, there is no real way to get this data properly graphed as of today. I cannot really give it to my managers as it is, the first question will always be "how can users have been for more than one hour in facebook if it's blocked?"

My only option at the moment is to delete this part of report?


aseques
New Contributor

Yes, the browsing time is really a complicated metric, not really easy to defend the values it gives, moreover when it's accounting as browsing time the time spent by fortigate blocking the views of some sites.

Thanks a lot for your help