I am using the web usage report, one of the graphics it's showing is the "Top 50 sites by browsing time", the problem is that most of this time is just accounted to blocked sites, for example connect.facebook.net or plus.google.com
If I watch the same data in fortiview they show indeed as blocked. I'd like to know if there are any graphs that exclude the blocked data in this case? I've been looking in the graphs an doesn't seem to be anything (even though this what most of the audience will expect)
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It's a valid option, of course. As a matter of fact, how exactly does one define the "browsing time", and is it meaningful to chart it by hostname, if we get a lot of separated servers involved in complex apps? I mean I'd be interested in the "active" time spent "on" Facebook and Google, not only using their specific apps, not in dozens of storage servers thereof and not in tabs left open. Seems very complicated, and who knows what exactly is the FG/FAZ tandem doing... So we can put a limited trust in our black box, or completely distrust it and just make sure that our customers and managers don't notice anything fishy.
Hello
You can use the filter 'utmaction not equal to block' or 'utmaction equal to allow' in the chart.
Regards
Currently we do not consider utmaction when FAZ calculate browsing time. It will be counted based on traffic session, if one session contains both allowed and blocked websites, browsing time will be also counted for blocked sites.
Hello Zhao,
In this case, it means that the utmaction-based report contains partial and erroneous information, in the sense that
-it includes sessions that have been blocked due to security events totally not related to web filtering (like viruses and application exploits, but on allowed site categories)
-all the portions of the sessions that were finally blocked for site category violation are ignored, so the bandwidth usage reported is false (the allowed sites used more traffic than reported)
It is important to note that the notion of SESSION in the context of the logs seems to refer not to low-level protocol sessions, but to high-level, user sessions. This means that more low-level sessions (with different src/dst ports) are logged as linked into a high-level user session. Could you please confirm or infirm this?
We could try to refine the filter by selecting countapp, countav, countips etc. = 0. As for the traffic before the session gets blocked, do you have any suggestion how to include it in the report?
Thank you in advance, you are by far the most customer-friendly Fortinet team member I ever seen! (Keep it up like this, PLEASE! Things get more complicated and less documented day after day...)
Cristian
Hi Cristian,
Don't worry, this issue only exists in browse time calculation, since the field "ebtime" is not sent from FGT, but based on FAZ calculation. I have already logged a bug for it, hope we can have a fix in 5.4.2.
We will always query utm logs when it is available. For FOS5.2+ webfilter bandwidth, we do use countweb and logver to query traffic log, but for virus/ips/app-ctrl session count, we will use utm logs.
I really appreciate your efforts to keep this forum active.
Regards,
hz
Thanks both for your help, so, if I understood, there is no real way to get this data properly graphed as of today. I cannot really give it to my managers as it is, first question will always be "how can users have been for more that one hour in facebook if it's blocked?"
My only option at the moment is to delete this part of report?
It's a valid option, of course. As a matter of fact, how exactly does one define the "browsing time", and is it meaningful to chart it by hostname, if we get a lot of separated servers involved in complex apps? I mean I'd be interested in the "active" time spent "on" Facebook and Google, not only using their specific apps, not in dozens of storage servers thereof and not in tabs left open. Seems very complicated, and who knows what exactly is the FG/FAZ tandem doing... So we can put a limited trust in our black box, or completely distrust it and just make sure that our customers and managers don't notice anything fishy.
Yes, the browsing time is really a complicated metric, not really easy to defend the values it gives, moreover when it's accounting as browsing time the time spent by fortigate blocking the views of some sites.
Thanks a lot for your help
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1633 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.