Mastering Network Visibility: How to Generate Security Reports Using FortiAnalyzer

January 14, 2026

Shazwan Ali

Data is the lifeblood of modern cybersecurity, but raw data alone is simply noise. To protect an infrastructure effectively, IT teams need to translate millions of daily log entries into clear, actionable narratives. This is where FortiAnalyzer becomes an indispensable tool for network administrators. As a centralized logging and reporting appliance, it aggregates data from your Fortinet Security Fabric and transforms it into the intelligence required to spot threats, monitor usage, and maintain compliance.

If you have deployed Fortinet firewalls but aren’t leveraging the reporting capabilities of FortiAnalyzer, you are likely missing half the picture. This guide will walk you through the essentials of generating security reports, helping you turn improved visibility into better security posture.

Why Security Reporting Matters

Before diving into the technical steps, it is vital to understand what good reporting achieves. It is not just about generating a PDF to satisfy a manager; it is about forensic readiness and operational efficiency.

By centralising logs and automating reports, organisations gain three critical advantages:

  1. Compliance Adherence: Whether you are governed by PCI-DSS, GDPR, or HIPAA, auditors require proof that logs are being reviewed. FortiAnalyzer simplifies this with pre-built compliance templates.
  2. Threat Hunting: Reports can highlight anomalies that real-time alerts might miss, such as a slow-drip brute force attack or unusual outbound traffic patterns occurring during off-hours.
  3. Resource Optimisation: Understanding ‘Top Talkers’ (users or applications consuming the most bandwidth) helps in capacity planning and policy adjustment.

Step-by-Step Guide to Generating Basic Reports

FortiAnalyzer creates reports based on data gathered from the logs of connected devices (primarily FortiGates). The process is designed to be intuitive, utilising a vast library of pre-defined templates.

Here is the standard workflow for generating a basic security report:

1. Access the Reports View

Log in to your FortiAnalyzer unit and navigate to the Reports module in the left-hand menu. If you are running multiple ADOMs (Administrative Domains), ensure you have selected the correct ADOM where your device logs are stored.

2. Select a Template

Go to Report Definitions > Templates. Fortinet provides a comprehensive list of default templates covering everything from “Top 3000 Web Sites” to “VPN Usage”. For a general security overview, the “FortiGate Security Analysis” or “Threat Report” templates are excellent starting points.

3. Create the Report Definition

You should rarely edit a default template directly. Instead, select a template and click Create Report. Give your new report a specific name (e.g., “Monthly_Threat_Overview”). This creates a tailored instance of the template that you can modify without altering the original.

4. Configure the Scope

Once the report definition is created, go to the Settings tab. Here, you define the parameters:

  • Time Period: Choose from presets like “Last 7 Days” or define a custom range.
  • Devices: Select whether this report covers all devices in the ADOM or specific firewalls.
  • Filters: You can add specific log filters here, though for a basic report, the defaults are usually sufficient.

5. Run the Report

Click Run Report. The system will process the logs against your chosen template. Depending on the volume of data and the time range, this may take anywhere from a few seconds to several minutes.

6. View and Export

Navigate to the Generated Reports tab to see your completed report. You can view it directly in the browser (HTML) or download it as a PDF, XML, or CSV file for external analysis or presentation.

Customising Reports for Specific Needs

While default templates are useful, every network is unique. You might need to report solely on a specific department’s web usage or deep-dive into a particular type of malware attack.

Cloning and Modifying

To customise, navigate to Report Definitions > All Reports. Select your report and click Edit. In the Layout tab, you will see the charts and macros that make up the report. You can remove irrelevant sections or add new ones by dragging and dropping from the chart library.

The Chart Builder

If the library doesn’t have exactly what you need, use the Chart Builder. This tool allows you to create custom visualisations based on specific datasets. For example, if you want a pie chart showing “Blocked Applications by User Source,” you can construct this by selecting the relevant dataset and setting your X and Y axis parameters.

Macro Variables

For more advanced customisation, FortiAnalyzer uses macros. These are essentially snippets of SQL code that query the log database. If you are comfortable with SQL, you can modify the datasets to produce highly specific granular data, though the GUI-based chart builder suffices for most administrators.

Advanced Reporting Features

Once you have mastered manual report generation, you can leverage advanced features to make the system work for you automatically.

Scheduling

Manual reporting is prone to human error—mainly forgetting to do it. In the report settings, enable Scheduling. You can set the report to run daily, weekly, or monthly. Furthermore, you can configure an email Output Profile to automatically email the finished PDF to the CISO or IT Manager every Monday morning.

Drill-Down Capabilities

When viewing a report in HTML format within FortiAnalyzer, many charts are interactive. If you see a spike in traffic from a specific country, you can often right-click or double-click to “drill down” into the raw logs associated with that graphical data. This bridges the gap between high-level reporting and deep-dive forensics.

Event Handlers

While reports look at historical data, Event Handlers look for patterns in real-time. You can link reporting to event handlers so that if a critical severity event occurs (like a detected intrusion), a specific report is generated and sent immediately, providing context to the alert.

Tips for Interpreting Report Data

Generating the report is only half the battle; understanding the narrative it presents is the other.

  • Look for Deviations: A consistent flat line on a bandwidth graph is normal. A sudden spike at 3:00 AM is not. Focus your attention on deviations from the baseline.
  • Contextualise “Top Talkers”: Just because a user is the top bandwidth consumer doesn’t mean they are doing something wrong. They might be a video editor uploading large files. Always cross-reference volume with application type.
  • Check the “Uncategorised”: In web filtering reports, pay attention to high volumes of “Uncategorised” traffic. This is often where shadow IT or zero-day phishing sites hide.
  • Verify False Positives: If your report shows a massive number of blocked attacks from a trusted partner, investigate immediately. It could be a false positive in your IPS signature, or your partner may be compromised.
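
The first three checks above can also be run outside FortiAnalyzer against a report exported as CSV. The Python below is an added example, not Fortinet code or part of the original article; the column names (hour, user, app, category, mb), the 07:00-19:00 business window, the 5x-median threshold and the sample rows are all constructed assumptions, not FortiAnalyzer's actual export schema.

```python
import csv
import io
from collections import Counter, defaultdict
from statistics import median

# Constructed sample standing in for a CSV export of hourly traffic.
# The column names are assumptions, not FortiAnalyzer's real export schema.
SAMPLE_CSV = """hour,user,app,category,mb
9,alice,video-upload,Business,900
10,alice,video-upload,Business,1100
11,bob,web-browsing,Uncategorised,200
14,carol,office-suite,Business,300
15,bob,web-browsing,News,250
3,dave,ssh,Uncategorised,6000
22,carol,office-suite,Business,150
"""

def load(text):
    """Parse the CSV text into rows with integer hour and volume."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["hour"], r["mb"] = int(r["hour"]), int(r["mb"])
    return rows

def off_hours_spikes(rows, factor=5, business_hours=range(7, 19)):
    """Hours outside business hours whose volume exceeds factor x the median hour."""
    per_hour = Counter()
    for r in rows:
        per_hour[r["hour"]] += r["mb"]
    baseline = median(per_hour.values())
    return sorted(h for h, mb in per_hour.items()
                  if h not in business_hours and mb > factor * baseline)

def top_talkers(rows, n=2):
    """Top n users by volume, each paired with the application driving it."""
    apps = defaultdict(Counter)
    for r in rows:
        apps[r["user"]][r["app"]] += r["mb"]
    totals = {u: sum(c.values()) for u, c in apps.items()}
    ranked = sorted(totals, key=totals.get, reverse=True)[:n]
    return [(u, totals[u], apps[u].most_common(1)[0][0]) for u in ranked]

def uncategorised_share(rows):
    """Fraction of total volume that web filtering left uncategorised."""
    total = sum(r["mb"] for r in rows)
    return sum(r["mb"] for r in rows if r["category"] == "Uncategorised") / total

if __name__ == "__main__":
    rows = load(SAMPLE_CSV)
    print(off_hours_spikes(rows), top_talkers(rows), uncategorised_share(rows))
```

In the sample, the 03:00 hour is flagged, the second-ranked talker is explained by its video-upload application, and the top talker's SSH volume at 03:00 is the row that warrants a drill-down.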

Turning Insight into Action

FortiAnalyzer is a robust platform that does much more than simply archive logs. By utilising its reporting engine, you transform raw data into a strategic asset. Whether you are generating high-level summaries for executive leadership or detailed forensic logs for the incident response team, the ability to customise and automate these outputs is a critical skill.

Start by setting up the basic weekly threat reports. Once you are comfortable with the workflow, explore the chart builder and SQL datasets to tailor the output to your organisation’s specific risks. In network security, visibility is the precursor to control—and effective reporting is the lens through which that visibility is achieved.
