Sumo Logic + Fortigate + Bandwidth Hogs

Finding usage of specific IPs behind your Fortigate firewall is easily done using Sumo Logic and a dashboard or scheduled search result.

Assumptions

  • I have a partition named security_logs for indexing
  • I have a class named fw_security as my source category
  • My WAN port is port13
  • I do not want to see any results under 50 MiB of usage

_index=security_logs _sourceCategory=fw_security "action=\"close\""
  | parse "srcip=* " as src_ip
  | parse "srcintf=\"*\" " as src_int
  | parse "dstip=* " as dest_ip
  | parse "dstintf=\"*\" " as dest_int
  | parse "action=\"*\" " as action
  | parse "sentbyte=* rcvdbyte=* " as sentbytes, recvbytes
  | where dest_int="port13"
  | sum(sentbytes) as sent_bytes by src_ip, src_int, dest_ip, dest_int
  | where sent_bytes > 50*1024*1024
  | sort by sent_bytes
  | limit 30

Which results in the following output:

[screenshot: 015-06-28-sumo-logic-bw-hogs-001]
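As an added example that is not part of the original post, the same filter-aggregate-threshold logic run offline in Python over constructed Fortigate key=value log lines. It is handy for sanity-checking the query's assumptions (closed sessions only, WAN interface port13, 50 MiB floor, largest first) before scheduling it; the addresses, interfaces and byte counts are made up.

```python
import re
from collections import defaultdict

# Constructed Fortigate traffic-log lines (hypothetical hosts and byte counts)
# in the key=value syslog format the Sumo Logic query parses.
SAMPLE_LOGS = [
    'date=2015-06-28 time=10:01:02 devname="fw01" type="traffic" srcip=10.1.1.10 srcintf="port1" dstip=203.0.113.5 dstport=443 dstintf="port13" action="close" sentbyte=80000000 rcvdbyte=12000',
    'date=2015-06-28 time=10:01:05 devname="fw01" type="traffic" srcip=10.1.1.10 srcintf="port1" dstip=203.0.113.5 dstport=443 dstintf="port13" action="close" sentbyte=30000000 rcvdbyte=9000',
    'date=2015-06-28 time=10:02:00 devname="fw01" type="traffic" srcip=10.1.1.20 srcintf="port1" dstip=203.0.113.9 dstport=80 dstintf="port13" action="close" sentbyte=1000 rcvdbyte=500',
    'date=2015-06-28 time=10:02:30 devname="fw01" type="traffic" srcip=10.1.1.50 srcintf="port1" dstip=203.0.113.8 dstport=443 dstintf="port13" action="close" sentbyte=60000000 rcvdbyte=700',
    'date=2015-06-28 time=10:03:00 devname="fw01" type="traffic" srcip=10.1.1.30 srcintf="port1" dstip=10.1.2.4 dstport=445 dstintf="port2" action="close" sentbyte=900000000 rcvdbyte=500',
    'date=2015-06-28 time=10:04:00 devname="fw01" type="traffic" srcip=10.1.1.40 srcintf="port1" dstip=203.0.113.7 dstport=443 dstintf="port13" action="timeout" sentbyte=900000000 rcvdbyte=500',
]

# One key=value token: the value is either "quoted" or a bare run of non-spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate(line):
    """Return a dict of key -> value for one Fortigate key=value log line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def bandwidth_hogs(lines, wan_intf="port13", min_bytes=50 * 1024 * 1024, limit=30):
    """Sum sentbyte per (srcip, srcintf, dstip, dstintf) over closed sessions
    leaving via wan_intf, drop totals at or below min_bytes, largest first.
    Mirrors the Sumo query: same filter, grouping, threshold, sort and limit."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_fortigate(line)
        # Only closed sessions have final byte counts; only WAN-bound traffic matters.
        if rec.get("action") != "close" or rec.get("dstintf") != wan_intf:
            continue
        key = (rec["srcip"], rec["srcintf"], rec["dstip"], rec["dstintf"])
        totals[key] += int(rec.get("sentbyte", 0))
    hogs = [(k, v) for k, v in totals.items() if v > min_bytes]
    hogs.sort(key=lambda kv: kv[1], reverse=True)  # descending, like Sumo's sort by
    return hogs[:limit]

if __name__ == "__main__":
    for (src, sint, dst, dint), total in bandwidth_hogs(SAMPLE_LOGS):
        print(f"{src:15} {sint:7} -> {dst:15} {dint:7} {total / 2**20:8.1f} MiB")
```

Sessions via port2 and the non-closed "timeout" record are excluded even though they carry the largest byte counts, which is exactly the behaviour the query's two where clauses and the action filter are meant to enforce.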