Finding usage of specific application data through your Fortigate firewall is easily done using Sumo Logic and a dashboard or scheduled search result.
Assumptions for this sample dashboard:
- There is a partition named security_logs for indexing
- I have a class named fw_security as my category
- I do not want to see any results under 50 MiB of usage
- Inbound and outbound traffic are counted together; hints on how to limit the direction are in the query comments below
- port13 is my WAN port; adjust as needed if you want to look at a specific traffic direction
Using some new parsing functions, since everything in a Fortigate log is in key=value layout, let me do in 2 lines what would have taken 5.
The if function is used in the search query specifically to remap unknown services to a known value.
I also put in some comments (anything after // is a comment) to describe what I am doing, and to show how to limit the results to incoming or outgoing interfaces.
_index=security_logs _sourceCategory=fw_security ("type=\"traffic\"" AND "utmaction=\"allow\"")
| keyvalue regex "=(\d+)" keys "srcport", "dstport", "sentbyte", "rcvdbyte"
| keyvalue regex "=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" keys "srcip", "dstip"
| parse "service=\"*\" " as service nodrop
| parse "app=\"*\" " as application nodrop
| parse "appcat=\"*\" " as app_category nodrop
| parse "srcintf=\"*\" " as src_intface
| parse "dstintf=\"*\" " as dest_intface
| if (service="", "unknown", service) as service // uh oh - service unknown
| if (service="udp/54", "DNS-54", service) as service // RBL lookups on UDP port 54
| if (service="tcp/902", "vCenter", service) as service // vCenter remote console
| if (service="udp/902", "vCenter", service) as service // vCenter remote console
| if (service="tcp/5989", "vCenter", service) as service // vCenter remote to ESXi
| if (service="vCenter-Web-9443", "vCenter", service) as service // vCenter on port 9443
| if (application="", "unknown", application) as application // uh oh - application unknown
| if (app_category="", "unknown", app_category) as app_category // uh oh - application category unknown
// | where src_intface="port13" // enable if you only want to see inbound traffic
// | where dest_intface="port13" // enable if you only want to see outbound traffic
| sentbyte+rcvdbyte as totalbytes
| sum(totalbytes) as total_bytes by service, application, app_category
| where total_bytes > 51200 // threshold is in bytes: 51200 bytes = 50 KiB, raise it if you want 50 MiB
| order by total_bytes, service
| limit 20
Which results in the following output:
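As an added example that is not part of the original post and not Sumo Logic's own tooling, the same filtering, service remapping, direction selection and byte aggregation can be checked offline in Python against a handful of constructed key=value lines. This is handy for validating the threshold and the inbound/outbound `where` clauses before scheduling the search. The sample lines, the `wan_intf` parameter and the `direction` values are assumptions made for this example; only the field names the query itself parses are used.

```python
import re
from collections import defaultdict

# Constructed sample records, not real Fortigate output. Only the fields the
# Sumo Logic query above parses are included, in the key=value layout it expects.
SAMPLE_LOGS = [
    'type="traffic" utmaction="allow" srcip=10.0.0.5 srcport=51234 srcintf="port2" dstip=8.8.8.8 dstport=53 dstintf="port13" service="DNS" app="DNS" appcat="Network.Service" sentbyte=120 rcvdbyte=300',
    'type="traffic" utmaction="allow" srcip=10.0.0.7 srcport=40000 srcintf="port2" dstip=203.0.113.9 dstport=54 dstintf="port13" service="udp/54" app="" appcat="" sentbyte=30000 rcvdbyte=40000',
    'type="traffic" utmaction="allow" srcip=10.0.0.9 srcport=40001 srcintf="port2" dstip=10.0.1.10 dstport=902 dstintf="port3" service="tcp/902" app="VMware" appcat="Remote.Access" sentbyte=500000 rcvdbyte=700000',
    'type="traffic" utmaction="allow" srcip=198.51.100.4 srcport=40002 srcintf="port13" dstip=10.0.0.20 dstport=443 dstintf="port2" service="HTTPS" app="Web" appcat="Web.Client" sentbyte=100 rcvdbyte=200',
    'type="traffic" utmaction="block" srcip=10.0.0.5 srcport=40003 srcintf="port2" dstip=203.0.113.50 dstport=25 dstintf="port13" service="SMTP" app="SMTP" appcat="Email" sentbyte=900000 rcvdbyte=1',
    'type="event" utmaction="allow" srcip=10.0.0.5 srcport=40004 srcintf="port2" dstip=203.0.113.50 dstport=25 dstintf="port13" service="SMTP" app="SMTP" appcat="Email" sentbyte=900000 rcvdbyte=1',
    'type="traffic" utmaction="allow" srcip=10.0.0.6 srcport=51235 srcintf="port2" dstip=8.8.4.4 dstport=53 dstintf="port13" service="DNS" app="DNS" appcat="Network.Service" sentbyte=60000 rcvdbyte=1000',
]

# key=value pairs; string values are double-quoted and may be empty (app="")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Same remapping as the chain of if() statements in the query
SERVICE_REMAP = {
    "": "unknown",                  # service field present but empty
    "udp/54": "DNS-54",             # RBL lookups on UDP port 54
    "tcp/902": "vCenter",           # vCenter remote console
    "udp/902": "vCenter",           # vCenter remote console
    "tcp/5989": "vCenter",          # vCenter remote to ESXi
    "vCenter-Web-9443": "vCenter",  # vCenter on port 9443
}


def parse_line(line):
    """Split one key=value record into a dict; quoted values lose their quotes."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def summarize(lines, min_bytes=51200, direction=None, wan_intf="port13", limit=20):
    """Total sent+received bytes of allowed traffic by (service, application, app_category).

    direction: None (both ways), "inbound" (srcintf == wan_intf) or "outbound"
    (dstintf == wan_intf), mirroring the two commented-out where clauses.
    Rows at or below min_bytes are dropped, matching `where total_bytes > 51200`.
    """
    totals = defaultdict(int)
    for line in lines:
        f = parse_line(line)
        # the query's base filter: type="traffic" AND utmaction="allow"
        if f.get("type") != "traffic" or f.get("utmaction") != "allow":
            continue
        if direction == "inbound" and f.get("srcintf") != wan_intf:
            continue
        if direction == "outbound" and f.get("dstintf") != wan_intf:
            continue
        service = f.get("service", "")
        service = SERVICE_REMAP.get(service, service)
        application = f.get("app") or "unknown"        # if (application="", "unknown", ...)
        app_category = f.get("appcat") or "unknown"    # if (app_category="", "unknown", ...)
        try:
            total = int(f.get("sentbyte", 0)) + int(f.get("rcvdbyte", 0))
        except ValueError:
            continue  # malformed byte counter: skip the record rather than miscount
        totals[(service, application, app_category)] += total
    rows = [(s, a, c, b) for (s, a, c), b in totals.items() if b > min_bytes]
    # Sumo's sort/order by is descending by default; ties broken by service name
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows[:limit]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOGS):
        print(row)
    print("inbound only:", summarize(SAMPLE_LOGS, min_bytes=0, direction="inbound"))
    print("outbound only:", summarize(SAMPLE_LOGS, min_bytes=0, direction="outbound"))
```

Running it with the default threshold keeps only the vCenter, DNS-54 and DNS rows; the blocked SMTP record and the non-traffic event are excluded by the base filter, and the two DNS records are summed into one row, which is the behaviour the `sum(...) by` stage gives in Sumo Logic.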