FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
psalian
Staff
Article Id 196512
Description
This article explains how to create a report on a FortiAnalyzer based on a single user's IP address.

It is applicable to FortiAnalyzer firmware versions v4.x and v5.x.

Scope



Solution
Firmware v5.x

1) Select the report that needs to be generated for a single IP address.

2) Under "Advance Settings > Add Filter"
       Select filter "Source IP"
       Select the middle value as "Equal to"

3) In the third field, enter the IP address (for example, 10.0.0.1).

4) Click "Apply"

Firmware v4.x

1) Log in to the FortiAnalyzer and navigate to "Report > Config > Layout". Click "Create New" or edit an existing layout. Specify any name, then click "Add Charts > Add Charts" (select the '+' icon to add) to add charts based on the requirement, and apply the settings.

2) Create a new data filter from "Report > Config > Data Filter". Click "Create New", specify any name and configure the following settings:

- Filter Logic: select the "Any" radio button.
- Generic Filter: configure the following settings (example: source IP 10.10.11.1).
Key - src
Value - 10.10.11.1
Click "Add". Leave the remainder of the settings at their default values and apply the settings.

3) Navigate to "Report > Schedule" and click "Create New". Specify any name and configure the following settings:

- In the "Layout" drop-down menu, select the layout created in step (1).
- In the "Log Data Filtering > Device/Group" drop-down menu, select the firewall to which the user belongs.
- In the "Data Filter" drop-down menu, select the data filter created in step (2).
- In the "Time period" drop-down menu, select the "time scope" as required.
- Under "Output", select "PDF" as an additional format if required and apply the settings.

Once the report is generated manually (or set to auto schedule), it will be based on that one user's IP address.
