Reporter for FortiGate Release Notes
Reporter for FortiGate 1.0.1.81 (2024-08-08)

Entra ID Support

We have added support for importing user and group information directly from Entra ID (formerly Azure AD) in Settings > Directory. For information on creating an Entra ID application with the required permissions and connecting Fastvue Reporter to the Entra ID application, see Importing User and Group information from Entra ID.

Reporter for FortiGate 1.0.1.80 (2024-08-07)

Reports

Fortinet FortiGate administrators can now keep on top of all changes made to their FortiGate with the new FortiGate Configuration Changes widget in the IT Network and Security report.

Settings

We’ve added User Principal Name as an option in Settings > Directory / LDAP > User Display Settings, so that users can be represented by their UPN in all reports and alerts. There is also the option to use their displayName with their UPN in parentheses.

Fixes & Improvements
  • Fixed session logic that caused blocked applications to show as allowed
  • Fixed an issue that prevented editing the IT Security Productivity group in Settings > Productivity.
  • Improved Search Term extraction for Spotify
  • Safeguarding Report: Revised the calculation of incidents in “Web Category Incidents” section

Reporter for FortiGate 1.0.1.79 (2024-05-16)

IT Security Reports and Dashboards

In our previous release, we introduced the IT Security Productivity group in Settings > Productivity to separate security concerns from unacceptable browsing / safeguarding concerns.

In this release, we have added widgets to the Firewall Dashboard and the IT Network and Security reports to clearly highlight activity in IT Security categories such as Phishing and Malicious Websites.

Fixes
  • AI Prompts: The AI Prompts widget in the Internet Usage report now supports Google Gemini again. This broke when Google changed the product’s name and domain from Bard to Gemini. This relies on FortiGate ‘Monitoring’ the Google.Gemini_Post application in Application Control, which also requires DPI.
  • YouTube Reports: Fixed the issue where YouTube videos accessed via the YouTube ‘App’ (as opposed to the web browser) were not shown in reports.
  • Firewall Dashboard: Fixed issue where the Viruses Detected widget on the Firewall Dashboard could show blank virus names.
  • Categories and Productivity: Fixed the display of categories and their association to Productivity groups when logged in non-English languages.
  • Keyword Reports: Fixed the Edit Keyword functionality when viewing Private Reports
  • Reports: Fixed Report Error: Object of type ‘System.DateTime’ cannot be converted to type ‘System.String’
  • Keywords: Improved drag-and-drop functionality to re-order Keyword Groups in Settings > Keywords. This enables you to change the order of Keyword Groups in the Safeguarding Report.
  • Search Terms: Improved search term extraction for Amazon

Reporter for FortiGate 1.0.1.78 (2024-02-20)

Introducing Fastvue’s New Safeguarding Report

We’re excited to launch our new Safeguarding Report, designed specifically for Digital Safeguarding Leads (DSLs), Student Well-being Officers, and Pastoral Care Teams. This streamlined report focuses on identifying ‘risky’ online behaviors among students, pinpointing searches, videos, and web content related to self-harm, extremism, drugs, and other unacceptable categories as defined by your school.

For a brief overview, watch our quick guide here.

Getting started with the Safeguarding Report:

  • Navigate to Reports > Overview Report > Safeguarding.
  • Optionally, apply filters to exclude staff or include only certain year groups.
  • Select your desired date range and click Run Report, or click Schedule to automatically send the report to the appropriate recipients daily, weekly, or monthly.

This is the initial version, and we’re eager for your honest feedback to refine it further!

Productivity Settings

With the introduction of the Safeguarding report detailing access to categories in the ‘Unacceptable Productivity’ list, we felt it important to separate IT Security concerns, such as Botnet and Malware, from this list, as they are not safeguarding concerns.

We have therefore added a new ‘IT Security’ list in Settings > Productivity, which separates categories such as Botnet and Malware from the existing ‘Unacceptable’ Productivity list.

For new installations, the ‘Unacceptable’ Productivity list is ordered by safeguarding priorities. Existing installations will retain their current ordering, but categories can be re-ordered by dragging and dropping in the ‘Unacceptable’ list under Settings > Productivity. This order is reflected in the ‘Unacceptable Web Categories’ sections of the new Safeguarding report.

If needed, existing installations can reset their Productivity settings to the new defaults by:

  1. Going to Settings > Data Storage > Settings and noting the Data Location.
  2. Stopping the Fastvue Reporter service in services.msc.
  3. Navigating to the data location on the Fastvue server.
  4. Deleting all Aliases.* files.
  5. Starting the Fastvue Reporter service in services.msc. It may take a few minutes for the database to initialize, visible in Settings > Diagnostic > Database.
  6. Navigating to Settings > Productivity to review the new Productivity settings.
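
The reset steps above as a PowerShell script for an elevated prompt on the Fastvue server. This is an added example, not Fastvue's own tooling: the `Fastvue Reporter*` display-name pattern and the `BackupRoot` parameter are assumptions, and the backup copy taken before deletion is an addition to the documented steps.

```powershell
# Added example: scripted form of reset steps 2-5. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Data Location noted in Settings > Data Storage > Settings (step 1).
    [Parameter(Mandatory)][string]$DataLocation,
    # Assumption: display name as shown in services.msc; adjust if yours differs.
    [string]$ServiceDisplayName = 'Fastvue Reporter*',
    # Assumption: where the backup copy goes; choose a durable folder.
    [string]$BackupRoot = $env:TEMP
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $DataLocation -PathType Container)) {
    throw "Data location not found: $DataLocation"
}
$matches = @(Get-Service -DisplayName $ServiceDisplayName)
if ($matches.Count -ne 1) {
    throw "Expected one service matching '$ServiceDisplayName', found $($matches.Count)."
}
$service = $matches[0]

# Step 2: stop the service so the alias files are not in use.
if ($PSCmdlet.ShouldProcess($service.DisplayName, 'Stop service')) {
    Stop-Service -InputObject $service
    $service.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
}

# Steps 3-4: copy Aliases.* to a timestamped backup folder, then delete them.
$aliasFiles = @(Get-ChildItem -LiteralPath $DataLocation -Filter 'Aliases.*' -File)
$backupDir = Join-Path $BackupRoot ('AliasesBackup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
$action = "Back up and delete $($aliasFiles.Count) Aliases.* file(s)"
if ($aliasFiles.Count -gt 0 -and $PSCmdlet.ShouldProcess($DataLocation, $action)) {
    New-Item -ItemType Directory -Path $backupDir | Out-Null
    $aliasFiles | Copy-Item -Destination $backupDir
    $aliasFiles | Remove-Item
}

# Step 5: start the service; the database may take a few minutes to initialize.
if ($PSCmdlet.ShouldProcess($service.DisplayName, 'Start service')) {
    Start-Service -InputObject $service
}
# Step 6 is done in the UI: review Settings > Productivity.
```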

Keywords
  • Keyword Groups can now be reordered in Settings > Keywords, reflecting the order of Keyword sections in the new Safeguarding report.

FortiGate Import Logic

We have adjusted the import logic to merge key information from application control events with the records created in the existing session.

This provides a range of advantages:

  • You can now drill down or run an Activity Report on an application and view the URLs from the web filtering events an application has requested.
  • Applications will no longer display 0 bytes in the size columns depending on the filter used in your report.
  • The size of the Fastvue database is reduced as we’re no longer importing noisy app-ctrl events as their own independent record. In certain cases, this reduction can be as significant as 50% depending on the applications in use on the network. Spotify, for example, is a culprit for generating a lot of app-ctrl data.

FortiGate New and Adjusted Fields
  • Added an Application Productivity field that groups Application Categories into Productive, Acceptable, Unproductive, Unacceptable and IT Security. This is in addition to the existing Productivity field that groups Web Categories into these lists.
  • The Policy field will now show “Implicit Deny” instead of 0 for traffic that hits the implicit deny policy.
  • The Reason field now shows the FortiGate Policy in the absence of a more descriptive message field in the log event.
  • For SSL log events, the Event Message field is now populated with the more descriptive message in the sslaction field.
  • The Application field is populated with the service field when an Application is not logged in the session. This is mainly traffic that does not pass through application control.
  • The Reason field no longer shows (null) for SSL Anomaly events.

Improvements
  • Added a Blocked Applications widget to the Internet Usage report and reordered the widgets in the Blocked Traffic section.
  • Added an Applications widget into the Network section of the IT Network and Security report.

Fixes
  • Adjusted the search term extraction rules for YouTube to prevent duplicated searches appearing in alerts and reports.
  • Fixed an issue where adding multiple email addresses using commas in the Schedule dialog on the Reports tab didn’t separate the addresses correctly.
  • When YouTube integration is not configured, Internet Usage reports will show raw YouTube URLs instead.
  • AV Threats widgets are no longer cluttered with informational AV events, such as FortiGate submitting files to FortiSandbox and coming back clean.

Reporter for FortiGate 1.0.1.77 (2023-11-21)

General
  • All changes in this build relate to other Fastvue Reporter brands. Specifically, Reporter for Palo Alto Networks, Cisco Firepower and Barracuda. See all release notes here.

Reporter for FortiGate 1.0.1.76 (2023-10-13)

Security Update
New Fields
  • You can now filter Reports and Alerts by the ‘isJunk’ field, allowing you to remove or include URLs in the Junk URLs list (see Settings > Site Clean > Junk URLs). Note that the ‘Clean (on)’ option in Overview Reports already removes Junk URLs or substitutes them with the actual/visited domain.

Site Clean
  • Added Junk URLs associated with background LinkedIn activity that can bloat browsing time when not actually using LinkedIn.
  • Added over 42,500 known ad servers to the list of Junk URLs.
  • Added domain substitutes for known TikTok CDNs.

Keywords
  • Added a range of exclude keywords to many drugs in the Drugs Keyword group to remove false positives associated with researching issues related to drugs (statistics, prevention, long term effects, etc).
  • Added new keywords and exclude keywords to Extremism, Self Harm and Adult and Profanity keyword groups.

Note: Site Clean and Keyword updates are delivered automatically behind the scenes, but if your Fastvue Reporter server is air-gapped, simply update the software to obtain these updates.


Reporter for FortiGate 1.0.1.75 (2023-09-22)

General
  • When filtering an Activity Report by multiple Security Groups, the selected Security Groups are now shown as a comma-separated list in a single row in the report, rather than creating duplicated rows for each Security Group a person is a member of. This fix also applies to filtering by other multi-value (arrayed) fields such as categories.
  • Source host resolution now only occurs on internal IP address ranges, or ranges specified in the ResolveSourceHostsIPRanges property in the Settings.xml file.
  • Added Search Term extraction for quora.com.
  • Fixed the handling of value-less URL query parameters (e.g. ‘?ab&c=123’ -> ab=(blank), c=123)
  • Elasticsearch *.mdmp files now get deleted as part of the cleanup task when a low disk space warning is triggered.

Performance Improvements
  • Incoming syslog data is no longer queued in memory when the database is not operational.
  • Elasticsearch is now configured to enable memory locking by default, configurable via setting DatabaseElasticMemoryLock in the Settings.xml file.
  • Elasticsearch Java process priority is now set to Normal by default, and can optionally be set to BelowNormal by setting DatabaseElasticProcessPriorityLow in the Settings.xml file.

Reporter for FortiGate 1.0.1.74 (2023-08-09)

AI Prompt Reporting (ChatGPT, Google Bard)
General
  • Fixed an issue where the Blocked Sites widget in the Internet Usage reports was not including sites blocked by the URL Filter feature. It included sites blocked by a Web Filter profile (e.g., a Category block), but not by the URL filter inside a Web Filter profile.
  • SecurityProtocols now enforces a minimum of TLS 1.2 by default, with an option to specify SecurityProtocols via XML settings.
  • Data Retention Policy enforcement now includes the size of today’s data in calculating the total size of data for the size policy, while still not deleting today’s data if it alone exceeds the size policy.
  • Fixed an issue introduced in the previous build where no records would be written to the Elasticsearch database until a minimum number of 10,000 syslog records were reached.
  • Fixed index management being unable to delete indexes in certain situations when an index has unassigned shards.
  • Fixed an issue with YouTube enrichment where some records would be imported without the enriched video metadata from YouTube. This meant you would see both the original YouTube URL as well as the enriched video title as separate items in the YouTube Videos report widget.
  • Switch buttons above Report widgets (e.g., Clean (on) | Clean (off) | Show Both) now indicate which option is currently selected.

Performance Improvements
  • Optimized memory and resource usage in a range of areas across the application. Note that if you have a large amount of data, you may still see memory usage often pegged near 100% due to the way Elasticsearch uses memory-mapped files; however, this memory is made available to other processes when needed and should not affect general performance.

Reporter for FortiGate 1.0.1.73 (2023-07-14)

Added FortiClient EMS Support (Experimental)
  • FortiClient EMS support: Use EMS to configure FortiClients to send UTM and Security logs to FortiAnalyzer (see Fortinet EMS System Settings), and configure FortiAnalyzer to forward logs to Fastvue Reporter.
  • Known Issues

    No size: No ‘size’ values are logged with FortiClient data so you will likely not see the data in any widget sorted by Size, such as Bandwidth reports, especially when normal FortiGate data is also being imported.

    No searches or videos: FortiClient does not log query strings in URLs therefore Fastvue Reporter is unable to extract or report on web searches or YouTube videos.

    Incomplete Categories: Some categories are not logged with their full name. For example, the URL category ‘Global Religion’ is logged as just ‘Global’, and ‘Real Estate’ as just ‘Real’. We have mapped these truncated categories to the full category name where possible. However, some truncated names are ambiguous: ‘Web’ could mean Web Analytics, Web Chat or Web Hosting, and ‘Personal’ could mean Personal Privacy, Personal Vehicles or Personal Websites and Blogs. In these cases, we have added new categories called ‘Web’ and ‘Personal’ and added them to the ‘Acceptable’ Productivity group. Not ideal, but the best we can do based on the data FortiClient supplies.

General
  • Fixed an issue where log data would stop importing if the IP sending the syslog data changed. When syslog sources are added by hostname / FQDN, Fastvue Reporter now re-resolves the Source’s hostname to an IP when it detects it is no longer receiving syslog data from the IP the hostname last resolved to. Previously, hostname to IP resolution only occurred when a Source was added or when the Fastvue Reporter service was started.
  • Fixed an issue where users logged with their UPN instead of their sAMAccountName would not be aliased to a user object in Active Directory. This meant they would not be displayed with their Display Name, or included in reports on AD Security Groups, Departments, Offices, or Companies.
  • Fixed issue where users with the same sAMAccountName from different domains would be aliased to the same user.
  • Top downloads widget on the Bandwidth dashboard now handles long URLs by truncating to one line, with the rest of the URL shown in a hover-over ellipsis.

Performance Improvements
  • Further optimized the data import pipeline.
  • Reduced the performance impact of source host resolution by increasing the TTL for cached entries and reducing resolution attempts for failed resolutions.

Reporter for FortiGate 1.0.1.72 (2023-06-26)

Improved FortiGate Integration
  • New Fields Added: Introduced new fields for Mime Type and HTTP Method.

Improved performance
  • Optimized the live dashboard query processing and timing to reduce CPU wastage.
  • Optimized the import pipeline to reduce RAM, CPU, and I/O.
  • Adjusted the default database memory settings. JVM Heap Size now defaults to 50% of RAM or 1GB, whichever is larger, capped at 32GB. These settings are used when Memory Settings are set to ‘Automatic’ in Settings > Diagnostic > Database > Memory Settings.

General
  • Improved Search Term extraction rules including TikTok, brave.com, webcrawler.com, Yahoo, and Bing chat.
  • Activity Reports now insert a column for Keyword Group when filtering by more than one Keyword Group.
  • The YouTube Videos widget now shows the original YouTube URL if YouTube integration is not enabled in Settings > YouTube.
  • Fixed an issue that may prevent users from being notified about errors saving configuration, such as Alerts being created with the same name.