To create purposeful custom reports, first decide which attributes, or key pieces of information, you want to retrieve and analyze. That decision guides the following selections in a custom report:
Selection Description
Data Source: The data file that is used to generate the report. The firewall offers two types of data sources—Summary databases and Detailed logs.
• Summary databases are available for traffic, threat, and application statistics. The firewall aggregates the detailed logs on traffic, application, and threat at 15-minute intervals. The data is condensed—duplicate sessions are grouped together and incremented with a repeat counter, and some attributes (or columns) are not included in the summary—to allow faster response time when generating reports.
• Detailed logs are itemized and are a complete listing of all the attributes (or columns) that pertain to the log entry. Reports based on detailed logs take much longer to run and are not recommended unless the summary databases lack a column you need.
Attributes: The columns that you want to use as the match criteria. From the list of Available Columns, you add the columns used for matching data and for aggregating the details (the Selected Columns).
Sort By/Group By: The Sort By and Group By criteria allow you to organize and segment the data in the report; the sorting and grouping attributes available vary based on the selected data source.
The Sort By option specifies the attribute that is used for aggregation. If you do not select an attribute to sort by, the report returns the first N results without any aggregation.
The Group By option allows you to select an attribute and use it as an anchor for grouping data; all the data in the report is then presented as a set of top 5, 10, 25 or 50 groups. For example, when you select Hour as the Group By selection and want the top 25 groups for a 24-hour time period, the report is generated on an hourly basis over that 24-hour period. The first column in the report is the hour and the remaining columns are the rest of your selected report columns.
Reports and Logging Manage Reporting
The following example illustrates how the Selected Columns and Sort By/Group By criteria work together when generating reports:
The columns circled in red (above) depict the selected columns, which are the attributes that each log entry is matched against when generating the report. Each log entry from the data source is parsed and compared on these columns. If multiple sessions have the same values for all the selected columns, they are aggregated into one row and the repeat count (sessions) is incremented.
The column circled in blue indicates the chosen sort order. When a Sort By attribute is specified, the aggregated rows are sorted by that attribute.
The column circled in green indicates the Group By selection, which anchors the report. The Group By column is used as the match criterion to select the top N groups; then, for each of the top N groups, the report enumerates the values of all the other selected columns.
For example, if a report has the following selections:
The output will display as follows:
The report is anchored by Day and sorted by Sessions. It lists the 5 days (5 groups) with the most traffic in the Last 7 Days time frame. Within each day, the top 5 rows by session count are enumerated for the selected columns—App Category, App Subcategory and Risk.
Time Period: The date range for which you want to analyze data. You can define a custom range or select a time period ranging from the last 15 minutes to the last 30 days. Reports can be run on demand or scheduled to run at a daily or weekly cadence.
Query Builder: The query builder lets you define queries that further refine the selected attributes. Using and/or connectors and match criteria, you can include data that matches the query in the report, or exclude it by negating the query. Queries produce a more focused collation of information in a report.
Generate Custom Reports
1. Select Monitor > Manage Custom Reports.
2. Click Add and then enter a Name for the report.
To base a report on a predefined template, click Load Template and choose the template. You can then edit the template and save it as a custom report.
3. Select the database to use for the report.
Each time you create a custom report, a Log View report is automatically created. This report shows the logs that were used to build the custom report. The log view report uses the same name as the custom report, but appends the phrase (Log View) to the report name.
When creating a report group, you can include the log view report with the custom report. For more information, see Manage Report Groups.
4. Select the Scheduled check box to run the report each night. The report is then available for viewing in the Reports column on the side.
5. Define the filtering criteria. Select the Time Frame, the Sort By order and the Group By preference, and select the columns that must appear in the report.
6. (Optional) Select the Query Builder attributes if you want to further refine the selection criteria. To build a report query, specify the following and click Add. Repeat as needed to construct the full query.
• Connector—Choose the connector (and/or) to precede the expression you are adding.
• Negate—Select the check box to interpret the expression as a negation. If, for example, the expression matches entries received in the last 24 hours or originating from the untrust zone, negating it instead matches entries that are not from the past 24 hours or are not from the untrust zone.
• Attribute—Choose a data element. The available options depend on the choice of database.
• Operator—Choose the criterion that determines whether the attribute matches (such as =). The available options depend on the choice of database.
• Value—Specify the attribute value to match.
For example, the following figure (based on the Traffic Log database) shows a query that matches if the traffic log entry was received in the past 24 hours and is from the “untrust” zone.
7. To test the report settings, select Run Now. Modify the settings as required to change the information that is displayed in the report.
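To make concrete how the Query Builder terms (step 6), the Selected Columns, and the Sort By and Group By choices described earlier combine into report rows, the following Python model is added here as an illustration. It is not PAN-OS code: the log entries are constructed, the field names (receive_time, from, day, app_category, app_subcategory, risk, bytes), the operator set, and the left-to-right evaluation of query terms are assumptions; the aggregation, sorting and top-N grouping follow the description above.

```python
"""Added illustration of how a custom report turns Query Builder terms and the
Selected Columns / Sort By / Group By choices into rows.  Not PAN-OS code: log
entries are constructed, field names and left-to-right term evaluation are
assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 8, 12, 0, 0)   # fixed "now" keeps the sample deterministic
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def entry(hours_ago, zone, category, subcategory, risk, nbytes):
    """Build one constructed traffic-log entry (assumed field names)."""
    t = NOW - timedelta(hours=hours_ago)
    return {"receive_time": t, "day": DAYS[t.weekday()], "from": zone,
            "app_category": category, "app_subcategory": subcategory,
            "risk": risk, "bytes": nbytes}


# Constructed sample: four sessions today (Wed), two yesterday (Tue), one on Mon.
SAMPLE_LOGS = [
    entry(1,  "untrust", "general-internet", "internet-utility", 4, 5000),
    entry(2,  "untrust", "general-internet", "internet-utility", 4, 7000),
    entry(3,  "untrust", "media",            "audio-streaming",  2, 90000),
    entry(5,  "trust",   "media",            "audio-streaming",  2, 1000),
    entry(30, "untrust", "general-internet", "internet-utility", 4, 2000),
    entry(31, "untrust", "collaboration",    "email",            3, 4000),
    entry(60, "untrust", "collaboration",    "email",            3, 3000),
]

# Operators a term may use here; the builder's real list depends on the database.
OPERATORS = {
    "=":  lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<":  lambda a, b: a < b,
}


def matches_query(log, query):
    """query is a list of (connector, negate, attribute, operator, value), one per
    row added in the Query Builder.  Negate flips only its own term; the first
    term's connector is ignored; terms combine left to right (assumption)."""
    result = None
    for connector, negate, attribute, op, value in query:
        term = OPERATORS[op](log[attribute], value)
        if negate:
            term = not term
        if result is None:
            result = term
        elif connector == "and":
            result = result and term
        elif connector == "or":
            result = result or term
        else:
            raise ValueError(f"unknown connector {connector!r}")
    return True if result is None else result   # an empty query matches everything


def build_report(logs, query, columns, sort_by, group_by, top_n):
    """Selected columns are the match key: entries with identical values collapse
    into one row whose session counter is incremented (bytes are summed).
    Group By anchors the top_n groups, ranked by the Sort By metric; each group
    then lists its own top_n rows in Sort By order."""
    key_cols = [group_by] + [c for c in columns if c != group_by]
    aggregated = {}
    for log in logs:
        if not matches_query(log, query):
            continue
        key = tuple(log[c] for c in key_cols)
        row = aggregated.setdefault(key, {"sessions": 0, "bytes": 0})
        row["sessions"] += 1                       # the repeat counter
        row["bytes"] += log["bytes"]

    groups = defaultdict(list)
    for key, metrics in aggregated.items():
        groups[key[0]].append({**dict(zip(key_cols, key)), **metrics})

    ranked = sorted(groups.items(), key=lambda kv: -sum(r[sort_by] for r in kv[1]))
    return [(anchor, sorted(rows, key=lambda r: -r[sort_by])[:top_n])
            for anchor, rows in ranked[:top_n]]


# The step 6 query: received in the past 24 hours AND from the untrust zone.
LAST_24H_UNTRUST = [
    ("and", False, "receive_time", ">=", NOW - timedelta(hours=24)),
    ("and", False, "from", "=", "untrust"),
]
# Same query with the zone term negated: past 24 hours AND NOT from untrust.
LAST_24H_NOT_UNTRUST = [LAST_24H_UNTRUST[0], ("and", True, "from", "=", "untrust")]

if __name__ == "__main__":
    report = build_report(SAMPLE_LOGS, LAST_24H_UNTRUST,
                          ["app_category", "app_subcategory", "risk"],
                          "sessions", "day", 5)
    for anchor, rows in report:
        print(anchor)
        for row in rows:
            print("   ", row)
```

Running the script reproduces the Day-anchored layout of the earlier example: only today's untrust sessions survive the query, so a single Wed group is printed, with the two general-internet sessions collapsed into one row of sessions=2 ahead of the single audio-streaming session. Switching sort_by to "bytes" reorders the same rows by volume, and dropping the query lets the Tue and Mon groups appear. In a real deployment the summary database has already done the 15-minute aggregation, so the repeat counter starts from the summarized counts rather than from individual sessions.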
Examples of Custom Reports
Suppose you want a simple report that uses the traffic summary database for the last 30 days, sorted by the top 10 sessions, with those sessions grouped into 5 groups by day of the week. You would set up the custom report like this:
And the PDF output for the report would look as follows:
Now, if you want to use the query builder to generate a custom report that shows the top consumers of network resources within a user group, you would set up the report like this:
The report would display the top users in the product management user group sorted by bytes, as follows: