Matt Sherif

Resolving Source IPs in FortiAnalyzer FortiView





One of my main views in FortiAnalyzer is FortiView; it is a powerful dashboard that is easy to use and understand. One question I hear frequently about the "Top Sources" widget in the Traffic section is "How do I resolve the IPs into hostnames?". This is a great question, because the default view looks something like this:



You still need to translate these IPs into hostnames; wouldn't it be nice if that was done automatically?

The information provided is useful, albeit limited, because you still have to turn around and work out which host owns which IP address. This isn't too bad for a handful of IPs, but if your organization spans more than one FortiGate and tens, hundreds, or thousands of VLANs and IP ranges, you are really going to want the host name of a device right off the bat. The good news is that this is easily configurable.


Assumptions

  • Your FortiAnalyzer is configured to use your organizational DNS servers

  • Your DNS servers are reachable by the FortiAnalyzer
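FortiView can only display a hostname when the DNS servers the FortiAnalyzer uses return a PTR record for the address, so the two assumptions above are worth checking before enabling the feature. The script below is an added example, not part of this post or any Fortinet tool; it assumes it runs on a host that uses the same DNS servers as the FortiAnalyzer, and the sample addresses are constructed.

```python
"""Check reverse DNS for the source IPs that FortiView lists as Top Sources.

An address that comes back without a hostname here will keep showing as a
bare IP in FortiView even after resolution is enabled; the fix is a missing
PTR record or DNS reachability, not waiting another ten minutes.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Resolver contract matches socket.gethostbyaddr: address -> (hostname,
# aliases, addresses), raising OSError (socket.herror) when no PTR exists.
# It is injectable so the check can be exercised without a network.
Resolver = Callable[[str], tuple]


def resolve_ptr(ip: str, resolver: Resolver = socket.gethostbyaddr) -> Optional[str]:
    """Return the PTR hostname for ip, or None when the lookup fails."""
    try:
        hostname, _aliases, _addresses = resolver(ip)
        return hostname
    except OSError:
        # socket.herror / socket.gaierror are OSError subclasses: covers
        # NXDOMAIN, timeouts and an unreachable DNS server alike.
        return None


def check_sources(ips: Iterable[str],
                  resolver: Resolver = socket.gethostbyaddr) -> Dict[str, Optional[str]]:
    """Map each Top Sources IP to its hostname (None where no PTR record exists)."""
    return {ip: resolve_ptr(ip, resolver) for ip in ips}


def unresolved(results: Dict[str, Optional[str]]) -> List[str]:
    """IPs that FortiView will not be able to show as hostnames."""
    return [ip for ip, name in results.items() if name is None]


if __name__ == "__main__":
    # Constructed sample: private addresses as they would appear in the
    # Top Sources widget. Replace with the IPs from your own FortiView.
    sample_ips = ["10.0.0.10", "10.0.0.11", "192.168.1.5"]
    for ip, name in check_sources(sample_ips).items():
        print(f"{ip:15} -> {name or 'NO PTR RECORD'}")
```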


Configuring FortiView to resolve IPs to hostnames


To configure FortiView to resolve IPs to hostnames using your DNS server, log into the CLI of your FortiAnalyzer and issue the following commands:




Once these are issued, go get some coffee, or run around the building, or do whatever it is you do for about 10 minutes, to allow FortiView to resolve these IPs. When you come back you should see something like this:



Yay! Now I know my FortiManager is my top source.

It may take a while for the hostnames to populate depending on the size of your network, but they will eventually show up. Thanks for your time, I hope this was helpful.