Resolving Source IPs in FortiAnalyzer FortiView
One of my main views in FortiAnalyzer is FortiView; it's a powerful dashboard that is easy to use and understand. One question I hear frequently about the "Top Sources" view in the Traffic section is "How do I resolve the IPs into hostnames?" This is a great question, as your default view would look something like this:
The information provided is useful albeit limited, because you still have to turn around and figure out who is who, what IP address is owned by what host. Now this isn't too bad for a handful of IPs, but if your organization spans more than one FortiGate and several tens, hundreds, or thousands of VLANs and IP ranges, then you're really going to want to know the host name of a device off the bat. The good news is this is easily configurable.
Your FortiAnalyzer is configured to use your organizational DNS servers
Your DNS servers are reachable by the FortiAnalyzer
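A quick way to check both prerequisites before enabling resolution, as an added example that is not part of the original post: the Python script below reverse-resolves (PTR lookup) a sample of source IPs and lists the networks where nothing came back. It assumes it is run from a host that uses the same DNS servers as the FortiAnalyzer; the function names, sample addresses and hostnames are constructed for illustration.

```python
"""Added example: PTR coverage check for a sample of source IPs (not from the original post)."""
import ipaddress
import socket
from collections import defaultdict


def system_ptr_lookup(ip):
    """Reverse-resolve ip with this host's configured DNS; None if no answer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror, socket.gaierror and timeouts
        return None


def ptr_coverage(ips, lookup=system_ptr_lookup, prefix=24):
    """Group IPs by /prefix network: {network: {"resolved": {ip: name}, "missing": [ip]}}."""
    report = defaultdict(lambda: {"resolved": {}, "missing": []})
    for raw in ips:
        addr = ipaddress.ip_address(raw.strip())
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        name = lookup(str(addr))
        # Some resolvers echo the address back when no PTR exists; count that as missing.
        if name and name != str(addr):
            report[str(net)]["resolved"][str(addr)] = name
        else:
            report[str(net)]["missing"].append(str(addr))
    return dict(report)


def blind_networks(report):
    """Networks where no sampled IP resolved: likely a missing reverse zone or unreachable DNS."""
    return sorted(net for net, r in report.items() if not r["resolved"])


# Constructed sample data (assumption): not taken from any real network.
SAMPLE_IPS = ["10.10.20.15", "10.10.20.31", "10.10.30.7", "192.168.50.4"]
SAMPLE_PTR = {"10.10.20.15": "hr-laptop-01.corp.example",
              "192.168.50.4": "printer-2.corp.example"}

if __name__ == "__main__":
    import sys
    ips = sys.argv[1:]
    # With no arguments, run offline against the constructed sample table.
    lookup = system_ptr_lookup if ips else SAMPLE_PTR.get
    report = ptr_coverage(ips or SAMPLE_IPS, lookup)
    for net, r in sorted(report.items()):
        print(f"{net}: {len(r['resolved'])} resolved, missing {r['missing']}")
    print("no PTR answers at all for:", blind_networks(report))
```

Pass the IPs you see in Top Sources as arguments; any network reported as having no PTR answers will keep showing raw addresses in FortiView until its reverse zone is fixed.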
Configuring FortiView to resolve IPs to hostnames
To configure FortiView to resolve IPs to hostnames using your DNS server, log into the CLI of your FortiAnalyzer and issue the following commands:
Once these are issued, go get some coffee, or run around the building, or do whatever it is you do for about 10 minutes, to allow FortiView to resolve these IPs. When you come back you should see something like this:
It may take a while for the hostnames to populate depending on the size of your network, but they will eventually show up. Thanks for your time, I hope this was helpful.