
FortiAnalyzer v5.0 Administration Guide
FortiAnalyzer v5.0 Administration Guide, November 20, 2012, 05-500-187572-20121120. Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation: docs.fortinet.com
Knowledge Base: kb.fortinet.com
Customer Service & Support: support.fortinet.com
Training Services: training.fortinet.com
FortiGuard: fortiguard.com
Document Feedback: techdocs@fortinet.com

Table of Contents

Table of Figures .... 6
Change Log .... 9
Introduction .... 10
  Scope .... 11
  Entering FortiAnalyzer configuration data .... 11
    Entering text strings (names) .... 11
    Selecting options from a list .... 11
    Enabling or disabling options .... 11
Key Concepts .... 12
  Administrative domains .... 12
  Operation modes .... 12
    Standalone mode .... 13
    Analyzer and collector mode .... 14
  Log storage .... 16
  Workflow .... 17
Web-based Manager .... 18
  System requirements .... 18
    Web browser .... 18
    Resolution .... 18
  Connecting to the Web-based Manager .... 18
  Web-based Manager overview .... 19
  Web-based Manager configuration .... 21
    Language .... 21
    Administrative access .... 22
    Restricting access by trusted hosts .... 22
    Idle timeout .... 22
  Reboot and shutdown the FortiAnalyzer unit .... 23
Device Manager .... 24
  ADOMs .... 25
  Devices and groups .... 27
    Groups .... 27
    Devices and VDOMs .... 29
  Real-time monitor .... 34
System Settings .... 36
  Dashboard .... 37
    Customizing the dashboard .... 39
    System Information widget .... 40
    System Resource widget .... 48
    License Information widget .... 49
    Unit Operation widget .... 50
    Alert Messages Console widget .... 50
    CLI Console widget .... 51
    RAID Monitor widget .... 52
  General settings .... 56
    All ADOMs .... 56
    Network .... 59
    Certificates .... 64
    Log Access .... 66
    Diagnostic tools .... 66
  Admin .... 67
    Monitoring administrator sessions .... 67
    Administrator .... 68
    Profile .... 71
    Remote authentication server .... 74
    Administrator settings .... 80
  Advanced .... 81
    SNMP v1/v2c .... 82
    Advanced settings .... 85
    Alerts .... 86
    Device Log .... 91
RTM Profiles .... 96
  RTM Profiles .... 96
  Dashboards .... 99
  Charts .... 100
  View RTM data .... 103
Log View .... 106
  Viewing log messages .... 106
    Customizing the log view .... 107
    Log details .... 109
    Archive .... 109
  Browsing log files .... 110
    Importing a log file .... 112
    Downloading a log file .... 112
  Configuring rolling and uploading of logs .... 113
Fortinet Technologies Inc.
Reports .... 116
  Templates .... 117
    Configure report templates .... 117
  Schedules .... 123
  History .... 126
  Calendar .... 127
  Advanced .... 128
    Charts .... 128
    Datasets .... 131
    Output profiles .... 134
    Language .... 136
Appendix A: SNMP MIB Support .... 139
Appendix B: Port Numbers .... 140
Index .... 142

Table of Figures

Topology of the FortiAnalyzer unit in standalone mode .... 13
Topology of the FortiAnalyzer units in analyzer/collector mode .... 14
Change operation mode to analyzer .... 15
Change operation mode to collector .... 15
Logging, analyzing, and reporting workflow .... 17
The tab bar .... 20
Main menu bar .... 20
Administration settings .... 21
Unit operation actions in the Web-based Manager .... 23
Device manager tab .... 24
Device list right-click menu .... 25
Create an ADOM .... 25
Edit an ADOM .... 26
Add a device group .... 28
Add device wizard login screen .... 30
Add device wizard add device screen .... 30
Add device wizard add device screen two .... 31
Add device wizard summary screen .... 32
Edit a device .... 33
Real time monitor pane .... 34
Refresh a chart .... 35
FortiAnalyzer system dashboard .... 38
Adding a widget .... 39
A minimized widget .... 40
System Information widget .... 40
Edit Host Name dialog box .... 42
Time Settings dialog box .... 43
Backup dialog box .... 46
All Settings Configuration Restore dialog box .... 46
Change operation mode .... 47
System Resource widget (Real Time display) .... 48
System Resource widget (Historical display) .... 48
Edit System Resources Settings window .... 49
VM License Information widget .... 49
Unit Operation widget .... 50
Alert Message Console widget .... 51
List of all alert messages .... 51
CLI Console widget .... 52
RAID monitor widget .... 53
RAID Settings .... 53
All ADOMs list .... 56
Create a new ADOM .... 57
Edit an ADOM .... 58
Network screen .... 59
Network interface list .... 60
Configure network interfaces .... 61
Routing Table .... 62
Create New route .... 62
Create New route .... 63
New local certificate .... 64
Local certificate details .... 65
Administrator session list .... 67
Administrator list .... 68
Creating a new administrator account .... 69
Administrator profile list .... 72
Create new administrator profile .... 73
RADIUS server list .... 74
New RADIUS Server window .... 75
LDAP server list .... 76
New LDAP server dialog box .... 77
New TACACS+ server dialog box .... 79
Administrative settings dialog box .... 80
SNMP configuration .... 83
New SNMP community .... 84
Advanced settings .... 86
Alert event window .... 86
Create new alert event window .... 87
Mail server window .... 88
Mail server settings .... 89
Syslog server window .... 89
Syslog server settings .... 90
Alert message console window .... 90
Alert console settings .... 91
Log setting window .... 92
Log access window .... 93
Task monitor window .... 94
RTM profiles tab .... 96
Create a new RTM profile .... 97
Edit an RTM profile .... 97
Clone an RTM profile .... 98
Add dashboard dialog box .... 99
Dashboard options dialog box .... 100
Add charts dialog box .... 102
Chart placeholder .... 102
Moving a chart .... 103
Viewing RTM data .... 104
Chart data details .... 104
Refresh a chart's data .... 105
Log view .... 106
Column settings .... 108
Log details .... 109
Log archive .... 109
View packet log dialog box .... 110
Log file list .... 111
Import a log file .... 112
Log setting window .... 114
Report templates .... 117
Template and section tool bars .... 118
Add a new section .... 118
Add a new chart .... 119
Chart preview .... 119
Choose a graphic .... 120
Heading element .... 120
Edit a heading .... 121
Edit text .... 121
Move a report template element .... 122
Edit an element .... 122
Delete an element .... 123
Report schedules page .... 123
Create a new report schedule .... 124
Report history page .... 126
Report calendar .... 127
Report schedule calendar details .... 127
Charts .... 128
Create a new chart .... 129
Datasets .... 131
Create a new dataset .... 131
Output profile page .... 134
Create new output profile dialog box .... 135
Report language .... 136
Create a new language .... 137

Change Log

Date          Change Description
2012-11-20    Initial Release.


Introduction

The FortiAnalyzer family of logging, analyzing, and reporting appliances securely aggregates log data from Fortinet network security devices and other syslog-compatible devices. A comprehensive suite of easily customized reports enables you to analyze, report, and archive security event, network traffic, web content, and messaging data to measure policy compliance.

This guide contains the following chapters:
- Key Concepts
- Web-based Manager
- Device Manager
- System Settings
- RTM Profiles
- Log View
- Reports

FortiAnalyzer features

- Over 550 reports and customizable charts help you monitor and maintain acceptable use policies, identify attack patterns, and demonstrate policy compliance.
- Network capacity and utilization data reporting allow you to plan and manage networks more efficiently.
- Scalable architecture allows the device to run in collector or analyzer modes for optimized log processing.
- Advanced features such as event correlation, forensic analysis, and vulnerability assessment provide essential tools for in-depth protection of complex networks.
- Secure data aggregation from multiple FortiGate and FortiMail security appliances provides network-wide visibility and compliance.
- Fully integrated with FortiManager appliances for a single point of command, control, analysis, and reporting.
- Up to 24 TB of log data capacity and a choice of RAID levels allow you to balance capacity and data assurance to match organizational needs.


Scope

This document describes how to use the Web-based Manager to set up and configure the FortiAnalyzer unit. It assumes you have already successfully installed the FortiAnalyzer unit by following the instructions in your unit's QuickStart guide. At this stage:
- You have administrative access to the Web-based Manager and/or CLI.
- The FortiAnalyzer unit can connect to the Web-based Manager and CLI.

This document explains how to use the Web-based Manager to:
- maintain the FortiAnalyzer unit, including backups
- configure basic settings, such as system time, DNS settings, administrator password, and network interfaces
- configure advanced features, such as adding devices, DLP archiving, vulnerability management, logging, and reporting.

This document does not cover commands for the command line interface (CLI). For information on the CLI, see the FortiAnalyzer CLI Reference.

Entering FortiAnalyzer configuration data

The configuration of a FortiAnalyzer unit is stored as a series of configuration settings in the FortiAnalyzer configuration database. To change the configuration you can use the Web-based Manager or CLI to add, delete or change configuration settings. These configuration changes are stored in the configuration database as they are made. Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable).

Entering text strings (names)

Text strings are used to name entities in the configuration, for example the name of a report chart or an administrative user. You can enter any character in a FortiAnalyzer configuration text string except the following, which are disallowed in configuration names to prevent Cross-Site Scripting (XSS) vulnerabilities: " (double quote), & (ampersand), ' (single quote), < (less than), and > (greater than).
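The five rejected characters are exactly the set that HTML escaping rewrites, which is why refusing them when a name is entered keeps a stored name from breaking out of the HTML the Web-based Manager later renders it into. The following Python is an added example, not FortiAnalyzer code: an input-side name validator for that character set, alongside a check that the set coincides with what Python's html.escape() would change; the sample names are constructed.

```python
import html

# The five characters the guide says FortiAnalyzer rejects in configuration
# names: " (double quote), & (ampersand), ' (single quote), < and >.
FORBIDDEN_NAME_CHARS = frozenset('"&\'<>')

# Constructed sample names for the demonstration (not taken from the guide).
SAMPLE_NAMES = [
    "Branch-A daily traffic chart",   # plain name, accepted
    "Tom & Jerry's <chart>",          # ampersand, apostrophe, angle brackets
    'Web filter "daily"',             # double quotes
    "report-2012_11_20 (FortiGate)",  # punctuation that is still allowed
]


def find_forbidden_chars(name: str) -> list[str]:
    """Return the rejected characters found in `name`, in first-seen order."""
    found: list[str] = []
    for ch in name:
        if ch in FORBIDDEN_NAME_CHARS and ch not in found:
            found.append(ch)
    return found


def is_valid_config_name(name: str) -> bool:
    """Input-side check: the name contains none of the five rejected characters."""
    return not find_forbidden_chars(name)


def is_unchanged_by_html_escape(name: str) -> bool:
    """Output-side view of the same rule: html.escape(quote=True) rewrites
    exactly &, <, >, " and ', so a name it leaves untouched is one that can
    be placed into HTML text or a quoted attribute verbatim without
    terminating the surrounding markup."""
    return html.escape(name, quote=True) == name


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        bad = find_forbidden_chars(name)
        verdict = "accepted" if not bad else f"rejected ({' '.join(bad)})"
        print(f"{name!r}: {verdict}")
        # Both formulations of the rule agree on every sample name.
        assert is_valid_config_name(name) == is_unchanged_by_html_escape(name)
```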

Selecting options from a list

If a configuration field can only contain one of a number of selected options, the Web-based Manager and CLI present you with a list of acceptable options and you can select one from the list. No other input is allowed. From the CLI, you must spell the selection name correctly.

Enabling or disabling options

If a configuration field can only be on or off (enabled or disabled), the Web-based Manager shows a check box or other control that can only be enabled or disabled. From the CLI, you can set the option to enable or disable.


Key Concepts

This chapter defines basic FortiAnalyzer concepts and terms. If you are new to FortiAnalyzer, this chapter can help you to quickly understand this document and your FortiAnalyzer platform. This topic includes:
- Administrative domains
- Operation modes
- Log storage
- Workflow

Administrative domains

Administrative domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators' access privileges to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific device's VDOM. Enabling ADOMs alters the structure of, and the available functions in, the Web-based Manager and CLI, according to whether or not you are logging in as the admin administrator and, if you are not logging in as the admin administrator, the administrator account's assigned access profile. See System Information widget on page 40 for information on enabling and disabling ADOMs. For information on working with ADOMs, see ADOMs on page 25. For information on configuring administrators and administrator settings, see Admin on page 67.

Operation modes
The FortiAnalyzer unit has three operation modes:
Standalone: The default mode that supports all FortiAnalyzer features.
Analyzer: The mode used for aggregating logs from one or more log collectors. In this mode, the log aggregation configuration function is disabled.
Collector: The mode used for saving and uploading logs. For example, instead of writing logs into the database, the collector can retain the logs in original (binary) format for uploading. In this mode, the report function and some functions under System and Tools are disabled.
The analyzer and collector modes are used together to increase the analyzer's performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

The FortiAnalyzer 100 and 400 models do not support the analyzer mode.

The mode of operation that you choose will depend on your network topology and individual requirements. For information on how to select an operation mode, see Changing the operation mode on page 47.

Standalone mode
The standalone mode is the default mode that supports all FortiAnalyzer features. If your network log volume is reasonable and does not compromise the performance of your FortiAnalyzer unit, you can choose this mode. Figure 1 illustrates the network topology of the FortiAnalyzer unit in standalone mode.

Figure 1: Topology of the FortiAnalyzer unit in standalone mode


Analyzer and collector mode


The analyzer and collector modes are used together to increase the analyzer's performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized. In most cases, the volume of logs fluctuates dramatically during a day or week. You can deploy a collector to receive and store logs during the high traffic periods and transfer them to the analyzer during the low traffic periods. As a result, the analyzer's performance is protected, since it only deals with log insertion and reporting once the log transfer process is over. As illustrated in Figure 2, company A has two remote branch networks protected by multiple FortiGate units. The networks generate large volumes of logs which fluctuate significantly during a day. The company used to have a FortiAnalyzer-4000A in standalone mode to collect logs from the FortiGate units and generate reports. To further boost the performance of the FortiAnalyzer-4000A, the company deploys a FortiAnalyzer-400B in collector mode in each branch to receive logs from the FortiGate units during the high traffic period and transfer bulk logs to the analyzer during the low traffic period.

Figure 2: Topology of the FortiAnalyzer units in analyzer/collector mode


To set up the analyzer/collector configuration:
1. On the FortiAnalyzer unit, go to System > Dashboard > Status.
2. In the System Information widget, in the Operation Mode field, select Change. The Change Operation Mode dialog box opens.
3. Select Analyzer.

Figure 3: Change operation mode to analyzer

4. To enable the log aggregation service, select Enable Log Aggregation Service, enter the desired disk quota, then enter a password for the analyzer server and confirm it.
5. Select OK.
6. On the first collector unit, go to System > Dashboard > Status.
7. In the System Information widget, in the Operation Mode field, select Change. The Change Operation Mode dialog box opens.
8. Select Collector.

Figure 4: Change operation mode to collector


9. Enter the following information:
Remote Server IP: Enter the IP address of the analyzer unit to which this log collector uploads logs.
Enable Log Aggregation: Select to enable log aggregation.
Password: Enter the password of the analyzer unit.
Confirm Password: Reenter the password of the analyzer unit.
Upload Daily at: Select a time from the drop-down list to upload logs on a daily basis. The collector archives all logs that are uploaded. During the upload, if the connection with the analyzer fails, the collector keeps trying to reconnect until the connection is restored.
Enable Real-time Forwarding: Select to upload logs in real time. Logs of the selected minimum level, and logs of levels more serious than the selected level, are uploaded as they arrive.
Minimum Log Level: Select the minimum log level to be uploaded in real time.
10. Select OK.
11. On the second collector unit, repeat steps 6 to 10.
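To make the Minimum Log Level rule concrete, here is an added Python example (not code from the guide or from the product) that splits constructed key=value log lines into those a collector would forward in real time and those left for the daily upload. The severity ordering, the sample records and the function names are the example's own assumptions; the guide does not list FortiAnalyzer's level names.

```python
import re

# Severity ordering assumed by this example (syslog-style, most serious first).
# The guide does not list the level names, so treat this list as an assumption.
LEVELS = ["emergency", "alert", "critical", "error", "warning", "notice", "information", "debug"]
RANK = {name: rank for rank, name in enumerate(LEVELS)}

# Constructed sample records in key=value form; they are not real FortiGate output.
SAMPLE_LOGS = [
    'date=2012-11-20 time=08:00:01 type=traffic level=notice msg="traffic allowed"',
    'date=2012-11-20 time=08:00:02 type=event level=warning msg="admin login failed"',
    'date=2012-11-20 time=08:00:03 type=attack level=critical msg="signature matched"',
    'date=2012-11-20 time=08:00:04 type=event level=information msg="config changed"',
    'date=2012-11-20 time=08:00:05 type=event level=bogus msg="unknown level name"',
]

# key=value, where the value is either double-quoted (may contain spaces) or bare.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict:
    """Split one key=value line into a dict; quoted values keep their spaces."""
    return {key: bare if bare else quoted for key, quoted, bare in FIELD.findall(line)}


def should_forward(level: str, minimum: str) -> bool:
    """True if level is at least as serious as minimum. A level name this code does
    not know is forwarded rather than silently dropped, so a renamed or new level
    can never hide events from the analyzer."""
    if minimum not in RANK:
        raise ValueError("unknown minimum level: " + minimum)
    return level not in RANK or RANK[level] <= RANK[minimum]


def split_for_forwarding(lines, minimum: str):
    """Return (realtime, deferred) message lists for a collector whose Minimum Log
    Level is `minimum`; deferred records wait for the scheduled daily upload."""
    realtime, deferred = [], []
    for line in lines:
        record = parse_record(line)
        target = realtime if should_forward(record.get("level", ""), minimum) else deferred
        target.append(record["msg"])
    return realtime, deferred


if __name__ == "__main__":
    now, later = split_for_forwarding(SAMPLE_LOGS, "warning")
    print("forwarded in real time:", now)
    print("held for daily upload: ", later)
```

With the minimum set to warning, the notice and information records wait for the daily upload while warning and critical go immediately; the record with an unrecognised level is forwarded on purpose, because dropping it would be the failure mode an attacker prefers.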

Log storage
The FortiAnalyzer unit supports Structured Query Language (SQL) logging and reporting. The log data is inserted into the SQL database for generating reports. Both local and remote SQL database options are supported. For more information, see Reports on page 116.


Workflow
Once you have successfully deployed the FortiAnalyzer platform in your network, using and maintaining your FortiAnalyzer unit involves the following:
Configuration of optional features, and re-configuration of required features if required by changes to your network
Backups
Updates
Monitoring reports, logs, and alerts
Figure 5 illustrates the process of data logging, data analyzing, and report generation by the FortiAnalyzer unit in standalone or analyzer mode.

Figure 5: Logging, analyzing, and reporting workflow


Web-based Manager
This section describes general information about using the Web-based Manager to access the FortiAnalyzer system with a web browser. This section includes the following topics:
System requirements
Connecting to the Web-based Manager
Web-based Manager overview
Web-based Manager configuration
Reboot and shutdown the FortiAnalyzer unit

Additional configuration options and short-cuts are sometimes available through right-click menus. Right-clicking the mouse in various location in the interface accesses these options.

System requirements
Web browser
The FortiAnalyzer Web-based Manager supports the following web browsers:
Microsoft Internet Explorer 9.0
Mozilla Firefox 13.0 and 14.0

Resolution
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all the objects in the Web-based Manager to be properly viewed.

Connecting to the Web-based Manager


The FortiAnalyzer unit can be configured and managed using the Web-based Manager or the Command Line Interface (CLI). This section steps you through connecting to the unit via the Web-based Manager. For more information on connecting your specific FortiAnalyzer unit, read that device's QuickStart guide.


To connect to the Web-based Manager:
1. Connect the unit to a management computer using an Ethernet cable.
2. Configure the management computer to be on the same subnet as the internal interface of the FortiAnalyzer unit:
a. Browse to Network and Sharing Center > Change Adapter Settings > Local Area Connection Properties > Internet Protocol Version 4 (TCP/IPv4) Properties.
b. Change the IP address of the management computer to 192.168.1.2 and the netmask to 255.255.255.0.
3. On the management computer, start a supported web browser and browse to https://192.168.1.99 (remember to include the s in https://).
4. Type admin in the Name field, leave the Password field blank, and select Login.
You should now be able to use the FortiAnalyzer Web-based Manager. Because the default admin account has no password, set one before the unit is reachable from the rest of the network; see Admin on page 67.

If the network interfaces have been configured differently during installation, the URL and/or permitted administrative access protocols (such as HTTPS) may no longer be in their default state.

For information on enabling administrative access protocols and configuring IP addresses, see Configuring network interfaces on page 61.

If the URL is correct and you still cannot access the Web-based Manager, you may also need to configure static routes. For details, see Configuring static routes on page 61.

Web-based Manager overview


The FortiAnalyzer Web-based Manager consists of four primary parts: the tab bar, the main menu bar, the tree menu, and the content pane. The content pane includes a tool bar and, on some tabs, is horizontally split into two sections. The main menu bar is only visible on certain tabs when ADOMs are disabled (see System Information widget on page 40). You can use the Web-based Manager menus, lists, and configuration pages to configure most FortiAnalyzer settings. Configuration changes made using the Web-based Manager take effect immediately without resetting the FortiAnalyzer system or interrupting service. The Web-based Manager also includes online help, accessed by selecting the help icon on the right side of the tab bar.


Tab bar
The Web-based Manager tab bar contains the device type, the available tabs, the Help button, and the Log Out button.

Figure 6: The tab bar

Device Manager tab: Manage groups, devices, and VDOMs, and view real-time monitor data. For more information, see Device Manager on page 24.
RTM Profiles tab: Configure and manage real-time monitor profiles. For more information, see RTM Profiles on page 96.
Log View tab: View and download logs for connected devices. For more information, see Log View on page 106.
Reports tab: Configure report templates, schedules, and output profiles, and manage charts and datasets. For more information, see Reports on page 116.
System Settings tab: Configure system settings such as network interfaces, administrators, system time, server settings, and others. You can also perform maintenance and firmware operations. For more information, see System Settings on page 36.
Help button: Open the FortiAnalyzer online help.
Log Out button: Log out of the Web-based Manager.

Main menu bar


The main menu bar is only available in the device manager tab, when ADOMs are disabled.

Figure 7: Main menu bar

Add Device: Add a device using the Add Device wizard. For more information, see Devices and VDOMs on page 29.
Add Group: Add a device group. For more information, see Groups on page 27.

Tree menu
The Web-based Manager tree menu content varies depending on which tab is selected and how your FortiAnalyzer unit is configured. If ADOMs are enabled, the contents of the tree menu on all tabs except the System Settings tab, will be organized by ADOM. Some elements in the tree menu can be right-clicked to access different configuration options.


Content pane
The content pane information changes depending on which tab is being viewed, and what element is selected in the tree menu. The content pane of the device manager and log view tabs is split horizontally into two frames.

Web-based Manager configuration


Global settings for the Web-based Manager apply regardless of which administrator account you use to log in. Global settings include the idle timeout, the TCP port number on which the Web-based Manager listens for connection attempts, the network interface(s) on which it listens, and the language of its display. This section includes the following topics:
Language
Administrative access
Restricting access by trusted hosts
Idle timeout

Language
The Web-based Manager supports multiple languages; the default language is English. You can change the Web-based Manager display language to English, Simplified Chinese, Traditional Chinese, Japanese, or Korean. For best results, select the language that the management computer operating system uses. You can also set the interface to automatically detect the system language.
To change the Web-based Manager language:
1. Go to System Settings > Admin > Admin Settings.
2. In the Language field, select a language from the drop-down list, or select Auto Detect to use the same language as configured for your web browser.
3. Select OK.

Figure 8: Administration settings


Administrative access
Administrative access enables an administrator to connect to the system to view and change configuration settings. The default configuration of your system allows administrative access to one or more of the interfaces of the unit as described in the QuickStart and installation guides for your device. Administrative access can be configured in IPv4 or IPv6 and includes settings for: HTTPS, HTTP, PING, SSH, TELNET, SNMP, Web Service, and Aggregator. HTTP and TELNET carry administrator credentials in cleartext; enable them only where HTTPS and SSH cannot be used.
To change administrative access:
1. Go to System Settings > General > Network. By default, port1 settings are presented. To configure administrative access for a different interface, select All Interfaces, and then select the interface from the list.
2. Set the IPv4 IP/Netmask or the IPv6 Address, select one or more Administrative Access types for the interface, and set the default gateway and DNS servers.
3. Select OK to finish changing the access.
For more information, see Network on page 59.

Restricting access by trusted hosts


To prevent unauthorized access to the Web-based Manager you can configure administrator accounts with trusted hosts. With trusted hosts configured, the admin user can only log in to the Web-based Manager when working on a computer with the trusted host as defined in the admin account. For more information, see Administrator on page 68.
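The two settings described above, the protocols enabled under Administrative Access and the trusted hosts on an administrator account, are what a reviewer checks first on a unit. The following Python is an added example, not FortiAnalyzer code or an exported configuration: it audits a constructed weak configuration beside a hardened one and shows how a trusted-host check decides whether a client address may log in. The configuration layout, the CIDR notation for trusted hosts (the Web-based Manager uses IP/netmask fields) and the function names are assumptions of the example.

```python
import ipaddress

# Administrative Access protocols that carry credentials in cleartext.
CLEARTEXT = {"HTTP", "TELNET"}

# Two constructed configurations for the audit; neither is exported from a real unit.
WEAK = {
    "interfaces": {"port1": ["HTTPS", "HTTP", "PING", "SSH", "TELNET"]},
    "admins": {"admin": ["0.0.0.0/0"]},          # "any host" is the default to avoid
}
HARDENED = {
    "interfaces": {"port1": ["HTTPS", "PING", "SSH"]},
    "admins": {"admin": ["10.10.0.0/24", "2001:db8:10::/64"]},  # management subnets only
}


def is_trusted(client_ip: str, trusted_hosts) -> bool:
    """True if client_ip falls inside any configured trusted host range.
    ipaddress treats an IPv4 address as outside every IPv6 network and vice versa."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(host, strict=False) for host in trusted_hosts)


def audit(config) -> list:
    """Return human-readable findings for the weak settings discussed in the text."""
    findings = []
    for iface, protocols in config["interfaces"].items():
        for proto in protocols:
            if proto.upper() in CLEARTEXT:
                findings.append(f"{iface}: {proto} enabled; it sends admin credentials in cleartext, use HTTPS/SSH instead")
    for admin, hosts in config["admins"].items():
        if not hosts:
            findings.append(f"{admin}: no trusted hosts, so any source address may attempt to log in")
        for host in hosts:
            if ipaddress.ip_network(host, strict=False).prefixlen == 0:
                findings.append(f"{admin}: trusted host {host} matches every source address")
    return findings


if __name__ == "__main__":
    for label, config in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "->", audit(config) or ["no findings"])
    print("192.168.1.2 trusted under hardened config:",
          is_trusted("192.168.1.2", HARDENED["admins"]["admin"]))
```

Trusted hosts are evaluated per account, so an administrator who logs in from a new network sees a refused login rather than a vague error; keep a second administrator with a different trusted range, or console access, before narrowing the ranges on the only account.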

Idle timeout
By default, the Web-based Manager disconnects administrative sessions if no activity takes place for fifteen minutes. This idle timeout is recommended to prevent someone from using the Web-based Manager from a PC that is logged in and then left unattended.
To change the Web-based Manager idle timeout:
1. Go to System Settings > Admin > Admin Settings.
2. Change the Idle Timeout minutes as required.
3. Select OK.
For more information, see Administrator settings on page 80.


Reboot and shutdown the FortiAnalyzer unit


Always reboot and shut down the FortiAnalyzer system using the unit operation options in the Web-based Manager or the CLI commands, to avoid potential configuration problems.

Figure 9: Unit operation actions in the Web-based Manager

To reboot the FortiAnalyzer unit:
1. From the Web-based Manager, go to System Settings > General > Dashboard.
2. In the Unit Operation widget, select Reboot or, in the CLI Console widget, enter: execute reboot
To shut down the FortiAnalyzer unit:
1. From the Web-based Manager, go to System Settings > General > Dashboard.
2. In the Unit Operation widget, select Shutdown or, in the CLI Console widget, enter: execute shutdown


Device Manager
The device manager tab allows you to add and edit devices, groups, and VDOMs, and view real-time monitor data for those devices. It also allows you to create, edit, and delete ADOMs, when they are enabled (see System Information widget on page 40).

Figure 10: Device manager tab

The tree menu, on the left side of the interface, shows the ADOMs and the device groups within those ADOMs. If ADOMs are disabled, the tree menu simply shows the device groups. When a device group is selected, the devices and VDOMs within that group are listed in the top half of the content pane on the right of the interface. The device and VDOM list can be searched using the search box in the content pane tool bar. The columns shown in the list can be changed, and the list can be sorted by selecting a column header.
To change the column settings:
1. Right-click anywhere in the content pane to open the right-click menu.
2. Select Column Settings. Columns currently included in the content pane table have a green check mark next to them.


Figure 11: Device list right-click menu

3. Select a column from the list to add or remove that column from the table.

ADOMs
When ADOMs are enabled, the device manager tab has collapsible ADOM navigation, where all of the ADOMs are displayed on the tree menu on the left of the interface. The devices within each ADOM are shown in the configured device groups, or in the default All FortiGate group if no other groups have been created. When ADOMs are disabled, the tree menu simply displays the device groups. The number of devices within each group is shown in parentheses next to the group name.
To add an ADOM:
1. In the device manager tab, right-click on an ADOM name.
2. In the right-click menu, under the ADOM heading, select Create New. The Create ADOM dialog box opens.

Figure 12: Create an ADOM


3. Enter the following information:
Name: Enter a name that will allow you to distinguish this ADOM from your other ADOMs.
Version: Select the version of the devices that will be in the ADOM.
Search: Enter a search term to find a specific device (optional).
Devices: Select members from the available member list on the left and transfer them to the Selected member list on the right to assign the devices to the ADOM.

4. Select OK to create the ADOM.
To edit an ADOM:
1. In the device manager tab, right-click on the ADOM you need to edit.
2. In the right-click menu, under the ADOM heading, select Edit. The Edit ADOM dialog box opens.

Figure 13: Edit an ADOM

3. Edit the following information as required:
Search: Enter a search term to find a specific device (optional).
Devices: Select members from the available member list on the left and transfer them to the Selected member list on the right to assign the devices to the ADOM.
Status: Enable or disable the ADOM.


4. Select OK to finish editing the ADOM.
To delete an ADOM:
1. In the device manager tab, right-click on the ADOM you need to delete.
2. In the right-click menu, under the ADOM heading, select Delete.

The root ADOM cannot be deleted.

3. In the confirmation dialog box, select OK to delete the ADOM.

Devices and groups


Devices are organized by device type and, if you have created groups and added devices to them, by group. When a group is selected, the devices in that group are listed in the content pane on the right of the device manager tab. Groups can be created, deleted, and edited, allowing devices and VDOMs to be added to them as needed. VDOMs and model devices can be created and deleted, and added to groups to help organize the devices and VDOMs and to simplify the process of updating their firmware.

Groups
Groups are used to organize devices and VDOMs and to update the firmware on the devices within the group. Groups can also contain other groups.
To create a new group:
1. In the device manager tab, right-click on an element in the tree menu.
2. In the right-click menu, under the Device Group heading, select Create New. The Add Device Group dialog box opens.


Figure 14: Add a device group

3. Enter the following information:
Group Name: Enter a name for the group.
Description: Enter a description of the group (optional).
OS Type: Select the device type from the drop-down list.
Search: Enter a search term to find a specific device (optional).
Devices and groups: Select members from the available member list on the left and transfer them to the Selected member list on the right to add the devices to the group.
Select All: Use this button to select all the devices and groups in the device list.
Deselect All: Use this button to deselect all the devices and groups in the device list.
Show All Devices/Groups: Select to show all devices and groups.

4. Select OK to create the group.
To edit a group:
1. In the device manager tab, right-click on the group you need to edit in the tree menu.
2. In the right-click menu, under the Device Group heading, select Edit. The Edit Device Group dialog box opens.

3. Change the group information and the devices, groups, and VDOMs that are in the group as needed, and then select OK to finish editing the group.
To delete a group:
1. In the device manager tab, right-click on the group you need to delete in the tree menu.
2. In the right-click menu, under the Device Group heading, select Delete.
3. Select OK in the confirmation window to delete the group.
To update device firmware:
1. In the device manager tab, in the tree menu, right-click on the group containing the device whose firmware will be updated.
2. In the right-click menu, under the Device Group heading, select Firmware Update. This option is only available on user created groups.
3. The Group Firmware Information dialog box opens in the content pane, showing the available firmware upgrades and the upgrade history.

Devices and VDOMs


Device models and VDOMs can be added and deleted, and devices can be edited. The Add Device wizard is used to add model devices.
To add a VDOM:
1. Right-click within the device list in the content pane.
2. In the right-click menu, select Add VDOM.
3. Fill out the required information and select OK to create the VDOM.

To add a model device: 1. Right-click on a group in the tree menu or in the content pane and, from the right-click menu, select Add Device. The Add Device wizard opens.


Figure 15: Add device wizard login screen

2. Enter the device IP address, name, and password in the requisite fields.
3. Select Next to continue to the next wizard page: Add Device.

Figure 16: Add device wizard add device screen

4. Enter the following information:
Name: Enter a name for the device.
Description: Enter a description for the device (optional).


Device Type: Select the device type on the drop-down list.
Device Model: Select the device model on the drop-down list.
Firmware Version: Select the firmware version and major release on the drop-down list.
Serial Number: Enter the device serial number. This value must match the device model selected.
Enable Interface Mode: Select to enable interface mode. If the device does not support interface mode, this option is not available.
Hard Disk Installed: This option is available when the device model has a hard disk.
Disk Log Quota: Enter the disk log quota in MB.
When Allocated Disk Space is Full: Select to overwrite the oldest logs or to stop logging when the allocated disk space is full.
Device Permissions: Select the device permissions from: Logs, DLP Archive, Quarantine, and IPS Packet Log.
Add to Groups: Select to add the device to any predefined groups.
Other Device Information: Enter other device information (optional), including: Company/Organization, Contact, City, Province/State, and Country.

5. Select Next to proceed to the next add device page.

Figure 17: Add device wizard add device screen two

6. After the device has been created successfully, select Next to proceed to the summary page.


Figure 18: Add device wizard summary screen

7. Select Finish to add the device model.
To edit a device:
1. In the device manager tab, in the tree menu, select the group that contains the device you need to edit.
2. In the content pane, right-click on the device and select Edit from the right-click menu. The Edit Device dialog box opens.


Figure 19: Edit a device

3. Edit the following information as needed:
Name: The name of the device.
Description: Descriptive information about the device.
Company/Organization: Company or organization information.
Country: Enter the country.
Province/State: Enter the province or state.
City: Enter the city.
Contact: Enter the contact name.
IP Address: The IP address of the device.
Admin User: The administrator username.
Password: The administrator password.


Device Information: Information about the device, including serial number, device model, firmware version, connected interface, HA mode, cluster name, and cluster members.
Disk Log Quota: The amount of space that the disk log is allowed to use, in MB.
When Allocated Disk Space is Full: The action for the system to take when the disk log quota is filled, either Overwrite Oldest Logs or Stop Logging.
Secure Connection: Select the check box to enable this feature. Secure Connection secures OFTP traffic through an IPsec tunnel.
ID: The device serial number.
Pre-Shared Key: The pre-shared key for the IPsec connection between the FortiGate and FortiAnalyzer.
Device Permissions: The device's permissions. Select any of: Logs, DLP Archive, Quarantine, and IPS Packet Log.

4. Select OK to finish editing the device.
To delete a device or VDOM:
1. In the device manager tab, in the tree menu, select the group that contains the device or VDOM you need to delete.
2. In the content pane, right-click on the device or VDOM and select Delete in the right-click menu.
3. Select OK in the confirmation window to delete the device or VDOM.
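The When Allocated Disk Space is Full setting, offered in the Add Device wizard and again in the Edit Device dialog above, decides which logs are lost once a device's disk log quota is reached. The following Python simulation is an added example, not product code: it runs the same constructed records through both policies so the trade-off is visible. The byte counts, the class and function names and the record format are the example's own (the unit itself expresses the quota in MB).

```python
from collections import deque


class DiskLogQuota:
    """Model a device's disk log quota under the two policies the dialog offers:
    "overwrite" discards the oldest stored logs to make room, "stop" refuses new
    logs. Sizes are in bytes here purely for the example."""

    def __init__(self, quota_bytes: int, policy: str):
        if policy not in ("overwrite", "stop"):
            raise ValueError("policy must be 'overwrite' or 'stop'")
        self.quota = quota_bytes
        self.policy = policy
        self.records = deque()
        self.used = 0
        self.overwritten = 0   # old records lost under "overwrite"
        self.refused = 0       # new records lost under "stop"

    def write(self, record: bytes) -> bool:
        """Store record; return False if the policy refused it."""
        size = len(record)
        if size > self.quota:
            raise ValueError("record larger than the whole quota")
        if self.used + size > self.quota:
            if self.policy == "stop":
                self.refused += 1
                return False
            # "overwrite": evict from the oldest end until the new record fits.
            while self.used + size > self.quota:
                oldest = self.records.popleft()
                self.used -= len(oldest)
                self.overwritten += 1
        self.records.append(record)
        self.used += size
        return True


def simulate(policy: str, quota_bytes: int, records) -> dict:
    """Feed records through a quota and report what survived and what was lost."""
    store = DiskLogQuota(quota_bytes, policy)
    for rec in records:
        store.write(rec)
    return {
        "kept": [r.decode() for r in store.records],
        "overwritten": store.overwritten,
        "refused": store.refused,
    }


# Constructed input: five 30-byte records against a 100-byte quota, so only three fit.
SAMPLE = [f"event{i} ".ljust(30, ".").encode() for i in range(1, 6)]


if __name__ == "__main__":
    for policy in ("overwrite", "stop"):
        print(policy, "->", simulate(policy, 100, SAMPLE))
```

Overwrite Oldest Logs loses the oldest evidence; Stop Logging loses the newest events, which are usually the ones an investigation needs and the ones an attacker can generate at will once the quota is full. Either way, size the quota from observed daily volume and alert on it well before either branch is reached.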

Real-time monitor
When a device is selected in the upper content pane, real-time monitor data for that device, based on the RTM profile to which that device is assigned, is displayed in the lower content pane. For more information on RTM profiles, see RTM Profiles on page 96.

Figure 20: Real time monitor pane


To change the dashboard that is shown, select Real-time Monitor in the tool bar, and then select the desired dashboard from the drop-down list. To refresh the data displayed in any of the available charts, select the refresh button on the chart (Figure 21).

Figure 21: Refresh a chart

To change the charts that are displayed in the pane, the RTM profile must be changed. See RTM Profiles on page 96 for more information on configuring RTM profiles.


System Settings
The System Settings module enables you to manage and configure the basic system options for the FortiAnalyzer unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access privileges, and managing and updating firmware for the device.

Additional configuration options and short-cuts are available using the right-click menu. Right-click the mouse on different navigation panes on the Web-based Manager page to access these options.

The System Settings tab provides access to the following menus and sub-menus:
General: Select this menu to configure, monitor, and troubleshoot the main system information. Sub-menus: Dashboard, All ADOMs, Network, Certificates, Log Access, Diagnostic tools.
Admin: Select this menu to configure administrator user accounts, as well as configure global administrative settings for the FortiAnalyzer unit. Sub-menus: Monitoring administrator sessions, Administrator, Profile, Remote authentication server, RADIUS server, LDAP server, TACACS+ server, Administrator settings.
Advanced: Select to configure mail server settings, remote output, SNMP, metafield data and other advanced settings. Sub-menus: SNMP v1/v2c, Advanced settings, Alerts, Alerts event, Mail server, Syslog Server, Alert Console, Device Log, Log Setting, Log Access, Task Monitor.

Dashboard
When you select the System Settings tab, it automatically opens at the System Settings > General > Dashboard page; see Figure 22. The Dashboard page displays widgets that provide performance and status information and enable you to configure basic system settings. The dashboard also contains a CLI widget that enables you to use the command line through the Web-based Manager. These widgets appear on a single dashboard.


Figure 22: FortiAnalyzer system dashboard

The following widgets are available:
System Information: Displays basic information about the FortiAnalyzer system, such as up time and firmware version. For more information, see General settings on page 56. From this widget you can also manually update the FortiAnalyzer firmware to a different release. For more information, see System Information widget on page 40.
License Information: Displays the devices being managed by the FortiAnalyzer unit and the maximum numbers of devices allowed. For more information, see License Information widget on page 49.
Unit Operation: Displays status and connection information for the ports of the FortiAnalyzer unit. It also enables you to shut down and restart the FortiAnalyzer unit or reformat a hard disk. For more information, see Unit Operation widget on page 50.
System Resources: Displays the real-time and historical usage status of the CPU, memory and hard disk. For more information, see System Resource widget on page 48.
Alert Message Console: Displays log-based alert messages for both the Fortinet unit itself and connected devices. For more information, see Alert Messages Console widget on page 50.
CLI Console: Opens a terminal window that enables you to configure the FortiAnalyzer unit using CLI commands directly from the Web-based Manager. This widget is hidden by default. For more information, see CLI Console widget on page 51.
RAID Monitor: Displays information about the status of RAID disks as well as what RAID level has been selected. It also displays how much disk space is currently consumed. For more information, see RAID Monitor widget on page 52.

Customizing the dashboard


The FortiAnalyzer system dashboard is customizable. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized.

To move a widget
Position your mouse cursor on the widgets title bar, then click and drag the widget to its new location.

To add a widget
In the dashboard tool bar, select Add Widget, then select the names of widgets that you want to show. To hide a widget, in its title bar, select the Close icon.

Figure 23: Adding a widget

Multiple System Resources widgets can be added to the dashboard. Only one of all of the other widgets may be added.

To reset the dashboard


In the dashboard tool bar, select Dashboard > Reset Dashboard. The dashboard will be reset to the default view, which includes the System Information, License Information, Unit Operation, System Resources, and Alert Message Console widgets.

To see the available options for a widget


Position your mouse cursor over the icons in the widgets title bar. Options vary slightly from widget to widget, but always include options to close or show/hide the widget.


Figure 24: A minimized widget

Show/Hide arrow: Display or minimize the widget.
Widget Title: The name of the widget.
More Alerts: Show the Alert Messages dialog box. This option appears only on the Alert Message Console widget.
Edit: Select to change settings for the widget. This option appears only on certain widgets.
Detach: Detach the CLI Console widget from the dashboard and open it in a separate window. This option appears only on the CLI Console widget.
RAID Settings: Show the RAID Settings dialog box, which displays the current RAID settings and allows for configuration of the RAID level if available. This option appears only on the RAID Monitor widget.
Refresh: Select to update the displayed information.
Close: Select to remove the widget from the dashboard. You will be prompted to confirm the action. To add the widget again, select Add Widget in the toolbar and then select the name of the widget you want to show.

System Information widget

The system dashboard includes a System Information widget, shown in Figure 25, which displays the current status of the FortiAnalyzer unit and enables you to configure basic system settings.

Figure 25: System Information widget


The following information is available on this widget:

Host Name: The identifying name assigned to this FortiAnalyzer unit. For more information, see Changing the host name on page 41.
Serial Number: The serial number of the FortiAnalyzer unit. The serial number is unique to the FortiAnalyzer unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
Platform Type: Displays the FortiAnalyzer platform type, for example FMG-VM (virtual machine).
System Time: The current time on the FortiAnalyzer internal clock. For more information, see Configuring the system time on page 42.
Firmware Version: The version number and build number of the firmware installed on the FortiAnalyzer unit. To update the firmware, you must download the latest version from the Customer Service & Support web site at https://support.fortinet.com. Select Update and select the firmware image to load from the local hard disk or network volume. For more information, see Updating the system firmware on page 44.
System Configuration: The date of the last system configuration backup. The following actions are available: Select Backup to back up the system configuration to a file; see Backing up the system on page 45. Select Restore to restore the configuration from a backup file; see Restoring the configuration on page 46.
Current Administrators: The number of administrators that are currently logged in. The following actions are available: Select Change Password to change your own password. Select Details to view the session details for all currently logged in administrators. See Monitoring administrator sessions on page 67 for more information.
Up Time: The duration of time the FortiAnalyzer unit has been running since it was last started or restarted.
Administrative Domain: Displays whether ADOMs are enabled, and allows for enabling and disabling ADOMs.
Operation Mode: Display and change the current operating mode.

Changing the host name

The host name of the Fortinet unit is used in several places. It appears in the System Information widget on the Dashboard. For more information about the System Information widget, see System Information widget on page 40. It is used in the command prompt of the CLI. It is used as the SNMP system name. For information about SNMP, see SNMP v1/v2c on page 82.

The System Information widget and the get system status CLI command will display the full host name. However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For example, if the host name is Fortinet1234567890, the CLI prompt would be Fortinet123456~#.

To change the host name
1. Go to System Settings > General > Dashboard.
2. In the System Information widget, next to the Host Name field, select Change. The Change Host Name dialog box appears; see Figure 26.

Figure 26: Edit Host Name dialog box

3. In the Host Name field, type a new host name. The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.
4. Select OK.
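The host-name rules above (35-character limit, US-ASCII letters, digits, hyphens and underscores) and the 16-character truncation rule matter when naming a fleet: a truncated CLI prompt or SNMP system name that is identical for two units is a real operational hazard. The following Python is an added example written for this guide, not FortiAnalyzer code; it assumes, from the guide's single example (Fortinet1234567890 shows as Fortinet123456~), that the truncated form keeps the first 14 characters, and the sample names are constructed.

```python
import re

# Rules stated in the guide: up to 35 characters; US-ASCII letters, digits,
# hyphens and underscores only; no spaces or other special characters.
HOSTNAME_MAX_LEN = 35
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9_-]")

# Truncation rule stated in the guide: a name longer than 16 characters is
# shown shortened and ending in "~". The guide's example maps
# Fortinet1234567890 to Fortinet123456~, so we keep the first 14 characters
# (assumption derived from that one example).
DISPLAY_FULL_MAX = 16
DISPLAY_KEEP = 14


def validate_hostname(name):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    if not name:
        return ["host name is empty"]
    problems = []
    if len(name) > HOSTNAME_MAX_LEN:
        problems.append("length %d exceeds the %d character limit"
                        % (len(name), HOSTNAME_MAX_LEN))
    # Any character outside the allowed class is rejected, including spaces,
    # punctuation and non-ASCII letters.
    bad = sorted({c for c in name if not ALLOWED_CHAR.fullmatch(c)})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def displayed_hostname(name):
    """Host name as the CLI prompt and other truncating views show it."""
    if len(name) > DISPLAY_FULL_MAX:
        return name[:DISPLAY_KEEP] + "~"
    return name


def display_collisions(names):
    """Group host names that become indistinguishable once truncated.

    An operator reading a truncated prompt must still be able to tell which
    unit they are logged in to, so put the distinguishing part of the name
    inside the first 14 characters.
    """
    groups = {}
    for n in names:
        groups.setdefault(displayed_hostname(n), []).append(n)
    return {shown: full for shown, full in groups.items() if len(full) > 1}


if __name__ == "__main__":
    # Constructed sample names (not from the guide).
    fleet = ["Fortinet1234567890", "FAZ-collector-01", "FAZ-collector-site-a",
             "FAZ-collector-site-b", "faz analyzer!"]
    for n in fleet:
        print("%-22s -> %-16s %s" % (n, displayed_hostname(n),
                                     validate_hostname(n) or "ok"))
    print("ambiguous after truncation:", display_collisions(fleet))
```

In the constructed sample, FAZ-collector-site-a and FAZ-collector-site-b both display as FAZ-collector-~, which is exactly the ambiguity the collision check is meant to surface before the names are applied.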

Configuring the system time


You can either manually set the Fortinet system time or configure the Fortinet unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.

For many features to work, including scheduling, logging, and SSL-dependent features, the Fortinet system time must be accurate.

To configure the date and time
1. Go to System Settings > General > Dashboard.
2. In the System Information widget, in the System Time field, select Change. The Change System Time Settings dialog box appears; see Figure 27.


Figure 27: Time Settings dialog box

3. Configure the following settings to either manually configure the system time, or to automatically synchronize the Fortinet unit's clock with an NTP server:

System Time: The date and time according to the Fortinet unit's clock at the time that this tab was loaded, or when you last selected the Refresh button.
Time Zone: Select the time zone in which the Fortinet unit is located and whether or not the system automatically adjusts for daylight savings time.
Set Time: Select this option to manually set the date and time of the Fortinet unit's clock, then select the Hour, Minute, Second, Year, Month, and Day fields before you select OK.
Synchronize with NTP Server: Select this option to automatically synchronize the date and time of the Fortinet unit's clock with an NTP server, then configure the Sync Interval and Server fields before you select OK.
Sync Interval: Enter how often in minutes the Fortinet unit should synchronize its time with the NTP server. For example, entering 1440 causes the Fortinet unit to synchronize its time once a day.
Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org.

4. Select OK to apply your changes.


Updating the system firmware


To take advantage of the latest features and fixes, Fortinet provides two ways to upgrade its firmware: manually or through the FDN.

Back up the configuration and database before changing the firmware of your Fortinet unit. Changing the firmware to an older or incompatible version may reset the configuration and database to the default values for that firmware version, resulting in data loss. For information on backing up the configuration, see Backing up the system on page 45.

Before you can download firmware updates for your Fortinet unit, you must first register your Fortinet unit with Customer Service & Support. For details, go to https://support.fortinet.com/ or contact Customer Service & Support.

To manually update the Fortinet firmware
1. Download the firmware (the .out file) from the Customer Service & Support web site, https://support.fortinet.com/.
2. Go to System Settings > General > Dashboard.
3. In the System Information widget, in the Firmware Version field, select Update. The Firmware Upgrade window opens.
4. Select Browse to locate the firmware package (.out file) that you downloaded from the Customer Service & Support web site, and select Open.
5. Select OK to upload the file. Your browser uploads the firmware file. The time required varies by the size of the file and the speed of your network connection. When the file transfer is complete, a prompt appears: Manual upload release complete. It will take a few minutes to unpack the uploaded release. Please wait.
6. Wait until the unpacking process completes, then refresh the page. The firmware package file name will appear in the Releases Available For Upgrade section after you refresh the page.
7. Select the firmware package, then select the icon in the Upgrade Firmware column and select OK in the dialog box that appears. The Fortinet unit installs the firmware and restarts. If you changed the firmware to an earlier version whose configuration is not compatible, you may need to do first-time setup again. For instructions, see the QuickStart guide for your unit.

Installing firmware replaces the current network vulnerability management engine with the version included with the firmware release that you are installing. After you install the new firmware, make sure that your vulnerability definitions are up-to-date.

To change the FortiAnalyzer system firmware through FDN
1. The FortiAnalyzer system can automatically download firmware updates from FDN, if you have a valid support license. To access these updates, go to System > Dashboard > Status.
2. In the System Information widget, in the Firmware Version row, select Update. The Firmware Upgrade dialog box appears. When new versions of firmware are available on FDN, new entries are shown in the From Server drop-down list.


3. Select the Download icon to start downloading the new upgrade firmware. The time required varies by the size of the file and the speed of your network connection.
4. Wait until the unpacking process completes, then refresh the page. The new firmware package will appear in the Releases Available For Upgrade section after you refresh the page.
5. Select the firmware package, then select the icon in the Upgrade Firmware column and select OK in the dialog box that appears. The Fortinet unit installs the firmware and restarts.

Upgrading firmware through FDN requires proper setup.

FortiAnalyzer does not support downgrading firmware to an older version.

Backing up the system


Fortinet recommends that you back up your FortiAnalyzer configuration to your management PC or central management server on a regular basis to ensure that, should the system fail, you can quickly get the system back to its original state with minimal effect on the network. You should also perform a backup after making any changes to the FortiAnalyzer configuration or settings that affect the managed devices.

You can perform backups manually or at scheduled intervals. You can also create backups, called checkpoints, that define a point where the FortiAnalyzer and network management is stable and functioning. Should any future configurations cause issues, you have a point where the system is stable.

Fortinet recommends backing up all configuration settings from your FortiAnalyzer unit before upgrading the FortiAnalyzer firmware. The following procedures enable you to back up your current configuration through the Web-based Manager.

To back up the FortiAnalyzer configuration
1. Go to System Settings > General > Dashboard.
2. In the System Information widget, under System Configuration, select Backup. The Backup dialog box appears; see Figure 28.


Figure 28: Backup dialog box

3. Configure the following settings:

Encryption: Select to encrypt the backup file with a password. The password is required to restore the configuration. The check box is selected by default.
Password: (Optional) Select a password. This password is used to encrypt the backup file, and is required to restore the file. (This option is available only when the encryption check box is selected.)
Confirm Password: Re-enter the password to confirm it.

4. If you want to encrypt the backup file, select the Encryption check box, then enter and confirm the password you want to use.
5. Select OK and save the backup file on your management computer.

Restoring the configuration


You can use the following procedure to restore your FortiAnalyzer configuration from a backup file on your management computer.

To restore the FortiAnalyzer configuration:
1. Go to System Settings > General > Dashboard.
2. In the System Information widget, under System Configuration, select Restore. The Restore dialog box appears; see Figure 29.

Figure 29: All Settings Configuration Restore dialog box


3. Configure the following settings and select OK.

From Local: Select Browse to find the configuration backup file you want to restore.
Password: Enter the encryption password, if applicable.
Overwrite current IP, routing: Select the check box to overwrite the current IP, routing settings.

Changing the operation mode


The FortiAnalyzer unit has three operation modes: standalone, analyzer, and collector. For more information, see Operation modes on page 12.

To change the operation mode:
1. On the FortiAnalyzer unit, go to System > Dashboard > Status.
2. In the System Information widget, in the Operation Mode field, select Change. The Change Operation Mode dialog box opens.

Figure 30: Change operation mode

3. Select the required operation mode for the unit and, if necessary, enter any required information for the selected mode. See Operation modes on page 12 for more information.
4. Select OK to change the operation mode.


System Resource widget


The System Resources widget on the dashboard displays the usage status of the CPU, memory and hard disk. You can view system resource information in both real-time and historical format.

Figure 31: System Resource widget (Real Time display)

Figure 32: System Resource widget (Historical display)

CPU Usage: The current CPU utilization. The Web-based Manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the Web-based Manager) is excluded.
Memory Usage: The current memory utilization. The Web-based Manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the Web-based Manager) is excluded.
Hard Disk Usage: The current hard disk usage, shown on a pie chart as a percentage of total hard disk space. This item does not appear when viewing historical system resources.
Network Utilization: The network utilization over the specified historical time period. This item does not appear when viewing current (Real Time) system resources.


Change the system resource widget display settings:
1. Go to System Settings > General > Dashboard.
2. In the System Resources widget, hover the mouse over the title bar and select the Edit icon. The Edit System Resources Settings dialog box appears.

Figure 33: Edit System Resources Settings window

3. You can configure the following settings:
   - To view only the most current information about system resources, from View Type, select Real Time. This is the default.
   - To view historical information about system resources, from View Type, select History. To change the time range, from Time Period, select one of the following: Last 10 minutes, Last 1 hour, or Last 24 hours.
   - To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0.
4. Select OK to apply your settings.

License Information widget


The license information displayed on the dashboard shows information on features that vary by a purchased license or contract, such as FortiGuard subscription services. It also displays how many devices are connected or attempting to connect to the FortiAnalyzer unit.

Figure 34: VM License Information widget


Unit Operation widget


The Unit Operation widget on the dashboard is a graphical representation of the FortiAnalyzer unit. It displays status and connection information for the ports on the FortiAnalyzer unit. It also enables you to reboot or shutdown the FortiAnalyzer hard disk with a quick click of the mouse.

Figure 35: Unit Operation widget

Port numbers (vary depending on model): The image below the port name indicates its status by its color. Green indicates the port is connected. Grey indicates there is no connection. For more information about a port's configuration and throughput, position your mouse over the icon for that port. You will see the full name of the interface, the IP address and netmask, the status of the link, the speed of the interface, and the number of sent and received packets.
Reboot: Select to restart the FortiAnalyzer unit. You are prompted to confirm before the reboot is executed.
Shutdown: Select to shutdown the FortiAnalyzer unit. You are prompted to confirm before the shutdown is executed.

Alert Messages Console widget


The Alert Message Console widget displays log-based alert messages for both the Fortinet unit itself and connected devices. Alert messages help you track system events on your Fortinet unit such as firmware changes, and network events such as detected attacks. Each message shows the date and time that the event occurred.

Alert messages can also be delivered by email, syslog or SNMP.


Figure 36:Alert Message Console widget

The widget displays only the most current alerts. For a complete list of unacknowledged alert messages (see Figure 37), select the More Alerts icon in the widget's title bar. A popup window appears. To clear the list, select Clear Alert Messages.

Figure 37: List of all alert messages

Select the Edit icon in the title bar to open the Edit Alert Message Console Settings dialog box so that you can adjust the number of entries visible, and their refresh interval.

CLI Console widget


The CLI Console widget enables you to enter command lines through the Web-based Manager, without making a separate Telnet, SSH, or local console connection to access the CLI.

The CLI Console widget requires that your web browser support JavaScript.


To use the console, click within the console area. Doing so will automatically log you in using the same administrator account you used to access the Web-based Manager. You can then enter commands by typing them. You can copy and paste commands into or from the console.

The command prompt, by default the model number such as Fortinet-800B #, contains the host name of the Fortinet unit. To change the host name, see Changing the host name on page 41.

For information on available CLI commands, see the FortiAnalyzer CLI Reference.

Figure 38: CLI Console widget

RAID Monitor widget


RAID (Redundant Array of Independent Disks) helps to divide data storage over multiple disks, which provides increased data reliability. FortiAnalyzer units that contain multiple hard disks can configure the RAID array for capacity, performance, and availability.

You can view the status of the RAID array from the RAID Monitor widget on the System Settings > General > Dashboard page. The RAID Monitor widget displays the status of each disk in the RAID array, including the disk's RAID level. This widget also displays how much disk space is being used. The Alert Message Console widget, located in System Settings > General > Dashboard, provides detailed information about RAID array failures. For more information see Alert Messages Console widget on page 50.

If you need to remove a disk from the FortiAnalyzer unit, you might be able to hot swap it. Hot swapping means that you can remove a failed hard disk and replace it with a new one while the FortiAnalyzer unit is in operation. Hot swapping is a quick and efficient way to replace hard disks. For more information about hot swapping, see Hot-swapping hard disks on page 54.


Figure 39:RAID monitor widget

To configure RAID:
1. Go to System Settings > General > Dashboard.
2. From the RAID Monitor widget title bar, select RAID Settings. The RAID Settings dialog box appears; see Figure 40.

Figure 40: RAID Settings

3. From the RAID Level list, select the RAID option you want to configure and then select Apply. Once selected, depending on the RAID level, it may take a while to generate the RAID array.


Supported RAID levels


FortiAnalyzer units with multiple hard drives can support the following RAID levels:

RAID 0: A RAID 0 array is also referred to as striping or RAID linear. The FortiAnalyzer unit writes information evenly across all hard disks. The total space available is that of all the disks in the RAID array. There is no redundancy available. If any single drive fails, the data on that drive cannot be recovered. This RAID level is beneficial because it provides better performance, since the FortiAnalyzer unit can distribute disk writing across multiple disks.

RAID 1: A RAID 1 array is also referred to as mirroring. The FortiAnalyzer unit writes information to one hard disk, and writes a copy (a mirror image) of all information to all other hard disks. The total disk space available is that of only one hard disk, as the others are solely used for mirroring. This provides redundant data storage with no single point of failure. Should any of the hard disks fail, there are several backup hard disks available.

RAID 5: A RAID 5 array employs striping with a parity check. Similar to RAID 0, the FortiAnalyzer unit writes information evenly across all drives but additional parity blocks are written on the same stripes. The parity block is staggered for each stripe. The total disk space is the total number of disks in the array, minus one disk for parity storage. For example, with four hard disks, the total capacity available is actually the total for three hard disks. RAID 5 performance is typically better with reading than with writing, although performance is degraded when one disk has failed or is missing. With RAID 5, one disk can fail without the loss of data. If a drive fails, it can be replaced and the FortiAnalyzer unit will restore the data on the new disk by using reference information from the parity volume.

RAID 10: RAID 10 (or 1+0) includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors (RAID 1). The total disk space available is the total number of disks in the array (a minimum of 4) divided by 2, for example:
   - two RAID 1 arrays of two disks each
   - three RAID 1 arrays of two disks each
   - six RAID 1 arrays of two disks each.
One drive from a RAID 1 array can fail without the loss of data; however, should the other drive in the RAID 1 array fail, all data will be lost. In this situation, it is important to replace a failed drive as quickly as possible.
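The capacity and fault-tolerance rules above are easy to get wrong when sizing a log store, and the RAID 10 caveat (a second failure in the same mirror loses everything, a second failure in a different mirror does not) is the one that bites during a slow disk replacement. The following Python is an added example, not Fortinet code; it models the four levels exactly as the guide describes them and assumes, beyond the guide, that RAID 5 needs at least 3 disks, that RAID 10 needs an even number of disks, and that RAID 10 mirror pairs are disks (0,1), (2,3), and so on. The firmware's real disk ordering is not stated on this page.

```python
# Minimum disk counts: RAID 10's minimum of 4 is from the guide; the others
# are assumptions (a RAID 5 parity set needs at least three members).
MIN_DISKS = {"RAID 0": 2, "RAID 1": 2, "RAID 5": 3, "RAID 10": 4}


def raid_capacity(level, disk_count, disk_size_gb):
    """Usable capacity and the number of disk failures the array is guaranteed to survive."""
    if level not in MIN_DISKS:
        raise ValueError("unsupported RAID level: %s" % level)
    if disk_count < MIN_DISKS[level]:
        raise ValueError("%s needs at least %d disks" % (level, MIN_DISKS[level]))
    if level == "RAID 0":
        # Striping: every disk adds capacity, any single failure loses the array.
        return {"usable_gb": disk_count * disk_size_gb, "guaranteed_failures": 0}
    if level == "RAID 1":
        # Mirroring: one disk of capacity, every other disk holds a copy.
        return {"usable_gb": disk_size_gb, "guaranteed_failures": disk_count - 1}
    if level == "RAID 5":
        # Striping with distributed parity: one disk's worth of space is parity.
        return {"usable_gb": (disk_count - 1) * disk_size_gb, "guaranteed_failures": 1}
    # RAID 10: a stripe across two-disk mirrors (assumed even disk count).
    if disk_count % 2:
        raise ValueError("RAID 10 needs an even number of disks")
    return {"usable_gb": (disk_count // 2) * disk_size_gb, "guaranteed_failures": 1}


def array_survives(level, disk_count, failed):
    """True if the array still holds its data after the disks in `failed` (0-based indices) are gone."""
    raid_capacity(level, disk_count, 1)  # validates level and disk count
    failed = set(failed)
    if any(i < 0 or i >= disk_count for i in failed):
        raise ValueError("failed disk index out of range")
    if not failed:
        return True
    if level == "RAID 0":
        return False
    if level == "RAID 1":
        return len(failed) < disk_count
    if level == "RAID 5":
        return len(failed) <= 1
    # RAID 10: data is lost only when both disks of one mirror pair fail.
    # With the assumed pairing (0,1), (2,3), ... the partner of disk i is i ^ 1.
    return all((i ^ 1) not in failed for i in failed)


if __name__ == "__main__":
    for level, n in (("RAID 0", 4), ("RAID 1", 4), ("RAID 5", 4), ("RAID 10", 4)):
        print(level, n, "x 1000 GB ->", raid_capacity(level, n, 1000))
    # The RAID 10 caveat from the guide: which second failure is survivable?
    print("RAID 10, disks 0 and 2 failed:", array_survives("RAID 10", 4, {0, 2}))
    print("RAID 10, disks 0 and 1 failed:", array_survives("RAID 10", 4, {0, 1}))
```

The guaranteed_failures figure is the number the guide lets you rely on; array_survives shows that RAID 10 often survives more than that, but only by luck of which disk fails next, which is why the guide tells you to replace a failed drive quickly.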

Hot-swapping hard disks


If a hard disk on a FortiAnalyzer unit fails, it must be replaced. The hard disk can be replaced while the FortiAnalyzer unit is running, also known as hot swapping. The Disk Monitor widget indicates a failed disk, including its RAID level, but does not give specific information about when the disk failed. To identify which hard disk failed, read the relevant log message in the Alert Message Console widget (see Alert Messages Console widget on page 50).

To hot-swap a hard disk:
1. Go to System Settings > General > Dashboard.
2. In the Unit Operation widget, click Shutdown.
3. Click OK.
4. Remove the faulty hard disk and replace it with a new one.


5. Restart the FortiAnalyzer unit. The FortiAnalyzer unit will automatically add the new disk to the current RAID array. The status appears on the console. After the FortiAnalyzer unit boots, the widget will display a green check mark icon for all disks and the RAID Status area will display the progress of the RAID re-synchronization/rebuild.

Electrostatic discharge (ESD) can damage FortiAnalyzer equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist or ankle strap and attaching it to an ESD connector or to a metal part of a FortiAnalyzer chassis.

When replacing a hard disk, you need to first verify that the new disk has the same size as those supplied by Fortinet and has at least the same capacity as the old one in the FortiAnalyzer unit. Installing a smaller hard disk will affect the RAID setup and may cause data loss. Due to possible differences in sector layout between disks, the only way to guarantee that two disks have the same size is to use the same brand and model. The size provided by the hard drive manufacturer for a given disk model is only an approximation. The exact size is determined by the number of sectors present on the disk.

Once a RAID array is built, adding another disk with the same capacity will not affect the array size until you rebuild the array by restarting the FortiAnalyzer unit.

Adding new disks


Some FortiAnalyzer units have space to add more hard disks to increase your storage capacity.

Fortinet recommends that you use the same disks as those supplied by Fortinet. Disks of other brands will not be supported by Fortinet. For information on purchasing extra hard disks, contact your Fortinet reseller.

To add more hard disks
1. Obtain the same disks as those supplied by Fortinet.
2. Back up the log data on the FortiAnalyzer unit. You can also migrate the data to another FortiAnalyzer unit if you have one. Data migration reduces system down time and risk of data loss. For information on data backup, see Backing up the system on page 45.
3. Install the disks on the FortiAnalyzer unit. You can do so while the FortiAnalyzer unit is running.
4. Configure the RAID level.
5. If you have backed up the log data, restore the data. For more information, see Restoring the configuration on page 46.


General settings
All ADOMs
The All ADOMs option displays all the ADOMs configured on the device and provides the option to create new ADOMs. It is only visible if ADOMs are enabled; see System Information widget on page 40.

Figure 41: All ADOMs list

Create New: Select to create a new ADOM.
Search: Enter a keyword to search your ADOMs.
Name: The names of the current ADOMs.
Version: The firmware release version for the ADOM.
Device: The devices that are currently in the ADOM.
VPN Management
# of Policy Packages
Alert Device

To create a new ADOM:
1. Select Create New from the ADOM list tool bar, or right click in the ADOM list and select New in the right-click menu. The Create ADOM dialog box opens.


Figure 42:Create a new ADOM

2. Enter a name for the ADOM in the Name field.
3. Select the version of the firmware release for the ADOM from the drop-down list.
4. Select the devices to be added to the ADOM from the device list on the left, and then select the arrow button to transfer them into the selected devices list on the right.
5. Select OK to create the ADOM.

To edit an ADOM:
1. Right click on the ADOM you need to edit and select Edit from the right-click menu. The Edit ADOM dialog box opens.


Figure 43:Edit an ADOM

2. Edit the ADOM information as required and then select OK. The name of the ADOM and the version cannot be edited.

To delete an ADOM:
1. Right click on the ADOM you would like to delete and select Delete from the right-click menu.
2. Select OK in the confirmation dialog box to delete the ADOM.


Network
The FortiAnalyzer unit can manage Fortinet devices connected to any of its interfaces. The DNS servers must be on the networks to which the FortiAnalyzer unit connects, and should have two different addresses. To view the configured network interfaces, go to System Settings > General > Network. The Network screen is displayed.

Figure 44: Network screen

The following information is available:

Management Interface
IP/Netmask: The IP address and netmask associated with this interface.
IPv6 Address: The IPv6 address and netmask associated with this interface.
Administrative Access: Select the allowed administrative service protocols from: HTTPS, HTTP, PING, SSH, Telnet, SNMP, Web Service, and Aggregator.
IPv6 Administrative Access: Select the allowed IPv6 administrative service protocols from: HTTPS, HTTP, PING, SSH, Telnet, SNMP, Web Service, and Aggregator.
Default Gateway: The default gateway associated with this interface.

DNS
Primary DNS Server: Enter the primary DNS server IP address.
Secondary DNS Server: Enter the secondary DNS server IP address.

All Interfaces: Click to open the network interface list. See Viewing the network interface list on page 60.


Routing Table: Click to open the routing table. See Configuring static routes on page 61.
IPv6 Routing Table: Click to open the IPv6 routing table. See Configuring IPv6 static routes on page 63.
Diagnostic Tools: Select to run available diagnostic tools, including Ping, Traceroute, and View logs.

Viewing the network interface list


To view the Network interface list, select the All Interfaces button.

Figure 45: Network interface list

The following information is available:

Name: The names of the physical interfaces on your FortiAnalyzer unit. The name, including number, of a physical interface depends on the model. Unlike FortiGate, you cannot set alias names for the interfaces. For more information on configuring the interface, see Configuring network interfaces on page 61. If HA operation is enabled, the HA interface has /HA appended to its name.
IP / Netmask: The IP address and netmask associated with this interface.
IPv6: The IPv6 address associated with this interface.
Description: A description of the interface.
Administrative Access: The list of allowed administrative service protocols on this interface. These include HTTP, HTTPS, PING, SSH, and Telnet.
IPv6 Administrative Access: The list of allowed IPv6 administrative service protocols on this interface.
Enable: Displays if the interface is enabled or disabled. If the port is enabled, a green circle with a check mark appears in the column. If the interface is not enabled, a gray circle with an X appears in the column.


Configuring network interfaces


In the Network interface list, select the interface name link to change the interface options.

Figure 46: Configure network interfaces

Enable: Select to enable this interface. A green circle with a check mark appears in the interface list to indicate the interface is accepting network traffic. When not selected, a gray circle with an X appears in the interface list to indicate the interface is down and not accepting network traffic.
Alias: Enter an alias for the port to make it easily recognizable.
IP Address/Netmask: Enter the IP address and netmask for the interface.
IPv6 Address: Enter the IPv6 address for the interface.
Administrative Access: Select the services to allow on this interface. Any interface that is used to provide administration access to the FortiAnalyzer unit will require at least HTTPS or HTTP for web-manager access, or SSH for CLI access.
IPv6 Administrative Access: Select the services to allow on this interface.
Description: Enter a brief description of the interface (optional).
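The Administrative Access setting is where least privilege is decided for the appliance itself: HTTP and Telnet carry administrator logins in cleartext, and a management protocol left enabled on a log-collection interface widens the exposure of the unit. The following Python is an added example, not Fortinet code, that reviews an interface list exported in the shape of the table above (name, Enable, Administrative Access, IPv6 Administrative Access) and reports the conditions a reviewer would look for, including the lockout case where no management interface is left with HTTPS or SSH. The interface records are constructed for the example.

```python
# Protocols the Administrative Access field can offer, as listed in the guide.
KNOWN_PROTOCOLS = {"HTTPS", "HTTP", "PING", "SSH", "Telnet", "SNMP",
                   "Web Service", "Aggregator"}
# Interactive administrator logins: web manager and CLI.
LOGIN_PROTOCOLS = {"HTTPS", "HTTP", "SSH", "Telnet"}
# Of those, the ones that expose credentials and sessions unencrypted.
CLEARTEXT_LOGIN = {"HTTP", "Telnet"}
# Encrypted ways in that the guide says a management interface needs.
ENCRYPTED_LOGIN = {"HTTPS", "SSH"}


def audit_admin_access(interfaces, management_interfaces):
    """Return (interface, severity, message) findings for an interface list.

    interfaces: dicts with keys name, enable, admin_access, ipv6_admin_access
    management_interfaces: names of the interfaces administrators should use
    """
    findings = []
    encrypted_path = False
    for iface in interfaces:
        name = iface["name"]
        access = set(iface.get("admin_access", ())) | set(iface.get("ipv6_admin_access", ()))
        unknown = access - KNOWN_PROTOCOLS
        if unknown:
            findings.append((name, "error", "unknown protocol(s): " + ", ".join(sorted(unknown))))
        if not iface.get("enable", False):
            if access:
                # Harmless today, but becomes live the moment someone enables the port.
                findings.append((name, "info", "disabled interface still lists administrative access: "
                                 + ", ".join(sorted(access))))
            continue
        cleartext = access & CLEARTEXT_LOGIN
        if cleartext:
            findings.append((name, "high", "cleartext administrative protocol(s) enabled: "
                             + ", ".join(sorted(cleartext))))
        exposed = access & LOGIN_PROTOCOLS
        if exposed and name not in management_interfaces:
            findings.append((name, "medium", "administrator login exposed on a non-management interface: "
                             + ", ".join(sorted(exposed))))
        if name in management_interfaces and access & ENCRYPTED_LOGIN:
            encrypted_path = True
    if not encrypted_path:
        findings.append(("*", "critical", "no enabled management interface offers HTTPS or SSH; "
                         "applying this would lock administrators out of the Web-based Manager and CLI"))
    return findings


# Constructed sample interface list (not taken from any real unit).
SAMPLE_INTERFACES = [
    {"name": "port1", "enable": True, "admin_access": ["HTTPS", "SSH", "PING"],
     "ipv6_admin_access": ["HTTPS"]},
    {"name": "port2", "enable": True, "admin_access": ["HTTP", "Telnet", "SNMP", "Aggregator"]},
    {"name": "port3", "enable": False, "admin_access": ["HTTPS"]},
    {"name": "port4", "enable": True, "admin_access": ["PING"]},
]

if __name__ == "__main__":
    for iface, severity, message in audit_admin_access(SAMPLE_INTERFACES, {"port1"}):
        print("%-6s %-8s %s" % (iface, severity, message))
```

On the constructed sample the check flags port2 twice (cleartext HTTP and Telnet, and administrator login on a non-management interface) and notes port3's latent HTTPS entry; PING alone on port4 is not treated as administrative access.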

Configuring static routes


Go to System Settings > General > Network and select the Routing Table button to view, edit, or add to the static routing table.


Figure 47: Routing Table

Delete: Select the check box next to the route number and select Delete to remove the route from the table.
Create New: Select Create New to add a new route. See Add a static route on page 62. Select the route number to edit the settings.
ID: The route number.
IP/Netmask: The destination IP address and netmask for this route.
Gateway: The IP address of the next hop router to which this route directs traffic.
Interface: The network interface that connects to the gateway.

Add a static route
Go to System Settings > General > Network, select the Routing Table button, and select Create New to add a route, or select the route number to edit an existing route.

Figure 48: Create New route

Destination IP/Mask: Enter the destination IP address and netmask for this route.
Gateway: Enter the IP address of the next hop router to which this route directs traffic.
Interface: Select the network interface that connects to the gateway.


Configuring IPv6 static routes

Go to System Settings > General > Network and select the IPv6 Routing Table button to view, edit, or add to the IPv6 static routing table. The following information and settings are available:

Delete: Select the check box next to the route number and select Delete to remove the route from the table.
Create New: Select Create New to add a new route. See Add an IPv6 static route on page 63. Select the route number to edit the settings.
ID: The route number.
IPv6 Address: The destination IPv6 address for this route.
Gateway: The IP address of the next hop router to which this route directs traffic.
Interface: The network interface that connects to the gateway.

Add an IPv6 static route

Go to System Settings > General > Network, select the IPv6 Routing Table button, and select Create New to add a route, or select the route number to edit an existing route.

Figure 49: Create New route

Destination IPv6 Prefix: Enter the destination IPv6 prefix for this route.
Gateway: Enter the IP address of the next hop router to which this route directs traffic.
Interface: Select the network interface that connects to the gateway.
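The static route tables above (IPv4 and IPv6) each hold rows of destination prefix, next-hop gateway and egress interface. The following Python is an added example, not Fortinet code, that models such a table for both address families and shows how a lookup resolves a destination to the most specific matching route (longest prefix match). The route entries and addresses are constructed from RFC 5737 / RFC 3849 documentation ranges; the function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class StaticRoute:
    """One row of the routing table: ID, Destination IP/Mask (or IPv6 prefix), Gateway, Interface."""
    route_id: int
    destination: IPNet
    gateway: IPAddr
    interface: str


def add_route(table: List[StaticRoute], route_id: int, destination: str, gateway: str, interface: str) -> None:
    """Validate and append a route; the gateway must be in the same address family as the prefix."""
    dest = ipaddress.ip_network(destination, strict=False)   # accepts "a.b.c.d/n" and "a.b.c.d/mask"
    gw = ipaddress.ip_address(gateway)
    if dest.version != gw.version:
        raise ValueError("gateway address family must match the destination prefix")
    table.append(StaticRoute(route_id, dest, gw, interface))


def lookup(table: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Longest-prefix match: among routes whose prefix contains dst, take the most specific one."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if r.destination.version == addr.version and addr in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.destination.prefixlen)


# Constructed sample table (not taken from the guide)
SAMPLE_TABLE: List[StaticRoute] = []
add_route(SAMPLE_TABLE, 1, "0.0.0.0/0", "192.0.2.1", "port1")            # IPv4 default route
add_route(SAMPLE_TABLE, 2, "10.10.0.0/255.255.0.0", "192.0.2.254", "port2")
add_route(SAMPLE_TABLE, 3, "10.10.5.0/24", "198.51.100.1", "port3")      # more specific than route 2
add_route(SAMPLE_TABLE, 4, "::/0", "2001:db8::1", "port1")               # IPv6 default route
add_route(SAMPLE_TABLE, 5, "2001:db8:abcd::/48", "2001:db8::2", "port2")


def route_for(dst: str):
    """Return (route ID, interface) chosen for dst, or None when no route matches."""
    r = lookup(SAMPLE_TABLE, dst)
    return None if r is None else (r.route_id, r.interface)


if __name__ == "__main__":
    for probe in ("10.10.5.7", "10.10.9.1", "8.8.8.8", "2001:db8:abcd::10", "2001:db8:1::1"):
        print(probe, "->", route_for(probe))
```

Because a default route (0.0.0.0/0 or ::/0) matches every address, the lookup only falls back to it when no narrower prefix contains the destination; that is why route 3 wins over route 2 for 10.10.5.7 even though both contain it.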


Certificates
The FortiAnalyzer unit generates a certificate request based on the information you enter to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiAnalyzer unit and then forward the request to a CA.

Creating a local certificate

To create a certificate request:
1. Go to System Settings > General > Certificates > Local Certificates.
2. Select the Create New button and enter the information as required and select Ok.

Figure 50: New local certificate

Certificate Name: The name of the certificate.
Key Size: Select the key size from the drop-down list.
Common Name (CN): Enter the common name of the certificate.
Country (C): Select the country from the drop-down list.
State/Province (ST): Enter the state or province.
Locality (L): Enter the locality.
Organization (O): Enter the organization for the certificate.
Organization Unit (OU): Enter the organization unit.
E-mail Address (EA): Enter the email address.


The certificate window also enables you to export certificates for authentication, importing and viewing.

Only Local Certificates can be created. CA Certificates can only be imported.

Importing certificates

To import a local certificate:
1. Go to System Settings > General > Certificates > Local Certificates.
2. Select the Import button.
3. Enter the location of the local certificate, or select browse and browse to the location of the certificate, and select Ok.

To import a CA certificate:
1. Go to System Settings > General > Certificates > CA Certificates.
2. Select the Import button.
3. Enter the location of the local certificate, or select browse and browse to the location of the certificate, and select Ok.

Viewing certificate details

To view a local certificate:
1. Go to System Settings > General > Certificates > Local Certificates.
2. Select the certificates which you would like to see details about and click on View Certificate Detail; see Figure 51.

Figure 51: Local certificate details

Certificate Name: The name of the certificate.
Issuer: The issuer of the certificate.
Subject: The subject of the certificate.
Valid From: The date from which the certificate is valid.
Valid To: The last day that the certificate is valid. The certificate should be renewed before this date.
Version: The certificate's version.
Serial Number: The serial number of the certificate.
Extension: The certificate extension information.

To view a CA certificate:
1. Go to System Settings > General > Certificates > CA Certificates.
2. Select the certificates which you would like to see details about and click on View Certificate Detail. The details displayed are similar to those displayed for a local certificate.

Downloading a certificate

To download a local certificate:
1. Go to System Settings > General > Certificates > Local Certificates.
2. Select the certificates which you would like to download, click on Download, and save the certificate to the desired location.

To download a CA certificate:
1. Go to System Settings > General > Certificates > CA Certificates.
2. Select the certificates which you would like to download, click on Download, and save the certificate to the desired location.

Log Access

The logs created by FortiAnalyzer are viewable within the Web-based Manager. You can use the FortiAnalyzer Log Message Reference, available on the Fortinet Technical Documentation web site, to interpret the messages. You can view log messages in the FortiAnalyzer Web-based Manager that are stored in memory or on the internal hard disk.

To view the log messages:
1. Go to System Settings > General > Log Access.
2. Select the log type by selecting it from the Type drop-down list on the tool bar.
3. Select Download to download a file containing the logs in either CSV or the normal format.
4. Select the Raw text/Formatted table button to toggle log message view.
5. Select Refresh to refresh the displayed logs.
6. Select Historical Log to view historical logs.

Diagnostic tools

The Diagnostic tools page allows you to run the available diagnostic tools, including Ping, Traceroute, and View logs.


Admin

The System Settings > Admin menu enables you to configure administrator accounts, access profiles, and adjust global administrative settings for the FortiAnalyzer unit. The following menu options are available:

Administrator: Select to configure administrative user accounts. For more information, see Administrator on page 68.
Profile: Select to set up access profiles for the administrative users. For more information, see Profile on page 71.
Remote Auth Server: Select to configure authentication server settings for administrative log in. For more information, see Remote authentication server on page 74.
Admin Settings: Select to configure connection options for the administrator including port number, language of the Web-based Manager and idle timeout. For more information, see Administrator settings on page 80.

Monitoring administrator sessions

The Current Administrators view enables you to view the list of administrators logged into the FortiAnalyzer unit. From this window you can also disconnect users if necessary. To view logged in administrators on the FortiAnalyzer unit, go to System Settings > General > Dashboard. In the System Information widget, under Current Administrators, select Detail. The list of current administrator sessions opens; see Figure 52.

Figure 52: Administrator session list

The following information is available:

User Name: The name of the administrator account. Your session is indicated by (current).
IP Address: The IP address where the administrator is logging in from.
Start Time: The date and time the administrator logged in.
Time Out (mins): The maximum duration of the session in minutes (1 to 480 minutes).
Delete: Select the check box next to the user and select Delete to drop their connection to the FortiAnalyzer unit.

To disconnect an administrator:
1. Go to System Settings > General > Dashboard.
2. In the System Information widget, under Current Administrators, select Detail. The list of current administrator sessions appears; see Figure 52.
3. Select the check box for each administrator session that you want to disconnect, and select Delete.
4. Select OK to confirm deletion of the session.

The disconnected administrator will see the FortiAnalyzer login screen when disconnected. They will not have any additional warning. It is a good idea to inform the administrator before disconnecting if possible, should they be in the middle of important configurations for the FortiAnalyzer or another device.

Administrator

Go to System Settings > Admin > Administrator to view the list of administrators and configure administrator accounts. Only the default admin administrator account can see the complete administrators list. If you do not have certain viewing privileges, you will not see the administrator list.

Figure 53: Administrator list

The following information is available:

Delete: Select the check box next to the administrator you want to remove from the list and select Delete.
Create New: Select to create a new administrator. For more information, see To create a new administrator account: on page 69.
User Name: The name this administrator uses to log in. Select the administrator name to edit the administrator settings.
Profile: The administrator profile for this user that determines the privileges of this administrator. For information on administrator profiles, see Profile on page 71.
Status: Indicates whether or not the administrator is currently logged into the FortiAnalyzer unit. A green circle with an up arrow indicates the administrator is logged in; a red circle with a down arrow indicates the administrator is not logged in.
Comments: Descriptive text about the administrator account.

To create a new administrator account:
1. Go to System Settings > Admin > Administrator and select Create New. The New Administrator dialog box appears; see Figure 54.

Figure 54: Creating a new administrator account

2. Configure the following settings:

User Name: Enter the name that this administrator uses to log in. This field is available if you are creating a new administrator account.
Type: Select the type of authentication the administrator will use when logging into the FortiAnalyzer unit. If you select LOCAL, you will need to add a password. Otherwise, depending on the type of authentication server selected, you will select the authentication server from a drop-down list.
New Password: Enter the password.
Confirm Password: Enter the password again to confirm it.
Server: Select the RADIUS, LDAP, or TACACS+ server, as appropriate. This option is only available if the type is not LOCAL.
Wildcard: Select this option to set the password as a wildcard. This option is only available if the type is not LOCAL.
Trusted Host1, Trusted Host2, Trusted Host3: Optionally, enter the trusted host IP address and netmask from which the administrator can log in to the FortiAnalyzer unit. You can specify up to three trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts on page 71.
Trusted IPv6 Host1, Trusted IPv6 Host2, Trusted IPv6 Host3: Optionally, enter the trusted host IPv6 address from which the administrator can log in to the FortiAnalyzer unit. You can specify up to three trusted IPv6 hosts. Setting trusted IPv6 hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts on page 71.
Profile: Select a profile from the list. The profile selected determines the administrator's access to the FortiAnalyzer unit's features. To create a new profile, see Configuring administrator profiles on page 72.
Admin Domain: Choose the ADOM this admin will belong to. This field is available only if ADOMs are enabled.
Description: Optionally, enter a description of this administrator's role, location or reason for their account. This field adds an easy reference for the administrator account.

User Information (optional)
Contact Email: Enter a contact email address for the new administrator.
Contact Phone: Enter a contact phone number for the new administrator.

3. Select OK to create the new administrator account.

To modify an existing administrator account:
1. Go to System Settings > Admin > Administrator. The list of configured administrators appears; see Figure 53 on page 68.
2. In the User Name column, double-click on the user name of the administrator you want to change. The Edit Administrator window appears.
3. Modify the settings as required. For more information about configuring account settings, see To create a new administrator account: on page 69.
4. Select OK to save your changes.

To delete an existing administrator account:
1. Go to System Settings > Admin > Administrator. The list of configured administrators appears; see Figure 53 on page 68.
2. Select the check box of the administrator account you want to delete and then select the Delete icon in the tool bar.
3. In the dialog box that appears, select OK to confirm the deletion.

Using trusted hosts


Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255. When you set trusted hosts for all administrators, the FortiAnalyzer unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access. The trusted hosts you define apply both to the Web-based Manager and to the CLI when accessed through SSH. CLI access through the console connector is not affected.

If you set trusted hosts and want to use the Console Access feature of the Web-based Manager, you must also set 127.0.0.1/255.255.255.255 as a trusted host. By default, Trusted Host 3 is set to this address.
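The trusted-host rule described in this section, as an added Python example that is not Fortinet's code: an account model with up to three IPv4 trusted hosts (in the IP/netmask form the dialog uses) and up to three IPv6 trusted hosts, a check of whether a login attempt from a given source address would be accepted, and an audit that flags the two conditions the text warns about, an administrator left unrestricted and an account missing the 127.0.0.1/255.255.255.255 entry that web Console Access needs. The account names and addresses are constructed (RFC 5737 / RFC 3849 documentation ranges); the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Loopback entry required when trusted hosts are set and web Console Access is wanted
LOOPBACK_TRUSTED = "127.0.0.1/255.255.255.255"


@dataclass
class AdminAccount:
    """Constructed model of the trusted-host fields of an administrator account."""
    name: str
    trusted_hosts: List[str] = field(default_factory=list)       # "ip/netmask", up to three
    trusted_ipv6_hosts: List[str] = field(default_factory=list)  # IPv6 prefixes, up to three

    def __post_init__(self):
        if len(self.trusted_hosts) > 3 or len(self.trusted_ipv6_hosts) > 3:
            raise ValueError("at most three trusted hosts per address family")


def trusted_networks(account: AdminAccount):
    # ipaddress accepts both prefix-length and dotted-netmask forms, so 10.0.0.5/255.255.255.255 is a /32
    return [ipaddress.ip_network(h, strict=False)
            for h in account.trusted_hosts + account.trusted_ipv6_hosts]


def is_unrestricted(account: AdminAccount) -> bool:
    return not account.trusted_hosts and not account.trusted_ipv6_hosts


def login_allowed(account: AdminAccount, source_ip: str) -> bool:
    """An account with no trusted host accepts any source; otherwise the source
    must fall inside one of the configured subnets of the same address family."""
    if is_unrestricted(account):
        return True
    src = ipaddress.ip_address(source_ip)
    return any(src.version == net.version and src in net for net in trusted_networks(account))


def audit(accounts: List[AdminAccount]) -> List[str]:
    """Findings a reviewer would raise from the guidance in this section."""
    findings = []
    for acct in accounts:
        if is_unrestricted(acct):
            findings.append(f"{acct.name}: no trusted host, so the unit accepts admin access from any host")
        elif ipaddress.ip_network(LOOPBACK_TRUSTED) not in trusted_networks(acct):
            findings.append(f"{acct.name}: {LOOPBACK_TRUSTED} not trusted, web Console Access will fail")
    return findings


# Constructed sample accounts
ADMIN = AdminAccount("admin",
                     ["192.0.2.0/255.255.255.0", "10.0.0.5/255.255.255.255", LOOPBACK_TRUSTED],
                     ["2001:db8::/64"])
AUDITOR = AdminAccount("auditor")                       # no trusted hosts at all
OPS = AdminAccount("ops", ["10.1.0.0/255.255.0.0"])     # restricted, but loopback not listed
ACCOUNTS = [ADMIN, AUDITOR, OPS]

if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(finding)
```

The audit reproduces the point the section makes: one unrestricted account ("auditor") is enough for the unit to keep answering administrative connection attempts from every host on any interface with administrative access enabled, regardless of how tightly the other accounts are restricted.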

Profile
The System Settings > Admin > Profile menu enables you to create or edit administrator profiles which are used to limit administrator access privileges to devices or system features. There are three pre-defined profiles with the following privileges:

Restricted_User: Restricted user profiles have no System Privileges enabled, and have read-only access for all Device Privileges.
Standard_User: Standard user profiles have no System Privileges enabled, but have read/write access for all Device Privileges.
Super_User: Super user profiles have all system and device privileges enabled.

You cannot delete these profiles, but you can modify them. You can also create new profiles if required.

This Guide is intended for default users with full privileges. If you create a profile with limited privileges it will limit the ability of any administrator using that profile to follow procedures in this Guide.

To view the list of configured administrator profiles, go to the System Settings > Admin > Profile page; see Figure 55.


Figure 55:Administrator profile list

The default administrator profiles cannot be deleted. They can, however, be edited.

The following information is available:

Delete: Select the check box next to the profile you want to delete and select Delete. Predefined profiles cannot be deleted. You can only delete custom profiles when they are not applied to any administrators.
Create New: Select to create a custom administrator profile. See Configuring administrator profiles on page 72.
Profile: The administrator profile name. Select the profile name to view or modify existing settings. For more information about profile settings, see Configuring administrator profiles on page 72.
Description: Provides a brief description of the system and device access privileges allowed for the selected profile.

Configuring administrator profiles

You can modify one of the pre-defined profiles or create a custom profile if needed. Only administrators with full system privileges can modify the administrator profiles.

To create a custom profile:
1. Go to System Settings > Admin > Profile and select Create New. The Create Profile dialog box appears; see Figure 56.


Figure 56:Create new administrator profile

2. Configure the following settings:

Profile Name: Enter a name for this profile.
Description: Enter a description for this profile. While not a requirement, a description can help to know what the profile is for or the levels it is set to.
Other Settings: Select None, Read Only, or Read-Write access for categories as required.

3. Select OK to save the new profile.

To modify an existing profile:
1. Go to System Settings > Admin > Profile. The list of available profiles appears; see Figure 55 on page 72.
2. In the Profile column, double-click on the name of the profile you want to change. The Edit Profile dialog box appears.

Profile Name: Enter a name for this profile.
Description: Enter a description for this profile. While not a requirement, a description can help to know what the profile is for or the levels it is set to.
Other Settings: Select None, Read Only, or Read-Write access for categories as required.

3. Configure the appropriate changes and then select OK to save the settings.

To delete a profile:
1. Go to System Settings > Admin > Profile. The list of available profiles appears; see Figure 55 on page 72.
2. Select the check box of the custom profile you want to delete and then select the Delete icon in the tool bar. You can only delete custom profiles when they are not applied to any administrators.


3. In the confirmation dialog box that appears, select OK to delete the profile.

Remote authentication server


The FortiAnalyzer system supports remote authentication of administrators using RADIUS, LDAP, and TACACS+ servers. To use this feature, you must configure the appropriate server entries in the FortiAnalyzer unit for each authentication server in your network.

RADIUS server

Remote Authentication Dial-In User Service (RADIUS) is a user authentication and network-usage accounting system. When users connect to a server they enter a user name and password. This information is passed to a RADIUS server, which authenticates the user and authorizes access to the network.

You can create or edit RADIUS server entries in the RADIUS server list to support authentication of administrators. When an administrator account's type is set to RADIUS, the FortiAnalyzer unit uses the RADIUS server to verify the administrator password at logon. The password is not stored on the FortiAnalyzer unit.

Go to System Settings > Admin > Remote Auth Server > Radius Server to view the RADIUS server list.

Figure 57: RADIUS server list

Create New: Add a new RADIUS server entry.
Delete: Select the check box next to the server entry and select Delete. You cannot delete a RADIUS server entry if there are administrator accounts using it.
Name: The RADIUS server name. Select the server name to edit the settings.
Server Name/IP: The IP address or DNS resolvable domain name of the RADIUS server.
Secondary Server Name/IP: Optional IP address or DNS resolvable domain name of the secondary RADIUS server.

To add a RADIUS server configuration:
1. Go to System Settings > Admin > Remote Auth Server > RADIUS server. The list of configured RADIUS servers appears.
2. Select the Create New tool bar icon. The New RADIUS Server dialog box appears; see Figure 58.


Figure 58:New RADIUS Server window

3. Configure the following settings:

Name: Enter a name to identify the RADIUS server.
Server Name/IP: Enter the IP address or fully qualified domain name of the RADIUS server.
Server Secret: Enter the RADIUS server secret.
Secondary Server Name/IP: Enter the IP address or fully qualified domain name of the secondary RADIUS server.
Secondary Server Secret: Enter the secondary RADIUS server secret.
Port: Enter the port for RADIUS traffic. The default port is 1812. You can change it if necessary. Some RADIUS servers use port 1645.
Auth-Type: Enter the authentication type the RADIUS server requires. The default setting of ANY has the FortiAnalyzer unit try all the authentication types.

4. Select OK to save the new RADIUS server configuration.

To modify an existing RADIUS server configuration:
1. Go to System Settings > Admin > Remote Auth Server > RADIUS server. The list of configured RADIUS servers appears.
2. In the Name column, select the name of the server configuration you want to change. The Edit RADIUS Server dialog box appears.
3. Modify the settings as required and select OK to apply your changes.

To delete an existing RADIUS server configuration:
1. Go to System Settings > Admin > Remote Auth Server > RADIUS server. The list of configured RADIUS servers appears.
2. Select the check box beside the server configuration you want to delete and then select the Delete tool bar icon. A confirmation dialog box appears.
3. Select OK to delete the server entry.

You cannot delete a RADIUS server entry if there are administrator accounts using it.
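The RADIUS section above says the administrator's password is passed to the RADIUS server for verification and is not stored on the unit, and that each server entry carries a Server Secret. The following Python is an added example, not Fortinet's code, showing what that exchange looks like on the wire per RFC 2865: the client builds an Access-Request whose User-Password attribute is hidden under the shared secret and a random Request Authenticator, a toy server recovers the password, checks it against a constructed user store and answers Access-Accept or Access-Reject, and the client accepts the answer only if its Response Authenticator verifies under the same secret. The secret, user names and passwords are constructed; nothing is sent over the network.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _pad16(data: bytes) -> bytes:
    padded = data + b"\x00" * (-len(data) % 16)
    return padded or b"\x00" * 16


def _password_xor(secret: bytes, authenticator: bytes, data: bytes, encrypting: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block), the first block using the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if encrypting else block
    return out


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    return _password_xor(secret, authenticator, _pad16(password), True)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    return _password_xor(secret, authenticator, hidden, False).rstrip(b"\x00")


def build_access_request(secret: bytes, identifier: int, username: bytes, password: bytes,
                         authenticator: bytes = None) -> bytes:
    """Client side: Code(1) Identifier Length Authenticator(16) Attributes."""
    auth = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_USER_PASSWORD, hide_password(secret, auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs


def parse_attributes(body: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(body):
        if i + 1 >= len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute length")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def server_respond(secret: bytes, users: dict, packet: bytes) -> bytes:
    """Server side: check the credential and reply with a Response Authenticator
    = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attributes(packet[20:])
    user = attrs.get(ATTR_USER_NAME)
    pwd = reveal_password(secret, req_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    stored = users.get(user) if user is not None else None
    ok = stored is not None and hmac.compare_digest(stored, pwd)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    return header + hashlib.md5(header + req_auth + b"" + secret).digest()


def client_verify(secret: bytes, request: bytes, response: bytes) -> str:
    """Client side: trust the reply only if its Response Authenticator checks out."""
    req_auth = request[4:20]
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "forged-or-wrong-secret"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "unknown")


def demo(secret: bytes, users: dict, username: bytes, password: bytes, authenticator: bytes = None) -> str:
    """Run one full client/server round trip and return the client's verdict."""
    req = build_access_request(secret, 7, username, password, authenticator)
    return client_verify(secret, req, server_respond(secret, users, req))


if __name__ == "__main__":
    # Constructed sample secret and user store
    print(demo(b"constructed-shared-secret", {b"admin1": b"correct horse"}, b"admin1", b"correct horse"))
```

Both the password hiding and the reply authentication rest entirely on the Server Secret, which is why it deserves the same care as a password: a server configured with a different secret cannot recover the password and its reply fails the client's check, and MD5-based hiding offers little against anyone who holds the secret, so RADIUS traffic between the unit and the server should stay on a protected management network.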

LDAP server

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network.

If you have configured LDAP support and require a user to authenticate using an LDAP server, the FortiAnalyzer unit contacts the LDAP server for authentication. To authenticate with the FortiAnalyzer unit, the user enters a user name and password. The FortiAnalyzer unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the FortiAnalyzer unit successfully authenticates the user. If the LDAP server cannot authenticate the user, the FortiAnalyzer unit refuses the connection.

Go to System Settings > Admin > Remote Auth Server > LDAP Server to create a new LDAP server entry or edit an existing server entry.

Figure 59: LDAP server list

Delete: Select the check box next to the server name and select Delete. You cannot delete an LDAP server entry if there are administrator accounts using it.
Create New: Add a new LDAP server entry.
Name: The LDAP server name. Select the server name to edit the settings.
Server Name/IP: The IP address or DNS resolvable domain name of the LDAP server.
Secure Connection: Whether a secure LDAP server connection is used for authentication.


To add an LDAP server:
1. Go to System Settings > Admin > Remote Auth Server > LDAP Server. The list of LDAP servers appears.
2. Select the Create New tool bar icon. The New LDAP Server dialog box appears; see Figure 60.

Figure 60: New LDAP server dialog box

3. Configure the following information:

Name: Enter a name to identify the LDAP server.
Server Name/IP: Enter the IP address or fully qualified domain name of the LDAP server.
Port: Enter the port for LDAP traffic. The default port is 389.
Common Name Identifier: The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as uid.
Distinguished Name: The distinguished name used to look up entries on the LDAP server. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier.
Bind Type: Select the type of binding for LDAP authentication.
User DN
Password
Secure Connection: Select to use a secure LDAP server connection for authentication.

4. Select OK to save the new LDAP server entry.

To modify an existing LDAP server configuration:
1. Go to System Settings > Admin > Remote Auth Server > LDAP Server. The list of configured LDAP servers appears.
2. In the Name column, select the name of the server configuration you want to change. The Edit LDAP Server dialog box appears.
3. Modify the settings as required and select OK to apply your changes.

To delete an existing LDAP server configuration:
1. Go to System Settings > Admin > Remote Auth Server > LDAP Server. The list of configured LDAP servers appears.
2. Select the check box beside the server configuration you want to delete and then select the Delete tool bar icon. A confirmation dialog box appears.
3. Select OK to delete the server entry.

You cannot delete an LDAP server entry if there are administrator accounts using it.

TACACS+ server

In recent years, remote network access has shifted from terminal access to LAN access. Users connect to their corporate network (using notebooks or home PCs) with computers that use complete network connections and have the same level of access to the corporate network resources as if they were physically in the office. These connections are made through a remote access server. As remote access technology has evolved, the need for network access security has become increasingly important.

Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS allows a client to accept a user name and password and send a query to a TACACS authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user. The default TCP port for a TACACS server is 49. For more information about TACACS servers, see the FortiGate documentation.

Go to System Settings > Admin > Remote Auth Server > TACACS+ Server to create a new TACACS+ server entry or edit an existing server entry. The TACACS+ server list provides the following information and options:

Delete: Select the check box next to the server name and select Delete. You cannot delete a TACACS+ server entry if there are administrator accounts using it.
Create New: Add a new TACACS+ server entry.
Name: The TACACS+ server name. Select the server name to edit the settings.
Server Name/IP: The IP address or DNS resolvable domain name of the TACACS+ server.

To add a TACACS+ server:
1. Go to System Settings > Admin > Remote Auth Server > TACACS+ Server. The list of TACACS+ servers appears.
2. Select the Create New tool bar icon. The New TACACS+ Server dialog box appears; see Figure 61.


Figure 61:New TACACS+ server dialog box

3. Configure the following information:

Name: Enter a name to identify the TACACS+ server.
Server Name/IP: Enter the IP address or fully qualified domain name of the TACACS+ server.
Port: Enter the port for TACACS+ traffic. The default port is 389.
Server Key: Enter the key to access the TACACS+ server. The server key can be a maximum of 16 characters in length.
Auth-Type: Enter the authentication type the TACACS+ server requires. The default setting of ANY has the FortiAnalyzer unit try all the authentication types.

4. Select OK to save the new TACACS+ server entry.

To modify an existing TACACS+ server configuration:
1. Go to System Settings > Admin > Remote Auth Server > TACACS+ Server. The list of configured TACACS+ servers appears.
2. In the Name column, select the name of the server configuration you want to change. The Edit TACACS+ Server dialog box appears.
3. Modify the settings as required and select OK to apply your changes.

To delete an existing TACACS+ server configuration:
1. Go to System Settings > Admin > Remote Auth Server > TACACS+ Server. The list of configured TACACS+ servers appears.
2. Select the check box beside the server configuration you want to delete and then select the Delete tool bar icon. A confirmation dialog box appears.
3. Select OK to delete the server entry.

You cannot delete a TACACS+ server entry if there are administrator accounts using it.


Administrator settings

The System Settings > Admin > Admin Settings page allows you to configure global settings for administrator access to the FortiAnalyzer unit, including:
- Ports for HTTPS and HTTP administrative access
- Idle Timeout settings
- Language of the web-based manager
- Password Policy

Only the admin administrator can configure these system options, which apply to all administrators logging onto the FortiAnalyzer unit.

To configure the administrative settings:
1. Go to System Settings > Admin > Admin Settings. The Settings dialog box appears; see Figure 62.

Figure 62: Administrative settings dialog box

2. Configure the following information:

Administration Settings
HTTP Port: Enter the TCP port to be used for administrative HTTP access.
HTTPS Port: Enter the TCP port to be used for administrative HTTPS access.
HTTPS & Web Service Server Certificate: Select a certificate from the drop-down list.
Idle Timeout: Enter the number of minutes that an administrative connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To ensure security, the idle timeout should be a short period of time to avoid the administrator inadvertently leaving the management computer logged in to the FortiAnalyzer unit and opening the possibility of someone walking up and modifying the network options.
Language: Select a language from the drop-down list.

Password Policy
Enable: Select to enable administrator passwords.
Minimum Length: Select the minimum length for a password. The default is eight characters.
Must Contain: Select the types of characters that a password must contain.
Admin Password Expires after: Select the number of days that a password is valid for, after which time it must be changed.

Other Devices: Select whether FortiCarrier and FortiSwitch Manager Settings are shown.

3. Select Apply to save your settings. The settings are applied to all administrator accounts.
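The Password Policy settings above (Enable, Minimum Length with its default of eight characters, Must Contain, Admin Password Expires after) describe a policy that the unit applies to every administrator account. The following Python is an added example, not Fortinet's code, that evaluates a candidate password and a password age against such a policy and reports which rule failed, and that flags a policy configured weaker than the documented default. The character-class names, the 90-day expiry value and the sample dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Character classes a policy may require (constructed labels for this example)
CLASS_TESTS = {
    "uppercase letter": lambda c: c.isupper(),
    "lowercase letter": lambda c: c.islower(),
    "digit": lambda c: c.isdigit(),
    "special character": lambda c: not c.isalnum() and not c.isspace(),
}


@dataclass
class PasswordPolicy:
    """Constructed model of the Password Policy block of the Admin Settings page."""
    enabled: bool = True
    minimum_length: int = 8                     # the guide's default
    must_contain: List[str] = field(default_factory=lambda: list(CLASS_TESTS))
    expires_after_days: Optional[int] = None    # None: passwords never expire


def check_password(policy: PasswordPolicy, candidate: str) -> List[str]:
    """Return the list of rules the candidate violates; an empty list means it is acceptable."""
    if not policy.enabled:
        return []
    problems = []
    if len(candidate) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    for cls in policy.must_contain:
        if not any(CLASS_TESTS[cls](c) for c in candidate):
            problems.append(f"missing: {cls}")
    return problems


def password_expired(policy: PasswordPolicy, last_changed: date, today: date) -> bool:
    """True once the password is older than Admin Password Expires after allows."""
    if not policy.enabled or policy.expires_after_days is None:
        return False
    return today > last_changed + timedelta(days=policy.expires_after_days)


def weaker_than_default(policy: PasswordPolicy) -> List[str]:
    """Review findings for a policy that is less strict than the documented default."""
    findings = []
    if not policy.enabled:
        findings.append("password policy disabled")
    if policy.minimum_length < 8:
        findings.append("minimum length below the default of 8")
    if policy.expires_after_days is None:
        findings.append("passwords never expire")
    return findings


if __name__ == "__main__":
    policy = PasswordPolicy(expires_after_days=90)   # constructed value
    print(check_password(policy, "Short1!"))
    print(check_password(policy, "Correct-Horse9"))
    print(password_expired(policy, date(2012, 8, 1), date(2012, 11, 20)))
```

Because the settings apply to all administrators, enabling the policy after accounts already exist does not retroactively strengthen existing passwords; expiry is what forces those accounts to pick a new password that satisfies the current rules.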

Advanced

The System Settings > Advanced menu enables you to configure SNMP, metafield data, and other settings. The following options are available:

SNMP v1/v2c: Select to configure FortiGate and FortiAnalyzer reporting through SNMP traps. See SNMP v1/v2c on page 82.
Advanced settings: Select to configure global advanced settings such as offline mode, device synchronization settings and install interface policy only; see Advanced settings on page 85.
Alerts: Select to configure alert events, mail and syslog servers, and to view alert messages. See Alerts on page 86.
Device Log: Select to configure log settings and access and to view the task monitor. See Device Log on page 91.


SNMP v1/v2c

Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiAnalyzer SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the incoming trap and event messages from the agent and send out SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager, or host, to one or more FortiAnalyzer units.

By using an SNMP manager, you can access SNMP traps and data from any FortiAnalyzer interface configured for SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiAnalyzer unit it will be monitoring. Otherwise the SNMP manager will not receive any traps from that FortiAnalyzer unit and will not be able to query that unit. You can configure the FortiAnalyzer unit to respond to traps and send alert messages to SNMP managers that were added to SNMP communities.

When you are configuring SNMP, you need to first download and install both the FORTINET-CORE-MIB.mib and FORTINET-FORTIANALYZER-MIB.mib files so that you can view these alerts in a readable format. The Fortinet MIB contains support for all Fortinet devices, and includes some generic SNMP traps; information responses and traps that FortiAnalyzer units send are a subset of the total number supported by the Fortinet proprietary MIB. Your SNMP manager may already include standard and private MIBs in a compiled database which is all ready to use; however, you still need to download both the FORTINET-CORE-MIB.mib and FORTINET-FORTIANALYZER-MIB.mib files regardless.

FortiAnalyzer SNMP is read-only: SNMP v1 and v2 compliant SNMP managers have read-only access to FortiAnalyzer system information and can receive FortiAnalyzer traps. RFC support includes most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). FortiAnalyzer units also use object identifiers from the Fortinet proprietary MIB. For more information about the MIBs and traps that are available for the FortiAnalyzer unit, see SNMP MIB Support on page 139.

SNMP traps alert you to events that happen, such as a log disk being full or a virus being detected. SNMP fields contain information about your FortiAnalyzer unit, such as percent CPU usage or the number of sessions. This information is useful to monitor the condition of the unit, both on an ongoing basis and to provide more information when a trap occurs.

Configuring the SNMP agent

The SNMP agent sends SNMP traps that originate on the FortiAnalyzer system to an external monitoring SNMP manager defined in one of the FortiAnalyzer SNMP communities. Typically, an SNMP manager is an application on a local computer that can read the SNMP traps and generate reports or graphs from them. The SNMP manager can monitor the FortiAnalyzer system to determine if it is operating properly, or if there are any critical events occurring. The description, location, and contact information for this FortiAnalyzer system will be part of the information the SNMP manager has; this information is useful if the SNMP manager is monitoring many devices, and it enables faster responses when the FortiAnalyzer system requires attention. Go to System Settings > Advanced > SNMP v1/v2c to configure the SNMP Agent.

Page 82

Figure 63: SNMP configuration

SNMP Agent: Select to enable the FortiAnalyzer SNMP agent. When this is enabled, it sends FortiAnalyzer SNMP traps.
Description: Enter a description of this FortiAnalyzer system to help uniquely identify this unit.
Location: Enter the location of this FortiAnalyzer system to help find it in the event it requires attention.
Contact: Enter the contact information for the person in charge of this FortiAnalyzer system.
Communities: The list of SNMP communities added to the FortiAnalyzer configuration.
Create New: Select Create New to add a new SNMP community. If SNMP Agent is not selected, this control will not be visible. For more information, see Configuring an SNMP community on page 83.

The community list has the following columns:

Community Name: The name of the SNMP community.
Queries: The status of SNMP queries for each SNMP community.
Traps: The status of SNMP traps for each SNMP community.
Enable: Select to enable or unselect to disable the SNMP community.
Delete icon: Select to remove an SNMP community.
Edit icon: Select to edit an SNMP community.

Configuring an SNMP community


An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP community and a printer SNMP community. You can add an SNMP community to define a destination IP address that can be selected as the recipient (SNMP manager) of FortiAnalyzer unit SNMP alerts. Defined SNMP communities are also granted permission to request FortiAnalyzer unit system information using SNMP traps.

Page 83

Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiAnalyzer unit for a different set of events. You can also add the IP addresses of up to eight SNMP managers to each community.

To create a new SNMP community:
1. Go to System Settings > Advanced > SNMP v1/v2c.
2. Ensure that the SNMP Agent is enabled, and under Communities, select Create New. The New SNMP Community dialog box opens.

Figure 64: New SNMP community

3. Enter the below information as required.

Community Name: Enter a name to identify the SNMP community. If you are editing an existing community, you will be unable to change the name.
Hosts: The list of hosts (SNMP managers) that can use the settings in this SNMP community to monitor the FortiAnalyzer system. Select Add to create a new entry that you can edit.
IP Address: Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0 so that any SNMP manager can use this SNMP community.

Page 84

Interface: Select the name of the interface that connects to the network where this SNMP manager is located from the drop-down list. You need to do this if the SNMP manager is on the Internet or behind a router.
Delete icon: Select to remove this SNMP manager entry.
Add: Select to add a new default entry to the Hosts list that you can edit as needed. You can have up to eight SNMP manager entries for a single community.
Queries: Enter the port numbers (161 by default) that the FortiAnalyzer system uses for SNMP v1 and SNMP v2c queries from the SNMP managers in this community. Enable queries for each SNMP version that the FortiAnalyzer system uses. Note: The SNMP client software and the FortiAnalyzer unit must use the same port for queries.
Traps: Enter the remote port numbers (162 by default) that the FortiAnalyzer system uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Enable traps for each SNMP version that the FortiAnalyzer system uses. Note: The SNMP client software and the FortiAnalyzer unit must use the same port for traps.
SNMP Event: Enable the events that will cause the FortiAnalyzer unit to send SNMP traps to the community. These events include: Interface IP changed, Log disk space low, HA Failover, System Restart, CPU Overusage, and Memory Low.

4. Select OK to create the SNMP community.

To edit an SNMP community:
1. Go to System Settings > Advanced > SNMP v1/v2c.
2. In the Action column of the community you need to edit, select the edit icon. The Edit SNMP Community dialog box opens.
3. Edit the SNMP community settings as required and then select OK.

To delete an SNMP community:
1. Go to System Settings > Advanced > SNMP v1/v2c.
2. In the Action column of the community you need to delete, select the delete icon.
3. Select OK in the confirmation dialog box to delete the SNMP community.
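The host list, the 0.0.0.0 wildcard, the per-version query switches and the read-only agent described above can be modelled end to end. The following Python is an added example written for this guide and is not FortiAnalyzer code: it encodes a minimal SNMP v1/v2c message (BER encoded, as the protocol defines), extracts the community string and PDU type, and applies a community check in the spirit of the settings on this page. The community names, addresses and interface names are constructed, and the matching rules are this example's simplification of the dialog's fields, not a description of the unit's internal logic.

```python
import ipaddress

# Constructed model of two SNMP communities as configured on this page:
# hosts (IP + interface), per-version query/trap switches and the ports.
# 0.0.0.0 is the page's "any SNMP manager" wildcard.
COMMUNITIES = [
    {
        "name": "noc-ro",                       # constructed name
        "hosts": [{"ip": "192.0.2.10", "interface": "port1"}],
        "queries": {"v1": False, "v2c": True, "port": 161},
        "traps": {"v1": False, "v2c": True, "port": 162},
    },
    {
        "name": "public",                       # constructed: wildcard host
        "hosts": [{"ip": "0.0.0.0", "interface": "port1"}],
        "queries": {"v1": True, "v2c": True, "port": 161},
        "traps": {"v1": True, "v2c": True, "port": 162},
    },
]

# SNMP PDU tags (context-specific, constructed). The agent is read-only,
# so only the Get family is ever answered.
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
READ_ONLY_PDUS = {"GetRequest", "GetNextRequest", "GetBulkRequest"}


def _tlv(tag, payload):
    """Encode one BER TLV (short or long definite length form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_snmp_message(version, community, pdu_tag, request_id=1):
    """Build an SNMP message (version 0 = v1, 1 = v2c) with one varbind
    asking for sysDescr.0 (1.3.6.1.2.1.1.1.0). request_id stays below 128
    so the INTEGER encoding needs no sign padding."""
    sys_descr = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])
    varbind = _tlv(0x30, _tlv(0x06, sys_descr) + _tlv(0x05, b""))
    pdu = _tlv(pdu_tag, _tlv(0x02, bytes([request_id])) + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, bytes([version]))
                + _tlv(0x04, community.encode()) + pdu)


def parse_snmp_message(msg):
    """Extract version, community string and PDU type from a v1/v2c message.
    Note that the community string is carried in clear text."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, _, _ = _read_tlv(body, pos)
    version = {0: "v1", 1: "v2c"}.get(int.from_bytes(ver, "big"), "other")
    return {"version": version, "community": community.decode(errors="replace"),
            "pdu": PDU_TYPES.get(pdu_tag, "unknown")}


def host_allowed(community, src_ip):
    """Community host list check; 0.0.0.0 accepts any manager address."""
    src = ipaddress.ip_address(src_ip)
    return any(h["ip"] == "0.0.0.0" or ipaddress.ip_address(h["ip"]) == src
               for h in community["hosts"])


def authorize_query(communities, src_ip, dst_port, msg):
    """Decide whether the agent answers this query; returns (ok, reason)."""
    info = parse_snmp_message(msg)
    if info["pdu"] not in READ_ONLY_PDUS:
        return False, "agent is read-only; %s rejected" % info["pdu"]
    for c in communities:
        if c["name"] != info["community"] or not host_allowed(c, src_ip):
            continue
        if dst_port != c["queries"]["port"]:
            return False, "query sent to the wrong port"
        if not c["queries"].get(info["version"], False):
            return False, "SNMP %s queries disabled for this community" % info["version"]
        return True, "accepted by community %s" % c["name"]
    return False, "no community matches this name and source host"


if __name__ == "__main__":
    msg = build_snmp_message(1, "noc-ro", 0xA0)
    print(parse_snmp_message(msg))
    print(authorize_query(COMMUNITIES, "192.0.2.10", 161, msg))
    print(authorize_query(COMMUNITIES, "198.51.100.7", 161, msg))
```

What the parser makes visible is the security point behind the host list: in SNMP v1 and v2c the community string is the only credential and it travels in clear text, so a community whose only host is 0.0.0.0 is usable from any address that can reach the query port. Listing the manager's real address and enabling only the SNMP version it actually uses narrows that exposure.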

Advanced settings
To view and configure advanced settings options, go to the System Settings > Advanced > Advanced Settings page. The Advanced Settings dialog box appears; see Figure 65.
Page 85

Figure 65: Advanced settings

Configure the following settings and then select Apply:

Download WSDL file: Select to download the FortiAnalyzer unit's Web Services Description Language (WSDL) file. Web services is a standards-based, platform-independent access method for other hardware and software APIs. The file itself defines the format of commands the FortiAnalyzer will accept as well as the response to expect. Using the WSDL file, third-party or custom applications can communicate with the FortiAnalyzer unit and operate it or retrieve information just as an admin user would from the Web-based Manager or CLI.
Task List Size: Set a limit on the size of the task list.

Alerts
Alerts allow you to monitor and receive notification on specific activity on your network.

Alerts event
You can configure alert events by severity level and set thresholds. When an alert event occurs, it can be sent to an email address, an SNMP server, or a syslog server.

Figure 66: Alert event window

Page 86

To create a new alert event:
1. Go to System Settings > Advanced > Alerts > Alerts Event, and select Create New from the content pane tool bar. The New Alert Event dialog box will open.

Figure 67: Create new alert event window

2. Configure the following settings:

Name: Enter a name for the alert event.
Severity Level: Select the severity level: Information, Notification, Warning, Error, Critical, Alert, or Emergency.
Condition Level: Enter the conditional value: greater than or equal to (>=), equal to (=), or less than or equal to (<=).
Log Filters
  Enable: Select to enable log filters.
  Generic Text: Optional text field.
Threshold
  Generate Alert: Generate an alert after 1, 5, 10, 50, or 100 or more events of each type occur.
  Occurrence: Select 0.5, 1.0, 3.0, 6.0, 12.0, 24.0, or 168.0 hours.
Destination
  Send Alert To: Select Email Address > Create New, SNMP Server > Create New, or Syslog Server > Create New.
  Add: Use the Add button to add multiple recipients.

Page 87

Include Alert Severity Level: Select to include the alert severity level. Select: High, Medium High, Medium, Medium Low, or Low.

3. Select OK to create the new alert event.

To edit an alert event:
1. Go to System Settings > Advanced > Alerts > Alerts Event.
2. Select the edit icon in the row of the alert event you need to edit. The Edit Alert Event dialog box will open.
3. Edit the alert event settings as required and then select OK.

To delete an alert event:
1. Go to System Settings > Advanced > Alerts > Alerts Event.
2. Select the delete icon in the row of the alert event you need to delete.
3. Select OK in the confirmation dialog box to delete the alert event.

Mail server
Configure mail server settings for alerts, edit existing settings, or delete mail servers.

If an existing mail server is set in an Alerts Event configuration, the delete icon is removed and the mail server entry cannot be deleted.

Figure 68: Mail server window

Page 88

Figure 69: Mail server settings

Configure the following settings and then select OK:

SMTP Server: Enter the SMTP server domain information, e.g. mail@company.com.
Enable Authentication: Select to enable authentication.
Email Account: Enter an email account, e.g. admin@company.com.
Password: Enter the email account password.

Syslog Server
Configure syslog server settings for alerts, edit existing settings, or delete syslog servers. Select Create New to add a new syslog server.

If an existing syslog server is set in an Alerts Event configuration, the delete icon is removed and the syslog server entry cannot be deleted.

Figure 70: Syslog server window

Page 89

Figure 71: Syslog server settings

Configure the following settings and then select OK:

Name: Enter a name for the syslog server.
IP address (or FQDN): Enter the IP address or FQDN of the syslog server.
Port: Enter the syslog server port number. The default value is 514.
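Worked example for the alert event thresholds described under Alerts event above and for the syslog destination configured here (an added example, not FortiAnalyzer code): a rule with the dialog's Severity Level, Condition Level, Generic Text, Generate Alert and Occurrence fields is evaluated over a constructed event log, and each firing is rendered as a syslog line of the kind a syslog server listening on port 514 would receive. The sliding-window counting, the host name and the facility value are this example's choices; the severity names and the threshold and occurrence values are the ones the dialog offers.

```python
from datetime import datetime, timedelta

# Severity scale in the page's order, lowest to highest.
SEVERITIES = ["Debug", "Information", "Notification", "Warning", "Error",
              "Critical", "Alert", "Emergency"]
# Standard syslog severity codes (RFC 3164/5424), used for the PRI field.
SYSLOG_SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
                   "Warning": 4, "Notification": 5, "Information": 6, "Debug": 7}

# Constructed sample event log: (time, severity, message).
_T0 = datetime(2012, 11, 20, 8, 0, 0)
SAMPLE_LOG = [(_T0 + timedelta(minutes=m), level, msg) for m, level, msg in [
    (0, "Information", "admin login succeeded from 192.0.2.5"),
    (2, "Warning", "admin login failed from 198.51.100.9"),
    (4, "Warning", "admin login failed from 198.51.100.9"),
    (6, "Warning", "admin login failed from 198.51.100.9"),
    (8, "Error", "log disk space low"),
    (9, "Warning", "admin login failed from 198.51.100.9"),
    (11, "Warning", "admin login failed from 198.51.100.9"),
    (60, "Warning", "admin login failed from 198.51.100.9"),
]]

# Constructed alert event, field for field as on the New Alert Event dialog.
ALERT_RULE = {
    "name": "failed-admin-logins",   # Name (constructed)
    "severity": "Warning",           # Severity Level
    "condition": ">=",               # Condition Level: >=, = or <=
    "generic_text": "login failed",  # Log Filters > Generic Text ("" = any)
    "threshold": 5,                  # Generate Alert: 1, 5, 10, 50 or 100 events
    "occurrence_hours": 0.5,         # Occurrence: 0.5 .. 168.0 hours
}


def severity_matches(level, condition, reference):
    """Apply the Condition Level test to an event's severity."""
    i, j = SEVERITIES.index(level), SEVERITIES.index(reference)
    return {">=": i >= j, "=": i == j, "<=": i <= j}[condition]


def evaluate_alert(rule, events):
    """Return the times at which the alert fires: the threshold number of
    matching events seen within a sliding window of occurrence_hours."""
    window = timedelta(hours=rule["occurrence_hours"])
    matching = [ts for ts, level, msg in sorted(events)
                if severity_matches(level, rule["condition"], rule["severity"])
                and rule["generic_text"] in msg]
    fired, start = [], 0
    for i, ts in enumerate(matching):
        while ts - matching[start] > window:   # drop events outside the window
            start += 1
        if i - start + 1 >= rule["threshold"]:
            fired.append(ts)
            start = i + 1                      # counted events do not re-trigger
    return fired


def syslog_line(rule, fired_at, host="fortianalyzer", facility=1):
    """Render the fired alert as a BSD syslog line for the page's syslog
    server destination (port 514). PRI = facility * 8 + severity code;
    facility 1 is user-level and the host name is a constructed value."""
    pri = facility * 8 + SYSLOG_SEVERITY[rule["severity"]]
    return "<%d>%s %s alert: %s threshold=%d window=%gh" % (
        pri, fired_at.strftime("%b %d %H:%M:%S"), host,
        rule["name"], rule["threshold"], rule["occurrence_hours"])


if __name__ == "__main__":
    for when in evaluate_alert(ALERT_RULE, SAMPLE_LOG):
        print(syslog_line(ALERT_RULE, when))
```

On the sample data the rule fires once, at 08:11, when the fifth "login failed" warning arrives inside the half-hour window; the lone failure at 09:00 does not reach the threshold. Lowering the threshold to 1 with an empty Generic Text turns the same rule into a per-event forwarder for everything at Warning or above, which is the trade-off the Occurrence and Generate Alert fields let you tune.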

Alert Console
The Alert Console allows you to view alert events by device. Use the Configure button to display events for a specific time frame or severity level. Select Clear Alert Messages to clear all the alert messages from the console.

Figure 72: Alert message console window

Page 90

Figure 73: Alert console settings

Configure the following settings and then select OK:

Period: Select 1 to 7 days.
Severity: Select: Debug, Information, Notification, Warning, Error, Critical, Alert, or Emergency.

Device Log
The FortiAnalyzer unit allows you to log system events to disk. For more information, see Log View on page 106.

Log Setting
The log settings menu window, found at System Settings > Advanced > Device Log > Log Setting, allows you to configure event logging to disk and includes the following options:
- Specify the severity level of logged events
- Log rotation settings
- Log upload to an FTP, SFTP or SCP server, or to a FortiAnalyzer system

Page 91

Figure 74: Log setting window

Configure the following settings and then select Apply:

Disk: Select to enable log setting configuration.
Level: Select the level of the notification from the drop-down list. Options include: Emergency, Alert, Critical, Error, Warning, Notification, Information, and Debug.
Log Rotate
  Log file cannot exceed: Enter the maximum log size in megabytes.
  Roll logs: Select to roll the logs. Rolling will occur either on a weekly or daily basis as selected.
  Select Type: Select to roll the logs on a weekly or daily basis.
  Select One Day: Select the day of the week to roll the logs. This option is enabled only when Roll Logs is selected and the Type is Weekly.

Page 92

  Time: Select the Hour and Minute of the day to roll the logs. The hour is based on a 24 hour clock.
Disk full: Select the action to take, Overwritten or Do not log, when the disk is full from the drop-down list.
Enable log uploading: Select to upload realtime device logs.
  Upload Server Type: Select one of FTP, SFTP, SCP, or FAZ.
  Upload Server IP: Enter the IP address of the upload server.
  Port: Enter the port of the upload server.
  Username: Enter the username that will be used to connect to the upload server.
  Password: Enter the password that will be used to connect to the upload server.
  Remote Directory: Enter the remote directory on the upload server where the log will be uploaded.
  When rolled: Select to upload log files when they are rolled according to the settings selected under Roll Logs.
  Daily at: Select the hour to upload the logs. The hour is based on a 24 hour clock.
  Upload rolled files in gzipped format: Select to gzip the logs before uploading. This will result in smaller logs and faster upload times.
  Delete files after uploading: Select to remove device log files from the FortiAnalyzer system after they have been uploaded to the Upload Server.
Event Log: This option is not available. Please ignore it.
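The Log Rotate and upload fields above decide when the active log rolls and what happens to the rolled file. The following Python is an added example, not FortiAnalyzer code: it evaluates a constructed Log Setting (size limit, weekly or daily roll time, upload when rolled, gzip, delete after upload) and returns the reason for a roll and the upload actions that follow. How the unit itself schedules the roll is not described on this page; the decision rules here are the example's reading of the settings, and the rolled file name it is given is constructed.

```python
from datetime import datetime, timedelta

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

# Constructed Log Setting values, named after the page's fields.
LOG_SETTING = {
    "max_size_mb": 200,        # Log file cannot exceed
    "roll_logs": True,         # Roll logs
    "roll_type": "Weekly",     # Select Type: Weekly or Daily
    "roll_day": "Sunday",      # Select One Day (Weekly only)
    "roll_time": (2, 30),      # Time: hour and minute, 24 hour clock
    "upload": {                # Enable log uploading and its sub-settings
        "enabled": True, "server_type": "SFTP", "when_rolled": True,
        "gzip": True, "delete_after_upload": True,
    },
}


def _as_dt(value):
    """Accept either a datetime or an ISO 8601 string."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def next_scheduled_roll(setting, after):
    """First scheduled roll strictly after `after`, or None when rolling is off."""
    if not setting["roll_logs"]:
        return None
    after = _as_dt(after)
    hour, minute = setting["roll_time"]
    candidate = after.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if setting["roll_type"] == "Daily":
        return candidate if candidate > after else candidate + timedelta(days=1)
    # Weekly: move the candidate forward to the configured weekday.
    target = DAYS.index(setting["roll_day"])
    candidate += timedelta(days=(target - candidate.weekday()) % 7)
    return candidate if candidate > after else candidate + timedelta(days=7)


def roll_reason(setting, size_bytes, now, last_roll):
    """Why the active log rolls at `now`: "size", "schedule", or None.
    The size limit applies whether or not scheduled rolling is enabled."""
    if size_bytes >= setting["max_size_mb"] * 1024 * 1024:
        return "size"
    due = next_scheduled_roll(setting, last_roll)
    if due is not None and _as_dt(now) >= due:
        return "schedule"
    return None


def plan_after_roll(setting, rolled_file):
    """Upload-related actions that follow a roll, as tuples of strings."""
    up = setting["upload"]
    actions = []
    if up["enabled"] and up["when_rolled"]:
        # gzip before upload: smaller transfer, same content
        name = rolled_file + ".gz" if up["gzip"] else rolled_file
        actions.append(("upload", up["server_type"], name))
        if up["delete_after_upload"]:
            # after this only the current (active) file remains on the unit
            actions.append(("delete", rolled_file))
    return actions


if __name__ == "__main__":
    last = "2012-11-18T02:30:00"
    print(next_scheduled_roll(LOG_SETTING, last))
    print(roll_reason(LOG_SETTING, 250 * 1024 * 1024, "2012-11-20T10:00:00", last))
    print(plan_after_roll(LOG_SETTING, "tlog.1353397800.log"))
```

Note the consequence of pairing "When rolled" uploads with "Delete files after uploading": once the upload succeeds the unit keeps only the active file, so the upload server becomes the only copy of rolled logs and its availability and integrity controls matter as much as the unit's own.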

Log Access
Log access, found at System Settings > Advanced > Device Log > Log Access, displays current logs, the size of the log file, and allows for deleting, backup, and browsing of the log files.

Figure 75: Log access window

Page 93

Task Monitor
Using the task monitor, you can view the status of the tasks that you have performed. Go to System Settings > Advanced > Device Log > Task Monitor, then select a task category in the View field.

Figure 76: Task monitor window

Delete: Remove the selected task or tasks from the list.
View: Select which tasks to view from the drop-down list, based on their status.
ID: The identification number for a task.
Source: The platform from where the task is performed.
Expand Arrow: Select to display the specific actions taken under this task.
Description: The nature of the task.
User: The users who have performed the tasks.

Page 94

Status: The status of the task (hover over the icon to view the description):
  All: All types of tasks.
  Done: Completed with success.
  Error: Completed without success.
  Cancelled: User cancelled the task.
  Cancelling: User is cancelling the task.
  Aborted: The FortiAnalyzer system stopped performing this task.
  Aborting: The FortiAnalyzer system is stopping performing this task.
  Running: Being processed. In this status, a percentage bar appears in the Status column.
Start Time: The time that the task was performed.

Page 95

RTM Profiles
The RTM Profiles tab allows you to create Real-Time Monitor (RTM) profiles and assign them to one or more managed devices. Each profile contains one or more dashboards onto which various charts can be added, deleted, and arranged to display the desired real-time information. The real-time information can then be viewed in the device summary pane on the Device Manager tab.

Figure 77: RTM profiles tab

RTM Profiles
RTM profiles contain one or more dashboards that consist of various predefined charts. A profile is assigned to one or more managed devices, and then the information defined by the selected charts in a given dashboard can be viewed in the device summary of the device to which the profile is assigned. See View managed devices on page 132 for more information. RTM profiles can be created, edited, cloned, and deleted. Cloning a profile allows you to create a second profile that is exactly the same as the original profile. This can save time when creating multiple profiles that only have slight differences.

To create a new RTM profile:
1. On the RTM Profiles tab, right click in the tree menu and select Create New from the pop-up menu. The Create New RTM Profile dialog box opens.

Page 96

Figure 78: Create a new RTM profile

2. Enter a name for the profile in the Name field, and select the specific devices to which the profile will be assigned, or select All FortiGate to assign the profile to all FortiGate devices.

A device can only have a single RTM profile assigned to it. If a new profile is assigned to a device to which a profile has already been assigned, the newly assigned profile will displace the previously assigned profile.

3. Select OK to create the new RTM profile.

To edit an RTM profile:
1. On the RTM Profiles tab, right click in the tree menu on the name of the profile you would like to edit, and select Edit from the pop-up menu. The Edit RTM Profile dialog box opens.

Figure 79: Edit an RTM profile

2. Edit the name of the profile and the devices to which the profile is assigned as needed, then select OK to finish editing the RTM profile.

Page 97

To clone an RTM profile:
1. On the RTM Profiles tab, right click in the tree menu on the name of the profile you would like to clone, and select Clone from the pop-up menu. The Clone RTM Profile dialog box opens.

Figure 80: Clone an RTM profile

2. Edit the name of the profile as needed, then select OK to finish cloning the RTM profile.

To delete an RTM profile:
1. On the RTM Profiles tab, right click in the tree menu on the name of the profile you would like to delete, and select Delete from the pop-up menu. The Delete RTM Profile dialog box opens.
2. Select OK to delete the RTM profile.

Page 98

Dashboards
Each RTM profile can contain multiple dashboards. A dashboard contains the charts that represent the information that will be presented in the device summary. Each dashboard in a profile can be selected from the Real Time Monitor tab on the device summary tool bar. See View managed devices on page 132 for more information. Dashboards can be created, edited, and deleted.

To create a new dashboard:
1. On the RTM Profiles tab, select the +, or Add Dashboard, icon in the content pane tool bar. The Add Dashboard dialog box will open.

Figure 81: Add dashboard dialog box

2. Enter a name for the new dashboard in the Title field, select the number of columns the dashboard will contain (one or two) and enter the time period that the data in the charts will cover in the Time Period field. The available time periods are:
- Last N Hours
- Today
- Yesterday
- Last 7 Days
- Last 14 Days
- Last 30 Days
- Last N Days
- This Week
- Last Week
- Last 2 Weeks
- Last N Weeks
- This Month
- Last Month
- This Quarter
- Last Quarter
- This Year
- Other

Where N represents a variable, allowing for a user selectable number of hours, days, or weeks. If Other is selected, the start and end date and time must be manually entered.
3. Select OK to create the new dashboard. The new dashboard will appear on the content pane tool bar to the right of any previously created dashboards in that profile.

Page 99

To edit a dashboard:
1. On the RTM Profiles tab, select the dashboard you would like to edit, and then select Options. The Dashboard Options dialog box will open.

Figure 82: Dashboard options dialog box

2. Edit the dashboard information as required, then select OK to finish editing the dashboard.

To delete a dashboard:
1. On the RTM Profiles tab, select the X, or Delete, icon to the right of the dashboard name for the dashboard that you would like to delete.
2. Select OK in the confirmation box to delete the dashboard and all of its data.

Charts
Charts are predefined to show specific information in an appropriate format, such as pie charts or lists. They are organized into categories, and can be added to, removed from, and organized on dashboards. In a profile dashboard, the charts are shown as placeholders. When viewing the charts in the device summary (see View managed devices on page 132), they will be populated with real-time data. The currently available predefined charts are outlined in Table 1. New charts can also be created; see Charts on page 128 for more information.

The available predefined charts may change. Please see the latest release notes for updated information.

Table 1: Available predefined charts

Event
  Top SSL-VPN Tunnel Users by Bandwidth
  Top SSL-VPN Web Mode Users by Bandwidth

IPS (Attack)
  Top Attack Victims
  Top Attacks
  Top Attack Source

Network Scan
  List
  Number of Vulnerabilities

Traffic
  Top Users by Sessions
  Traffic History by Number of Active User
  Top 5 Destinations
  Top 5 Applications by Sessions
  Top 5 Email Recipients
  Traffic Summary
  Top Dial-Up IPsec Tunnels by Bandwidth
  Top 5 Users by Bandwidth
  Number of Sessions for Past 7 Days
  Top 5 Applications by Bandwidth
  Top 5 Email Senders
  Top Recipients by Combined Email Size
  Top Site-to-Site IPsec Tunnels by Bandwidth
  Top Destination Addresses by Sessions
  Top Recipients by Number of Emails
  Top Applications by Sessions
  Top Users by Bandwidth
  Top Applications by Bandwidth
  Top Senders by Combined Email Size
  Email Receivers Summary
  Top Destination Addresses by Bandwidth
  Top Senders by Number of Emails
  Email Senders Summary

Virus
  Top Viruses by Name
  Top Virus Victims

Web Filter
  Top Web Users by Bandwidth
  Top 10 Allowed Sites
  Top Blocked Websites
  Top Video Streaming Websites
  Top Web Users by Requests
  Top 10 Blocked Sites
  Top Blocked Users
  Top Allowed Websites by Request
  Top Allowed Websites by Bandwidth

Page 100

Page 101

To add a chart to a dashboard:
1. In the RTM Profiles tab, select an RTM profile and the dashboard within that profile to which you would like to add a chart.
2. Select Add Charts in the content pane tool bar. The Add Charts dialog box will open.

Figure 83: Add charts dialog box

3. Find the chart that you would like to add in one of the following ways:
- Browse the list of all the available charts.
- Select the category of the chart you are looking for and then browse the list of the charts in that category.
- Search for the chart by entering all or part of the chart name into the Search field.
Once you select a chart, the graph type and the chart's category will be displayed in the preview box on the right of the dialog box.
4. Select OK to add the chart to the dashboard.

Figure 84: Chart placeholder

Page 102

To reorganize the charts on a dashboard:
1. In the RTM Profiles tab, select an RTM profile and the dashboard within that profile that you would like to reorganize.
2. Click and drag any of the chart placeholders. The selected chart will follow the pointer so long as the left mouse button is held down. A yellow spacer with a dashed red outline will appear in the location where the chart will be once the mouse button is released.

Figure 85: Moving a chart

3. Move the chart placeholder up, down, or to the side if the dashboard has two columns (see To edit an RTM profile: on page 97).
4. When the outlined yellow spacer box is in the location that you want the chart, release the mouse button and the chart will fall into place.
5. When you are finished reorganizing the dashboard, select the Save button in the content pane tool bar to save your changes.

To remove a chart from a dashboard:
1. In the RTM Profiles tab, select an RTM profile and the dashboard within that profile that contains the chart you would like to remove.
2. Select the garbage can icon in the top right corner of the chart placeholder that you would like to remove.
3. Select OK in the confirmation dialog box to remove the chart from the dashboard.
4. When you have finished removing charts, select the Save button in the content pane tool bar to save your changes.

View RTM data

After creating an RTM profile, and adding dashboards and charts to it, the real-time data can be viewed in the device summaries of the devices to which the RTM profile was assigned.

To view the RTM data:
1. In the Device Manager tab, select the desired device from the device list in the content pane. The selected device's RTM data will be shown in the lower content frame; see Figure 86.

Page 103

2. In the dashboard tool bar, select Real-time Monitor.
3. Select the RTM profile dashboard that you would like to view from the drop-down list. The charts specified in the RTM profile dashboard will be populated with data and shown in the device summary pane.

Figure 86: Viewing RTM data

4. To view more detail on specific data within one of the charts, hover your cursor over a portion of the graph and a small dialog box will pop up showing more data.

Figure 87: Chart data details

Page 104

5. To refresh the data in a chart, select the Refresh button in the right corner of the chart title bar.

Figure 88: Refresh a chart's data

6. To make any changes to the layout of the charts, or to add or remove charts, return to the RTM Profile tab. For information see RTM Profiles on page 96, Dashboards on page 99, and Charts on page 100.

Page 105

Log View
The Log View tab shows log messages for connected devices, organized by ADOMs. You can also view, import, and export log files stored for a given device.

Viewing log messages

To view log messages, select the Log View tab, then browse to the device whose logs you would like to view in the tree menu.

Figure 89: Log view

Refresh: Refresh the log view.
Realtime Log: Select to change to the real time view, where the log table is updated in real time.
Historical Log: Select to change to the historical log view, where logs are not updated in real time, and can be downloaded and searched. This option is only available when in the real time view.
Column Settings: Select to change the columns to view and the order they appear on the page.
Log Details: Adjust the location and visibility of the Log Details frame. It can be hidden, or visible on the bottom or right side of the content pane. For more information, see Log details on page 109.

Page 106

Download: Select to download the logs. Two options are available:
  Current View: Select to download log files in text (.txt) or comma-separated value (.csv) format. The downloaded version will match the current log view, containing only log messages that match your current filter settings.
  Raw Log: Select to download log files in text (.txt) or comma-separated value (.csv) format for a specified date and time range.
Search: Search the logs based on the search terms entered in the search field.
Date/Time: The date and time the log was received by the FortiAnalyzer unit.
Other: Other columns will be available, depending on the log type selected in the tree menu.
Pages: Settings to adjust the number of logs listed per page and to browse through the pages of logs.
Log Details frame: Detailed information on the log message selected in the log message list. See Log details on page 109 for more information.

Depending on configuration and the device, different logs will be available, such as traffic logs, various event logs, and others.

Customizing the log view

The columns in the log message list can be customized to show only relevant information in your preferred order. For most columns, you can also filter data within the columns to include or exclude log messages which contain your specified text in that column. Most column headings contain a gray filter icon, which becomes green when a filter is configured and enabled.

To display or hide columns:
1. Browse to the log message list you would like to customize.
2. Select Column Settings in the toolbar. The Column Settings dialog box opens.

Page 107

Figure 90: Column settings

3. Select which columns to hide or display. In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Show fields in this order area. In the Show fields in this order area, select the names of individual columns you want to hide, then select the single left arrow to move them to the Available Fields area. To return all columns to their default displayed/hidden status, select Default Column Settings.
4. Select Apply to apply the changes to the log message list.

To change the order of the columns:
1. Browse to the log message list you would like to customize.
2. Select Column Settings in the toolbar. The Column Settings dialog box opens.
3. In the Show fields in this order area, select a column name whose order of appearance you want to change.
4. Select the up or down arrow to move the column in the ordered list. Placing a column name towards the top of the Show fields in this order list will move the column to the left side of the log message list.
5. Select Apply to apply the changes to the log message list.

To filter log messages by column content:
1. In the heading of the column that you want to filter, select the filter icon to open the Filter Settings dialog box for that column. The Filter Settings dialog boxes are specific to the column you are filtering.
2. Enter the requisite information to filter the selected column and then select Apply. The column's filter icon will turn green when the filter is enabled. Downloading the current view will only download the log messages that meet the current filter criteria.
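The column filters above (include or exclude messages containing given text in a column), the Column Settings ordering and Download > Current View can be reproduced on a small table. The following Python is an added example rather than FortiAnalyzer code; the rows and column names are constructed, and case-insensitive substring matching is the example's assumption about how the filter text is compared.

```python
import csv
import io

# Constructed rows in the shape of the Log View table (column name -> value).
LOG_ROWS = [
    {"Date/Time": "2012-11-20 08:01:12", "Level": "warning", "User": "admin",
     "Source IP": "198.51.100.9", "Message": "login failed"},
    {"Date/Time": "2012-11-20 08:02:40", "Level": "information", "User": "admin",
     "Source IP": "192.0.2.5", "Message": "login succeeded"},
    {"Date/Time": "2012-11-20 08:03:05", "Level": "warning", "User": "admin",
     "Source IP": "192.0.2.5", "Message": "login failed"},
    {"Date/Time": "2012-11-20 08:04:51", "Level": "warning", "User": "root",
     "Source IP": "198.51.100.9", "Message": "login failed"},
]


def apply_column_filters(rows, filters):
    """filters maps a column name to ("include" | "exclude", text). A row is
    kept only when every column rule holds; matching is a case-insensitive
    substring test, so an exclude on "Source IP" of "192.0.2." drops that
    whole prefix (the internal management network in this sample)."""
    def passes(row):
        for column, (mode, text) in filters.items():
            hit = text.lower() in str(row.get(column, "")).lower()
            if (mode == "include") != hit:
                return False
        return True
    return [row for row in rows if passes(row)]


def select_columns(rows, show_fields):
    """Column Settings: keep only the listed columns, in the listed order."""
    return [{c: row.get(c, "") for c in show_fields} for row in rows]


def export_current_view(rows, show_fields, filters, fmt="csv"):
    """Download > Current View: only rows that pass the filters and only the
    displayed columns, returned as .csv or .txt text."""
    view = select_columns(apply_column_filters(rows, filters), show_fields)
    buf = io.StringIO()
    if fmt == "csv":
        writer = csv.DictWriter(buf, fieldnames=show_fields, lineterminator="\n")
        writer.writeheader()
        writer.writerows(view)
    elif fmt == "txt":
        for row in view:
            buf.write("\t".join(row[c] for c in show_fields) + "\n")
    else:
        raise ValueError("format must be csv or txt")
    return buf.getvalue()


if __name__ == "__main__":
    filters = {"Message": ("include", "login failed"),
               "Source IP": ("exclude", "192.0.2.")}
    print(export_current_view(LOG_ROWS, ["Date/Time", "User", "Source IP"], filters))
```

The point worth keeping in mind when handing a Current View export to someone else is the one the page states: it carries only what the filters let through, so a filter left enabled on a column that is hidden still shapes the file.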

Page 108

Log details
Log details can be viewed for any of the collected logs. To view log details, select the log in the log message list. The log details will be displayed in the lower frame of the content pane.

Figure 91: Log details

The details provided in the log detail frame will vary depending on the type of log selected.

To adjust the location of the Log Details frame, select Log Details in the toolbar. From the drop-down list, select one of the following:
- On Right: The Log Details frame will be shown on the right side of the screen.
- On Bottom: The Log Details frame will be shown on the bottom of the content pane (default setting).
- Hidden: The Log Details frame will be hidden from view.

Archive
The Archive tab is displayed next to the Log Details tab on the details frame when archived logs are available.

Figure 92: Log archive

The name and size of the archived log files are listed in the table. Selecting the download button next to the file name allows you to save the file to your computer. Depending on the file type of the archived log file, the View Packet Log button may also be available next to the download button. Select this button to open the View Packet Log dialog box, which displays the path and content of the log file.
Page 109

Figure 93: View packet log dialog box

Browsing log files

Log View > Log Browse > Log Browse displays log files stored for devices. When a log file reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log, where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. For information about setting the maximum file size and log rolling options, see Configuring rolling and uploading of logs on page 113. If you display the log messages in formatted view, you can display and arrange columns and/or filter log messages by column contents. For more information, see Customizing the log view on page 107.


Figure 94: Log file list

Delete: Mark the check box of the file whose log messages you want to delete, then select this button.
Display: Mark the check box of the file whose log messages you want to view, then select this button. For more information, see Viewing log messages on page 106.
Download: Mark the check box of the log file that you want to download, select this button, then select a format for saving the log files: text (.txt), or comma-separated value (.csv). For more information, see Downloading a log file on page 112.
Import: Select to import log files. For more information about importing log files, see Importing a log file on page 112.
Log Files: A list of available log files for each device or device group. Select the group name to expand the list of devices within the group, and to view their log files. The current, or active, log file appears as well as rolled log files. Rolled log files include a number in the file name, such as vlog.1267852112.log. If you configure the FortiAnalyzer unit to delete the original log files after uploading rolled logs to an FTP server, only the current log will exist.
#: The number of devices in a group, and the number of log files for a device.
From: The start time when the log file was generated.
To: The end time when the log file was generated.
Size (bytes): The size of the log file.


Importing a log file

Imported log files can be useful when restoring data, or loading log data for temporary use. For example, if you have older log files from a device, you can import these logs to the FortiAnalyzer unit so that you can generate reports containing older data.

Importing log files is also useful when changing your RAID configuration. Changing your RAID configuration reformats the hard disk, erasing log files. If you back up the log files, after changing the RAID configuration, you can import logs to restore them to the FortiAnalyzer unit.

To import a log file:
1. Go to Log View > Log Browse > Log Browse.
2. Select Import. The Import Log File dialog box opens.

Figure 95: Import a log file

3. Select the device to which the imported log file belongs from the Device field drop-down list, or select [Take From Imported File] to read the device ID from the log file. If you select [Take From Imported File], your log file must contain a device_id field in its log messages.
4. In the File field, enter the path and file name of the log file, or select Browse and browse to the log file.
5. Select OK. A message appears, stating that the upload is beginning, but will be cancelled if you leave the page.
6. Select OK. The upload time varies depending on the size of the file and the speed of the connection.

After the log file successfully uploads, the FortiAnalyzer unit inspects the log file. If the device_id field in the uploaded log file does not match the device, the import will fail. Select Return to attempt another import.

If you selected [Take From Imported File], and the FortiAnalyzer unit's device list does not currently contain that device, a message appears after the upload. Select OK to import the log file and automatically add the device to the device list, or select Cancel.

Downloading a log file

You can download a log file to save it as a backup or for use outside the FortiAnalyzer unit. The download consists of either the entire log file, or a partial log file, as selected by your current log view filter settings and, if downloading a raw file, the time span specified.

To download a whole log file:
1. Go to Log View > Log Browse > Log Browse.
2. Expand the group name or device name to view the list of available log files under each log type.
3. Select the specific log file (wlog.log, elog.log, etc.) that you want to download.
4. Select Download.
5. Select the log file format, either a text file or a csv file.
6. Select OK. If prompted by your web browser, select a location where to save the file, or open the file without saving.

To download a partial log file:
1. Go to Log View > Log Browse > Log Browse.
2. Expand the group name or device name to view the list of available log files under each log type.
3. Select the specific log file (wlog.log, elog.log, etc.) that you want to download.
4. Select Display.
5. Select a filter icon to restrict the current view to only items which match your criteria, then select OK. Filtered columns have a green filter icon. For more information about filtering log views, see Filtering logs on page....
6. Select Download.
7. Select the log file format, either a text file or a csv file, and select Compress with gzip if you need to download a compressed file.
8. Select OK. If prompted by your web browser, select a location where to save the file, or open the file without saving.

Configuring rolling and uploading of logs

You can control device log file size and consumption of the FortiAnalyzer's disk space by configuring log rolling and scheduled uploads to a server.

As the FortiAnalyzer unit receives new log items, it performs the following tasks:
- verifies whether the log file has exceeded its file size limit
- checks to see if it is time to roll the log file, if the file size is not exceeded. Configure the time to be either a daily or weekly occurrence, and when the roll occurs.

When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file. Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log.

If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the Web-based Manager, they are in the following format:
FG3K6A3406600001-tlog.1252929496.log-2012-09-29-08-03-54.gz

If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby freeing the disk space used by rolled log files. If the log upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.


To enable and configure log rolling or uploading, go to System Settings > Advanced > Device Log > Log Setting.

Figure 96: Log setting window

Log Rotate
Log file cannot exceed: Enter the maximum size of each device log file, in megabytes.
Roll logs: Select to roll the logs. Rolling will occur either on a weekly or daily basis as selected.
Type: Select to roll the logs on a weekly or daily basis.
Select One Day: Select the day of the week to roll the logs. This option is enabled only when Roll Logs is selected and the Type is Weekly.
Time: Select the Hour and Minute of the day to roll the logs. The hour is based on a 24 hour clock.
Disk full: Select the action to take, Overwritten or Do not log, when the disk is full from the drop-down list.


Enable log uploading: Select to upload real time device logs to a service.
Upload Server Type: Select one of FTP, SFTP, SCP, or FAZ.
Upload Server IP: Enter the IP address of the upload server.
Port: Enter the port of the upload server.
Username: Select the username that will be used to connect to the upload server.
Password: Select the password that will be used to connect to the upload server.
Remote Directory: Select the remote directory on the upload server where the log will be uploaded.
When rolled: Select to upload log files when they are rolled according to the settings selected under Roll Logs.
Daily at: Select the hour to upload the logs. The hour is based on a 24 hour clock.
Upload rolled files in gzipped format: Select to gzip the logs before uploading. This will result in smaller logs, and faster upload times.
Delete files after uploading: Select to remove device log files from the FortiAnalyzer system after they have been uploaded to the upload server.
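The following helpers apply the rules this section and Importing a log file describe: the xlog.N.log and uploaded file name formats, the size-then-schedule roll decision, and the device_id check an import depends on. This is an added example, not Fortinet code; the schedule semantics, the Monday=0 weekday convention and the meanings of the log type letters are assumptions.

```python
"""Added example (not Fortinet code) mirroring the log file handling this guide
describes.  Assumptions: rolled files are named xlog.N.log, uploaded files follow
the FG...-tlog.N.log-YYYY-MM-DD-hh-mm-ss.gz pattern quoted above, schedule
evaluation matches the daily/weekly Roll Logs settings, and log messages are
key=value records that may carry a device_id field."""
import re
from datetime import datetime, timedelta

# Log type letters seen in file names on this page; the meanings are assumed.
LOG_TYPE_LETTERS = {"t": "traffic", "e": "event", "w": "web", "v": "virus"}

ROLLED_RE = re.compile(r"^(?P<letter>[a-z])log(?:\.(?P<first>\d+))?\.log$")
UPLOAD_RE = re.compile(
    r"^(?P<serial>[A-Z0-9]+)-(?P<letter>[a-z])log\.(?P<first>\d+)\.log"
    r"-(?P<uploaded>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})(?P<gz>\.gz)?$"
)


def _utc(seconds):
    """Epoch seconds to a naive UTC datetime (N in xlog.N.log is a Unix time)."""
    return datetime(1970, 1, 1) + timedelta(seconds=int(seconds))


def _as_dt(value):
    """Accept a datetime or an ISO 8601 string such as '2012-09-29 08:03:54'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_rolled_name(name):
    """Split 'tlog.1252929496.log' into log type and first-entry time.
    The active file (tlog.log) carries no number, so first_entry is None."""
    m = ROLLED_RE.match(name)
    if not m:
        raise ValueError("not a FortiAnalyzer log file name: %s" % name)
    first = m.group("first")
    return {
        "log_type": LOG_TYPE_LETTERS.get(m.group("letter"), m.group("letter")),
        "active": first is None,
        "first_entry": _utc(first) if first else None,
    }


def parse_upload_name(name):
    """Split an uploaded file name into device serial, log type, first-entry
    time, upload time and whether it was gzipped before upload."""
    m = UPLOAD_RE.match(name)
    if not m:
        raise ValueError("not an uploaded log file name: %s" % name)
    return {
        "serial": m.group("serial"),
        "log_type": LOG_TYPE_LETTERS.get(m.group("letter"), m.group("letter")),
        "first_entry": _utc(m.group("first")),
        "uploaded": datetime.strptime(m.group("uploaded"), "%Y-%m-%d-%H-%M-%S"),
        "gzipped": m.group("gz") is not None,
    }


def next_scheduled_roll(after, roll_type, day_of_week=0, hour=0, minute=0):
    """First scheduled roll instant strictly later than `after`.
    roll_type is 'daily' or 'weekly'; day_of_week uses Monday=0 (assumed)."""
    after = _as_dt(after)
    candidate = after.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if roll_type == "weekly":
        candidate += timedelta(days=(day_of_week - candidate.weekday()) % 7)
    elif roll_type != "daily":
        raise ValueError("roll_type must be 'daily' or 'weekly'")
    if candidate <= after:
        candidate += timedelta(days=7 if roll_type == "weekly" else 1)
    return candidate


def should_roll(size_bytes, max_mb, now, last_roll, roll_type="daily",
                day_of_week=0, hour=0, minute=0):
    """The two checks the guide lists, in order: size limit exceeded, then
    schedule due.  Returns (True, 'size'), (True, 'schedule') or (False, None)."""
    if size_bytes >= max_mb * 1024 * 1024:
        return True, "size"
    due = next_scheduled_roll(last_roll, roll_type, day_of_week, hour, minute)
    if _as_dt(now) >= due:
        return True, "schedule"
    return False, None


def device_ids_in_log(lines):
    """Collect device_id values from key=value log messages, so a file can be
    checked before import (the import fails when device_id does not match)."""
    ids = set()
    for line in lines:
        m = re.search(r'(?:^|\s)device_id=("?)([^"\s]+)\1', line)
        if m:
            ids.add(m.group(2))
    return ids


# Constructed sample messages, not real device output.
SAMPLE_LOG = [
    "date=2012-09-29 time=08:03:54 device_id=FG3K6A3406600001 type=traffic subtype=forward",
    "date=2012-09-29 time=08:03:55 device_id=FG3K6A3406600001 type=traffic subtype=forward",
    "date=2012-09-29 time=08:03:56 type=traffic subtype=forward",
]
```

A file whose device_ids_in_log result is empty or contains more than one serial will not import cleanly with [Take From Imported File], so check it before uploading.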


Reports
FortiAnalyzer units can analyze information collected from the log files of connected devices. It then presents the information in tabular and graphical reports. These reports provide a quick and detailed analysis of activity on your networks. To reduce the number of reports needed, reports are independent from devices, and contain layout information in the form of a report template. The devices, groups, and any other required data related information can be added as parameters to the report at the time of report generation.

Additional configuration options and short-cuts are available using the right-click menu. Right-click the mouse on different navigation panes on the Web-based Manager page to access these options.

The Reports tab allows you to configure reports using the pre-defined report templates, configure report schedules, view report history and the report calendar, and configure and view charts, datasets, and output profiles.

This chapter contains the following sections:
Templates
Schedules
History
Calendar
Advanced

If ADOMs are enabled, each ADOM will have its own report settings.


Templates
The FortiAnalyzer has one pre-configured report template called UTM Security Analysis. This template can be used as is, and you can also clone or edit the template. You can also create new templates and customize them as required. The UTM Security Analysis report template reports popular bandwidth and application log data. The template consists of various charts organized under different headings.

Figure 97: Report templates

Configure report templates

Report templates can be created, edited, cloned, and deleted. New content can be added to and organized on a template, including: new sections, three levels of headings, text boxes, images, charts, and line and page breaks.

To create a new report template:
1. Go to the Reports tab and right-click on Report Templates in the tree menu.
2. In the right-click menu, under the Template heading, select Create New.
3. In the Create New Report Template dialog box, enter a name for the template, and select OK. A new template with a single, blank section is created with the given name.


Add report template content

Various content can be added to a report template, such as charts, images, and typographic elements, using the section and template tool bars.

Figure 98: Template and section tool bars (tool bar icons: Headings, Image, Save, Add, Edit, Delete, Text, Charts, Breaks, Move Up, Move Down)

To add a section to a report template:
1. Go to the Reports tab and select the template from the tree menu to which you would like to add content.
2. From the section tool bar, select the Add icon.
3. The Add a new section dialog box opens.

Figure 99: Add a new section

4. Select the number of columns that the section will contain and enter a title for the section.
5. Select OK to create the new section.
6. If you are finished editing the template, select the Save icon to save your changes.

To add a chart to a report template:
1. Go to the Reports tab and select the template from the tree menu to which you would like to add a chart.
2. Click and drag the chart icon to the location where you want to add the chart. When you release the mouse button, the Add a New Chart dialog box will open.


Figure 100: Add a new chart

3. Find the chart that you would like to add in one of the following ways:
- Browse the list of all the available charts.
- Select the category of the chart you are looking for and then browse the list of the charts in that category.
- Search for the chart by entering all or part of the chart name into the Search field.
To view a preview of the chart before you add it, hover your cursor over the chart name in the list.

Figure 101: Chart preview

4. Select OK once you have selected the chart you would like to add. The chart's placeholder will appear in the location that you had selected in the template.
5. If you are finished editing the template, select the Save icon to save your changes.


To add an image to a report template:
1. Go to the Reports tab and select the template from the tree menu to which you would like to add an image.
2. Click and drag the image icon to the location where you want to add the image. The Choose a graphic dialog box will open.

Figure 102: Choose a graphic

3. Select an image from the list, or select Upload to browse for an image on your computer.
4. Select OK once you have selected the image you would like to add. The image will appear in the location that you had selected in the template.
5. If you are finished editing the template, select the Save icon to save your changes.

To add headings to a report template:
1. Go to the Reports tab and select the template from the tree menu to which you would like to add headings.
2. Click and drag the required heading icon to the location where you want to add the template heading. When you release the mouse button, the selected element will be placed into the template.

Figure 103: Heading element

3. To edit the heading text and level, select the edit icon on the template element, or double-click on the element. The Edit Heading dialog box will open.


Figure 104: Edit a heading

4. Enter the heading text in the Content field and, if necessary, change the heading level with the Switch to drop-down list.
5. Select OK to finish editing the heading.
6. If you are finished editing the template, select the Save icon to save your changes.

To add text to a report template:
1. Go to the Reports tab and select the template from the tree menu to which you would like to add text.
2. Click and drag the text icon to the location where you want to add the text box. When you release the mouse button, the selected element will be placed into the template.
3. To edit the text, select the edit icon on the template element, or double-click on the element. The Edit Text dialog box will open.

Figure 105: Edit text

4. Enter the text in the Content field.
5. Select OK to finish editing the text.
6. If you are finished editing the template, select the Save icon to save your changes.

To add breaks to a report template:
1. Go to the Reports tab and select the template from the tree menu that you would like to edit.
2. Click and drag the required break icon to the location where you want to add the break. Line breaks and page breaks are available. When you release the mouse button, the selected break will be placed into the template.
3. If you are finished editing the template, select the Save icon to save your changes.


Edit report template content

The elements added to a report template can be moved, deleted, and some of them can be edited.

To move a report template element:
1. Go to the Reports tab and select the template from the tree menu that you would like to edit.
2. Click and drag an element to the desired location. A gray box with a dashed red outline will appear in the location where the element will be placed.
3. Release the mouse button to drop the element into the desired location.

Figure 106: Move a report template element

4. When you are finished editing the template, select the Save icon to save your changes.

To edit a report template element:
1. Go to the Reports tab and select the template from the tree menu that contains the element you would like to edit.
2. Select the edit icon in the top right corner of the element to be edited. Break elements cannot be edited.

Figure 107: Edit an element

3. Depending on the type of element you are editing, an appropriate edit dialog box will open. The edit element dialog boxes contain the same information as the add element dialog boxes, see Add report template content on page 118.


4. When you have completed the required edits, select OK to close the edit element dialog box.
5. Select the Save icon to save your changes.

To delete a report template element:
1. Go to the Reports tab and select the template from the tree menu that contains the element you would like to delete.
2. Select the delete icon in the top right corner of the element.

Figure 108: Delete an element

3. Select OK in the confirmation dialog box to delete the element.
4. Select the Save icon to save your changes.

Schedules
Report schedules provide a way to schedule a daily, monthly, or weekly report so that the report will be generated at a specific time. You can also manually run a report schedule at any time and enable or disable report schedules.

Figure 109: Report schedules page

To create a new schedule:
1. Go to the Reports tab and select Report Schedules in the tree menu.
2. Select Create New on the tool bar, or right-click in the schedule list and select New from the pop-up menu. The Create New Schedule dialog box opens.


Figure 110: Create a new report schedule

3. Enter the following information:
Schedule Name: Enter a name for the new report schedule.
Report Template: Select a report template from the drop-down list.
Time Period: Select the time period that the report covers from the drop-down list.
Devices: Select the specific devices that the report will cover, or select All FortiGate to cover all the devices.
Schedule Color: Select the color for the report schedule that will be visible on the report calendar.
Generate PDF Report Every: Select when the report is generated. Enter a number for the frequency of the report based on the time period selected from the drop-down list, or select On Demand to only run the report manually. If On Demand is not selected, enter a starting and ending date and time for the file generation, or set it for never ending.
Notify: Select to add notification email recipients.
Output Profile: Select an output profile for the report (optional). See Output profiles on page 134 for more information.
Advanced Settings
Print Table of Contents: Select the check-box to include a table of contents in the report.
Per-Device Reports: Select the check-box to generate a separate report for each managed device.
Print Device List: Select the check-box to include a device list in the report. Three styles are available from the drop-down list:
- Compact: Display a compact comma-separated list of device names.
- Count: Display only the number of devices.
- Detailed: Display a table of device information for each device.
Language: Select the report language from the drop-down menu. The default language is English.
Enable Filters: Select the check-box to enable filters for the report schedule. The available filters are: users, groups, LDAP queries, hostnames, sources, and destinations.

4. Select OK to create the report schedule.

To edit a report schedule:
1. Go to the Reports tab and select Report Schedules in the tree menu.
2. Select the schedule you would like to edit and then select Edit on the tool bar, or right-click on the schedule list and select Edit from the pop-up menu. The Edit Schedule dialog box opens. It contains all the same settings as the Create New Schedule dialog box, see Figure 110 on page 124.
3. Edit the report schedule as required and select OK to apply the changes.

To delete a report schedule:
1. Go to the Reports tab and select Report Schedules in the tree menu.
2. Select the schedule you would like to delete and then select Delete on the tool bar, or right-click on the schedule list and select Delete from the pop-up menu. To delete multiple report schedules, select multiple reports and then select Delete from the tool bar or right-click menu. To delete all report schedules, right-click and select Select All from the pop-up menu, then select Delete from the tool bar or right-click menu.
3. Select OK in the confirmation dialog box to delete the report schedule.

To manually run a report schedule:
1. Go to the Reports tab and select Report Schedules in the tree menu.
2. Right-click on the schedule you would like to run and select Run from the pop-up menu. The report schedule will run and the report will be generated. See History on page 126 for information on viewing the report.


To enable/disable a report schedule:
1. Go to the Reports tab and select Report Schedules in the tree menu.
2. Select the schedule or schedules you would like to enable or disable and then right-click on the schedule list and select Enable or Disable from the pop-up menu. To enable or disable all report schedules, right-click and select Select All from the pop-up menu, then select Enable or Disable from the right-click menu.

History
Report history allows you to view all reports that have been generated on the FortiAnalyzer system. It displays the report name, device type, and the time that the report was generated. Select a report from the list to view the report in a new window or tab in your web browser. The reports can also be downloaded as PDFs, and deleted. To view the report history, go to the Reports tab and select Report History in the tree menu.

Figure 111: Report history page

To delete reports:
1. In the Report History list, select the report or reports that you would like to delete, or right-click and select Select All if you are deleting all of the reports.
2. Select Delete in the tool bar, or right-click and select Delete from the pop-up menu.
3. Select OK in the confirmation dialog box to delete the report or reports.

To download reports:
1. In the Report History list, select the report or reports that you would like to download, or right-click and select Select All if you are downloading all of the reports.
2. Select Download in the tool bar, or right-click and select Download from the pop-up menu.
3. Save the file to your computer, or open the file in an applicable program. If you are downloading multiple reports, each one will be saved as a separate file.


Calendar
The report calendar provides an overview of the report schedules. You can view all reports scheduled for the selected month. Selecting a report schedule in the calendar opens the Edit Schedule dialog box, allowing you to make changes to the settings for that schedule (see Schedules on page 123). If the report has already been run, selecting the report schedule will download the report. Selecting any day on the calendar opens the Create New Schedule dialog box (see Figure 110 on page 124), allowing you to create a new report schedule with the selected day set as the starting date for the schedule. To view the report calendar, go to the Reports tab and select Report Calendar in the tree menu.

Figure 112: Report calendar

When hovering the mouse cursor over a scheduled report on the calendar, a notification box will appear detailing the report name, status, and the device type.

Figure 113: Report schedule calendar details


Advanced
The advanced report options include chart and dataset settings, output profiles, and report language settings.

Charts
The FortiAnalyzer unit provides a selection of pre-defined charts. New charts can also be created, either from scratch or by cloning a previous chart. To view and configure charts, go to the Reports tab and select Advanced > Charts in the tree menu.

Figure 114: Charts

For a list of the currently available pre-defined charts, see Charts on page 100.

To create a new chart:
1. Go to the Reports tab and select Advanced > Chart in the tree menu.
2. Select Create New on the tool bar, or right-click in the chart list and select New from the pop-up menu. The Create New Chart dialog box opens.


Figure 115: Create a new chart

3. Enter the required information for the new chart.
Name: Enter a name for the chart.
table-subtype: Select a table subtype from the drop-down list. The available types are: basic, composite-bar, composite-line, basic-with-pie, and bar-with-pie.
x-axis-data-top: Enter the maximum value for data on the x-axis.
Dataset: Select a dataset from the drop-down list. See Datasets on page 131 for more information.
y-axis-label: Enter a label for the y-axis.
line-subtype: Select the line subtype from the drop-down list. The options are: basic, stacked, and back-to-back.
y-axis-group: Select to enable the y-axis group.
show-table: Select to show the table.
Category: Enter a category for the chart.
scale: Enter a scale for the chart.
y-axis-group-top: Enter the top value for the y-axis group.
y2-label-axis: Enter a label for the second y-axis.
y-axis-data-binding: Enter the y-axis data binding information.
Description: Enter a description.
graph-type: Select a graph type from the drop-down list. The options are: table, bar, pie, and line.
x-axis-label: Enter a label for the x-axis.
y2-axis-data-binding: Enter the data binding information for the second y-axis.
x-axis-data-binding: Enter the data binding information for the x-axis.
favorite: Select to set the chart as a favorite.
y-axis-group-by: Enter what the y-axis is to be grouped by.
order-by: Enter ordering information.
resolve-hostname: Select to resolve the hostname.
graph-columns: Select if the graph will have one or two columns from the drop-down list.

4. Select OK to create the new chart.

To clone a chart:
1. Go to the Reports tab and select Advanced > Chart in the tree menu.
2. Select the chart that you would like to clone and select Clone from the tool bar or right-click menu. The Clone Chart dialog box opens.
3. Edit the information as needed and select OK to clone the chart and create a new chart.

To edit a chart:
1. Go to the Reports tab and select Advanced > Chart in the tree menu.
2. Double-click on the chart that you would like to edit, or select the chart and select Edit from the tool bar or right-click menu. The Edit Chart dialog box opens. Pre-defined charts cannot be edited; their information can only be viewed.
3. Edit the information as required and select OK to finish editing the chart.

To delete charts:
1. Go to the Reports tab and select Advanced > Chart in the tree menu.
2. Select the chart or charts that you would like to delete and select Delete from the tool bar or right-click menu. Pre-defined charts cannot be deleted.
3. Select OK in the confirmation dialog box to delete the chart or charts.


Datasets
FortiAnalyzer datasets are collections of log files from monitored devices. Reports are generated based on these datasets. Pre-defined datasets for each supported device type are provided, and new datasets can be created and configured. To view and configure datasets, go to the Reports tab and select Advanced > Dataset in the tree menu.

Figure 116: Datasets

To create a new dataset:
1. Go to the Reports tab and select Advanced > Dataset in the tree menu.
2. Select Create New on the tool bar, or right-click in the dataset list and select New from the pop-up menu. The Create New Dataset dialog box opens.

Figure 117: Create a new dataset


3. Enter the required information for the new dataset.
Name: Enter a name for the dataset.
dev-type: Select a device type from the drop-down list.
log-type: Select a log type from the drop-down list.
SQL Query: Enter the SQL query used for the dataset.

4. Select OK to create the new dataset.

To clone a dataset:
1. Go to the Reports tab and select Advanced > Dataset in the tree menu.
2. Select the dataset that you would like to clone and select Clone from the tool bar or right-click menu. The Clone Dataset dialog box opens.
3. Edit the information as needed and select OK to clone the dataset and create a new dataset.

To edit a dataset:
1. Go to the Reports tab and select Advanced > Dataset in the tree menu.
2. Double-click on the dataset that you would like to edit, or select the dataset and select Edit from the tool bar or right-click menu. The Edit Dataset dialog box opens. Pre-defined datasets cannot be edited; their information can only be viewed.
3. Edit the information as required and select OK to finish editing the dataset.

To delete datasets:
1. Go to the Reports tab and select Advanced > Dataset in the tree menu.
2. Select the dataset or datasets that you would like to delete and select Delete from the tool bar or right-click menu. Pre-defined datasets cannot be deleted.
3. Select OK in the confirmation dialog box to delete the dataset or datasets.

New dataset examples

Top 100 applications by bandwidth:
1. Go to Report > Advanced > Dataset.
2. Select Create New to create a new dataset and enter a name for the dataset.
3. Select FortiGate from the dev-type drop-down list.
4. Select Traffic Log from the log-type drop-down list.
5. In the SQL Query field, enter the following:
    SELECT ( TIMESTAMP - TIMESTAMP %3600 ) AS hourstamp, app, service, SUM( sent + rcvd ) AS volume
    FROM $log
    GROUP BY app
    ORDER BY volume DESC
    LIMIT 100
6. Select OK to create the dataset.

Notes:
- SUM(sent + rcvd) AS volume - this calculates the total sent and received bytes.
- ORDER BY volume DESC - this orders the results by descending volume (largest volume first).
- LIMIT 100 - this lists only the top 100 applications.

Top 10 attacks:
1. Go to Report > Advanced > Dataset.
2. Select Create New to create a new dataset and enter a name for the dataset.
3. Select FortiGate from the dev-type drop-down list.
4. Select Attack from the log-type drop-down list.
5. In the SQL Query field, enter the following:
    SELECT attack_id, COUNT( * ) AS totalnum
    FROM $log and attack_id IS NOT NULL
    GROUP BY attack_id
    ORDER BY totalnum DESC
    LIMIT 10
6. Select OK to create the dataset.

Notes:
- The result is ordered by the total number of attacks with the same attack_id. The most frequent attack_id will appear first.

Top WAN optimization applications:
1. Go to Report > Advanced > Dataset.
2. Select Create New to create a new dataset and enter a name for the dataset.
3. Select FortiGate from the dev-type drop-down list.
4. Select Traffic Log from the log-type drop-down list.
5. In the SQL Query field, enter the following:
    SELECT wanopt_app_type, SUM( wan_in + wan_out ) AS bandwidth
    FROM $log AND subtype = 'wanopt-traffic'
    GROUP BY wanopt_app_type
    ORDER BY SUM( wan_in + wan_out ) DESC
    LIMIT 5
6. Select OK to create the dataset.

Notes:
- The WAN optimizer module will log each application's bandwidth. All bandwidth data is logged in traffic logs, and WAN optimization data will have the subtype wanopt-traffic.
- SUM(wan_in + wan_out) AS bandwidth - this calculates the total in and out traffic.
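The three dataset queries above, run offline with sqlite3 against constructed sample rows so the aggregation and ordering can be checked before the query is entered on the unit. This is an added example, not Fortinet code; $log is a FortiAnalyzer macro that only exists on the unit, so it is replaced by a named table plus an explicit WHERE clause for the report time window (an assumption about what the macro contributes), and the first query groups by app only, omitting the hourstamp and service columns the guide selects without grouping.

```python
"""Added example (not Fortinet code): the three dataset queries from this section
run with sqlite3 against constructed sample rows.  $log is a FortiAnalyzer macro
that only exists on the unit, so it is replaced here by a named table plus an
explicit WHERE clause for the report time window (an assumption about what the
macro contributes); the guide's 'FROM $log and ...' therefore becomes
'FROM traffic_log WHERE ... AND ...'."""
import sqlite3

# Constructed sample rows, not real FortiGate logs.  Column names follow the
# fields the guide's queries reference (app, service, sent, rcvd, subtype,
# wanopt_app_type, wan_in, wan_out, attack_id).
TRAFFIC_ROWS = [
    # timestamp, subtype, app, service, sent, rcvd, wanopt_app_type, wan_in, wan_out
    (1349000000, "forward", "HTTP", "tcp/80", 1000, 5000, None, None, None),
    (1349000100, "forward", "HTTP", "tcp/80", 2000, 1000, None, None, None),
    (1349000200, "forward", "SSH", "tcp/22", 300, 200, None, None, None),
    (1349000300, "wanopt-traffic", "CIFS", "tcp/445", 0, 0, "cifs", 400, 600),
    (1349000400, "wanopt-traffic", "HTTP", "tcp/80", 0, 0, "http", 100, 200),
    (1349000500, "wanopt-traffic", "CIFS", "tcp/445", 0, 0, "cifs", 50, 50),
]
# One attack log row per minute; None stands for a message with no attack_id.
ATTACK_ROWS = [(1349000000 + 60 * i, aid)
               for i, aid in enumerate([101, 102, 101, None, 103, 101, 102])]

# Report time window standing in for the period $log is evaluated over.
WINDOW = (1349000000, 1349001000)


def build_sample_db():
    """Create an in-memory database holding the constructed traffic and attack logs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE traffic_log (timestamp INTEGER, subtype TEXT,
        app TEXT, service TEXT, sent INTEGER, rcvd INTEGER,
        wanopt_app_type TEXT, wan_in INTEGER, wan_out INTEGER)""")
    conn.execute("CREATE TABLE attack_log (timestamp INTEGER, attack_id INTEGER)")
    conn.executemany("INSERT INTO traffic_log VALUES (?,?,?,?,?,?,?,?,?)", TRAFFIC_ROWS)
    conn.executemany("INSERT INTO attack_log VALUES (?,?)", ATTACK_ROWS)
    return conn


def top_apps_by_volume(conn, window=WINDOW, limit=100):
    """Top applications by bandwidth: SUM(sent + rcvd) per app, largest first.
    Only app is grouped; the guide's hourstamp and service columns are selected
    there without being grouped, so they are left out of this version."""
    sql = """SELECT app, SUM(sent + rcvd) AS volume
             FROM traffic_log WHERE timestamp BETWEEN ? AND ?
             GROUP BY app ORDER BY volume DESC LIMIT ?"""
    return conn.execute(sql, (*window, limit)).fetchall()


def top_attacks(conn, window=WINDOW, limit=10):
    """Top attacks: count of messages per attack_id, most frequent first."""
    sql = """SELECT attack_id, COUNT(*) AS totalnum
             FROM attack_log
             WHERE timestamp BETWEEN ? AND ? AND attack_id IS NOT NULL
             GROUP BY attack_id ORDER BY totalnum DESC LIMIT ?"""
    return conn.execute(sql, (*window, limit)).fetchall()


def top_wanopt_apps(conn, window=WINDOW, limit=5):
    """Top WAN optimization applications: SUM(wan_in + wan_out) per
    wanopt_app_type over traffic messages with subtype wanopt-traffic."""
    sql = """SELECT wanopt_app_type, SUM(wan_in + wan_out) AS bandwidth
             FROM traffic_log
             WHERE timestamp BETWEEN ? AND ? AND subtype = 'wanopt-traffic'
             GROUP BY wanopt_app_type ORDER BY bandwidth DESC LIMIT ?"""
    return conn.execute(sql, (*window, limit)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print(top_apps_by_volume(db))   # [('HTTP', 9000), ('SSH', 500), ('CIFS', 0)]
    print(top_attacks(db))          # [(101, 3), (102, 2), (103, 1)]
    print(top_wanopt_apps(db))      # [('cifs', 1100), ('http', 300)]
```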


Output profiles
Output profiles allow you to define email addresses to which generated reports are sent, and provide an option to upload the reports to FTP, SFTP, or SCP servers. Once created, an output profile can be specified in a report schedule; see Schedules on page 123.

Figure 118: Output profile page

You must configure a mail server before you can configure an output profile. Please see Mail server on page 88 for information on configuring a mail server.

To create a new output profile:
1. Go to the Reports tab and select Advanced > Output Profile in the tree menu.
2. Select Create New on the tool bar, or right-click in the output profile list and select New from the pop-up menu. The Create New Output Profile dialog box opens.


Figure 119: Create new output profile dialog box

3. Enter the following information:

Name                        Enter a name for the new output profile.
Description                 Enter a description for the output profile (optional).
Email Generated Reports     Enable emailing the generated reports.
  Subject                   Enter a subject for the report email.
  Body                      Enter body text for the report email.
  Email Recipients          Select the email server from the drop-down list and enter the to and from email addresses. Select the + icon to add another entry so that you can specify multiple recipients.
Upload Report to Server     Enable uploading the reports to a server.
  Server Type               Select FTP, SFTP, or SCP from the drop-down list.
  Server                    Enter the server IP address.
  User                      Enter the username.
  Password                  Enter the password.
  Directory                 Specify the directory on the server where the report will be saved.
  Delete file(s) after uploading
                            Select to delete the report after it has been uploaded to the selected server.

4. Select OK to create the new output profile.

To edit an output profile:
1. Go to the Reports tab and select Advanced > Output Profile in the tree menu.
2. Double-click on the output profile that you would like to edit, or select the output profile and select Edit from the tool bar or right-click menu. The Edit Output Profile dialog box opens.
3. Edit the information as required and select OK to finish editing the output profile.

To delete output profiles:
1. Go to the Reports tab and select Advanced > Output Profile in the tree menu.
2. Select the output profile or profiles that you would like to delete and select Delete from the tool bar or right-click menu.
3. Select OK in the confirmation dialog box to delete the selected output profile or profiles.

Language
The language of the reports can be specified when creating a report schedule (see Schedules on page 123). New languages can be added, and the name and description of user-added languages can be changed. The pre-defined languages cannot be edited. The available report languages can be viewed in the Reports tab under Advanced > Language.

Figure 120: Report language


The available preconfigured report languages include:
- English (default report language)
- French
- Japanese
- Korean
- Portuguese
- Simplified Chinese
- Spanish
- Traditional Chinese

To add a language:
1. Go to the Reports tab and select Advanced > Language in the tree menu.
2. Select Create New on the tool bar, or right-click in the language list and select New from the pop-up menu. The Create New Language dialog box opens.

Figure 121: Create a new language

3. Enter a name and description for the language in the requisite fields. 4. Select OK to add the language.

Adding a new language does not create that language. It only adds a placeholder for that language that contains the language name and description.


To edit a language:
1. Go to the Reports tab and select Advanced > Language in the tree menu.
2. Double-click on the language that you would like to edit, or select the language and select Edit from the tool bar or right-click menu. The Edit Language dialog box opens.
3. Edit the information as required and select OK to finish editing the language.

Pre-defined languages cannot be edited. The information can only be viewed.

To delete languages:
1. Go to the Reports tab and select Advanced > Language in the tree menu.
2. Select the language or languages that you would like to delete and select Delete from the tool bar or right-click menu.
3. Select OK in the confirmation dialog box to delete the selected language or languages.

Pre-defined languages cannot be deleted.


Appendix A: SNMP MIB Support


The FortiAnalyzer SNMP agent supports the following management information bases (MIBs):

Table 2: FortiAnalyzer MIBs

MIB or RFC                      Description
FORTINET-CORE-MIB               This Fortinet-proprietary MIB enables your SNMP manager to query for system information and to receive traps that are common to multiple Fortinet devices.
FORTINET-FORTIANALYZER-MIB      This Fortinet-proprietary MIB enables your SNMP manager to query for FortiAnalyzer-specific information and to receive FortiAnalyzer-specific traps.
RFC-1213 (MIB II)               The FortiAnalyzer SNMP agent supports MIB II groups, except:
                                - There is no support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10).
                                - Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, etc.) do not accurately capture all FortiAnalyzer traffic activity. More accurate information can be obtained from the FortiAnalyzer MIB.
RFC-2665 (Ethernet-like MIB)    The FortiAnalyzer SNMP agent supports Ethernet-like MIB information except the dot3Tests and dot3Errors groups.

You can obtain these MIB files from the Customer Service & Support web site, https://support.fortinet.com. To be able to communicate with your FortiAnalyzer unit's SNMP agent, you must first compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do not have to compile them again. To view a trap's or query's name, object identifier (OID), and description, open its MIB file in a plain text editor. All traps sent include the message, the FortiAnalyzer unit's serial number, and its host name. For instructions on how to configure traps and queries, see Configuring the SNMP agent on page 82.
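Reading trap names and OIDs out of a MIB file by hand is tedious when you want to filter or alert on them in an SNMP manager or SIEM. The script below is an added example, not Fortinet code: it parses the OBJECT-TYPE and NOTIFICATION-TYPE definitions of an SMIv2 MIB text, pulls each DESCRIPTION, and resolves each definition's numeric OID by walking the "::= { parent arc }" assignments back to the well-known enterprises root. The embedded SAMPLE_MIB is a constructed stand-in for demonstration only; the names exSysSerial, exSysHostName, exTrapLogDiskFull and their arcs are made up, and only "enterprises" (1.3.6.1.4.1) and Fortinet's IANA enterprise number 12356 are real. Point parse_mib() at the FORTINET-CORE-MIB and FORTINET-FORTIANALYZER-MIB text downloaded from the support site to get the real list.

```python
"""List the objects and traps defined in an SMIv2 MIB file, with numeric OIDs.

Added example; not Fortinet code. The guide says the name, OID and
description of each trap or query can be read from the MIB file in a text
editor; this script does that read programmatically so the OIDs can be fed
to an SNMP manager or SIEM filter. SAMPLE_MIB is a constructed stand-in:
only "enterprises" (1.3.6.1.4.1) and Fortinet's enterprise number 12356 are
real; every name and arc under them is made up.
"""
import re

# Well-known SMI root that proprietary MIBs hang off.
ROOTS = {"enterprises": "1.3.6.1.4.1"}

SAMPLE_MIB = """
EXAMPLE-FAZ-MIB DEFINITIONS ::= BEGIN

fortinet      OBJECT IDENTIFIER ::= { enterprises 12356 }
exCoreMib     OBJECT IDENTIFIER ::= { fortinet 100 }
exSystem      OBJECT IDENTIFIER ::= { exCoreMib 1 }
exTraps       OBJECT IDENTIFIER ::= { exCoreMib 2 }

exSysSerial OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Serial number of the unit (constructed example)."
    ::= { exSystem 1 }

exSysHostName OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "Host name of the unit (constructed example)."
    ::= { exSystem 2 }

exTrapLogDiskFull NOTIFICATION-TYPE
    OBJECTS     { exSysSerial, exSysHostName }
    STATUS      current
    DESCRIPTION
        "Log disk usage reached the configured
         threshold (constructed example)."
    ::= { exTraps 401 }

END
"""

# "name OBJECT IDENTIFIER ::= { parent arc }" assignments build the OID tree.
ASSIGN_RE = re.compile(
    r"^(\w+)\s+OBJECT IDENTIFIER\s*::=\s*\{\s*(\w+)\s+(\d+)\s*\}", re.M)
# OBJECT-TYPE / NOTIFICATION-TYPE definitions end with the same "::= { parent arc }".
DEF_RE = re.compile(
    r"^(\w+)\s+(OBJECT-TYPE|NOTIFICATION-TYPE)\s+(.*?)::=\s*\{\s*(\w+)\s+(\d+)\s*\}",
    re.M | re.S)
DESC_RE = re.compile(r'DESCRIPTION\s+"([^"]*)"', re.S)


def parse_mib(text):
    """Return a list of dicts (name, kind, oid, description) for every object and trap."""
    parents = {name: (parent, int(arc)) for name, parent, arc in ASSIGN_RE.findall(text)}
    defs = DEF_RE.findall(text)
    for name, _kind, _body, parent, arc in defs:
        parents[name] = (parent, int(arc))

    def resolve(name, seen=()):
        # Walk parent links until a known root; guard against cycles and dangling refs.
        if name in ROOTS:
            return ROOTS[name]
        if name not in parents or name in seen:
            raise KeyError(f"cannot resolve OID for {name!r}")
        parent, arc = parents[name]
        return f"{resolve(parent, seen + (name,))}.{arc}"

    entries = []
    for name, kind, body, _parent, _arc in defs:
        m = DESC_RE.search(body)
        description = " ".join(m.group(1).split()) if m else ""
        entries.append({"name": name, "kind": kind, "oid": resolve(name),
                        "description": description})
    return entries


def trap_oids(entries):
    """Map trap name -> OID: the list an SNMP manager or SIEM needs to match incoming traps."""
    return {e["name"]: e["oid"] for e in entries if e["kind"] == "NOTIFICATION-TYPE"}


if __name__ == "__main__":
    for e in parse_mib(SAMPLE_MIB):
        print(f'{e["oid"]:<32} {e["kind"]:<17} {e["name"]}: {e["description"]}')
```

The resolver walks each definition's parent chain, so the output gives complete dotted OIDs (for the sample, 1.3.6.1.4.1.12356.100.2.401 for the constructed trap) rather than the relative arcs the MIB text shows, which is what a trap receiver's match rules need.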


Appendix B: Port Numbers


The following tables describe the port numbers that the FortiAnalyzer unit uses:
- ports for traffic originating from units (outbound ports)
- ports for traffic receivable by units (listening ports)
- ports used to connect to the FortiGuard Distribution Network (FDN ports)

Traffic varies by enabled options and configured ports. Only default ports are listed.

Table 3: FortiAnalyzer outbound ports

Functionality                                                   Port(s)
DNS lookup                                                      UDP 53
NTP synchronization                                             UDP 123
Windows share                                                   UDP 137-138
SNMP traps                                                      UDP 162
Syslog, log forwarding                                          UDP 514
    Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, syslog traffic is sent inside an IPsec tunnel. The tunnel uses IKE on UDP 500 (UDP 4500 with NAT traversal) and ESP, IP protocol 50.
Log and report upload                                           TCP 21 (FTP) or TCP 22 (SFTP, SCP)
SMTP alert email                                                TCP 25
User name LDAP queries for reports                              TCP 389 or TCP 636 (LDAPS)
Vulnerability Management updates                                TCP 443
RADIUS authentication                                           UDP 1812
TACACS+ authentication                                          TCP 49
Log aggregation client                                          TCP 3000
Device registration of FortiGate or FortiManager units;         TCP 514
remote access to quarantine, logs & reports from a FortiGate
unit; remote management from a FortiManager unit
(configuration retrieval) (OFTP)


Table 4: FortiAnalyzer listening ports

Functionality                                                   Port(s)
Windows share                                                   UDP 137-139 and TCP 445
Syslog, log forwarding                                          UDP 514
    Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, syslog traffic is sent inside an IPsec tunnel. The tunnel uses IKE on UDP 500 (UDP 4500 with NAT traversal) and ESP, IP protocol 50.
SSH administrative access to the CLI                            TCP 22
Telnet administrative access to the CLI                         TCP 23
HTTP administrative access to the Web-based Manager             TCP 80
HTTPS administrative access to the Web-based Manager;           TCP 443
remote management from a FortiManager unit
Device registration of FortiGate or FortiManager units;         TCP 514
remote access to quarantine, logs & reports from a FortiGate
unit; remote management from a FortiManager unit
(configuration retrieval) (OFTP)
NFS share                                                       TCP 2049
HTTP or HTTPS administrative access to the Web-based            TCP 2032
Manager's CLI dashboard widget. The protocol used matches
the protocol used by the administrator when logging in to
the Web-based Manager.
Log aggregation server                                          TCP 3000
    Note: Log aggregation server support requires model FortiAnalyzer-800 or greater.
Remote management from a FortiManager unit                      TCP 8080
(configuration installation)
Remote MySQL database connection                                TCP 3306

Telnet (TCP 23) and HTTP (TCP 80) carry administrator credentials in cleartext. Enable them on an interface only when there is a specific need, and use SSH (TCP 22) and HTTPS (TCP 443) for administrative access otherwise.

Table 5: FortiAnalyzer FDN ports

Functionality                                                   Port(s)
Vulnerability Management updates                                TCP 443
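A practical use of Table 4 is to check what a FortiAnalyzer unit actually exposes against what it is documented to listen on. The script below is an added example, not Fortinet code: it encodes Table 4 as data, parses one host line of nmap's grepable (-oG) output, and classifies each open port as documented and acceptable, documented but cleartext administrative access, documented but only needed by specific peer hosts, or not in the table at all. The scan line for 192.0.2.10 is constructed for the demo, and the three finding classes (CLEARTEXT_ADMIN, PEER_ONLY, undocumented) are the editor's reading of the table rather than anything the guide states.

```python
"""Check a port scan of a FortiAnalyzer management interface against Table 4.

Added example; not Fortinet code. DOCUMENTED_LISTENERS encodes Table 4 of
this appendix. The nmap "grepable" (-oG) host line is constructed for the
demo, and the finding classes are the editor's reading of the table, not
part of the guide: Telnet and HTTP carry administrator credentials in
cleartext, the data and peer services are only needed by specific hosts,
and anything not in the table is unexplained until identified.
"""
import re

DOCUMENTED_LISTENERS = {
    ("udp", 137): "Windows share",
    ("udp", 138): "Windows share",
    ("udp", 139): "Windows share",
    ("tcp", 445): "Windows share",
    ("udp", 514): "Syslog, log forwarding",
    ("tcp", 22): "SSH administrative access to the CLI",
    ("tcp", 23): "Telnet administrative access to the CLI",
    ("tcp", 80): "HTTP administrative access to the Web-based Manager",
    ("tcp", 443): "HTTPS administrative access; remote management from FortiManager",
    ("tcp", 514): "OFTP: device registration, FortiGate/FortiManager remote access",
    ("tcp", 2049): "NFS share",
    ("tcp", 2032): "Web-based Manager CLI dashboard widget",
    ("tcp", 3000): "Log aggregation server",
    ("tcp", 8080): "Remote management from FortiManager (configuration installation)",
    ("tcp", 3306): "Remote MySQL database connection",
}

# Editor's classification (assumption, not from the guide).
CLEARTEXT_ADMIN = {("tcp", 23), ("tcp", 80)}
PEER_ONLY = {("tcp", 445), ("udp", 137), ("udp", 138), ("udp", 139),
             ("tcp", 2049), ("tcp", 3000), ("tcp", 3306), ("tcp", 8080)}

# Constructed nmap -oG output for a hypothetical unit at 192.0.2.10.
SCAN_LINE = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 514/open/tcp//shell///, "
    "3306/open/tcp//mysql///, 8443/open/tcp//https-alt///\tIgnored State: closed (993)"
)

# nmap reports UDP services it cannot disambiguate as "open|filtered".
PORT_RE = re.compile(r"(\d+)/open(?:\|filtered)?/(tcp|udp)/")


def parse_grepable(line):
    """Return the set of (proto, port) pairs reported open on one -oG host line."""
    return {(proto, int(port)) for port, proto in PORT_RE.findall(line)}


def audit(open_ports):
    """Classify each open port: ok, cleartext-admin, peer-only, or undocumented."""
    findings = []
    for key in sorted(open_ports):
        proto, port = key
        service = DOCUMENTED_LISTENERS.get(key)
        if service is None:
            findings.append((proto, port, "undocumented",
                             "not a documented FortiAnalyzer listener; identify before allowing"))
        elif key in CLEARTEXT_ADMIN:
            findings.append((proto, port, "cleartext-admin",
                             f"{service}: disable on the interface, use SSH/HTTPS"))
        elif key in PEER_ONLY:
            findings.append((proto, port, "peer-only",
                             f"{service}: restrict to the hosts that need it"))
        else:
            findings.append((proto, port, "ok", service))
    return findings


if __name__ == "__main__":
    for proto, port, cls, note in audit(parse_grepable(SCAN_LINE)):
        print(f"{proto}/{port:<5} {cls:<16} {note}")
```

On the constructed scan the script flags Telnet and HTTP as cleartext administrative access, MySQL as a service to restrict to the report clients that use it, and TCP 8443 as a listener the table does not explain; SSH, HTTPS and OFTP pass. Feed it the real -oG line from a scan run from a host that is not in the unit's trusted-host list to see what an unprivileged network position can reach.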


Index
A
access administrative 22 add ADOM 25, 56 alert event 87 break 121 chart 128 charts 102 dataset 131 elements 118-121 group 27 headings 120 IPv6 static route 63 language 137 model device 29 output profile 134 RTM dashboard 99 RTM profile 96 schedule 123 SNMP community 84 template 117 text box 121 VDOM 29 admin settings 80 configure 80 administration session timeout 68 administrative domains enable 41 administrator 41, 68 access 22 access profiles 67 add account 69 authentication server 67 configure 68 configure accounts 67 connection options 67 delete 68, 70 disconnect 68 modify 70 monitoring 67 monitoring sessions 67 netmask 70 profiles 71 trusted host 71 administrator profiles delete 73 modify 73 ADOM 56 add 25 create new 56 delete 27, 58 edit 26, 57 name 26 advanced settings 85 system settings 81 alert console 90 create new event 87 events 86 thresholds 86 alert message console 50 alerts 81, 86 mail server 88 syslog server 89 analyzer 14 API 86 archive logs 109 authentication remote 74 server 67

B
backup 45 configuration 41 encrypt 46 browse logs 110

C
calendar report 127 certificates 64 creating 64 downloading 66 importing 65 view details 65 change date 42 host name 42 operation mode 47 time 42 chart add 118 clone 130 create new 128 delete 130 edit 130


charts 96 add 102 predefined 100 remove 103 reorganize 103 RTM 100 template 128 CLI 11, 37, 38, 51 commands 52 clone chart 130 dataset 132 RTM profile 98 collector 14 column settings 24 columns log view 107 order 108 command line interface. See CLI command prompt 41 community 83 name 84 configuration backup 41, 45 restore 46 configure admin settings 80 administrator 68 administrator profiles 72 alert console 91 alert event 87 backup 41 date 42 event logging 91 mail server 89 network interfaces 61 profiles 72 SNMP 82 syslog server 89 time 42 connect Web-based Manager 19 connection options 67 console access 71 alert 90 CPU utilization 48 create profiles 72 SNMP community 84

create new ADOM 25, 56 alert event 87 chart 128 charts 102 dataset 131 group 27 output profile 134 RTM dashboard 99 RTM profile 96 schedule 123 template 117 current administrators 41 custom profile 72 customize dashboard 39 log view 107

D
dashboard add a widget 39 alert message console 50 CLI console 51 customize 39 customizing 39 license information 49 move a widget 39 RAID monitor 52 reset 39 system information 40 system resource information 48 unit operation 50 view alert messages 50 view license information 49 view unit operation 50 widget options 39 dashboards 99 data RTM 103 data sets 131 dataset clone 132 create new 131 delete 132 edit 132 examples 132 date configure 42 default gateway 59 password 11


delete administrator 68, 70 ADOM 27, 58 alert event 88 charts 130 datasets 132 device 34 edit 32 element 123 group 29 languages 138 log files 93 output profiles 136 profile 73 reports 126 RTM dashboard 100 RTM profile 98 schedule 125 task 94 VDOM 34 details logs 109 device add model 29 delete 34 device log settings 81 diagnostic tools 66 disk 91 display columns 107 DNS 59 servers 59 download logs 112 report 126 WSDL file 86 dynamic IP pool 78

E
edit administrator 70 ADOM 26, 57 alert event 88 chart 130 dataset 132 device 32 element 122 group 28 language 138 output profile 136 report 122 RTM dashboard 100 RTM profile 97 schedule 125 SNMP community 85
element add 118-121 delete 123 edit 122 move 122 enable administrative domains 41 SNMP agent 83 encrypt backup 46 event logging 91 event log 93 event logging configure 91 example datasets 132

F
filter logs 108 firmware update 29 version 41 FortiAnalyzer 91 reboot 23 server 93 shutdown 23 Fortinet Technical Support 44 FortiSwitch 81 FQDN 90 FTP 91 server 93

G
group create new 27 delete 29 edit 28

H
hard disk 54 hot-swapping 54 usage 48 hide columns 107 history report 126 host name 41 change 42 hosts trusted 22 hot swap 54

I
idle timeout 22, 81 import logs 112 installation 11


interface list 60 configuring 61 IPv6 static routes add 63 configuring 63

J
javascript 51

L
language 21, 81 add 137 delete 138 edit 138 LDAP 76 server configuration 77 LDAP server adding 77 configuration 77 create new 77 delete 78 modify 77 license information widget 49 lightweight directory access protocol 76 line break add 121 local console access 51 log file 93 messages 66 rotate 92, 114 settings 91 system events 91 log view 106 column order 108 columns 107 customize 107 details 109 filter 108 logging to disk 91 logs 42 access 93 archive 109 browsing 110 download 112 import 112 maximum size 92, 114 rolling 92, 113, 114 rotation settings 91 settings 81 upload 91, 93, 113, 115 view packets 109 viewing 66

M
mail server 134 alerts 88 settings 89
main menu bar 20 management interface 59 administrative access 59 default gateway 59 IP 59 IPv6 address 59 IPv6 administrative access 59 netmask 59 manager connect to 19 web-based 18 memory utilization 48 modify profile 73 monitor administrator sessions 67 notifications 86 task 94 move element 122

N
name ADOM 26 SNMP community 84 netmask administrator account 70 network 59 configuring interfaces 61 diagnostic tools 60 DNS 59 interface list 60 interfaces 59 IPv6 routing table 60 IPv6 static routing 63 management interface 59 routing table 60 static routing 61 utilization 48 network interface configuring 61 network time protocol. See NTP notifications monitor 86 NTP 42

O
operation mode 12 analyzer 14, 15 change 47 collector 14, 15 standalone 13 output profile 134 output profile create new 134 delete 136 edit 136


P
packet log 109 page break add 121 password 46, 47 administrator 11 policy 81 platform type 41 port remote 85 predefined charts 100 profile create new 134 delete 136 edit 136 profiles administrator 71 configuring 72 create 72 delete 73 modify 73 restricted 71 RTM 96 standard 71 super 71 prompt 52

R
RADIUS server 74 configuration 74 create new 74 delete 75 modify 75 server secret 75 RAID configure 53 monitor 52 supported levels 54 RAID levels RAID 0 54 RAID 10 54 RAID 5 54 RAID linear 54 RAID1 54 RAID monitor widget 52 real-time monitor 34 real-time monitor. See RTM reboot 23, 50 receive notifications 86 remote authentication 74 port 85 remove charts 103

reorganize charts 103 report 116 advanced options 128 calendar 127 charts 128 data sets 131 delete 126 download 126 edit 122 history 126 output 134 profile 134 run 125 schedule 125 schedules 123 templates 117 UTM security analysis 117 reset dashboard 39 resolution 18 restore 46 roll logs 113 routing static 61, 63 routing table 61, 63 configuring 61, 63 RTM charts 96, 100 dashboards 99 profiles 96 view data 103 RTM dashboard delete 100 edit 100 RTM profile clone 98 delete 98 edit 97 new 96 run report 125 schedule 125

S
schedule 42 create new 123 delete 125 edit 125 reports 123 run 125 SCP 91 server 93 screen resolution 18 Secure Shell. See SSH serial number 41


server LDAP 76 RADIUS 74 remote authentication 74 syslog 89 TACACS+ 78 set time 43 settings administrator 80 advanced 85 device log 81 log rotation 91 logs 91 network 59 syslog server 89 severity 86 SFTP 91 server 93 shutdown 23, 50 Simple Network Management Protocol. See SNMP SMTP server 89 SNMP 81, 82 Agent 82 community, configuring 83 configure 82 configuring 82 manager 82 system name 41 v1 85 v2c 85 SNMP agent enable 83 SNMP community create 84 edit 85 name 84 special characters 42 SSH 51 SSL 42 standalone 13 static routes add 62, 63 configuring 61, 63 IPv6 63 status task 95 supported web browser 18 sync interval 43 syslog server FQDN 90 name 90 settings 89 system advanced settings 81 backup 45 restore 46 system firmware update 44

system information widget 40 system resource information customize 49 widget 48 system time 41, 42, 43 configuring 42

T
tab bar 20 TACACS+ server 78 configuration 78 create new 78 delete 79 modify 79 task delete 94 list size 86 monitor 94 status 95 Telnet 51 template add break 121 add chart 118 add headings 120 add image 120 add section 118 add text 121 charts 128 create new 117 reports 117 UTM security analysis 117 thresholds 86 time 42 configure 42 set 43 system 43 zone 43 timeout 81 tree menu 20 trusted host 22 security issues 71

U
unit operation widget 50 update device 29 firmware 29 upload enable 93, 115 logs 113 uptime 41 US-ASCII 42 utilization CPU 48 hard disk 48 memory 48 network 48


V
VDOM add 29 delete 34 view logs 106 packet log 109

W
web browser supported 18 web services description language. See WSDL

widget 51 add 39 alert message console 50 CLI console 51 license information 49 move 39 options 39 RAID monitor 52 system information 40 system resource information 48, 49 unit operation 50 WSDL file 86 file download 86
