Administration Guide
FortiAnalyzer v5.0 Administration Guide
November 20, 2012
05-500-187572-20121120

Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
Table of Contents
Table of Figures ..... 6
Change Log ..... 9
Introduction ..... 10
  Scope ..... 11
  Entering FortiAnalyzer configuration data ..... 11
    Entering text strings (names) ..... 11
    Selecting options from a list ..... 11
    Enabling or disabling options ..... 11
Web-based Manager ..... 18
  System requirements ..... 18
    Web browser ..... 18
    Resolution ..... 18
  Connecting to the Web-based Manager ..... 18
  Web-based Manager overview ..... 19
  Web-based Manager configuration ..... 21
    Language ..... 21
    Administrative access ..... 22
    Restricting access by trusted hosts ..... 22
    Idle timeout ..... 22
Device Manager ..... 24
  ADOMs ..... 25
  Devices and groups ..... 27
    Groups ..... 27
    Devices and VDOMs ..... 29
  Real-time monitor ..... 34
System Settings ..... 36
  Dashboard ..... 37
    Customizing the dashboard ..... 39
    System Information widget ..... 40
    System Resource widget ..... 48
    License Information widget ..... 49
    Unit Operation widget ..... 50
    Alert Messages Console widget ..... 50
    CLI Console widget ..... 51
    RAID Monitor widget ..... 52
  General settings ..... 56
    All ADOMs ..... 56
    Network ..... 59
    Certificates ..... 64
    Log Access ..... 66
    Diagnostic tools ..... 66
  Admin ..... 67
    Monitoring administrator sessions ..... 67
    Administrator ..... 68
    Profile ..... 71
    Remote authentication server ..... 74
    Administrator settings ..... 80
  Advanced ..... 81
    SNMP v1/v2c ..... 82
    Advanced settings ..... 85
    Alerts ..... 86
    Device Log ..... 91
  Browsing log files ..... 110
    Importing a log file ..... 112
    Downloading a log file ..... 112
  Configuring rolling and uploading of logs ..... 113
Appendix A: SNMP MIB Support ..... 139
Appendix B: Port Numbers ..... 140
Index ..... 142
Table of Figures
Topology of the FortiAnalyzer unit in standalone mode ..... 13
Topology of the FortiAnalyzer units in analyzer/collector mode ..... 14
Change operation mode to analyzer ..... 15
Change operation mode to collector ..... 15
Logging, analyzing, and reporting workflow ..... 17
The tab bar ..... 20
Main menu bar ..... 20
Administration settings ..... 21
Unit operation actions in the Web-based Manager ..... 23
Device manager tab ..... 24
Device list right-click menu ..... 25
Create an ADOM ..... 25
Edit an ADOM ..... 26
Add a device group ..... 28
Add device wizard login screen ..... 30
Add device wizard add device screen ..... 30
Add device wizard add device screen two ..... 31
Add device wizard summary screen ..... 32
Edit a device ..... 33
Real time monitor pane ..... 34
Refresh a chart ..... 35
FortiAnalyzer system dashboard ..... 38
Adding a widget ..... 39
A minimized widget ..... 40
System Information widget ..... 40
Edit Host Name dialog box ..... 42
Time Settings dialog box ..... 43
Backup dialog box ..... 46
All Settings Configuration Restore dialog box ..... 46
Change operation mode ..... 47
System Resource widget (Real Time display) ..... 48
System Resource widget (Historical display) ..... 48
Edit System Resources Settings window ..... 49
VM License Information widget ..... 49
Unit Operation widget ..... 50
Alert Message Console widget ..... 51
List of all alert messages ..... 51
CLI Console widget ..... 52
RAID monitor widget ..... 53
RAID Settings ..... 53
All ADOMs list ..... 56
Create a new ADOM ..... 57
Edit an ADOM ..... 58
Network screen ..... 59
Network interface list ..... 60
Configure network interfaces ..... 61
Routing Table ..... 62
Create New route ..... 62
Create New route ..... 63
New local certificate ..... 64
Local certificate details ..... 65
Administrator session list ..... 67
Administrator list ..... 68
Creating a new administrator account ..... 69
Administrator profile list ..... 72
Create new administrator profile ..... 73
RADIUS server list ..... 74
New RADIUS Server window ..... 75
LDAP server list ..... 76
New LDAP server dialog box ..... 77
New TACACS+ server dialog box ..... 79
Administrative settings dialog box ..... 80
SNMP configuration ..... 83
New SNMP community ..... 84
Advanced settings ..... 86
Alert event window ..... 86
Create new alert event window ..... 87
Mail server window ..... 88
Mail server settings ..... 89
Syslog server window ..... 89
Syslog server settings ..... 90
Alert message console window ..... 90
Alert console settings ..... 91
Log setting window ..... 92
Log access window ..... 93
Task monitor window ..... 94
RTM profiles tab ..... 96
Create a new RTM profile ..... 97
Edit an RTM profile ..... 97
Clone an RTM profile ..... 98
Add dashboard dialog box ..... 99
Dashboard options dialog box ..... 100
Add charts dialog box ..... 102
Chart placeholder ..... 102
Moving a chart ..... 103
Viewing RTM data ..... 104
Chart data details ..... 104
Refresh a chart's data ..... 105
Log view ..... 106
Column settings ..... 108
Log details ..... 109
Log archive ..... 109
View packet log dialog box ..... 110
Log file list ..... 111
Import a log file ..... 112
Log setting window ..... 114
Report templates ..... 117
Template and section tool bars ..... 118
Add a new section ..... 118
Fortinet Technologies Inc. Page 7 FortiAnalyzer v5.0 Administration Guide
Add a new chart ..... 119
Chart preview ..... 119
Choose a graphic ..... 120
Heading element ..... 120
Edit a heading ..... 121
Edit text ..... 121
Move a report template element ..... 122
Edit an element ..... 122
Delete an element ..... 123
Report schedules page ..... 123
Create a new report schedule ..... 124
Report history page ..... 126
Report calendar ..... 127
Report schedule calendar details ..... 127
Charts ..... 128
Create a new chart ..... 129
Datasets ..... 131
Create a new dataset ..... 131
Output profile page ..... 134
Create new output profile dialog box ..... 135
Report language ..... 136
Create a new language ..... 137
Change Log
Date        Change Description
2012-11-20  Initial Release.
Introduction
The FortiAnalyzer family of logging, analyzing, and reporting appliances securely aggregates log data from Fortinet network security devices and other syslog-compatible devices. A comprehensive suite of easily customized reports enables you to analyze, report, and archive security event, network traffic, web content, and messaging data to measure policy compliance.

This guide contains the following chapters:
- Key Concepts
- Web-based Manager
- Device Manager
- System Settings
- RTM Profiles
- Log View
- Reports
FortiAnalyzer features
- Over 550 reports and customizable charts help monitor and maintain acceptable use policies, identify attack patterns, and demonstrate policy compliance
- Network capacity and utilization data reporting allows you to plan and manage networks more efficiently
- Scalable architecture allows the device to run in collector or analyzer modes for optimized log processing
- Advanced features such as event correlation, forensic analysis, and vulnerability assessment provide essential tools for in-depth protection of complex networks
- Secure data aggregation from multiple FortiGate and FortiMail security appliances provides network-wide visibility and compliance
- Fully integrated with FortiManager appliances for a single point of command, control, analysis, and reporting
- Up to 24 TB of log data capacity and a choice of RAID levels allow you to balance capacity and data assurance to match organizational needs.
Scope
This document describes how to use the Web-based Manager to set up and configure the FortiAnalyzer unit. It assumes you have already successfully installed the FortiAnalyzer unit by following the instructions in your unit's QuickStart guide. At this stage:
- You have administrative access to the Web-based Manager and/or CLI.
- The FortiAnalyzer unit can connect to the Web-based Manager and CLI.

This document explains how to use the Web-based Manager to:
- maintain the FortiAnalyzer unit, including backups
- configure basic settings, such as system time, DNS settings, administrator password, and network interfaces
- configure advanced features, such as adding devices, DLP archiving, vulnerability management, logging, and reporting.

This document does not cover commands for the command line interface (CLI). For information on the CLI, see the FortiAnalyzer CLI Reference.
Key Concepts
This chapter defines basic FortiAnalyzer concepts and terms. If you are new to FortiAnalyzer, this chapter can help you to quickly understand this document and your FortiAnalyzer platform. This topic includes:
- Administrative domains
- Operation modes
- Log storage
- Workflow
Administrative domains
Administrative domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators' access privileges to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific device's VDOM. Enabling ADOMs alters the structure of and the available functions in the Web-based Manager and CLI, according to whether or not you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account's assigned access profile. See System Information widget on page 40 for information on enabling and disabling ADOMs. For information on working with ADOMs, see ADOMs on page 25. For information on configuring administrators and administrator settings, see Admin on page 67.
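The access model described above (an ADOM limits an administrator to a subset of devices, and optionally to a single VDOM of a device, while the built-in admin account is never constrained) can be expressed as a small authorization check. The following Python is an added illustration written for this guide's concept; it is not FortiAnalyzer's own implementation, and the device names, ADOM names, accounts and the "*" marker for "all VDOMs" are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of ADOM-scoped administrator access. It illustrates the
# concept described above and is not FortiAnalyzer's implementation or API.

SUPER_ADMIN = "admin"   # the built-in admin account is not constrained by ADOMs
ALL_VDOMS = "*"         # marker: the ADOM covers every VDOM of that device


@dataclass
class Adom:
    name: str
    # device name -> set of VDOM names the ADOM covers, or {ALL_VDOMS}
    members: dict = field(default_factory=dict)


@dataclass
class Administrator:
    name: str
    adoms: set = field(default_factory=set)   # ADOM names assigned to this account


def can_access(admin, adoms, device, vdom=None):
    """Return True if `admin` may see data from `device`.

    With vdom=None the question is "the whole device", which requires an ADOM
    covering all of its VDOMs; with a VDOM name, an ADOM covering either all
    VDOMs or that specific VDOM is enough.
    """
    if admin.name == SUPER_ADMIN:
        return True
    for adom_name in admin.adoms:
        adom = adoms.get(adom_name)
        if adom is None:
            continue                    # a dangling ADOM assignment grants nothing
        covered = adom.members.get(device)
        if not covered:
            continue
        if ALL_VDOMS in covered:
            return True
        if vdom is not None and vdom in covered:
            return True
    return False


def visible_scope(admin, adoms):
    """List the (device, vdom) pairs an administrator can see: the subset of
    the device list the Web-based Manager would present to that account."""
    scope = set()
    for adom in adoms.values():
        if admin.name != SUPER_ADMIN and adom.name not in admin.adoms:
            continue
        for device, vdoms in adom.members.items():
            for v in vdoms:
                scope.add((device, v))
    return sorted(scope)


# Constructed sample configuration: two ADOMs, two restricted accounts, admin.
ADOMS = {
    "branch": Adom("branch", {"FGT-branch": {ALL_VDOMS}, "FGT-hq": {"branch-vdom"}}),
    "hq": Adom("hq", {"FGT-hq": {ALL_VDOMS}, "FML-1": {ALL_VDOMS}}),
}
ALICE = Administrator("alice", {"branch"})
BOB = Administrator("bob", {"hq"})
ROOT = Administrator(SUPER_ADMIN)

if __name__ == "__main__":
    for who in (ALICE, BOB, ROOT):
        print(who.name, visible_scope(who, ADOMS))
```

Note that a device-level question ("may alice see FGT-hq?") is answered no when her ADOM only covers one VDOM of that device; only the VDOM-level question succeeds. That is the least-privilege reading of the VDOM restriction the paragraph describes.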
Operation modes
The FortiAnalyzer unit has three operation modes:
- Standalone: The default mode that supports all FortiAnalyzer features.
- Analyzer: The mode used for aggregating logs from one or more log collectors. In this mode, the log aggregation configuration function is disabled.
- Collector: The mode used for saving and uploading logs. For example, instead of writing logs into the database, the collector can retain the logs in original (binary) format for uploading. In this mode, the report function and some functions under System and Tools are disabled.

The analyzer and collector modes are used together to increase the analyzer's performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.
The FortiAnalyzer 100 and 400 models do not support the analyzer mode.
The mode of operation that you choose will depend on your network topology and individual requirements. For information on how to select an operation mode, see Changing the operation mode on page 47.
Standalone mode
The standalone mode is the default mode that supports all FortiAnalyzer features. If your network log volume is reasonable and does not compromise the performance of your FortiAnalyzer unit, you can choose this mode. Figure 1 illustrates the network topology of the FortiAnalyzer unit in standalone mode.

Figure 1: Topology of the FortiAnalyzer unit in standalone mode
To set up the analyzer/collector configuration:
1. On the FortiAnalyzer unit, go to System > Dashboard > Status.
2. In the System Information widget, in the Operation Mode field, select Change. The Change Operation Mode dialog box opens.
3. Select Analyzer.

Figure 3: Change operation mode to analyzer

4. To enable the log aggregation service, select Enable Log Aggregation Service, enter the desired disk quota, then enter a password for the analyzer server and confirm it.
5. Select OK.
6. On the first collector unit, go to System > Dashboard > Status.
7. In the System Information widget, in the Operation Mode field, select Change. The Change Operation Mode dialog box opens.
8. Select Collector.

Figure 4: Change operation mode to collector

9. Enter the following information:
   Remote Server IP: Enter the IP address of the analyzer unit to which this log collector uploads logs.
   Enable Log Aggregation: Select to enable log aggregation.
   Password: Enter the password of the analyzer unit.
   Confirm Password: Reenter the password of the analyzer unit.
   Upload Daily at: Select a time from the drop-down list to upload logs on a daily basis. The collector archives all logs that are uploaded. During the upload, if the connection with the analyzer fails, the collector keeps trying to reconnect until the connection is restored.
   Select to upload logs in real-time. This uploads logs of the selected level and logs of the levels more serious than the selected level.
   Select the minimum log level to be uploaded in real-time.
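The real-time upload rule in step 9 (forward records at the selected minimum level or any level more serious than it; everything else waits for the daily upload) is the kind of filter that is worth checking against real records before relying on it. The Python below is an added example written for this guide and is not FortiAnalyzer's code. It assumes the standard syslog severity order, since the guide does not list the unit's level names, and the key=value log records it parses are constructed samples in a FortiGate-like layout, not captured output.

```python
import re

# Severity order from syslog (RFC 5424): lower number = more serious. The guide
# does not list FortiAnalyzer's level names, so this mapping is an assumption
# used to give "more serious than the selected level" a concrete meaning.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "information": 6, "debug": 7}

# key=value pairs, with optional double-quoted values that may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Parse one key=value log record into a dict (surrounding quotes stripped)."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def is_at_least(level, minimum):
    """True if `level` is the selected minimum level or more serious than it."""
    if level not in SEVERITY or minimum not in SEVERITY:
        raise ValueError(f"unknown log level: {level!r} / {minimum!r}")
    return SEVERITY[level] <= SEVERITY[minimum]


def select_for_realtime_upload(lines, minimum_level):
    """Split records into those a collector would forward in real time (level is
    the selected minimum or more serious) and those held for the daily upload.
    A record with a missing or unrecognised level is never forwarded in real
    time, so a malformed record cannot slip past the filter; it is still kept
    for the daily archive."""
    upload, held = [], []
    for line in lines:
        record = parse_log_line(line)
        level = record.get("level")
        if level in SEVERITY and is_at_least(level, minimum_level):
            upload.append(record)
        else:
            held.append(record)
    return upload, held


# Constructed sample records in a key=value layout like FortiGate logs; they
# are not captured from a real device.
SAMPLE_LOGS = [
    'date=2012-11-20 time=10:15:01 devname=FGT-branch level=critical type=event msg="Disk usage above 90 percent"',
    'date=2012-11-20 time=10:15:02 devname=FGT-branch level=warning type=event msg="Admin login failed"',
    'date=2012-11-20 time=10:15:03 devname=FGT-branch level=information type=traffic msg="Session accepted"',
    'date=2012-11-20 time=10:15:04 devname=FGT-branch level=debug type=event msg="Scheduler tick"',
    'date=2012-11-20 time=10:15:05 devname=FGT-branch type=traffic msg="Record without a level field"',
]

if __name__ == "__main__":
    now, later = select_for_realtime_upload(SAMPLE_LOGS, "warning")
    print("real-time:", [r["msg"] for r in now])
    print("daily only:", [r.get("msg") for r in later])
```

With the minimum set to warning, the critical and warning records are forwarded immediately and the information, debug and level-less records wait for the scheduled upload. The choice to hold rather than forward an unparseable record is deliberate: the daily upload still archives it, so nothing is lost, but a record cannot be promoted to real-time delivery by omitting or mangling its level field.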
Log storage
The FortiAnalyzer unit supports Structured Query Language (SQL) logging and reporting. The log data is inserted into the SQL database for generating reports. Both local and remote SQL database options are supported. For more information, see Reports on page 116.
Workflow
Once you have successfully deployed the FortiAnalyzer platform in your network, using and maintaining your FortiAnalyzer unit involves the following:
- Configuration of optional features, and re-configuration of required features if required by changes to your network
- Backups
- Updates
- Monitoring reports, logs, and alerts

Figure 5 illustrates the process of data logging, data analyzing, and report generation by the FortiAnalyzer unit in standalone or analyzer mode.

Figure 5: Logging, analyzing, and reporting workflow
Web-based Manager
This section describes general information about using the Web-based Manager to access the Fortinet system with a web browser. This section includes the following topics:
- System requirements
- Connecting to the Web-based Manager
- Web-based Manager overview
- Web-based Manager configuration
- Reboot and shutdown the FortiAnalyzer unit

Additional configuration options and short-cuts are sometimes available through right-click menus. Right-clicking the mouse in various locations in the interface accesses these options.
System requirements
Web browser
The FortiAnalyzer Web-based Manager supports the following web browsers:
- Microsoft Internet Explorer 9.0
- Mozilla Firefox 13.0 and 14.0
Resolution
Fortinet recommends setting your monitor to a screen resolution of 1280x1024. This allows for all the objects in the Web-based Manager to be properly viewed.
To connect to the Web-based Manager:
1. Connect the unit to a management computer using an Ethernet cable.
2. Configure the management computer to be on the same subnet as the internal interface of the FortiAnalyzer unit:
   a. Browse to Network and Sharing Center > Change Adapter Settings > Local Area Connection Properties > Internet Protocol Version 4 (TCP/IPv4) Properties.
   b. Change the IP address of the management computer to 192.168.1.2 and the netmask to 255.255.255.0.
3. On the management computer, start a supported web browser and browse to https://192.168.1.99 (remember to include the "s" in https://).
4. Type admin in the Name field, leave the Password field blank, and select Login.

You should now be able to use the FortiAnalyzer Web-based Manager.
If the network interfaces have been configured differently during installation, the URL and/or permitted administrative access protocols (such as HTTPS) may no longer be in their default state.
For information on enabling administrative access protocols and configuring IP addresses, see Configuring network interfaces on page 61.
If the URL is correct and you still cannot access the Web-based Manager, you may also need to configure static routes. For details, see Configuring static routes on page 61.
Tab bar
The Web-based Manager tab bar contains the device type, the available tabs, the Help button, and the Log Out button.
Figure 6: The tab bar
Device Manager tab: Manage groups, devices, and VDOMs, and view real-time monitor data. For more information, see Device Manager on page 24.
RTM Profiles tab: Configure and manage real-time monitor profiles. For more information, see RTM Profiles on page 96.
Log View tab: View and download logs for connected devices. For more information, see Log View on page 106.
Reports tab: Configure report templates, schedules, and output profiles, and manage charts and datasets. For more information, see Reports on page 116.
System Settings tab: Configure system settings such as network interfaces, administrators, system time, server settings, and others. You can also perform maintenance and firmware operations. For more information, see System Settings on page 36.
Help: Open the FortiAnalyzer online help.
Log Out: Log out of the Web-based Manager.
- Add a device using the Add Device wizard. For more information, see Devices and VDOMs on page 29.
- Add a device group. For more information, see Groups on page 27.
Tree menu
The Web-based Manager tree menu content varies depending on which tab is selected and how your FortiAnalyzer unit is configured. If ADOMs are enabled, the contents of the tree menu on all tabs except the System Settings tab will be organized by ADOM. Some elements in the tree menu can be right-clicked to access different configuration options.
Content pane
The content pane information changes depending on which tab is being viewed, and what element is selected in the tree menu. The content pane of the device manager and log view tabs is split horizontally into two frames.
Language
The Web-based Manager supports multiple languages; the default language is English. You can set the Web-based Manager to display in English, Simplified Chinese, Traditional Chinese, Japanese, or Korean. For best results, select the language that the management computer operating system uses. You can also set the interface to automatically detect the system language.
To change the Web-based Manager language:
1. Go to System Settings > Admin > Admin Settings.
2. In the Language field, select a language from the drop-down list, or select Auto Detect to use the same language as configured for your web browser.
3. Select OK.
Figure 8: Administration settings
Administrative access
Administrative access enables an administrator to connect to the system to view and change configuration settings. The default configuration of your system allows administrative access to one or more of the interfaces of the unit as described in the QuickStart and installation guides for your device. Administrative access can be configured in IPv4 or IPv6 and includes settings for: HTTPS, HTTP, PING, SSH, TELNET, SNMP, Web Service, and Aggregator.
HTTP and TELNET carry administrator credentials and sessions in cleartext. Enable only HTTPS and SSH for administration, and enable them only on the interface that faces your management network; leave every other protocol disabled on interfaces that carry device log traffic.
To change administrative access:
1. Go to System Settings > General > Network. By default, port1 settings will be presented. To configure administrative access for a different interface, select All Interfaces, and then select the interface from the list.
2. Set the IPv4 IP/Netmask or the IPv6 Address, select one or more Administrative Access types for the interface, and set the default gateway and DNS servers.
3. Select OK to finish changing the access.
For more information, see Network on page 59.
Idle timeout
By default, the Web-based Manager disconnects administrative sessions if no activity takes place for fifteen minutes. This idle timeout is recommended to prevent someone from using the Web-based Manager from a PC that is logged in and then left unattended; do not raise it beyond what your administrators actually need.
To change the Web-based Manager idle timeout:
1. Go to System Settings > Admin > Admin Settings.
2. Change the Idle Timeout minutes as required.
3. Select OK.
For more information, see Administrator settings on page 80.
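The first-login password, the administrative access protocols and the idle timeout described above are the settings an attacker probes first, so they are worth checking outside the GUI as well. The following is an added example, not from this guide and not Fortinet code: a Python script that reads a FortiAnalyzer-style text configuration (the config / edit / set / next / end layout of a configuration backup) and reports interfaces with HTTP or TELNET enabled, an idle timeout above fifteen minutes, and administrator accounts with no password line. The embedded sample configuration is constructed; the key names allowaccess, idle_timeout and password follow the FortiAnalyzer CLI style but are assumptions here, and the parser does not handle nested sub-tables.

```python
"""Audit a FortiAnalyzer-style configuration for weak management settings.

Added example, not code from the FortiAnalyzer guide or from Fortinet.
Assumes the flat CLI layout used in configuration backups:
    config <table>
        edit <name>
            set <key> <value...>
        next
    end
Nested sub-tables (a 'config' inside an 'edit') are not handled.
"""
from typing import Dict, List, Tuple

# Constructed sample configuration (not from a real unit). It contains the
# three weaknesses the guide warns about: cleartext management protocols on
# two interfaces, a very long idle timeout, and an administrator ('guest')
# that has no password line. Key names are assumed, not verified.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "port2"
        set ip 10.0.0.5 255.255.255.0
        set allowaccess ping telnet
    next
end
config system admin setting
    set idle_timeout 480
end
config system admin user
    edit "admin"
        set password ENC AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        set profileid Super_User
    next
    edit "guest"
        set profileid Standard_User
    next
end
"""

# Protocols that send credentials and sessions in cleartext.
CLEARTEXT_PROTOCOLS = {"http", "telnet"}
# The guide's default idle timeout, in minutes.
MAX_IDLE_MINUTES = 15

Config = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_config(text: str) -> Config:
    """Return {table: {entry: {key: [values]}}}.

    Settings of a table that has no 'edit' entries (for example
    'system admin setting') are stored under the entry name ''.
    """
    tables: Config = {}
    table = ""
    entry = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            table = line[len("config "):]
            entry = ""
            tables.setdefault(table, {}).setdefault(entry, {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip().strip('"')
            tables[table].setdefault(entry, {})
        elif line.startswith("set "):
            key, _, rest = line[len("set "):].partition(" ")
            tables[table][entry][key] = rest.split()
        elif line == "next":
            entry = ""
        elif line == "end":
            table = ""
            entry = ""
    return tables


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the configuration text."""
    cfg = parse_config(text)
    findings: List[Tuple[str, str]] = []

    # 1. Interfaces that expose cleartext management protocols.
    for name, settings in cfg.get("system interface", {}).items():
        if not name:
            continue
        weak = sorted(set(settings.get("allowaccess", [])) & CLEARTEXT_PROTOCOLS)
        if weak:
            findings.append(("high", f"{name}: cleartext management protocols enabled: {', '.join(weak)}"))

    # 2. Idle timeout raised above the recommended default.
    idle = cfg.get("system admin setting", {}).get("", {}).get("idle_timeout")
    if idle and int(idle[0]) > MAX_IDLE_MINUTES:
        findings.append(("medium", f"idle_timeout is {idle[0]} minutes (recommended {MAX_IDLE_MINUTES} or less)"))

    # 3. Administrator accounts with no password set at all.
    for name, settings in cfg.get("system admin user", {}).items():
        if name and "password" not in settings:
            findings.append(("high", f"administrator '{name}' has no password set"))

    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against the text of a decrypted configuration backup. Every finding maps to a GUI fix described in this section: remove HTTP and TELNET under System Settings > General > Network, lower the Idle Timeout under System Settings > Admin > Admin Settings, and set a password for any administrator the script names.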
Reboot and shutdown the FortiAnalyzer unit
To reboot the FortiAnalyzer unit:
1. From the Web-based Manager, go to System Settings > General > Dashboard.
2. In the Unit Operation widget, select Reboot or, in the CLI Console widget, enter:
   execute reboot
To shutdown the FortiAnalyzer unit:
1. From the Web-based Manager, go to System Settings > General > Dashboard.
2. In the Unit Operation widget, select Shutdown or, in the CLI Console widget, enter:
   execute shutdown
Device Manager
The device manager tab allows you to add and edit devices, groups, and VDOMs, and view real-time monitor data for those devices. It also allows you to create, edit, and delete ADOMs, when they are enabled (see System Information widget on page 40).
Figure 10: Device manager tab
The tree menu, on the left side of the interface, shows the ADOMs and the device groups within those ADOMs. If ADOMs are disabled, the tree menu simply shows the device groups. When a device group is selected, the devices and VDOMs within that group are listed in the top half of the content pane on the right of the interface. The device and VDOM list can be searched using the search box in the content pane tool bar. The columns shown in the list can be changed, and the list can be sorted by selecting a column header.
To change the column settings:
1. Right-click anywhere in the content pane to open the right-click menu.
2. Select Column Settings. Columns currently included in the content pane table have a green check mark next to them.
3. Select a column from the list to add or remove that column from the table.
ADOMs
When ADOMs are enabled, the device manager tab has collapsible ADOM navigation, where all of the ADOMs are displayed on the tree menu on the left of the interface. The devices within each ADOM are shown in the configured device groups, or in the default All FortiGate group if no other groups have been created. When ADOMs are disabled, the tree menu simply displays the device groups. The number of devices within each group is shown in parentheses next to the group name.
To add an ADOM:
1. In the device manager tab, right-click on an ADOM name.
2. In the right-click menu, under the ADOM heading, select Create New. The Create ADOM dialog box opens.
Figure 12: Create an ADOM
3. Enter the following information:
   Name: Enter a name that will allow you to distinguish this ADOM from your other ADOMs.
   Version: Select the version of the devices that will be in the ADOM.
   Search: Enter a search term to find a specific device (optional).
   Devices: Select members from the available member list on the left and transfer them to the Selected member list on the right to assign the devices to the ADOM.
4. Select OK to create the ADOM.
To edit an ADOM:
1. In the device manager tab, right-click on the ADOM you need to edit.
2. In the right-click menu, under the ADOM heading, select Edit. The Edit ADOM dialog box opens.
Figure 13: Edit an ADOM
3. Edit the following information as required:
   Search: Enter a search term to find a specific device (optional).
   Devices: Select members from the available member list on the left and transfer them to the Selected member list on the right to assign the devices to the ADOM.
   Status: Enable or disable the ADOM.
4. Select OK to finish editing the ADOM.
To delete an ADOM:
1. In the device manager tab, right-click on the ADOM you need to delete.
2. In the right-click menu, under the ADOM heading, select Delete.
Groups
Groups are used to organize devices and VDOMs and to update the firmware on the devices within the group. Groups can also contain other groups.
To create a new group:
1. In the device manager tab, right-click on an element in the tree menu.
2. In the right-click menu, under the Device Group heading, select Create New. The Add Device Group dialog box opens.
3. Enter the following information:
   Group Name: Enter a name for the group.
   Description: Enter a description of the group (optional).
   OS Type: Select the device type from the drop-down list.
   Search: Enter a search term to find a specific device (optional).
   Devices and groups: Select members from the available member list on the left and transfer them to the Selected member list on the right to add the devices to the group.
   Select All: Use this button to select all the devices and groups in the device list.
   Deselect All: Use this button to deselect all the devices and groups in the device list.
   Show All Devices/Groups: Select to show all devices and groups.
4. Select OK to create the group.
To edit a group:
1. In the device manager tab, right-click on the group you need to edit in the tree menu.
2. In the right-click menu, under the Device Group heading, select Edit. The Edit Device Group dialog box opens.
3. Change the group information and the devices, groups, and VDOMs that are in the group as needed, and then select OK to finish editing the group.
To delete a group:
1. In the device manager tab, right-click on the group you need to delete in the tree menu.
2. In the right-click menu, under the Device Group heading, select Delete.
3. Select OK in the confirmation window to delete the group.
To update device firmware:
1. In the device manager tab, right-click on the group containing the device whose firmware will be updated in the tree menu.
2. In the right-click menu, under the Device Group heading, select Firmware Update. This option is only available on user-created groups.
3. The Group Firmware Information dialog box opens in the content pane, showing the available firmware upgrades and the upgrade history.
To add a model device: 1. Right-click on a group in the tree menu or in the content pane and, from the right-click menu, select Add Device. The Add Device wizard opens.
2. Enter the device IP address, name, and password in the requisite fields.
3. Select Next to continue to the next wizard page: Add Device.
Figure 16: Add device wizard, add device screen
4. Enter the following information:
   Name: Enter a name for the device.
   Description: Enter a description for the device (optional).
   Device Type: Select the device type on the drop-down list.
   Device Model: Select the device model on the drop-down list.
   Firmware Version: Select the firmware version and major release on the drop-down list.
   Serial Number: Enter the device serial number. This value must match the device model selected.
   Enable Interface Mode: Select to enable interface mode. If the device does not support interface mode, this option is not available.
   Hard Disk Installed: This option is available when the device model has a hard disk.
   Disk Log Quota: Enter the disk log quota in MB.
   When Allocated Disk Space is Full: Select to overwrite the oldest logs or to stop logging when the allocated disk space is full.
   Device Permissions: Select the device permissions from: Logs, DLP Archive, Quarantine, and IPS Packet Log.
   Add to Groups: Select to add the device to any predefined groups.
   Other Device Information: Enter other device information (optional), including: Company/Organization, Contact, City, Province/State, and Country.
5. Select Next to proceed to the next add device page.
Figure 17: Add device wizard, add device screen two
6. After the device has been created successfully, select Next to proceed to the summary page.
7. Select Finish to add the device model.
To edit a device:
1. In the device manager tab, in the tree menu, select the group that contains the device you need to edit.
2. In the content pane, right-click on the device and select Edit from the right-click menu. The Edit Device dialog box opens.
3. Edit the following information as needed:
   Name: The name of the device.
   Description: Descriptive information about the device.
   Company/Organization: Company or organization information.
   Country: Enter the country.
   Province/State: Enter the province or state.
   City: Enter the city.
   Contact: Enter the contact name.
   IP Address: The IP address of the device.
   Admin User: The administrator username.
   Password: The administrator password.
   Device Information: Information about the device, including serial number, device model, firmware version, connected interface, HA mode, cluster name, and cluster members.
   Disk Log Quota: The amount of space that the disk log is allowed to use, in MB.
   When Allocated Disk Space is Full: The action for the system to take when the disk log quota is filled, either Overwrite Oldest Logs or Stop Logging.
   Secure Connection: Select the check box to enable this feature. Secure Connection secures OFTP traffic through an IPsec tunnel.
   ID: The device serial number.
   Pre-Shared Key: The pre-shared key for the IPsec connection between the FortiGate and FortiAnalyzer. Use a long, randomly generated key that is unique to each device; the same value must be configured on the FortiGate.
   Device Permissions: The device's permissions. Select any of: Logs, DLP Archive, Quarantine, and IPS Packet Log.
4. Select OK to finish editing the device.
To delete a device or VDOM:
1. In the device manager tab, in the tree menu, select the group that contains the device or VDOM you need to delete.
2. In the content pane, right-click on the device or VDOM and select Delete in the right-click menu.
3. Select OK in the confirmation window to delete the device or VDOM.
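The Disk Log Quota and When Allocated Disk Space is Full settings in the add and edit device dialogs decide what evidence survives once a device's quota is exhausted. The following is an added example, not from this guide and not Fortinet code: a small Python model of the two policies, Overwrite Oldest Logs and Stop Logging, replayed over a constructed burst of records so the records lost under each policy are visible. Sizes are in bytes here rather than the MB the dialog uses, the record names are made up, and the model is a plain FIFO, not a description of how the unit stores logs internally.

```python
"""Model the two 'When Allocated Disk Space is Full' policies.

Added example, not code from the FortiAnalyzer guide or from Fortinet.
It is a toy model of the per-device disk log quota: a FIFO of records that
either evicts the oldest record (Overwrite Oldest Logs) or refuses new
records (Stop Logging) once the quota would be exceeded.
"""
from collections import deque
from typing import Deque, List, Tuple

OVERWRITE_OLDEST = "overwrite_oldest_logs"
STOP_LOGGING = "stop_logging"


class DiskLogQuota:
    """Per-device log store with a byte quota and a full-quota policy."""

    def __init__(self, quota_bytes: int, policy: str) -> None:
        if policy not in (OVERWRITE_OLDEST, STOP_LOGGING):
            raise ValueError(f"unknown policy: {policy}")
        self.quota = quota_bytes
        self.policy = policy
        self.records: Deque[Tuple[str, int]] = deque()  # (record id, size)
        self.used = 0
        self.evicted: List[str] = []  # overwritten under OVERWRITE_OLDEST
        self.dropped: List[str] = []  # refused under STOP_LOGGING

    def write(self, record_id: str, size: int) -> bool:
        """Store one record; return True if it was kept."""
        if size > self.quota:
            raise ValueError("a single record cannot exceed the whole quota")
        if self.used + size > self.quota:
            if self.policy == STOP_LOGGING:
                # New events are lost, old evidence is preserved.
                self.dropped.append(record_id)
                return False
            # Old evidence is lost, new events are preserved.
            while self.used + size > self.quota:
                old_id, old_size = self.records.popleft()
                self.used -= old_size
                self.evicted.append(old_id)
        self.records.append((record_id, size))
        self.used += size
        return True

    def stored_ids(self) -> List[str]:
        """Record ids currently held, oldest first."""
        return [rid for rid, _ in self.records]


def replay(policy: str, quota_bytes: int, records: List[Tuple[str, int]]) -> DiskLogQuota:
    """Feed the records in order into a fresh quota and return it."""
    store = DiskLogQuota(quota_bytes, policy)
    for record_id, size in records:
        store.write(record_id, size)
    return store


# Constructed burst: ten 100-byte records against a 450-byte quota, so the
# quota fills after the fourth record whichever policy is in force.
SAMPLE_RECORDS = [(f"log-{i:02d}", 100) for i in range(10)]
SAMPLE_QUOTA = 450

if __name__ == "__main__":
    for policy in (OVERWRITE_OLDEST, STOP_LOGGING):
        store = replay(policy, SAMPLE_QUOTA, SAMPLE_RECORDS)
        print(f"{policy}: kept {store.stored_ids()}, "
              f"evicted {store.evicted}, dropped {store.dropped}")
```

Overwrite Oldest Logs keeps the most recent events at the cost of the earliest, so a noisy device, or an attacker deliberately generating log volume, can push the records you need for an investigation out of the quota. Stop Logging preserves what was already stored but records nothing after the quota fills, so you must notice when that happens. Size the quota for the device's real log rate rather than relying on either policy.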
Real-time monitor
When a device is selected in the upper content pane, real-time monitor data for that device, based on the RTM profile to which that device is assigned, is displayed in the lower content pane. For more information on RTM profiles, see RTM Profiles on page 96.
Figure 20: Real-time monitor pane
To change the dashboard that is shown, select Real-time Monitor in the tool bar, and then select the desired dashboard from the drop-down list. To refresh the data displayed in any of the available charts, select the refresh button on the chart (Figure 21).
Figure 21: Refresh a chart
To change the charts that are displayed in the pane, the RTM profile must be changed. See RTM Profiles on page 96 for more information on configuring RTM profiles.
System Settings
The System Settings module enables you to manage and configure the basic system options for the FortiAnalyzer unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access privileges, and managing and updating firmware for the device.
Additional configuration options and short-cuts are available using the right-click menu. Right-click the mouse on different navigation panes on the Web-based Manager page to access these options.
The System Settings tab provides access to the following menus and sub-menus:
General: Select this menu to configure, monitor, and troubleshoot the main system information.
- Dashboard
- All ADOMs
- Network
- Certificates
- Log Access
- Diagnostic tools
Admin: Select this menu to configure administrator user accounts, as well as configure global administrative settings for the FortiAnalyzer unit.
- Monitoring administrator sessions
- Administrator Profile
- Remote authentication server
- RADIUS server
- LDAP server
- TACACS+ server
- Administrator settings
Advanced: Select to configure mail server settings, remote output, SNMP, metafield data and other advanced settings.
- SNMP v1/v2c
- Advanced settings
- Alerts
- Alerts event
- Mail server
- Syslog Server
- Alert Console
- Device Log
- Log Setting
- Log Access
- Task Monitor
Dashboard
When you select the System Settings tab, it automatically opens at the System Settings > General > Dashboard page; see Figure 22. The Dashboard page displays widgets that provide performance and status information and enable you to configure basic system settings. The dashboard also contains a CLI widget that enables you to use the command line through the Web-based Manager. These widgets appear on a single dashboard.
The following widgets are available:
System Information: Displays basic information about the FortiAnalyzer system, such as up time and firmware version. For more information, see General settings on page 56. From this widget you can also manually update the FortiAnalyzer firmware to a different release. For more information, see System Information widget on page 40.
License Information: Displays the devices being managed by the FortiAnalyzer unit and the maximum numbers of devices allowed. For more information, see License Information widget on page 49.
Unit Operation: Displays status and connection information for the ports of the FortiAnalyzer unit. It also enables you to shutdown and restart the FortiAnalyzer unit or reformat a hard disk. For more information, see Unit Operation widget on page 50.
System Resources: Displays the real-time and historical usage status of the CPU, memory and hard disk. For more information, see System Resource widget on page 48.
Alert Messages Console: Displays log-based alert messages for both the Fortinet unit itself and connected devices. For more information, see Alert Messages Console widget on page 50.
CLI Console: Opens a terminal window that enables you to configure the FortiAnalyzer unit using CLI commands directly from the Web-based Manager. This widget is hidden by default. For more information, see CLI Console widget on page 51.
RAID Monitor: Displays information about the status of RAID disks as well as what RAID level has been selected. It also displays how much disk space is currently consumed. For more information, see RAID Monitor widget on page 52.
To move a widget:
Position your mouse cursor on the widget's title bar, then click and drag the widget to its new location.
To add a widget:
In the dashboard tool bar, select Add Widget, then select the names of widgets that you want to show. To hide a widget, in its title bar, select the Close icon.
Figure 23: Adding a widget
Multiple System Resources widgets can be added to the dashboard. Only one of all of the other widgets may be added.
Show/Hide arrow: Display or minimize the widget.
Widget Title: The name of the widget.
More Alerts: Show the Alert Messages dialog box. This option appears only on the Alert Message Console widget.
Edit: Select to change settings for the widget. This option appears only on certain widgets.
Detach: Detach the CLI Console widget from the dashboard and open it in a separate window. This option appears only on the CLI Console widget.
RAID Settings: Show the RAID Settings dialog box, which displays the current RAID settings and allows for configuration of the RAID level if available. This option appears only on the RAID Monitor widget.
Refresh: Select to update the displayed information.
Close: Select to remove the widget from the dashboard. You will be prompted to confirm the action. To add the widget again, select Add Widget in the tool bar and then select the name of the widget you want to show.
The following information is available on this widget:
Host Name: The identifying name assigned to this FortiAnalyzer unit. For more information, see Changing the host name on page 41.
Serial Number: The serial number of the FortiAnalyzer unit. The serial number is unique to the FortiAnalyzer unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.
Platform Type: Displays the FortiAnalyzer platform type, that is, the hardware model or the virtual machine platform.
System Time: The current time on the FortiAnalyzer internal clock. For more information, see Configuring the system time on page 42.
Firmware Version: The version number and build number of the firmware installed on the FortiAnalyzer unit. To update the firmware, you must download the latest version from the Customer Service & Support web site at https://support.fortinet.com. Select Update and select the firmware image to load from the local hard disk or network volume. For more information, see Updating the system firmware on page 44.
System Configuration: The date of the last system configuration backup. The following actions are available: Select Backup to backup the system configuration to a file; see Backing up the system on page 45. Select Restore to restore the configuration from a backup file; see Restoring the configuration on page 46.
Current Administrators: The number of administrators that are currently logged in. The following actions are available: Select Change Password to change your own password. Select Details to view the session details for all currently logged in administrators. See Monitoring administrator sessions on page 67 for more information.
Up Time: The duration of time the FortiAnalyzer unit has been running since it was last started or restarted.
Administrative Domain: Displays whether ADOMs are enabled, and allows for enabling and disabling ADOMs.
Operation Mode: Display and change the current operating mode.
Changing the host name
The CLI prompt displays a long host name in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed. For example, if the host name is Fortinet1234567890, the CLI prompt would be Fortinet123456~#.
To change the host name:
1. Go to System Settings > General > Dashboard.
2. In the System Information widget, next to the Host Name field, select Change. The Change Host Name dialog box appears; see Figure 26.
Figure 26: Edit Host Name dialog box
3. In the Host Name field, type a new host name. The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.
4. Select OK.
Configuring the system time
For many features to work, including scheduling, logging, and SSL-dependent features, the Fortinet system time must be accurate. Log timestamps are only useful for correlation with other systems if this clock is correct.
To configure the date and time:
1. Go to System Settings > General > Dashboard.
2. In the System Information widget, in the System Time field, select Change. The Change System Time Settings dialog box appears; see Figure 27.
3. Configure the following settings to either manually configure the system time, or to automatically synchronize the Fortinet unit's clock with an NTP server:
   System Time: The date and time according to the Fortinet unit's clock at the time that this tab was loaded, or when you last selected the Refresh button.
   Time Zone: Select the time zone in which the Fortinet unit is located and whether or not the system automatically adjusts for daylight savings time.
   Set Time: Select this option to manually set the date and time of the Fortinet unit's clock, then select the Hour, Minute, Second, Year, Month, and Day fields before you select OK.
   Synchronize with NTP Server: Select this option to automatically synchronize the date and time of the Fortinet unit's clock with an NTP server, then configure the Sync Interval and Server fields before you select OK.
   Sync Interval: Enter how often in minutes the Fortinet unit should synchronize its time with the NTP server. For example, entering 1440 causes the Fortinet unit to synchronize its time once a day.
   Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org. Where possible, point the unit at an NTP server inside your own network that you control rather than an arbitrary Internet server.
Updating the system firmware
Before you can download firmware updates for your Fortinet unit, you must first register your Fortinet unit with Customer Service & Support. For details, go to https://support.fortinet.com/ or contact Customer Service & Support.
Back up the system configuration before you upgrade (see Backing up the system on page 45). Where the support site publishes a checksum for the image, verify the downloaded file against it before you upload it to the unit.
To manually update the Fortinet firmware:
1. Download the firmware (the .out file) from the Customer Service & Support web site, https://support.fortinet.com/.
2. Go to System Settings > General > Dashboard.
3. In the System Information widget, in the Firmware Version field, select Update. The Firmware Upgrade window opens.
4. Select Browse to locate the firmware package (.out file) that you downloaded from the Customer Service & Support web site, and select Open.
5. Select OK to upload the file. Your browser uploads the firmware file. The time required varies by the size of the file and the speed of your network connection. When the file transfer is complete, a prompt appears: Manual upload release complete. It will take a few minutes to unpack the uploaded release. Please wait.
6. Wait until the unpacking process completes, then refresh the page. The firmware package file name will appear in the Releases Available For Upgrade section after you refresh the page.
7. Select the firmware package, then select the icon in the Upgrade Firmware column and select OK in the dialog box that appears. The Fortinet unit installs the firmware and restarts. If you changed the firmware to an earlier version whose configuration is not compatible, you may need to do first-time setup again. For instructions, see the QuickStart guide for your unit.
Installing firmware replaces the current network vulnerability management engine with the version included with the firmware release that you are installing. After you install the new firmware, make sure that your vulnerability definitions are up-to-date.
To change the FortiAnalyzer system firmware through FDN:
1. The FortiAnalyzer system can automatically download firmware updates from FDN, if you have a valid support license. To access these updates, go to System Settings > General > Dashboard.
2. In the System Information widget, in the Firmware Version row, select Update. The Firmware Upgrade dialog box appears. When new versions of firmware are available on FDN, new entries are shown in the From Server drop-down list.
3. Select the Download icon to start downloading the new upgrade firmware. The time required varies by the size of the file and the speed of your network connection.
4. Wait until the unpacking process completes, then refresh the page. The new firmware package will appear in the Releases Available For Upgrade section after you refresh the page.
5. Select the firmware package, then select the icon in the Upgrade Firmware column and select OK in the dialog box that appears. The Fortinet unit installs the firmware and restarts.
3. Configure the following settings:
   Encryption: Select to encrypt the backup file with a password. The password is required to restore the configuration. The check box is selected by default.
   Password: (Optional) Select a password. This password is used to encrypt the backup file, and is required to restore the file. This option is available only when the Encryption check box is selected.
   Confirm Password: Re-enter the password to confirm it.
4. If you want to encrypt the backup file, select the Encryption check box, then enter and confirm the password you want to use. Leave encryption enabled for any backup that is stored off the unit: the file holds the complete system configuration, and an unencrypted copy is readable by anyone who obtains it. Keep the password where you can retrieve it, because the backup cannot be restored without it.
5. Select OK and save the backup file on your management computer.
3. Configure the following settings and select OK.
   From Local: Select Browse to find the configuration backup file you want to restore.
   Password: Enter the encryption password, if applicable.
   Overwrite current IP, routing: Select the check box to overwrite the current IP and routing settings.
3. Select the required operation mode for the unit and, if necessary, enter any required information for the selected mode. See Operation modes on page 12 for more information. 4. Select OK to change the operation mode.
CPU Usage: The current CPU utilization. The Web-based Manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the Web-based Manager) is excluded.
Memory Usage: The current memory utilization. The Web-based Manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the Web-based Manager) is excluded.
Hard Disk Usage: The current hard disk usage, shown on a pie chart as a percentage of total hard disk space. This item does not appear when viewing historical system resources.
Network Utilization: The network utilization over the specified historical time period. This item does not appear when viewing current (Real Time) system resources.
To change the System Resources widget display settings:
1. Go to System Settings > General > Dashboard.
2. In the System Resources widget, hover the mouse over the title bar and select the Edit icon. The Edit System Resources Settings dialog box appears.
Figure 33: Edit System Resources Settings window
3. You can configure the following settings:
   - To view only the most current information about system resources, from View Type, select Real Time. This is the default.
   - To view historical information about system resources, from View Type, select History. To change the time range, from Time Period, select one of the following: Last 10 minutes, Last 1 hour, or Last 24 hours.
   - To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0.
4. Select OK to apply your settings.
Port numbers (vary depending on model): The image below the port name indicates its status by its color. Green indicates the port is connected. Grey indicates there is no connection. For more information about a port's configuration and throughput, position your mouse over the icon for that port. You will see the full name of the interface, the IP address and netmask, the status of the link, the speed of the interface, and the number of sent and received packets.
Reboot: Select to restart the FortiAnalyzer unit. You are prompted to confirm before the reboot is executed.
Shutdown: Select to shutdown the FortiAnalyzer unit. You are prompted to confirm before the shutdown is executed.
The widget displays only the most current alerts. For a complete list of unacknowledged alert messages (see Figure 37), select the More Alerts icon in the widget's title bar. A popup window appears. To clear the list, select Clear Alert Messages.
Figure 37: List of all alert messages
Select the Edit icon in the title bar to open the Edit Alert Message Console Settings dialog box so that you can adjust the number of entries visible, and their refresh interval.
The CLI Console widget requires that your web browser support JavaScript.
To use the console, click within the console area. Doing so will automatically log you in using the same administrator account you used to access the Web-based Manager. You can then enter commands by typing them. You can copy and paste commands into or from the console.
The command prompt, by default the model number such as Fortinet-800B #, contains the host name of the Fortinet unit. To change the host name, see Changing the host name on page 41.
For information on available CLI commands, see the FortiAnalyzer CLI Reference.
Figure 38: CLI Console widget
To configure RAID:
1. Go to System Settings > General > Dashboard.
2. From the RAID Monitor widget title bar, select RAID Settings. The RAID Settings dialog box appears; see Figure 40.
Figure 40: RAID Settings
3. From the RAID Level list, select the RAID option you want to configure and then select Apply. Once selected, depending on the RAID level, it may take a while to generate the RAID array. Back up the log data before changing the RAID level, as described under To add more hard disks below.
5. Restart the FortiAnalyzer unit. The FortiAnalyzer unit will automatically add the new disk to the current RAID array. The status appears on the console. After the FortiAnalyzer unit boots, the widget will display a green check mark icon for all disks and the RAID Status area will display the progress of the RAID re-synchronization/rebuild.
Electrostatic discharge (ESD) can damage FortiAnalyzer equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist or ankle strap and attaching it to an ESD connector or to a metal part of a FortiAnalyzer chassis.
When replacing a hard disk, you need to first verify that the new disk has the same size as those supplied by Fortinet and has at least the same capacity as the old one in the FortiAnalyzer unit. Installing a smaller hard disk will affect the RAID setup and may cause data loss. Due to possible differences in sector layout between disks, the only way to guarantee that two disks have the same size is to use the same brand and model. The size provided by the hard drive manufacturer for a given disk model is only an approximation. The exact size is determined by the number of sectors present on the disk.
Once a RAID array is built, adding another disk with the same capacity will not affect the array size until you rebuild the array by restarting the FortiAnalyzer unit.
Fortinet recommends that you use the same disks as those supplied by Fortinet. Disks of other brands will not be supported by Fortinet. For information on purchasing extra hard disks, contact your Fortinet reseller.
To add more hard disks:
1. Obtain the same disks as those supplied by Fortinet.
2. Back up the log data on the FortiAnalyzer unit. You can also migrate the data to another FortiAnalyzer unit if you have one. Data migration reduces system down time and the risk of data loss. For information on data backup, see Backing up the system on page 45.
3. Install the disks in the FortiAnalyzer unit. You can do so while the FortiAnalyzer unit is running.
4. Configure the RAID level.
5. If you backed up the log data, restore the data. For more information, see Restoring the configuration on page 46.
General settings
All ADOMs
The All ADOMs option displays all the ADOMs configured on the device and provides the option to create new ADOMs. It is only visible if ADOMs are enabled; see System Information widget on page 40.
Figure 41: All ADOMs list
Create New: Select to create a new ADOM.
Search: Enter a keyword to search your ADOMs.
Name: The names of the current ADOMs.
Version: The firmware release version for the ADOM.
Device: The devices that are currently in the ADOM.
VPN Management, # of Policy Packages, Alert Device: Additional columns shown in the list.
To create a new ADOM:
1. Select Create New from the ADOM list tool bar, or right click in the ADOM list and select New in the right-click menu. The Create ADOM dialog box opens.
2. Enter a name for the ADOM in the Name field.
3. Select the version of the firmware release for the ADOM from the drop-down list.
4. Select the devices to be added to the ADOM from the device list on the left, and then select the arrow button to transfer them into the selected devices list on the right.
5. Select OK to create the ADOM.
To edit an ADOM:
1. Right click on the ADOM you need to edit and select Edit from the right-click menu. The Edit ADOM dialog box opens.
2. Edit the ADOM information as required and then select OK. The name of the ADOM and the version cannot be edited.
To delete an ADOM:
1. Right click on the ADOM you would like to delete and select Delete from the right-click menu.
2. Select OK in the confirmation dialog box to delete the ADOM.
Network
The FortiAnalyzer unit can manage Fortinet devices connected to any of its interfaces. The DNS servers must be on the networks to which the FortiAnalyzer unit connects, and should have two different addresses. To view the configured network interfaces, go to System Settings > General > Network. The Network screen is displayed. Figure 44:Network screen
The following information is available:
Management Interface
  IP/Netmask: The IP address and netmask associated with this interface.
  IPv6 Address: The IPv6 address and netmask associated with this interface.
  Administrative Access: Select the allowed administrative service protocols from: HTTPS, HTTP, PING, SSH, Telnet, SNMP, Web Service, and Aggregator.
  IPv6 Administrative Access: Select the allowed IPv6 administrative service protocols from: HTTPS, HTTP, PING, SSH, Telnet, SNMP, Web Service, and Aggregator.
  Default Gateway: The default gateway associated with this interface.
DNS
  Primary DNS Server: Enter the primary DNS server IP address.
  Secondary DNS Server: Enter the secondary DNS server IP address.
All Interfaces: Click to open the network interface list. See Viewing the network interface list on page 60.
Routing Table: Click to open the routing table. See Configuring static routes on page 61.
IPv6 Routing Table: Click to open the IPv6 routing table. See Configuring IPv6 static routes on page 63.
Diagnostic Tools: Select to run available diagnostic tools, including Ping, Traceroute, and View logs.
The following information is available:
Name: The names of the physical interfaces on your FortiAnalyzer unit. The name, including number, of a physical interface depends on the model. Unlike FortiGate, you cannot set alias names for the interfaces. For more information on configuring the interface, see Configuring network interfaces on page 61. If HA operation is enabled, the HA interface has /HA appended to its name.
IP / Netmask: The IP address and netmask associated with this interface.
IPv6: The IPv6 address associated with this interface.
Description: A description of the interface.
Administrative Access: The list of allowed administrative service protocols on this interface. These include HTTP, HTTPS, PING, SSH, and Telnet.
IPv6 Administrative Access: The list of allowed IPv6 administrative service protocols on this interface.
Enable: Displays if the interface is enabled or disabled. If the port is enabled, a green circle with a check mark appears in the column. If the interface is not enabled, a gray circle with an X appears in the column.
Enable: Select to enable this interface. A green circle with a check mark appears in the interface list to indicate the interface is accepting network traffic. When not selected, a gray circle with an X appears in the interface list to indicate the interface is down and not accepting network traffic.
Alias
IP Address/Netmask: Enter the IP address and netmask for the interface.
IPv6 Address: Enter the IPv6 address for the interface.
Administrative Access: Select the services to allow on this interface. Any interface that is used to provide administration access to the FortiAnalyzer unit will require at least HTTPS or HTTP for web-manager access, or SSH for CLI access.
IPv6 Administrative Access: Select the services to allow on this interface.
Description: Enter a brief description of the interface (optional).
Delete: Select the check box next to the route number and select Delete to remove the route from the table.
Create New: Select Create New to add a new route. See Add a static route on page 62.
#: The route number. Select the route number to edit the settings.
Destination IP/Mask: The destination IP address and netmask for this route.
Gateway: The IP address of the next hop router to which this route directs traffic.
Interface: The network interface that connects to the gateway.
Add a static route
Go to System Settings > General > Network, select the Routing Table button, and select Create New to add a route, or select the route number to edit an existing route.
Figure 48: Create New route
Destination IP/Mask: Enter the destination IP address and netmask for this route.
Gateway: Enter the IP address of the next hop router to which this route directs traffic.
Interface: Select the network interface that connects to the gateway.
Add an IPv6 static route
Go to System Settings > General > Network, select the IPv6 Routing Table button, and select Create New to add a route, or select the route number to edit an existing route.
Figure 49: Create New route
Destination IPv6 Prefix: Enter the destination IPv6 prefix for this route.
Gateway: Enter the IPv6 address of the next hop router to which this route directs traffic.
Interface: Select the network interface that connects to the gateway.
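The following Python example is added to this guide and is not Fortinet code. It shows what the Destination, Gateway and Interface fields of the two routing tables mean in practice: a check that the gateway you enter actually sits on the subnet of the interface you selected (a route whose gateway is unreachable from its interface silently blackholes traffic), and the longest-prefix lookup that decides which route, IPv4 or IPv6, the unit would use for a given destination. The interface names, addresses and routes are constructed sample data, not values from a FortiAnalyzer unit.

```python
import ipaddress

# Constructed sample data (not from a FortiAnalyzer unit). Interfaces are given as
# address/netmask exactly as the Network page shows them; routes are
# (destination/netmask or prefix, gateway, interface) as in both routing tables.
INTERFACES = {
    "port1": ipaddress.ip_interface("192.0.2.10/255.255.255.0"),
    "port2": ipaddress.ip_interface("10.10.0.5/255.255.0.0"),
    "port3": ipaddress.ip_interface("2001:db8:1::10/64"),
}

ROUTES = [
    ("0.0.0.0/0.0.0.0", "192.0.2.1", "port1"),            # IPv4 default route
    ("10.10.0.0/255.255.0.0", "10.10.0.1", "port2"),
    ("10.10.20.0/255.255.255.0", "10.10.0.254", "port2"),  # more specific than the /16
    ("::/0", "2001:db8:1::1", "port3"),                    # IPv6 default route
]


def parse_route(dest, gateway, iface):
    """Accept dotted netmasks (IPv4) or prefix lengths (IPv6) in the destination."""
    return ipaddress.ip_network(dest, strict=False), ipaddress.ip_address(gateway), iface


def validate_route(dest, gateway, iface, interfaces):
    """Return a list of problems with a proposed route; [] means it is consistent.
    The gateway must be directly reachable, i.e. inside the selected interface's subnet,
    and destination and gateway must belong to the same address family."""
    net, gw, _ = parse_route(dest, gateway, iface)
    problems = []
    if iface not in interfaces:
        problems.append(f"unknown interface {iface}")
    else:
        link = interfaces[iface]
        if gw.version != link.version:
            problems.append("gateway address family does not match interface")
        elif gw not in link.network:
            problems.append(f"gateway {gw} is not on {iface}'s subnet {link.network}")
    if net.version != gw.version:
        problems.append("destination and gateway address families differ")
    return problems


def lookup(destination, routes):
    """Longest-prefix match: the most specific route containing the destination wins.
    Returns (gateway, interface) or None when no route, not even a default, matches."""
    addr = ipaddress.ip_address(destination)
    best = None
    for dest, gw, iface in routes:
        net, gwaddr, _ = parse_route(dest, gw, iface)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gwaddr, iface)
    return None if best is None else (str(best[1]), best[2])
```

Run validate_route on every entry before saving it; the unit accepts a gateway outside the interface subnet, but traffic for that destination will never leave the box.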
Certificates
The FortiAnalyzer unit generates a certificate request based on the information you enter to identify the FortiAnalyzer unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiAnalyzer unit and then forward the request to a CA.
Certificate Name: The name of the certificate.
Key Size: Select the key size from the drop-down list.
Common Name (CN): Enter the common name of the certificate.
Country (C): Select the country from the drop-down list.
State/Province (ST): Enter the state or province.
Locality (L): Enter the locality.
Organization (O): Enter the organization for the certificate.
Organization Unit (OU): Enter the organization unit.
E-mail Address (EA): Enter the email address.
The certificate window also enables you to import, view, and download the certificates used for authentication.
Importing certificates
To import a local certificate:
1. Go to System Settings > General > Certificates > Local Certificates.
2. Select the Import button.
3. Enter the location of the local certificate, or select Browse and browse to the location of the certificate, and select OK.
To import a CA certificate:
1. Go to System Settings > General > Certificates > CA Certificates.
2. Select the Import button.
3. Enter the location of the CA certificate, or select Browse and browse to the location of the certificate, and select OK.
The following information is displayed when you view a certificate:
Subject: The subject of the certificate.
Valid From: The date from which the certificate is valid.
Valid To: The last day that the certificate is valid. The certificate should be renewed before this date.
Version: The certificate's version.
Serial Number: The serial number of the certificate.
Extension: The certificate extension information.
To view a CA certificate:
1. Go to System Settings > General > Certificates > CA Certificates.
2. Select the certificate you would like to see details about and click View Certificate Detail. The details displayed are similar to those displayed for a local certificate.
Downloading a certificate
To download a local certificate:
1. Go to System Settings > General > Certificates > Local Certificates.
2. Select the certificates you would like to download, click Download, and save the certificate to the desired location.
To download a CA certificate:
1. Go to System Settings > General > Certificates > CA Certificates.
2. Select the certificates you would like to download, click Download, and save the certificate to the desired location.
Log Access
The logs created by FortiAnalyzer are viewable within the Web-based Manager. You can use the FortiAnalyzer Log Message Reference, available on the Fortinet Technical Documentation web site, to interpret the messages. You can view log messages in the FortiAnalyzer Web-based Manager that are stored in memory or on the internal hard disk.
To view the log messages:
1. Go to System Settings > General > Log Access.
2. Select the log type from the Type drop-down list on the tool bar.
3. Select Download to download a file containing the logs in either CSV or the normal format.
4. Select the Raw text/Formatted table button to toggle the log message view.
5. Select Refresh to refresh the displayed logs.
6. Select Historical Log to view historical logs.
Diagnostic tools
Diagnostic tools allows you to run available diagnostic tools, including Ping, Traceroute, and View logs.
Admin
The System Settings > Admin menu enables you to configure administrator accounts, access profiles, and adjust global administrative settings for the FortiAnalyzer unit. The following menu options are available:
Administrator: Select to configure administrative user accounts. For more information, see Administrator on page 68.
Profile: Select to set up access profiles for the administrative users. For more information, see Profile on page 71.
Remote Auth Server: Select to configure authentication server settings for administrator log in. For more information, see Remote authentication server on page 74.
Admin Settings: Select to configure connection options for the administrator, including port number, language of the Web-based Manager and idle timeout. For more information, see Administrator settings on page 80.
The following information is available:
User Name: The name of the administrator account. Your session is indicated by (current).
IP Address: The IP address the administrator is logging in from.
Start Time: The date and time the administrator logged in.
Time Out: The maximum duration of the session in minutes (1 to 480 minutes).
Delete: Select the check box next to the user and select Delete to drop their connection to the FortiAnalyzer unit.
To disconnect an administrator:
1. Go to System Settings > General > Dashboard.
2. In the System Information widget, under Current Administrators, select Detail. The list of current administrator sessions appears; see Figure 52.
3. Select the check box for each administrator session that you want to disconnect, and select Delete.
4. Select OK to confirm deletion of the session.
The disconnected administrator will see the FortiAnalyzer login screen when disconnected. They will not have any additional warning. It is a good idea to inform the administrator before disconnecting, if possible, should they be in the middle of important configurations for the FortiAnalyzer or another device.
Administrator
Go to System Settings > Admin > Administrator to view the list of administrators and configure administrator accounts. Only the default admin administrator account can see the complete administrators list. If you do not have certain viewing privileges, you will not see the administrator list. Figure 53:Administrator list
The following information is available:
Delete: Select the check box next to the administrator you want to remove from the list and select Delete.
Create New: Select to create a new administrator. For more information, see To create a new administrator account: on page 69.
User Name: The name this administrator uses to log in. Select the administrator name to edit the administrator settings.
Profile: The administrator profile for this user that determines the privileges of this administrator. For information on administrator profiles, see Profile on page 71.
Status: Indicates whether the administrator is currently logged into the FortiAnalyzer unit or not. A green circle with an up arrow indicates the administrator is logged in; a red circle with a down arrow indicates the administrator is not logged in.
Comments: Descriptive text about the administrator account.
To create a new administrator account: 1. Go to System Settings > Admin > Administrator and select Create New. The New Administrator dialog box appears; see Figure 54. Figure 54:Creating a new administrator account
2. Configure the following settings:
User Name: Enter the name that this administrator uses to log in. This field is available if you are creating a new administrator account.
Type: Select the type of authentication the administrator will use when logging into the FortiAnalyzer unit. If you select LOCAL, you will need to add a password. Otherwise, depending on the type of authentication server selected, you will select the authentication server from a drop-down list.
New Password: Enter the password.
Remote Auth Server: Select the RADIUS, LDAP, or TACACS+ server, as appropriate. This option is only available if the type is not LOCAL.
Wildcard: Select this option to set the password as a wildcard. This option is only available if the type is not LOCAL.
Trusted Host1, Trusted Host2, Trusted Host3: Optionally, enter the trusted host IP address and netmask from which the administrator can log in to the FortiAnalyzer unit. You can specify up to three trusted hosts. Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts on page 71.
Trusted IPv6 Host1, Trusted IPv6 Host2, Trusted IPv6 Host3: Optionally, enter the trusted host IPv6 address from which the administrator can log in to the FortiAnalyzer unit. You can specify up to three trusted IPv6 hosts. Setting trusted IPv6 hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts on page 71.
Profile: Select a profile from the list. The profile selected determines the administrator's access to the FortiAnalyzer unit's features. To create a new profile, see Configuring administrator profiles on page 72.
Admin Domain: Choose the ADOM this admin will belong to. This field is available only if ADOMs are enabled.
Description: Optionally, enter a description of this administrator's role, location or reason for their account. This field adds an easy reference for the administrator account.
User Information (optional)
  Contact Email: Enter a contact email address for the new administrator.
  Contact Phone: Enter a contact phone number for the new administrator.
3. Select OK to create the new administrator account.
To modify an existing administrator account:
1. Go to System Settings > Admin > Administrator. The list of configured administrators appears; see Figure 53 on page 68.
2. In the User Name column, double-click on the user name of the administrator you want to change. The Edit Administrator window appears.
3. Modify the settings as required. For more information about configuring account settings, see To create a new administrator account: on page 69.
4. Select OK to save your changes.
To delete an existing administrator account:
1. Go to System Settings > Admin > Administrator. The list of configured administrators appears; see Figure 53 on page 68.
2. Select the check box of the administrator account you want to delete and then select the Delete icon in the tool bar.
Fortinet Technologies Inc. Page 70 FortiAnalyzer v5.0 Administration Guide
If you set trusted hosts and want to use the Console Access feature of the Web-based Manager, you must also set 127.0.0.1/255.255.255.255 as a trusted host. By default, Trusted Host 3 is set to this address.
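The following Python example is added to this guide and is not Fortinet code. It models how the Trusted Host and Trusted IPv6 Host fields of an administrator account restrict where that account may log in from, including the 127.0.0.1/255.255.255.255 entry that Console Access needs, and it audits a set of accounts for catch-all entries (0.0.0.0/0.0.0.0 or ::/0) that leave an account reachable from anywhere. The administrator names and addresses are constructed sample data; the model treats an account with no trusted-host entries at all as unreachable, and the unit's own default entries are not taken from this page.

```python
import ipaddress

# Constructed administrator records (not taken from a FortiAnalyzer unit). The
# trusted-host fields mirror the dialog: up to three IPv4 "address/netmask"
# entries and up to three IPv6 "address/prefix" entries; "" is an unused slot.
ADMINS = {
    "admin": {
        "trusted_hosts": ["0.0.0.0/0.0.0.0", "", "127.0.0.1/255.255.255.255"],
        "trusted_ipv6_hosts": ["::/0", "", ""],
    },
    "noc-alice": {
        "trusted_hosts": ["192.0.2.0/255.255.255.0", "198.51.100.7/255.255.255.255",
                          "127.0.0.1/255.255.255.255"],
        "trusted_ipv6_hosts": ["2001:db8:10::/64", "", ""],
    },
    "auditor-bob": {
        "trusted_hosts": ["203.0.113.0/255.255.255.0", "", ""],
        "trusted_ipv6_hosts": ["", "", ""],
    },
}


def trusted_networks(admin):
    """All populated trusted-host slots as ip_network objects (dotted masks accepted)."""
    entries = admin["trusted_hosts"] + admin["trusted_ipv6_hosts"]
    return [ipaddress.ip_network(entry, strict=False) for entry in entries if entry]


def login_permitted(admin, source):
    """True if the login's source address lies inside one of the admin's trusted hosts.
    Address families never match each other, so an IPv6 client needs an IPv6 entry."""
    src = ipaddress.ip_address(source)
    return any(src.version == net.version and src in net for net in trusted_networks(admin))


def console_access_ok(admin):
    """The Web-based Manager's Console Access feature connects from 127.0.0.1, so that
    address must itself be trusted (the guide's Trusted Host 3 default)."""
    return login_permitted(admin, "127.0.0.1")


def unrestricted_admins(admins):
    """Accounts with a catch-all entry: prefix length 0 matches every address."""
    return sorted(name for name, admin in admins.items()
                  if any(net.prefixlen == 0 for net in trusted_networks(admin)))
```

Run unrestricted_admins over an export of your accounts after any change to the administrator list; an account that still has the catch-all entry gains nothing from the other two slots.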
Profile
The System Settings > Admin > Profile menu enables you to create or edit administrator profiles, which are used to limit administrator access privileges to devices or system features. There are three pre-defined profiles with the following privileges:
Restricted_User: Restricted user profiles have no System Privileges enabled, and have read-only access for all Device Privileges.
Standard_User: Standard user profiles have no System Privileges enabled, but have read/write access for all Device Privileges.
Super_User: Super user profiles have all system and device privileges enabled.
You cannot delete these profiles, but you can modify them. You can also create new profiles if required.
This Guide is intended for default users with full privileges. If you create a profile with limited privileges it will limit the ability of any administrator using that profile to follow procedures in this Guide.
To view the list of configured administrator profiles, go to the System Settings > Admin > Profile page; see Figure 55.
The default administrator profiles can not be deleted. They can, however, be edited.
The following information is available:
Delete: Select the check box next to the profile you want to delete and select Delete. Predefined profiles cannot be deleted. You can only delete custom profiles when they are not applied to any administrators.
Create New: Select to create a custom administrator profile. See Configuring administrator profiles on page 72.
Profile Name: The administrator profile name. Select the profile name to view or modify existing settings. For more information about profile settings, see Configuring administrator profiles on page 72.
Description: Provides a brief description of the system and device access privileges allowed for the selected profile.
2. Configure the following settings:
Profile Name: Enter a name for this profile.
Description: Enter a description for this profile. While not a requirement, a description can help to know what the profile is for or the levels it is set to.
Other Settings: Select None, Read Only, or Read-Write access for categories as required.
3. Select OK to save the new profile.
To modify an existing profile:
1. Go to System Settings > Admin > Profile. The list of available profiles appears; see Figure 55 on page 72.
2. In the Profile column, double-click on the name of the profile you want to change. The Edit Profile dialog box appears.
Profile Name: Enter a name for this profile.
Description: Enter a description for this profile. While not a requirement, a description can help to know what the profile is for or the levels it is set to.
Other Settings: Select None, Read Only, or Read-Write access for categories as required.
3. Configure the appropriate changes and then select OK to save the settings.
To delete a profile:
1. Go to System Settings > Admin > Profile. The list of available profiles appears; see Figure 55 on page 72.
2. Select the check box of the custom profile you want to delete and then select the Delete icon in the tool bar. You can only delete custom profiles when they are not applied to any administrators.
3. In the confirmation dialog box that appears, select OK to delete the profile.
RADIUS server
Remote Authentication Dial-In User Service (RADIUS) is a user authentication and network-usage accounting system. When users connect to a server they enter a user name and password. This information is passed to a RADIUS server, which authenticates the user and authorizes access to the network. You can create or edit RADIUS server entries in the RADIUS server list to support authentication of administrators. When an administrator account's type is set to RADIUS, the FortiAnalyzer unit uses the RADIUS server to verify the administrator password at logon. The password is not stored on the FortiAnalyzer unit. Go to System Settings > Admin > Remote Auth Server > RADIUS Server to view the RADIUS server list.
Figure 57: RADIUS server list
Create New: Add a new RADIUS server entry.
Delete: Select the check box next to the server entry and select Delete. You cannot delete a RADIUS server entry if there are administrator accounts using it.
Name: The RADIUS server name. Select the server name to edit the settings.
Server Name/IP: The IP address or DNS resolvable domain name of the RADIUS server.
Secondary Server Name/IP: Optional IP address or DNS resolvable domain name of the secondary RADIUS server.
To add a RADIUS server configuration: 1. Go to System Settings > Admin > Remote Auth Server > RADIUS server. The list of configured RADIUS servers appears. 2. Select the Create New tool bar icon. The New RADIUS Server dialog box appears; see Figure 58.
3. Configure the following settings:
Name: Enter a name to identify the RADIUS server.
Server Name/IP: Enter the IP address or fully qualified domain name of the RADIUS server.
Server Secret: Enter the RADIUS server secret.
Secondary Server Name/IP: Enter the IP address or fully qualified domain name of the secondary RADIUS server.
Secondary Server Secret: Enter the secondary RADIUS server secret.
Port: Enter the port for RADIUS traffic. The default port is 1812. You can change it if necessary. Some RADIUS servers use port 1645.
Auth-Type: Enter the authentication type the RADIUS server requires. The default setting of ANY has the FortiAnalyzer unit try all the authentication types.
4. Select OK to save the new RADIUS server configuration.
To modify an existing RADIUS server configuration:
1. Go to System Settings > Admin > Remote Auth Server > RADIUS Server. The list of configured RADIUS servers appears.
2. In the Name column, select the name of the server configuration you want to change. The Edit RADIUS Server dialog box appears.
3. Modify the settings as required and select OK to apply your changes.
To delete an existing RADIUS server configuration:
1. Go to System Settings > Admin > Remote Auth Server > RADIUS Server. The list of configured RADIUS servers appears.
2. Select the check box beside the server configuration you want to delete and then select the Delete tool bar icon. A confirmation dialog box appears.
You cannot delete a RADIUS server entry if there are administrator accounts using it.
LDAP server
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network protocol. If you have configured LDAP support and require a user to authenticate using an LDAP server, the FortiAnalyzer unit contacts the LDAP server for authentication. To authenticate with the FortiAnalyzer unit, the user enters a user name and password. The FortiAnalyzer unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the FortiAnalyzer unit successfully authenticates the user. If the LDAP server cannot authenticate the user, the FortiAnalyzer unit refuses the connection. Go to System Settings > Admin > Remote Auth Server > LDAP Server to create a new LDAP server entry or edit an existing server entry.
Figure 59: LDAP server list
Delete: Select the check box next to the server name and select Delete. You cannot delete an LDAP server entry if there are administrator accounts using it.
Create New: Add a new LDAP server entry.
Name: The LDAP server name. Select the server name to edit the settings.
Server Name/IP: The IP address or DNS resolvable domain name of the LDAP server.
To add an LDAP server:
1. Go to System Settings > Admin > Remote Auth Server > LDAP Server. The list of LDAP servers appears.
2. Select the Create New tool bar icon. The New LDAP Server dialog box appears; see Figure 60.
Figure 60: New LDAP server dialog box
3. Configure the following information:
Name: Enter a name to identify the LDAP server.
Server Name/IP: Enter the IP address or fully qualified domain name of the LDAP server.
Port: Enter the port for LDAP traffic. The default port is 389.
Common Name Identifier: The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as uid.
Distinguished Name: The distinguished name used to look up entries on the LDAP server. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier.
Bind Type: Select the type of binding for LDAP authentication.
User DN: The distinguished name the FortiAnalyzer unit binds with when the selected bind type requires it to present its own credentials.
Password: The password for that user DN.
Secure Connection: Select to use a secure LDAP server connection for authentication.
4. Select OK to save the new LDAP server entry.
To modify an existing LDAP server configuration:
1. Go to System Settings > Admin > Remote Auth Server > LDAP Server. The list of configured LDAP servers appears.
2. In the Name column, select the name of the server configuration you want to change. The Edit LDAP Server dialog box appears.
3. Modify the settings as required and select OK to apply your changes.
To delete an existing LDAP server configuration:
1. Go to System Settings > Admin > Remote Auth Server > LDAP Server. The list of configured LDAP servers appears.
2. Select the check box beside the server configuration you want to delete and then select the Delete tool bar icon. A confirmation dialog box appears.
3. Select OK to delete the server entry.
You cannot delete a LDAP server entry if there are administrator accounts using it.
TACACS+ server
In recent years, remote network access has shifted from terminal access to LAN access. Users connect to their corporate network (using notebooks or home PCs) with computers that use complete network connections and have the same level of access to the corporate network resources as if they were physically in the office. These connections are made through a remote access server. As remote access technology has evolved, the need for network access security has become increasingly important.
Terminal Access Controller Access-Control System (TACACS) is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS allows a client to accept a user name and password and send a query to a TACACS authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user. The default TCP port for a TACACS server is 49. For more information about TACACS servers, see the FortiGate documentation.
Go to System Settings > Admin > Remote Auth Server > TACACS+ Server to create a new TACACS+ server entry or edit an existing server entry. The TACACS+ server list provides the following information and options:
Delete: Select the check box next to the server name and select Delete. You cannot delete a TACACS+ server entry if there are administrator accounts using it.
Create New: Add a new TACACS+ server entry.
Name: The TACACS+ server name. Select the server name to edit the settings.
Server Name/IP: The IP address or DNS resolvable domain name of the TACACS+ server.
To add a TACACS+ server:
1. Go to System Settings > Admin > Remote Auth Server > TACACS+ Server. The list of TACACS+ servers appears.
2. Select the Create New tool bar icon. The New TACACS+ Server dialog box appears; see Figure 61.
3. Configure the following information:
Name: Enter a name to identify the TACACS+ server.
Server Name/IP: Enter the IP address or fully qualified domain name of the TACACS+ server.
Port: Enter the port for TACACS+ traffic. The default port is TCP 49.
Server Key: Enter the key to access the TACACS+ server. The server key can be a maximum of 16 characters in length.
Auth-Type: Enter the authentication type the TACACS+ server requires. The default setting of ANY has the FortiAnalyzer unit try all the authentication types.
4. Select OK to save the new TACACS+ server entry.
To modify an existing TACACS+ server configuration:
1. Go to System Settings > Admin > Remote Auth Server > TACACS+ Server. The list of configured TACACS+ servers appears.
2. In the Name column, select the name of the server configuration you want to change. The Edit TACACS+ Server dialog box appears.
3. Modify the settings as required and select OK to apply your changes.
To delete an existing TACACS+ server configuration:
1. Go to System Settings > Admin > Remote Auth Server > TACACS+ Server. The list of configured TACACS+ servers appears.
2. Select the check box beside the server configuration you want to delete and then select the Delete tool bar icon. A confirmation dialog box appears.
3. Select OK to delete the server entry.
You cannot delete a TACACS+ server entry if there are administrator accounts using it.
Administrator settings
The System Settings > Admin > Admin Settings page allows you to configure global settings for administrator access to the FortiAnalyzer unit, including:
- Ports for HTTPS and HTTP administrative access
- Idle Timeout settings
- Language of the web-based manager
- Password Policy
Only the admin administrator can configure these system options, which apply to all administrators logging onto the FortiAnalyzer unit.
To configure the administrative settings:
1. Go to System Settings > Admin > Admin Settings. The Settings dialog box appears; see Figure 62.
Figure 62: Administrative settings dialog box
2. Configure the following information:
Administration Settings
  HTTP Port: Enter the TCP port to be used for administrative HTTP access.
  HTTPS Port: Enter the TCP port to be used for administrative HTTPS access.
  HTTPS & Web Service Server Certificate: Select a certificate from the drop-down list.
  Idle Timeout: Enter the number of minutes that an administrative connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To ensure security, the idle timeout should be a short period of time, so that an administrator who inadvertently leaves the management computer logged in to the FortiAnalyzer unit does not open the possibility of someone walking up and modifying the network options.
  Language: Select a language from the drop-down list.
Password Policy
  Enable: Select to enable the administrator password policy.
  Minimum Length: Select the minimum length for a password. The default is eight characters.
  Must Contain: Select the types of characters that a password must contain.
  Admin Password Expires after: Select the number of days that a password is valid for, after which time it must be changed.
Other Devices: Select whether FortiCarrier and FortiSwitch Manager settings are shown.
3. Select Apply to save your settings. The settings are applied to all administrator accounts.
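The following Python example is added to this guide and is not Fortinet code. It applies the Password Policy settings above the way the unit would at password-change time: a candidate password is checked against Minimum Length and Must Contain, and the Admin Password Expires after value is turned into an expiry date so that accounts can be audited for overdue passwords. The policy values are a constructed example, and the names of the character classes under Must Contain (upper, lower, number, special) are an assumption, not taken from this page.

```python
import re
from datetime import date, timedelta

# Constructed policy mirroring the Password Policy fields. The four class names are an
# assumption about what the Must Contain check boxes correspond to.
POLICY = {
    "enable": True,
    "minimum_length": 8,
    "must_contain": ["upper", "lower", "number", "special"],
    "expires_after_days": 90,
}

CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def password_violations(password, policy=POLICY):
    """Return the rules a candidate password breaks; an empty list means it is acceptable.
    A disabled policy accepts anything, which is why Enable matters."""
    if not policy["enable"]:
        return []
    problems = []
    if len(password) < policy["minimum_length"]:
        problems.append(f"shorter than {policy['minimum_length']} characters")
    for cls in policy["must_contain"]:
        if not CHARACTER_CLASSES[cls].search(password):
            problems.append(f"missing {cls} character")
    return problems


def password_expires_on(changed_on, policy=POLICY):
    """Last day the password set on changed_on is still valid."""
    return changed_on + timedelta(days=policy["expires_after_days"])


def password_expired(changed_on, today, policy=POLICY):
    """True once today is past the expiry date; expiry is not enforced if the policy is off."""
    return policy["enable"] and today > password_expires_on(changed_on, policy)


def overdue_accounts(last_changed, today, policy=POLICY):
    """Given {account: date of last change}, the accounts whose password has expired."""
    return sorted(name for name, changed in last_changed.items()
                  if password_expired(changed, today, policy))
```

Remember that the policy only applies to LOCAL administrators; accounts of type RADIUS, LDAP or TACACS+ take their password rules from the remote server.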
Advanced
The System Settings > Advanced menu enables you to configure SNMP, metafield data, and other settings. The following options are available:
SNMP v1/v2c: Select to configure FortiGate and FortiAnalyzer reporting through SNMP traps. See SNMP v1/v2c on page 82.
Advanced settings: Select to configure global advanced settings such as offline mode, device synchronization settings and install interface policy only; see Advanced settings on page 85.
Alerts: Select to configure alert events, mail and syslog servers, and to view alert messages. See Alerts on page 86.
Device Log: Select to configure log settings and access and to view the task monitor. See Device Log on page 91.
SNMP v1/v2c
Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiAnalyzer SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the incoming trap and event messages from the agent and send out SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager, or host, to one or more FortiAnalyzer units.

By using an SNMP manager, you can access SNMP traps and data from any FortiAnalyzer interface configured for SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiAnalyzer unit it will be monitoring. Otherwise the SNMP manager will not receive any traps from that FortiAnalyzer unit, nor be able to query it. You can configure the FortiAnalyzer unit to respond to queries from, and send trap messages to, the SNMP managers that have been added to SNMP communities.

When you are configuring SNMP, you first need to download and install both the FORTINET-CORE-MIB.mib and FORTINET-FORTIANALYZER-MIB.mib files so that you can view these alerts in a readable format. The Fortinet MIB contains support for all Fortinet devices and includes some generic SNMP traps; the information responses and traps that FortiAnalyzer units send are a subset of the total number supported by the Fortinet proprietary MIB. Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use; however, you still need to download both the FORTINET-CORE-MIB.mib and FORTINET-FORTIANALYZER-MIB.mib files.

FortiAnalyzer SNMP is read-only: SNMP v1 and v2 compliant SNMP managers have read-only access to FortiAnalyzer system information and can receive FortiAnalyzer traps. RFC support includes most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). FortiAnalyzer units also use object identifiers from the Fortinet proprietary MIB. For more information about the MIBs and traps that are available for the FortiAnalyzer unit, see SNMP MIB Support on page 139.

SNMP traps alert you to events that happen, such as a log disk being full or a virus being detected. SNMP fields contain information about your FortiAnalyzer unit, such as percent CPU usage or the number of sessions. This information is useful to monitor the condition of the unit, both on an ongoing basis and to provide more information when a trap occurs.
Configure the following settings:
SNMP Agent: Select to enable the FortiAnalyzer SNMP agent. When this is enabled, it sends FortiAnalyzer SNMP traps.
Description: Enter a description of this FortiAnalyzer system to help uniquely identify this unit.
Location: Enter the location of this FortiAnalyzer system to help find it in the event it requires attention.
Contact: Enter the contact information for the person in charge of this FortiAnalyzer system.
Communities: The list of SNMP communities added to the FortiAnalyzer configuration. Select Create New to add a new SNMP community. If SNMP Agent is not selected, this control will not be visible. For more information, see Configuring an SNMP community on page 83.
  Community Name: The name of the SNMP community.
  Queries: The status of SNMP queries for each SNMP community.
  Traps: The status of SNMP traps for each SNMP community.
  Enable: Select to enable or unselect to disable the SNMP community.
  Delete: Select to remove an SNMP community.
  Edit: Select to edit an SNMP community.
Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiAnalyzer unit for a different set of events. You can also add the IP addresses of up to eight SNMP managers to each community.
To create a new SNMP community:
1. Go to System Settings > Advanced > SNMP v1/v2c.
2. Ensure that the SNMP Agent is enabled, and under Communities, select Create New. The New SNMP Community dialog box opens.
Figure 64: New SNMP community
3. Enter the following information as required:
Community Name: Enter a name to identify the SNMP community. If you are editing an existing community, you will be unable to change the name.
Hosts: The list of SNMP managers (hosts) that can use the settings in this SNMP community to monitor the FortiAnalyzer system. Select Add to create a new entry that you can edit.
  IP Address: Enter the IP address of an SNMP manager. By default, the IP address is 0.0.0.0 so that any SNMP manager can use this SNMP community.
  Interface: Select from the drop-down list the name of the interface that connects to the network where this SNMP manager is located. You need to do this if the SNMP manager is on the Internet or behind a router.
  Delete icon: Select to remove this SNMP manager entry.
  Add: Select to add a new default entry to the Hosts list that you can edit as needed. You can have up to eight SNMP manager entries for a single community.
Queries: Enter the port numbers (161 by default) on which the FortiAnalyzer system receives SNMP v1 and SNMP v2c queries from the SNMP managers in this community. Enable queries for each SNMP version that the FortiAnalyzer system uses. Note: The SNMP client software and the FortiAnalyzer unit must use the same port for queries.
Traps: Enter the Remote port numbers (162 by default) that the FortiAnalyzer system uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Enable traps for each SNMP version that the FortiAnalyzer system uses. Note: The SNMP client software and the FortiAnalyzer unit must use the same port for traps.
SNMP Event: Enable the events that will cause the FortiAnalyzer unit to send SNMP traps to the community. These events include:
- Interface IP changed
- Log disk space low
- HA Failover
- System Restart
- CPU Overusage
- Memory Low
4. Select OK to create the SNMP community.
To edit an SNMP community:
1. Go to System Settings > Advanced > SNMP v1/v2c.
2. In the Action column of the community you need to edit, select the edit icon. The Edit SNMP Community dialog box opens.
3. Edit the SNMP community settings as required and then select OK.
To delete an SNMP community:
1. Go to System Settings > Advanced > SNMP v1/v2c.
2. In the Action column of the community you need to delete, select the delete icon.
3. Select OK in the confirmation dialog box to delete the SNMP community.
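As an added example (not from this guide or from Fortinet), the following Python check reviews a community definition against the limits this section states: the eight-host cap, the 0.0.0.0 default host, matching query and trap ports, and the valid event names. The Host and Community classes and the manager-side port arguments are assumptions made for the example.

```python
"""Check a FortiAnalyzer SNMP v1/v2c community definition against the
rules stated in the guide. Example code, not Fortinet's. The Host and
Community classes and the manager-side port arguments are assumptions
made for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address

MAX_HOSTS = 8                 # guide: up to eight SNMP manager entries per community
DEFAULT_QUERY_PORT = 161      # guide: default port for queries
DEFAULT_TRAP_PORT = 162       # guide: default remote port for traps
WILDCARD_HOST = "0.0.0.0"     # guide: default host; lets any SNMP manager use the community
SNMP_EVENTS = {               # guide: events that can trigger traps
    "Interface IP changed", "Log disk space low", "HA Failover",
    "System Restart", "CPU Overusage", "Memory Low",
}


@dataclass
class Host:
    ip: str
    interface: str = ""       # interface facing the manager (needed if it is behind a router)


@dataclass
class Community:
    name: str
    hosts: list
    query_port: int = DEFAULT_QUERY_PORT
    trap_port: int = DEFAULT_TRAP_PORT
    events: set = field(default_factory=set)


def review_community(c, manager_query_port=DEFAULT_QUERY_PORT,
                     manager_trap_port=DEFAULT_TRAP_PORT):
    """Return (errors, warnings).

    errors   - settings the unit rejects or that cannot work as configured
    warnings - settings that work but widen who can read the unit's data
    manager_*_port are the ports the SNMP manager software is set to; the
    guide requires both sides to use the same port.
    """
    errors, warnings = [], []
    if not c.name:
        errors.append("community name is required")
    if len(c.hosts) > MAX_HOSTS:
        errors.append(f"{len(c.hosts)} hosts configured; at most {MAX_HOSTS} allowed")
    for h in c.hosts:
        try:
            addr = str(ip_address(h.ip))
        except ValueError:
            errors.append(f"host {h.ip!r} is not a valid IP address")
            continue
        if addr == WILDCARD_HOST:
            warnings.append("host 0.0.0.0 lets any manager that knows the community "
                            "name query this unit; set the manager's real address")
        elif not h.interface:
            warnings.append(f"host {addr}: no interface selected; required if the "
                            "manager is on the Internet or behind a router")
    for label, port, expected in (("query", c.query_port, manager_query_port),
                                  ("trap", c.trap_port, manager_trap_port)):
        if not 1 <= port <= 65535:
            errors.append(f"{label} port {port} is out of range")
        elif port != expected:
            errors.append(f"{label} port {port} differs from the manager's port "
                          f"{expected}; both sides must use the same port")
    unknown = c.events - SNMP_EVENTS
    if unknown:
        errors.append(f"unknown SNMP events: {sorted(unknown)}")
    if not c.events:
        warnings.append("no SNMP events enabled; this community will send no traps")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: the default wildcard host with one event enabled.
    sample = Community("monitoring", [Host("0.0.0.0")], events={"System Restart"})
    for kind, msgs in zip(("error", "warning"), review_community(sample)):
        for m in msgs:
            print(f"{kind}: {m}")
```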
Advanced settings
To view and configure advanced settings options, go to the System Settings > Advanced > Advanced Settings page. The Advanced Settings dialog box appears; see Figure 65.
Fortinet Technologies Inc. Page 85 FortiAnalyzer v5.0 Administration Guide
Configure the following settings and then select Apply:
Download WSDL file: Select to download the FortiAnalyzer unit's Web Services Description Language (WSDL) file. Web services is a standards-based, platform-independent access method for other hardware and software APIs. The file itself defines the format of commands the FortiAnalyzer will accept as well as the response to expect. Using the WSDL file, third-party or custom applications can communicate with the FortiAnalyzer unit and operate it or retrieve information just as an admin user would from the Web-based Manager or CLI.
Task List Size: Set a limit on the size of the task list.
Alerts
Alerts allow you to monitor and receive notification on specific activity on your network.
Alerts event
You can configure alert events by severity level and set thresholds. When an alert event occurs, you can configure the alert event to be sent to an email address, SNMP server, or a syslog server.
Figure 66: Alert event window
To create a new alert event:
1. Go to System Settings > Advanced > Alerts > Alerts Event, and select Create New from the content pane tool bar. The New Alert Event dialog box will open.
Figure 67: Create new alert event window
2. Configure the following settings:
Name: Enter a name for the alert event.
Severity
  Level: Select the severity level: Information, Notification, Warning, Error, Critical, Alert, or Emergency.
  Condition: Enter the conditional value: greater than or equal to (>=), equal to (=), or less than or equal to (<=).
Log Filters
  Enable: Select to enable log filters.
  Generic Text: Optional text field.
Threshold
  Generate Alert When ...: Generate an alert after 1, 5, 10, 50, or 100 or more events of each type occurs.
  Occurrence: Select 0.5, 1.0, 3.0, 6.0, 12.0, 24.0, or 168.0 hours.
Destination
  Send Alert To: Select Email Address > Create New, SNMP Server > Create New, or Syslog Server > Create New.
  Add: Use the Add button to add multiple recipients.
Include Alert Severity: Select to include the alert severity level, then select High, Medium High, Medium, Medium Low, or Low.
3. Select OK to create the new alert event.
To edit an alert event:
1. Go to System Settings > Advanced > Alerts > Alerts Event.
2. Select the edit icon in the row of the alert event you need to edit. The Edit Alert Event dialog box will open.
3. Edit the alert event settings as required and then select OK.
To delete an alert event:
1. Go to System Settings > Advanced > Alerts > Alerts Event.
2. Select the delete icon in the row of the alert event you need to delete.
3. Select OK in the confirmation dialog box to delete the alert event.
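As an added example (not from this guide or from Fortinet), the following Python code evaluates an alert event as defined above: a severity Level with a Condition, an optional Generic Text filter, and a Threshold of N events within an Occurrence window. The log lines are constructed in FortiGate key=value syntax with placeholder device names; the RANK ordering, the parse_log helper and the one-alert-per-burst reset are assumptions.

```python
"""Evaluate a FortiAnalyzer-style alert event over log messages: a severity
level with a condition (>=, =, <=), an optional generic text filter, and a
threshold of N matching events within an occurrence window of H hours.
Example code, not Fortinet's. The log lines are constructed in FortiGate
key=value syntax with placeholder device names; the RANK ordering, the
parse_log helper and the one-alert-per-burst reset are assumptions."""
import re
from datetime import datetime, timedelta

# Most to least severe, as in the Level drop-down (plus debug).
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "information", "debug"]
RANK = {name: len(SEVERITIES) - i for i, name in enumerate(SEVERITIES)}

# Constructed sample log messages (not real device output), in time order.
LOG_LINES = [
    'date=2012-11-20 time=08:00:10 devid=FGT-CONSTRUCTED-01 type=event level=notification msg="Admin login successful"',
    'date=2012-11-20 time=08:05:00 devid=FGT-CONSTRUCTED-01 type=event level=warning msg="Log disk space low"',
    'date=2012-11-20 time=08:12:30 devid=FGT-CONSTRUCTED-01 type=event level=error msg="Interface port2 link down"',
    'date=2012-11-20 time=08:20:00 devid=FGT-CONSTRUCTED-01 type=event level=warning msg="CPU usage high"',
    'date=2012-11-20 time=08:40:00 devid=FGT-CONSTRUCTED-01 type=event level=critical msg="HA failover occurred"',
    'date=2012-11-20 time=09:30:00 devid=FGT-CONSTRUCTED-01 type=event level=warning msg="Memory usage high"',
    'date=2012-11-20 time=09:45:00 devid=FGT-CONSTRUCTED-01 type=event level=information msg="Log rolled"',
    'date=2012-11-20 time=09:50:00 devid=FGT-CONSTRUCTED-01 type=event level=error msg="Log disk space low"',
]


def parse_log(line):
    """Split a key=value log line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def matches(rec, level, condition, text=None):
    """Apply the Severity Level/Condition and the optional Generic Text filter."""
    if rec.get("level") not in RANK:
        return False
    have, want = RANK[rec["level"]], RANK[level]
    ok = {">=": have >= want, "=": have == want, "<=": have <= want}[condition]
    if ok and text:
        ok = text.lower() in rec.get("msg", "").lower()
    return ok


def evaluate_alert(lines, level, condition, threshold, occurrence_hours, text=None):
    """Return the timestamps at which the alert fires.

    The alert fires when `threshold` matching events fall inside a sliding
    window of `occurrence_hours`; the count restarts after firing so one
    burst produces one alert. Lines are assumed to be in time order.
    """
    window = timedelta(hours=occurrence_hours)
    recent, fired = [], []
    for line in lines:
        rec = parse_log(line)
        if not matches(rec, level, condition, text):
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        recent = [t for t in recent if ts - t <= window] + [ts]
        if len(recent) >= threshold:
            fired.append(ts)
            recent = []
    return fired


if __name__ == "__main__":
    # Warning or worse, 5 events within 3 hours: fires once at 09:30.
    for ts in evaluate_alert(LOG_LINES, "warning", ">=", 5, 3.0):
        print("alert fired at", ts.isoformat())
```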
Mail server
Configure mail server settings for alerts, edit existing settings, or delete mail servers.
If an existing mail server is set in an Alerts Event configuration, the delete icon is removed and the mail server entry cannot be deleted.
Configure the following settings and then select OK:
SMTP Server: Enter the SMTP server domain information, e.g. mail@company.com.
Enable Authentication: Select to enable authentication.
Email Account: Enter an email account, e.g. admin@company.com.
Password: Enter the email account password.
Syslog Server
Configure syslog server settings for alerts, edit existing settings, or delete syslog servers. Select Create New to add a new syslog server.
If an existing syslog server is set in an Alerts Event configuration, the delete icon is removed and the syslog server entry cannot be deleted.
Configure the following settings and then select OK:
Name: Enter a name for the syslog server.
IP address (or FQDN): Enter the IP address or FQDN of the syslog server.
Port: Enter the syslog server port number. The default value is 514.
Alert Console
The Alert Console allows you to view alert events by device. Use the Configure button to display events for a specific time frame or severity level. Select Clear Alert Messages to clear all the alert messages from the console.
Figure 72: Alert message console window
Configure the following settings and then select OK:
Period: Select 1 to 7 days.
Severity: Select: Debug, Information, Notification, Warning, Error, Critical, Alert, or Emergency.
Device Log
The FortiAnalyzer unit allows you to log system events to disk. For more information, see Log View on page 106.
Log Setting
The log settings menu window, found at System Settings > Advanced > Device Log > Log Setting, allows you to configure event logging to disk and includes the following options:
- Specify the severity level of logged events
- Log rotation settings
- Log upload to an FTP, SFTP or SCP server, or to a FortiAnalyzer system
Configure the following settings and then select Apply:
Disk: Select to enable log setting configuration.
Level: Select the level of the notification from the drop-down list. Options include: Emergency, Alert, Critical, Error, Warning, Notification, Information, and Debug.
Log Rotate
  Log file cannot exceed: Enter the maximum log size in megabytes.
  Roll logs: Select to roll the logs. Rolling will occur either on a weekly or daily basis as selected.
  Select Type: Select to roll the logs on a weekly or daily basis.
  Select One Day: Select the day of the week to roll the logs. This option is enabled only when Roll Logs is selected and the Type is Weekly.
  Time: Select the Hour and Minute of the day to roll the logs. The hour is based on a 24 hour clock.
Disk full: Select the action to take, Overwritten or Do not log, when the disk is full from the drop-down list.
Enable log uploading: Select to upload realtime device logs.
Upload Server Type: Select one of FTP, SFTP, SCP, or FAZ.
Upload Server IP: Enter the IP address of the upload server.
Port: Enter the port of the upload server.
Username: Select the username that will be used to connect to the upload server.
Password: Select the password that will be used to connect to the upload server.
Remote Directory: Select the remote directory on the upload server where the log will be uploaded.
When rolled: Select to upload log files when they are rolled according to settings selected under Roll Logs.
Daily at: Select the hour to upload the logs. The hour is based on a 24 hour clock.
Upload rolled files in: Select to gzip the logs before uploading. This will result in smaller gzipped format logs, and faster upload times.
Delete files after uploading: Select to remove device log files from the FortiAnalyzer system after they have been uploaded to the Upload Server.
Event Log: This option is not available. Please ignore it.
Log Access
Log access, found at System Settings > Advanced > Device Log > Log Access, displays current logs, the size of the log file, and allows for deleting, backup, and browsing of the log files.
Figure 75: Log access window
Task Monitor
Using the task monitor, you can view the status of the tasks that you have performed. Go to System Settings > Advanced > Device Log > Task Monitor, then select a task category in the View field.
Figure 76: Task monitor window
The task monitor provides the following controls and columns:
- Remove the selected task or tasks from the list.
- View: Select which tasks to view from the drop-down list, based on their status.
- The identification number for a task.
- The platform from where the task is performed.
- Select to display the specific actions taken under this task.
- The nature of the task.
- The users who have performed the tasks.
Status: The status of the task (hover over the icon to view the description):
- All: All types of tasks.
- Done: Completed with success.
- Error: Completed without success.
- Cancelled: User cancelled the task.
- Cancelling: User is cancelling the task.
- Aborted: The FortiAnalyzer system stopped performing this task.
- Aborting: The FortiAnalyzer system is stopping performing this task.
- Running: Being processed. In this status, a percentage bar appears in the Status column.
Start Time
RTM Profiles
The RTM Profiles tab allows you to create Real-Time Monitor (RTM) profiles and assign them to one or more managed devices. Each profile contains one or more dashboards onto which various charts can be added, deleted, and arranged to display the desired real-time information. The real-time information can then be viewed in the device summary pane on the Device Manager tab.
Figure 77: RTM profiles tab
RTM Profiles
RTM profiles contain one or more dashboards that consist of various predefined charts. A profile is assigned to one or more managed devices, and then the information defined by the selected charts in a given dashboard can be viewed in the device summary of the device to which the profile is assigned. See View managed devices on page 132 for more information.
RTM profiles can be created, edited, cloned, and deleted. Cloning a profile allows you to create a second profile that is exactly the same as the original profile. This can save time when creating multiple profiles that only have slight differences.
To create a new RTM profile:
1. On the RTM Profiles tab, right-click in the tree menu and select Create New from the pop-up menu. The Create New RTM Profile dialog box opens.
2. Enter a name for the profile in the Name field, and select the specific devices to which the profile will be assigned, or select All FortiGate to assign the profile to all FortiGate devices.
A device can only have a single RTM profile assigned to it. If a new profile is assigned to a device to which a profile has already been assigned, the newly assigned profile will displace the previously assigned profile.
3. Select OK to create the new RTM profile.
To edit an RTM profile:
1. On the RTM Profiles tab, right-click in the tree menu on the name of the profile you would like to edit, and select Edit from the pop-up menu. The Edit RTM Profile dialog box opens.
Figure 79: Edit an RTM profile
2. Edit the name of the profile and the devices to which the profile is assigned as needed, then select OK to finish editing the RTM profile.
To clone an RTM profile:
1. On the RTM Profiles tab, right-click in the tree menu on the name of the profile you would like to clone, and select Clone from the pop-up menu. The Clone RTM Profile dialog box opens.
Figure 80: Clone an RTM profile
2. Edit the name of the profile as needed, then select OK to finish cloning the RTM profile.
To delete an RTM profile:
1. On the RTM Profiles tab, right-click in the tree menu on the name of the profile you would like to delete, and select Delete from the pop-up menu. The Delete RTM Profile dialog box opens.
2. Select OK to delete the RTM profile.
Dashboards
Each RTM profile can contain multiple dashboards. A dashboard contains the charts that represent the information that will be presented in the device summary. Each dashboard in a profile can be selected from the Real Time Monitor tab on the device summary tool bar. See View managed devices on page 132 for more information. Dashboards can be created, edited, and deleted.
To create a new dashboard:
1. On the RTM Profiles tab, select the +, or Add Dashboard, icon in the content pane tool bar. The Add Dashboard dialog box will open.
Figure 81: Add dashboard dialog box
2. Enter a name for the new dashboard in the Title field, select the number of columns the dashboard will contain (one or two) and enter the time period that the data in the charts will cover in the Time Period field. The available time periods are:
- Last N Hours
- Today
- Yesterday
- Last 7 Days
- Last 14 Days
- Last 30 Days
- Last N Days
- This Week
- Last Week
- Last 2 Weeks
- Last N Weeks
- This Month
- Last Month
- This Quarter
- Last Quarter
- This Year
- Other
N represents a variable, allowing for a user-selectable number of hours, days, or weeks. If Other is selected, the start and end date and time must be manually entered.
3. Select OK to create the new dashboard. The new dashboard will appear on the content pane tool bar to the right of any previously created dashboards in that profile.
To edit a dashboard:
1. On the RTM Profiles tab, select the dashboard you would like to edit, and then select Options. The Dashboard Options dialog box will open.
Figure 82: Dashboard options dialog box
2. Edit the dashboard information as required, then select OK to finish editing the dashboard.
To delete a dashboard:
1. On the RTM Profiles tab, select the X, or Delete, icon to the right of the dashboard name for the dashboard that you would like to delete.
2. Select OK in the confirmation box to delete the dashboard and all of its data.
Charts
Charts are predefined to show specific information in an appropriate format, such as pie charts or lists. They are organized into categories, and can be added to, removed from, and organized on dashboards. In a profile dashboard, the charts are shown as placeholders. When viewing the charts in the device summary (see View managed devices on page 132), they will be populated with real-time data. The currently available predefined charts are outlined in Table 1. New charts can also be created; see Charts on page 128 for more information.
The available predefined charts may change. Please see the latest release notes for updated information.
Table 1: Available predefined charts
Event:
- Top SSL-VPN Tunnel Users by Bandwidth
- Top SSL-VPN Web Mode Users by Bandwidth
IPS (Attack):
- Top Attack Victims
- Top Attacks
- Top Attack Source
Network Scan:
- List Number of Vulnerabilities
Traffic:
- Top Users by Sessions
- Traffic History by Number of Active User
- Top 5 Destinations
- Top 5 Applications by Sessions
- Top 5 Email Recipients
- Traffic Summary
- Top Dial-Up IPsec Tunnels by Bandwidth
- Top 5 Users by Bandwidth
- Number of Sessions for Past 7 Days
- Top 5 Applications by Bandwidth
- Top 5 Email Senders
- Top Recipients by Combined Email Size
- Top Site-to-Site IPsec Tunnels by Bandwidth
- Top Destination Addresses by Sessions
- Top Recipients by Number of Emails
- Top Applications by Sessions
- Top Users by Bandwidth
- Top Applications by Bandwidth
- Top Senders by Combined Email Size
- Email Receivers Summary
- Top Destination Addresses by Bandwidth
- Top Senders by Number of Emails
- Email Senders Summary
Virus:
- Top Viruses by Name
- Top Virus Victims
Web Filter:
- Top Web User by Bandwidth
- Top 10 Allowed Sites
- Top Blocked Websites
- Top Video Streaming Websites
- Top Web Users by Requests
- Top 10 Blocked Sites
- Top Blocked Users
- Top Allowed Websites by Request
- Top Allowed Websites by Bandwidth
To add a chart to a dashboard:
1. In the RTM Profiles tab, select an RTM profile and the dashboard within that profile to which you would like to add a chart.
2. Select Add Charts in the content pane tool bar. The Add Charts dialog box will open.
Figure 83: Add charts dialog box
3. Find the chart that you would like to add in one of the following ways:
- Browse the list of all the available charts.
- Select the category of the chart you are looking for and then browse the list of the charts in that category.
- Search for the chart by entering all or part of the chart name into the Search field.
Once you select a chart, the graph type and the chart's category will be displayed in the preview box on the right of the dialog box.
4. Select OK to add the chart to the dashboard.
Figure 84: Chart placeholder
To reorganize the charts on a dashboard:
1. In the RTM Profiles tab, select an RTM profile and the dashboard within that profile that you would like to reorganize.
2. Click and drag any of the chart placeholders. The selected chart will follow the pointer so long as the left mouse button is held down. A yellow spacer with a dashed red outline will appear in the location where the chart will be once the mouse button is released.
Figure 85: Moving a chart
3. Move the chart placeholder up, down, or to the side if the dashboard has two columns (see To edit an RTM profile: on page 97).
4. When the outlined yellow spacer box is in the location that you want the chart, release the mouse button and the chart will fall into place.
5. When you are finished reorganizing the dashboard, select the Save button in the content pane tool bar to save your changes.
To remove a chart from a dashboard:
1. In the RTM Profiles tab, select an RTM profile and the dashboard within that profile that contains the chart you would like to remove.
2. Select the garbage can icon in the top right corner of the chart placeholder that you would like to remove.
3. Select OK in the confirmation dialog box to remove the chart from the dashboard.
4. When you have finished removing charts, select the Save button in the content pane tool bar to save your changes.
2. In the dashboard tool bar, select Real-time Monitor.
3. Select the RTM profile dashboard that you would like to view from the drop-down list. The charts specified in the RTM profile dashboard will be populated with data and shown in the device summary pane.
Figure 86: Viewing RTM data
4. To view more detail on specific data within one of the charts, hover your cursor over a portion of the graph and a small dialog box will pop up showing more data.
Figure 87: Chart data details
5. To refresh the data in a chart, select the Refresh button in the right corner of the chart title bar.
Figure 88: Refresh a chart's data
6. To make any changes to the layout of the charts, or to add or remove charts, return to the RTM Profile tab. For information see RTM Profiles on page 96, Dashboards on page 99, and Charts on page 100.
Log View
The Log View tab shows log messages for connected devices, organized by ADOMs. You can also view, import, and export log files stored for a given device.
The toolbar provides the following controls:
- Refresh: Refresh the log view.
- Select to change to the real time view, where the log table is updated in real time.
- Select to change to the historical log view, where logs are not updated in real time, and can be downloaded and searched. This option is only available when in the real time view.
- Column Settings: Select to change the columns to view and the order they appear on the page.
- Log Details: Adjust the location and visibility of the Log Details frame. It can be hidden, or visible on the bottom or right side of the content pane. For more information, see Log details on page 109.
Download: Select to download the logs. Two options are available:
- Current View: Select to download log files in text (.txt), or comma-separated value (.csv). The downloaded version will match the current log view, containing only log messages that match your current filter settings.
- Raw Log: Select to download log files in text (.txt), or comma-separated value (.csv) for a specified date and time range.
The remaining elements of the log view are:
- Search the logs based on the search terms entered in the search field.
- The date and time the log was received by the FortiAnalyzer unit. Other columns will be available, depending on the log type selected in the tree menu.
- Settings to adjust the number of logs listed per page and to browse through the pages of logs.
- Detailed information on the log message selected in the log message list. See Log details on page 109 for more information.
Depending on configuration and the device, different logs will be available, such as traffic logs, various event logs, and others.
3. Select which columns to hide or display. In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Show fields in this order area. In the Show fields in this order area, select the names of individual columns you want to hide, then select the single left arrow to move them to the Available Fields area. To return all columns to their default displayed/hidden status, select Default Column Settings.
4. Select Apply to apply the changes to the log message list.
To change the order of the columns:
1. Browse to the log message list you would like to customize.
2. Select Column Settings in the toolbar. The Column Settings dialog box opens.
3. In the Show fields in this order area, select a column name whose order of appearance you want to change.
4. Select the up or down arrow to move the column in the ordered list. Placing a column name towards the top of the Show fields in this order list will move the column to the left side of the log message list.
5. Select Apply to apply the changes to the log message list.
To filter log messages by column content:
1. In the heading of the column that you want to filter, select the filter icon to open the Filter Settings dialog box for that column. The Filter Settings dialog boxes are specific to the column you are filtering.
2. Enter the requisite information to filter the selected column and then select Apply. The column's filter icon will turn green when the filter is enabled. Downloading the current view will only download the log messages that meet the current filter criteria.
Log details
Log details can be viewed for any of the collected logs. To view log details, select the log in the log message list. The log details will be displayed in the lower frame of the content pane.
Figure 91: Log details
The details provided in the log detail frame will vary depending on the type of log selected.
To adjust the location of the Log Details frame, select Log Details in the toolbar. From the drop-down list, select one of the following:
- On Right: The Log Details frame will be shown on the right side of the screen.
- On Bottom: The Log Details frame will be shown on the bottom of the content pane (default setting).
- Hidden: The Log Details frame will be hidden from view.
Archive
The Archive tab is displayed next to the Log Details tab on the details frame when archived logs are available.
Figure 92: Log archive
The name and size of the archived log files are listed in the table. Selecting the download button next to the file name allows you to save the file to your computer. Depending on the file type of the archived log file, the View Packet Log button may also be available next to the download button. Select this button to open the View Packet Log dialog box, which displays the path and content of the log file.
Delete: Mark the check box of the file whose log messages you want to delete, then select this button.
Display: Mark the check box of the file whose log messages you want to view, then select this button. For more information, see Viewing log messages on page 106.
Download: Mark the check box of the log file that you want to download, select this button, then select a format for saving the log files: text (.txt), or comma-separated value (.csv). For more information, see Downloading a log file on page 112.
Import: Select to import log files. For more information about importing log files, see Importing a log file on page 112.
Log Files: A list of available log files for each device or device group. Select the group name to expand the list of devices within the group, and to view their log files. The current, or active, log file appears as well as rolled log files. Rolled log files include a number in the file name, such as vlog.1267852112.log. If you configure the FortiAnalyzer unit to delete the original log files after uploading rolled logs to an FTP server, only the current log will exist.
The remaining columns show:
- The number of devices in a group, and the number of log files for a device.
- The start time when the log file was generated.
- The end time when the log file was generated.
- The size of the log file.
3. Select the device to which the imported log file belongs from the Device field drop-down list, or select [Take From Imported File] to read the device ID from the log file. If you select [Take From Imported File], your log file must contain a device_id field in its log messages.
4. In the File field, enter the path and file name of the log file, or select Browse and browse to the log file.
5. Select OK. A message appears, stating that the upload is beginning, but will be cancelled if you leave the page.
6. Select OK. The upload time varies depending on the size of the file and the speed of the connection.
After the log file successfully uploads, the FortiAnalyzer unit inspects the log file. If the device_id field in the uploaded log file does not match the device, the import will fail. Select Return to attempt another import. If you selected [Take From Imported File], and the FortiAnalyzer unit's device list does not currently contain that device, a message appears after the upload. Select OK to import the log file and automatically add the device to the device list, or select Cancel.
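As an added example (not from this guide or from Fortinet), the following Python pre-check applies the import rules above to a log file before it is uploaded: with [Take From Imported File] every message needs a device_id field, an explicit device must match the device_id in the file, and a device missing from the device list would be offered for adding. The log lines and device names are constructed, and accepting devid as an alias of device_id is an assumption.

```python
"""Pre-check a log file before importing it into FortiAnalyzer, following the
rules in the import procedure: with [Take From Imported File] every message
needs a device_id field; with an explicit device, a device_id that does not
match fails the import; a device missing from the device list can be added.
Example code, not Fortinet's. The log lines, device names and the accepted
'devid' alias for device_id are constructed assumptions."""
import re

TAKE_FROM_FILE = "[Take From Imported File]"   # Device field choice named in the guide
ID_FIELDS = ("device_id", "devid")             # the 'devid' alias is an assumption

# Constructed sample files (lists of log lines), not real device output.
FILE_ONE_DEVICE = [
    'date=2012-11-20 time=10:00:01 device_id=FGT-CONSTRUCTED-01 type=traffic status=accept srcip=10.1.1.5 dstip=203.0.113.10 dstport=443',
    'date=2012-11-20 time=10:00:02 device_id=FGT-CONSTRUCTED-01 type=event level=notification msg="Admin login successful"',
]
FILE_TWO_DEVICES = FILE_ONE_DEVICE + [
    'date=2012-11-20 time=10:00:03 devid=FGT-CONSTRUCTED-02 type=event level=warning msg="Log disk space low"',
]
FILE_NO_ID = [
    'date=2012-11-20 time=10:00:04 type=event level=warning msg="message without a device field"',
]


def parse_log(line):
    """Split a key=value log line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def device_id_of(rec):
    """Return the device identifier carried by one parsed message, or None."""
    for f in ID_FIELDS:
        if f in rec:
            return rec[f]
    return None


def precheck_import(lines, device=TAKE_FROM_FILE, known_devices=()):
    """Return {'status', 'device', 'reason'}; status is 'ok', 'ok-add-device'
    (the unit would prompt to add the device) or 'fail'."""
    def fail(reason):
        return {"status": "fail", "device": None, "reason": reason}

    seen = set()
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        did = device_id_of(parse_log(line))
        if did is None:
            if device == TAKE_FROM_FILE:
                return fail(f"line {n}: no device_id field, so the device "
                            "cannot be taken from the file")
            continue   # explicit device chosen; nothing in this line to compare
        seen.add(did)

    if device == TAKE_FROM_FILE:
        if len(seen) != 1:
            return fail(f"file names {len(seen)} different devices; one device per import")
        device = next(iter(seen))
        if device not in known_devices:
            return {"status": "ok-add-device", "device": device,
                    "reason": "device is not in the device list; OK adds it, Cancel aborts"}
        return {"status": "ok", "device": device, "reason": ""}

    mismatched = seen - {device}
    if mismatched:
        return fail(f"device_id {sorted(mismatched)} does not match selected device {device}")
    return {"status": "ok", "device": device, "reason": ""}


if __name__ == "__main__":
    for name, lines in (("one device", FILE_ONE_DEVICE), ("two devices", FILE_TWO_DEVICES),
                        ("no id", FILE_NO_ID)):
        print(name, "->", precheck_import(lines, known_devices={"FGT-CONSTRUCTED-01"}))
```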
3. Select the specific log file (wlog.log, elog.log, etc.) that you want to download.
4. Select Download.
5. Select the log file format, either a text file or a csv file.
6. Select OK. If prompted by your web browser, select a location to save the file to, or open the file without saving.
To download a partial log file:
1. Go to Log View > Log Browse > Log Browse.
2. Expand the group name or device name to view the list of available log files under each log type.
3. Select the specific log file (wlog.log, elog.log, etc.) that you want to download.
4. Select Display.
5. Select a filter icon to restrict the current view to only items which match your criteria, then select OK. Filtered columns have a green filter icon. For more information about filtering log views, see Filtering logs on page....
6. Select Download.
7. Select the log file format, either a text file or a csv file, and select Compress with gzip if you need to download a compressed file.
8. Select OK. If prompted by your web browser, select a location to save the file to, or open the file without saving.
Page 113
To enable and configure log rolling or uploading, go to System Settings > Advanced > Device Log > Log Setting.
Figure 96: Log setting window
Log Rotate
Log file cannot exceed: Enter the maximum size of each device log file, in megabytes.
Roll logs: Select to roll the logs. Rolling will occur either on a weekly or daily basis as selected.
Type: Select to roll the logs on a weekly or daily basis.
Day: Select the day of the week to roll the logs. This option is enabled only when Roll Logs is selected and the Type is Weekly.
Time: Select the Hour and Minute of the day to roll the logs. The hour is based on a 24 hour clock.
Disk full: Select the action to take, Overwritten or Do not log, when the disk is full from the drop-down list.
Page 114
Enable log uploading: Select to upload real time device logs to a service.
Upload Server Type: Select one of FTP, SFTP, SCP, or FAZ.
Upload Server IP: Enter the IP address of the upload server.
Port: Enter the port of the upload server.
Username: Select the username that will be used to connect to the upload server.
Password: Select the password that will be used to connect to the upload server.
Remote Directory: Select the remote directory on the upload server where the log will be uploaded.
When rolled: Select to upload log files when they are rolled according to settings selected under Roll Logs.
Daily at: Select the hour to upload the logs. The hour is based on a 24 hour clock.
Upload rolled files in gzipped format: Select to gzip the logs before uploading. This will result in smaller logs, and faster upload times.
Delete files after uploading: Select to remove device log files from the FortiAnalyzer system after they have been uploaded to the upload server.
Page 115
Reports
FortiAnalyzer units can analyze information collected from the log files of connected devices. The information is then presented in tabular and graphical reports. These reports provide a quick and detailed analysis of activity on your networks. To reduce the number of reports needed, reports are independent from devices, and contain layout information in the form of a report template. The devices, groups, and any other required data-related information can be added as parameters to the report at the time of report generation.
Additional configuration options and short-cuts are available using the right-click menu. Right-click the mouse on different navigation panes on the Web-based Manager page to access these options.
The Reports tab allows you to configure reports using the pre-defined report templates, configure report schedules, view report history and the report calendar, and configure and view charts, datasets, and output profiles. This chapter contains the following sections:
Templates
Schedules
History
Calendar
Advanced
If ADOMs are enabled, each ADOM will have its own report settings.
Page 116
Templates
The FortiAnalyzer has one pre-configured report template called UTM Security Analysis. This template can be used as is, and you can also clone or edit the template. You can also create new templates and customize them as required. The UTM Security Analysis report template reports popular bandwidth and application log data. The template consists of various charts organized under different headings.
Figure 97: Report templates
Page 117
Section tool bar icons: Save, Add, Edit, Delete, Headings, Image, Text, Charts, Breaks, Move Up, Move Down
To add a section to a report template:
1. Go to the Reports tab and select the template from the tree menu to which you would like to add content.
2. From the section tool bar, select the Add icon.
3. The Add a new section dialog box opens.
Figure 99: Add a new section
4. Select the number of columns that the section will contain and enter a title for the section.
5. Select OK to create the new section.
6. If you are finished editing the template, select the Save icon to save your changes.
To add a chart to a report template:
1. Go to the Reports tab and select the template from the tree menu to which you would like to add a chart.
2. Click and drag the chart icon to the location where you want to add the chart. When you release the mouse button, the Add a New Chart dialog box will open.
Page 118
3. Find the chart that you would like to add in one of the following ways:
Browse the list of all the available charts.
Select the category of the chart you are looking for and then browse the list of the charts in that category.
Search for the chart by entering all or part of the chart name into the Search field.
To view a preview of the chart before you add it, hover your cursor over the chart name in the list.
Figure 101: Chart preview
4. Select OK once you have selected the chart you would like to add. The chart's placeholder will appear in the location that you had selected in the template.
5. If you are finished editing the template, select the Save icon to save your changes.
Page 119
To add an image to a report template:
1. Go to the Reports tab and select the template from the tree menu to which you would like to add an image.
2. Click and drag the image icon to the location where you want to add the image. The Choose a graphic dialog box will open.
Figure 102: Choose a graphic
3. Select an image from the list, or select Upload to browse for an image on your computer.
4. Select OK once you have selected the image you would like to add. The image will appear in the location that you had selected in the template.
5. If you are finished editing the template, select the Save icon to save your changes.
To add headings to a report template:
1. Go to the Reports tab and select the template from the tree menu to which you would like to add headings.
2. Click and drag the required heading icon to the location where you want to add the template heading. When you release the mouse button, the selected element will be placed into the template.
Figure 103: Heading element
3. To edit the heading text and level, select the edit icon on the template element, or double-click on the element. The Edit Heading dialog box will open.
Page 120
4. Enter the heading text in the Content field and, if necessary, change the heading level with the Switch to drop-down list.
5. Select OK to finish editing the heading.
6. If you are finished editing the template, select the Save icon to save your changes.
To add text to a report template:
1. Go to the Reports tab and select the template from the tree menu to which you would like to add text.
2. Click and drag the text icon to the location where you want to add the text box. When you release the mouse button, the selected element will be placed into the template.
3. To edit the text, select the edit icon on the template element, or double-click on the element. The Edit Text dialog box will open.
Figure 105: Edit text
4. Enter the text in the Content field.
5. Select OK to finish editing the text.
6. If you are finished editing the template, select the Save icon to save your changes.
To add breaks to a report template:
1. Go to the Reports tab and select the template from the tree menu that you would like to edit.
2. Click and drag the required break icon to the location where you want to add the break. Line breaks and page breaks are available. When you release the mouse button, the selected break will be placed into the template.
3. If you are finished editing the template, select the Save icon to save your changes.
Page 121
4. When you are finished editing the template, select the Save icon to save your changes.
To edit a report template element:
1. Go to the Reports tab and select the template from the tree menu that contains the element you would like to edit.
2. Select the edit icon in the top right corner of the element to be edited. Break elements cannot be edited.
Figure 107: Edit an element
3. Depending on the type of element you are editing, an appropriate edit dialog box will open. The edit element dialog boxes contain the same information as the add element dialog boxes, see Add report template content on page 118.
Page 122
4. When you have completed the required edits, select OK to close the edit element dialog box.
5. Select the Save icon to save your changes.
To delete a report template element:
1. Go to the Reports tab and select the template from the tree menu that contains the element you would like to delete.
2. Select the delete icon in the top right corner of the element.
Figure 108: Delete an element
3. Select OK in the confirmation dialog box to delete the element.
4. Select the Save icon to save your changes.
Schedules
Report schedules provide a way to schedule a daily, monthly, or weekly report so that the report will be generated at a specific time. You can also manually run a report schedule at any time and enable or disable report schedules.
Figure 109: Report schedules page
To create a new schedule:
1. Go to the Reports tab and select Report Schedules in the tree menu.
2. Select Create New on the tool bar, or right-click in the schedule list and select New from the pop-up menu. The Create New Schedule dialog box opens.
Page 123
3. Enter the following information:
Schedule Name: Enter a name for the new report schedule.
Report Template: Select a report template from the drop-down list.
Time Period: Select the time period that the report covers from the drop-down list.
Devices: Select the specific devices that the report will cover, or select All FortiGate to cover all the devices.
Schedule Color: Select the color for the report schedule that will be visible on the report calendar.
Generate PDF Report: Select when the report is generated.
Every: Enter a number for the frequency of the report based on the time period selected from the drop-down list, or select On Demand to only run the report manually. If On Demand is not selected, enter a starting and ending date and time for the file generation, or set it for never ending.
Notify: Select to add notification email recipients.
Page 124
Select an output profile for the report (optional). See Output profiles on page 134 for more information.
Select the check-box to include a table of contents in the report. Select the check-box to generate a separate report for each managed device.
Print Device List: Select the check-box to include a device list in the report. Three styles are available from the drop-down list:
Compact: Display a compact comma-separated list of device names.
Count: Display only the number of devices.
Detailed: Display a table of device information for each device.
Language: Select the report language from the drop-down menu. The default language is English.
Enable Filters: Select the check-box to enable filters for the report schedule. The available filters are: users, groups, LDAP queries, hostnames, sources, and destinations.
4. Select OK to create the report schedule.
To edit a report schedule:
1. Go to the Reports tab and select Report Schedules in the tree menu.
2. Select the schedule you would like to edit and then select Edit on the tool bar, or right-click on the schedule list and select Edit from the pop-up menu. The Edit Schedule dialog box opens. It contains all the same settings as the Create New Schedule dialog box, see Figure 110 on page 124.
3. Edit the report schedule as required and select OK to apply the changes.
To delete a report schedule:
1. Go to the Reports tab and select Report Schedules in the tree menu.
2. Select the schedule you would like to delete and then select Delete on the tool bar, or right-click on the schedule list and select Delete from the pop-up menu. To delete multiple report schedules, select multiple reports and then select Delete from the tool bar or right-click menu. To delete all report schedules, right-click and select Select All from the pop-up menu, then select Delete from the tool bar or right-click menu.
3. Select OK in the confirmation dialog box to delete the report schedule.
To manually run a report schedule:
1. Go to the Reports tab and select Report Schedules in the tree menu.
2. Right-click on the schedule you would like to run and select Run from the pop-up menu. The report schedule will run and the report will be generated. See History on page 126 for information on viewing the report.
Page 125
To enable/disable a report schedule:
1. Go to the Reports tab and select Report Schedules in the tree menu.
2. Select the schedule or schedules you would like to enable or disable and then right-click on the schedule list and select Enable or Disable from the pop-up menu. To enable or disable all report schedules, right-click and select Select All from the pop-up menu, then select Enable or Disable from the right-click menu.
History
Report history allows you to view all reports that have been generated on the FortiAnalyzer system. It displays the report name, device type, and the time that the report was generated. Select a report from the list to view the report in a new window or tab in your web browser. The reports can also be downloaded as PDFs, and deleted. To view the report history, go to the Reports tab and select Report History in the tree menu.
Figure 111: Report history page
To delete reports:
1. In the Report History list, select the report or reports that you would like to delete, or right-click and select Select All if you are deleting all of the reports.
2. Select Delete in the tool bar, or right-click and select Delete from the pop-up menu.
3. Select OK in the confirmation dialog box to delete the report or reports.
To download reports:
1. In the Report History list, select the report or reports that you would like to download, or right-click and select Select All if you are downloading all of the reports.
2. Select Download in the tool bar, or right-click and select Download from the pop-up menu.
3. Save the file to your computer, or open the file in an applicable program. If you are downloading multiple reports, each one will be saved as a separate file.
Page 126
Calendar
The report calendar provides an overview of the report schedules. You can view all reports scheduled for the selected month. Selecting a report schedule in the calendar opens the Edit Schedule dialog box, allowing you to make changes to the settings for that schedule (see Schedules on page 123). If the report has already been run, selecting the report schedule will download the report. Selecting any day on the calendar opens the Create New Schedule dialog box (see Figure 110 on page 124), allowing you to create a new report schedule with the selected day set as the starting date for the schedule. To view the report calendar, go to the Reports tab and select Report Calendar in the tree menu.
Figure 112: Report calendar
When hovering the mouse cursor over a scheduled report on the calendar, a notification box will appear detailing the report name, status, and the device type.
Figure 113: Report schedule calendar details
Page 127
Advanced
The advanced report options include chart and dataset settings, output profiles, and report language settings.
Charts
The FortiAnalyzer unit provides a selection of pre-defined charts. New charts can also be created, either from scratch or by cloning a previous chart. To view and configure charts, go to the Reports tab and select Advanced > Charts in the tree menu.
Figure 114: Charts
For a list of the currently available pre-defined charts, see Charts on page 100.
To create a new chart:
1. Go to the Reports tab and select Advanced > Chart in the tree menu.
2. Select Create New on the tool bar, or right-click in the chart list and select New from the pop-up menu. The Create New Chart dialog box opens.
Page 128
3. Enter the required information for the new chart.
Name: Enter a name for the chart.
table-subtype: Select a table subtype from the drop-down list. The available types are: basic, composite-bar, composite-line, basic-with-pie, and bar-with-pie.
x-axis-data-top: Enter the maximum value for data on the x-axis.
Dataset: Select a dataset from the drop-down list. See Datasets on page 131 for more information.
y-axis-label: Enter a label for the y-axis.
line-subtype: Select the line subtype from the drop-down list. The options are: basic, stacked, and back-to-back.
y-axis-group: Select to enable the y-axis-group.
show-table: Select to show the table.
Category: Enter a category for the chart.
scale: Enter a scale for the chart.
y-axis-group-top: Enter the top value for the y-axis group.
y2-label-axis: Enter a label for the second y-axis.
Page 129
Enter the y-axis data binding information.
Enter a description.
Select a graph type from the drop-down list. The options are: table, bar, pie, and line.
Enter a label for the x-axis.
y2-axis-data-binding: Enter the data binding information for the second y-axis.
x-axis-data-binding: Enter the data binding information for the x-axis.
favorite: Select to set the chart as a favorite.
y-axis-group-by: Enter what the y-axis is to be grouped by.
order-by: Enter ordering information.
resolve-hostname: Select to resolve the hostname.
graph-columns: Select if the graph will have one or two columns from the drop-down list.
4. Select OK to create the new chart.
To clone a chart:
1. Go to the Reports tab and select Advanced > Chart in the tree menu.
2. Select the chart that you would like to clone and select Clone from the tool bar or right-click menu. The Clone Chart dialog box opens.
3. Edit the information as needed and select OK to clone the chart and create a new chart.
To edit a chart:
1. Go to the Reports tab and select Advanced > Chart in the tree menu.
2. Double-click on the chart that you would like to edit, or select the chart and select Edit from the tool bar or right-click menu. The Edit Chart dialog box opens. Pre-defined charts cannot be edited; the information can only be viewed.
3. Edit the information as required and select OK to finish editing the chart.
To delete charts:
1. Go to the Reports tab and select Advanced > Chart in the tree menu.
2. Select the chart or charts that you would like to delete and select Delete from the tool bar or right-click menu. Pre-defined charts cannot be deleted.
3. Select OK in the confirmation dialog box to delete the chart or charts.
Page 130
Datasets
FortiAnalyzer datasets are collections of log files from monitored devices. Reports are generated based on these datasets. Pre-defined datasets for each supported device type are provided, and new datasets can be created and configured. To view and configure datasets, go to the Reports tab and select Advanced > Dataset in the tree menu.
Figure 116: Datasets
To create a new dataset:
1. Go to the Reports tab and select Advanced > Dataset in the tree menu.
2. Select Create New on the tool bar, or right-click in the dataset list and select New from the pop-up menu. The Create New Dataset dialog box opens.
Figure 117: Create a new dataset
Page 131
3. Enter the required information for the new dataset.
Name: Enter a name for the dataset.
dev-type: Select a device type from the drop-down list.
log-type: Select a log type from the drop-down list.
SQL Query: Enter the SQL query used for the dataset.
4. Select OK to create the new dataset.
To clone a dataset:
1. Go to the Reports tab and select Advanced > Dataset in the tree menu.
2. Select the dataset that you would like to clone and select Clone from the tool bar or right-click menu. The Clone Dataset dialog box opens.
3. Edit the information as needed and select OK to clone the dataset and create a new dataset.
To edit a dataset:
1. Go to the Reports tab and select Advanced > Dataset in the tree menu.
2. Double-click on the dataset that you would like to edit, or select the dataset and select Edit from the tool bar or right-click menu. The Edit Dataset dialog box opens. Pre-defined datasets cannot be edited; the information can only be viewed.
3. Edit the information as required and select OK to finish editing the dataset.
To delete datasets:
1. Go to the Reports tab and select Advanced > Dataset in the tree menu.
2. Select the dataset or datasets that you would like to delete and select Delete from the tool bar or right-click menu. Pre-defined datasets cannot be deleted.
3. Select OK in the confirmation dialog box to delete the dataset or datasets.
Page 132
Notes:
SUM(sent + rcvd) AS volume - this calculates the total sent and received bytes.
ORDER BY volume DESC - this orders the results by descending volume (largest volume first).
LIMIT 100 - this lists only the top 100 applications.
Top 10 attacks:
1. Go to Report > Advanced > Dataset.
2. Select Create New to create a new dataset and enter a name for the dataset.
3. Select FortiGate from the dev-type drop-down list.
4. Select Attack from the log-type drop-down list.
5. In the SQL Query field, enter the following:
SELECT attack_id, COUNT( * ) AS totalnum FROM $log and attack_id IS NOT NULL GROUP BY attack_id ORDER BY totalnum DESC LIMIT 10
6. Select OK to create the dataset.
Notes:
The result is ordered by the total attack number of the same attack_id. The most frequent attack_id will appear first.
Top WAN optimization applications:
1. Go to Report > Advanced > Dataset.
2. Select Create New to create a new dataset and enter a name for the dataset.
3. Select FortiGate from the dev-type drop-down list.
4. Select Traffic Log from the log-type drop-down list.
5. In the SQL Query field, enter the following:
SELECT wanopt_app_type, SUM( wan_in + wan_out ) AS bandwidth FROM $log AND subtype = 'wanopt-traffic' GROUP BY wanopt_app_type ORDER BY SUM( wan_in + wan_out ) DESC LIMIT 5
6. Select OK to create the dataset.
Notes:
The WAN optimizer module will log each application bandwidth. All bandwidth data is logged in traffic logs and WAN opt data will have the subtype wanopt-traffic.
SUM(wan_in + wan_out) AS bandwidth - this calculates the total in and out traffic.
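The three dataset queries above (top applications by volume, top 10 attacks, top WAN optimization applications) can be checked offline before they are entered in the SQL Query field. The following is an added example, not code from the FortiAnalyzer guide or from Fortinet: it runs the same aggregations against a constructed in-memory SQLite table. Two assumptions are labelled in the code: the $log macro is treated as standing for the log table plus the report's time-range condition, so a concrete table name and an explicit WHERE clause are substituted for it; and the application column of the traffic log is assumed to be named app, since the first example's SELECT line is not present on this page.

```python
"""Offline check of FortiAnalyzer-style dataset queries (added example).

Assumptions (not from the guide):
  * `$log` is replaced by a concrete table plus an explicit WHERE clause.
  * The traffic-log application column is called `app`.
All rows below are constructed sample data, not real device logs.
"""
import sqlite3

# Constructed traffic-log rows: (app, sent, rcvd, subtype, wanopt_app_type, wan_in, wan_out)
SAMPLE_TRAFFIC = [
    ("HTTPS", 5000, 20000, "forward", None, 0, 0),
    ("HTTPS", 3000, 12000, "forward", None, 0, 0),
    ("DNS", 200, 800, "forward", None, 0, 0),
    ("SMB", 1000, 500, "wanopt-traffic", "CIFS", 700, 300),
    ("SMB", 2000, 1500, "wanopt-traffic", "CIFS", 1200, 800),
    ("HTTP", 4000, 100, "wanopt-traffic", "HTTP", 3500, 400),
]

# Constructed attack-log rows: (attack_id,). One row has no attack_id,
# which is exactly the case the `attack_id IS NOT NULL` filter drops.
SAMPLE_ATTACKS = [(1001,), (1001,), (1001,), (2002,), (2002,), (3003,), (None,)]


def build_db():
    """Create the in-memory tables that stand in for $log in the examples."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tlog (app TEXT, sent INTEGER, rcvd INTEGER, subtype TEXT,"
        " wanopt_app_type TEXT, wan_in INTEGER, wan_out INTEGER)"
    )
    con.execute("CREATE TABLE alog (attack_id INTEGER)")
    con.executemany("INSERT INTO tlog VALUES (?,?,?,?,?,?,?)", SAMPLE_TRAFFIC)
    con.executemany("INSERT INTO alog VALUES (?)", SAMPLE_ATTACKS)
    return con


def top_apps_by_volume(con, limit=100):
    """Top applications: SUM(sent + rcvd) AS volume, ORDER BY volume DESC, LIMIT 100."""
    return con.execute(
        "SELECT app, SUM(sent + rcvd) AS volume FROM tlog"
        " WHERE app IS NOT NULL GROUP BY app ORDER BY volume DESC LIMIT ?",
        (limit,),
    ).fetchall()


def top_attacks(con, limit=10):
    """Top 10 attacks: COUNT(*) per attack_id, most frequent first."""
    return con.execute(
        "SELECT attack_id, COUNT(*) AS totalnum FROM alog"
        " WHERE attack_id IS NOT NULL GROUP BY attack_id"
        " ORDER BY totalnum DESC LIMIT ?",
        (limit,),
    ).fetchall()


def top_wanopt_apps(con, limit=5):
    """Top WAN optimization applications: SUM(wan_in + wan_out) AS bandwidth."""
    return con.execute(
        "SELECT wanopt_app_type, SUM(wan_in + wan_out) AS bandwidth FROM tlog"
        " WHERE subtype = 'wanopt-traffic' GROUP BY wanopt_app_type"
        " ORDER BY SUM(wan_in + wan_out) DESC LIMIT ?",
        (limit,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("top apps by volume:", top_apps_by_volume(db))
    print("top attacks:", top_attacks(db))
    print("top wanopt apps:", top_wanopt_apps(db))
```

Running the script shows that the attack row without an attack_id is excluded by the NULL filter, that the traffic rows are summed per application regardless of subtype, and that only rows with subtype wanopt-traffic contribute to the WAN optimization bandwidth totals. Once a query behaves as expected here, replace the table name and WHERE clause with the $log macro before pasting it into the dataset.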
Page 133
Output profiles
Output profiles allow you to define email addresses to which generated reports are sent, and provide an option to upload the reports to FTP, SFTP, or SCP servers. Once created, an output profile can be specified in a report schedule; see Schedules on page 123.
Figure 118: Output profile page
You must configure a mail server before you can configure an output profile. Please see Mail server on page 88 for information on configuring a mail server.
To create a new output profile:
1. Go to the Reports tab and select Advanced > Output Profile in the tree menu.
2. Select Create New on the tool bar, or right-click in the output profile list and select New from the pop-up menu. The Create New Output Profile dialog box opens.
Page 134
3. Enter the following information:
Name: Enter a name for the new output profile.
Description: Enter a description for the output profile (optional).
Email Generated Reports: Enable email generated reports.
Subject: Enter a subject for the report email.
Body: Enter body text for the report email.
Email Recipients: Select the email server from the drop-down list and enter to and from email addresses. Select the + icon to add another entry so that you can specify multiple recipients.
Upload Report to Server: Enable uploading the reports to a server.
Server Type: Select FTP, SFTP, or SCP from the drop-down list.
Server: Enter the server IP address.
Page 135
Enter the username.
Enter the password.
Specify the directory where the report will be saved.
Select to delete the report after it has been uploaded to the selected.
4. Select OK to create the new output profile.
To edit an output profile:
1. Go to the Reports tab and select Advanced > Output Profile in the tree menu.
2. Double-click on the output profile that you would like to edit, or select the output profile and select Edit from the tool bar or right-click menu. The Edit Output Profile dialog box opens.
3. Edit the information as required and select OK to finish editing the output profile.
To delete output profiles:
1. Go to the Reports tab and select Advanced > Output Profile in the tree menu.
2. Select the output profile or profiles that you would like to delete and select Delete from the tool bar or right-click menu.
3. Select OK in the confirmation dialog box to delete the selected output profile or profiles.
Language
The language of the reports can be specified when creating a report schedule (see Schedules on page 123). New languages can be added, and the name and description of the languages can be changed. The pre-defined languages cannot be edited. The available report languages can be viewed in the Reports tab under Advanced > Language.
Figure 120: Report language
Page 136
The available preconfigured report languages include:
English (default report language)
French
Japanese
Korean
Portuguese
Simplified Chinese
Spanish
Traditional Chinese
To add a language:
1. Go to the Reports tab and select Advanced > Language in the tree menu.
2. Select Create New on the tool bar, or right-click in the language list and select New from the pop-up menu. The Create New Language dialog box opens.
Figure 121: Create a new language
3. Enter a name and description for the language in the requisite fields.
4. Select OK to add the language.
Adding a new language does not create that language. It only adds a placeholder for that language that contains the language name and description.
Page 137
To edit a language:
1. Go to the Reports tab and select Advanced > Language in the tree menu.
2. Double-click on the language that you would like to edit, or select the language and select Edit from the tool bar or right-click menu. The Edit Language dialog box opens.
3. Edit the information as required and select OK to finish editing the language.
To delete languages:
1. Go to the Reports tab and select Advanced > Language in the tree menu.
2. Select the language or languages that you would like to delete and select Delete from the tool bar or right-click menu.
3. Select OK in the confirmation dialog box to delete the selected language or languages.
Page 138
FORTINET-FORTIANALYZER-MIB: This Fortinet-proprietary MIB enables your SNMP manager to query for FortiAnalyzer-specific information and to receive FortiAnalyzer-specific traps.
RFC-1213 (MIB II): The FortiAnalyzer SNMP agent supports MIB II groups, except:
There is no support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, etc.) do not accurately capture all FortiAnalyzer traffic activity. More accurate information can be obtained from the information reported by the FortiAnalyzer MIB.
RFC-2665 (Ethernet-like MIB): The FortiAnalyzer SNMP agent supports Ethernet-like MIB information except the dot3Tests and dot3Errors groups.
You can obtain these MIB files from the Customer Service & Support web site, https://support.fortinet.com. To be able to communicate with your FortiAnalyzer unit's SNMP agent, you must first compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do not have to compile them again. To view a trap or query's name, object identifier (OID), and description, open its MIB file in a plain text editor. All traps sent include the message, the FortiAnalyzer unit's serial number, and host name. For instructions on how to configure traps and queries, see Configuring the SNMP agent on page 82.
Page 139
Page 140
Table 4: FortiAnalyzer listening ports
Functionality: Port(s)
Windows share: UDP 137-139 and TCP 445
Syslog, log forwarding: UDP 514
Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, syslog traffic will be sent into an IPsec tunnel. Data will be exchanged over UDP 500/4500, Protocol IP/50.
SSH administrative access to the CLI: TCP 22
Telnet administrative access to the CLI: TCP 23
HTTP administrative access to the Web-based Manager: TCP 80
HTTPS administrative access to the Web-based Manager; remote management from a FortiManager unit: TCP 443
Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval) (OFTP): TCP 514
NFS share
HTTP or HTTPS administrative access to the Web-based Manager's CLI dashboard widget. Protocol used will match the protocol used by the administrator when logging in to the Web-based Manager.
Log aggregation server (log aggregation server support requires model FortiAnalyzer-800 or greater): TCP 3000
Remote management from a FortiManager unit (configuration installation): TCP 8080
Remote MySQL database connection: TCP 3306
Table 5: FortiAnalyzer FDN ports
Functionality: Port(s)
Vulnerability Management updates: TCP 443
Page 141
Index
A
access administrative 22 add ADOM 25, 56 alert event 87 break 121 chart 128 charts 102 dataset 131 elements 118-121 group 27 headings 120 IPv6 static route 63 language 137 model device 29 output profile 134 RTM dashboard 99 RTM profile 96 schedule 123 SNMP community 84 template 117 text box 121 VDOM 29 admin settings 80 configure 80 administration session timeout 68 administrative domains enable 41 administrator 41, 68 access 22 access profiles 67 add account 69 authentication server 67 configure 68 configure accounts 67 connection options 67 delete 68, 70 disconnect 68 modify 70 monitoring 67 monitoring sessions 67 netmask 70 profiles 71 trusted host 71 administrator profiles delete 73 modify 73 ADOM 56 add 25 create new 56 delete 27, 58 edit 26, 57 name 26 advanced settings 85 system settings 81 alert console 90 create new event 87 events 86 thresholds 86 alert message console 50 alerts 81, 86 mail server 88 syslog server 89 analyzer 14 API 86 archive logs 109 authentication remote 74 server 67
B
backup 45 configuration 41 encrypt 46 browse logs 110
C
calendar report 127 certificates 64 creating 64 downloading 66 importing 65 view details 65 change date 42 host name 42 operation mode 47 time 42 chart add 118 clone 130 create new 128 delete 130 edit 130
Page 142
charts 96 add 102 predefined 100 remove 103 reorganize 103 RTM 100 template 128 CLI 11, 37, 38, 51 commands 52 clone chart 130 dataset 132 RTM profile 98 collector 14 column settings 24 columns log view 107 order 108 command line interface. See CLI command prompt 41 community 83 name 84 configuration backup 41, 45 restore 46 configure admin settings 80 administrator 68 administrator profiles 72 alert console 91 alert event 87 backup 41 date 42 event logging 91 mail server 89 network interfaces 61 profiles 72 SNMP 82 syslog server 89 time 42 connect Web-based Manager 19 connection options 67 console access 71 alert 90 CPU utilization 48 create profiles 72 SNMP community 84
create new ADOM 25, 56 alert event 87 chart 128 charts 102 dataset 131 group 27 output profile 134 RTM dashboard 99 RTM profile 96 schedule 123 template 117 current administrators 41 custom profile 72 customize dashboard 39 log view 107
D
dashboard add a widget 39 alert message console 50 CLI console 51 customize 39 customizing 39 license information 49 move a widget 39 RAID monitor 52 reset 39 system information 40 system resource information 48 unit operation 50 view alert messages 50 view license information 49 view unit operation 50 widget options 39 dashboards 99 data RTM 103 data sets 131 dataset clone 132 create new 131 delete 132 edit 132 examples 132 date configure 42 default gateway 59 password 11
Page 143
delete administrator 68, 70 ADOM 27, 58 alert event 88 charts 130 datasets 132 device 34 edit 32 element 123 group 29 languages 138 log files 93 output profiles 136 profile 73 reports 126 RTM dashboard 100 RTM profile 98 schedule 125 task 94 VDOM 34 details logs 109 device add model 29 delete 34 device log settings 81 diagnostic tools 66 disk 91 display columns 107 DNS 59 servers 59 download logs 112 report 126 WSDL file 86 dynamic IP pool 78
element add 118-121 delete 123 edit 122 move 122 enable administrative domains 41 SNMP agent 83 encrypt backup 46 event logging 91 event log 93 event logging configure 91 example datasets 132
E
edit administrator 70 ADOM 26, 57 alert event 88 chart 130 dataset 132 device 32 element 122 group 28 language 138 output profile 136 report 122 RTM dashboard 100 RTM profile 97 schedule 125 SNMP community 85
F
filter logs 108 firmware update 29 version 41 FortiAnalyzer 91 reboot 23 server 93 shutdown 23 Fortinet Technical Support 44 FortiSwitch 81 FQDN 90 FTP 91 server 93
G
group create new 27 delete 29 edit 28
H
hard disk 54 hot-swapping 54 usage 48 hide columns 107 history report 126 host name 41 change 42 hosts trusted 22 hot swap 54
I
idle timeout 22, 81 import logs 112 installation 11
J
javascript 51
L
language 21, 81 add 137 delete 138 edit 138 LDAP 76 server configuration 77 LDAP server adding 77 configuration 77 create new 77 delete 78 modify 77 license information widget 49 lightweight directory access protocol 76 line break add 121 local console access 51 log file 93 messages 66 rotate 92, 114 settings 91 system events 91 log view 106 column order 108 columns 107 customize 107 details 109 filter 108 logging to disk 91 logs 42 access 93 archive 109 browsing 110 download 112 import 112 maximum size 92, 114 rolling 92, 113, 114 rotation settings 91 settings 81 upload 91, 93, 113, 115 view packets 109 viewing 66
main menu bar 20 management interface 59 administrative access 59 default gateway 59 IP 59 IPv6 address 59 IPv6 administrative access 59 netmask 59 manager connect to 19 web-based 18 memory utilization 48 modify profile 73 monitor administrator sessions 67 notifications 86 task 94 move element 122
M
mail server 134 alerts 88 settings 89
N
name ADOM 26 SNMP community 84 netmask administrator account 70 network 59 configuring interfaces 61 diagnostic tools 60 DNS 59 interface list 60 interfaces 59 IPv6 routing table 60 IPv6 static routing 63 management interface 59 routing table 60 static routing 61 utilization 48 network interface configuring 61 network time protocol. See NTP notifications monitor 86 NTP 42
O
operation mode 12 analyzer 14, 15 change 47 collector 14, 15 standalone 13 output profile 134 output profile create new 134 delete 136 edit 136
P
packet log 109 page break add 121 password 46, 47 administrator 11 policy 81 platform type 41 port remote 85 predefined charts 100 profile create new 134 delete 136 edit 136 profiles administrator 71 configuring 72 create 72 delete 73 modify 73 restricted 71 RTM 96 standard 71 super 71 prompt 52
R
RADIUS server 74 configuration 74 create new 74 delete 75 modify 75 server secret 75 RAID configure 53 monitor 52 supported levels 54 RAID levels RAID 0 54 RAID 10 54 RAID 5 54 RAID linear 54 RAID1 54 RAID monitor widget 52 real-time monitor 34 real-time monitor. See RTM reboot 23, 50 receive notifications 86 remote authentication 74 port 85 remove charts 103
reorganize charts 103 report 116 advanced options 128 calendar 127 charts 128 data sets 131 delete 126 download 126 edit 122 history 126 output 134 profile 134 run 125 schedule 125 schedules 123 templates 117 UTM security analysis 117 reset dashboard 39 resolution 18 restore 46 roll logs 113 routing static 61, 63 routing table 61, 63 configuring 61, 63 RTM charts 96, 100 dashboards 99 profiles 96 view data 103 RTM dashboard delete 100 edit 100 RTM profile clone 98 delete 98 edit 97 new 96 run report 125 schedule 125
S
schedule 42 create new 123 delete 125 edit 125 reports 123 run 125 SCP 91 server 93 screen resolution 18 Secure Shell. See SSH serial number 41
server LDAP 76 RADIUS 74 remote authentication 74 syslog 89 TACACS+ 78 set time 43 settings administrator 80 advanced 85 device log 81 log rotation 91 logs 91 network 59 syslog server 89 severity 86 SFTP 91 server 93 shutdown 23, 50 Simple Network Management Protocol. See SNMP SMTP server 89 SNMP 81, 82 Agent 82 community, configuring 83 configure 82 configuring 82 manager 82 system name 41 v1 85 v2c 85 SNMP agent enable 83 SNMP community create 84 edit 85 name 84 special characters 42 SSH 51 SSL 42 standalone 13 static routes add 62, 63 configuring 61, 63 IPv6 63 status task 95 supported web browser 18 sync interval 43 syslog server FQDN 90 name 90 settings 89 system advanced settings 81 backup 45 restore 46 system firmware update 44
system information widget 40 system resource information customize 49 widget 48 system time 41, 42, 43 configuring 42
T
tab bar 20 TACACS+ server 78 configuration 78 create new 78 delete 79 modify 79 task delete 94 list size 86 monitor 94 status 95 Telnet 51 template add break 121 add chart 118 add headings 120 add image 120 add section 118 add text 121 charts 128 create new 117 reports 117 UTM security analysis 117 thresholds 86 time 42 configure 42 set 43 system 43 zone 43 timeout 81 tree menu 20 trusted host 22 security issues 71
U
unit operation widget 50 update device 29 firmware 29 upload enable 93, 115 logs 113 uptime 41 US-ASCII 42 utilization CPU 48 hard disk 48 memory 48 network 48
V
VDOM add 29 delete 34 view logs 106 packet log 109
W
web browser supported 18 web services description language. See WSDL
widget 51 add 39 alert message console 50 CLI console 51 license information 49 move 39 options 39 RAID monitor 52 system information 40 system resource information 48, 49 unit operation 50 WSDL file 86 file download 86