FortiAnalyzer v4.0 MR3 Patch Release 6 Administration Guide
March 01, 2013
05-436-164257-20130301

Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
Table of Figures
Logging, analyzing, and reporting workflow .......... 25
Topology of the FortiAnalyzer unit in standalone mode .......... 31
Change operation mode .......... 32
Change operation mode .......... 33
Topology of the FortiAnalyzer units in analyzer/collector mode .......... 34
License information widget .......... 37
FortiGuard Distribution Network window .......... 37
Allowed devices window .......... 40
Edit device window .......... 41
Putty console window .......... 46
Packet capture in Notepad .......... 47
Converting sniffer output to .pcap format .......... 48
Viewing sniffer output in Wireshark .......... 48
Backup and restore window .......... 49
Enabling ADOM configuration .......... 52
FortiAnalyzer system menu .......... 53
Create new ADOM .......... 53
New Administrative Domain window .......... 54
Switching to the global ADOM .......... 55
Administrative Domain name .......... 55
Administrative settings window .......... 56
FortiAnalyzer system window .......... 57
FortiAnalyzer system menu .......... 58
FortiAnalyzer system dashboard .......... 60
Adding a widget .......... 61
Widget title bar .......... 61
System information widget .......... 63
Time settings .......... 64
System information widget .......... 65
Change operation mode .......... 66
License information widget .......... 67
Unit operation widget .......... 68
System resources widget .......... 69
Edit system resources settings window .......... 70
Logs/data received widget .......... 71
Edit logs/data received settings window .......... 71
Statistics widget .......... 72
Statistics widget .......... 72
Logs window .......... 73
Log details window .......... 74
Report engine widget .......... 75
Disk monitor widget .......... 76
Status of a failed hard disk on a FAZ-800 unit as shown in the Disk Monitor widget .......... 77
Log receive monitor widget .......... 79
Editing log receive monitor settings .......... 79
Alert message console widget .......... 80
List of all alert messages .......... 80
Page 3
CLI console widget .......... 82
CLI console widget settings .......... 82
Top traffic widget .......... 83
Top traffic widget settings .......... 83
Top web traffic widget .......... 84
Top web traffic widget settings .......... 85
Top email traffic widget .......... 86
Top email traffic widget settings .......... 86
Top FTP traffic widget .......... 87
Top FTP traffic widget settings .......... 88
Top IM/P2P traffic widget .......... 88
Top IM/P2P traffic widget settings .......... 89
Virus activity widget .......... 90
Virus activity widget settings .......... 90
Intrusion activity widget .......... 91
Intrusion activity widget settings .......... 92
Interface list window .......... 93
Network interfaces .......... 94
Edit interface window .......... 94
Edit interface window .......... 97
Allowed devices window .......... 97
DNS configuration .......... 99
Route list .......... 99
New routing entry window .......... 100
Network share user list .......... 101
User configuration window .......... 102
User group list .......... 102
Group configuration window .......... 103
Windows network share user list .......... 104
Windows share configuration window .......... 105
List of users with NFS share access .......... 106
NFS export configuration window .......... 107
Administrator account list .......... 108
New administrator window .......... 109
Access profile list .......... 112
New access profile window .......... 112
Authentication group list .......... 113
New Auth Group window .......... 114
RADIUS server list .......... 114
New RADIUS server window .......... 115
TACACS+ server list .......... 116
New TACACS+ Server window .......... 116
Administrators settings .......... 117
Monitoring administrators .......... 118
SQL database .......... 120
Database upgrade notice .......... 121
Alert events list .......... 122
Add Alert Event window .......... 123
Mail server list .......... 125
Mail server settings window .......... 126
Test mail server window .......... 126
SNMP access list .......... 128
Fortinet Technologies Inc. Page 4 FortiAnalyzer v4.3.6 Administration Guide
New SNMP community window .......... 130
Syslog server list .......... 131
New Syslog Server window .......... 132
Test syslog server window .......... 132
Log aggregation client configuration .......... 134
Log aggregation server configuration .......... 135
Log forwarding .......... 136
List of IP aliases .......... 137
RAID settings .......... 139
LDAP server list .......... 145
New LDAP Server window .......... 145
LDAP distinguished name query .......... 147
Backup & Restore page .......... 148
FortiGuard Distribution Network window .......... 150
Migration .......... 153
Migrating configuration settings .......... 154
Device list .......... 158
Add a device to an HA cluster .......... 163
Add device .......... 164
Edit device window .......... 167
Enable FDP packets on an interface .......... 168
Edit Interface .......... 168
Unregistered device options window .......... 169
Blocked devices .......... 170
Block a device .......... 171
Blocked devices .......... 172
Device groups .......... 172
Create new group .......... 173
All device logs .......... 176
Log details window .......... 179
Change display options .......... 180
Column display settings .......... 180
Filter icons .......... 181
Filters window .......... 181
Log search .......... 183
DLP log archive window .......... 186
Quarantine summary .......... 188
Quarantine window .......... 189
Log file list .......... 191
Import log file window .......... 193
Download log file window .......... 194
Device log settings .......... 196
eDiscovery folders list page .......... 197
eDiscovery Config .......... 199
New eDiscovery folder window .......... 199
eDiscovery search window .......... 199
View eDiscovery search window .......... 201
Enable the SQL local database .......... 205
Start time options .......... 205
SQL database window .......... 206
Left-click and right-click menu options .......... 207
Default device reports .......... 208
Add section to default device report .......... 209
Report options window .......... 210
Edit new report section .......... 212
New Report Output .......... 214
Mail server settings window .......... 215
Report settings .......... 216
Report filters .......... 217
Predefined reports page .......... 218
Custom reports window .......... 219
Indexer based reports view options .......... 220
Create a new folder .......... 220
Pre-defined charts window .......... 221
Create new chart template .......... 223
Custom chart template .......... 226
Pre-defined datasets .......... 226
Custom datasets .......... 227
New data set window .......... 227
SQL query console window .......... 229
View calendar and task list .......... 230
Language options window .......... 231
Edit report language window .......... 231
Add report language window .......... 233
Report layout .......... 234
Indexer based reports page .......... 235
View report schedule list window .......... 237
New report schedule window .......... 238
Predefined report layouts window .......... 240
Edit report layout window .......... 242
Create new report layout .......... 244
Add chart to the new report layout .......... 244
Add section to new report layout .......... 245
Add text to new report layout dialog box .......... 245
Run report now window .......... 247
Data filter template menu .......... 248
New data filter .......... 249
Configure report language .......... 254
Edit report language window .......... 254
Add report language window .......... 256
Host asset list page .......... 260
Create asset window .......... 261
Scan schedule list page .......... 267
New scan schedule window .......... 268
Scan result list page .......... 269
Vulnerability scan results page .......... 270
Example network topology for Network Analyzer use .......... 273
Enable Network Analyzer in GUI Menu Customization .......... 273
Configure Network Analyzer settings .......... 274
Real time Network Analyzer logs page .......... 275
Historical Network Analyzer logs page .......... 276
Network analyzer log file list page .......... 278
Download log file window .......... 279
Download a partial (filtered) log file .......... 279
Change Display Options .......... 280
Column display settings window .......... 281
Filter icons in Network Analyzer .......... 282
Filters window .......... 282
Network Analyzer log search window .......... 283
Traffic log settings page .......... 287
File explorer window .......... 289
Firmware upgrade path .......... 291
Backup & Restore menu .......... 292
Firmware version [Update] page .......... 296
Database upgrade notice .......... 296
Enable administrative access on the interface .......... 304
Create a new data set window .......... 326
SQL query test results window .......... 327
Adding a dataset to a chart template .......... 374
Adding a chart to a report .......... 375
Creating a dataset .......... 376
ConnectWise setup tables .......... 383
ConnectWise Integrator login .......... 383
ConnectWise management IT .......... 384
ConnectWise company information .......... 385
ConnectWise configuration menu .......... 386
Table of Contents
Table of Figures .......... 3
Change Log .......... 15
Introduction .......... 16
  Scope .......... 17
  Entering FortiAnalyzer configuration data .......... 17
    Entering text strings (names) .......... 17
    Selecting options from a list .......... 18
    Enabling or disabling options .......... 18
  Report enhancements .......... 19
    Default device reports .......... 19
    Per device report generation .......... 19
    Email report option at the device level .......... 19
    Report and chart variables support .......... 19
    PDF report improvements .......... 20
  Web-based Manager changes .......... 20
    Menu layout enhancements .......... 20
    Operation mode changes .......... 20
  Structured Query Language database .......... 20
    SQL database compatibility .......... 20
    Performance improvements on SQL report generation .......... 20
    Local event logs in SQL database .......... 20
    Custom fields support in SQL database .......... 20
  FortiWeb support .......... 21
    FortiWeb integration .......... 21
    FortiMail, FortiWeb, and FortiClient logs in SQL database .......... 21
  FortiAnalyzer Virtual Machine support .......... 21
    VMware ESX/ESXi 5.0 Support .......... 21
  Logging enhancements .......... 21
    Log file integrity validation .......... 21
    Retrieve FortiGate logs on demand .......... 21
    Log forwarding IP spoofing .......... 21
    UTM logs consolidation .......... 21
Additional enhancements ... 22
  Secure communication between devices ... 22
  Network vulnerability scan ... 22
  SNMP v3 support ... 22
  TACACS+ server ... 22
  DNS log consolidation ... 22
  Email filters for reports ... 22
  Compatibility with ConnectWise ... 22
  SMP support and large storage ... 23
  Federal Information Processing Standard ... 23
Testing the setup ... 42
  Troubleshooting tools ... 43
Backing up the configuration ... 49
Administrative Domains ... 50
Configuring ADOMs ... 51
Accessing ADOMs as the admin administrator ... 57
System ... 59
Viewing the dashboard ... 59
  Customizing the dashboard ... 60
  System information widget ... 62
  License Information widget ... 67
  Unit operation widget ... 68
  System resources widget ... 69
  Logs/data received widget ... 71
  Statistics widget ... 72
  Report engine widget ... 75
  Disk monitor widget ... 75
  Log Receive Monitor widget ... 79
  Alert message console widget ... 80
  CLI console widget ... 81
  Top traffic widget ... 83
  Top web traffic widget ... 84
  Top email traffic widget ... 86
  Top FTP traffic widget ... 87
  Top IM/P2P traffic widget ... 88
  Virus activity widget ... 90
  Intrusion activity widget ... 91
Configuring network settings ... 92
  Configuring the network interfaces ... 92
  Configuring DNS ... 99
  Configuring static routes ... 99
Configuring network shares
  Configuring share users
  Configuring Windows shares
  Configuring NFS shares
Configuring administrator related settings ... 108
  Configuring administrator accounts ... 108
Configuring the Web-based Manager's global settings ... 117
Monitoring administrators ... 118
Configuring log storage & query features ... 119
  Configuring SQL database storage ... 119
  Configuring alerts ... 122
  Configuring an email server for alerts & reports ... 125
  Configuring the SNMP agent ... 127
  Configuring syslog servers ... 131
  Configuring log aggregation ... 133
  Configuring log forwarding ... 135
  Configuring IP aliases ... 137
  Configuring RAID ... 138
  Configuring LDAP queries for reports ... 144
Backing up the configuration and installing firmware ... 147
Scheduling & uploading vulnerability management updates ... 149
Migrating data from one FortiAnalyzer unit to another ... 152
Importing a local server certificate ... 156
Configuring device groups ... 172
Classifying FortiGate network interfaces ... 173
Browsing log files ... 191
  Importing a log file ... 192
  Downloading a log file ... 193
Backing up logs and archived files ... 195
Configuring rolling and uploading of devices' logs ... 195
Using eDiscovery ... 197
Backing up your configuration
  Backing up your configuration through the Web-based Manager
  Backing up your configuration through the CLI
  Backing up your log files
Testing firmware before upgrading/downgrading ... 293
Installing firmware from the BIOS menu in the CLI ... 295
Upgrading your FortiAnalyzer unit ... 295
  Upgrading/downgrading through the Web-based Manager ... 295
  Upgrading/downgrading through the CLI ... 297
  Verifying the upgrade ... 297
Troubleshooting process ... 298
  Establish a baseline ... 298
  Define the problem ... 299
  Gathering facts ... 299
  Search for a solution ... 300
  Create a troubleshooting plan ... 300
  Providing supporting elements ... 300
  Gather system information ... 300
  Check port assignments ... 302
  Troubleshoot connectivity issues ... 302
Run ping and traceroute ... 303
  Check connections with ping ... 303
  Check routes with traceroute ... 305
  What traceroute can tell you ... 305
  How to use traceroute ... 305
What can sniffing packets tell you ... 306
  Obtain any required additional equipment ... 307
  Ensure you have administrator access to required equipment ... 307
Contact customer service & support ... 307
Troubleshooting FortiAnalyzer issues ... 308
  File system issue ... 308
  Report issue ... 309
  Binary files issue ... 309
  CPU usage issue ... 309
  HA log issue ... 311
  NFS server connection issue ... 311
  Vulnerability management issues ... 311
  Upgrade issue ... 312
  Web-based Manager issue ... 312
  Disk usage issue ... 313
  Device IP issue ... 313
  Running an HQIP for hardware integrity control ... 315
  Packet capture (CLI sniffer) best practice ... 315
  No logs received with encryption enabled between a FortiGate unit and a FortiAnalyzer unit ... 315
  Bootup issues ... 316
Change Log
Change Description
Initial release.
Reports chapter updated.
Added custom report filter details.
Updated document template.
Minor document updates.
Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
FortiAnalyzer units are network appliances that provide integrated log collection and reporting tools. Reports analyze logs for email, FTP, web browsing, security events, and other network activity to help identify and mitigate security issues throughout your network. In addition to logging and reporting, FortiAnalyzer units also have several major features that augment or enable certain FortiGate unit functionalities, such as DLP archiving and quarantining, and improve your ability to stay informed about the state of your network.
Logging and reporting: A FortiAnalyzer unit can aggregate and analyze log data from Fortinet and other syslog-compatible devices. Using a comprehensive suite of easily-customized reports, you can filter and review records, including traffic, event, virus, attack, web content, and email data, mining the data to determine your security stance and ensure regulatory compliance. For information about the FortiAnalyzer logging, analyzing, and reporting workflow, see Figure 1 on page 25.
DLP archive / Data mining: Both FortiGate DLP (Data Leak Prevention) archive logs and their associated copies of files or messages can be stored on and viewed from a FortiAnalyzer unit, leveraging its storage capacity for the large media files that are common with multimedia content. When DLP archives are received by the FortiAnalyzer unit, you can use data filtering similar to other log files to track and locate specific email or instant messages, or to examine the contents of archived files.
Quarantine repository: A FortiAnalyzer unit can act as a central repository for files that are suspicious or known to be infected by a virus, and have therefore been quarantined by your FortiGate units.
Network vulnerability scan: A FortiAnalyzer unit can scan your designated target hosts for known vulnerabilities and open TCP and/or UDP ports. When the vulnerability scan is complete, the FortiAnalyzer unit generates a report that describes the discovered security issues and their known solutions. FortiAnalyzer units can utilize the FortiGuard subscription service to update their vulnerability databases with new entries added as they are discovered.
Packet capture: FortiAnalyzer units can log observed packets to diagnose areas of the network where firewall policies may require adjustment, or where traffic anomalies occur.
File explorer: You can browse through the list of content archive/DLP, quarantine, log, and report files on the FortiAnalyzer unit.
Network sharing: FortiAnalyzer units can use their hard disks as an NFS or Windows-style network share for FortiAnalyzer reports and logs, as well as users' files.
FIPS support: Federal Information Processing Standards (FIPS) are supported in some special releases of FortiAnalyzer firmware. Contact Customer Service & Support for more information.
Scope
This document describes how to use the Web-based Manager to set up and configure the FortiAnalyzer unit. It assumes you have already successfully installed the FortiAnalyzer unit by following the instructions in the FortiAnalyzer Install Guide. At this stage:
You have administrative access to the Web-based Manager and/or CLI.
The FortiAnalyzer unit can connect to the Web-based Manager and CLI.
This document explains how to use the Web-based Manager to:
maintain the FortiAnalyzer unit, including backups
configure basic settings such as system time, DNS settings, administrator password, and network interfaces
configure advanced features, such as adding devices, DLP archiving, vulnerability management, logging, and reporting
This document does not cover commands for the command line interface (CLI). For information on the CLI, see the FortiAnalyzer v4.0 MR3 CLI Reference.
From the CLI you can do the following to confirm that the firewall address name field allows 64 characters:
config report chart
  edit <chart_name>
    tree
--- [chart] --*name (64)
  |- type
  |- title (128 xss)
  |- comment (1024)
  |- dataset (64)
  +- graph-type
Note that the tree command output also shows the number of characters allowed for other report chart name settings. For example, the comment field can contain up to 1024 characters.
Report enhancements
The FortiAnalyzer system in v4.0 MR3 includes a number of changes and improvements to the report settings, report sections, and report contents. These improve the user experience when generating and working with reports at both the device and group levels. See Reports on page 203 for more information.
You can define these variables from the Web-based Manager, or from the CLI at the report layout level. If the same variable is defined at both the report level and the chart level, the chart level value has the higher priority and overrides the report level value. See Report settings on page 210 for more information.
FortiWeb support
FortiWeb integration
You can add FortiWeb units to FortiAnalyzer units and view the FortiWeb logs on the FortiAnalyzer units. You can also generate reports using the collected FortiWeb logs.
Logging enhancements
Log file integrity validation
You can use the execute log-integrity command to query a log file's MD5 checksum and timestamp to ensure that the log file has not been modified. This command only applies for:
rolled log files with MD5 hash recorded
a local log containing the MD5 hash of the log files downloaded from the FortiAnalyzer Web-based Manager
You cannot apply this command on an active log file. For more information, see the FortiAnalyzer CLI Reference.
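As an added example that is not part of this guide, the following Python script shows the kind of check execute log-integrity performs: it records the MD5 checksum and a timestamp for a rolled log file, later compares the file against that record, and shows why an active log that is still receiving entries cannot be validated the same way. The file name, log lines and record layout are constructed for the example; keep such records somewhere the log writer cannot alter them, or the check proves nothing.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample content for a rolled log file (not taken from a real unit).
SAMPLE_LOG = (
    'date=2013-03-01 time=10:00:01 type=event subtype=system msg="log file rolled"\n'
    "date=2013-03-01 time=10:00:05 type=traffic status=accept srcip=10.0.0.5\n"
)


def md5_of_file(path, chunk_size=65536):
    """Return the MD5 hex digest of a file, reading it in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_integrity(path):
    """Build the record kept for a rolled log: file name, MD5 and the time it was taken.

    The record layout is an assumption for this example, not the unit's own format.
    """
    return {
        "file": os.path.basename(path),
        "md5": md5_of_file(path),
        "recorded_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def verify_integrity(path, record):
    """Compare a file against its record. Returns (ok, detail)."""
    if not os.path.isfile(path):
        return False, "missing"
    current = md5_of_file(path)
    if current != record["md5"]:
        return False, "modified since %s: recorded %s, current %s" % (
            record["recorded_at"], record["md5"], current)
    return True, "unchanged since %s" % record["recorded_at"]


def demo():
    """Record a rolled file, verify it, then append to it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tlog.1.log")  # constructed rolled-log file name
        with open(path, "w") as f:
            f.write(SAMPLE_LOG)
        record = record_integrity(path)
        rolled_ok, _ = verify_integrity(path, record)
        # A log that is still receiving entries (or one that was edited) no longer
        # matches the recorded checksum, which is why active logs cannot be validated.
        with open(path, "a") as f:
            f.write("date=2013-03-01 time=10:00:09 type=traffic status=deny srcip=10.0.0.6\n")
        active_ok, detail = verify_integrity(path, record)
        return {"rolled_ok": rolled_ok, "active_ok": active_ok, "detail": detail}


if __name__ == "__main__":
    print(demo())
```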
Additional enhancements
Secure communication between devices
SSL FTP secure communications can be established between a FortiAnalyzer unit and a FortiGate or FortiManager unit. In the FortiAnalyzer CLI, you can choose the encryption algorithm for secure communications.
SNMP v3 support
The FortiAnalyzer SNMP v3 implementation includes support for queries, traps, authentication, and privacy. This is configured only with the CLI. For more information, see config system snmp in the FortiAnalyzer CLI Reference.
TACACS+ server
You can configure the FortiAnalyzer unit to have a TACACS+ server perform the user authentication. For more information, see Configuring TACACS+ servers on page 115.
Administrative Domains
FortiAnalyzer Administrative Domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators' access privileges to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific device's VDOM. For more information, see Administrative Domains on page 24.
Operation mode
The FortiAnalyzer unit has three operation modes:
Standalone: The default mode that supports all FortiAnalyzer features.
Analyzer: The mode used for aggregating logs from one or more log collectors. In this mode, the log aggregation configuration function is disabled.
Collector: The mode used for saving and uploading logs. For example, instead of writing logs into the database, the collector can retain the logs in original (binary) format for uploading. In this mode, the report function and some functions under System and Tools are disabled.
The analyzer and collector modes are used together to increase the analyzer's performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.
The FortiAnalyzer 100 and 400 models do not support the analyzer mode.
The mode of operation that you choose will depend on your network topology and individual requirements. For information about appropriate network topologies for each mode of operation, see Operation modes on page 12.
Log storage
The FortiAnalyzer unit saves logs received to the default proprietary indexed file storage system which is always ready to accept log data. It can also insert the log data into the Structured Query Language (SQL) database for generating reports. Both local and remote SQL database options are supported. For more information, see Reports on page 203.
Workflow
Once you have successfully deployed the FortiAnalyzer device on your network, using and maintaining your FortiAnalyzer unit involves the following:
Configuration of optional features, and re-configuration of required features if required by changes to your network
Backups
Updates
Monitoring reports, logs, and alerts
Figure 1 illustrates the process of data logging, data analyzing, and report generation by the FortiAnalyzer unit in standalone or analyzer mode.
Figure 1: Logging, analyzing, and reporting workflow
In these cases, you must access either interface using the default settings.
If the above conditions do not apply, access the Web-based Manager using the IP address, administrative access protocol, administrator account, and password already configured, instead of the default settings.
After you connect, you can use the Web-based Manager or CLI to configure basic network settings and access the CLI and/or Web-based Manager through your network. However, if you want to update the firmware, you may want to do so before continuing. See Updating the firmware on page 30. Until the FortiAnalyzer unit is configured with an IP address and connected to your network, you may prefer to connect the FortiAnalyzer unit directly to your management computer, or through a switch, in a peer network that is isolated from your overall network. However, isolation is not required.
indicate that the certificate contains a domain name while you have entered an IP address. You must manually indicate whether this mismatch is normal or not. Both warnings are normal for the default certificate.
4. Verify and accept the certificate, either permanently (the web browser will not display the self-signing warning again) or temporarily. You cannot log in until you accept the certificate. For details on accepting the certificate, see the documentation for your web browser.
5. In the Name field, type admin, then select Login. (In its default state, there is no password for this account.)
Login credentials entered are encrypted before they are sent to the FortiAnalyzer unit. If your login is successful, the Web-based Manager appears. To continue by updating the firmware, see Updating the firmware on page 30. Otherwise, to continue by configuring the basic settings, see The operation mode on page 31.
For more information on available CLI commands, see the FortiAnalyzer v4.0 MR3 CLI Reference. If you are not connecting for the first time, or have not just reset the configuration to its default state or restored the firmware, administrative access settings may have already been configured. In this case, access the CLI using the IP address, administrative access protocol, administrator account and password already configured instead of the default settings.
The following procedure uses Microsoft HyperTerminal. Steps may vary with other terminal emulators.
1. Using the RJ-45-to-DB-9 or null modem cable, connect your computer's COM port to the FortiAnalyzer unit's console port.
2. Verify that the FortiAnalyzer unit is powered on.
3. On your management computer, start HyperTerminal.
4. On Connection Description, enter a Name for the connection and select OK.
5. On Connect To, from Connect using, select the COM port to which you connected the FortiAnalyzer unit.
6. Select OK.
7. Select the following Port settings and select OK.
   Bits per second: 9600
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow control: None
8. Press Enter. The terminal emulator connects to the CLI and the CLI displays a login prompt.
9. Type admin and press Enter twice. (In its default state, there is no password for this account.)
The CLI displays a prompt, such as:
FortiAnalyzer #
You can now enter commands. To continue by updating the firmware, see Updating the firmware on page 30. Otherwise, to continue by configuring the basic settings, see The operation mode on page 31. For information about how to use the CLI, see the FortiAnalyzer v4.0 MR3 CLI Reference.
The following procedure uses PuTTY. Steps may vary with other SSH clients.
To connect to the CLI using an SSH connection:
1. On your management computer, configure the Ethernet port with the static IP address 192.168.1.2 with a netmask of 255.255.255.0.
2. Using the Ethernet cable, connect your computer's Ethernet port to the FortiAnalyzer unit's port1.
3. Verify that the FortiAnalyzer unit is powered on.
4. On your management computer, start your SSH client.
5. In Host Name (or IP Address), type 192.168.1.99.
6. In Port, type 22.
7. From Connection type, select SSH.
8. Select Open. The SSH client connects to the FortiAnalyzer unit. The SSH client may display a warning if this is the first time you are connecting to the FortiAnalyzer unit and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiAnalyzer unit but it used a different IP address or SSH key. If your management computer is directly connected to the FortiAnalyzer unit with no network hosts between them, this is normal.
9. Select Yes to verify the fingerprint and accept the FortiAnalyzer unit's SSH key. You cannot log in until you accept the key. The CLI displays a login prompt.
10. Type admin and press Enter. (In its default state, there is no password for this account.)
If three incorrect login attempts occur in a row, you will be disconnected. Wait for one minute, then reconnect to attempt the login again.
The CLI displays a prompt, such as: FortiAnalyzer # You can now enter commands. To continue by updating the firmware, see Updating the firmware on page 30. Otherwise, to continue by configuring the basic settings, see The operation mode on page 31. For information about how to use the CLI, see the FortiAnalyzer CLI Reference.
Before you can download firmware updates for your FortiAnalyzer unit, you must first register your FortiAnalyzer unit with Customer Service & Support. For details, go to https://support.fortinet.com/ or contact Customer Service & Support.
Standalone mode
The standalone mode is the default mode that supports all FortiAnalyzer features. If your network log volume is reasonable and does not compromise the performance of your FortiAnalyzer unit, you can choose this mode. Figure 2 illustrates the network topology of the FortiAnalyzer unit in standalone mode.
Figure 2: Topology of the FortiAnalyzer unit in standalone mode (FortiAnalyzer unit; external SQL database for log storage; LAN; monitored devices that send logs to the FortiAnalyzer unit for analyzing and reporting)
analyzer during the low traffic periods. As a result, the performance of the analyzer is guaranteed as it will only deal with log insertion and reporting when the log transfer process is over.
The FAZ-100 and FAZ-400 models do not support the analyzer mode.
As illustrated in Figure 5, company A has two remote branch networks protected by multiple FortiGate units. The networks generate large volumes of logs which fluctuate significantly during a day. It used to have a FAZ-4000A in standalone mode to collect logs from the FortiGate units and generate reports. To further boost the performance of the FAZ-4000A, the company deploys a FAZ-400B in collector mode in each branch to receive logs from the FortiGate units during the high traffic period and transfer bulk logs to the analyzer during the low traffic period.
To set up the analyzer/collector configuration:
1. On the FortiAnalyzer unit, go to System > Dashboard > Status.
2. In the System Information widget, in the Operation Mode row, select Change.
3. Select Analyzer and enter the password for the analyzer server and confirm it.
Figure 3: Change operation mode
Select to allow collectors to forward logs in real-time to the analyzer. Normally, logs are collected and uploaded on schedule, but you may want some critical logs to be sent immediately.
Automatically Delete (Reconcile) Real-time Logs During Collector Upload: After the logs are uploaded on schedule, those that were forwarded in real time become duplicates. Select this option to automatically delete the duplicate logs.
4. Select OK.
5. On the first collector unit, go to System > Dashboard > Status.
6. In the System Information widget, in the Operation Mode row, select Change.
7. Select Collector.
Enter the IP address of the analyzer unit to which this log collector uploads logs. For example, 100.10.1.2.
Enter the password of the analyzer unit.
Select 00:00 to upload logs on a daily basis because network traffic starts to drop from this time on. During the uploading, if the connection with the analyzer fails, the collector will keep trying to reconnect until the connection is restored.
The collector archives all logs that are uploaded.
Select to upload priority logs in real time, then set the priority level to Critical in Minimum Severity. This action uploads Critical level logs and the logs of the levels that appear before Critical in the list (the more severe levels).
Figure 5: Topology of the FortiAnalyzer units in analyzer/collector mode (high-end FortiAnalyzer unit in analyzer mode; external SQL database for log storage; two FortiAnalyzer units in collector mode, optimized for storing and forwarding logs, each on its own LAN)
To change the admin administrator password:
1. Go to System > Admin > Administrator.
2. Select the admin administrator account.
3. Select Change Password.
4. In the Old Password field, do not enter anything. (In its default state, there is no password for the admin account.)
5. In the New Password field, enter a password with sufficient complexity and number of characters to deter brute force and other attacks.
6. In the Confirm Password field, enter the new password again to confirm its spelling.
7. Select OK.
8. Select Logout. The FortiAnalyzer appliance logs you out. To continue using the Web-based Manager, you must log in again.
The new password takes effect the next time that administrator account logs in.
Your FortiAnalyzer unit cannot detect the latest vulnerabilities and compliance violations unless it is licensed and has network connectivity to download current definitions from the FortiGuard service.
Licensed (green check mark icon): At the last attempt, the FortiAnalyzer unit was able to successfully contact the FDN and validate its FortiGuard license.
Unreachable (grey X icon): Unable to determine license status due to network connection errors. Check the configuration of the FortiAnalyzer unit and any NAT or firewall devices that exist between the FortiAnalyzer appliance and the FDN or override server. For example, you may need to add static routes.
Figure 6: License information widget
To verify FortiGuard update connectivity:
Before performing this procedure, if your FortiAnalyzer appliance connects to the Internet using a proxy, configure the FortiAnalyzer appliance to connect to the FDN through the proxy (go to System > Maintenance > FortiGuard).
1. Go to System > Maintenance > FortiGuard.
Figure 7: FortiGuard Distribution Network window
2. If you want your FortiAnalyzer appliance to connect to a specific FDS other than the default for its time zone, enable Use override server address, and enter the fully qualified domain name (FQDN) or IP address of the FDS.
3. Select Apply.
4. Select Request Update Now.
The FortiAnalyzer appliance tests the connection to the FDN and, if applicable, the server you specified to override the default FDN server. The amount of time required varies based on the speed of the FortiAnalyzer unit's network connection, and the number of timeouts that occur before the connection attempt is successful or the FortiAnalyzer appliance determines that it cannot connect.
Test results are indicated in the local logs in Log & Archive > Log Access > Event, such as this log message, which indicates that the connection succeeded:
VCM upgrade: no new update available
If the connection test did not succeed due to license issues, you would instead see this log message:
VCM upgrade: Invalid VM license
If the connection test did not succeed due to failed connectivity with the proxy, you would instead see this log message:
VCM upgrade: failed connecting to 192.168.1.10:443
For more troubleshooting information, see the command diagnose debug application fortiguard in the FortiAnalyzer v4.0 MR3 CLI Reference.
4. Select Apply.
The FortiAnalyzer unit next requests an update according to the schedule. If you have enabled logging, when the FortiAnalyzer unit requests an update, the event is recorded in the local logs in Log & Archive > Log Access > Event, such as this log message:
VM upgrade: no new update available
3. Select OK.
The page refreshes.
4. After a few minutes, select the FortiGuard submenu to refresh the page, or go to System > Dashboard > Status and look at the License Information widget. If an update was available, the packages that were updated have new version numbers.
If you have enabled logging, when the FortiAnalyzer unit requests an update, the event is recorded in the local logs in Log & Archive > Log Access > Event Log, such as this log message:
VCM upgrade: no new update available
2. Select the FortiGate device from the device list and select the Edit icon.
3. Configure the Disk Allocation quota to be used by the FortiGate device.
4. Configure the Device Privileges settings to allow the FortiGate unit to send and view its log files, archived content, and quarantined files.
Remotely accessing logs, content logs, and quarantined files is available on FortiGate units running firmware v4.0 or later.
5. Select OK. For more information, see Configuring connections with devices & their disk space quota on page 157.
Due to the nature of connectivity for certain HA modes, full content archiving and quarantining may not be available for FortiGate units in an HA cluster. For details, see the FortiOS Handbook.
To send FortiGate logs to a FortiAnalyzer unit:
1. On the FortiGate unit, go to Log & Report > Log Config > Log Setting.
2. Select the Expand Arrow for Remote Logging and Archiving to expand the options.
3. Select FortiAnalyzer and enter the IP Address of the FortiAnalyzer unit.
4. Select a security level to log.
5. Select Apply.
For more information on the logging options, see the Log & Report chapter in the FortiGate v4.0 MR3 Administration Guide.
Further reading
The FortiGate unit and FortiAnalyzer unit are now configured to send and receive log information. Using this log collection, you can view traffic and vulnerability statistics, and run reports from a selection of over 200 reports in 15 categories.
To help you in further configuration and data analysis, see these other Fortinet documents, available from the Technical Documentation web site, http://docs.fortinet.com:
• This guide includes further configuration and technical information on your FortiAnalyzer unit.
• FortiAnalyzer v4.0 MR3 CLI Reference describes all the CLI commands you can use to configure the FortiAnalyzer unit.
• FortiAnalyzer v4.0 MR3 Log Reference describes the FortiAnalyzer local log messages, which can be used for analysis and troubleshooting purposes.
• FortiOS v4.0 MR3 Handbook includes steps for enabling the various logging options and details on the logging levels.
• FortiOS v4.0 MR3 Log Message Reference describes what each log message means and its components.
To test connections with devices, you must configure each device to send logs, and then cause some kind of event that will trigger a log. If the device keeps a local log buffer for performance reasons, and only sends logs periodically or when the buffer is full, you may need to generate multiple logs and/or wait for the FortiAnalyzer unit to receive the log message from the remote device. For information on periodic log uploads or buffering behavior, consult the documentation for each device. If the FortiAnalyzer unit is operating as a log aggregator, your test should include receiving logs from other FortiAnalyzer units.
Troubleshooting tools
To locate network errors and other issues that may prevent logs from passing to or through the FortiAnalyzer unit, FortiAnalyzer units feature several troubleshooting tools. You may also be able to perform additional tests from your management computer or the computers of SMTP clients and servers.
This section includes the following topics:
• Ping and traceroute
• Log messages
• Packet capture
--- 172.20.120.167 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/1.4/2.4 ms
or that 192.168.1.10 is not reachable:
FortiAnalyzer # execute ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
Timeout ...
Timeout ...
Timeout ...
Timeout ...
Timeout ...
--- 192.168.1.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Both ping and traceroute require that network nodes respond to ICMP ping. If you have disabled responses to ICMP on your network, hosts may appear to be unreachable to ping and traceroute even if connections using other protocols can succeed.
If the host is not reachable, you can use traceroute to determine the router hop or host at which the connection fails:
FortiAnalyzer # execute traceroute 192.168.1.10
traceroute to 192.168.1.10 (192.168.1.10), 32 hops max, 72 byte packets
 1  192.168.1.2  2 ms  0 ms  1 ms
 2  * * *
For more information on CLI commands, see the FortiAnalyzer v4.0 MR3 CLI Reference.
Log messages
Log messages often contain clues that can aid you in determining the cause of a problem. FortiAnalyzer units can record log messages when errors occur that cause failures, upon significant changes, and upon processing events. Depending on the type, log messages may appear in one of several log files. For example:
• To determine when and why a FortiGuard update connection failed, you might examine the Message field in the event log.
• To determine why an email was blocked by a firewall, you might examine logs whose Type field is dlp in the UTM log.
During troubleshooting, you may find it useful to reduce the logging severity threshold for more verbose logs to include more information on less severe events. For example, when the FortiAnalyzer unit cannot reach the FDN or override server for FortiGuard updates, the associated log message in the event log has a severity level of Error. If your severity threshold is currently greater than Error (such as Critical or Alert), the Alert Message Console widget in the Web-based Manager will not record that log message, and you will not be notified of the error. Often this error might occur due to temporary connectivity problems and is not critical. However, if you are frequently encountering this issue, you may want to lower the severity threshold to determine how often the issue is occurring and whether the cause of the problem is persistent.
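The following Python script is an added example, not part of this guide and not a Fortinet tool. It takes an export of the event log, picks out the three "VCM upgrade" outcomes listed under Request Update Now (success, invalid license, failed connection), counts them, finds the longest run of consecutive failed attempts (the "is the cause persistent?" question above), and reports how many failures a console filtered at a given severity threshold would have hidden. The key=value layout of the sample lines is constructed for the example; the real format is documented in the FortiAnalyzer Log Reference, and only the three message texts come from this guide.

```python
"""Triage FortiAnalyzer event-log lines that record FortiGuard update attempts.

Added example, not part of the administration guide. The key=value line layout is
constructed; only the three "VCM upgrade" message texts come from the guide.
"""
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample export of Log & Archive > Log Access > Event. The field layout
# (date/time/pri/msg) is an assumption; see the FortiAnalyzer Log Reference for the
# real format. A non-update line is included to show that it is ignored.
SAMPLE_EVENT_LOG = """\
date=2013-03-01 time=02:00:03 pri=information msg="VCM upgrade: no new update available"
date=2013-03-02 time=02:00:04 pri=error msg="VCM upgrade: failed connecting to 192.168.1.10:443"
date=2013-03-03 time=02:00:02 pri=error msg="VCM upgrade: failed connecting to 192.168.1.10:443"
date=2013-03-04 time=02:00:05 pri=error msg="VCM upgrade: Invalid VM license"
date=2013-03-05 time=02:00:03 pri=information msg="VCM upgrade: no new update available"
date=2013-03-05 time=02:10:00 pri=notice msg="User admin logged in from 10.0.0.5"
"""

# Syslog-style ordering: lower number = more severe. A message is shown when its
# level is at least as severe as the configured threshold.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "information": 6, "debug": 7}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def classify_update_message(msg: str) -> Optional[str]:
    """Map a 'VCM upgrade:' message to an outcome; None for unrelated messages."""
    prefix = "VCM upgrade:"
    if not msg.startswith(prefix):
        return None
    detail = msg[len(prefix):].strip()
    if detail.startswith("no new update available"):
        return "ok"            # connection to the FDN succeeded
    if detail.startswith("Invalid VM license"):
        return "license"       # reached the FDN but the license did not validate
    if detail.startswith("failed connecting to"):
        return "connectivity"  # could not reach the FDN/override server or proxy
    return "other"


def is_visible(pri: str, threshold: str) -> bool:
    """True if a message of priority `pri` passes a severity threshold."""
    return SEVERITY[pri.lower()] <= SEVERITY[threshold.lower()]


def summarize(text: str, threshold: str = "error") -> Dict[str, object]:
    """Count outcomes, find the longest run of consecutive failed attempts, and
    count the failures that a console filtered at `threshold` would have hidden."""
    counts: Counter = Counter()
    streak = longest = hidden = 0
    for line in text.splitlines():
        fields = parse_line(line)
        outcome = classify_update_message(fields.get("msg", ""))
        if outcome is None:
            continue
        counts[outcome] += 1
        if outcome == "ok":
            streak = 0
            continue
        streak += 1
        longest = max(longest, streak)
        if not is_visible(fields.get("pri", "information"), threshold):
            hidden += 1
    return {"counts": dict(counts), "longest_failure_streak": longest,
            "hidden_at_threshold": hidden}


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENT_LOG, "error"))
    print(summarize(SAMPLE_EVENT_LOG, "critical"))
```

On the sample, a threshold of Error hides nothing, while a threshold of Critical hides all three failed attempts, which is the effect the paragraph above warns about; the three-day failure streak is what distinguishes a persistent problem from a transient one.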
Packet capture
Packet capture, also known as sniffing, records some or all of the packets seen by a network interface. By recording packets, you can trace connection states to the exact point at which they fail, which may help you to diagnose some types of problems that are otherwise difficult to detect.
FortiAnalyzer units have a built-in sniffer. Packet capture on FortiAnalyzer units is similar to that of FortiGate units. To use the built-in sniffer, connect to the CLI and enter the following command:
diagnose sniffer packet [<interface_name>] [{none | '<filter_str>'}] [{1 | 2 | 3}] [<count_int>]
where:
• <interface_name> is the name of a network interface, such as port1, or any for all interfaces.
• '<filter_str>' is the sniffer filter that specifies the protocols and port numbers that you do or do not want to capture, such as 'tcp port 25', or none for no filters.
• {1 | 2 | 3} is an integer indicating the depth of packet headers and payloads to display.
• <count_int> is the number of packets the sniffer reads before stopping.
Packet capture output is printed to your CLI display until you stop it by pressing Ctrl + C, or until it reaches the number of packets that you have specified to capture.
Packet capture can be very resource intensive. To minimize the performance impact on your FortiAnalyzer unit, use packet capture only during periods of minimal traffic, with a serial console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.
For example, you might capture all TCP port 443 (typically HTTPS) traffic occurring through port1, regardless of its source or destination IP address. The capture uses a high level of verbosity (indicated by 3). A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses CTRL + C. The sniffer then confirms that five packets were seen by that network interface. (Verbose output can be very long. As a result, output shown below is truncated after only one packet. Commands that you would type are highlighted in bold; responses from the FortiAnalyzer appliance are not in bold.)
FortiAnalyzer# diagnose sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000   0009 0f09 0001 0009 0f89 2914 0800 4500   ..........)...E.
0x0010   003c 73d1 4000 4006 3bc6 d157 fede ac16   .<s.@.@.;..W....
0x0020   0ed8 c442 01bb 2d66 d8d2 0000 0000 a002   ...B..-f........
0x0030   16d0 4f72 0000 0204 05b4 0402 080a 03ab   ..Or............
0x0040   86bb 0000 0000 0103 0303                  ..........
Instead of reading packet capture output directly in your CLI display, you should usually save the output to a plain text file using your CLI client. Saving the output provides several advantages: packets can arrive more rapidly than you may be able to read them in the buffer of your CLI display, and many protocols transfer data using encodings other than US-ASCII. It is usually preferable to analyze the output by loading it into a network protocol analyzer application such as Wireshark (http://www.wireshark.org/).
For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer output. Methods may vary. See the documentation for your CLI client.
Requirements:
• terminal emulation software such as PuTTY
• a plain text editor such as Notepad
• a Perl interpreter
• network protocol analyzer software such as Wireshark
To view packet capture output using PuTTY and Wireshark:
1. On your management computer, start PuTTY.
2. Use PuTTY to connect to the FortiAnalyzer appliance using either a local serial console, SSH, or Telnet connection. For details, see the FortiAnalyzer v4.0 MR3 CLI Reference.
3. Type the packet capture command, such as:
diagnose sniffer packet port1 'tcp port 25' 3
but do not press Enter yet.
4. In the upper left corner of the window, select the PuTTY icon to open its drop-down menu, then select Change Settings.
Figure 10: PuTTY console window
A dialog appears where you can configure PuTTY to save output to a plain text file.
5. In the Category tree on the left, go to Session > Logging.
6. In Session logging, select Printable output.
7. In Log file name, select the Browse button, then choose a directory path and file name such as C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain text file. (You do not need to save it with the .log file extension.)
8. Select Apply.
9. Press Enter to send the CLI command to the FortiAnalyzer unit, beginning packet capture.
10. If you have not specified a number of packets to capture, when you have captured all packets that you want to analyze, press Ctrl + C to stop the capture.
11. Close the PuTTY window.
12. Open the packet capture file using a plain text editor such as Notepad.
Figure 11: Packet capture in Notepad
13. Delete the first and last lines, which look like this:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
FortiAnalyzer-2000 #
These lines are a PuTTY timestamp and a command prompt, which are not part of the packet capture. If you do not delete them, they could interfere with the script in the next step.
14. Convert the plain text file to a format recognizable by your network protocol analyzer application. You can convert the plain text file to a format (.pcap) recognizable by Wireshark using the fgt2eth.pl Perl script. To download fgt2eth.pl, see the Knowledge Base article Using the FortiOS built-in packet sniffer.
The fgt2eth.pl script is provided as-is, without any implied warranty or technical support, and requires that you first install a Perl module compatible with your operating system.
To use fgt2eth.pl, open a command prompt, then enter a command such as the following:
fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap
where:
• fgt2eth.pl is the name of the conversion script; include the path relative to the current directory, which is indicated by the command prompt
• packet_capture.txt is the name of the packet capture's output file; include the directory path relative to your current directory
• packet_capture.pcap is the name of the conversion script's output file; include the directory path relative to your current directory where you want the converted output to be saved.
Methods to open a command prompt vary by operating system. On Windows XP, go to Start > Run and enter cmd. On Windows 7, select the Start (Windows logo) menu to open it, then enter cmd.
15. Open the converted file in your network protocol analyzer application. For further instructions, see the documentation for that application.
Figure 13: Viewing sniffer output in Wireshark
For additional information on packet capture, see the Knowledge Base article Using the FortiOS built-in packet sniffer. For more information on CLI commands, see the FortiAnalyzer v4.0 MR3 CLI Reference.
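The Python script below is an added example and is not Fortinet's fgt2eth.pl; it performs the conversion of step 14 for verbosity-3 output (the format shown in the port 443 example above) so the PuTTY-to-Wireshark workflow can be reproduced without a Perl interpreter. It tolerates the PuTTY banner and prompt lines that step 13 tells you to delete by simply ignoring any line that is neither a packet header nor a hex-dump line. The embedded capture is constructed from the guide's one-packet example; the optional "interface in|out" token accepted in packet header lines is an assumption about captures taken on the any interface, and the file names in the usage line are placeholders.

```python
"""Convert verbosity-3 output of 'diagnose sniffer packet' into a pcap file.

Added example, not part of the administration guide and not Fortinet's fgt2eth.pl.
"""
import re
import struct
import sys
from typing import List, Tuple

# Packet header line, e.g. "10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898".
# The optional "<interface> in|out" group is an assumption about captures taken on 'any'.
PACKET_LINE = re.compile(r"^(\d+\.\d+)\s+(?:\S+\s+(?:in|out)\s+)?\S+\s+->\s+\S+:")
# Hex dump line: "0x0010 003c 73d1 ... <ascii column>"; each line carries up to 16 bytes.
DUMP_LINE = re.compile(r"^0x[0-9a-fA-F]{4}\s")
HEX_WORD = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})$")

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1  # verbosity 3 dumps start at the Ethernet header

# Constructed sample: the guide's single-packet capture wrapped in the PuTTY banner
# and prompt lines that step 13 tells you to delete; this parser just skips them.
SAMPLE_CAPTURE = """\
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
FortiAnalyzer-2000 # diagnose sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000   0009 0f09 0001 0009 0f89 2914 0800 4500   ..........)...E.
0x0010   003c 73d1 4000 4006 3bc6 d157 fede ac16   .<s.@.@.;..W....
0x0020   0ed8 c442 01bb 2d66 d8d2 0000 0000 a002   ...B..-f........
0x0030   16d0 4f72 0000 0204 05b4 0402 080a 03ab   ..Or............
0x0040   86bb 0000 0000 0103 0303                  ..........
FortiAnalyzer-2000 #
"""


def parse_sniffer_text(text: str) -> List[Tuple[float, bytes]]:
    """Return (relative_timestamp_seconds, frame_bytes) for each packet in the dump."""
    packets: List[Tuple[float, bytes]] = []
    ts = None
    frame = bytearray()
    for raw in text.splitlines():
        line = raw.strip()
        header = PACKET_LINE.match(line)
        if header:
            if ts is not None and frame:
                packets.append((ts, bytes(frame)))
            ts, frame = float(header.group(1)), bytearray()
        elif ts is not None and DUMP_LINE.match(line):
            # Up to eight 16-bit words follow the offset; stop at the ASCII column,
            # which is the first token that is not 2 or 4 hex digits.
            for token in line.split()[1:9]:
                if not HEX_WORD.match(token):
                    break
                frame.extend(bytes.fromhex(token))
        # Any other line (banner, prompt, interfaces=/filters= lines) is ignored.
    if ts is not None and frame:
        packets.append((ts, bytes(frame)))
    return packets


def to_pcap(packets: List[Tuple[float, bytes]]) -> bytes:
    """Serialize frames as a classic little-endian pcap with the Ethernet link type.
    The sniffer's relative seconds are used as-is, so timestamps start at epoch 0."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


if __name__ == "__main__":
    # Usage (placeholder names): python sniffer2pcap.py packet_capture.txt packet_capture.pcap
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, encoding="utf-8", errors="replace") as fh:
        frames = parse_sniffer_text(fh.read())
    with open(dst, "wb") as fh:
        fh.write(to_pcap(frames))
    print(f"wrote {len(frames)} packet(s) to {dst}")
```

The resulting file opens in Wireshark like the one produced in step 15. One limitation to be aware of: the sniffer prints printable payload bytes verbatim in the ASCII column, so a short final dump line whose ASCII text happens to be exactly two or four hex characters would be misread as data; real fgt2eth.pl output should be preferred where that matters.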
To back up the configuration file:
1. Log in to the Web-based Manager as the admin administrator. Other administrator accounts do not have the required permissions.
2. Go to System > Maintenance > Backup & Restore.
Figure 14: Backup and restore window
3. In the Backup area, select Backup.
Your browser downloads the configuration file and saves it to your local PC. Time required varies by the size of the configuration and the specifications of the appliance's hardware as well as the speed of your network connection, but could take several minutes. For more information, see Backing up your configuration on page 291.
Administrative Domains
Administrative domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators' access privileges to a subset of devices in the device list. For FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific FortiGate VDOM.
Table 3: Characteristics of the CLI and Web-based Manager when ADOMs are enabled
                                                                   admin administrator account   Other administrators
Access to Global Configuration                                     Yes                           No
Access to Administrative Domain Configuration (can create ADOMs)   Yes                           No
Can create administrator accounts                                  Yes                           No
Can enter all ADOMs                                                Yes                           No
Enabling ADOMs alters the structure and available functionality of the Web-based Manager and CLI according to whether or not you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account's assigned access profile. If ADOMs are enabled and you log in as admin, you first access the Global ADOM where you have full access to the menus, except the Report menu, and can configure other ADOMs in System > ADOM > ADOM. At the end of the menu list, the Current ADOM menu appears, enabling you to enter into another ADOM or return to the Global ADOM.
By default, some menus are hidden. To make them visible, you can enable the menus in System > Admin > Settings. See To enable ADOMs: on page 51 for more information.
The Global ADOM contains settings used by the FortiAnalyzer unit itself, as well as settings shared by ADOMs, such as the device list, RAID, and administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM. For more information, see Assigning administrators to an ADOM on page 57. The admin administrator can further restrict other administrators' access to specific configuration areas within their ADOM by using access profiles. For more information, see Configuring access profiles on page 111.
If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. You can only access the menu items assigned to you in your access profile. You cannot access the Global ADOM or enter other ADOMs. By default, administrator accounts other than the admin account are assigned to the root ADOM, which includes all devices in the device list. By creating ADOMs that contain a subset of devices in the device list, and assigning them to administrator accounts, you can restrict other administrator accounts to a subset of the FortiAnalyzer unit's total devices or VDOMs. The maximum number of ADOMs varies by FortiAnalyzer model. For details, see Maximum Value Matrix on page 322.
This chapter includes the following:
• Configuring ADOMs
• Accessing ADOMs as the admin administrator
• Assigning administrators to an ADOM
Configuring ADOMs
ADOMs are disabled by default. To use ADOMs:
1. Log in as admin. Other administrators cannot enable, disable, or configure ADOMs.
2. Enable the feature by going to System > Admin > Settings. See To enable ADOMs: on page 51.
3. Create ADOMs by going to System > ADOM > ADOM. See Add or edit an ADOM: on page 53.
4. Assign other FortiAnalyzer administrators to an ADOM by going to System > Admin > Administrator. See To assign an administrator to an ADOM: on page 58.
To enable ADOMs:
Enabling ADOMs moves non-global configuration items to the root ADOM. Back up the configuration before beginning the following procedure. For more information about backing up your configuration, see Maintaining Firmware on page 290.
1. Log in as admin. Other administrators cannot enable, disable, or configure ADOMs.
2. Go to System > Admin > Settings.
3. Enable (select) Admin Domain Configuration.
If other administrators are also logged in at the same time, they will not be automatically logged out. Notify them that ADOMs have been enabled, and that they may need to log out and log in again for display changes to take effect.
6. To confirm that ADOMs are enabled, log in again as admin. System > ADOM should now be available. At the end of the menu list, the Current ADOM menu also appears, enabling you to enter into an ADOM or return to the Global ADOM. Continue with Add or edit an ADOM: on page 53 to create ADOMs.
Add or edit an ADOM:
Before you can add an ADOM, you must first enable the feature. For details, see To enable ADOMs: on page 51.
1. From Current ADOM in the left-hand navigation menu, select Global.
2. Go to System > ADOM > ADOM.
Figure 17: Create new ADOM
3. Select Create New, or, to modify an existing ADOM, mark its check box, then select Edit.
4. In the Name field, type a name for the ADOM. This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.
5. From Available Devices, select which devices to associate with the ADOM, then select the right arrow to move them to Selected Devices. You can move multiple devices at once. To select multiple devices, select the first device, then hold the Shift key while selecting the last device in a continuous range, or hold the Ctrl key while selecting each additional device. To remove a device from Selected Devices, select one or more devices, then select the left arrow to move them to Available Devices.
6. If the ADOM includes a FortiGate unit, and you want to include only a specific VDOM, enable Restrict to Virtual Domain(s), then enter the VDOM name. If the ADOM includes a FortiMail unit and you want to include only a specific email domain, enable and configure Restrict to Email Domain(s).
7. Select OK.
Continue with Assigning administrators to an ADOM on page 57.
To disable ADOMs:
Back up the configuration before beginning this procedure. Deleting ADOMs, which can occur when disabling the ADOM feature, removes administrator accounts assigned to ADOMs other than the root ADOM. For more information, see Maintaining Firmware on page 290. If you do not wish to delete these administrator accounts, assign them to the root ADOM before disabling ADOMs.
2. Go to System > ADOM > ADOM.
3. Mark the check boxes next to each ADOM except root (Management Administrative Domain), then select Delete.
Figure 20: Administrative Domain name
You cannot delete an ADOM if an administrator is currently assigned to it. You must first reassign the administrator to the root ADOM (see Assigning administrators to an ADOM on page 57).
If any other ADOMs except the root ADOM remain, the option to disable ADOMs will not appear.
4. Go to System > Admin > Settings.
5. Disable (deselect) Admin Domain Configuration.
The ADOM-specific menu subset appears. While in this menu subset, any changes you make affect this ADOM only, and do not affect devices in other ADOMs or global FortiAnalyzer unit settings. You can return to global settings by selecting Global from Current ADOM.
By default, when ADOMs are enabled, existing administrator accounts other than admin are assigned to the root ADOM, which contains all devices in the device list. For more information about creating other ADOMs, see Configuring ADOMs on page 51.
To assign an administrator to an ADOM:
1. Log in as admin. Other administrators cannot configure administrator accounts when ADOMs are enabled.
2. From Current ADOM in the left-hand navigation menu, select Global (see Figure 19 on page 55).
3. Go to System > Admin > Administrator.
Figure 23: FortiAnalyzer system menu
4. Configure the administrator account as described in Configuring administrator accounts on page 108. In Admin Domain, select which ADOM the administrator will be allowed to access.
System
The System menu displays a dashboard with widgets that indicate statuses and perform basic functions, such as rebooting the FortiAnalyzer unit. This menu also contains submenus that enable you to make configuration backups, and configure administrator accounts, system time, network and FortiGuard connectivity, and other system-wide features such as RAID and log forwarding.
This topic includes:
• Viewing the dashboard
• Configuring network settings
• Configuring network shares
• Configuring administrator related settings
• Configuring the Web-based Manager's global settings
• Monitoring administrators
• Configuring log storage & query features
• Backing up the configuration and installing firmware
• Scheduling & uploading vulnerability management updates
• Migrating data from one FortiAnalyzer unit to another
• Importing a local server certificate
To add a dashboard
To add a dashboard, select Dashboard, then select Add Dashboard and type its name. The dashboard is added to the left-hand navigation menu. (For example, for a dashboard named Summary Reports, System > Dashboard > Summary Reports would be added to the menu.) The new dashboard is empty until you add the widgets that you want to show on that new dashboard.
To move a widget
To move a widget, position your mouse cursor on the widget's title bar, then select and drag the widget to its new location.
When the SQL database is enabled, Top Traffic, Top Web Traffic, Top Email Traffic, Top FTP Traffic, Top IM/P2P Traffic, Virus Activity, and Intrusion Activity will not appear in the widget list. For information on enabling the SQL database, see Configuring SQL database storage on page 119.
To see the available options for a widget, position your mouse cursor over the icons in the widget's title bar. Options vary slightly from widget to widget, but always include options to close or show/hide the widget.
Figure 26: Widget title bar
Table 4: Widget values
Web-based Manager item   Description
Widget title             The name of the widget.
Show/Hide arrow          Select to show or hide the widget.
More alerts              Show the Alert Messages dialog box. This option appears only on the Alert Message Console widget.
Reset                    Reset the collected statistics. See Statistics widget on page 72. This option appears only on the Statistics widget.
Detach                   Detach the CLI Console widget from the dashboard and open it in a separate window. See CLI console widget on page 81. This option appears only on the CLI Console widget.
Console Preferences      Show the Console Preferences window, which allows you to customize the look of the CLI Console widget. See CLI console widget on page 81. This option appears only on the CLI Console widget.
RAID settings            Show the RAID Settings dialog box, which displays the current RAID settings and allows for configuration of the RAID level if available. See Disk monitor widget on page 75. This option appears only on the RAID Monitor widget.
(icon)                   Select to change settings for the widget.
(icon)                   Select to update the displayed information.
(icon)                   Select to hide the widget on the dashboard. You will be prompted to confirm the action. To show the widget again, select Widget near the top of the dashboard.
The available dashboard widgets are:
• System information widget
• License Information widget
• Unit operation widget
• System resources widget
• Logs/data received widget
• Statistics widget
• Report engine widget
• Disk monitor widget
• Log Receive Monitor widget
• Alert message console widget
• CLI console widget
• Top traffic widget
• Top web traffic widget
• Top email traffic widget
• Top FTP traffic widget
• Top IM/P2P traffic widget
• Virus activity widget
• Intrusion activity widget
The widget displays the following information:
Serial Number      The serial number of the FortiAnalyzer unit. The serial number is specific to the FortiAnalyzer unit's hardware and does not change with firmware upgrades. Use this number when registering the hardware with Customer Service & Support.
                   The time in days, hours, and minutes since the FortiAnalyzer unit was started.
System Time        The current date and time according to the FortiAnalyzer unit's internal clock. Select Change to change the time or configure the FortiAnalyzer unit to get the time from an NTP server. See Configuring the time & date on page 63.
Host Name          The host name of the FortiAnalyzer unit. Select Change to change the host name. See Configuring the FortiAnalyzer unit's host name on page 65.
Firmware Version   The version of the firmware currently installed on the FortiAnalyzer unit. Select Update to install firmware. See Maintaining Firmware on page 290.
Operation Mode     The current operation mode of the FortiAnalyzer unit. Select Change to switch to another operation mode. See Selecting the operation mode on page 65. This option is not available on FortiAnalyzer-100B, -100C models.
For many features to work, including scheduling, logging, and SSL-dependent features, the FortiAnalyzer system time must be accurate.
To configure the date and time:
1. Go to System > Dashboard > Status. In the System Information widget, in the System Time row, select Change.
2. From Time Zone, select the time zone in which the FortiAnalyzer unit is located.
3. Configure the following to either manually configure the system time, or automatically synchronize the FortiAnalyzer unit's clock with an NTP server:
Figure 28: Time settings
4. Configure the following settings:
System Time                   The date and time according to the FortiAnalyzer unit's clock at the time that this tab was loaded, or when you last selected the Refresh button.
Refresh                       Select to update the System Time field with the current time according to the FortiAnalyzer unit's clock.
Time Zone                     Select the time zone in which the FortiAnalyzer unit is located.
Set Time                      Select this option to manually set the date and time of the FortiAnalyzer unit's clock, then select the Hour, Minute, Second, Year, Month and Day fields before you select OK.
Synchronize with NTP Server   Select this option to automatically synchronize the date and time of the FortiAnalyzer unit's clock with an NTP server, then configure the Server and Sync Interval fields before you select OK.
Server                        Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org.
Sync Interval                 Enter how often in minutes the FortiAnalyzer unit should synchronize its time with the NTP server. For example, entering 1440 causes the FortiAnalyzer unit to synchronize its time once a day.
5. Select OK.
3. In the Host Name field, type a new host name. The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.
4. Select OK.
analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.
The FortiAnalyzer 100 series and 400 series models do not have the analyzer mode.
Which mode of operation you choose will vary by its appropriateness to your network topology and other requirements. For more information, see The operation mode on page 31.
Table 5: Unavailable features in each operation mode
Mode         Unavailable feature in Web-based Manager
Standalone   N/A
Analyzer     System > Config > Log aggregation
Collector    System > Config; Report; Tools > Network Analyzer
To select the operation mode:
1. Go to System > Dashboard > Status.
2. In the System Information widget, in the Operation Mode row, select Change.
Figure 30: Change operation mode
3. Configure the following settings:
Standalone   The default operation mode.
Analyzer     If you choose this mode, enter the password for the analyzer server and confirm it. Select Accept Real-time Log Forwarding from Collectors to allow collectors to forward logs in real time to the analyzer. Normally, logs are collected and uploaded on schedule, but users may want some critical logs to be sent immediately. After the logs are uploaded on schedule, those that were forwarded in real time become duplicates. You can select Automatically Delete (Reconcile) Real-time Logs During Collector Upload to automatically delete the duplicate logs.
Collector    If you choose this mode, configure the following:
             Remote IP - Enter the IP address of the FortiAnalyzer unit to which this log collector uploads logs.
             Password - Enter the password of the FortiAnalyzer unit to which this log collector uploads logs.
             Upload Daily at - Select the time to upload logs on a daily basis.
             Enable Real-time Forwarding of Priority Logs - Select to upload priority logs in real time, then set the priority level in Minimum Severity.
4. Select OK.
The widget displays the following information:
Vulnerability Management: Indicates whether or not this FortiAnalyzer unit is licensed for FortiGuard Vulnerability Management Service. If it is not, you can select Subscribe to register for the service.
VCM Plugins: The version of the vulnerability compliance management plug-in, and the date of its last update. Select Update to upload a new version of the plug-in. For more information on vulnerability management, see Scheduling & uploading vulnerability management updates on page 149.
A total of the number of each device type connecting or attempting to connect to the FortiAnalyzer unit. For more information about the maximum numbers of devices of each type and/or VDOMs that are permitted to connect to the FortiAnalyzer unit, see Maximum number of devices on page 161 and Maximum Value Matrix on page 322. The Registered column is the number of devices that you have added to the FortiAnalyzer unit's device list, either manually or automatically. The Unregistered column is the number of devices attempting to connect to the FortiAnalyzer unit that are not yet registered. To configure the FortiAnalyzer unit to accept data from a device, see To manually add a device or HA cluster: on page 163. For more information about registered and unregistered devices, see Unregistered vs. registered devices on page 161.
These operations are available only to users with the read and write access profile.
Color indicates whether or not a port has detected a physical connection. If a port's color is gray, there is no connectivity; if a port's color is green, it is connected. Additional system-wide operations, such as formatting the log disk or resetting the configuration to the firmware's default values, are available from the CLI. For details, see the FortiAnalyzer v4.0 MR3 CLI Reference.
Figure 32: Unit operation widget
The widget displays the following information:
Reboot: Select to halt and restart the operating system of the FortiAnalyzer unit.
ShutDown: Select to halt the operating system of the FortiAnalyzer unit, preparing its hardware to be powered off.
The widget displays the following information:
Memory Usage: The current memory (RAM) usage displayed as a dial gauge or graph. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Session: The number of sessions over the specified historical time period. Sessions are the current communications sessions on the FortiAnalyzer unit, which includes devices that connect to send logs or quarantine files. This item does not appear when viewing current (Real Time) system resources.
Network Utilization: The network utilization over the specified historical time period. This item does not appear when viewing current (Real Time) system resources.
CPU Usage: The current CPU usage displayed as a dial gauge or graph. The Web-based Manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
The FortiAnalyzer CPU utilization can appear to be continually high due to the amount of work the FortiAnalyzer is tasked to perform. There are two key CPU-intensive operations on a FortiAnalyzer unit: indexing log messages, and report generation and other enhanced features.
Log indexing: A FortiAnalyzer unit deployed in a network can receive hundreds of log messages per second throughout the day. The FortiAnalyzer unit indexes nearly all fields in a log message to include in the database. This process can be very CPU intensive, as the indexing component is continually running to keep up with the incoming log messages.
Report generation and other enhanced features: The FortiAnalyzer unit has many reporting functions. Various report generations can be running at any time during the day, including security event reports, traffic summary reports, regular reports whose complexity can vary depending on the requirements, quota checking with log rolling, network sniffing, and vulnerability scans. All these tasks can be CPU intensive, especially when several occur at the same time. This can cause the CPU to stay at 90% or more a lot of the time.
It is important to note that the indexing operation is set to the lowest priority, so as not to affect critical processes such as receiving log messages. Because these operations will take all the available CPU cycles, it is normal to expect high CPU utilization at times. On smaller devices, such as the FortiAnalyzer-100C, where the CPU and disk speed are not as fast as on the higher-end models, the CPU usage can appear more pronounced.
To configure settings for the widget, in its title bar, select Edit to open the Edit System Resources Settings window.
Figure 34: Edit system resources settings window
To view only the most current information about system resources, from View Type, select Real Time. To view historical information about system resources, from View Type, select History. To change the time range, from Time Period, select one of the following: Last 10 Minutes, Last Hour, or Last Day. To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0.
The widget displays the following information:
Logs Received: Number of logs received per second.
Data Received: Volume of data received.
To configure settings for the widget, in its title bar, select Edit to open the Edit Logs/Data Received Settings window.
Figure 36: Edit logs/data received settings window
To view only the most current information about system resources, from View Type, select Real Time. To view historical information about system resources, from View Type, select History. To change the time range, from Time Period, select one of the following: Last 10 Minutes, Last Hour, or Last Day. To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0. For information on how much disk space is currently consumed, see Disk monitor widget on page 75.
Statistics widget
The Statistics widget displays the numbers of sessions, volume of log files, and number of reports handled by the FortiAnalyzer unit.
Figure 37: Statistics widget
The widget displays the following information:
(Since yyyy-mm-dd hh:mm:ss): The date and time when the statistics were last reset. To reset the date and time, hover your mouse cursor over the widget's title bar area, then select Reset.
Sessions: The number of communication sessions occurring on the FortiAnalyzer unit, including those with devices that connect to send logs or quarantine files. Select Details for more information on the connections. For more information, see To view session details: on page 72.
Logs & Reports
Logs: The number of new log files received from a number of devices since the statistics were last reset. For more information, see To view log details: on page 73.
Log Volume: The average log file volume received per day over the past seven days. Select Details to view the log file volume received per day. For information on total disk space consumption, see Disk monitor widget on page 75.
Reports: The number of reports generated for a number of devices. Select Details for more information on the reports.
To view session details:
1. Go to System > Dashboard > Status.
2. In the Statistics widget, next to Sessions, select Details.
Figure 38: Statistics widget
When viewing sessions, you can search or filter to find specific content. For more information about filtering information, see Filtering logs on page 181.
The window displays the following information:
Refresh: Select to refresh the page with current, updated session information.
Search: Enter a word or words to find specific information. Press Enter to initiate the search process.
Protocol: The protocol used during that session.
Source: The session's source IP address.
Source Port: The session's source port number.
Destination: The session's destination IP address.
Destination Port: The session's destination port number.
Expires(secs): The number of seconds before the session expires.

To view log details:
1. Go to System > Dashboard > Status.
2. In the Statistics widget, next to Logs, select Details.
The window displays the following information:
Display: Mark the check box of a log file whose messages you want to view, then select this button. Only one log file can be selected each time. For more information about viewing log details, see Viewing log messages on page 175.
Download: Mark the check box of a log file that you want to download, select this button, then select one of the following.
Log file format: Downloads the log file in text (.txt), comma-separated value (.csv), or standard .log (native) file format.
Compress with gzip: Compress the downloaded log file with GZIP compression. Downloading a log-formatted file with GZIP compression results in a download with the file extension .log.gz.
Import: Select to import a device's log files. This can be useful when restoring data or loading log data for temporary use. From the Device field, select the device to which the imported log file belongs, or select Take From Imported File to read the device ID from the log file. If you select Take From Imported File, your log file must contain a device_id field in its log messages. In Filename, select Browse to find the log file. For more information, see Importing a log file on page 192.
Device Type: Select the type of devices whose log files you want to view.
Show Log File Names: Enable to show the log file names under each log type.
Log Files: A list of available log files for each device or device group. Select the group name to expand the list of devices within the group, and to view their log files. The current, or active, log file appears as well as rolled log files. Rolled log files include a number in the file name, such as vlog.1267852112.log. If you configure the FortiAnalyzer unit to delete the original log files after uploading rolled logs to an FTP server, only the current log will exist.
#: Number of log files for each type.
From: The date and time when the FortiAnalyzer unit starts to generate the log file.
To: The date and time when the FortiAnalyzer unit completes generating the log file, when the file reaches its maximum size or the scheduled time. For more information, see Configuring rolling and uploading of devices' logs on page 195.
Size (bytes): The size of the log file.
The RAID Settings icon does not appear on FAZ-100B and FAZ-100C units, because RAID is not supported on these models. Only disk space usage information is displayed on these models.
The widget displays the following information:
RAID Status: Icons and text indicate one of the following RAID disk statuses:
(OK): Indicates that the RAID disk has no problems.
(Warning): Indicates that there is a problem with the RAID disk, such as a failure, and it needs replacing. The RAID disk is also in reduced reliability mode when this status is indicated in the widget.
(Rebuilding): Indicates that a drive has been replaced and the RAID array is being rebuilt; it is also in reduced reliability mode.
(Failure): Indicates that one or more drives have failed, the RAID array is corrupted, and the drive must be reinitialized. This is displayed by both a failure symbol and text. The text appears when you hover your mouse over the warning symbol; the text also indicates the amount of space in GB.
Rebuild Status: A percentage bar indicating the progress of the rebuilding of a RAID array. The bar appears only when a RAID array is being rebuilt.
Estimated rebuild time: The time remaining to rebuild the RAID array, and the date and time [start and end time] the rebuild is expected to end. This time period appears only when an array is being rebuilt. This time period will not display in hardware RAID, such as FAZ-2000, FAZ-2000A, FAZ-2000B, FAZ-4000A, and FAZ-4000B.
Rebuild Warning: Text reminding you that the system has no redundancy protection until the rebuilding process is complete. This text appears only when an array is being rebuilt.
The amount of disk used, displayed as a percentage and a percentage bar. The FortiAnalyzer unit reserves some disk space for compression files, upload files, and temporary report files. The total reserved space is:
25% of total disk space if total < 500G, with a maximum of 100G
20% of total disk space if 500G < total < 1000G, with a maximum of 150G
15% of total disk space if 1000G < total < 3000G, with a maximum of 300G
10% of total disk space if total > 3000G
This reserved space is therefore deducted from the total capacity.
FortiAnalyzer units allocate most of their total disk space for the FortiAnalyzer unit's own logs, as well as logs and quarantined files from connecting devices. Disk space quota is assigned to each device and to the FortiAnalyzer unit itself. If the quota is consumed, the FortiAnalyzer unit will either overwrite the oldest files saved or stop collecting new logs, depending on your settings. For devices' disk space quota settings, see Manually adding a FortiGate unit using the Fortinet Discovery Protocol on page 167. For the FortiAnalyzer unit's local log disk space quota settings, see the FortiAnalyzer v4.0 MR3 CLI Reference. Remaining disk space is reserved for devices, FortiAnalyzer reports, and any temporary files, such as configuration backups and log files that are currently queued for upload to a server. The size of the reserved space varies by the total RAID/hard disk capacity. For more information, see Disk space usage on page 77. For more information about RAID, see Configuring RAID on page 138. For more information on the volume of logs being received, see Logs/data received widget on page 71.
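The reserved-space rule above as a function, with a planning check for per-device disk quotas against the space that remains. This is an added example, not code from the guide or from Fortinet; the tier table transcribes the guide's percentages and caps, while the function names and the quota check are the example's own.

```python
"""Disk Monitor widget reserved-space rule, modelled as a function.

Added example, not code from the FortiAnalyzer guide or from Fortinet.
RESERVE_TIERS transcribes the percentages and caps the guide states; the
function names and the quota-fit check are this example's own additions.
"""

# (upper bound in GB, percent reserved, cap in GB) for each tier.
# The guide's top tier (> 3000G at 10%) states no cap.
RESERVE_TIERS = [
    (500, 25, 100),
    (1000, 20, 150),
    (3000, 15, 300),
]
TOP_TIER_PERCENT = 10


def reserved_space_gb(total_gb):
    """Space the unit sets aside for compression, upload and temporary report files.

    The caps make the rule continuous at 500G, 1000G and 3000G (25% of 500G
    capped at 100G equals 20% of 500G, and so on), so the guide's open
    intervals leave no ambiguity at those exact sizes.
    """
    for upper_bound, percent, cap in RESERVE_TIERS:
        if total_gb < upper_bound:
            return min(total_gb * percent / 100, cap)
    # Above 3000G: flat 10%, no cap stated.
    return total_gb * TOP_TIER_PERCENT / 100


def usable_space_gb(total_gb):
    """Capacity left for device quotas, the unit's own logs and reports."""
    return total_gb - reserved_space_gb(total_gb)


def quotas_fit(total_gb, quotas_gb):
    """Check whether a set of per-device disk quotas fits in the usable space.

    This is an administrator's planning check, not a reproduction of how the
    unit enforces quotas (it overwrites the oldest files or stops collecting
    once a quota is consumed, as the guide describes).
    """
    return sum(quotas_gb) <= usable_space_gb(total_gb)


def reserve_table(sizes_gb):
    """Rows of (total, reserved, usable) for a list of capacities in GB."""
    return [(s, reserved_space_gb(s), usable_space_gb(s)) for s in sizes_gb]


if __name__ == "__main__":
    for total, reserved, usable in reserve_table([250, 480, 750, 2000, 4000]):
        print(f"{total:>6} GB total: {reserved:>7.1f} GB reserved, "
              f"{usable:>7.1f} GB usable")
```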
To replace a hard disk:
Electrostatic discharge (ESD) can damage FortiAnalyzer equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist or ankle strap and attaching it to an ESD connector or to a metal part of a FortiAnalyzer chassis.
When replacing a hard disk, you need to first verify that the new disk has the same size as those supplied by Fortinet and has at least the same capacity as the old one in the FortiAnalyzer unit. Installing a smaller hard disk will affect the RAID setup and may cause data loss. Due to possible differences in sector layout between disks, the only way to guarantee that two disks have the same size is to use the same brand and model. The size provided by the hard drive manufacturer for a given disk model is only an approximation. The exact size is determined by the number of sectors present on the disk.
1. Go to System > Dashboard > Status.
2. In the Unit Operation widget, select Shutdown.
3. Select OK.
4. Remove the faulty hard disk and replace it with a new one.
5. Restart the FortiAnalyzer unit. The FortiAnalyzer unit will automatically add the new disk to the current RAID array. The status appears on the console. After the FortiAnalyzer unit boots, the widget will display a green check mark icon for all disks and the RAID Status area will display the progress of the RAID resynchronization/rebuild.
Once a RAID array is built, adding another disk with the same capacity will not affect the array size until you rebuild the array by restarting the FortiAnalyzer unit.
Fortinet recommends that you use the same disks as those supplied by Fortinet. Disks of other brands will not be supported by Fortinet. For information on purchasing extra hard disks, contact your Fortinet reseller.
To add more hard disks:
1. Obtain the same disks as those supplied by Fortinet.
2. Back up the log data on the FortiAnalyzer 2000B/4000B unit. You can also migrate the data to another FortiAnalyzer unit if you have one. Data migration reduces system down time and risk of data loss. For information on data backup, see Backing up the configuration and installing firmware on page 147. For information on data migration, see Migrating data from one FortiAnalyzer unit to another on page 152.
3. Install the disks in the FortiAnalyzer unit. You can do so while the FortiAnalyzer unit is running.
4. Configure the RAID level. See Configuring RAID on page 138.
5. If you have backed up the log data, restore the data. For more information, see Backing up the configuration and installing firmware on page 147.
To configure settings for the widget, in its title bar, select Edit.
Figure 45: Editing log receive monitor settings
Configure the following settings:
Widget Name: The current widget name.
Type: Select either:
Log Type: Display the type of logs that are received from all registered devices and separate them into categories, such as top 5 traffic logs or antivirus logs.
Device: Display the logs received by each registered device and separate the devices into the top number of devices.
No. Entries: Select the number of either log types or devices in the widget's graph, depending on your selection in the Type field.
Time Period: Select one of the following time ranges over which to monitor the rate at which log messages are received: Hour, Day, or Week.
Refresh Interval: To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0.
Alert messages can also be delivered by email, syslog or SNMP. For more information, see Configuring alerts on page 122.
The widget displays only the most current alerts. For a complete list of unacknowledged alert messages, in the widget's title bar, select More alerts. To sort the columns in either ascending or descending order, select the column headings.
Figure 47: List of all alert messages
The following information is displayed:
Acknowledge: Mark the check boxes of alert messages that you want to remove from the list of alerts, then select Acknowledge.
Include...and higher: Select a severity threshold. Log messages equal to or greater than that severity will appear in the list of alerts.
Remove unacknowledged alerts older than [n days]: Select a number of days to remove the alert messages older than that number of days.
formatted | raw: Select either:
formatted: Display the alert messages in columnar format.
raw: Display the information without formatting, as it actually appears in the log messages.
The device where the log message originated.
The Message (msg=) field of the log message, which usually contains a description of the event.
The severity level of the log message.
The date and time when the log message was generated. To sort in ascending or descending order, select the arrow in the column heading.
Counter: The number of occurrences of the event.
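A model of the alert list's controls (the Include...and higher threshold, the remove-older-than setting, the formatted and raw views, and the Counter column), added here as an example rather than code from the guide or from Fortinet. The key=value line layout, the severity order and the sample alert lines are assumptions made for the example.

```python
"""Alert message list filtering, modelled on the widget controls above.

Added example, not code from the FortiAnalyzer guide or from Fortinet. The
raw line layout (key=value fields with date, time, devname, level and msg),
the severity order and the sample messages are this example's assumptions.
"""
import shlex
from datetime import datetime, timedelta

# Assumed severity order, most severe first. "Include ... and higher" keeps
# alerts whose level is at or above the chosen threshold.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notice", "information", "debug"]
RANK = {level: i for i, level in enumerate(SEVERITY_ORDER)}

# Constructed sample of raw alert messages (not real device output).
SAMPLE_RAW = [
    'date=2013-02-27 time=09:15:02 devname=FG-branch level=critical msg="RAID disk failure detected"',
    'date=2013-02-27 time=09:15:40 devname=FG-branch level=critical msg="RAID disk failure detected"',
    'date=2013-02-28 time=11:02:13 devname=FG-hq level=warning msg="Disk quota at 90%"',
    'date=2013-03-01 time=02:30:00 devname=FG-hq level=notice msg="Scheduled report completed"',
    'date=2013-01-20 time=08:00:00 devname=FG-lab level=error msg="Log upload to FTP failed"',
]
# Constructed reference time used as "now" when judging alert age.
SAMPLE_NOW = datetime(2013, 3, 1, 12, 0, 0)


def parse_alert(line):
    """Turn one raw key=value record into a dict; shlex keeps the quoted msg= text whole."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    fields["timestamp"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    fields["raw"] = line
    return fields


def include_and_higher(alerts, threshold):
    """Apply the severity threshold: keep levels equal to or more severe than threshold."""
    return [a for a in alerts if RANK[a["level"]] <= RANK[threshold]]


def remove_older_than(alerts, days, now):
    """Drop unacknowledged alerts older than the given number of days."""
    cutoff = now - timedelta(days=days)
    return [a for a in alerts if a["timestamp"] >= cutoff]


def formatted_rows(alerts):
    """Columnar view: one row per distinct event, with a Counter of occurrences.

    Rows are keyed by device, severity and message; the date shown is the most
    recent occurrence (an assumption, since the guide does not say which).
    """
    rows = {}
    for a in alerts:
        key = (a["devname"], a["level"], a["msg"])
        row = rows.setdefault(key, {"device": a["devname"], "severity": a["level"],
                                    "message": a["msg"], "date": a["timestamp"],
                                    "counter": 0})
        row["counter"] += 1
        row["date"] = max(row["date"], a["timestamp"])
    return list(rows.values())


def alert_console(raw_lines, threshold, max_age_days, now=SAMPLE_NOW, style="formatted"):
    """Filter raw lines as the widget would, then render 'formatted' rows or 'raw' lines."""
    alerts = [parse_alert(line) for line in raw_lines]
    alerts = remove_older_than(include_and_higher(alerts, threshold), max_age_days, now)
    if style == "raw":
        return [a["raw"] for a in alerts]
    return formatted_rows(alerts)


if __name__ == "__main__":
    for row in alert_console(SAMPLE_RAW, "warning", 30):
        print(row)
```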
The CLI Console widget requires that your web browser support JavaScript.
To use the console, first select within the console area. Doing so will automatically log you in using the same administrator account you used to access the Web-based Manager. You can then enter commands by typing them. Alternatively, you can copy and paste commands from or into the CLI Console.
The prompt, by default the model number such as FortiAnalyzer-800B #, contains the host name of the FortiAnalyzer unit. To change the host name, see Configuring the FortiAnalyzer unit's host name on page 65.
For information on available commands, see the FortiAnalyzer v4.0 MR3 CLI Reference.
To configure settings for the widget, in its title bar, select Console Preferences.
Figure 49: CLI console widget settings
Configure the following settings:
Preview: A preview of your changes to the CLI Console widget's appearance.
Text: Select the current color swatch to the left of this label, then select a color from the color palette to the right to change the color of the text in the CLI Console.
Background: Select the current color swatch to the left of this label, then select a color from the color palette to the right to change the color of the background in the CLI Console.
Enable to display a command input field below the normal console emulation area. When this option is enabled, you can enter commands by typing them into either the console emulation area or the external command input field.
Enter the number of lines the console buffer keeps in memory. The valid range is from 20 to 9999.
Select a font type from the list. There are only three font types to choose from: Lucida Console, Courier New, and the default font.
Select a font from the list to change the display font of the CLI Console.
Select the size in points of the font. The default size is 10 points.
To expand details for one of the widget's items, select its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item's results by which devices recorded those log messages. To further subcategorize one of the devices' results by protocol, you could then select its + button and select Service. The resulting widget display would then reflect traffic volume for each service on that one device, from that source IP address. To collapse details and return to higher-level items, select a parent item's X button. To configure settings for the widget, in its title bar, select Edit.
Figure 51: Top traffic widget settings
Configure the following settings:
Widget Name: Type a name for the widget. It will appear in the widget's title bar.
Device: Select the name of either a device or device group for which you want to display traffic volumes.
Display by: Select which attribute to use in order to rank the top results:
Top Sources (to any): Rank results according to the total volume for each source IP address.
Top Destinations (from any): Rank results according to the total volume for each destination IP address.
Filter Port: Select whether to include TCP or UDP protocols, then type the port number. The valid range is from 1 to 65,535.
Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.
No. Entries: Select the number of entries to display.
To expand details for one of the widget's items, select its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item's results by which devices recorded those log messages. To further subcategorize one of the devices' results by protocol, you could then select its + button, then select Service. The resulting widget display would then reflect web traffic volume for each service on that one device, from that source IP address. To collapse details and return to higher-level items, select a parent item's X button. To configure settings for the widget, in its title bar, select Edit.
Configure the following settings:
Widget Name: Type a name for the widget. It will appear in the widget's title bar.
Device: Select the name of either a device or device group for which you want to display traffic volumes.
Display by: Select which attribute to use in order to rank the top results:
Top Sources (to any): Rank results according to the total volume for each source IP address.
Top Destinations (from any): Rank results according to the total volume for each destination IP address.
Filter Source IP Address or User: Type the traffic's source IP address or user name.
Filter Destination IP Address: Type the traffic's destination IP address.
By Volume: Select to gather the information for this widget from the traffic logs.
By Requests: Select to gather the information for this widget from the Web Filter logs.
Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.
No. Entries: Select the number of entries to display.
To expand details for one of the widget's items, select its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item's results by which devices recorded those log messages. To further subcategorize one of the devices' results by protocol, you could then select its + button, then select Service. The resulting widget display would then reflect email traffic volume for each service on that one device, from that source IP address. To collapse details and return to higher-level items, select a parent item's X button. To configure settings for the widget, in its title bar, select Edit.
Figure 55: Top email traffic widget settings
Configure the following settings:
Widget Name: Type a name for the widget. It will appear in the widget's title bar.
Device: Select the name of either a device or device group for which you want to display traffic volumes.
Display by: Select which attribute to use in order to rank the top results:
Top Sources (to any): Rank results according to the total volume for each source IP address.
Top Destinations (from any): Rank results according to the total volume for each destination IP address.
Select a protocol to filter by email protocol.
Enter the email server IP address for filtering the information.
Select to gather the total amount of email traffic for this widget from the traffic logs.
By Requests: Select to gather the total amount of email traffic for this widget from the content logs.
Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.
No. Entries: Select the number of entries to display.
To expand details for one of the widget's items, select its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item's results by which devices recorded those log messages. To further subcategorize one of the devices' results by protocol, you could then select its + button, then select Service. The resulting widget display would then reflect FTP traffic volume for each service on that one device, from that source IP address. To collapse details and return to higher-level items, select a parent item's X button. To configure settings for the widget, in its title bar, select Edit.
Configure the following settings:
Widget Name: Type a name for the widget. It will appear in the widget's title bar.
Device: Select the name of either a device or device group for which you want to display traffic volumes.
Display by: Select which attribute to use in order to rank the top results:
Top Sources (to any): Rank results according to the total volume for each source IP address.
Top Destinations (from any): Rank results according to the total volume for each destination IP address.
Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.
No. Entries: Select the number of entries to display.
To expand details for one of the widget's items, select its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item's results by which devices recorded those log messages. To further subcategorize one of the devices' results by protocol, you could then select its + button, then select Service. The resulting widget display would then reflect IM/P2P traffic volume for each service on that one device, from that source IP address. To collapse details and return to higher-level items, select a parent item's X button. To configure settings for the widget, in its title bar, select Edit.
Figure 59: Top IM/P2P traffic widget settings
Configure the following settings:
Widget Name: Type a name for the widget. It will appear in the widget's title bar.
Type: Select either instant messaging (IM) or peer-to-peer (P2P) traffic.
Device: Select the name of either a device or device group for which you want to display traffic volumes.
Display by: Select which attribute to use in order to rank the top results:
Top Sources (to any): Rank results according to the total volume for each source IP address.
Top Destinations (from any): Rank results according to the total volume for each destination IP address.
Protocol: Select a protocol for filtering the traffic. If you select All, all of the protocols will be included.
Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.
No. Entries: Select the number of entries to display.
To expand details for one of the widget's items, select its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item's results by which devices recorded those log messages. To further subcategorize one of the devices' results by protocol, you could then select its + button, then select Service. The resulting widget display would then reflect detected viruses for each service on that one device, from that source IP address. To collapse details and return to higher-level items, select a parent item's X button. To configure settings for the widget, in its title bar, select Edit.
Figure 61: Virus activity widget settings
Configure the following settings:
Widget Name: Type a name for the widget. It will appear in the widget's title bar.
Device: Select the name of either a device or device group for which you want to display traffic volumes.
Display by: Select which attribute to use in order to rank the top results:
Time Period: Rank results according to the total number of incidents for each 24-hour time period, from 00:00:00 to 23:59:59.
Top Viruses: Rank results according to the total number of incidents for each virus.
Top Sources (to any): Rank results according to the total number of incidents for each source IP address.
Top Destinations (from any): Rank results according to the total number of incidents for each destination IP address.
Protocol breakdown for virus incidents: Rank results according to the total number of incidents for each protocol.
Select one of the following time ranges: Hour, Day, Week, or Month.
Select the number of entries to display.
To expand details for one of the widget's items, select its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item's results by which devices recorded those log messages. To further subcategorize one of the devices' results by protocol, you could then select its + button, then select Service. The resulting widget display would then reflect detected intrusion attempts for each service on that one device, from that source IP address. To collapse details and return to higher-level items, select a parent item's X button. To configure settings for the widget, in its title bar, select Edit.
Configure the following settings:
Widget Name: Type a name for the widget. It will appear in the widget's title bar.
Device: Select the name of either a device or device group for which you want to display traffic volumes.
Display by: Select which attribute to use in order to rank the top results:
Time Period: Rank results according to the total number of incidents for each 24-hour time period, from 00:00:00 to 23:59:59.
Top Intrusions: Rank results according to the total number of incidents for each virus.
Top Sources (to any): Rank results according to the total number of incidents for each source IP address.
Top Destinations (from any): Rank results according to the total number of incidents for each destination IP address.
Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.
No. Entries: Select the number of entries to display.
each network interface separately, with its own IP address, netmask, and accepted administrative access protocols.
You can restrict which IP addresses are permitted to log in as a FortiAnalyzer administrator through the network interfaces. For details, see Configuring administrator accounts on page 108.
Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiAnalyzer unit. Unlike other administrative protocols, SNMP access is not configured individually for each network interface. Instead, see Configuring the SNMP agent on page 127.
Figure 64: Interface list window
This window displays the following information:
Bring Up: Mark the check box of the network interface that you want to enable, then select Bring Up. The new status appears in Status.
Bring Down: Mark the check box of the network interface that you want to disable, then select Bring Down. The new status appears in Status.
Name: The name of the network interface, usually directly associated with one physical link as indicated by its name, such as port1.
IP/Netmask: The IP address and netmask of the network interface, separated by a slash ( / ).
Access: The administrative access services that are enabled on the network interface, such as HTTPS for the Web-based Manager.
FDP: Indicates whether Fortinet Discovery Protocol (FDP) is enabled. When FDP is enabled for an interface, a green check appears. For more information about FDP, see About Fortinet Discovery Protocol on page 96 and Manually adding a FortiGate unit using the Fortinet Discovery Protocol on page 167.
Status: Indicates the up (available) or down (unavailable) administrative status of the network interface. Green up arrow: The network interface is up and permitted to receive or transmit traffic. Red down arrow: The network interface is down and not permitted to receive or transmit traffic.
To edit a network interface:
1. Go to System > Network > Interface.
2. Mark the check box next to the interface whose settings you want to modify, then select Edit.
Figure 65: Network interfaces
3. Configure the following settings:
Interface Name: The name (such as port2) and media access control (MAC) address of this network interface.
Fortinet Discovery Protocol: Select Enabled to respond to Fortinet Discovery Protocol (FDP) on this interface, allowing FortiGate devices to find the FortiAnalyzer unit automatically. For more information about FDP, see About Fortinet Discovery Protocol on page 96 and Manually adding a FortiGate unit using the Fortinet Discovery Protocol on page 167.
IP/Netmask: Enter the IP address/subnet mask. The IP address must be on the same subnet as the network to which the interface connects.
Administrative Access: Enable the types of administrative access that you want to permit on this interface.
HTTPS: Enable to allow secure HTTPS connections to the web-based manager through this network interface. For information on configuring the port number on which the FortiAnalyzer listens for these connections, see Configuring the Web-based Manager's global settings on page 117.
PING: Enable to allow ICMP ping responses from this network interface.
HTTP: Enable to allow HTTP connections to the web-based manager through this network interface. For information on configuring the port number on which the FortiAnalyzer listens for these connections, see Configuring the Web-based Manager's global settings on page 117. Caution: HTTP connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiAnalyzer unit.
SSH: Enable to allow SSH connections to the CLI through this network interface.
TELNET: Enable to allow Telnet connections to the CLI through this network interface. Caution: Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiAnalyzer unit.
AGGREGATOR: Enable to allow sending and receiving log aggregation transmissions. For more information about aggregation, see Configuring log aggregation on page 133.
WEBSERVICES: Enable to allow web service (SOAP) connections. FortiManager units require web service connections for remote management of FortiAnalyzer units. If this option is not enabled, the FortiManager unit cannot install a configuration on the FortiAnalyzer unit. For more information, see Configuring and using FortiAnalyzer web services on page 96. Web services can also be used by third-party tools to access logs and reports stored on the FortiAnalyzer unit. For more information about web services, see the FortiAnalyzer v4.0 MR3 CLI Reference.
MTU: Enable Override default MTU value (1500) to change the maximum transmission unit (MTU) value, then enter the maximum packet size in bytes. To improve network performance, adjust the MTU so that it equals the smallest MTU of all devices between this interface and the traffic's final destinations. If the MTU is larger than other devices' MTU, the devices through which the traffic travels must spend time and processing resources to break apart large packets to meet their smaller MTU, which slows down transmission. The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes.
4. Select OK. If you were connected to the Web-based Manager through this network interface, you are now disconnected from it.
5. To access the Web-based Manager again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 172.16.1.20, you would browse to https://172.16.1.20. If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiAnalyzer unit, you may also need to modify the IP address and subnet of your computer to match the FortiAnalyzer unit's new IP address.
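The interface settings above are the usual place where cleartext management protocols are left enabled by accident. The following script is an added example written for this page (it is not part of FortiAnalyzer or this guide) that reads the `config system interface` stanza format used in Fortinet CLI configuration backups and reports every interface that has HTTP or Telnet enabled, or that allows any administrative access from a subnet outside the trusted management networks you pass in. The configuration text is constructed for the example, and the exact `allowaccess` keyword spellings (`https`, `ssh`, `http`, `telnet`, `webservice`, `aggregator`) are assumed rather than taken from this page.

```python
import ipaddress
import re

# Constructed sample in the Fortinet CLI backup format. Interface names, addresses and
# allowaccess keywords are assumptions made for this example.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 10.10.0.20 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set ip 203.0.113.5 255.255.255.248
        set allowaccess ping https http telnet webservice
    next
    edit "port3"
        set ip 192.168.50.2 255.255.255.0
        set allowaccess ping
    next
    edit "port4"
        set ip 172.16.1.20 255.255.255.0
        set allowaccess https ssh telnet
    next
end
"""

# Cleartext administrative protocols the guide says to avoid.
INSECURE = {"http", "telnet"}
# Anything here is administrative access; ping alone is only reachability.
ADMIN_SERVICES = {"https", "http", "ssh", "telnet", "webservice", "aggregator"}


def parse_interfaces(text):
    """Return {name: {"ip": IPv4Interface or None, "access": set}} from a config system interface block."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            result[current] = {"ip": None, "access": set()}
            continue
        if current is None:
            continue
        m = re.match(r"set ip (\S+) (\S+)", line)
        if m:
            # ip_interface accepts the dotted "address/netmask" form the CLI uses.
            result[current]["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"set allowaccess (.+)", line)
        if m:
            result[current]["access"] = set(m.group(1).split())
        elif line == "next":
            current = None
    return result


def audit(text, trusted_nets):
    """Return a sorted list of (interface, finding) tuples for settings that violate the guidance."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for name, iface in parse_interfaces(text).items():
        admin = iface["access"] & ADMIN_SERVICES
        if not admin:
            continue  # ping-only interfaces expose no management surface
        for proto in sorted(admin & INSECURE):
            findings.append((name, f"cleartext admin protocol enabled: {proto}"))
        net = iface["ip"].network if iface["ip"] else None
        if net is None or not any(net.subnet_of(t) for t in trusted):
            findings.append((name, "admin access on interface outside trusted management networks"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG, ["10.10.0.0/16"]):
        print(f"{iface}: {finding}")
```

Run against a real backup, the trusted network list should be the management subnets only; an interface that passes this check but still needs HTTP for a legacy client should at least be moved onto one of them.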
Due to design changes, FortiManager v4.0 MR3 or later cannot manage FortiAnalyzer units.
In addition to enabling web services, you must also register the devices with each other. When registering the FortiAnalyzer with the FortiManager unit, to guarantee full access to the FortiAnalyzer unit's entire configuration, you must provide the login for the FortiAnalyzer unit's admin administrator account. When registering the FortiManager with the FortiAnalyzer unit's device list, you must set connection permissions to allow remote management. Web services can also be used by third-party tools to access logs and reports stored on the FortiAnalyzer unit. For more information, see the FortiAnalyzer v4.0 MR3 CLI Reference. Web services are automatically encrypted with SSL (HTTPS). For information on the certificate used to do so, see Importing a local server certificate on page 156.
To configure web services:
1. On the FortiAnalyzer unit, log in as admin.
2. Go to System > Network > Interface.
3. Mark the check box of the network interface which will accept web services connections, then select Edit.
4. In the Administrative Access area, enable WEBSERVICES.
System Page 96 FortiAnalyzer v4.3.6 Administration Guide
If it is not already enabled, also enable HTTPS.
5. Select OK.
6. Go to System > Admin > Administrator.
7. Mark the check box of the admin administrator account, then select Edit.
8. In Trusted Host, include the FortiManager unit's IP address. For additional security, restrict the Trusted Host entry to include only the FortiManager unit's IP address (that is, a subnet mask of 255.255.255.255) and your computer's IP address.
9. Select OK.
10. Go to Devices > All Devices > Allowed.
Figure 68: Allowed devices window
11. If the FortiManager unit appears as an unregistered device, mark its check box, then select Register to complete the device registration. If the FortiManager unit does not appear in the device list, select Create New to add the device registration.
12. Select OK.
13. Register the FortiAnalyzer unit with the FortiManager unit's device list. For details, see the FortiManager v4.0 MR3 Administration Guide.
To obtain the WSDL file:
Download the WSDL file directly from the following URL:
https://<FortiAnalyzer_ip_address>:8080/FortiAnalyzerWS?wsdl
The following is a section of the WSDL file (omitted portions are marked with <!-- ... -->):
<definitions name="FortiAnalyzerWS" targetNamespace="http://localhost:8080/FortiAnalyzerWS.wsdl">
  <types>
    <schema targetNamespace="urn:FortiAnalyzerWS" elementFormDefault="qualified" attributeFormDefault="qualified">
      <import namespace="http://schemas.xmlsoap.org/soap/encoding/"/>
      <element name="FortiRequestEl" type="ns:FortiRequest"/>
      <element name="FortiResponseEl" type="ns:FortiResponse"/>
      <!-- enumerations -->
      <simpleType name="SearchContent">
        <restriction base="xsd:string">
          <enumeration value="Logs"/>
          <enumeration value="ContentLogs"/>
          <enumeration value="LocalLogs"/>
        </restriction>
      </simpleType>
      <simpleType name="ReportType">
        <restriction base="xsd:string">
          <enumeration value="FortiGate"/>
          <enumeration value="FortiClient"/>
          <enumeration value="FortiMail"/>
        </restriction>
      </simpleType>
      <!-- ... -->
    </schema>
  </types>
  <!-- ... -->
  <service name="FortiAnalyzerWS">
    <documentation>gSOAP 2.7.7 generated service definition</documentation>
    <port name="FortiAnalyzerWS" binding="tns:FortiAnalyzerWS">
      <SOAP:address location="https://localhost:8080/FortiAnalyzerWS"/>
    </port>
  </service>
</definitions>
Configuring DNS
System > Network > DNS enables you to configure the FortiAnalyzer unit with the IP addresses of the domain name system (DNS) servers that the FortiAnalyzer unit will query to resolve domain names such as www.example.com into IP addresses.
Figure 69: DNS configuration
FortiAnalyzer units require connectivity to DNS servers for DNS lookups. Your Internet service provider (ISP) may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.
For improved performance, use DNS servers on your local network. Features such as NFS shares can be impacted by poor DNS connectivity.
This window displays the following information:
Move: Select to change the route's order in the route list.
Insert: Select to add a route before the selected one in the list.
Destination IP/Netmask: Displays the destination IP address and netmask of the packets that this route applies to.
Gateway: Displays the IP address of the router to which the FortiAnalyzer unit forwards packets matching this route.
Interface: Displays the name of the FortiAnalyzer interface through which packets matching this route are sent.
To add a static route:
1. Go to System > Network > Routing.
2. Select Create New. The new routing entry window opens.
Figure 71: New routing entry window
3. Configure the following settings:
Destination IP/Mask: Enter the destination IP address and network mask of the packets that this route applies to.
Gateway: Enter the IP address of the gateway to which the FortiAnalyzer unit will forward those packets.
Interface: Select the port through which those packets are sent.
Before a user can access files on the FortiAnalyzer network share:
- network share user accounts and groups must be created (for Windows share only)
- network sharing (Windows or NFS) must be enabled
- the share folder and its file permissions (user access) must be set
This window displays the following information:
Create New: Select to create a Windows network share user. See To add a user account: on page 101.
Edit: Change a selected user's current settings.
Delete: Remove a selected user's account.
Username: The name of the user.
UID: The user's identification. This is useful for NFS shares only.
Description: A comment about the user account.
To add a user account:
1. Go to System > Network Sharing > User.
2. Select Create New.
3. Enter the appropriate information for the network share user account and select OK.
4. Configure the following settings:
Username: Enter a user name. The name cannot include spaces.
UID (NFS only): Leave this field empty for Windows share users; it is used for NFS shares only. The NFS protocol uses the UID to determine the permissions on files and folders.
Password: Enter a password for the user.
Description: Enter a description of the user. For example, you might enter the user's name or a position such as IT Manager.
This window displays the following information:
Group: The name of the group. For example, Finance. The name cannot include spaces.
GID: The group ID. This is useful for NFS shares only.
Members: The users that are members of that group.
To add a user group:
1. Go to System > Network Sharing > Group.
2. Select Create New. The group configuration window opens.
Figure 75: Group configuration window
3. Configure the following settings:
Group: Enter the name of the group.
GID (NFS only): Leave this field empty for Windows share groups; it is used for NFS shares only. The GID is the numerical unique identification for a group. The NFS protocol uses the GID to determine the permissions on files and folders.
Available Users: The available users that you can add to the group. Select a user and then select the right arrow to move that user to the Members area.
Members: The users that are included in the group. If you do not want a user included as a member, select the user and then select the left arrow to move that user back to the Available Users area.
This window displays the following information:
Enable Windows Network Sharing: Select the check box to enable Windows network sharing.
Workgroup: Enter the name of the work group and then select Apply.
Local Path: The shared file or folder path.
Share as: The share name.
Read Only User: A list of users or groups that have read-only access to the folder or files.
Read Write User: A list of users or groups that have read-write access to the folder or files.
To configure a Windows share: 1. Go to System > Network Sharing > Windows Share. 2. Select Create New. The Windows share configuration window opens.
3. Configure the following settings:
Local Path: Type a folder directory, such as /Storage/Mail, or select the local path icon to choose a folder to share on the FortiAnalyzer hard disk. If you type a directory, you must start with /Storage. The default permission for files and folders is read and execute privileges; the owner of the document also has write privileges. You must select the write permission for the folder, the user and the group to enable write permissions. For more information, see Default file permissions on NFS shares on page 108.
Share Name: The name of the share configuration.
Available Users & Groups: The list of users and groups that are available for Windows network shares. For information on adding users and groups, see Configuring share users on page 101. Select a user or group and then select the right arrow that points to the permission list that you want it to be under, either Read-Only Access or Read-Write Access.
Read-Only Access: Users or groups that can read but not modify the shared files. To remove a user or group from either access list, select it and then select the left arrow to move it back to the Available Users & Groups list.
Read-Write Access: Users or groups that have permission to modify the shared files. To remove a user or group from either access list, select it and then select the left arrow to move it back to the Available Users & Groups list.
This window displays the following information:
Enable NFS Exports: Select the check box beside Enable NFS Exports and then select Apply to enable NFS shares.
Local Path: The path the client has permission to connect to.
Remote Clients: A list of clients (hosts) that have access to the folder or files.
Read Only User: A list of clients that have read-only access to the folder or files.
Read Write User: A list of clients that have read-write access to the folder or files.
To add a new NFS share configuration:
1. Configure DNS and a default route. For information, see Configuring network settings on page 92. NFS exports are file system-level mounts; bad DNS or routing connectivity can cause very slow access or hangs when trying to write a file using NFS.
2. Go to System > Network Sharing > NFS Export.
3. Select Enable NFS Exports and select Apply.
4. Select Create New.
5. Configure the following settings:
Local Path: Type a folder directory, such as /Storage/Mail, or select the local path icon to choose a folder to share on the FortiAnalyzer hard disk. If you type a directory, you must start with /Storage. The default permissions for files and folders are read and execute privileges; the owner of the document also has write privileges. You must select the write permission for the folder and for the user and the group to enable write access for users and groups. For more information, see Default file permissions on NFS shares on page 108.
Remote Client (Host, subnet, FQDN): Enter the IP address, subnet or domain name of an NFS client, such as a FortiMail unit configured for NFS storage. This client can access the NFS share folder.
Permissions: Select the type of permissions. The type of permission selected determines which list the NFS client will be put in. Read Only: clients connecting to the share can list and read files. Read Write: clients connecting to the share can list, read, create, modify, and delete files.
Add: Select to add the NFS client to either the Read-Only Access list or the Read-Write Access list, depending on the permission selected.
Delete: Select the check box beside the NFS client in either the Read-Only Access list or the Read-Write Access list, and then select Delete to remove it.
Read-Only Access: The list of remote clients that have read-only access.
Read-Write Access: The list of remote clients that have both read and write access.
6. Select OK.
7. Configure the NFS client to connect to the FortiAnalyzer unit and mount the share.
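Access to an NFS export is decided in two layers, both described above: the export's Remote Client lists (a host, a subnet or an FQDN, in a Read-Only or Read-Write list) and the Unix mode bits on the files under /Storage, which default to read and execute for everyone with write for the owner only (rwxr-xr-x), evaluated against the UID and GIDs the NFS client supplies. The following model is an added example written for this page, not code from FortiAnalyzer or this guide. The export definition, the folder ownership and the client addresses are constructed; the mode-bit evaluation is the standard Unix rule, which is what makes "you must select the write permission for the folder, the user and the group" necessary before anyone other than the owner can write.

```python
import ipaddress

# Default mode the guide describes for files and folders under /Storage:
# read + execute for owner, group and others, write for the owner only.
DEFAULT_MODE = 0o755


def client_matches(spec, client_ip, client_fqdn=None):
    """Match one Remote Client entry: a host address, a subnet (CIDR or ip/mask) or an FQDN."""
    if client_fqdn and spec.lower() == client_fqdn.lower():
        return True
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # an FQDN entry that did not match above
    return ipaddress.ip_address(client_ip) in net


def export_access(export, client_ip, client_fqdn=None):
    """Return 'rw', 'ro' or None for a client against one NFS export definition."""
    if not export.get("enabled", True):
        return None
    if any(client_matches(s, client_ip, client_fqdn) for s in export["read_write"]):
        return "rw"
    if any(client_matches(s, client_ip, client_fqdn) for s in export["read_only"]):
        return "ro"
    return None


def mode_bits(mode, owner_uid, owner_gid, uid, gids):
    """Apply Unix mode bits as an NFS server does, trusting the UID/GIDs the client asserts."""
    if uid == owner_uid:
        shift = 6          # owner triplet
    elif owner_gid in gids:
        shift = 3          # group triplet
    else:
        shift = 0          # others
    bits = (mode >> shift) & 0o7
    return {"read": bool(bits & 4), "write": bool(bits & 2), "execute": bool(bits & 1)}


def effective_access(export, client_ip, client_fqdn, file_entry, uid, gids):
    """Combine the export-level permission with the file mode; a read-only export masks every write."""
    level = export_access(export, client_ip, client_fqdn)
    if level is None:
        return {"read": False, "write": False, "execute": False}
    perms = mode_bits(file_entry["mode"], file_entry["uid"], file_entry["gid"], uid, gids)
    if level == "ro":
        perms["write"] = False
    return perms


# Constructed export, mirroring the fields of the NFS Export window.
EXPORT = {
    "enabled": True,
    "local_path": "/Storage/Mail",
    "read_write": ["192.0.2.10", "fortimail.example.com"],
    "read_only": ["192.0.2.0/24"],
}
# A folder created through the share with the default mode, owned by share user UID 1001 / GID 1001 (assumed).
FOLDER = {"mode": DEFAULT_MODE, "uid": 1001, "gid": 1001}

if __name__ == "__main__":
    print(effective_access(EXPORT, "192.0.2.10", None, FOLDER, 1002, [1001]))  # group member: no write
```

The second case in the test below is the one that surprises people: a client that is in the Read-Write list still cannot write as a group member until the folder mode grants the group write permission, which is the point of the Default file permissions note on page 108.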
The following information is available:
Change Password: Change the account password. For more information, see Changing an administrator's password on page 111.
Update Column Settings: Define log columns for an administrator account. You can revert the column settings to the system default if they have been customized, or copy the settings from another administrator account. For information about configuring column settings, see Displaying and arranging log columns on page 180.
Name: The assigned name for the administrator.
Trusted Hosts: The IP address and netmask of acceptable locations for the administrator to log in to the FortiAnalyzer unit. If you want the administrator to have access to the FortiAnalyzer unit from any address, use the IP address and netmask 0.0.0.0/0.0.0.0. To limit the administrator to only access the FortiAnalyzer unit from a specific network or host, enter that network's IP and netmask.
Profile: The access profile assigned to the administrator. For more information, see Configuring access profiles on page 111.
Type: Either Local, for a configured administrator on the FortiAnalyzer unit, or Remote Auth if you are using a RADIUS or TACACS+ server on your network.
To add an administrator account:
1. Go to System > Admin > Administrator.
2. Select Create New. The new administrator window opens.
Figure 81: New administrator window
3. Configure the following settings:
Administrator: Enter the administrator name. You can add the @ symbol in the name. For example, admin_1@headquarters could identify an administrator that will access the FortiAnalyzer unit from the headquarters office of their organization. The @ symbol is also useful to those administrators who require RADIUS authentication. You can also configure an administrator account for remote authentication and associate an authentication group as well.
Remote Auth: Select if you are authenticating a specific account on a RADIUS or TACACS+ server.
Wild Card: This option appears only if Remote Auth is enabled. Select if you do not want to set a password for the account on a RADIUS or TACACS+ server.
Auth Group: This option appears only if Remote Auth is enabled. Select which RADIUS server group to use when authenticating this administrator account. You need to create an authentication group first so that you can select it from the list. For more information about creating an authentication group, see Configuring authentication groups on page 113.
Backup Password: This option appears only if Remote Auth is enabled and Wild Card is not selected. Optionally, enter a password for the account on a RADIUS or TACACS+ server.
Password: Enter a password for the administrator account. For security reasons, a password should be a mixture of letters and numbers and longer than six characters. If a user attempts to log in and mistypes the password three times, the user is locked out of the system from that IP address for a short period of time. This option does not appear if you select Wild Card, nor when editing the account.
Confirm Password: Re-enter the password for the administrator account to confirm its spelling. This option does not appear if you select Wild Card, nor when editing the account.
Trusted Host: Enter the IP address and netmask of acceptable locations for the administrator to log in to the FortiAnalyzer unit. If you want the administrator to have access to the FortiAnalyzer unit from any address, use the IP address and netmask 0.0.0.0/0.0.0.0. To limit the administrator to only access the FortiAnalyzer unit from a specific network, enter that network's IP and netmask.
Access Profile: Select an access profile from the list. Access profiles define administrative access permissions to areas of the configuration by menu item. For more information, see Configuring access profiles on page 111. This option does not appear for the admin administrator.
Admin Domain: Select an administrative domain (ADOM) from the list. ADOMs define administrative access permissions to areas of the configuration and device data by device or VDOM. For more information, see Administrative Domains on page 50. This option does not appear when ADOMs are disabled, nor for the admin administrator.
4. Select OK to save the setting.
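Two controls in the account settings above limit password guessing: the Trusted Host filter (0.0.0.0/0.0.0.0 means any address, a 255.255.255.255 mask pins a single host) and the lockout after three mistyped passwords from one IP address. The following model of that login gate is an added example written for this page, not FortiAnalyzer code. The accounts, passwords and addresses are constructed, and the lockout duration is an assumption, since the guide only says "a short period of time".

```python
import hmac
import ipaddress
import time

LOCKOUT_THRESHOLD = 3      # the guide: three mistyped passwords
LOCKOUT_SECONDS = 60       # "a short period of time"; the exact duration is assumed here


def in_trusted_hosts(client_ip, trusted_hosts):
    """trusted_hosts holds (ip, netmask) pairs as typed into the Trusted Host field.
    0.0.0.0/0.0.0.0 matches every address; a 255.255.255.255 mask matches one host."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(f"{ip}/{mask}", strict=False) for ip, mask in trusted_hosts)


class AdminLoginGate:
    """Trusted-host filter followed by a per-source-IP lockout, as the account settings describe."""

    def __init__(self, accounts, clock=time.monotonic):
        self.accounts = accounts   # {name: {"password": str, "trusted_hosts": [(ip, mask), ...]}}
        self.clock = clock         # injectable so the lockout window can be tested without sleeping
        self.failures = {}         # client_ip -> (failed_count, locked_until)

    def attempt(self, name, password, client_ip):
        now = self.clock()
        count, locked_until = self.failures.get(client_ip, (0, 0.0))
        if now < locked_until:
            return "locked_out"
        acct = self.accounts.get(name)
        # Unknown account and untrusted source get the same answer so neither leaks information.
        if acct is None or not in_trusted_hosts(client_ip, acct["trusted_hosts"]):
            return "rejected"
        if hmac.compare_digest(password.encode(), acct["password"].encode()):
            self.failures.pop(client_ip, None)
            return "ok"
        count += 1
        if count >= LOCKOUT_THRESHOLD:
            self.failures[client_ip] = (0, now + LOCKOUT_SECONDS)
        else:
            self.failures[client_ip] = (count, 0.0)
        return "bad_password"


# Constructed accounts: admin is pinned to a management /16 plus one FortiManager host,
# auditor may log in from anywhere (the 0.0.0.0/0.0.0.0 entry).
SAMPLE_ACCOUNTS = {
    "admin": {
        "password": "s3cret!",
        "trusted_hosts": [("10.10.0.0", "255.255.0.0"), ("203.0.113.9", "255.255.255.255")],
    },
    "auditor": {"password": "pw", "trusted_hosts": [("0.0.0.0", "0.0.0.0")]},
}

if __name__ == "__main__":
    gate = AdminLoginGate(SAMPLE_ACCOUNTS)
    print(gate.attempt("admin", "s3cret!", "10.10.5.5"))      # ok
    print(gate.attempt("admin", "s3cret!", "203.0.113.10"))   # rejected: not a trusted host
```

Note that the lockout is keyed on the source address, as the guide states, so the trusted-host list is what keeps an attacker on an untrusted network from locking out an administrator by spraying failures.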
To view the list of access profiles, go to System > Admin > Access Profile.
Figure 82: Access profile list
The following information is displayed:
Profile Name: The name of the access profile.
To create an access profile:
1. Go to System > Admin > Access Profile.
2. Select Create New. The new access profile window opens.
Figure 83: New access profile window
3. Configure the following settings:
Profile Name: Enter a name for the new access profile.
Access Control: Lists the FortiAnalyzer configuration components to which you can set administrator access.
None: The administrator has no access to the function.
Read Only: The administrator can view pages, menus and information, but cannot modify any settings.
Read Write: The administrator can view pages, menus and information as well as change configurations.
Administrator accounts can also be restricted to specific devices or FortiGate units with VDOMs in the FortiAnalyzer device list. For more information, see Administrative Domains on page 50.
3. Enter a name for the group. 4. Select the servers from Available Auth Servers to add to the group and select the right arrow. 5. Select OK.
Name: The name that identifies the server.
Server Name/IP: The server name or IP address of that server.
To add a RADIUS server: 1. Go to System > Admin > RADIUS Server, select Create New. The new RADIUS server window opens.
2. Configure the following settings:
Name: Enter a name to identify the server.
Primary Server Name/IP: Enter the primary IP address for the server.
Primary Server Secret: Enter the shared secret for the primary server.
Secondary Server Name/IP: Enter the secondary IP address for the server. This is in case the primary one goes out of service.
Secondary Server Secret: Enter the shared secret for the secondary server.
Authentication Protocol: Select which protocol the FortiAnalyzer unit will use to communicate with the RADIUS server.
CHAP (challenge-handshake authentication protocol): CHAP provides the same functionality as PAP, but is more secure because the password itself is not sent over the network to the security server; the client answers a server challenge with a hash computed from the password.
MS-CHAP (Microsoft challenge-handshake authentication protocol v1): This is the Microsoft-specific version of CHAP.
The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.
To view the TACACS+ server list, go to System > Admin > TACACS+ Server.
Figure 88: TACACS+ server list
Name: The name that identifies the server.
Server Name/IP: The IP address of that server.
Authentication Type: The authentication protocol that a TACACS+ server uses during the authentication process.
To add a TACACS+ server:
1. Go to System > Admin > TACACS+ Server, select Create New.
2. Enter the appropriate information for the server and select OK.
Figure 89: New TACACS+ Server window
Name: Enter a name to identify the server.
Server Name/IP: Enter the server domain name or IP address of the TACACS+ server.
Server Key: Enter the key to access the TACACS+ server.
Authentication Type: Select the authentication type to use for the TACACS+ server.
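The RADIUS Authentication Protocol choice above (PAP, CHAP, MS-CHAP) decides what a packet capture between the FortiAnalyzer unit and the RADIUS server reveals. The following is an added example written for this page, not FortiAnalyzer code: it implements the two relevant standard constructions in Python so the difference can be seen. CHAP with MD5 (RFC 1994) answers a challenge with MD5(identifier || secret || challenge), so the password never travels; PAP over RADIUS carries the password hidden only with MD5(shared secret || request authenticator) XOR (RFC 2865 section 5.2), so it is recoverable by anyone who knows the RADIUS shared secret. The example also shows the caveat that a captured CHAP challenge/response pair can still be tested against password guesses offline. The secret, challenge and wordlist are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge), 16 bytes."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, stored_secret, challenge, response):
    """Server side: recompute from the stored secret and compare in constant time."""
    return hmac.compare_digest(chap_response(identifier, stored_secret, challenge), response)


def chap_exchange(secret, rng=os.urandom):
    """Run both sides of one CHAP round; the dict is what an eavesdropper would capture."""
    identifier = rng(1)[0]
    challenge = rng(16)
    response = chap_response(identifier, secret, challenge)        # client
    accepted = chap_verify(identifier, secret, challenge, response)  # server
    return {"identifier": identifier, "challenge": challenge, "response": response, "accepted": accepted}


def offline_guess(identifier, challenge, response, wordlist):
    """The caveat: a captured challenge/response pair can be tested against guesses offline."""
    for word in wordlist:
        if chap_response(identifier, word.encode(), challenge) == response:
            return word
    return None


def radius_hide_password(shared_secret, authenticator, password):
    """RFC 2865 5.2 User-Password hiding used for PAP: pad to 16-byte blocks, then
    c1 = p1 XOR MD5(S || RA), ci = pi XOR MD5(S || c(i-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block
    return out


def radius_reveal_password(shared_secret, authenticator, hidden):
    """Inverse of radius_hide_password: anyone holding the shared secret recovers the password."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, b))
        prev = block
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    print(chap_exchange(b"s3cret")["accepted"])
```

Under Auto the unit tries PAP first, so if the RADIUS shared secret is weak or reused the administrator passwords are exposed to anyone on that path; choosing CHAP removes that exposure but keeps the offline-guessing weakness, which is an argument for the mixed, longer passwords the guide recommends.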
Configure the following settings:
Idle Timeout: Set the idle timeout to control the amount of inactive time before the administrator must log in again. For better security, keep the idle timeout to a low value (for example, five minutes). When viewing real-time logs, a pop-up window appears 60 seconds before the set idle timeout value is reached, prompting you to keep or cancel the timeout. If you cancel it, you will not be logged out after the idle timeout value is reached.
Web Administration [Language]: Select the language for the Web-based Manager.
Web-based Manager Menu Customization: By default, these menu items are hidden. Select one to make it appear in the menu list.
Admin Domain Configuration: Enable or disable administrative domains (ADOMs). For more information on ADOMs, see Administrative Domains on page 50. This option does not appear if ADOMs are currently enabled and ADOMs other than the root ADOM exist. This option does not appear on FortiAnalyzer-100B/100C models.
Login Disclaimer: Select Enable to enter a login disclaimer message and select Apply. The next time you log in, you will be asked to accept or decline the disclaimer.
Monitoring administrators
The Monitor page enables the admin administrator to view a list of other administrators that are currently logged in to the FortiAnalyzer unit. The admin administrator can disconnect other administrators' sessions, should the need arise. To monitor current administrators, go to System > Admin > Monitor.
Figure 91: Monitoring administrators
To disconnect an administrator, mark the check box next to an administrators account name, then select Disconnect.
FortiAnalyzer Model                   Remote SQL database storage limit
FAZ-100B, FAZ-100C                    1TB
FAZ-400B                              2TB
FAZ-400C                              2TB
FAZ-800, FAZ-800B                     4TB
FAZ-1000B, FAZ-1000C                  4TB
FAZ-2000, FAZ-2000A, FAZ-2000B        6TB
FAZ-4000A, FAZ-4000B                  24TB
To configure the SQL database:
1. Go to System > Config > SQL Database.
Figure 92: SQL database
2. Configure the following settings:
Location: Select Disabled to save log data to the proprietary indexed file storage system instead of the SQL database, Local Database to save log data into the local SQL database, or Remote Database to save log data into a remote MySQL database. By default, the local SQL database is PostgreSQL. The selected location affects the way reports are configured. For more information, see Reports on page 203.
Start Time: Select the time when the FortiAnalyzer unit can start to insert log data into the SQL database. This field activates when Local Database or Remote Database is selected.
Type: Select the remote SQL database from the supported list of databases. This field only appears when Remote Database is selected.
Server: Enter the IP address or FQDN of the server on which the remote SQL database is installed. This field only appears when Remote Database is selected.
Database Name: Enter the name of the database in which log tables will be stored. This database must already exist on the MySQL server; if it does not, the FortiAnalyzer unit cannot connect. This field only appears when Remote Database is selected.
Username and Password: Enter the login information for a database user that has permissions to read and write data and to create tables.
Log Type: Select the log type(s) that you want to save to the SQL database. This field activates when Local Database or Remote Database is selected.
Upgrade notice
If you choose the proprietary indexed file system for log storage, an upgrade notice appears when you log in to the Web-based Manager, asking if you want to switch to the SQL database and migrate all logs to the SQL database.
Figure 93: Database upgrade notice
If you want to switch to the SQL database, select Upgrade Now and select local or remote SQL database, then select OK. For more information about SQL database configuration, see To configure the SQL database: on page 120. Your logs stored in the proprietary indexed file system will still be kept after the switch. Database switch affects report configuration. For more information, see Reports on page 203.
Configuring alerts
Log-based alerts define log message types, severities, and sources which trigger administrator notification. For example, you could configure a trigger on the attack logs with an SMTP server output if you want to receive an alert by email when your network detects an attack attempt. You can notify administrators by email, SNMP, or syslog, as well as the Alert Message Console widget. For information on viewing alerts through the Web-based Manager, see Alert message console widget on page 80. To view configured log-based alerts, go to System > Config > Log-based Alerts.
Figure 94: Alert events list
This page displays the following information:
Name: The name given to the log-based alert configuration.
Devices: The devices the FortiAnalyzer unit is monitoring for the log-based alert.
Triggers: The log messages (type and severity) the FortiAnalyzer unit is monitoring for the log-based alert.
Destination: The location where the FortiAnalyzer unit sends the alert message. This can be an email address, SNMP trap or syslog server.
To add a log-based alert: 1. Go to System > Config > Log-based Alerts, select Create New, enter the appropriate information, then select OK.
Configure the following settings:
Alert Name: Enter a name indicating the type of alert the FortiAnalyzer unit is monitoring for.
Device Selection: Select the devices the FortiAnalyzer unit monitors for the alert event. Select from the Available Devices list and select the right arrow to move the device name to the Selected Devices list. Hold the SHIFT or CTRL keys while selecting to select multiple devices.
Trigger(s): Select the triggers that the FortiAnalyzer unit uses to indicate when to send an alert message. Select the following:
- a log type to monitor, such as Event Log or Attack Log
- the comparison to apply to the severity level, such as >=
- the severity of the log message to match, such as Critical
For example, selecting Event Log >= Warning, the FortiAnalyzer unit will send alerts when an event log message has a level of Warning, Error, Critical, Alert or Emergency. These options are used in conjunction with Generic Text (located under Log Filters) and Device Selection to specify which log messages will trigger the FortiAnalyzer unit to send an alert message.
Log Filters: Select Generic Text to enable log filters, and then enter log message filter text. This text is used in conjunction with Trigger(s) and Device Selection to specify which log messages will trigger the FortiAnalyzer unit to send an alert message. Enter an entire word, which is delimited by spaces, as it appears in the log messages that you want to match. Inexact or incomplete words or phrases may not match. For example, entering log_i or log_it may not match; entering log_id=0100000075 will match all log messages containing that whole word. Do not use special characters, such as quotation marks or asterisks (*). If the log message that you want to match contains special characters, consider entering a substring of the log message that does not contain special characters. For example, instead of entering User 'admin' deleted report 'Report_1', you might enter admin.
Threshold: Set the threshold, or log message frequency, that the FortiAnalyzer unit monitors before sending an alert message. For example, set the FortiAnalyzer unit to send an alert only after it receives five emergency messages in an hour.
Send Alert To: Select where the FortiAnalyzer unit sends the alert message. Select an email address, SNMP trap or syslog server from the list. You must configure the SNMP traps or syslog server before you can select them from the list. For the FortiAnalyzer unit to send an email message, you must configure a DNS server and mail server account. For information, see Configuring an email server for alerts & reports on page 125. For information on configuring SNMP traps, see Configuring the SNMP agent on page 127. For information on configuring syslog servers, see Configuring syslog servers on page 131.
From: When configuring the FortiAnalyzer unit to send an email alert message, enter the sender's email address. This option only appears after you populate the Send Alert To field.
To
When configuring the FortiAnalyzer unit to send an email alert message, enter the recipients email address. This option only appears after you populate the Send Alert To field.
Add: Select to add the destination for the alert message. Add as many recipients as required.
Destination: Select a recipient from the Destination list and select Delete to remove a recipient.
Select the alert severity value to include in the outgoing alert message information.
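The trigger, generic-text and threshold rules described above, worked through as an added Python example; it is not code from the guide or from FortiAnalyzer itself. The severity order it uses is the standard FortiGate log-level order (Emergency most severe through Debug least severe), which is also the order the Minimum Severity setting of log forwarding applies. The sample log lines, device IDs and log IDs other than 0100000075 are constructed, and so are two design choices: the threshold is evaluated as N matches within a sliding window of P seconds, and the whole-word filter is checked against the space-delimited words of the raw line (quotes stripped) and against whole field values.

```python
import re
from collections import deque
from datetime import datetime, timezone

# FortiGate log levels, most severe first; "Event Log >= Warning" therefore matches
# Warning, Error, Critical, Alert and Emergency (rank <= rank of Warning).
SEVERITY_RANK = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}

_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Split a key=value log line into a dict; quoted values lose their quotes."""
    return {key: quoted if quoted else bare for key, quoted, bare in _FIELD_RE.findall(line)}


def log_timestamp(fields):
    """Combine date= and time= into epoch seconds (the constructed samples are treated as UTC)."""
    stamp = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc).timestamp()


class LogAlert:
    """One log-based alert: Device Selection, Trigger, optional Generic Text, Threshold."""

    def __init__(self, name, devices, log_type, min_severity,
                 generic_text=None, threshold_count=1, period_seconds=3600):
        self.name = name
        self.devices = set(devices)                   # Device Selection (devid= values)
        self.log_type = log_type                      # Trigger: log type (type= field)
        self.min_rank = SEVERITY_RANK[min_severity]   # Trigger: ">= severity"
        self.generic_text = generic_text              # Log Filters > Generic Text
        self.threshold_count = threshold_count        # Threshold: N matches ...
        self.period_seconds = period_seconds          # ... within this many seconds (assumed sliding window)
        self._hits = deque()                          # timestamps of matches inside the window

    def matches(self, line, fields):
        """Apply the device, log type, severity and whole-word generic text filters."""
        if fields.get("devid") not in self.devices:
            return False
        if fields.get("type") != self.log_type:
            return False
        if SEVERITY_RANK.get(fields.get("level"), 99) > self.min_rank:
            return False
        if self.generic_text is not None:
            # Whole words only, as the guide requires: a partial word such as log_i never matches.
            words = {tok.strip("'\"") for tok in line.split()}
            if self.generic_text not in words and self.generic_text not in fields.values():
                return False
        return True

    def feed(self, line):
        """Consume one log line; return True when an alert message should be sent."""
        fields = parse_log(line)
        if not self.matches(line, fields):
            return False
        now = log_timestamp(fields)
        self._hits.append(now)
        while now - self._hits[0] >= self.period_seconds:   # drop matches that left the window
            self._hits.popleft()
        if len(self._hits) >= self.threshold_count:
            self._hits.clear()                               # start a fresh window after alerting
            return True
        return False


def run_alert(alert, lines):
    """Return the 0-based indexes of the lines that caused an alert to be sent."""
    return [i for i, line in enumerate(lines) if alert.feed(line)]


# Constructed sample log lines (made-up device IDs, messages and log IDs; not real device output).
SAMPLE_LOGS = [
    'date=2013-03-01 time=10:00:00 devid=FG100A0000000001 logid=0100000075 type=event level=warning msg="Admin login failed"',
    'date=2013-03-01 time=10:00:05 devid=FG100A0000000001 logid=0100000075 type=event level=information msg="Admin login succeeded"',
    'date=2013-03-01 time=10:05:00 devid=FG100A0000000002 logid=0419016384 type=attack level=critical msg="signature match" user="admin"',
    'date=2013-03-01 time=10:06:00 devid=FG100A0000000001 logid=0419016384 type=attack level=critical msg="signature match"',
    'date=2013-03-01 time=10:10:00 devid=FG100A0000000001 logid=0100020001 type=event level=emergency msg="Power supply failure"',
    'date=2013-03-01 time=10:12:00 devid=FG100A0000000001 logid=0100020001 type=event level=emergency msg="Power supply failure"',
    'date=2013-03-01 time=10:30:00 devid=FG100A0000000001 logid=0100020001 type=event level=emergency msg="Power supply failure"',
    'date=2013-03-01 time=10:31:00 devid=FG100A0000000001 logid=0100020001 type=event level=emergency msg="Power supply failure"',
    'date=2013-03-01 time=10:33:00 devid=FG100A0000000001 logid=0100020001 type=event level=emergency msg="Power supply failure"',
    'date=2013-03-01 time=10:40:00 devid=FG100A0000000003 logid=0419016384 type=attack level=critical msg="signature match"',
]


def demo():
    """Run three constructed alerts over SAMPLE_LOGS; returns {alert name: indexes that alerted}."""
    alerts = [
        # any critical-or-worse attack log from two selected devices (the third device is not selected)
        LogAlert("attack-critical", {"FG100A0000000001", "FG100A0000000002"}, "attack", "critical"),
        # Event Log >= Warning, narrowed with the Generic Text whole word logid=0100000075
        LogAlert("admin-login-failed", {"FG100A0000000001"}, "event", "warning",
                 generic_text="logid=0100000075"),
        # Threshold: three emergency event logs within 10 minutes (the 10:10 and 10:12 hits age out)
        LogAlert("emergency-burst", {"FG100A0000000001"}, "event", "emergency",
                 threshold_count=3, period_seconds=600),
    ]
    return {a.name: run_alert(a, SAMPLE_LOGS) for a in alerts}
```

Calling demo() gives {"attack-critical": [2, 3], "admin-login-failed": [0], "emergency-burst": [8]}: the information-level login line is below the Warning trigger, the attack log from the unselected device is ignored, and the emergency burst only alerts once three matches fall inside the same ten-minute window.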
Configuring an email server for alerts & reports
Test: Verify that the email server is correctly configured. For more information, see To verify mail server connectivity: on page 126.
Name: The name of the email server.
E-Mail Account: The email address used for accessing the account on the email server.
Password: The password used in authentication to that server. The password appears as ******.
To add a mail server for alerts: 1. Go to System > Config > Mail Server and select Create New. The mail server settings window opens.
2. Configure the following settings:
SMTP Server: The name/address of the SMTP email server.
Enable Authentication: Select to enable SMTP authentication. When set, you must enter an email user name and password for the FortiAnalyzer unit to send an email with the account.
E-Mail Account: Enter the user name for logging in to the SMTP server to send alert mails. You only need to do this if you have enabled SMTP authentication. The account name must be in the form of an email address, such as user@example.com.
Password: Enter the password for logging in to the SMTP server to send alert email. You only need to do this if you enabled SMTP authentication.
Mail servers configured to send FortiAnalyzer alerts can also be selected when configuring report profiles and vulnerability scan jobs to email report output. For more information, see Network Vulnerability Scan on page 258 and Indexer based reports on page 235.
To verify mail server connectivity:
1. Go to System > Config > Mail Server.
2. Select the mail server that you want to verify, then select Test.
Figure 98: Test mail server window
3. Enter an email address in the Send test email to field. To verify complete connectivity from the FortiAnalyzer unit to the administrator's inbox, this should be the administrator's email address.
4. Select Test. A message appears, indicating the success or failure of sending email to the SMTP server. If the message was successfully sent, verify that it reached the email address.
Configuring the SNMP agent
Configure the following settings:
SNMP Agent: Select to enable the SNMP agent.
Description: Enter a descriptive name for this FortiAnalyzer unit.
Location: Enter the physical location of the FortiAnalyzer unit, such as a city or floor number.
Contact: Enter the contact information for the person responsible for this FortiAnalyzer unit.
Trap Type: The type of available SNMP trap.
Trigger: Enter a number (percent) for the trap type usage that will trigger a trap. The number can be between 1 and 100.
Threshold: Enter the number of times the trigger value must be reached before a trap is sent. The number can be between 1 and 100.
Sample Period(s): Enter a time period, in seconds. The number can be between 1 and 28800. The default is 600 seconds, which is 10 minutes. During the configured time period, the SNMP agent evaluates the trap type, for example CPU, at the configured sample frequency. For example, during a 600 second (10 minute) period, the SNMP agent evaluates memory every 60 seconds (1 minute).
Sample Frequency(s): Enter the frequency, in seconds, at which the trap type is sampled during the sample period. The number can be between 1 and 100.
Apply: Select to save the configured settings. Selecting Apply does not save the SNMP communities, because they are saved automatically after being configured.
The list of SNMP communities added to the FortiAnalyzer configuration.
Create New: Select to add a new SNMP community. See Configuring an SNMP community on page 129.
Edit: Change the selected SNMP community configuration.
Delete: Remove the selected SNMP community configuration. You cannot delete a community if it is used in an alert event. For more information, see Configuring alerts on page 122.
Test: Verify the selected SNMP community configuration by sending a test SNMP trap to the SNMP manager. This option only shows whether the test SNMP trap was successfully sent by the FortiAnalyzer unit; you need to go to the SNMP manager to check whether the trap was received. If the test fails, reconfigure the SNMP community that you want to verify. This option is inactive if the SNMP agent configuration has not been saved. See Apply on page 128.
Community Name: The name of the SNMP community.
Queries: The status of SNMP queries for each SNMP community. The query status can be enabled (green check mark) or disabled (gray cross).
Traps: The status of SNMP traps for each SNMP community. The trap status can be enabled (green check mark) or disabled (gray cross).
Enable: Select to enable the SNMP community. By default, an SNMP community is enabled when it is configured.
Configuring an SNMP community
3. Configure the following settings:
Community Name: Enter a name to identify the SNMP community.
Hosts: Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiAnalyzer unit.
Host Name: The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiAnalyzer unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community. Because SNMP v1 and v2c identify a manager only by its community name, a 0.0.0.0 entry lets any host that knows the name use this community; list only your SNMP managers where possible.
Interface: Optionally select the name of the interface that this SNMP manager uses to connect to the FortiAnalyzer unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiAnalyzer unit. This can occur if the SNMP manager is on the Internet or behind a router.
Delete: Select a Delete icon to remove an SNMP manager.
Add: Add a blank line to the Hosts list. You can add up to 10 SNMP managers to a single community.
Queries
Enter the port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiAnalyzer unit. Select the Enable check box to activate queries for each SNMP version. Note: The SNMP client software and the FortiAnalyzer unit must use the same port for queries.
Traps
Enter the local and remote port numbers (port 162 for each by default) that the FortiAnalyzer unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select Enable to activate traps for each SNMP version. Note: The SNMP client software and the FortiAnalyzer unit must use the same port for traps.
SNMP Events
Enable each SNMP event for which the FortiAnalyzer unit should send traps to the SNMP managers in this community.
Configuring syslog servers
Test: Verify the syslog server configuration by sending a test message to the server. See To verify a syslog server configuration: on page 132.
Name: The name of the syslog server.
IP address (or FQDN): The IP address or fully qualified domain name (FQDN) of the syslog server, and the port number.
To add a syslog server:
1. Go to System > Config > Remote Syslog.
2. Select Create New, enter the appropriate information, then select OK.
Figure 102: New Syslog Server window
Name: Enter a name for the syslog server.
IP address (or FQDN): Enter the IP address or fully qualified domain name of the syslog server.
Port: Enter the syslog server port number. The default syslog port is 514.
To verify a syslog server configuration:
1. Go to System > Config > Remote Syslog.
2. Select the syslog server configuration you want to verify.
3. Select Test.
Table 7: Test syslog server
4. In the Syslog Message field, enter a syslog message such as This is a test.
Figure 103: Test syslog server window
5. Select Test. You need to go to the syslog server to check if the message has been successfully received. If the test fails, reconfigure the syslog server.
For more information about log aggregation port numbers, see the Knowledge Base article Traffic Types and TCP/UDP Ports used by Fortinet Products.
All FortiAnalyzer models can be configured as a log aggregation client, but log aggregation server support varies by FortiAnalyzer model, due to storage and resource requirements.
Table 8: FortiAnalyzer models that support either an aggregation client or server, or both
FortiAnalyzer Model | Aggregation Client | Aggregation Server
FAZ-100B, FAZ-100C | Yes | No
FAZ-400B | Yes | No
FAZ-400C | Yes | No
FAZ-800, FAZ-800B | Yes | Yes
FAZ-1000B, FAZ-1000C | Yes | Yes
FAZ-2000, FAZ-2000A, FAZ-2000B | Yes | Yes
FAZ-4000A, FAZ-4000B | Yes | Yes
A device logging to a log aggregation client cannot send its logs directly to the aggregation server, since the server will refuse them. This device will still appear in the device list of the aggregation server. You can easily identify these devices as they do not have Rx and Tx permissions. On the aggregation server, configure the device quotas to be equal to or more than those on the aggregation client to avoid log data loss. When using log aggregation, all the FortiAnalyzer units must be running the same firmware release and their system time must be synchronized.
Configuring an aggregation client
An aggregation client is a FortiAnalyzer unit that sends logs to an aggregation server. By default, log aggregation is disabled on the FortiAnalyzer unit. To configure the aggregation client, go to System > Config > Log Aggregation, select Enable log aggregation TO remote FortiAnalyzer and enter the appropriate information. Select Apply.
Figure 104: Log aggregation client configuration
Configure the following settings:
Enable log aggregation TO remote FortiAnalyzer: Select to enable log aggregation to a remote FortiAnalyzer unit.
Remote FortiAnalyzer IP: Enter the IP address of the FortiAnalyzer unit acting as the aggregation server.
Password: Enter the password for the aggregation server. This password is set when configuring the aggregation server. See Password on page 135.
Confirm Password: Enter the password again for the aggregation server.
Aggregation daily at [hh:mm]: Select the time of day when the aggregation client uploads the logs to the aggregation server.
Aggregation Now: Select to start a log aggregation operation. Depending on the amount of new logs since the previous synchronization, the aggregation operation can take some time. It is recommended to perform the aggregation during off-peak hours.
Configuring an aggregation server: An aggregation server is a FortiAnalyzer unit that receives the logs sent from an aggregation client. FortiAnalyzer-800/800B and higher can be configured as aggregation servers.
The aggregation server needs to have device quotas at least as large as the aggregation client. If the device quotas are not correctly configured, log data will be lost.
By default, log aggregation is disabled on the FortiAnalyzer unit. To configure the aggregation server, go to System > Config > Log Aggregation, select Enable log aggregation TO this FortiAnalyzer, enter the password and confirm it, and then select Apply.
Figure 105: Log aggregation server configuration
Configure the following settings:
Enable log aggregation TO this FortiAnalyzer: Select to enable log aggregation to this FortiAnalyzer unit.
Password: Enter the password that aggregation clients must present to send logs to this FortiAnalyzer unit. The same password is entered on each aggregation client.
Log forwarding is similar to log uploading or log aggregation, but log-forwards are sent as individual syslog messages, not whole log files over FTP, SFTP, or SCP, and not as batches of log files. By default, log forwarding is disabled on the FortiAnalyzer unit.
To forward logs:
1. Go to System > Config > Log Forwarding.
2. Select Enable log forwarding to remote log server.
Figure 106: Log forwarding
3. Configure the following settings:
Enable log forwarding to remote log server: Select to enable log forwarding to a syslog server.
Remote device IP: Enter the IP address of the external syslog server.
Forward all incoming logs: Select to forward all incoming logs.
Forward only authorized logs: Select to forward only authorized logs (authorized according to a device's permissions).
Minimum Severity: Select the minimum severity threshold. All log events of equal or greater severity will be transmitted. For example, if the selected minimum severity is Critical, all Emergency, Alert and Critical log events will be forwarded; other log events will not be forwarded.
Configuring IP aliases
By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.
Use IP Alias to assign meaningful names to IP addresses. When configuring reports, or viewing logs and DLP archives, select Resolve Host Name to view the alias rather than the IP address. IP aliases can make logs and reports easier to read and interpret. For example, you could create an IP alias to display the label mailserver1 instead of its IP address, 10.10.1.54.
When adding an IP alias, you can also include an IP address range. For example:
10.10.10.1 - 10.10.10.50
10.10.10.1 - 10.10.20.100
To view the IP Alias list, go to System > Config > IP Alias.
Figure 107: List of IP aliases
Import: If you have a text file with IP addresses and aliases mapping, you can import the file instead of mapping them one by one on the FortiAnalyzer unit. See Importing IP aliases on page 137.
Alias: The name of the IP alias.
Host: The IP address or range for the IP alias.
To add an IP alias: 1. Go to System > Config > IP Alias. 2. Select Create New. 3. Enter a nickname for the IP address in Alias. 4. Enter the IP address or range in Host(Subnet / IP Range). 5. Select OK.
Importing IP aliases
If you have a text file with IP addresses and aliases mapping, you can import the file instead of mapping them one by one on the FortiAnalyzer unit. This is a quick way to add the mappings to the FortiAnalyzer unit. The contents of the text file should be in the following format: <alias_ipv4> <alias_name>
For example: 10.10.10.1 User_1 There can be only one IP address and user name entry per line. To import the alias file: 1. Go to System > Config > IP Alias. 2. Select Import. 3. Enter the path and file name, or select Browse to locate the file. 4. Select OK.
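The import file format and the Resolve Host Name lookup described above, as an added Python example that is not code from the guide or from FortiAnalyzer. Beyond the single-address lines the guide shows, it also accepts the range ("start - end") and subnet forms that the Host(Subnet / IP Range) field takes; that extension, the most-specific-match rule used when entries overlap, the "#" comment lines, and the srcip=/dstip= rewriting are assumptions of the example, and the alias file contents are constructed.

```python
import ipaddress
import re


def parse_alias_line(line):
    """Parse one import-file entry into (first_ip, last_ip, alias_name), addresses as ints.
    Accepts '<alias_ipv4> <alias_name>' plus the range and subnet forms (assumed extension)."""
    tokens = line.split()
    if len(tokens) == 2:
        host, name = tokens
        if "/" in host:                                   # subnet, e.g. 10.10.20.0/24
            net = ipaddress.IPv4Network(host, strict=False)
            first, last = int(net.network_address), int(net.broadcast_address)
        else:                                             # single address, e.g. 10.10.10.1
            first = last = int(ipaddress.IPv4Address(host))
    elif len(tokens) == 4 and tokens[1] == "-":           # range, e.g. 10.10.10.1 - 10.10.10.50
        first = int(ipaddress.IPv4Address(tokens[0]))
        last = int(ipaddress.IPv4Address(tokens[2]))
        name = tokens[3]
        if last < first:
            raise ValueError(f"range end precedes range start: {line!r}")
    else:
        raise ValueError(f"expected '<alias_ipv4> <alias_name>', got {line!r}")
    return first, last, name


def load_aliases(text):
    """Parse a whole import file; blank and '#' lines are skipped, bad lines are reported by number."""
    aliases = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            aliases.append(parse_alias_line(line))
        except ValueError as exc:          # IPv4Address/IPv4Network errors are ValueError subclasses
            raise ValueError(f"line {lineno}: {exc}") from None
    return aliases


def resolve(aliases, ip):
    """Return the alias for ip, preferring the narrowest matching entry; unknown addresses come back as-is."""
    n = int(ipaddress.IPv4Address(ip))
    best = None
    for first, last, name in aliases:
        if first <= n <= last and (best is None or last - first < best[0]):
            best = (last - first, name)
    return best[1] if best else ip


_IP_FIELD_RE = re.compile(r"\b(srcip|dstip)=(\d{1,3}(?:\.\d{1,3}){3})")


def resolve_log_line(aliases, line):
    """Replace srcip=/dstip= values with their aliases, as Resolve Host Name does in the log view."""
    return _IP_FIELD_RE.sub(lambda m: f"{m.group(1)}={resolve(aliases, m.group(2))}", line)


# Constructed import file (not real data); the first entry is the guide's mailserver1 example.
SAMPLE_ALIAS_FILE = """\
# host                         alias
10.10.1.54                     mailserver1
10.10.10.1                     User_1
10.10.10.1 - 10.10.10.50       sales_lab
10.10.20.0/24                  engineering
"""
```

With the sample file loaded, resolve(aliases, "10.10.10.1") returns User_1 rather than sales_lab because the single-address entry is narrower than the range that also contains it, and a malformed line such as "10.10.10.1 User_1 extra" is rejected with its line number so the file can be fixed before import.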
Configuring RAID
RAID (Redundant Array of Independent Disks) helps to divide data storage over multiple disks, which provides increased data reliability. FortiAnalyzer units that contain multiple hard disks can configure the RAID array for capacity, performance and availability. From System > Dashboard > Status, you can view the status of the RAID array from the Disk Monitor widget. The Disk Monitor widget displays the status of each disk in the RAID array, including the disk's RAID level. This widget also displays how much disk space is being used. For more information, see Disk monitor widget on page 75. The Alert Message Console widget, located in System > Dashboard > Status, provides detailed information about RAID array failures. For more information see Alert message console widget on page 80. If you need to remove a disk from the FortiAnalyzer unit, you can hot swap it. Hot swapping means that you can remove a failed hard disk and replace it with a new one even while the FortiAnalyzer unit is still in operation. Hot swapping is a quick and efficient way to replace hard disks. For more information about hot swapping, see Swapping hard disks on page 77. System > Config > RAID allows you to change the RAID level of the RAID array. Changing the RAID level will remove all log data from the disks, and the device disk quota may be reduced to accommodate the available disk space in the new RAID array.
Configure the following settings:
RAID Level: Select a RAID level and select Apply. The FortiAnalyzer unit will reboot, destroy the existing RAID array, create a new RAID array with the specified level, and then create a new file system on the array. All existing data is lost.
Total Disk Space: The amount of disk space available within the RAID array.
Free Disk Space: The amount of free disk space.
Disk #: The number identifying the disk. These numbers reflect what disks are available on the FortiAnalyzer unit. For example, on a FortiAnalyzer-4000A, there would be 1-12, whereas on a FortiAnalyzer-2000A there would be 1-6.
Size: The size of the individual hard disk.
Status: The current status of the hard disk. For example, OK indicates that the hard disk is okay and working normally; Not Present indicates that the hard disk is not being detected by the FortiAnalyzer unit or has been removed and no disk is available; Failed indicates that the hard disk is not working properly.
Alternatively, go to System > Dashboard > Status and, on the Disk Monitor widget, select RAID Settings in the title bar.
2. From RAID Level, select a RAID level. 3. Select Apply to begin the process of changing the RAID level. The following message appears:
Available RAID levels | Default RAID level
0, 1 | 1
Linear, 0, 1, 10 | 10
0, 5, 5 plus spare, 10, 50 | 50
0, 5, 5 plus spare, 10, 50 | 50
0, 5, 5 plus spare, 10, 50, 6, 6 plus spare, 60 | 50
When changing the RAID level, the available levels depend on the number of working disks that are actually present in the unit. For example, RAID5 is not available on FortiAnalyzer units with fewer than three disks. With a full complement of working disks, the default level is the recommended level in the above table. The following sections assume a full complement except where noted. You can find out information about RAID from the get system status or diag raid info commands in the CLI.
Fortinet recommends having an uninterruptible power supply (UPS) to reduce the possibility of data inconsistencies when power failures occur.
Linear
A linear RAID level combines all hard disks into one large virtual disk. It is also known as concatenation or JBOD (Just a Bunch of Disks). The total space available in this option is the capacity of all disks used. There is very little performance change when using this RAID format. If any of the drives fails, the entire set of drives is unusable until the faulty drive is replaced. All data will be lost.
RAID 0
A RAID 0 array is also referred to as striping. The FortiAnalyzer unit writes information evenly across all hard disks. The total space available is that of all the disks in the RAID array. There is no redundancy available. If any of the drives fails, the data cannot be recovered. This RAID level is beneficial because it provides better performance, since the FortiAnalyzer unit can distribute disk writing across multiple disks.
RAID 1
A RAID 1 array is also referred to as mirroring. The FortiAnalyzer unit writes information to one hard disk, and writes a copy (a mirror image) of all information to all other hard disks. The total disk space available is that of only one hard disk, as the others are solely used for mirroring. This provides redundant data storage with no single point of failure. Should any of the hard disks fail, there are several backup hard disks available. With a FortiAnalyzer-800 for example, if one disk fails, there are still three other hard disks the FortiAnalyzer unit can access and continue functioning.
RAID 5
A RAID 5 array employs striping with a parity check. The FortiAnalyzer unit writes information evenly across all drives. Additional parity blocks are written on the same stripes. The parity block is staggered for each stripe. The total disk space is the total number of disks in the array, minus one disk for parity storage. For example, on a FortiAnalyzer-800 with four hard disks, the total capacity available is actually the total for three hard disks.
RAID 5 performance is typically better with reading than writing, although performance is degraded when one disk has failed or is missing. With RAID 5, one disk can fail without the loss of data. If a drive fails, it can be replaced and the FortiAnalyzer unit will restore the data on the new disk using reference information from the parity volume.
RAID 5 appears in the Web-based Manager only for FortiAnalyzer units with hardware RAID.
RAID 10
RAID 10 (or 1+0) includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors (RAID 1). The total disk space available is the total number of disks in the array (a minimum of 4) divided by 2. One drive from a RAID 1 array can fail without loss of data; however, should the other drive in the same RAID 1 array fail, all data will be lost. In this situation, it is important to replace a failed drive as quickly as possible. The array layout on each model is:
- two RAID 1 arrays of two disks each (FortiAnalyzer-800/800B)
- three RAID 1 arrays of two disks each (FortiAnalyzer-2000/2000A/2000B)
- six RAID 1 arrays of two disks each (FortiAnalyzer-4000A)
- twelve RAID 1 arrays of two disks each (FortiAnalyzer-4000B)
Fortinet recommends using RAID 10 for redundancy instead of RAID 5 on FortiAnalyzer units with software RAID. RAID 5 can cause decreased performance.
RAID 50
RAID 50 (or 5+0) includes nested RAID levels 5 and 0, or a stripe (RAID 0) of stripes with parity (RAID 5). The total disk space available is the total number of disks minus the number of RAID 5 sub-arrays. RAID 50 provides increased performance and also ensures no data loss for the same reasons as RAID 5. One drive in each RAID 5 array can fail without the loss of data. For the following FortiAnalyzer units, data is recoverable when:
- two RAID 5 arrays of three disks each (FortiAnalyzer-2000/2000A/2000B)
- three RAID 5 arrays of four disks each (FortiAnalyzer-4000A)
- two RAID 5 arrays of twelve disks each (FortiAnalyzer-4000B)
RAID 5 with hot spare
FortiAnalyzer-2000/2000A/2000B and FortiAnalyzer-4000A/4000B units can use one of their hard disks as a hot spare (a stand-by disk for the RAID), should any of the other RAID hard disks fail. If a hard disk fails, within a minute of the failure, the FortiAnalyzer unit begins to automatically substitute the hot spare for the failed drive, integrating it into the RAID array, and rebuilding the RAID's data. When you replace the failed hard disk, the FortiAnalyzer unit uses the new hard disk as the new hot spare. The total disk space available is the total number of disks minus two.
RAID 6
RAID 6 provides fault tolerance from two drive failures; the array continues to operate with up to two failed drives. This makes larger RAID groups more practical, especially for high-availability systems. This becomes increasingly important as large-capacity drives lengthen the time needed to recover from the failure of a single drive. Single-parity RAID levels are as vulnerable to data loss as a RAID 0 array until the failed drive is replaced and its data rebuilt; the larger the drive, the longer the rebuild will take. Double parity gives time to rebuild the array without the data being at risk if a single additional drive fails before the rebuild is complete.
RAID 60
RAID 60 (or 6+0) includes nested RAID levels 6 and 0, or a stripe (RAID 0) of stripes with parity (RAID 6). The total disk space available is the total number of disks minus the number of RAID 6 sub-arrays. RAID 60 provides increased performance and also ensures no data loss for the same reasons as RAID 6. One drive in each RAID 6 array can fail without the loss of data. For the following FortiAnalyzer unit, data is recoverable when:
- two RAID 6 arrays of twelve disks each (FortiAnalyzer-4000B)
System Page 142 FortiAnalyzer v4.3.6 Administration Guide
RAID 6 with hot spare FortiAnalyzer-4000B unit can use one of its hard disks as a hot spare (a stand-by disk for the RAID), should any of the other RAID hard disks fail. If a hard disk fails, within a minute of the failure, the FortiAnalyzer unit begins to automatically substitute the hot spare for the failed drive, integrating it into the RAID array, and rebuilding the RAIDs data. When you replace the failed hard disk, the FortiAnalyzer unit uses the new hard disk as the new hot spare. The total disk space available is the total number of disks minus two.
The FAZ-4000B supports up to 24 disks. Each disk size is 932 GB. In theory, the FAZ-4000B can support a maximum disk space of 24 x 932 GB (close to 24 TB) when the RAID level is 0. However, the FortiAnalyzer unit uses the ext3 filesystem, which has a 16 TB limit on disk space. Therefore, even if the FAZ-4000B has 24 TB of RAID array capacity, the total disk space is limited to 16 TB. This is why the maximum disk space for the FAZ-4000B is 15380 GB.
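The capacity and fault-tolerance rules of the RAID levels above, worked through as an added Python example that is not code from the guide or from FortiAnalyzer. It covers only the levels whose usable capacity the guide states (Linear, 0, 1, 5, 5 plus spare, 10 and 50). The minimum disk counts for Linear, 0, 1, 5 plus spare and 50, the disk layout assumed for RAID 10, RAID 50 and the hot spare, and the ext3 limit expressed as 16384 GB are assumptions of the example; for the FAZ-4000B case it therefore returns that 16384 GB cap rather than the 15380 GB figure the guide reports, and it does not model the per-model restriction that RAID 5 appears only with hardware RAID.

```python
# Minimum working disks per level: RAID 5 needs three and RAID 10 four, as the guide notes;
# RAID 1 needs a mirror, 5 plus spare needs RAID 5 plus one disk, RAID 50 two RAID 5 sub-arrays.
MIN_DISKS = {"linear": 1, "0": 1, "1": 2, "5": 3, "5+spare": 4, "10": 4, "50": 6}

EXT3_LIMIT_GB = 16 * 1024   # the 16 TB ext3 ceiling the guide mentions, taken here as 16384 GB


def available_levels(n_disks):
    """Levels that n_disks working disks can support (RAID 10 additionally needs an even count).
    Per-model restrictions such as RAID 5 requiring hardware RAID are not modelled."""
    levels = [lvl for lvl, need in MIN_DISKS.items() if n_disks >= need]
    if n_disks % 2:
        levels = [lvl for lvl in levels if lvl != "10"]
    return levels


def data_disks(level, n_disks, sub_arrays=1):
    """How many disks' worth of space is usable, following the capacity rules stated in the guide."""
    if n_disks < MIN_DISKS[level]:
        raise ValueError(f"RAID {level} needs at least {MIN_DISKS[level]} disks")
    if level in ("linear", "0"):
        return n_disks                 # every disk holds data; no redundancy at all
    if level == "1":
        return 1                       # all other disks are mirrors of the first
    if level == "5":
        return n_disks - 1             # one disk's worth of parity, spread over the stripes
    if level == "5+spare":
        return n_disks - 2             # parity plus a hot spare held out of the array
    if level == "10":
        return n_disks // 2            # a stripe of mirror pairs
    if level == "50":
        if sub_arrays < 2 or n_disks % sub_arrays or n_disks // sub_arrays < 3:
            raise ValueError("RAID 50 needs at least two equal RAID 5 sub-arrays of three or more disks")
        return n_disks - sub_arrays    # one parity disk per RAID 5 sub-array
    raise ValueError(f"unknown RAID level {level!r}")


def usable_gb(level, n_disks, disk_gb, sub_arrays=1):
    """Usable array capacity in GB, capped by the ext3 limit the guide describes for the FAZ-4000B."""
    return min(data_disks(level, n_disks, sub_arrays) * disk_gb, EXT3_LIMIT_GB)


def survives(level, n_disks, failed, sub_arrays=1):
    """True if no data is lost when the 0-based disks in `failed` fail at the same time.
    Assumed layout: RAID 10 mirrors disks (0,1), (2,3), ...; RAID 50 sub-arrays are contiguous
    blocks; in 5+spare the highest-numbered disk is the spare. Rebuild onto a spare is not modelled."""
    failed = set(failed)
    if level in ("linear", "0"):
        return not failed
    if level == "1":
        return len(failed) < n_disks
    if level == "5":
        return len(failed) <= 1
    if level == "5+spare":
        return len(failed - {n_disks - 1}) <= 1
    if level == "10":
        return all(not {2 * i, 2 * i + 1} <= failed for i in range(n_disks // 2))
    if level == "50":
        size = n_disks // sub_arrays
        return all(len(failed & set(range(k * size, (k + 1) * size))) <= 1 for k in range(sub_arrays))
    raise ValueError(f"unknown RAID level {level!r}")
```

usable_gb("5", 4, 500) gives 1500, the FortiAnalyzer-800 case of three disks' worth of space out of four; usable_gb("0", 24, 932) gives the 16384 GB cap although the raw stripe would be 22368 GB; and survives("10", 4, {0, 2}) is True while survives("10", 4, {0, 1}) is False, which is the mirror-pair caveat the RAID 10 section makes.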
By default, the LDAP query occurs over a standard LDAP connection. The FortiAnalyzer unit does not support secure query (TLS or LDAPS) protocols. The Bind DN password and the returned user list therefore cross the network in the clear, so use a read-only bind account with no other privileges and keep the path between the FortiAnalyzer unit and the LDAP server on a trusted management network.
A directory is a set of objects with similar attributes organized in a logical and hierarchical way. Generally, an LDAP directory tree reflects geographic or organizational boundaries, with the Domain Name System (DNS) names at the top level of the hierarchy. The common name identifier for most LDAP servers is cn; however, some servers use other common name identifiers such as uid.
For example, you could use the following base distinguished name:
ou=marketing,dc=fortinet,dc=com
where ou is organization unit and dc is a domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units:
ou=accounts,ou=marketing,dc=fortinet,dc=com
Binding occurs when the LDAP server successfully authenticates the user and allows the user access to the LDAP server based on the user's permissions. You can configure the FortiAnalyzer unit to use one of two types of binding:
- anonymous: bind using anonymous user search
- regular: bind using user name/password and then search
If your LDAP server requires authentication to perform searches, use the regular type and provide values for user name and password.
In System > Config > LDAP, you can define a query to retrieve a list of LDAP users from a remote LDAP server. LDAP queries are used in FortiAnalyzer reports as an additional filter for the user field, providing a convenient way of filtering log data without having to list the user names manually. For example, you might need a report scope that is restricted to only those log messages whose user= field matches user names retrieved from the network's main LDAP server. For more information about LDAP queries in FortiAnalyzer reports, see Indexer based reports on page 235.
To view the LDAP server list, go to System > Config > LDAP.
Name: The name of the LDAP server.
Server Name/IP: The server name or IP address of the LDAP server.
Server Port: The port with which the server is exchanging information. The default port is 389.
Common Name Identifier: The name of the common name identifier.
Distinguished Name: The name of the attribute identifier that is used in the LDAP query filter.
To define an LDAP server query:
1. Go to System > Config > LDAP. The new LDAP server window opens.
Figure 110: New LDAP Server window
2. Configure the following settings:
Name: Enter the name for the LDAP server query.
Server Name/IP: Enter the LDAP server domain name or IP address.
Server Port: Enter the port number. By default, the port is 389.
Server Type
Select whether to use anonymous or authenticated (regular) queries. If selecting Anonymous, your LDAP server must be configured to allow unauthenticated anonymous queries. If selecting Regular, you must also enter the Bind DN and Bind Password.
Bind DN
Enter an LDAP user name in DN format to authenticate as a specific LDAP user, and bind the query to a DN. This option appears only when the Server Type is Regular.
Bind Password
Enter the LDAP users password. This option appears only when the Server Type is Regular.
Common Name Identifier
Enter the attribute identifier used in the LDAP query filter. By default, the identifier is cn. For example, if the Base DN contains several objects, and you want to include only objects whose cn=Admins, enter the Common Name Identifier cn and enter the Group(s) value Admins when configuring report profiles. For more information, see Indexer based reports on page 235. Report scopes using this query require Common Name Identifier. If this option is blank, the LDAP query for reports will fail.
Base DN
Enter the Distinguished Name of the location in the LDAP directory which will be searched during the query. To improve query speed, enter a more specific DN to constrain your search to the relevant subset of the LDAP tree. For example, instead of entering dc=example,dc=com you might enter the more specific DN ou=Finance,dc=example,dc=com. This restricts the query to the Finance organizational unit within the tree. Report scopes using this query require Base DN. If this option is blank, the LDAP query for reports will fail.
LDAP Distinguished Name Query
View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference the Distinguished Name. Leave the Base DN field empty for this option to work. For more information, see Querying for the base DN on page 147.
3. Select OK to save the setting.
Do not forget the password to the backed up configuration file. A password-encrypted backup configuration file cannot be restored without the password.
For additional information about backing up and restoring configuration, see Maintaining Firmware on page 290. To back up the configuration and install firmware, go to System > Maintenance > Backup & Restore.
Configure the following settings:
System Configuration
Last Backup: The date and time of the last backup to the local PC.
Backup configuration to: Currently, the only option in the Web-based Manager is to back up to your local PC. However, you can use the execute backup config command to back up the system configuration to a file on an FTP, SFTP, SCP, or TFTP server. For more information, see the FortiAnalyzer CLI Reference.
Select to encrypt the backup file. Enter a password in the Password field and enter it again in the Confirm field. You will need this password to restore the file. You must encrypt the backup file if you are using a secure connection to a FortiGate or FortiManager device.
Password: Enter a password to encrypt the configuration file. This password is required when restoring the configuration file.
Confirm: Enter the password again to confirm.
Backup: Select to back up the configuration.
Restore configuration from: Currently the only option is to restore from a PC.
Filename: Enter the configuration file name or use the Browse button if you are restoring the configuration from a file on the management computer.
Password: Enter the password if the backup file is encrypted.
Restore: Select to restore the configuration from the selected file.
Firmware
Partition: A partition can contain one version of the firmware and the system configuration. A green check mark indicates which partition contains the firmware and configuration currently in use.
The date and time of the last update to this partition.
The version and build number of the FortiAnalyzer firmware.
If your FortiAnalyzer model has a backup partition, you can:
- Select Upload to replace with firmware from the management computer.
- Select Upload and Reboot to replace the existing firmware and make this the active partition.
The following information is displayed:
FortiGuard Subscription Services: Displays the VCM registration status, engine and module version number, date of last update, and status of the connection to the FortiGuard Distribution Network (FDN). A green indicator means that the FortiAnalyzer unit can connect to the FDN or override server. An orange indicator means that the FortiAnalyzer unit cannot connect to the FDN or override server. Check the configuration of the FortiAnalyzer unit and any NAT or firewall devices that exist between the FortiAnalyzer unit and the FDN or override server. For example, you may need to add routes to the FortiAnalyzer unit's routing table.
Subscribe (Vulnerability Management): Select to open the Customer Service & Support web site to register the FortiAnalyzer unit and Vulnerability Management Service to receive vulnerability management updates from the FDN.
Select to upload a VCM upgrade file from your management computer. To obtain a VCM upgrade file, contact Customer Service & Support. You might upload a VCM file if you want to provide an immediate update, or use a VCM version other than the one currently provided by the FDN. If you want to use a VCM file other than the one currently provided by the FDN, also disable scheduled updates.
Note: Manual updates are not a substitute for a connection to the FDN. As with scheduled updates, manual updates require that the FortiAnalyzer unit can connect to the FDN to validate its VCM license.
Service Configuration Options
FortiGuard Server: Select the Expand arrow to display this FortiAnalyzer unit's FortiGuard server options for the subscription services.
Use override server address: Enable Use override server address and enter the IP address and port number of an FDS in the format <IP>:<port>, such as 10.10.1.10:8889. If you want to connect to a specific FDN server other than the one to which the FortiAnalyzer unit would normally connect, you can override the default IP addresses by configuring an override server. If, after applying the override server address, the FDN status icon changes to indicate availability (a green check mark), the FortiAnalyzer unit has successfully connected to the override server. If the icon still indicates that the FDN is not available, the FortiAnalyzer unit cannot connect to the override server. Check the FortiAnalyzer configuration and the network configuration to make sure you can connect to the FDN override server from the FortiAnalyzer unit.
Use Web Proxy: Select to enable the FortiAnalyzer unit to connect to the FDN through a web proxy, then enter the IP, Port, and (if required) Name and Password.
IP: Enter the IP address of the web proxy.
Port: Enter the port number of the web proxy. This is usually 8080.
Name: If your web proxy requires a login, enter the user name that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.
Password: If your web proxy requires a login, enter the password that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.
Vulnerability Management: Select the Expand arrow to display this FortiAnalyzer unit's VCM options for the subscription services.
Enable scheduled updates, then select the frequency of the update (Every, Daily or Weekly). Select Request Update Now if you want to immediately request an update.
Every: Select to update once every n hours, then select the number of hours in the interval.
Daily: Select to update once every day, then select the hour. The update attempt occurs at a randomly determined time within the selected hour.
Weekly: Select to update once a week, then select the day of the week and the hour of the day. The update attempt occurs at a randomly determined time within the selected hour.
To migrate data, the firmware release number and build number on the source and destination FortiAnalyzer units must match. Otherwise the migration will fail.
You need to configure both the FortiAnalyzer unit that will be sending data (the source FortiAnalyzer unit) and the FortiAnalyzer unit that will be receiving data (the destination FortiAnalyzer unit) for migrating configuration settings.
To configure the source FortiAnalyzer unit:
1. On the source FortiAnalyzer unit, log in to the Web-based Manager. Remember the login password; you will need it when configuring the destination FortiAnalyzer unit. See To configure the destination FortiAnalyzer unit for migrating configuration settings: on page 153.
2. Go to System > Maintenance > Migration.
3. Select Source to enable the FortiAnalyzer unit to send the configuration settings to the other FortiAnalyzer unit.
Figure 114: Migration
4. In Peer IP, enter the IP address of the FortiAnalyzer unit that will be receiving the data.
5. Select Apply, then select Enter Migration Mode. A message similar to the following will be displayed:
6. Select OK to reboot the FortiAnalyzer unit in migration mode. This may take a few minutes. You may need to refresh the page so that the login page appears. You can then log back in to the Web-based Manager to verify that the FortiAnalyzer unit is in migration mode. Only the admin user can log in to the FortiAnalyzer unit in migration mode. Only the System > Admin > Settings (Read + Write) and System > Maintenance > Migration (Read + Write) menu items appear in migration mode for a source FortiAnalyzer unit. You can modify these settings and they will be migrated to the destination unit. The migration will not start before the destination FortiAnalyzer unit is configured and starts to query the source unit.
7. If you need to modify the Peer IP in migration mode, enter a new one and select Apply.
To configure the destination FortiAnalyzer unit for migrating configuration settings:
1. On the destination FortiAnalyzer unit, log in to the Web-based Manager and go to System > Maintenance > Migration.
2. Select Destination to enable the FortiAnalyzer unit to receive the configuration settings.
3. Enter the IP address of the source FortiAnalyzer unit.
4. Enter the same password you used when logging in to the source FortiAnalyzer unit. The destination FortiAnalyzer unit will use this password to log in to the source FortiAnalyzer unit to get the configuration. The migration will fail if the passwords do not match.
5. If you want this FortiAnalyzer unit to receive logs and data from the registered devices during the migration process, select Accept Logs & Reports. The logs and data received from the managed devices during the migration process will not be overridden by the migrated data. You can also enable or disable this option during the migration process. For more information, see Actions during the migration process on page 155.
6. To receive certain logs and files, expand All Categories and then select what you want to receive. To receive all the categories, select the check box beside All Categories.
7. Select Apply, and then select Test Migration Mode. This FortiAnalyzer unit contacts the source FortiAnalyzer unit to validate the migration. The validation checks the following:
If the source unit and destination unit have different versions of firmware, the destination unit aborts the migration.
If the destination unit has data, a warning appears. You may choose to proceed or not.
If the source unit is not in migration mode, the destination unit aborts the migration.
If the source unit's IP is wrong or there is a network problem, "Migration source is not reachable" appears.
8. If the migration mode test is successful, select Enter Migration Mode. Only the following menu items appear:
System > Dashboard > Dashboard (Read-Only)
System > Network > Interface/DNS/Routing (Read + Write)
System > Admin > Settings (Read + Write)
System > Admin > Maintenance > Migration (Read + Write)
Device > All > Device (Read-Only)
Log > Log Viewer > Real-time (Read + Write)
Tools > File Explorer (Read-Only)
You can modify the settings with Read + Write privileges and they will not be overridden by the migrated data.
9. If you modify the configurations in migration mode, select Apply.
10. Select Start Migration. This may take a few minutes or several hours, depending on the amount of data that is being transferred. For example, if there is 500 GB of data to transfer, it will take several hours to send. See Actions during the migration process on page 155 for actions that can be taken during the migration process.
11. When the migration process is complete, go to the source and destination FortiAnalyzer units.
12. Log in to the Web-based Manager and go to System > Maintenance > Migration.
13. Select Exit Migration Mode.
Devices
The Devices menu controls connection attempt handling, permissions, disk space quota, and other aspects of devices that are connected to the FortiAnalyzer unit for remote logging, DLP archiving, quarantining, and/or remote management. For information on traffic types, ports and protocols that FortiAnalyzer units use to communicate with other devices and services, see the Knowledge Base article Traffic Types and TCP/UDP Ports used by Fortinet Products.
This section contains the following topics:
Configuring connections with devices & their disk space quota
Configuring device groups
Classifying FortiGate network interfaces
Connection attempts not handled by the device list include log aggregation, log forwarding, and SNMP traps. For more information about configuring connection handling for those types, see Configuring log aggregation on page 133, Configuring log forwarding on page 135, and Configuring the SNMP agent on page 127.
You may want to block connection attempts from devices that you do not want to add to the device list, since connection attempts must be reconsidered with each attempt. For more information, see Blocking unregistered device connection attempts on page 170. Devices may automatically appear on the device list when the FortiAnalyzer unit receives a connection attempt, according to your configuration of Unregistered Options, but devices may also automatically appear as a result of importing log files. For more information, see Importing a log file on page 192. To view the device list, go to Devices > All Devices > Allowed.
Hover your cursor over an item to display more information. Depending on your column display settings, the columns appearing may vary.
Configure the following settings:
Create New: Select to manually add a new device to the device list. For information about how to manually add devices, see Manually configuring a device or HA cluster on page 162.
Edit: Reconfigure the selected device connection and retrieve the device's logs if required. For more information, see To edit a device and retrieve the device's logs: on page 166.
Delete: Remove the selected devices from the list. You cannot delete a device that is referenced elsewhere in the configuration, such as by being assigned to a device group. To delete the device, first remove all configuration references to that device.
If you use the default proprietary indexed file storage system for log storage, once a device is removed from the device list, the associated logs and other data, such as DLP archives and the default report profile for the device (that is, the device summary report Default_<device_name>), are deleted. Reports that have already been generated from the device's log data, however, are not deleted.
If you use the local SQL file storage system for log storage, once a device is removed from the device list, the associated logs are not deleted. To delete the logs, use the command execute sql-local remove-device. This command does not remove reports that have already been generated from the device's log data.
If the device is still configured to attempt to connect to the FortiAnalyzer unit and you have configured Unregistered Device Options to display connection attempts from unregistered devices, the device may reappear in the device list.
Register: This option only appears if you select an unregistered device. Change a selected unregistered device into a registered one. When the Register Device page appears, enter a name for the device, and modify other settings if required. Select OK. The device appears in the Allowed device list. For more information on registering a device, see Manually configuring a device or HA cluster on page 162.
Block: Stop further connection attempts. This option appears if the selected device is an unregistered device. For more information about blocking a device, see Blocking unregistered device connection attempts on page 170.
Select to change the columns to view and the order they appear on the page. For more information, see Displaying and arranging log columns on page 180.
Enter the partial or full name of a device and select the one you want from the list to view or edit.
Name: The name of the device in the device list. This can be any descriptive name that you want assigned to it, and does not need to be its host name. Select the arrow beside Name to list the devices in either ascending or descending order. An orange exclamation point (!) icon before a device name indicates that the device is connecting to the FortiAnalyzer unit and the device's time zone is not synchronized with the FortiAnalyzer unit's time zone.
The model of the device. For example, the device list displays a FortiGate-400A model as FGT400A.
The IP address of the device. If the device has not recently established a connection, 0.0.0.0 appears.
Mouse over an icon to view when the FortiAnalyzer unit last received logs or data from the device. The icons indicate whether:
there are logs or data the FortiAnalyzer unit received from the device
logs are disabled on the device
it is an unregistered device
Only FortiGate units can send DLP archives, quarantine files, and IPS files to the FortiAnalyzer unit.
Secure: Indicates whether IPsec VPN tunnelling has been enabled for secure transmission of logs, content and quarantined files. Caution: A locked icon indicates that secure connection is enabled, but not necessarily fully configured, and the tunnel may not be up. For more information, see Manually configuring a device or HA cluster on page 162.
Quota Usage: The amount of the FortiAnalyzer disk space allocated for the device and how much of that space is used. For information on configuring disk space usage by quarantined files, see the FortiAnalyzer v4.0 MR3 CLI Reference.
The number of VDOMs on the device.
The type of the device: FortiGate unit, FortiManager unit, FortiMail unit, FortiWeb unit, FortiClient installation, or syslog server.
The ADOMs to which the device is assigned. This column does not appear:
on FortiAnalyzer-100 models
when ADOM is disabled on the FortiAnalyzer unit.
For more information about ADOM, see Administrative Domains on page 50.
Mode
Show: Select the type of devices to display in the list. You can select devices by type, or select Unregistered to display devices that are attempting to connect but that have not yet been registered or added.
Current Page: By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 2/10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.
By default, all supported Fortinet devices are discovered and listed as registered devices. All generic syslog devices are discovered and automatically listed as unregistered devices. You can configure these settings. For more information, see Configuring unregistered device options on page 169. You can also manually add/register a device. For more information, see Manually configuring a device or HA cluster on page 162.
Table 11: FortiAnalyzer device limits (continued)
FAZ-800, FAZ-800B FAZ-1000B FAZ-1000C FAZ-2000, FAZ-2000A FAZ-2000B FAZ-4000A, FAZ-4000B 500 2000 2000 2000 2000 2000 5000 No restrictions No restrictions No restrictions No restrictions No restrictions All All All All All All All All All All All All All All All All All All All All All All All All
To view the number of devices currently attempting to connect, see License Information widget on page 67.
For networks with more demanding logging scenarios, an appropriate device ratio may be less than the allowed maximum. Performance will vary according to your network size, device types, logging thresholds, and many other factors. When choosing a FortiAnalyzer model, consider your network's log frequency, and not only your number of devices.
A VDOM or HA cluster counts as a single device towards the maximum number of allowed devices. Multiple FortiClient installations (which can number up to the limit of allowed FortiClient installations) also count as a single device. For example, a FAZ-100B could register up to either:
100 devices
99 devices and 100 FortiClient installations
99 devices and one HA pair
91 devices and 9 VDOMs
When devices attempt to connect to a FortiAnalyzer unit that has reached its maximum number of allowed devices, the FortiAnalyzer unit will reject connection attempts by excess devices, and automatically add those excess devices to the list of blocked devices. For more information about blocked devices, see Configuring device groups on page 172.
When the FortiAnalyzer unit has exceeded its maximum number of allowed devices, you will not be able to add devices to the device list. To resume adding devices, you must first block a device that is currently on your device list, then unblock the device you want to add and add it to the device list.
All FortiClient installations are added as a single device, rather than as one device configuration per FortiClient installation, and their log messages are stored together. Use the FortiAnalyzer reporting features to obtain network histories for individual FortiClient installations.
You must add the FortiManager system to the FortiAnalyzer device list for the FortiAnalyzer unit to be remotely administered by the FortiManager system. Additionally, you must also:
enable web services on the FortiAnalyzer network interface that will be connected to the FortiManager system. See Configuring and using FortiAnalyzer web services on page 96;
register the FortiAnalyzer unit with the FortiManager system. See the FortiManager Administration Guide;
be able to connect from your computer to the Web-based Manager of both the FortiManager system and the FortiAnalyzer unit.
To manually add a device or HA cluster:
1. Go to Devices > All Devices > Allowed.
2. Do one of the following:
To add unregistered devices, at the bottom of the page, select Unregistered from Show. Select an unregistered device and select Register.
To add other devices, select Create New.
Figure 117: Add a device to an HA cluster
Configure the following settings:
Device Type: Select the device type. The type is automatically pre-selected if you are adding an unregistered device from the device list, or if you are editing an existing device. Other device options vary by the device type.
Device Name: Enter a name to represent the device, such as FG-1000-1. This can be any descriptive name that you want to assign to it, and does not need to be its host name. The device name is automatically pre-entered if you are adding a FortiClient installation.
IP Address: Enter the IP address of the device. This option appears only if Device Type is Syslog.
Device ID: Enter the device ID. Device IDs are usually the serial number of the device, and usually appear on the dashboard of the device's web-based manager. The device ID is automatically pre-entered if you are adding an unregistered device from the device list, or if you are editing an existing device. This option does not appear if Device Type is Syslog or FortiClient.
For an HA cluster, enter the ID of the primary member. This option appears only if Mode is HA.
Disk Allocation (MB): Enter the amount of hard disk space allocated to the device's log and content messages, including quarantined files. The allocated space should be at least 10 times the log rolling size for the Log and DLP archive. For example, if you set the log and DLP archive log file roll size to 50 MB, allocate at least 500 MB of disk space for the device. Amounts following the disk space allocation field indicate the amount of disk space currently being used by the device, and the total amount of disk space currently available on the FortiAnalyzer unit.
When Allocated Disk Space is All Used: Select either Overwrite Oldest Files or Stop Logging to indicate what the FortiAnalyzer unit should do when the allocated disk space has been used. For more information about disk space allocation, see System resources widget on page 69.
Device Privileges: Select the connection privileges of the device, such as for sending and viewing log files, DLP archives and quarantined files. Available permissions vary by device type. Note: Remotely accessing logs, DLP archive logs and quarantined files is available on FortiGate units running firmware v4.0 or later.
Description: Enter any additional information on the device. Description information appears when you move the mouse over a device name in the device list.
Mode: If you are adding a single unit, select Standalone. If you are adding an HA cluster, select HA, then select the devices other than the primary member of the cluster from Available Devices (devices on the FortiAnalyzer unit's device list) and move them to Membership using the right-pointing arrow. The devices are added to the HA cluster. You can also manually enter a device ID in the field under Available Devices and select Add to put it into the HA cluster. Although the manually entered devices will not appear in the device list since they are not added to the FortiAnalyzer unit, they can communicate with the FortiAnalyzer unit through the primary device of the cluster, because the primary device synchronizes the configuration with its members. All device models in an HA cluster must be the same. The FortiAnalyzer unit checks the first six digits of each device ID to ensure consistency. This option appears only if Device Type is FortiGate or FortiManager.
4. Select OK. The device appears in the device list.
After registration, some device types can be configured for secure connection. For more information, see Secure on page 160.
To edit a device and retrieve the device's logs:
1. Go to Devices > All Devices > Allowed.
2. Select a device and select Edit.
3. Modify the device configuration as required. For more information, see To manually add a device or HA cluster: on page 163.
4. If you want to manually retrieve logs from this device, select Retrieve Logs.
5. Select OK.
Connection attempts from devices not registered with the FortiAnalyzer unit's device list may not be automatically accepted. In this case, you may need to manually add the device to the device list. For more information, see Configuring unregistered device options on page 169. For a diagram of traffic types, ports and protocols that FortiAnalyzer units use to communicate with other devices and services, see the Knowledge Base article Traffic Types and TCP/UDP Ports used by Fortinet Products.
To enable the FortiAnalyzer unit to reply to FDP packets:
1. Go to System > Network > Interface.
2. Select Edit for the network interface that should reply to FDP packets.
Figure 120: Enable FDP packets on an interface
4. Select OK.
The FortiAnalyzer unit is now configured to respond to FDP packets on that network interface, including those from the FortiGate unit's Automatic Discovery feature. For more information about connecting the FortiGate unit using FDP, see To connect a FortiGate unit to a FortiAnalyzer unit using FDP: on page 168.
To connect a FortiGate unit to a FortiAnalyzer unit using FDP:
This procedure is based on the FortiOS v4.0 MR2 release and may change in future releases.
On the FortiGate unit CLI, enter:
    config log fortianalyzer setting
        set address-mode auto-discovery
    end
The FortiGate unit sends FDP packets to other hosts on the FortiGate unit's subnet. If a FortiAnalyzer unit exists on the subnet and is configured to reply to FDP packets, it sends a reply. If your FortiGate unit is connecting to a FortiAnalyzer unit from another network, such as through the Internet or through other firewalls, this may fail to locate the FortiAnalyzer unit, and you may need to configure an IPsec VPN tunnel to facilitate the connection. For more information and examples, see the Knowledge Base article Sending remote FortiGate logs to a FortiAnalyzer unit behind a local FortiGate unit. For more information about configuring FortiGate unit quarantining, DLP archiving, and/or remote logging, see the FortiGate Administration Guide.
Due to the nature of connectivity for certain high availability (HA) modes, full DLP archiving and quarantining may not be available for FortiGate units in an HA cluster. For more information, see the FortiGate HA Overview.
Unregistered Device Options apply to all device types attempting to connect, not just FortiGate units.
Configure the following settings:
Known Device Types (FortiGate, FortiManager, FortiClient, FortiMail, FortiWeb)
Ignore connection and log data: Select to deny any connection attempts and log-sending to the FortiAnalyzer unit from Fortinet devices. This option does not apply to manually added devices. For more information on adding a device manually, see Manually configuring a device or HA cluster on page 162.
Allow connection, add to unregistered table, but ignore log data: Select to allow the devices to connect but list them as unregistered devices. The FortiAnalyzer unit will ignore any logs sent from the devices until you manually register them.
Allow connection, register automatically, and store up to: Select to allow the connection and automatically register the devices. The FortiAnalyzer unit will store a specified amount of log data from the devices.
Select to deny any connection attempts from all unknown syslog devices. This option does not apply to manually added devices. For more information on adding a device manually, see Manually configuring a device or HA cluster on page 162.
Add unknown unregistered devices to unregistered table, but ignore data: Select to list unknown syslog devices as unregistered devices and ignore any logs sent from these devices.
Add unknown unregistered devices to unregistered table, and store up to: Select to list unknown devices as unregistered, and allow the FortiAnalyzer unit to store a specified amount of log data from these devices. The default amount of storage space is 1 000 MB. The available MB of data is determined by how much is currently available on your FortiAnalyzer unit, which fluctuates and is never a fixed number.
Many FortiAnalyzer features are not available for unregistered devices of unknown types. For more information about the differences between unregistered and registered devices, see Unregistered vs. registered devices on page 161. Both registered and unregistered devices count towards the maximum number of devices available for a FortiAnalyzer unit. Too many unregistered devices will prevent you from adding a device. For more information, see Manually configuring a device or HA cluster on page 162. When devices attempt to connect to a FortiAnalyzer unit that has reached its maximum number of allowed devices, the FortiAnalyzer unit will reject connection attempts by excess devices, and automatically add those excess devices to the list of blocked devices. For more information about blocked devices, see Blocking unregistered device connection attempts on page 170.
Unblock: Register a selected device to the FortiAnalyzer unit's device list. When the Register Device page appears, enter a name for the device, and modify other settings if required. Select OK. The device appears in the Allowed device list. For more information on registering a device, see Manually configuring a device or HA cluster on page 162.
Delete: Remove a selected device from the list of blocked devices. If the device attempts to connect to the FortiAnalyzer unit, it may appear in the device list as an unregistered device, according to your configuration of Unregistered Device Options. For more information, see Configuring unregistered device options on page 169.
The unique ID or serial number of the blocked device.
The type of device, such as FortiGate, FortiManager, FortiMail, FortiClient, FortiWeb, or syslog server.
The IP address of the blocked device.
To block a device:
1. Go to Devices > All Devices > Allowed.
2. At the bottom of the page, from Show, select Unregistered.
Figure 124: Block a device
3. Mark the check box of the unregistered device that you want to block, then select Block. The device appears in the blocked devices list (Devices > All Devices > Blocked).
Select the device group type to display, such as FortiGate, FortiManager, FortiMail or syslog groups.
The name of the device group.
The names of devices that belong to the device group.
To configure a device group: 1. Go to Devices > Group > Device Group. The create new group window opens.
2. Configure the following settings:
Group Name: Enter a name for the device group.
Group Type: Select the device group type that you want to create. You can choose FortiGate Group, FortiMail Group, FortiManager Group, FortiWeb Group, or Syslog Group. When you select a group type, the devices that are available to that group appear in the Available Devices field. FortiClient installations are treated as a single device, and so cannot be configured as a device group.
Available Devices: The available devices for the group type you select in Group Type. Select a device and then use the right arrow to move it to the Members field.
Members: The devices that are members of the group you are creating. To remove a device from the Members field, select the device and then select the left arrow.
3. Select OK.
Some report types for FortiGate devices include traffic direction, that is, inbound or outbound traffic flow. When the FortiAnalyzer unit generates reports involving traffic direction, it compares the values in the source and destination interface fields of the log messages with your defined network interface classifications to determine the traffic directionality. The table below illustrates the traffic directionality derived from each possible combination of source and destination interface class. For more information on classifying FortiGate network interfaces, see the FortiAnalyzer v4.0 MR3 CLI Reference.
Table 12: Traffic directionality by class of the source and destination interface
Source interface class | Destination interface class | Traffic direction
None | All types | Unclassified
All types | None | Unclassified
WAN | LAN, DMZ | Incoming
WAN | WAN | External
LAN, DMZ | LAN, DMZ | Internal
LAN, DMZ | WAN | Outgoing
Example: Your FortiGate unit has four interfaces, port 1 to port 4. Port 1 is connected to the WAN; Port 2 and Port 3 are connected to the LAN; and Port 4 is connected to the DMZ. In this case, traffic from Port 1 (WAN) to Port 2 (LAN) is considered incoming, while traffic from Port 2 to Port 1 is considered outgoing.
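The decision rule of Table 12 as an added Python example, not FortiAnalyzer's own code: it maps a source and destination interface class to a direction and applies the rule to constructed FortiGate-style traffic log lines using the four-port classification from the example above. The interface map, the log lines and the use of the srcintf/dstintf field names are assumptions made for the example.

```python
"""Traffic directionality from interface classes (added example).

Reproduces Table 12: (source interface class, destination interface class)
-> traffic direction, and applies it to constructed traffic log lines.
"""
import re

# Interface classes an interface can be assigned to; None = not classified.
WAN, LAN, DMZ = "WAN", "LAN", "DMZ"
_INTERNAL = {LAN, DMZ}          # LAN and DMZ behave identically in Table 12


def traffic_direction(src_class, dst_class):
    """Return the direction label Table 12 assigns to a class pair."""
    if src_class is None or dst_class is None:
        return "Unclassified"   # rows 1 and 2: either end has no class
    if src_class == WAN and dst_class in _INTERNAL:
        return "Incoming"
    if src_class == WAN and dst_class == WAN:
        return "External"
    if src_class in _INTERNAL and dst_class in _INTERNAL:
        return "Internal"
    if src_class in _INTERNAL and dst_class == WAN:
        return "Outgoing"
    raise ValueError(f"unknown interface class pair: {src_class}, {dst_class}")


# Constructed classification for the four-port example in the text:
# port1 -> WAN, port2 and port3 -> LAN, port4 -> DMZ.
EXAMPLE_CLASSES = {"port1": WAN, "port2": LAN, "port3": LAN, "port4": DMZ}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Parse the key=value pairs of a FortiGate-style traffic log line."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify_log(line, classes):
    """Direction of one traffic log line given an interface -> class map.

    An interface missing from the map is treated as unclassified, so a
    report built on these classes reports "Unclassified" rather than guessing.
    """
    rec = parse_log(line)
    src = classes.get(rec.get("srcintf"))
    dst = classes.get(rec.get("dstintf"))
    return traffic_direction(src, dst)


def summarize(lines, classes):
    """Count log lines per direction, as a directional report would."""
    counts = {}
    for line in lines:
        direction = classify_log(line, classes)
        counts[direction] = counts.get(direction, 0) + 1
    return counts


# Constructed sample log lines (not captured from a real device). The field
# names srcintf/dstintf are assumed here; port5 has no classification.
SAMPLE_LOGS = [
    'date=2013-03-01 time=10:00:01 type=traffic srcintf="port1" dstintf="port2" action=accept',
    'date=2013-03-01 time=10:00:02 type=traffic srcintf="port2" dstintf="port1" action=accept',
    'date=2013-03-01 time=10:00:03 type=traffic srcintf="port2" dstintf="port4" action=accept',
    'date=2013-03-01 time=10:00:04 type=traffic srcintf="port1" dstintf="port1" action=deny',
    'date=2013-03-01 time=10:00:05 type=traffic srcintf="port5" dstintf="port2" action=accept',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(classify_log(line, EXAMPLE_CLASSES), "<-", line)
    print(summarize(SAMPLE_LOGS, EXAMPLE_CLASSES))
```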
FortiGate units send log messages to the FortiAnalyzer unit only after a session is closed. All real-time log messages you view on the FortiAnalyzer unit therefore do not reflect the real-time activities on the FortiGate units.
You can view log messages from all devices or a particular device in real-time or within a specified time frame. For more information about log messages from FortiGate units, see the FortiGate Log Message Reference. To view all log messages, go to Log & Archive > Log Access > All Logs.
The columns that appear reflect the content found in the log file. You can select an item in a column to display more information. Depending on your column display settings, the columns appearing may vary.
This page displays the following information:
Show: Select the device or type of device that you want to view logs from. You can select multiple devices.
Timeframe: Select the time frame during which you want to display the logs.
Realtime Log: Select to view the real-time device log messages. After selecting Realtime Log, the Historical Log icon appears. Select it to go back to viewing logs within a specified time frame.
Column Settings: Select to change the columns to view and the order they appear on the page. For more information, see Displaying and arranging log columns on page 180.
Printable Version: Select to download an HTML file containing all log messages that match the current filters. The HTML file is formatted to be printable. The time required to generate and download large reports varies by the total number of log messages, the complexity of any search criteria, the specificity of your column filters, and the speed of your network connection.
Download Current View: Select to download log files in text (.txt), comma-separated value (.csv), or standard .log (Native) file format. You can also select to compress the log files in gzipped format before uploading to the server. The downloaded version will match the current log view, containing only log messages that match your current filter settings.
Search: If you use the proprietary indexed file storage system (Disabled is selected under System > Config > SQL Database), enter a keyword to perform a simple search on the available log information, then press Enter to begin the search. If you use an SQL database (Local Database or Remote Database is enabled under System > Config > SQL Database), enter <field_name>=value, such as device_id=FG600B3909601460, to perform a simple search on the available log information, then press Enter to begin the search. Log field names and values can be found in logs in Raw format (see Change Display Options on page 177), such as device_id=FG600B3909601460, src_int=port1, or dstname=192.168.30.2.
Advanced Search: Select to search the device logs for matching text using two search types: Quick Search and Full Search. For more information, see Searching the logs on page 182.
Last Activity: The date and time the log was received by the FortiAnalyzer unit.
Device ID: The ID of the device that sent the log.
Type: The log type.
Level: The severity level of the log.
Device Time: The date and time when events occurred on the devices that sent the logs.
Timestamp: The date and time when logs were received by the FortiAnalyzer unit.
Details: The detailed information of the log.
Other Columns: There are over 100 other columns that can be selected, depending on the log type selected.
View n per page: Select the number of rows of log entries to display per page. You can choose up to 1000 entries.
Current Page: Enter a page number, then press Enter to go to that page.
Change Display Options: Select a view of the log file. Selecting Formatted (the default) displays the log files in columnar format. Selecting Raw displays the log information as it actually appears in the log file.
Log messages that are received from a log aggregation device are scheduled transfers, not real-time messages, so log aggregation devices do not appear in the Real-time log page. Individual high availability (HA) cluster members also do not appear in the Real-time log page because HA members are treated as a single device. For more information about log aggregation, see Configuring log aggregation on page 133.
Log & Archive Page 177 FortiAnalyzer v4.3.6 Administration Guide
To view a type of log, go to Log & Archive > Log Access and select a log type:
Event Log: records all event activities, such as an administrator adding a firewall policy on a FortiGate unit.
UTM Log: the unified threat management log includes IPS (Attack), Application Control, Web Filter, AntiVirus, Data Leak (DLP), and Email Filter. By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.
The following six log types do not appear if you enable Show Consolidated UTM Log in System > Admin > Settings:
IPS (Attack): records all attacks that occur against your network. These log messages also contain links to the Fortinet Vulnerability Encyclopedia where you can better assess the attack.
Application Control: records the application traffic generated by the applications on the device.
Web Filter: records HTTP device log rating errors, including web content blocking actions that the device performs.
AntiVirus: records virus incidents in Web, FTP, and email traffic.
Data Leak (DLP): provides information concerning files, such as email messages and web pages, that are archived on the FortiAnalyzer unit by the device.
Email Filter: records IMAPS, POP3S, and SMTPS email traffic.
The remaining log types are:
Traffic log: records all traffic to and through the interfaces on a device.
Vulnerability Scan Log: records the vulnerability scan activities on the device.
VoIP: provides information on VoIP traffic on the device. By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.
History: records all mail traffic going through the FortiMail unit. By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.
IM: records instant message text, audio communications, and file transfers attempted by users. By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.
Generic Syslog: provides syslog information for the device. By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.
All Logs: records all logs received by the FortiAnalyzer unit.
The columns that appear reflect the content found in the log file. You can select an item in a column to display more information.
The details provided in the details window will vary depending on the type of log selected.
To display logs in Raw or Formatted view, go to a page that displays log messages, such as Log & Archive > Log Access > All Logs, and select Change Display Options > Raw/Formatted at the bottom of the page. By default, log messages appear in Formatted view.
Figure 130: Change display options
If you select Formatted, options appear that enable you to display and arrange log columns and/or filter log columns. For more information, see Displaying and arranging log columns and Filtering logs on page 181.
3. Select which columns to hide or display.
   In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Display Fields area. Alternatively, to display all columns, select the double right arrow.
   In the Display Fields area, select the names of individual columns you want to hide, then select the single left arrow to move them to the Available Fields area. Alternatively, to hide all columns, select the double left arrow.
   To return all columns to their default displayed/hidden status, select Default.
4. Select OK.
To change the order of the columns:
1. Go to a page which displays log messages, such as Log & Archive > Log Access > All Logs.
2. Select Column Settings. Lists of available and displayed columns for the log type appear.
3. In the Display Fields area, select a column name whose order of appearance you want to change.
4. Select the up or down arrow to move the column in the ordered list. Placing a column name towards the top of the Display Fields list will move the column to the left side of the Formatted log view.
5. Select OK.
Filtering logs
When viewing log messages in Formatted view, you can filter columns to display only those log messages that do or do not contain your specified content in that column. By default, most column headings contain a gray filter icon, which becomes green when a filter is configured and enabled. Filters do not appear when viewing logs in Raw view, or for unindexed log fields in Formatted view. When you are viewing real-time logs, filtering by time is not supported; by definition of the real-time aspect, only current logs are displayed.
Figure 132: Filter icons (Filter; Filter in use)
To filter log messages by column contents:
1. In the heading of the column that you want to filter, select the Filter icon to open the log filtering window.
Figure 133: Filters window
2. If you want to exclude log messages with matching content in this column, select NOT. If you want to include log messages with matching content in this column, deselect NOT.
3. Enter the text that matching log messages must contain. Matching log messages will be excluded or included in your view based upon whether you have selected or deselected NOT.
4. Select OK. A column's Filter icon is green when the filter is currently enabled. You can select Download Current View to download only log messages which meet the current filter criteria.
Filtering tips
When filtering by source or destination IP, you can use the following in the filtering criteria:
- a single address (2.2.2.2)
- an address range using a wild card (1.2.2.*)
- an address range (1.2.2.1-1.2.2.100)
You can also use the Boolean operator (or) to indicate mutually exclusive choices:
- 1.1.1.1 or 2.2.2.2
- 1.1.1.1 or 2.2.2.*
- 1.1.1.1 or 2.2.2.1-2.2.2.10
Most column filters require that you enter the column's entire contents to successfully match and filter contents; partial entries do not match the entire contents, and so will not create the intended column filter. For example, if the column contains a source or destination IP address (such as 192.168.2.5), enter the entire IP address to be matched. If you enter only one octet of the IP address (such as 192), the filter will not completely match any of the full IP addresses, and so the resulting filter would omit all logs rather than including those logs whose IP address contains that octet. Exceptions to this rule include columns that contain multiple words or long strings of text, such as messages or URLs. In those cases, you may be able to filter the column using a substring of the text contained by the column, rather than the entire text.
Configure the following settings:
Device/Group: Select to search logs from the FortiAnalyzer unit (Local Logs), a device, or a device group.
Time Period: Select to search logs from a time frame, or select Specify and define a custom time frame by selecting the From and To date times.
From: Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specify.
To: Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specify.
Keyword(s): Enter search terms which will match to yield log message search results. To specify that results must include all, any, or none of the keywords, select these options in Match.
Full Search: Select to perform a full search. Keywords for a full search may contain special characters. Full Search examines all log message fields.
Select to stop the search before it is completed. This option is grayed out unless there is a search in progress.
More Options: Select the Expand Arrow to hide or expand additional search options.
Match: Select how keywords are used to match log messages which comprise search results.
  All Words: Select to require that matching log messages contain all search keywords. If a log message does not contain one or more keywords, it will not be included in the search results.
  Any Words: Select to require that matching log messages contain at least one of the search keywords. Any log message containing one or more keyword matches will be included in the search results.
  Does Not Contain the Words: Select to require that matching log messages do not contain the search keywords. If a log message contains any of the search keywords, it will be excluded from the search results.
Other Filters: Specify additional criteria, if any, that further restrict the search.
  Log Type: Select to include only log messages of the specified type. For example, selecting Traffic would cause search results to include only log messages containing type=traffic.
  Log Level: Select to include only log messages of the specified severity level. For example, selecting Notice would cause search results to include only log messages containing pri=notice.
  Src IP: Enter an IP address to include only log messages containing a matching source IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing src=192.168.2.1 and/or content log messages containing a client IP address of 192.168.2.1.
  Dst IP: Enter an IP address to include only log messages containing a matching destination IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing dst=192.168.2.1 and/or content log messages containing a server IP address of 192.168.2.1.
  User Name: Enter a user name to include only log messages containing a matching authenticated firewall user name. For example, entering userA would cause search results to include only log messages containing user=userA.
  Group Name: Enter a group name to include only log messages containing a matching authenticated firewall group name. For example, entering groupA would cause search results to include only log messages containing group=groupA.
Search tips
If your search does not return the results you expect, but log messages exist that should contain matching text, examine your keywords and filter criteria using the following search characteristics and recommendations.
- Separate multiple keywords with a space (type=webfilter subtype=activexfilter).
- Keywords cannot contain unsupported special characters. Supported characters vary by selection of Quick Search or Full Search.
- Keywords must literally match log message text, with the exception of case insensitivity and wild cards; resolved names and IP aliases will not match.
- Some keywords will not match unless you include both the log field name and its value (type=webfilter).
- Remove unnecessary keywords and search filters which can exclude results. In More Options, if All Words is selected, all keywords must match for a log message to be included in the search results; if any of your keywords do not exist in the message, the match will fail and the message will not appear in search results. If you cannot remove some keywords, select Any Words.
- You can use the asterisk (*) character as a wild card (192.168.2.*). For example, you could enter any partial term or IP address, then enter * to match all terms that have identical beginning characters or numbers.
If you have disabled the SQL database for log storage in System > Config > SQL Database, you can search for IP ranges, including subnets. For example:
- 172.16.1.1/24 or 172.16.1.1/255.255.255.0 matches all IP addresses in the subnet 172.16.1.1/255.255.255.0
- 172.16.1.1-140.255 matches all IP addresses from 172.16.1.1 to 172.16.140.255
If you have disabled the SQL database for log storage in System > Config > SQL Database, you can also search for URLs in multiple ways, using part or all of the URL. SQL-based search does not support searching for part of the URL; use "*/part1/*/part2*/*" instead. Searching for the full URL may not return enough results if the URL contains random substrings, such as session IDs. If your search keywords do not return enough results, try one of the following:
- using Full Search
- shortening your keyword to the smallest necessary substring of the URL
- shortening your keyword to a substring of the URL delimited by slash (/) characters
The search returns results that match all, any, or none of the search terms, according to the option you select in Match. For example, if you enter srcaddr=192.168.* action=login into Keyword(s) and select All Words in Match, log messages for attacks on 192.168.* by W32/Stration.DU@mm do not appear in the search results. Although the first keyword (the IP address) appears in attack log messages, the second keyword does not, so the match fails and the log message is not included in the search results.
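The IP filter and search criteria described in the filtering tips and in the search tips above can be reproduced in code. The following is an added illustration written for this page, not FortiAnalyzer code: it compiles the criteria forms the guide lists (single address, wildcard, range, "or" alternatives, and for the indexed store the subnet and short-form range) into a matcher and applies it to constructed sample log rows, so that the "partial entry matches nothing" behaviour can be observed directly.

```python
"""Matcher for the IP-column filter and search criteria in this section.

Added, stand-alone illustration (not FortiAnalyzer code). Criteria forms:
  single address      2.2.2.2
  wildcard            1.2.2.*
  range               1.2.2.1-1.2.2.100
  alternatives        1.1.1.1 or 2.2.2.*
  subnet              172.16.1.1/24 or 172.16.1.1/255.255.255.0
  short range         172.16.1.1-140.255 (end supplies the trailing octets)
A partial entry such as 192 is not a whole address and therefore matches
nothing, which is the behaviour the filtering tips warn about.
"""
import ipaddress
from typing import Callable, Dict, List

Matcher = Callable[[int], bool]


def _addr(text: str) -> int:
    """Parse a complete dotted-quad address; partial entries raise ValueError."""
    return int(ipaddress.IPv4Address(text.strip()))


def _compile_term(term: str) -> Matcher:
    """Compile one criterion (without 'or') into a predicate over addresses."""
    term = term.strip()
    if "/" in term:                                   # prefix length or dotted mask
        net = ipaddress.IPv4Network(term, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        return lambda a: lo <= a <= hi
    if "-" in term:                                   # full or short-form range
        start, end = (p.strip() for p in term.split("-", 1))
        tail = end.split(".")
        if len(tail) < 4:                             # 172.16.1.1-140.255
            end = ".".join(start.split(".")[: 4 - len(tail)] + tail)
        lo, hi = _addr(start), _addr(end)
        if lo > hi:
            raise ValueError(f"range end precedes start: {term}")
        return lambda a: lo <= a <= hi
    if "*" in term:                                   # per-octet wildcard
        pattern = term.split(".")
        if len(pattern) != 4:
            raise ValueError(f"wildcard needs four octets: {term}")

        def wildcard(a: int) -> bool:
            octets = str(ipaddress.IPv4Address(a)).split(".")
            return all(p == "*" or p == o for p, o in zip(pattern, octets))
        return wildcard
    exact = _addr(term)                               # raises for '192' alone
    return lambda a: a == exact


def compile_filter(criteria: str) -> Matcher:
    """Build a predicate for a whole criterion string; ' or ' joins alternatives."""
    matchers: List[Matcher] = []
    for term in criteria.split(" or "):
        try:
            matchers.append(_compile_term(term))
        except ValueError:
            # A partial or malformed entry cannot match any complete address,
            # so (as the guide notes) it contributes no matches at all.
            matchers.append(lambda a: False)
    return lambda a: any(m(a) for m in matchers)


def filter_logs(logs: List[Dict[str, str]], column: str, criteria: str,
                negate: bool = False) -> List[Dict[str, str]]:
    """Keep the logs whose `column` matches `criteria`; `negate` is the NOT box."""
    match = compile_filter(criteria)
    kept = []
    for log in logs:
        try:
            hit = match(_addr(log[column]))
        except (KeyError, ValueError):             # no such field, or not an address
            hit = False
        if hit != negate:
            kept.append(log)
    return kept


# Constructed sample rows using the src/dst field names shown in this section.
SAMPLE_LOGS = [
    {"type": "traffic", "src": "192.168.2.5", "dst": "172.16.1.50"},
    {"type": "traffic", "src": "2.2.2.2", "dst": "172.16.140.3"},
    {"type": "traffic", "src": "10.0.0.7", "dst": "172.16.141.1"},
    {"type": "event", "src": "1.2.2.40", "dst": "8.8.8.8"},
]


if __name__ == "__main__":
    for crit in ("192", "192.168.2.5", "1.1.1.1 or 2.2.2.*", "1.2.2.1-1.2.2.100"):
        hits = [row["src"] for row in filter_logs(SAMPLE_LOGS, "src", crit)]
        print(f"{crit:24} -> {hits}")
```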
You can view full and/or summary DLP archives. Summary DLP archives contain only a log message consisting of summary metadata. Full DLP archives contain both the summary and a hyperlink to the associated archived file or message. For example, if the FortiAnalyzer unit has a full DLP archive for an email message, the subject log field of email DLP archives contains a link that enables you to view that email message. If the FortiAnalyzer unit has only a DLP archive summary, the subject field does not contain a link. Whether an archive is full or summary depends on:
- whether the device is configured to send full DLP archives
- whether the content satisfies DLP archiving requirements
- whether the FortiAnalyzer unit has the file or message associated with the summary log message (that is, full DLP archives do not appear if you have deleted the associated file or message)
For more information about requirements and configuration of DLP archiving, see the FortiOS v4.0 MR3 Administration Guide.
To view DLP archives, go to Log & Archive > Archive Access. Select a DLP archive type. Each type has similar controls.
The columns that appear reflect the content found in the archive file. You can select an item in a column to display more information.
This page displays the following information:
Show: To view the archives from a single FortiGate unit, select the FortiGate unit from the list. Select All FortiGates to view a combined list of archives from all the configured FortiGate units.
Timeframe: Select a time frame to display only the archived files from the specified period. Select Any time to display all the archived files.
Column Settings: Select to change the columns to view and the order they appear on the page. For more information, see Displaying and arranging log columns on page 180. Note: This option is not available for the Quarantine type.
Printable Version: Select to download an HTML file containing all DLP archive summaries that match the current filters. The HTML file is formatted to be printable. The time required to generate and download large reports varies by the total number of log messages, the complexity of any search criteria, the specificity of your column filters, and the speed of your network connection. Note: This option is not available for the Quarantine type.
Download Current View: Select to download a copy of the archived file with the current filters applied. For example, if you have a filter applied to display only the entries with a particular URL, selecting Download Current View allows you to download a log file with only the entries related to the URL configured in the filter. Note: This option is not available for the Quarantine type.
Delete associated DLP archive files: Select to delete the links of all DLP archive files to the currently selected device, not the file records. Note: This option is not available for IPS Packet, Quarantine, and VoIP archives.
Search: If you use the proprietary indexed file storage system (Disabled is selected under System > Config > SQL Database), enter a keyword to perform a simple search on the available log information, then press Enter to begin the search. If you use an SQL database (Local Database or Remote Database is enabled under System > Config > SQL Database), enter <field_name>=value, such as device_id=FG600B3909601460, to perform a simple search on the available log information, then press Enter to begin the search. Log field names and values can be found in logs in Raw format (see Change Display Options on page 188), such as device_id=FG600B3909601460, log_id=32776, or pri=information. Note: This option is not available for the Quarantine type.
View n per page: Select the number of log entries to display per page.
Current Page: Enter a page number, then press Enter to go to that page.
Change Display Options: Select a view of the archive file. This option is not available for the Quarantine type.
  Resolve Host Name: Select to view the IP alias instead of the client's IP address. You must configure the IP aliases on the FortiAnalyzer unit for this setting to take effect. For more information, see Configuring IP aliases on page 137. This option is not available for the Email type.
  Resolve Service: Select to display the network service names rather than the port numbers, such as HTTP rather than port 80. This option is only available for the IPS Packet type.
  Formatted (the default): Select to display the log files in columnar format.
  Raw: Select to display the log information as it actually appears in the log file.
DLP Archives allow you both to view logged details and to download the archived files. If you want to display only the DLP archive log file, instead go to Log & Archive > Log Browse > Log Browse and select the device's dlog.log file. For more information, see Browsing log files on page 191.
To view the quarantine summary, go to Log & Archive > Archive Access > Quarantine.
Figure 136: Quarantine summary
This page displays the following information:
Delete: Select to remove the selected quarantined file summary of this device and all quarantined files under it from the hard disk.
Details: Select to view the quarantined files for this device. For more information, see To view the details of a quarantined file: on page 189.
Show: Select a device from the list of available devices to display the list of quarantined files for a specific device.
Timeframe: Select a span of time when quarantined files were sent to the FortiAnalyzer unit.
From Device: The FortiGate unit from which the file originated. Select the expand arrow next to a FortiGate unit to view the files sent from that unit.
Type: The type of quarantined file. For example, an infected file is quarantined because a virus is detected. A blocked file is quarantined because the file matches a defined file pattern. The Reason field offers additional detail.
Reason: The reason a file is quarantined. This elaborates on the information in the Type field. For example, if the Type is listed as Infected, the virus name appears in the Reason field.
First Detection Time: The date and time the FortiGate unit quarantined the first instance of this file, in the format yyyy/mm/dd hh:mm:ss.
Last Detection Time: The date and time the FortiGate unit quarantined the last instance of this file, in the format yyyy/mm/dd hh:mm:ss, if multiple copies of this file are quarantined.
Unique Count: The number of quarantined files from this device.
DC: The number of duplicates of the same file that are quarantined. A rapidly increasing number can indicate a virus outbreak.
To view the details of a quarantined file:
1. Go to Log & Archive > Archive Access > Quarantine.
2. Select a file and select Details.
Figure 137: Quarantine window
This page displays the following information:
Delete: Select to remove files whose check boxes are selected. To delete one or more files, select the check box next to their file names, then select Delete. To delete all files, select the column heading check box so that all file check boxes are selected, and then select Delete.
Download: Select to save the file to another location when it is deemed safe for the recipient to collect. You can enter a password to protect the file. Caution: Quarantined files are suspected or known to contain a virus or other network threat. Inspecting quarantined files involves a significant security risk. Use caution when downloading quarantined files.
Details: Select to view the log for this quarantined file. For information on viewing logs, see Viewing log messages on page 175.
Analyze: Select to analyze a .sis file using the SIS Analyzer. This option is only available if there is a quarantined .sis file.
Refresh: Select to update the current page.
From Device: The FortiGate unit from which the file originated.
File Name: The processed file name of the quarantined file.
First Detection Time: The date and time the FortiGate unit quarantined the first instance of this file, in the format yyyy/mm/dd hh:mm:ss.
Last Detection Time: The date and time the FortiGate unit quarantined the last instance of this file, in the format yyyy/mm/dd hh:mm:ss, if multiple copies of this file are quarantined.
Service: The service by which the quarantined file was being transmitted, such as SMTP.
Checksum: A 32-bit checksum the FortiGate unit created from the file.
Type: The type of quarantined file. For example, an infected file is quarantined because a virus is detected. A blocked file is quarantined because the file matches a defined file pattern. The Reason field offers additional detail.
Reason: The reason a file is quarantined. This elaborates on the information in the Type field. For example, if the Type is listed as Infected, the virus name appears in the Reason field.
DC: Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
View n per page: Select the number of quarantine files to display per page.
Current Page: By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 2/10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.
The page displays the following settings:
Delete: Mark the check box of the file whose log messages you want to delete, then select this button.
Display: Mark the check box of the file whose log messages you want to view, then select this button. For more information, see Viewing log messages on page 175.
Import: Select to import log files. You can only import log files in native format. For more information about importing log files, see Importing a log file on page 192.
Download: Mark the check box of the log file that you want to download, select this button, then select a format for saving the log files: text (.txt), comma-separated value (.csv), or standard .log (native). You can also select to compress the log files before saving them. For more information, see Downloading a log file on page 193.
Device Type: Select the type of devices whose logs you want to view.
Show Log File Names: Enable to display the file names of log files in the Log Files column when their log type is expanded.
Log Files: A list of available log files for each device or device group. Select the group name to expand the list of devices within the group, and to view their log files. The current, or active, log file appears as well as rolled log files. Rolled log files include a number in the file name, such as vlog.1267852112.log. If you configure the FortiAnalyzer unit to delete the original log files after uploading rolled logs to an FTP server, only the current log will exist.
#: The number of devices in a group, and the number of log files for a device.
From: The start time when the log file was generated.
To: The end time when the log file was generated.
Size (bytes): The size of the log file.
3. Expand the group name or device name to view the list of available log files under each log type.
4. Select a log file in native format and then select Import.
Figure 139: Import log file window
5. In Device, select which device in the device list the imported log file belongs to, or select Take From Imported File to read the device ID from the log file. If you select Take From Imported File, your log file must contain a device_id field in its log messages.
6. In Filename, enter the path and file name of the log file, or select Browse.
7. Select OK. A message appears, stating that the upload is beginning, but will be cancelled if you leave the page.
8. Select OK. Upload time varies by the size of the file and the speed of the connection. After the log file successfully uploads, the FortiAnalyzer unit inspects the log file. If the device_id field in the uploaded log file does not match the device, the import will fail. Select Return to attempt another import. If you selected Take From Imported File, and the FortiAnalyzer unit's device list does not currently contain that device, a message appears after the upload. Select OK to import the log file and automatically add the device to the device list, or select Cancel.
6. Select from the following download options:
   Log File Format: Downloads the log in text (.txt), comma-separated value (.csv), or standard .log (native) format. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.
   Compress with gzip: Compress the .txt, .log, or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression results in a download with the file extension .log.gz.
7. Select OK.
8. If prompted by your web browser, select a location to save the file, or open it without saving.
To download a partial log file:
1. Go to Log & Archive > Log Browse > Log Browse.
2. Select the Device Type.
3. Expand the group name or device name to view the list of available log files under each log type.
4. Select the specific log file (wlog.log, elog.log, etc.) that you want to download.
5. Select Display.
6. Select a filter icon to restrict the current view to only items which match your criteria, then select OK. Filtered columns have a green filter icon, and Download Current View appears next to Printable Version. For more information about filtering log views, see Filtering logs on page 181.
7. Select Download Current View. The Download Log File window opens.
8. Select from the following download options:
   Log File Format: Downloads the log in text (.txt), comma-separated value (.csv), or standard .log (native) format. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.
   Compress with gzip: Compress the .txt, .log, or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression results in a download with the file extension .log.gz.
9. Select OK.
10. If prompted by your web browser, select a location to save the file, or open it without saving.
You can also configure rolling and uploading settings for the FortiAnalyzer unit's own log files. For details, see the FortiAnalyzer v4.0 MR3 CLI Reference.
As the FortiAnalyzer unit receives new log items, it performs the following tasks: verifies whether the log file has exceeded its file size limit checks to see if it is time to roll the log file if the file size is not exceeded. Configure the time to be either a daily or weekly occurrence, and when the roll occurs. When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog,1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file. Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log. If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the Web-based Manager, they are in the following format: FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload. To enable and configure log rolling or uploading, go to Log & Archive > Options > Log File Options.
Configure the following settings:
Log file should not exceed: Enter the maximum size of each device log file.
Log file should be rolled: Set the time of day when the FortiAnalyzer unit renames the current log file and starts a new active log file.
  Optional: Roll log files only when the log file reaches the maximum file size, regardless of time interval.
  Daily: Roll log files daily, even if the log file has not yet reached the maximum file size.
  Weekly: Roll log files weekly, even if the log file has not yet reached the maximum file size.
Enable log uploading: Select to upload log files to a server when a log file rolls.
Server type: Select the protocol to use when uploading to a server:
  File Transfer Protocol (FTP)
  Secure File Transfer Protocol (SFTP)
  Secure Copy Protocol (SCP)
  FTP sends both the credentials and the log contents in cleartext; where the upload server supports it, use SFTP or SCP so that the logs, and the account used to write them, are protected in transit.
Server IP address: Enter the IP address of the log upload server.
Username: Enter the user name required to connect to the upload server.
Password: Enter the password required to connect to the upload server.
Confirm Password: Re-enter the password to verify correct entry.
Directory: Enter a location on the upload server where the log file should be saved.
Upload schedule: Select when the FortiAnalyzer unit should upload files to the server.
  When rolled: Uploads logs whenever the log file is rolled, based on Log file should be rolled.
  Daily at: Uploads logs at the configured time, regardless of when or at what size the file rolls according to Log file should be rolled.
Uploaded log format: Select a format for uploading the log files: text (.txt), comma-separated value (.csv), or standard .log (native) file.
Compress uploaded log files: Select to compress the log files before uploading to the server.
Delete files after uploading: Select to remove the log file from the FortiAnalyzer hard disk after the FortiAnalyzer unit completes the upload.
Using eDiscovery
eDiscovery allows you to search the bulk of email archived from FortiGate units, extract and download the search results, and share them with a third party if required, for example in a lawsuit or a regulatory action. To support a claim that shared data is an exact copy of the original, the FortiAnalyzer unit writes local logs recording when each search was executed, when the search results were downloaded, and when they were deleted. In addition, the FortiAnalyzer unit generates SHA1 and MD5 digests for every search result. When a search result is downloaded to an external device, the SHA1 or MD5 digest calculated on the downloaded file must match the digest generated by the FortiAnalyzer unit to show that the search result has not been altered since leaving the FortiAnalyzer unit. Record the digests from the FortiAnalyzer unit itself at the time of download and keep them with the chain-of-custody record; a digest that travels only with the downloaded file proves nothing on its own. Note also that neither MD5 nor SHA1 is collision resistant, so the digests detect modification of the file after download but are not a substitute for a digital signature. Log & Archive > eDiscovery > Folders displays the list of eDiscovery folders containing search results.
Figure 142: eDiscovery folders list page
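The check described above, as an added example rather than anything shipped with the FortiAnalyzer unit: the Python below computes the SHA1 and MD5 digests of a downloaded search result in a single pass and compares both to the values recorded from the eDiscovery task page. The expected digests are supplied by the caller; the sample data, the recorded digests and the tampering step in demo() are constructed for this example.

```python
import hashlib
import hmac
import io
import os
import tempfile

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large result archives are not loaded whole


def digest_stream(fp):
    """Return (sha1_hex, md5_hex) of a binary stream, computed in one pass."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    for chunk in iter(lambda: fp.read(CHUNK_SIZE), b""):
        sha1.update(chunk)
        md5.update(chunk)
    return sha1.hexdigest(), md5.hexdigest()


def digest_bytes(data):
    """Convenience wrapper for in-memory data."""
    return digest_stream(io.BytesIO(data))


def verify_download(path, expected_sha1, expected_md5):
    """Compare a downloaded file against the digests shown on the eDiscovery task page.

    Both digests must match: tampering that preserves one of them still has
    to preserve the other. compare_digest does not short-circuit on the first
    differing character, so the comparison time does not leak how close a
    guess was.
    """
    with open(path, "rb") as fp:
        sha1, md5 = digest_stream(fp)
    sha1_ok = hmac.compare_digest(sha1, expected_sha1.strip().lower())
    md5_ok = hmac.compare_digest(md5, expected_md5.strip().lower())
    return {"sha1": sha1, "md5": md5, "sha1_ok": sha1_ok, "md5_ok": md5_ok,
            "match": sha1_ok and md5_ok}


def demo():
    """Constructed walk-through: verify an intact copy, then a modified one.

    Returns (intact_match, tampered_match).
    """
    data = b"abc"  # stands in for a downloaded search-result archive
    # Values that would have been recorded from the FortiAnalyzer task page
    recorded_sha1 = "a9993e364706816aba3e25717850c26c9cd0d89d"
    recorded_md5 = "900150983cd24fb0d6963f7d28e17f72"
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as fp:
            fp.write(data)
        intact = verify_download(path, recorded_sha1, recorded_md5)
        with open(path, "ab") as fp:  # simulate a single appended byte
            fp.write(b"\n")
        tampered = verify_download(path, recorded_sha1, recorded_md5)
    finally:
        os.unlink(path)
    return intact["match"], tampered["match"]


if __name__ == "__main__":
    print("intact match=%s, tampered match=%s" % demo())
```

Run the verification on the machine that received the download, before the file is copied anywhere else, and store the returned digests alongside the FortiAnalyzer unit's own download log entry so the two can be compared later.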
This page displays the following information:
Download: Select to save the selected folder and the search results it contains. The saved information can be shared with a third party.
Run Now: Select to refresh the search tasks in a selected folder. This updates the email lists in the search tasks.
Clone: Select to duplicate a folder to use as a basis for creating a new one.
Folder Name: The names of the eDiscovery folders that you create. For more information, see To create eDiscovery folders: on page 199. Select the arrow beside a folder name to display the task names of the search results saved in the folder. For more information, see Task Name on page 200. Select a task name to view the email list. See To view a search task: on page 200.
Creation Date: The date and time when the folder and search tasks were created.
Search Results: Each eDiscovery folder displays the number of search results contained in it. Each search task displays the number of email messages extracted based on the search criteria. See To search email: on page 199.
Size (bytes): The size of the folders and search tasks. This column also displays the status of search results:
  Completed: Search is completed and results are available for viewing.
  Incomplete: Search was interrupted by a system shutdown.
  Running: Search is in progress.
  Pending: Search is queued and will run once other searches are completed.
  Quota Exceeded: Search was stopped because the disk quota has been exceeded.

To use eDiscovery, follow these general steps:
1. Set the disk quota for eDiscovery results out of the disk space currently reserved for the system (that is, space not allocated to devices), since the search results may take a considerable amount of disk space. See To set the eDiscovery disk quota: on page 199.
2. Create folders to store search results. Typically, you store search results that are part of a single investigation under one folder. See To create eDiscovery folders: on page 199.
3. Search email based on the search criteria and save the results to a folder where you can view, download, delete, or clone the results. See To search email: on page 199.
To set the eDiscovery disk quota:
1. Go to Log & Archive > eDiscovery > Config.
Figure 143: eDiscovery Config
2. Enter the maximum amount of disk space for storing eDiscovery search results. The used and available disk space are also displayed. The size of the space reserved for eDiscovery varies with the total disk space. You cannot set the disk quota below the size of the existing eDiscovery results, and eDiscovery results are not saved if they would exceed the disk quota.
3. Select Apply.

To create eDiscovery folders:
1. Go to Log & Archive > eDiscovery > Folders.
2. Select Create New.
Figure 144: New eDiscovery folder window
3. Enter a folder name.
4. Select OK.

To search email:
1. Go to Log & Archive > eDiscovery > Search.
Figure 145: eDiscovery search window
2. Complete the following search criteria:
Device: Select the FortiGate unit whose archived email you want to search.
Timeframe: Select the time period for the email that you want to search. If you select Specify, enter the start and end time.
From: Enter the sender's email address that you want to search. This can be a full or partial email address.
To: Enter all or part of the recipient's email address. For multiple recipients, enter any one of the recipients, or enter multiple recipient addresses in the order that they appear in the email address field, separated by a comma (,) and a space, such as: user1@example.com, user2@example.com
Subject: Enter all or part of the subject line of the email message.
Message Contains: Enter all or part of a word or phrase in the email message.
Save to Folder: If you want to save the search results, select a folder. If you do not want to save the search results, select Don't Save. If you want to create a new folder for the search results, select Create New, enter a folder name and select OK.
Task Name: Enter a unique name for this search task. The name helps you identify a particular search result in a folder. For more information, see Folder Name on page 198. This field appears only if you selected a folder in the Save to Folder field.
Description: Enter a note to describe the task. For more information, see Description on page 201. This field appears only if you selected a folder in the Save to Folder field.
3. Do one of the following:
- If you selected Don't Save in the Save to Folder field, select Search. The search results appear.
- If you selected a folder in the Save to Folder field, select Search & Save. The search results are saved to the selected folder.

To view a search task:
1. Go to Log & Archive > eDiscovery > Folders.
2. Select the arrow beside a folder that contains the task you want to view.
3. Left-select the task name you want to view. The task's email list displays.
Selecting an item displays its detailed information.
Task Name: The name of this search task. For more information, see Task Name on page 200.
Description: The note for this task. For more information, see Description on page 200.
Device: The serial number(s) of the FortiGate unit(s) whose archived email you have searched. For more information, see Device on page 200.
Creation Date: The date and time when the search task was created.
SHA1: The SHA1 digest for this search task. When a search result is downloaded to an external device, the SHA1 digest calculated on the downloaded file must match this digest to show that the search result was not altered since leaving the FortiAnalyzer unit.
MD5: The MD5 digest for this search task. When a search result is downloaded to an external device, the MD5 digest calculated on the downloaded file must match this digest to show that the search result was not altered since leaving the FortiAnalyzer unit.
Date: The date and time that the FortiAnalyzer unit received the email from the FortiGate unit.
From: The sender's email address that was searched. This can be a full or partial email address.
To: The recipient's email address that was searched. This can be a full or partial email address.
Subject: The subject line of an email. The email list can display full and/or summary email archives. Summary email archives contain only email messages with summary metadata. Full email archives contain both the summary and a hyperlink to the associated archived message. For example, if the FortiAnalyzer unit has a full email archive for an email message, the subject column of the email contains a link that enables you to view the email message. If the FortiAnalyzer unit has only an email archive summary, the subject column does not contain a link. Whether an archive is full or summary depends on:
- whether the FortiGate unit is configured to send full email archives
- whether the content satisfies the email archiving requirements
- whether the FortiAnalyzer unit still has the file or message associated with the summary (full email archives do not appear if you have deleted the associated message)
For more information about requirements and configuration of DLP archiving, see the FortiGate Administration Guide.
Size: The size of the email message.
Attachment: If an email has an attachment, this icon appears.
Reports
FortiAnalyzer units can analyze information collected from the log files of connected FortiGate, FortiMail, and FortiWeb devices, FortiClient End Point agents, and syslog-compatible devices, and present it in tabular and graphical reports. These reports provide a quick and detailed analysis of activity on your networks. You can create reports based on logs from Structured Query Language (SQL) databases or from the proprietary indexer file system.
By using reports, you can:
- minimize the effort required to identify attack patterns when customizing policies
- monitor Internet surfing patterns for compliance with company policies
- identify your web site visitors for potential customers.
FortiAnalyzer reports are also flexible, offering system administrators the choice of compiling a report layout based on pre-defined variables or on specific information. This chapter includes the following topics:
SQL based reports
Indexer based reports
SQL Database based reports support FortiGate, FortiClient, FortiMail, FortiWeb and syslog compatible devices.
FortiGate, when referenced in the Web-based Manager and supporting documentation, includes FortiGate, FortiWifi, FortiGate-VM, FortiGate-One and FortiCarrier devices.
This section includes the following topics:
Enable/disable SQL database
Enable/disable remote SQL database
Left & right click menu tree
Default device reports
Email/upload remote output
Predefined reports
Custom reports
Advanced report settings
View report layout
Enable/disable SQL database
Configure the following settings:
Location:
  Disabled: Select Disabled when logging to the proprietary indexer based database.
  Local Database: Select Local Database when logging to a local SQL database.
  Remote Database: Select Remote Database when logging to a remote SQL database. When you select this option, a drop-down menu appears that allows you to configure the database type, database name, user name and password.
Start Time: Left-select the calendar icon to set the log start date and time.
Log Type: Select the required log types from the list.

Enable/disable remote SQL database
Configure the following settings:
Location:
  Disabled: Select Disabled when logging to the proprietary indexer based database.
  Local Database: Select Local Database when logging to a local SQL database.
  Remote Database: Select Remote Database when logging to a remote SQL database. When you select this option, a drop-down menu appears that allows you to configure the database type, database name, user name and password.
Start Time: Left-select the calendar icon to set the log start date and time.
Type: Enter the server type. The default server type is MySQL.
Server: Enter the server name.
Database: Enter the database name.
Username: Enter the server user name.
Password: Enter the server password.
Log Type: Select the required log types from the list.
Page 206 FortiAnalyzer v4.3.6 Administration Guide
Left & right click menu tree
Left-click and right-click actions for each item in the Report menu tree:
Device list
  Left-click: Show the device list in the left pane. You can expand/collapse the list and click to jump to devices.
  Right-click: N/A
Device report
  Left-click: Show the cover page, including a hyperlinked table of contents, for the device report.
  Right-click: Edit the report options; Create a new report section; Copy the report
Report section
  Left-click: Show the available report sections, or show the selected report section.
  Right-click: Rename the report section; Delete the report section; Create a new report section; Move the report section up or down in the report
Predefined reports
  Left-click: Show the predefined report list in the left pane. You can expand/collapse the report categories.
  Right-click: N/A
Custom reports
  Left-click: Show the custom report types list in the left pane.
  Right-click: N/A
Default device reports
Configure the following settings:
Edit: Select to edit the report layout.
Run: Select to generate a report immediately based on the current report layout.
Historical Reports: Select to display all the reports generated based on the current report layout. You can select a report to view the detailed information.
Right-click menu:
  New: Select New > Section to add a new section to the predefined report layout. See Add a report section on page 211 for information on configuring a new report section.
  Edit: Select to edit the Report Settings. See Report settings on page 210 for information on configuring report settings.
  Copy: Select to copy a predefined report layout. You can paste this report layout under the Custom Reports > Unclassified Reports folder.
Report settings
Go to Report > Default Device Reports, right-click on the device serial number and select Edit to display the Report Settings window. Report settings allow you to configure the Report Schedule, Report Filters, and Advanced Settings options for the device report (see Figure 153). Configure the below variables and select OK to save the report layout changes. Figure 153:Report options window
Configure the following settings:
Title: The default title is Default Report for the selected serial number. This field can be customized.
Description: Optional description field.
Report Schedule: Specify the frequency of report generation, including the start and end date and time.
Email/Upload: Mark the check box if you want to apply a report output template from the drop-down menu.
Print Table of Contents: Select if you want a table of contents for the report.
Print Device List: Select the way to display the devices in a report. The result can only be seen in PDF reports.
  Compact: Display a compact comma-separated list of device names included in the report.
  Count: Display only the number of devices included in the report.
  Detailed: Display a table of device information for each device included in the report.
Report Filters
Device: The default value is the serial number of the device.
Time Period: The default value is Last 7 days. Use the drop-down menu to select a pre-configured time period, or select Specify some other date and time range to select a specific time period.
Additional options specify VDOM, User, Group, Hostname, Source Interface and Destination Interface.
Advanced Settings
Output: Select MHT, MS Word, Text or XML.
Language: The default language is English. Use the drop-down menu to select French, Japanese, Korean, Portuguese, Simplified Chinese, Spanish, or Traditional Chinese.
Per-Device Reports
Add a report section
Configure the following settings:
Text
  Heading 1: Left-click the Heading 1 (H1) icon and drag and drop it into the body of the report to add a new heading to the section. Enter the heading that you would like for the section.
  Heading 2: Left-click the Heading 2 (H2) icon and drag and drop it into the body of the report to add a new heading to the section. Enter the heading that you would like for the section.
  Text: Left-click the Text (T) icon and drag and drop it into the header or body of the report to add new text to the section. Enter the text that you would like for the section.
Chart
  Bar Chart: Drag and drop the bar chart icon into the body of the report to add a new bar chart to the section. Configure the bar chart variables in the pop-up window: select the chart type and one or more variables, then fill out the required information and select OK.
  Pie Chart: Drag and drop the pie chart icon into the body of the report to add a new pie chart to the section. Configure the pie chart variables in the pop-up window: select the chart type and one or more variables, then fill out the required information and select OK.
  Table Chart: Drag and drop the table chart icon into the body of the report to add a new table chart to the section. Configure the table chart variables in the pop-up window: select the chart type and one or more variables, then fill out the required information and select OK.
Other
  Image: Drag and drop the image icon into the body of the report section to add a new image to the section. Select an image from the database, or select Upload and browse your local hard drive to upload a custom image to the section. Select OK to import the image into the report section.
  Page Break: Drag and drop the page break icon into the body of the report section to insert a page break.
Email/upload remote output
Configure the following settings:
Name: Enter a name for the new remote output.
Description: Enter a description for the remote output. This field is optional.
Output Format: Select the output format for the report. You can select more than one output format. The options include HTML, PDF, MS Word, Text, MIME HTML (MHT), Extensible Markup Language (XML), and Connectwise.
Send Report by Mail: Select Send Report by Mail and/or Upload Report to Server and configure the variables in the drop-down menus.
Compress Report Files: Select to compress the report before sending.
From: Specify an email address that will be used in the From field of the email.
Server: Select a server from the drop-down list, or select Create New to configure a new mail server.
SMTP Server: Enter the name of the SMTP server.
Enable Authentication: Select to enable authentication for the new server configuration.
Email Account: Enter the email account for the mail server.
Password: Enter the password for the mail server.
Recipient: Specify an email address that will be used in the To field of the email, then select Add. You can specify multiple recipient emails.
Add: Add the recipient to the To list.
Delete: Select an email defined under Recipient and select Delete to remove it from the recipient list.
To: The recipients who will receive the report.
Attachment Name: Optionally enter a name for the attachment, or select to use the default report name.
Subject: Optionally enter a subject for the email containing the report.
Body: Optionally enter body text for the email containing the report.
Upload Report to Server: Select Send Report by Mail and/or Upload Report to Server and configure the variables in the drop-down menus.
Server type: Select the server type. The options include the following:
  File Transfer Protocol (FTP)
  Secure File Transfer Protocol (SFTP)
  Secure Copy (SCP)
IP address: Enter the IP address of the server.
Username: Enter the server username.
Password: Enter the server password.
Directory: Specify the directory to which you want to upload the file.
Delete file(s) after uploading: Enable to delete the report file from the FortiAnalyzer unit upon successful upload to the server.
After configuring the remote output to email the report and/or upload it to a server, you can enable this feature in report settings. See Report settings on page 210 for more information.
Figure 157: Report settings
Predefined reports
The Predefined Reports section includes a set of report layouts. Go to Report > Predefined Reports to view, edit, and run these reports. Predefined reports can be edited, but not deleted. To add a new section to a report layout, see Add a section to the default device report on page 209. The predefined report layout includes the following reports:
Overview
Firewall_and_Bandwidth_Usage_Report
Threat_and_Malware_Report
Web_Filtering_and_Usage_Report
Application_Usage_Report
Virtual_Private_Networking_Usage_Report
Email_Filtering_and_Usage_Report
Wireless_PCI_Report
Vulnerability_PCI_Report
User_Activity_Summary
For the User_Activity_Summary predefined report, the User filter must be configured under Report Options.
Once a predefined report is edited, you cannot restore the report layout to its default settings. Fortinet recommends using the right-click menu options to Copy the predefined report layout and Paste it under Custom Reports > Unclassified Reports, then editing and customizing the copy.
This page displays the following information:
Edit: Select to edit the report layout.
Run: Select to generate a report immediately based on the current report layout.
Historical Reports: Select to display all the reports generated based on the current report layout. You can select a report to view the detailed information.
Right-click menu:
  New: Select New > Section to add a new section to the predefined report layout. See Add a report section on page 211 for information on configuring a new report section.
  Edit: Select to edit the Report Settings. See Report settings on page 210 for information on configuring report settings.
  Copy: Select to copy a predefined report layout. You can paste this report layout under the Custom Reports > Unclassified Reports folder.
Custom reports
The custom reports section includes unclassified and indexer based report classifications. Go to Report > Custom Reports to view, edit, and run these reports.
Figure 160: Custom reports window
Configure the following settings:
Edit: Select to edit the report layout.
Run: Select to generate a report immediately based on the current report layout.
Historical Reports: Select to display all the reports generated based on the current report layout. You can select a report to view the detailed information.
Pre-defined charts
Go to Report > Advanced > Chart to view the list of both pre-defined and customized report chart templates. The FortiAnalyzer unit provides pre-defined chart templates for each supported device: FortiClient, FortiGate, FortiMail, and FortiWeb. Figure 163:Pre-defined charts window
Configure the following settings:
Pre-defined charts:
  FortiClient: AntiVirus, EmailFilter, Traffic, WebFilter.
  FortiGate: AntiVirus, Application Control, Attack, DLP, DLP Archive, EmailFilter, Event, Network Scan, Traffic, WebFilter.
  FortiMail: History.
  FortiWeb: Attack, Event, Traffic.
Create New: Select to create a new chart template.
Edit: Select to edit a custom chart. Pre-defined charts cannot be edited.
Delete: Select to delete a custom chart. Pre-defined charts cannot be deleted.
Clone: Create a duplicate of a report chart template to use as a basis for creating a new one. The cloned template has the same name with Copy_<sequential-number> appended to the end.
Favorite: Select Add to Favorite to add one or more selected report chart templates to your favorite list; the star icon (Toggle Favorite State) turns orange. Select Remove from Favorite to remove one or more selected report chart templates from your favorite list; the star icon turns gray. Favorite templates can be used to generate reports for quick and easy access.
Search: Enter a keyword and press Enter to search for charts.
Configure the following settings for a new chart template:
Name: Enter the name for the chart template.
Comments: Enter any comments or notes about the chart template.
Category: Select the log category for the chart template from the drop-down list. The following log types are available: AntiVirus, Application Control, Data Leak (DLP), Email Filter, Event, FortiMail, FortiWeb, IPS (Attack), Network Monitor, Network Scan, Traffic, VPN, VoIP, Web Filter.
Dataset: Select the dataset for the selected category. FortiAnalyzer datasets are collections of the log data from the devices monitored by the FortiAnalyzer unit; reports are generated from the datasets. Depending on the dataset selection, the values in the Field Output and Data Bindings fields may vary.
Field Output: Depending on the dataset selection, the values of this option may vary. These values are used for labelling the report graphs, such as the X or Y axis in a bar graph, or the column or row title in a table.
Graph Type: Select the graph type from the drop-down menu. The available graph types are bar, pie, and table.
Resolve Host Name: Enable this option to display the device's host name from an IP alias or reverse DNS lookup, rather than an IP address.
Favorite: Enable to add this chart template to the favorite list.
Data Binding, Bar: Depending on your selection in the Graph Type field, the values in this section may vary.
  X-axis Data Binding:
    Data Binding: Select a value for the X-axis of the bar graph. The values in this field change depending on your dataset selection.
    Only Show First n Items: Select the check box and enter a number to show the top-ranked log information, such as the top viruses, in the report chart. The default number is six. The rest of the log information is bundled as Others in the chart.
    Overwrite Label: Mark the check box to modify the default label for the X-axis, if required.
  Y-axis Data Binding:
    Data Binding: Select a value for the Y-axis of the bar graph. The values in this field change depending on your dataset selection.
    Overwrite Label: Mark the check box to modify the default label for the Y-axis, if required.
    Group By: Mark the check box to group the log information according to the dataset field output. This option appears only when a dataset's output contains more than three fields.
    Only Show First n Items: Select the check box and enter a number to show the top-ranked log information in the report chart. The default number is three. The rest of the log information is bundled as Others in the chart. This option appears only when a dataset's output contains more than three fields.
Data Binding, Pie: Depending on your selection in the Graph Type field, the values in this section may vary.
Data Binding: Select a value to show the size of each segment of log information in the pie chart. The values in this field change depending on your dataset selection. For example, in a pie chart called Top Services by Volume, one of the top services is SMTP, and its percentage in the pie is 8.81; this percentage is generated by the selection in this field. Enable Only Show First n Items (Bundle rest into Others) and enter a number to show the top-ranked log information, such as the top viruses, in the report chart. The default number is six. The rest of the log information is bundled as Others in the chart.
Label Binding: Select a value to label each segment of log information in the pie chart. The values in this field change depending on your dataset selection. For example, in a pie chart called Top Services by Volume, one of the top services is labeled SMTP; this label is generated by the selection in this field.
Data Binding, Table: Depending on your selection in the Graph Type field, the values in this section may vary. Select Ranked to show the log information in ranked format, such as top x, or top y of top x, in the table. Select Raw to show the log information as an audit report which displays the results only, such as all blocked sites and all sites visited.
Add Column: Select to add a column to the table. This option only appears after you select the Remove the column icon. The data in the table is displayed in raw format after you select the Remove the column icon.
Field Output: Select a value to show as the column title for the log information in the table. The values in these fields change depending on your dataset selection.
Overwrite Label: Mark the check box to modify the Field Output value, if required.
Only Show First n Items: Mark the check box and enter a number to show the top-ranked log information, such as the top viruses, in the table. The default number is three. The rest of the log information is bundled as Others in the table. This option is only available if you select to display data in ranked format.
Report datasets
FortiAnalyzer datasets are the collection of log files from the devices monitored by the FortiAnalyzer unit. Reports are generated based on the datasets. The FortiAnalyzer unit provides pre-defined datasets for each supported device type. You can also create new datasets by writing your own SQL queries.
Pre-defined datasets
Go to Report > Advanced > Dataset to view the pre-defined datasets for each supported device type: FortiClient, FortiGate, FortiMail, and FortiWeb. Figure 166:Pre-defined datasets
Pre-defined datasets:
  FortiClient: AntiVirus, EmailFilter, Traffic, WebFilter.
  FortiGate: AntiVirus, Application Control, Attack, DLP, DLP Archive, EmailFilter, Event, Network Scan, Traffic, WebFilter.
  FortiMail: History.
  FortiWeb: Attack, Event, Traffic.

Custom datasets
Go to Report > Advanced > Dataset and select Create New to create a custom dataset for a supported device type or for local logs (see Figure 167 and Figure 168). Configure the following variables and select OK to save the new dataset.
Configure the following settings:
Name: Enter the name for the custom dataset.
Device Type: Select FortiGate, FortiClient, FortiMail, FortiWeb, or Local Logs from the drop-down list.
Log Type: Select the type of logs to be used for the dataset. $log is used in the SQL query to represent the log type you select. The log type options include: Attack, DLP Archive, DLP, Event, Generic, History, Network Scan, Application Control, Email Filter, Traffic, AntiVirus, Web Filter.
Enable Variables for Dataset: Select to add variables, included in $filter, that a chart can use to filter the dataset. If you add a variable to a dataset and then choose a chart that contains this dataset, the name of the variable appears; select the variable name and enter a value to filter the dataset. For example, if a variable named username appears and you enter John as the value, the report chart shows John's information based on the filtered dataset.
Variable: Select a variable from the list. The variables are the same as the log field names.
Variable Name: Enter a name for the selected variable.
Add: Select to add the variable to the dataset.
SQL Query: Enter the SQL query that retrieves the log data you want from the SQL database. Use $log in place of the table name and $filter in the WHERE clause so that the device/VDOM filter and any variable values are applied.
Test: Select to test whether the SQL query runs successfully.
Configure the following settings:
Device: Select a FortiGate unit, FortiMail unit, FortiWeb unit, or FortiClient installation against which to run the SQL query.
VDOM: If you want to apply the SQL query to a FortiGate VDOM, enter the name of the VDOM. Then use $filter in the WHERE clause of the SQL query to limit the results to the VDOM you specify.
Time Period: Select the time period from the drop-down menu.
SQL Query: If necessary, modify the SQL query to retrieve the log data you want from the SQL database.
Run: Select to execute the SQL query. If the query is not successful, check the SQL query you entered and make sure that the SQL database is working properly on the FortiAnalyzer unit.
Clear: Select to remove the displayed query results.
Save Options: Select to save the SQL query console configuration to the dataset configuration. The Device and VDOM settings are not saved to the dataset configuration.
Close: Select to return to the dataset configuration page.
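An added example, not part of the guide or of the FortiAnalyzer software, that shows what the $log and $filter placeholders in a custom dataset resolve to when the query is tested, and how a chart's Only Show First n Items option then bundles the remaining rows into Others (the Top Services by Volume pie chart described under Pre-defined charts). The unit stores logs in MySQL; this example runs the same dataset text against an in-memory SQLite table so that it works offline. The table columns (devid, vd, srcip, service, sentbyte, rcvdbyte) are assumed to mirror FortiGate traffic log fields, and the rows are constructed. Filter values are bound as query parameters rather than pasted into the SQL text, which is how variable values taken from the report UI should be applied.

```python
import re
import sqlite3

# Constructed FortiGate traffic-log rows (assumed column names: devid, vd,
# srcip, service, sentbyte, rcvdbyte).
SAMPLE_TLOG = [
    ("FG3K6A3406600001", "root", "10.0.0.5", "HTTP", 5000, 120000),
    ("FG3K6A3406600001", "root", "10.0.0.5", "SMTP", 30000, 2000),
    ("FG3K6A3406600001", "root", "10.0.0.9", "DNS", 400, 900),
    ("FG3K6A3406600001", "root", "10.0.0.7", "HTTPS", 9000, 300000),
    ("FG3K6A3406600001", "root", "10.0.0.7", "SSH", 70000, 8000),
    ("FG3K6A3406600001", "dmz", "192.168.1.2", "HTTP", 1000, 500000),
    ("FG50B0000000002", "root", "172.16.1.1", "FTP", 800000, 1000),
]

# Dataset text as it would be entered in the SQL Query field: $log stands for
# the selected log type's table, $filter for the device/VDOM/variable
# conditions the report supplies at run time.
TOP_SERVICES_SQL = """
SELECT service, SUM(sentbyte + rcvdbyte) AS volume
FROM $log
WHERE $filter
GROUP BY service
ORDER BY volume DESC
"""

IDENT_RE = re.compile(r"^[a-z][a-z0-9_]*$")


def render_dataset(sql, log_table, filters):
    """Resolve $log and $filter.

    Identifiers (table and field names) cannot be bound as parameters, so they
    are whitelisted by pattern instead; the filter values are returned
    separately for the driver to bind, which keeps a value such as
    "root' OR '1'='1" from changing the query.
    """
    if not IDENT_RE.match(log_table):
        raise ValueError("bad log table name: %r" % log_table)
    for field in filters:
        if not IDENT_RE.match(field):
            raise ValueError("bad filter field: %r" % field)
    where = " AND ".join("%s = ?" % f for f in filters) or "1 = 1"
    return sql.replace("$log", log_table).replace("$filter", where), list(filters.values())


def run_chart(sql, log_table, filters, top_n=3, rows=SAMPLE_TLOG):
    """Run the dataset, then apply 'Only Show First n Items (Bundle rest into Others)'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tlog (devid TEXT, vd TEXT, srcip TEXT, "
                 "service TEXT, sentbyte INTEGER, rcvdbyte INTEGER)")
    conn.executemany("INSERT INTO tlog VALUES (?, ?, ?, ?, ?, ?)", rows)
    query, params = render_dataset(sql, log_table, filters)
    result = [(label, int(value)) for label, value in conn.execute(query, params)]
    conn.close()
    chart = result[:top_n]
    rest = sum(v for _, v in result[top_n:])
    if rest:
        chart.append(("Others", rest))
    return chart


def with_percentages(chart):
    """Add the per-segment percentage a pie chart would show (two decimals)."""
    total = sum(v for _, v in chart)
    return [(label, v, round(100.0 * v / total, 2)) for label, v in chart]


if __name__ == "__main__":
    chart = run_chart(TOP_SERVICES_SQL, "tlog",
                      {"devid": "FG3K6A3406600001", "vd": "root"}, top_n=3)
    for label, volume, pct in with_percentages(chart):
        print("%-7s %8d bytes  %5.2f%%" % (label, volume, pct))
```

With the device and VDOM filter applied, the dataset returns five services and the chart keeps the top three (HTTPS, HTTP, SSH) and folds SMTP and DNS into Others; with no filter at all, $filter becomes a true condition and every device's rows are counted, which is the behaviour to expect from a dataset whose variables were left empty.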
Both format and string files use Unix-style line endings (LF characters, not CR-LF).
See Configuring report language on page 252 for more information about configuring the report language. Go to Report > Advanced > Language to view and edit report languages. You can also download the language format file and string file.
Configure the following settings:
Pre-configured languages: The pre-configured languages are English (the default report language), French, Japanese, Korean, Portuguese, Simplified Chinese, Spanish, and Traditional Chinese.

Edit a report language: To edit a report language entry, go to Report > Advanced > Language and select a language entry from the list (Figure 172). Select the Edit icon, configure the following variables, and select OK to save the language entry.

Figure 172: Edit report language window
Configure the following settings:
Language: The language field displays the language entry that you have selected.
Description: Enter a description for the report language entry.
Format File: If you changed the encoding of the string file, go to Download > Download Format File and open the format file using a plain text editor that supports Unix-style line endings, such as jEdit, and edit the encoding and character set values for each file format. If you have switched between a single-byte and a double-byte encoding, also set the doublebytes value to true (1) or false (0). For specifications on how to indicate encoding and character set, refer to each file format's specification: W3C HTML 4.01 Specification; Adobe PDF Reference; Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8. Save the format file.
String File: Open the string file using a plain text editor that supports Unix-style line endings and the string file's encoding, such as jEdit. Verify that the correct encoding has been detected or selected. Locate and edit the text that you want to customize. Do not change or remove keys. Modifiable text is located to the right of the equal symbol (=) in each line. Save the string file.
Font File (Optional): If you want to customize the font of report graph titles and Y-axis labels, select Browse and locate your font. If your font is located in the system font folder, you may need to first copy the font from the system font folder to another location, such as a temporary folder or your desktop, to be able to select the font for upload.
Some font licenses prohibit copying or simultaneous use on multiple hosts or by multiple users. Verify your font's license.
Add a report language: To add a report language, go to Report > Advanced > Language and select Create New (see Figure 173). Configure the following variables and select OK to save the language entry.

Figure 173: Add report language window

Configure the following settings:
Language: Enter the language name.
Description: Enter a description for the language entry.
Format File: Select Browse and locate your customized format file.
String File: Select Browse and locate your customized string file.
Font File (Optional): If you want to customize the font of report graph titles and Y-axis labels, select Browse and locate your font. If your font is located in the system font folder, you may need to first copy the font from the system font folder to another location, such as a temporary folder or your desktop, to be able to select the font for upload.
The time required to upload the language customization files varies by the size of the files and the speed of your connection. If there are any errors with your files, correct the errors, then repeat this procedure.
The following table lists error messages that can result when adding a report language.

Table 13: Language file error messages
Error message: Specified format file contains invalid syntax.
Description: Your format or string file contains syntax errors. To locate the errors, compare your customized file with a default language's file. Refer to file format specifications or view default files for valid syntax.
Table 13: Language file error messages (continued)
Error message: Specified language string file is missing one or more strings.
Description: Your string file is missing strings for one or more keys. To locate missing strings, compare your customized format file with a default language's string file.
Error message: Specified font file is not a standard TrueType font (*.ttf).
Description: Your font file is not a TrueType font. Only TrueType fonts are supported.
Error message: Specified format file contains invalid syntax.
Description: Your format or string file contains syntax errors. To locate the errors, compare your customized file with a default language's file. Refer to file format specifications or view default files for valid syntax.
Indexer based reports support FortiGate, FortiClient, and FortiMail. FortiWeb is only supported with SQL Database.
If you have disabled the SQL database for log storage in System > Config > SQL Database, you will configure reports based on logs from the proprietary indexer file system. See Enable/disable SQL database on page 205 for more information. Logs are the basis of all FortiAnalyzer reports and must be collected or uploaded before you can generate a report; see Log & Archive on page 175 for more information about logs. After logs are collected or uploaded, you can then define the three basic components that make up a report based on logs from the proprietary indexed file system:
report layout (the report template and the contents)
output and data filter templates, language (optional components)
report schedule (log data parameters and time range)
This section includes the following topics:
Viewing scheduled reports
Configuring report schedules
Configuring reports
This page displays the following information:
Delete: Select to remove selected reports.
Refresh: Select to refresh the list. If the FortiAnalyzer unit is in the process of generating a report, use Refresh to update the status of the report generation.
Report Files: Select the report name to view the entire report in HTML format. Select the Expand Arrow to view the individual reports in HTML format.
Device Type: The type of device whose logs were used for generating the report.
Started: The date and time when the FortiAnalyzer unit started generating the report.
Finished: The date and time when the FortiAnalyzer unit completed the report. If the FortiAnalyzer unit is in the process of generating a report, a progress bar will appear in this column. If the FortiAnalyzer unit has not yet started generating the report, which can occur when another report is not yet finished, Pending appears in this column.
Size (bytes): The file size of the report's HTML format output, if any. The size does not reflect other output formats that may be present, such as PDF.
Other Formats: Select a file format, if any, to view the generated report in that format. In addition to HTML, the generated reports may also be available in PDF, RTF, XML/XSL, and ASCII text formats, depending on the output configuration.
Current Page: By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 2/10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.
Configure the following settings:
Create New: Select to create a new report schedule.
Edit: Edit an existing report schedule.
Delete: Delete a report schedule.
Run: Run a report schedule immediately (on demand), instead of waiting for the scheduled time.
Configure the following settings:
Name: Enter a name for the schedule.
Description: Enter a description for the schedule. This field is optional.
Layout: Select a configured report layout from the drop-down list. You must apply a report layout to a report schedule.
Language: Select a language from the drop-down list or choose Default to use the default language.
Schedule: Select one of the following to have the report generated on demand, once, daily, weekly, or monthly at a specified date and time.
Daily: Select to generate the report every day at the same time. Enter the start time and select a start and end date for the report.
Weekly: Select to generate the report on specified days of the week. Select the days of the week, enter the start time, and select a start and end date for the report.
Monthly: Select to generate the report on a specific day or days of the month. Enter the days separated by commas. For example, to generate the report on the 1st, 21st and 30th day, enter 1, 21, 30. Then enter the start time and select a start and end date for the report.
Once: Select to have the report generated only once on the specified date.
On Demand: Select to have the report generated on demand.
Log Data Filtering: You can specify the variables that were selected in the charts when configuring the report layout. If you did not specify any variables in the charts added to the report layout, proceed to Data Filter.
Device/Group: Select a device or device group from the list. If a layout is not selected, no FortiGate units or groups will appear in the list.
Virtual Domain: Select to create a report based on virtual domains. Enter a specific virtual domain to include in the report.
User: Select to create a report based on a network user. Enter the user or users in the field.
Group: Select to create a report based on a group of network users, defined locally. Enter the name of the group or groups in the field.
LDAP Query: Select an LDAP directory from the drop-down list or select Create New to create a new LDAP server entry. See Configuring LDAP queries for reports on page 144 for more information.
LDAP Group: Enter an LDAP group. This option appears only when LDAP Query is selected. See Configuring LDAP queries for reports on page 144 for more information.
Data Filter: Select a data filter template from the drop-down list to apply to the report schedule. Select Create New Data Filter to create a new data filter entry.
Time Period
Local Time for: Select to base the time period on the local time of the FortiAnalyzer unit or the selected devices. Log time stamps reflect when the FortiAnalyzer unit received the message, not when the device generated the log message. If you have devices located in different time zones, and are creating a report layout based on a span of time, ensure that the time span is relative to the device, not the FortiAnalyzer unit. For example, if you have a device and a FortiAnalyzer unit located three time zones apart, a report for the time frame from 9 AM to 11 AM will yield different results depending on whether the report time frame is relative to the device's local time or to the FortiAnalyzer unit's local time.
From: Select the beginning date and time of the log time range.
To: Select the ending date and time of the log time range.
Select the type of output you want the report to be in and whether you want to apply an output template as well. Select the file format you want the generated report to be in. You can choose from PDF, XML, HTML (default), MS Word, Text, and MHT. Note: Only those file formats that are enabled in both the output template and the schedule output types are sent by email. For example, if PDF and Text formats are selected in the output template, and then PDF and MHT are selected in the report schedule, the report's file format in the email attachment is PDF.
Email/Upload: Select the check box if you want to apply a report output template from the drop-down list.
Configuring reports
This section includes the following topics:
To configure a report layout
Edit an existing report layout
Create a new report layout
Run a report
This page displays the following information:
Default Layout
Bandwidth_Analysis: An overview of bandwidth consuming applications and users.
Forensic_Analysis: An overview of detailed network activity information such as instant messaging programs and email.
Threat_Analysis: An overview of user AntiVirus, Intrusion Protection and AntiSpam threats for the time period.
Web_Filtering-Group_Activity: An overview of user web site activity for a group of users, while also providing summary and analysis information on usage and behavior.
Web_Filtering-User_Activity: An overview of user web site activity plus a detailed audit of all blocked sites and all sites visited.
Create New: Create a new report layout.
Edit: Edit an existing report layout.
Delete: Delete a report layout. The pre-configured report layouts cannot be deleted.
Clone: Create a duplicate of a report layout to use as a basis for creating a new report layout.
Run: Run a report layout immediately (on demand), instead of waiting for the report layout's scheduled time.
Configure the following settings:
Name: Enter a name for the report.
Description: Enter a description, for example, of what the report is about.
Company Name: Enter the name of your company or organization.
Report Title: Enter a title for the report, for example, Report_1.
Header: Enter a header name for the report.
Title Page Logo: Select the Browse logo files icon to choose a logo that will appear on the title page of the report. You need to select a logo file format that is compatible with your selected file format outputs. The logo will not appear if it is incompatible with the chosen file format. You can choose JPG, PNG, and GIF logo formats for PDFs and HTML; WMF is also supported for RTF.
Header Logo: Select the Browse logo files icon to choose a logo that will appear only in the header of the report. Logo formats for headers also need to be compatible with the chosen file format. The same logo formats for the title page also apply to headers.
Add Chart(s): Select to add default or user-defined charts to your report.
Device Type: Select a device type from the drop-down list. The available types are FortiGate, FortiClient and FortiMail. The report's log information will come from the selected device type. For example, if you selected FortiMail, only FortiMail logs are used.
Category: Select a category or all categories of charts from the drop-down list. Note: Customized charts (Custom Charts) are under the Others category.
Chart Name: The names of the charts in each category. The category name is in bold, and the charts associated with that category name and data source are displayed beneath it.
Action: Select the plus (+) symbol in the row containing the main chart name to add all charts of the category to the report. Select the plus (+) symbol in each row to add charts individually. When the plus (+) symbol is selected, a minus (-) symbol appears. Select the minus (-) symbol in each row to remove the selected chart or charts.
Configure the following settings:
Name: Enter a name for the report.
Description: Enter a description of the report.
Company Name: Enter the name of your company or organization.
Report Title: Enter a title for the report.
Header: Enter a header name for the report.
Title Page Logo: Select the Browse logo files icon to choose a logo that will appear on the title page of the report. You need to select a logo file format that is compatible with your selected file format outputs. The logo will not appear if it is incompatible with the chosen file format. You can choose JPG, PNG, and GIF logo formats for PDFs and HTML; WMF is also supported for RTF.
Header Logo: Select the Browse logo files icon to choose a logo that will appear only in the header of the report. Logo formats for headers also need to be compatible with the chosen file format. The same logo formats for the title page also apply to headers.
Chart List
Add Chart(s): Select to add default or user-defined charts to your report.
Add Section: Select to add a section to a report that keeps charts separate from each other. Title: Enter a name to describe the charts and information. Description: Enter a description, if applicable, to describe the charts.
Add Text: Select to add a note or comment about a section, or to include additional information about the charts that are in the report.
Report layouts cannot be deleted while they are associated with a report schedule; if you want to delete a report layout, remove that layout from the schedule it is associated with, and then delete it.
Run a report
To run a report with a default or custom layout, go to Report > Config > Layout, select the layout from the list, and select Run (see Figure 184). Configure the following variables and select OK to run the report.

Figure 184: Run report now window

Configure the following settings:
Name: Name of the report, for example, Bandwidth_Analysis.
Layout: This field is greyed out, but displays the report layout selected.
Language: The default language is English. Select an alternate language using the drop-down menu.
Log Data Filtering: You can specify the variables that were selected in the charts when configuring the report layout. If you did not specify any variables in the charts added to the report layout, proceed to Data Filter.
Device/Group: Select a device or device group from the list. If a layout is not selected, no FortiGate units or groups will appear in the list.
Virtual Domain: Select to create a report based on virtual domains. Enter a specific virtual domain to include in the report.
User: Select to create a report based on a network user. Enter the user or users in the field.
Group: Select to create a report based on a group of network users, defined locally. Enter the name of the group or groups in the field.
LDAP Query: Select an LDAP directory from the drop-down menu, or select Create New to configure a new LDAP server.
Data Filter: Select a data filter from the drop-down menu, or select Create New Data Filter to configure a new data filter.
Local Time for: Select local time for either the FortiAnalyzer unit or the Selected Devices.
Time Period: Specify the time period from the drop-down menu.
Specify the report output type. The options are: HTML (enabled by default); PDF; MS Word; Text; MHT; and XML.
Email/Upload: Enable and select a report output, or select Create New Report Output from the drop-down list.
Configure the following settings:
Create New: Select to create a new data filter template.
Edit: Select to edit an existing data filter template.
Delete: Select to delete an existing data filter template.

Name: Enter a name for the new data filter.
Description: Enter a description for the data filter. This is optional.
all: Select all to include in the report only the logs that match all data filter criteria. If a log does not match all criteria, the FortiAnalyzer unit excludes the log message from the report.
any: Select any to include in the report the logs that match any of the data filter criteria. If a log matches any of the criteria, the FortiAnalyzer unit includes the log message in the report.
Source(s): Enter the source IP or a range of source IP addresses to include matching logs. You can also select from the alias list. Separate multiple sources with a comma. You can filter on IP ranges or subnets. The following formats are supported: IP Range: xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx; Subnet: xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/cidr. Note: you cannot use the format 172.20.110.0-255.
Alias: Select the appropriate alias from the drop-down list.
not: Select to include only the log messages that do not match this criterion. For example, you might include all logs except those matching a specific source IP address.
Destination(s): Enter the destination IP or a range of destination IP addresses to include matching logs. You can also select from the alias list. Separate multiple destinations with a comma. You can filter on IP ranges or subnets. The following formats are supported: IP Range: xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx; Subnet: xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/cidr. Note: you cannot use the format 172.20.110.0-255.
Alias: Select the appropriate alias from the drop-down list.
not: Select to include only the log messages that do not match this criterion. For example, you might include all logs except those matching a specific destination IP address.
Enter the network interface or interfaces to include matching logs. Separate multiple interface names with a comma.
not: Select to instead include only log messages that do not match this criterion. For example, you might include all logs except those matching a specific network interface.
Policy ID(s): Enter the device policy ID numbers to include matching logs. The report will include logs from all device log files containing policy ID numbers, which excludes event and DLP archive logs. Separate multiple policy IDs with a comma.
not: Select to instead include only log messages that do not match this criterion. For example, you might include all logs except those matching a specific policy ID.
Enter specific services to include matching logs. Separate multiple services with a comma.
not: Select to instead include only log messages that do not match this criterion. For example, you might include all logs except those matching a specific service.
Page 250 FortiAnalyzer v4.3.6 Administration Guide
Enter the email domain or domains that you want included in the filter. An email domain is a set of email accounts that reside on a particular email server. The email domain is the portion of the user's email address following the @ symbol. For more information about email domains, see the FortiMail Administration Guide. This field is used only when creating FortiMail reports.
not: Select to instead include only log messages that do not match this criterion. For example, you might include all logs except those matching a specific email domain.
Enter one of the following email directions: IN: the incoming email traffic direction; OUT: the outgoing email traffic direction; UNKNOWN: the unknown email traffic direction. This field is used only when creating FortiMail reports.
not: Select to instead include only log messages that do not match this criterion. For example, you might include all logs except those matching a specific email direction.
Enter one or more senders of the email. This field is used only when creating FortiMail reports.
not: Select to instead include only log messages that do not match this criterion. For example, you might include all logs except those matching a specific email sender.
Enter one or more receivers of the email. This field is used only when creating FortiMail reports.
not: Select to instead include only log messages that do not match this criterion. For example, you might include all logs except those matching a specific email recipient.
Select specific days of the week to include matching logs.
Select the categories you want to filter logs by, selectively including web filtering logs that match your criteria, then indicate the included categories by selecting one or more category check boxes. You can select a whole category by selecting the check box beside the Expand Arrow of the category. You can also select the individual subcategories within the category by selecting the Expand Arrow to display the sub-categories. For example, you might select to include all web filtering logs with a category of Potentially Bandwidth Consuming, or you might select only Internet Radio and TV within that category.
not: Select to instead include only logs that do not match the criterion. For example, you might include all logs except those matching a specific web category.
Priority: Select a severity level from the Available Levels column and then use the -> arrow to move the level to the Selected Levels column. If you want to remove a severity level from the Selected Levels column, select the level first and then use the <- arrow to move the level back to the Available Levels column.
Enter a generic filter for the data filter template. Enter a keyword in this field. Enter a number for the value.
not: Select to instead include only log messages that do not match this criterion. For example, you might include all logs except those matching a specific generic filter.
Add: Select Add to add the keyword and value number to the generic filter list. The generic filter list displays all configured generic filters in the field beside both Add and Delete.
Delete: Select to delete a generic filter. Select the generic filter first, and then select Delete.
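The Source(s)/Destination(s) address formats and the all/any and not semantics described above, worked through as an added example that is not part of the guide or of any Fortinet code. It parses filter entries in the supported formats (a single address, an IP range, a subnet with netmask or /cidr), rejects the 172.20.110.0-255 shorthand, and applies a set of criteria to constructed sample log records; the field names srcip, dstip and service are assumptions.

```python
import ipaddress

# Log fields that take the Source(s)/Destination(s) address formats; other
# fields (service, interface, ...) are matched as comma-separated names.
IP_FIELDS = {"srcip", "dstip"}


def parse_filter_entry(entry):
    """Parse one entry of a Source(s)/Destination(s) field in the formats the
    guide lists: a single address, IP Range a.b.c.d-e.f.g.h, Subnet
    a.b.c.d/m.m.m.m or a.b.c.d/cidr. Returns (first, last) as integers.
    Shorthand such as 172.20.110.0-255 is rejected with ValueError."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (part.strip() for part in entry.split("-", 1))
        # Both ends must be complete dotted quads; "255" alone raises.
        lo_ip, hi_ip = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        if hi_ip < lo_ip:
            raise ValueError("range end precedes range start: %s" % entry)
        return int(lo_ip), int(hi_ip)
    if "/" in entry:
        # strict=False lets a host address with a mask stand for its subnet.
        net = ipaddress.IPv4Network(entry, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    ip = ipaddress.IPv4Address(entry)
    return int(ip), int(ip)


def is_valid_entry(entry):
    """True if the entry is in one of the supported formats."""
    try:
        parse_filter_entry(entry)
        return True
    except ValueError:
        return False


def build_matcher(field, field_value, negate=False):
    """Compile one criterion into a predicate over a single log value.
    negate implements the 'not' check box: include logs that do NOT match."""
    entries = [e.strip() for e in field_value.split(",") if e.strip()]
    if field in IP_FIELDS:
        ranges = [parse_filter_entry(e) for e in entries]

        def hit(value):
            if not value:
                return False
            n = int(ipaddress.IPv4Address(value))
            return any(lo <= n <= hi for lo, hi in ranges)
    else:
        names = set(entries)

        def hit(value):
            return value in names
    return lambda value: hit(value) != negate


def filter_logs(logs, criteria, match="all"):
    """Apply criteria {field: (value, negate)} to log dicts. With match='all'
    a log is kept only if every criterion holds; with 'any', if at least one
    holds, which is the all/any choice on the data filter page."""
    matchers = {f: build_matcher(f, v, neg) for f, (v, neg) in criteria.items()}
    combine = all if match == "all" else any
    return [log for log in logs
            if combine(m(log.get(f, "")) for f, m in matchers.items())]


# Constructed sample traffic logs (field names follow FortiGate log fields).
SAMPLE_LOGS = [
    {"srcip": "172.20.110.7", "dstip": "8.8.8.8", "service": "DNS"},
    {"srcip": "172.20.120.9", "dstip": "10.1.1.5", "service": "HTTP"},
    {"srcip": "172.20.110.200", "dstip": "10.1.1.9", "service": "HTTPS"},
]

if __name__ == "__main__":
    # Source in 172.20.110.0/24 AND service not DNS -> only the HTTPS log.
    kept = filter_logs(SAMPLE_LOGS,
                       {"srcip": ("172.20.110.0/24", False),
                        "service": ("DNS", True)}, match="all")
    for log in kept:
        print(log)
```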
Keys are required and must not be removed or changed. Keys map a string to a location in the report, and are the same in each language file. If you change or remove keys, the FortiAnalyzer unit cannot associate your string with a location in the report, string file validation will fail, and the string file upload will not succeed.

String values may be changed to customize report text. If your custom string values use a different encoding or character set than the default language file, customize your format file to reflect your new character set and/or encoding.

Comment lines are optional; you can add them throughout the file to provide notes on your work.

The format file contains settings for the file format renderers, including encodings. The format file contains sections that are preceded by an output type label, consisting of the file format name followed by a colon (:). Within each output type's section, one or more settings exist, each consisting of a variable name followed by an equal symbol (=) and its value, enclosed in quotes (""). You can add comments to the format file by preceding them with a number symbol (#). For example, in these lines:

    # Localization uses a Latin character set.
    html:
    html_charset="iso-8859-1"

the comment is "# Localization uses a Latin character set.", the output type label is html:, the variable name is html_charset, and the variable's value is iso-8859-1.

Variables are required and must not be removed or changed. If you change or remove variables, the FortiAnalyzer unit may not be able to properly format your reports. If your custom string values use a different encoding or character set than the default language file, you must customize your format file to reflect your new character set and/or encoding. If your string file requires double-byte encoding, set doublebytes="1"; otherwise, set doublebytes="0". The variable's value must be in a pattern acceptable to the output type. If the variable value syntax is not correct, format file validation will fail, and the format file upload will not succeed.

Supported encodings used by the string file and referenced in the format file include those specified by the PDF, RTF, and HTML standards. For character set, encoding syntax, and other specifications, see the following documents: W3C HTML 4.01 Specification; Adobe PDF Reference; Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8.

Comment lines are optional; you can add them throughout the file to provide notes on your work. If you require further format file customization, including adjustments to PDF objects, contact Customer Service & Support.
Both format and string files use Unix-style line endings (LF characters, not CR-LF).
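A pre-upload check for the string and format file rules above (keys and variables must stay unchanged, doublebytes is "0" or "1", LF line endings only), as an added example that is not part of the guide or of Fortinet's tooling. The default files it compares against are constructed samples with a handful of keys; only html_charset and doublebytes are settings named in the guide, and the section layout is an assumption.

```python
import re

# Constructed sample default files, not Fortinet's shipped language files.
# String file: key=value lines, '#' comment lines, LF line endings.
DEFAULT_STRINGS = """# Comment lines are optional.
report.title=Report
chart.top_users=Top Users
chart.top_sites=Top Web Sites
"""

# Format file: an output type label (name followed by ':') opens a section;
# each setting is variable="value"; '#' starts a comment. Section layout is
# an assumption for this example.
DEFAULT_FORMAT = """# Localization uses a Latin character set.
html:
html_charset="iso-8859-1"
doublebytes="0"
pdf:
doublebytes="0"
"""

KEY_VALUE = re.compile(r"^([^=#][^=]*)=(.*)$")
SETTING = re.compile(r'^(\w+)="([^"]*)"$')


def parse_strings(text):
    """Return {key: value}; only the text right of the first '=' is the
    modifiable string. Raises ValueError on a line without '='."""
    strings = {}
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = KEY_VALUE.match(line)
        if not m:
            raise ValueError("line %d: expected key=value" % lineno)
        strings[m.group(1)] = m.group(2)
    return strings


def parse_format(text):
    """Return {output_type: {variable: value}} from a format file."""
    sections, current = {}, None
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if line.endswith(":") and " " not in line:
            current = line[:-1]
            sections[current] = {}
            continue
        m = SETTING.match(line)
        if m is None or current is None:
            raise ValueError('line %d: expected name="value" inside a section'
                             % lineno)
        sections[current][m.group(1)] = m.group(2)
    return sections


def validate_string_file(custom_text, default_text=DEFAULT_STRINGS):
    """List the problems that make a string file upload fail: CR-LF line
    endings, syntax errors, and keys missing from or unknown to the default."""
    problems = []
    if "\r" in custom_text:
        problems.append("CR-LF line endings; use LF only")
    try:
        custom = parse_strings(custom_text)
    except ValueError as err:
        return problems + ["syntax error: %s" % err]
    default = parse_strings(default_text)
    for key in sorted(default.keys() - custom.keys()):
        problems.append("missing key: %s" % key)
    for key in sorted(custom.keys() - default.keys()):
        problems.append("unknown key (changed or added): %s" % key)
    return problems


def validate_format_file(custom_text, default_text=DEFAULT_FORMAT):
    """List the problems that make a format file upload fail: CR-LF line
    endings, syntax errors, sections or variables removed relative to the
    default, and a doublebytes value other than "0" or "1"."""
    problems = []
    if "\r" in custom_text:
        problems.append("CR-LF line endings; use LF only")
    try:
        custom = parse_format(custom_text)
    except ValueError as err:
        return problems + ["syntax error: %s" % err]
    for out_type, settings in parse_format(default_text).items():
        got = custom.get(out_type)
        if got is None:
            problems.append("missing output type section: %s:" % out_type)
            continue
        for var in sorted(settings.keys() - got.keys()):
            problems.append("%s: missing variable %s" % (out_type, var))
        if got.get("doublebytes") not in (None, "0", "1"):
            problems.append('%s: doublebytes must be "0" or "1"' % out_type)
    return problems
```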
Go to Report > Config > Language to view the default report language options.
Create New: Select to create a new report language type.
Edit: Select to edit a language entry.
Delete: Select to delete a customized language entry. The option to delete is not available for the pre-configured language entries.
Remove the font file from the selected report language.
Download: Select Download Format File to download the file format settings. Select Download String File to download the language resource. Select Download Font File to download the custom font file. This option is disabled for default languages and for report language customizations that use a default font.
The string file contains many keys, and each report type uses a subset of those keys. If your language modification does not appear in your report, verify that you have modified the string of a key used by that report type.
To edit the report language, go to Report > Config > Language, choose the language entry from the list, and select Edit (Figure 188). Configure the following variables and select OK to save.

Figure 188: Edit report language window
Configure the following settings:
Language: The language field displays the language entry that you have selected.
Description: Enter a description for the report language entry.
Format File: If you changed the encoding of the string file, go to Download > Download Format File and open the format file using a plain text editor that supports Unix-style line endings, such as jEdit, and edit the encoding and character set values for each file format. If you have switched between a single-byte and a double-byte encoding, also set the doublebytes value to true (1) or false (0). For specifications on how to indicate encoding and character set, refer to each file format's specification: W3C HTML 4.01 Specification; Adobe PDF Reference; Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8. Save the format file.
String File: Open the string file using a plain text editor that supports Unix-style line endings and the string file's encoding, such as jEdit. Verify that the correct encoding has been detected or selected. Locate and edit the text that you want to customize. Do not change or remove keys. Modifiable text is located to the right of the equal symbol (=) in each line. Save the string file.
Font File (Optional): If you want to customize the font of report graph titles and Y-axis labels, select Browse and locate your font. If your font is located in the system font folder, you may need to first copy the font from the system font folder to another location, such as a temporary folder or your desktop, to be able to select the font for upload.
Some font licenses prohibit copying or simultaneous use on multiple hosts or by multiple users. Verify your font's license.
Configure the following settings:
Language: Enter the language name.
Description: Enter a description for the language entry.
Format File: Select Browse and locate your customized format file.
String File: Select Browse and locate your customized string file.
Font File (Optional): If you want to customize the font of report graph titles and Y-axis labels, select Browse and locate your font. If your font is located in the system font folder, you may need to first copy the font from the system font folder to another location, such as a temporary folder or your desktop, to be able to select the font for upload.
The time required to upload the language customization files varies by the size of the files and the speed of your connection. If there are any errors with your files, correct the errors, then repeat this procedure.
The following table lists error messages that can result when adding a report language.

Table 14: Language file error messages
Error message: Specified format file contains invalid syntax.
Description: Your format or string file contains syntax errors. To locate the errors, compare your customized file with a default language's file. Refer to file format specifications or view default files for valid syntax.
Error message: Specified language string file is missing one or more strings.
Description: Your string file is missing strings for one or more keys. To locate missing strings, compare your customized format file with a default language's string file.
Error message: Specified font file is not a standard TrueType font (*.ttf).
Description: Your font file is not a TrueType font. Only TrueType fonts are supported.
Error message: Specified format file contains invalid syntax.
Description: Your format or string file contains syntax errors. To locate the errors, compare your customized file with a default language's file. Refer to file format specifications or view default files for valid syntax.
SQL database storage must be enabled to perform network vulnerability scans. See Configuring SQL database storage on page 119 for more information.
New vulnerabilities appear in any organization's network due to problems such as flaws in software or faulty application configuration. The vulnerability management feature can determine whether your organization's computers are vulnerable to attacks. With this feature, you can define your host assets or discover hosts in the network, configure vulnerability management scans, generate reports, and interpret the results. FortiAnalyzer units come with a default database of more than 2 500 vulnerabilities. For FortiGuard Vulnerability Management Service subscribers, this database can be periodically updated via the FortiGuard Distribution Network (FDN) to receive definitions of the most recently discovered vulnerabilities. For details, see Scheduling & uploading vulnerability management updates on page 149. The vulnerability scan is suitable for scanning many types of hosts, including those running Microsoft Windows or Unix variants such as Linux and Apple Mac OS X, as well as a variety of applications and services/daemons. The vulnerability scan workflow is as follows:
[Figure: vulnerability scan workflow (flowchart). Only the step label "Scanning OS if Required" survived extraction.]
This section includes the following topics:
Model support
How to use the network vulnerability scan feature
Configuring host assets
Discovering network host assets
Preparing for authenticated scanning
Configuring vulnerability scans
Viewing scan results
Model support
Table 15: Model support
Model       Supported   Max. Hosts to Scan   No. Concurrent Scans
FAZ-100B    Yes         200                  4
FAZ-100C    Yes         200                  4
FAZ-400B    Yes         500                  8
FAZ-400C    Yes         500                  8
FAZ-800     Yes         1000                 8
FAZ-800B    Yes         1000                 8
FAZ-1000B   Yes         2000                 16
FAZ-1000C   Yes         2000                 16
FAZ-2000    Yes         Unlimited (65535)    20
FAZ-2000A   Yes         Unlimited (65535)    20
FAZ-2000B   Yes         Unlimited (65535)    20
FAZ-4000A   Yes         Unlimited (65535)    32
FAZ-4000B   Yes         Unlimited (65535)    32
FAZ-VM      Yes         Unlimited (65535)    32
FAZ-VM64    Yes         Unlimited (65535)    32
This page displays the following information:
Create New: Select to add a host asset. See To add a host asset: on page 260.
View: Select an asset and click View to display the scan result of this asset, including the host IP address and host discovery method.
Discover Assets: Select one or more assets and click Discover Assets to discover these assets. See Discovering network host assets on page 262.
Start Scan: Select one or more assets and click Start Scan to scan these assets.
  Quick: check only the most commonly used ports
  Standard: check the ports used by most known applications
  Full: check all TCP and UDP ports
  For a detailed list of the TCP and UDP ports examined by each scan mode, see Table 16 on page 266.
Name: The host name.
Type: The type of the host: IP address or IP address range.
IP Address/Range: The IP address of the host, or the IP address range of the hosts.
Right-click Menu: Right-click a row to show a context menu for performing some actions.
To add a host asset:
1. Go to Network Vulnerability Scan > Asset Definition > Asset Definition.
2. Click Create New.
3. Enter the appropriate information and click OK.
Configure the following settings:
Name: The name of the host. Names cannot contain spaces.
Type: Select Host for a single host, or Range for multiple hosts in a contiguous IP address range.
Host IP Address: If you set Type to Host, enter the host IP address. If you set Type to Range, enter the first and last IP addresses of the range. All the hosts within the range will be included in the host asset.
Windows Authentication: Select to use authentication on a Windows operating system. Enter the username and password in the fields provided. For more information, see Preparing for authenticated scanning on page 262.
UNIX Authentication: Select to use authentication on a Unix operating system. Enter the username and password in the fields provided. For more information, see Preparing for authenticated scanning on page 262.
administrator's account, it might be more convenient to set up a separate account for the exclusive use of the vulnerability scanner with a password that does not change. This section describes the requirements that Microsoft Windows hosts and Unix hosts must meet for an authenticated scan.
Setting
Windows Firewall: Protect all network connections
Windows Firewall: Allow remote administration exception (Allow unsolicited messages from: see note 1)
Windows Firewall: Allow file and printer sharing exception (Allow unsolicited messages from: see note 1)
Windows Firewall: Allow ICMP exceptions (Allow unsolicited messages from: see note 1)
Note 1: Windows prompts you for a range of IP addresses. Enter either * or the IP address of the FortiAnalyzer unit that is performing the vulnerability scan.
Unix hosts
The user account provided for authentication must be able, at a minimum, to execute these commands:
The account must be able to execute uname in order to detect the platform for packages.
If the target is running Red Hat, the account must be able to read /etc/redhat-release and execute rpm.
If the target is running Debian, the account must be able to read /etc/debian-version and execute dpkg.
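A dedicated scanner account should have exactly the capabilities listed above and nothing more. The following Python script is an added example, not part of this guide or of FortiAnalyzer: run on the target as the candidate account, it reports which of the listed capabilities that account lacks, so the gaps can be fixed before the authenticated scan is enabled. The root and path parameters and the build_fake_host helper are assumptions introduced only so the check can be exercised against a throwaway directory tree; the release-file names are the ones the guide lists.

```python
import os
import shutil
import tempfile

# Requirements listed in the guide: uname on every target, then a readable release
# file and an executable package tool for the detected platform.
PLATFORMS = {
    "redhat": {"release_file": "etc/redhat-release", "tool": "rpm"},
    "debian": {"release_file": "etc/debian-version", "tool": "dpkg"},
}


def scan_account_preflight(root="/", path=None):
    """Check, as the account this process runs under, what the scanner will be
    able to do on this host.

    Returns {"platform": name or None, "missing": [human-readable gaps]}.
    `root` is the filesystem tree to inspect (normally "/") and `path` the PATH
    used to resolve commands (None = this process's PATH); both exist only so
    the check can be pointed at a constructed tree in a test.
    """
    missing = []
    if shutil.which("uname", path=path) is None:
        missing.append("execute uname")
    platform = None
    for name, req in PLATFORMS.items():
        release = os.path.join(root, req["release_file"])
        if not os.path.exists(release):
            continue
        platform = name
        if not os.access(release, os.R_OK):
            missing.append(f"read {release}")
        if shutil.which(req["tool"], path=path) is None:
            missing.append(f"execute {req['tool']}")
        break
    if platform is None:
        missing.append("identify platform (no Red Hat or Debian release file found)")
    return {"platform": platform, "missing": missing}


def build_fake_host(platform, tools):
    """Construct a throwaway tree that imitates a target: a release file for
    `platform` and executable stubs named in `tools` under <root>/bin.
    Returns (root, bin_dir) for scan_account_preflight(root, path=bin_dir)."""
    root = tempfile.mkdtemp(prefix="fakehost-")
    bin_dir = os.path.join(root, "bin")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(bin_dir)
    with open(os.path.join(root, PLATFORMS[platform]["release_file"]), "w") as fh:
        fh.write("constructed release file\n")
    for tool in tools:
        stub = os.path.join(bin_dir, tool)
        with open(stub, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(stub, 0o755)
    return root, bin_dir


if __name__ == "__main__":
    # On a real target, run this as the scanner account and fix what is reported.
    result = scan_account_preflight()
    print("platform:", result["platform"])
    for gap in result["missing"]:
        print("missing:", gap)
```

Running the script with no arguments inspects the real host; the constructed tree is only for verifying the logic offline.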
The following table outlines ports scanned in each scan mode. Table 16:Ports scanned in each scan mode Standard Scan TCP: 1-3, 5, 7, 9, 11, 13, 15, 17-25, 27, 29, 31, 33, 35, 37-39, 41-223, 242-246, 256-265, 280-282, 309, 311, 318, 322-325, 344-351, 363, 369-581, 587, 592-593, 598, 600, 606-620, 624, 627, 631, 633-637, 666-674, 700, 704-705, 707, 709-711, 729-731, 740-742, 744, 747-754, 758-765, 767, 769-777, 780-783, 786, 799-801, 860, 873, 886-888, 900-901, 911, 950, 954-955, 990-993, 995-1001, 1008, 1010-1011, 1015, 1023-1100, 1109-1112, 1114, 1123, 1155, 1167, 1170, 1207, 1212, 1214, 1220-1222, 1234-1236, 1241, 1243, 1245, 1248, 1269, 1313-1314, 1337, 1344-1625, 1636-1774, 1776-1815, 1818-1824, 1901-1909, 1911-1920, 1944-1951, 1973, 1981, 1985-2028, 2030, 2032-2036, 2038, 2040-2049, 2053, 2065, 2067, 2080, 2097, 2100, 2102-2107, 2109, 2111, 2115, 2120, 2140, 2160-2161, 2201-2202, 2213, 2221-2223, 2232-2239, 2241, 2260, 2279-2288, 2297, 2301, 2307, 2334, 2339, 2345, 2381, 2389, 2391, 2393-2394, 2399, 2401, 2433, 2447, 2500-2501, 2532, 2544, 2564-2565, 2583, 2592, 2600-2605, 2626-2627, 2638-2639, 2690, 2700, 2716, 2766, 2784-2789, 2801, 2908-2912, 2953-2954, 2998, 3000-3002, 3006-3007, 3010-3011, 3020, 3047-3049, 3080, 3127-3128, 3141-3145, 3180-3181, 3205, 3232, 3260, 3264, 3267-3269, 3279, 3306, 3322-3325, 3333, 3340, 3351-3352, 3355, 3372, 3389, 3421, 3454-3457, 3689-3690, 3700, 3791, 3900, 3984-3986, 4000-4002, 4008-4009, 4080, 4092, 4100, 4103, 4105, 4107, 4132-4134, 4144, 4242, 4321, 4333, 4343, 4443-4454, 4500-4501, 4567, 4590, 4626, 4651, 4660-4663, 4672, 4899, 4903, 4950, 5000-5005, 5009-5011, 5020-5021, 5031, 5050, 5053, 5080, 5100-5101, 5145, 5150, 5190-5193, 5222, 5236, 5300-5305, 5321, 5400-5402, 5432, 5510, 5520-5521, 5530, 5540, 5550, 5554-5558, 5569, 5599-5601, 5631-5632, 5634, 5678-5679, 5713-5717, 5729, 5742, 5745, 5755, 5757, 5766-5767, 5800-5802, 5900-5902, 5977-5979, 5997-6053, 6080, 6103, 6110-6112, 6123, 6129, 6141-6149, 6253, 6346, 6387, 
6389, 6400, 6455-6456, 6499-6500, 6515, 6558, 6588, 6660-6670, 6672-6673, 6699, 6767, 6771, 6776, 6831, 6883, 6912, 6939, 6969-6970, 7000-7021, 7070, 7080, 7099-7100, 7121, 7161, 7174, 7200-7201, 7300-7301, 7306-7308, 7395, 7426-7431, 7491, 7511, 7777-7778, 7781, 7789, 7895, 7938, 7999-8020, 8023, 8032, 8039, 8080-8082, 8090, 8100, 8181, 8192, 8200, 8383, 8403, 8443, 8450, 8484, 8732, 8765, 8886-8894, 8910, 9000-9001, 9005, 9043, 9080, 9090, 9098-9100, 9400, 9443, 9535, 9872-9876, 9878, 9889, 9989-10000, 10005, 10007, 10080-10082, 10101, 10520, 10607, 10666, 11000, 11004, 11223, 12076, 12223, 12345-12346, 12361-12362, 12456, 12468-12469, 12631, 12701, 12753, 13000, 13333, 14237-14238, 15858, 16384, 16660, 16959, 16969, 17007, 17300, 18000, 18181-18186, 18190-18192, 18194, 18209-18210, 18231-18232, 18264, 19541, 20000-20001, 20011, 20034, 20200, 20203, 20331, 21544, 21554, 21845-21849, 22222, 22273, 22289, 22305, 22321, 22555, 22800, 22951, 23456, 23476-23477, 25000-25009, 25252, 25793, 25867, 26000, 26208, 26274, 27000-27009, 27374, 27665, 29369, 29891, 30029, 30100-30102, 30129, 30303, 30999, 31336-31337, 31339, 31554, 31666, 31785, 31787-31788, 32000, 32768-32790, 33333, 33567-33568, 33911, 34324, 37651, 40412, 40421-40423, 42424, 44337, 47557, 47806, 47808, 49400, 50505, 50766, 51102, 51107, 51112, 53001, 54321, 57341, 60008, 61439, 61466, 65000, 65301, 65512 UDP: 7, 9, 13, 17, 19, 21, 37, 53, 67-69, 98, 111, 121, 123, 135, 137-138, 161, 177, 371, 389, 407, 445, 456, 464, 500, 512, 514, 517-518, 520, 555, 635, 666, 858, 1001, 1010-1011, 1015, 1024-1049, 1051-1055, 1170, 1243, 1245, 1434, 1492, 1600, 1604, 1645, 1701, 1807, 1812, 1900, 1978, 1981, 1999, 2001-2002, 2023, 2049, 2115, 2140, 2801, 3024, 3129, 3150, 3283, 3527, 3700, 3801, 4000, 4092, 4156, 4569, 4590, 4781, 5000-5001, 5036, 5060, 5321, 5400-5402, 5503, 5569, 5632, 5742, 6073, 6502, 6670, 6771, 6912, 6969, 7000, 7300-7301, 7306-7308, 7778, 7789, 7938, 9872-9875, 9989, 10067, 10167, 11000, 11223, 
12223, 12345-12346, 12361-12362, 15253, 15345, 16969, 20001, 20034, 21544, 22222, 23456, 26274, 27444, 30029, 31335, 31337-31339, 31666, 31785, 31789, 31791-31792, 32771, 33333, 34324, 40412, 40421-40423, 40426, 47262, 50505, 50766, 51100-51101, 51109, 53001, 61466, 65000
Full Scan
All TCP and UDP ports (1-65535)
Quick Scan
TCP: 11, 13, 15, 17, 19-23, 25, 37, 42, 53, 66, 69-70, 79-81, 88, 98, 109-111, 113, 118-119, 123, 135, 139, 143, 220, 256-259, 264, 371, 389, 411, 443, 445, 464-465, 512-515, 523-524, 540, 548, 554, 563, 580, 593, 636, 749-751, 873, 900-901, 990, 992-993, 995, 1080, 1114, 1214, 1234, 1352, 1433, 1494, 1508, 1521, 1720, 1723, 1755, 1801, 2000-2001, 2003, 2049, 2301, 2401, 2447, 2690, 2766, 3128, 3268-3269, 3306, 3372, 3389, 4100, 4443-4444, 4661-4662, 5000, 5432, 5555-5556, 5631-5632, 5634, 5800-5802, 5900-5901, 6000, 6112, 6346, 6387, 6666-6667, 6699, 7007, 7100, 7161, 7777-7778, 8000-8001, 8010, 8080-8081, 8100, 8888, 8910, 9100, 10000, 12345-12346, 20034, 21554, 32000, 32768-32790
UDP: 7, 13, 17, 19, 37, 53, 67-69, 111, 123, 135, 137, 161, 177, 407, 464, 500, 517-518, 520, 1434, 1645, 1701, 1812, 2049, 3527, 4569, 4665, 5036, 5060, 5632, 6502, 7778, 15345
To view the scheduled scan list, go to Network Vulnerability Scan > Scan Schedule.
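Table 16 leaves one question to the operator: whether the services actually listening on a host fall inside the ports a given scan mode probes, which decides whether Quick is enough or Standard or Full is needed. The following Python script is an added example, not part of this guide or of FortiAnalyzer. It parses the port-list syntax Table 16 uses and embeds the Quick scan lists copied from the table; the Standard list is omitted for length, and Full is every port. The host inventory is constructed for the example.

```python
import re

# Quick scan port lists copied from Table 16 of the guide. The Standard list is
# omitted here for length; Full scan is every TCP and UDP port (1-65535).
QUICK_TCP = """
11, 13, 15, 17, 19-23, 25, 37, 42, 53, 66, 69-70, 79-81, 88, 98, 109-111, 113,
118-119, 123, 135, 139, 143, 220, 256-259, 264, 371, 389, 411, 443, 445, 464-465,
512-515, 523-524, 540, 548, 554, 563, 580, 593, 636, 749-751, 873, 900-901, 990,
992-993, 995, 1080, 1114, 1214, 1234, 1352, 1433, 1494, 1508, 1521, 1720, 1723,
1755, 1801, 2000-2001, 2003, 2049, 2301, 2401, 2447, 2690, 2766, 3128, 3268-3269,
3306, 3372, 3389, 4100, 4443-4444, 4661-4662, 5000, 5432, 5555-5556, 5631-5632,
5634, 5800-5802, 5900-5901, 6000, 6112, 6346, 6387, 6666-6667, 6699, 7007, 7100,
7161, 7777-7778, 8000-8001, 8010, 8080-8081, 8100, 8888, 8910, 9100, 10000,
12345-12346, 20034, 21554, 32000, 32768-32790
"""
QUICK_UDP = """
7, 13, 17, 19, 37, 53, 67-69, 111, 123, 135, 137, 161, 177, 407, 464, 500,
517-518, 520, 1434, 1645, 1701, 1812, 2049, 3527, 4569, 4665, 5036, 5060, 5632,
6502, 7778, 15345
"""


def expand_ports(spec):
    """Expand the table's port-list syntax ("1-3, 5, 7") into a set of ints.
    Ranges are inclusive; anything outside 1-65535 or reversed is rejected."""
    ports = set()
    for item in re.split(r"\s*,\s*", spec.strip()):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port item {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


ALL_PORTS = set(range(1, 65536))
SCAN_MODES = {
    "Quick": {"tcp": expand_ports(QUICK_TCP), "udp": expand_ports(QUICK_UDP)},
    "Full": {"tcp": ALL_PORTS, "udp": ALL_PORTS},
}


def is_scanned(mode, proto, port):
    """True if a scan in `mode` probes `port` on `proto` ("tcp" or "udp")."""
    return port in SCAN_MODES[mode][proto]


def uncovered_services(mode, inventory):
    """Given a host's listening ports ({"tcp": [...], "udp": [...]}), return the
    ones a scan in `mode` never probes, so no finding can be expected for them."""
    return {proto: sorted(p for p in ports if not is_scanned(mode, proto, p))
            for proto, ports in inventory.items()}


# Constructed inventory of one host's listening services (not from a real scan).
SAMPLE_HOST = {"tcp": [22, 80, 443, 3389, 5985, 8443, 27017], "udp": [161, 1900]}

if __name__ == "__main__":
    for mode in SCAN_MODES:
        print(mode, "would miss:", uncovered_services(mode, SAMPLE_HOST))
```

Feed uncovered_services the listening ports from a host's own inventory; any port it returns for the chosen mode will not appear in that scan's results, which is a gap in coverage rather than a clean result.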
This page displays the following information:
Create New: Select to add a scan schedule. See To schedule a scan: on page 267.
Start Scan: Select a schedule and click Start Scan to initiate an on-demand scan and override the schedule.
Stop: Select to stop an on-demand scan.
Pause: Select to pause an on-demand scan.
Resume: Select to resume an on-demand scan.
Name: The name of the scheduled scan.
Target: The assets selected for scanning.
Schedule: The scheduled scan time.
Status: The status of the scan process.
Progress: The progress of the scan process.
To schedule a scan:
1. Go to Network Vulnerability Scan > Scan Schedule.
2. Click Create New and enter the following information.
3. Configure the following settings:
Name: Enter a name for this scan schedule.
Available Assets: The current host assets. See Configuring host assets on page 260. Select an asset and click the right arrow to move it into the Member Assets field to be scanned.
Member Assets: The host assets are moved from the Available Assets field into this field for scanning.
Vulnerability Scan Mode: Select a scan mode.
  Quick: check only the most commonly used ports
  Standard: check the ports used by most known applications
  Full: check all TCP and UDP ports
  For a detailed list of the TCP and UDP ports examined by each scan mode, see Table 16 on page 266.
Schedule
Enable Schedule: Select to enable the scan schedule.
Recurrence: Select Daily, Weekly, or Monthly. If you select Weekly, the Day of Week drop-down list appears. If you select Monthly, the Day of Month drop-down list appears.
If you want to stop scanning for a certain time period, enter the time.
Select to enable the following scan options if required:
TCP port scan
UDP port scan
OS detection
Service detection
4. Click OK.
This page displays the following information:
View: Select to display a selected scan result.
Name: The name of the scan result. The results include on-demand and scheduled scans.
Start Time: The time when the scan started.
End Time: The time when the scan ended.
Status: The progress of the scan.
To view a scan result:
1. Go to Network Vulnerability Scan > Vulnerability Result > Vulnerability Result.
2. Select a scan result and click View. The network vulnerability scan report appears in the right-hand pane.
Figure 195: Vulnerability scan results page (figure callouts: Scan Name, Host Name)
This page displays the following information:
(Scan) Name: The name of the scan result.
Start Time: The time when the scan started.
End Time: The time when the scan ended.
Status: The progress of the scan.
Total Hosts: The total number of hosts scanned.
(Host) Name: The name of the scanned host. If the scanned host's type is Host, one host name appears. If the scanned host's type is Range, the names of the hosts in the IP range appear. For more information about host type, see Configuring host assets on page 260.
IP Address: The IP address of the scanned host.
OS Version: The version of the operating system of the scanned host.
Vulnerability Level: The vulnerability rating of the scanned host.
Total Vulnerabilities: The total number of vulnerabilities found on the host.
Vulnerability: The name of the vulnerability detected.
Page 270 FortiAnalyzer v4.3.6 Administration Guide
ID: Select the ID to view the details of the vulnerability in the FortiGuard Center.
Category: The category that the vulnerability belongs to.
Severity: The severity level of the vulnerability.
Port: The port of the host that was scanned to detect the vulnerability.
Tools
The Tools menu provides the ability to view the files on your FortiAnalyzer unit using the File Explorer, and to view packets on your network using the Network Analyzer. By default, the Tools menu is hidden. To make it visible, go to System > Admin > Settings and enable Show Network Analyzer, and enable Show File Explorer. For details, see Configuring the Web-based Manager's global settings on page 117.
This section contains the following topics:
Network analyzer
File explorer
Network analyzer
Network Analyzer can be used as an enhanced local network traffic sniffer to diagnose areas of the network where firewall policies may require adjustment, or where traffic anomalies occur. Network Analyzer logs all traffic seen by the interface for which it is enabled. If that network interface is connected to the span port of a switch, observed traffic will include all traffic sent through the switch by other hosts. You can then locate traffic that should be blocked, or that contains other anomalies. All captured traffic information is saved to the FortiAnalyzer hard disk. You can then display this traffic information directly, search it, or generate reports from it. This section describes how to enable and view traffic captured by the Network Analyzer. It also describes Network Analyzer log storage configuration options. Network Analyzer is not visible under the Tools menu until it is enabled in System > Admin > Settings.
To connect the FortiAnalyzer unit for use with the network analyzer feature:
1. Connect an Ethernet cable to a port on the FortiAnalyzer unit other than the port used to collect device logs. For example, if you receive logs and quarantined files on port1, you might use Network Analyzer on port2. Using a separate port for sniffing prevents log and quarantine traffic from cluttering Network Analyzer messages, and enables you to analyze networks without tampering with network settings related to normal logging and quarantine activity.
2. Connect the other end of the Ethernet cable to the span or mirroring port of an Ethernet switch. If connected to the span or mirror port of a switch, Network Analyzer can observe all traffic passing through the switch.
3. In the Web-based Manager, go to System > Admin > Settings > GUI Menu Customization, enable Show Network Analyzer and select Apply.
Figure 197: Enable Network Analyzer in GUI Menu Customization
4. In the Web-based Manager, go to System > Network > Interface.
5. If the interface you will use with Network Analyzer is currently down, select Bring Up to enable it.
6. Select Edit for the interface you will use with Network Analyzer.
7. In the IP/Netmask field, enter the IP address and netmask for the interface, such as 100.20.10.110/255.255.255.0.
8. Select OK.
You can now configure Network Analyzer settings in Tools > Network Analyzer > Config.
Figure 198: Configure Network Analyzer settings
This page displays the following information:
Type: The type of log you are viewing.
Historical Log: Select to view the historical Network Analyzer log messages. For more information, see Viewing historical network analyzer log messages on page 276.
Pause: Select to stop updating the realtime logs.
Column Settings: Select to change the columns to view and the order they appear on the page. For more information, see Displaying and arranging log columns on page 280.
Search: Enter a keyword to perform a simple search on the available log information, then press the Enter key to begin the search.
Last Activity: The date and time the traffic was transmitted.
Src: The IP address of the sender of the traffic.
Dst: The IP address of the recipient of the traffic.
Src Port: The port a UDP or TCP packet was being sent from.
Dst Port: The port a UDP or TCP packet was being sent to.
Protocol: The protocol used when sending the traffic.
Message: Information payload of the traffic sent through the switch.
View n per page: Select the number of rows of log entries to display per page.
Change Display Options
Resolve Host Name: Select to display host names by a recognizable name rather than IP addresses. For more information about configuring IP address host names, see Configuring IP aliases on page 137.
Resolve Service: Select to display the network service names rather than the port numbers, such as HTTP rather than port 80.
Formatted: Select to display the Network Analyzer log files in columnar format. This is the default view. For more information, see Customizing the network analyzer log view on page 280.
Raw: Select to display the Network Analyzer log information as it actually appears in the log file. For more information, see Customizing the network analyzer log view on page 280.
Current Page
This page displays the following information:
Type: The type of log you are viewing.
Timeframe: Select the time frame during which you want to view the logs.
Realtime Log: Select to view the realtime Network Analyzer log messages. For more information, see Viewing current network analyzer log messages on page 274.
Column Settings: Select to change the columns to view and the order they appear on the page. For more information, see Displaying and arranging log columns on page 280.
Printable Version: Select to download an HTML file containing all log messages that match the current filters. The HTML file is formatted to be printable. Time required to generate and download large reports varies by the total amount of log messages, the complexity of any search criteria, the specificity of your column filters, and the speed of your network connection.
Download Current View: Select to download only those log messages which are currently visible, according to enabled filters.
Search: Enter a keyword to perform a simple search on the log information available. Press Enter to begin the search.
Advanced: Select to search the Network Analyzer log files for matching text using two search types: Quick Search and Full Search. For more information, see Searching the network analyzer logs on page 283.
Last Activity: The date and time the traffic was transmitted.
Src: The IP address of the sender of the traffic.
Dst: The IP address of the recipient of the traffic.
Src Port: The port a UDP or TCP packet was being sent from.
Dst Port: The destination port of the traffic.
Protocol: The protocol used when sending the traffic.
Message: Information payload on the traffic sent through the switch.
View n per page: Select the number of rows of log entries to display per page.
Current page: By default, the first page of vulnerabilities is displayed. The total number of pages appears after the current page number. For example, if 2 of 10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.
Change Display Options
Resolve Host Name: Select to display host names by a recognizable name rather than IP addresses. For more information about configuring IP address host names, see Configuring IP aliases on page 137.
Resolve Service: Select to display the network service names rather than the port numbers, such as HTTP rather than port 80.
Formatted: Select to display the Network Analyzer log files in columnar format. This is the default view. For more information, see Customizing the network analyzer log view on page 280.
Raw: Select to display the Network Analyzer log information as it actually appears in the log file. For more information, see Customizing the network analyzer log view on page 280.
For more information about setting the maximum file size and log rolling options, see Rolling and uploading network analyzer logs on page 286.
To view the log file list, go to Tools > Network Analyzer > Browse.
Figure 201: Network analyzer log file list page
This page displays the following information:
Display: Select to view the contents of the selected log file.
Download: Select to save the selected log file to your local hard disk.
From: The date and time when the FortiAnalyzer unit starts to generate the log file.
To: The date and time when the FortiAnalyzer unit completes generating the log file, when the file reaches its maximum size or the scheduled time.
Size (bytes): The size of the log file.
3. Click Download.
4. Select any of the following download options you want and click OK.
Figure 202: Download log file window
5. Configure the following settings:
Log file format: Downloads the log in text (.txt), comma-separated value (.csv), or standard .log (native) format. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.
Compress with gzip: Compress the .log or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.
6. If prompted by your web browser, select a location to save the file, or open it without saving.
To download a partial (filtered) log file:
1. Go to Tools > Network Analyzer > Browse.
2. Select a log file.
3. Click Display.
Figure 203: Download a partial (filtered) log file
4. Select a filter icon to restrict the current view to only items which match your criteria, then select OK. For more information about filtering information, see Filtering logs on page 181.
5. Select Download Current View.
6. Select any of the download options you want and click OK.
Log file format: Downloads the log in text (.txt), comma-separated value (.csv), or standard .log (native) format. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.
Compress with gzip: Compress the .log or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.
7. If prompted by your web browser, select a location to save the file, or open it without saving.
3. Select Formatted or Raw. If you select Formatted, options appear that enable you to display and arrange log columns and/or filter log columns.
To display or hide columns:
1. Go to a page which displays log messages, such as Tools > Network Analyzer > Historical.
2. Select Column Settings.
Figure 205: Column display settings window
Lists of available and displayed columns for the log type appear.
3. Select which columns to hide or display. In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Display Fields area. Alternatively, to display all columns, select the double right arrow. In the Display Fields area, select the names of individual columns you want to hide, then select the single left arrow to move them to the Available Fields area. Alternatively, to hide all columns, select the double left arrow. To return all columns to their default displayed/hidden status, select Default.
4. Select OK.
To change the order of the columns:
1. Go to a page which displays log messages, such as Tools > Network Analyzer > Historical.
2. Select Column Settings. Lists of available and displayed columns for the log type appear.
3. In the Display Fields area, select a column name whose order of appearance you want to change.
4. Select the up or down arrow to move the column in the ordered list. Placing a column name towards the top of the Display Fields list will move the column toward the left side of the formatted log view.
5. Select OK.
Filtering logs
When viewing log messages in formatted view, you can filter columns to display only those log messages that do or do not contain your specified content in that column. By default, most column headings contain a gray filter icon, which becomes green when a filter is configured and enabled.
Filters do not appear in raw view, or for unindexed log fields in formatted view. When viewing realtime logs, you cannot filter on the time column: by definition of the realtime aspect, only current logs are displayed.
To filter log messages by column contents:
1. In the heading of the column that you want to filter, select the filter icon.
Figure 207: Filters window
2. If you want to exclude log messages with matching content in this column, select NOT. If you want to include log messages with matching content in this column, deselect NOT.
3. Enter the text that matching log messages must contain. Matching log messages will be excluded or included in your view based upon whether you have selected or deselected NOT.
4. Select OK. A column's filter icon is green when the filter is currently enabled.
To disable a filter:
1. In the heading of the column whose filter you want to disable, select the filter icon. A column's filter icon is green when the filter is currently enabled.
2. To disable the filter on this column, click the Remove Filter icon (x). Alternatively, to disable the filters on all columns, select Clear all filters. This disables the filter; it does not delete any filter text you might have configured.
3. Select OK. A column's filter icon is gray when the filter is currently disabled.
Filtering tips
When filtering by source or destination IP, you can use the following in the filtering criteria:
a single address (2.2.2.2)
an address range using a wild card (1.2.2.*)
an address range (1.2.2.1-1.2.2.100)
You can also use a Boolean operator (or) to define mutually exclusive choices: 1.1.1.1 or 2.2.2.2; 1.1.1.1 or 2.2.2.*; 1.1.1.1 or 2.2.2.1-2.2.2.10.
Most column filters require that you enter the column's entire contents to successfully match and filter contents; partial entries do not match the entire contents, and so will not create the intended column filter. For example, if the column contains a source or destination IP address (such as 192.168.2.5), to create a column filter, enter the entire IP address to be matched. If you enter only one octet of the IP address (such as 192), the filter will not completely match any of the full IP addresses, and so the resulting filter would omit all logs, rather than including those logs whose IP address contains that octet. Exceptions to this rule include columns that contain multiple words or long strings of text, such as messages or URLs. In those cases, you may be able to filter the column using a substring of the text contained by the column, rather than the entire text contained by the column.
Configure the following settings:
Time Period: Select to search logs from a time frame, or select Specify and define a custom time frame by selecting the From and To dates and times.
From: Enter the date and select the time of the beginning of the custom time range. This option appears only when Date is Specify.
To: Enter the date and select the time of the end of the custom time range. This option appears only when Date is Specify.
Keyword(s): Enter search terms which will be matched to yield log message search results. To specify that results must include all, any, or none of the keywords, select from Match.
Quick Search: Select to perform a Quick Search, whose keywords cannot contain special characters and that searches only indexed fields.
Full Search: Select to perform a Full Search, whose keywords may contain special characters, and that searches all log message fields. The time of the search varies by the complexity of the search query and the amount of log messages to be searched.
Select to stop the search process.
Select the blue arrow to hide or expand additional search options.
Other Filters: Specify additional criteria, if any, that can be used to further restrict the search criteria.
  Src IP: Enter an IP address to include only log messages containing a matching source IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing src=192.168.2.1.
  Dst IP: Enter an IP address to include only log messages containing a matching destination IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing dst=192.168.2.1.
Search tips
If your search does not return the results you expect, but log messages exist that should contain matching text, examine your keywords and filter criteria using the following search characteristics and recommendations.
Separate multiple keywords with a space (arp who-has 1.1.1.1).
Keywords cannot contain unsupported special characters. Supported characters vary by selection of Quick Search or Full Search.
Keywords must literally match log message text, with the exception of case insensitivity and wild cards; resolved names and IP aliases will not match.
Some keywords will not match unless you include both the log field name and its value, surrounded by quotes (Ack=2959769124).
Remove unnecessary keywords and search filters which can exclude results. For a log message to be included in the search results, all keywords must match; if any of your keywords does not exist in the message, the match will fail and the message will not appear in search results.
You can use the asterisk (*) character as a wild card (192.168.2.*). For example, you could enter any partial term or IP address, and then enter * to match all terms that have identical beginning characters or numbers.
You can search for IP ranges, including subnets. For example:
172.168.1.1/24 or 172.168.1.1/255.255.255.0 matches all IP addresses in the subnet 172.168.1.1/255.255.255.0
172.168.1.1-140.255 matches all IP addresses from 172.168.1.1 to 172.168.140.255
The search returns results that match all of the search terms. For example, consider two similar keyword entries: 172.20.120.127 tcp and 172.20.120.127 udp. If you enter the keywords 172.20.120.127 tcp, UDP traffic would not be included in the search results, since although the first keyword (the IP address) matches, the second keyword, tcp, does not match.
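The matching rules spelled out under Filtering tips and under Search tips are easy to get wrong when building a query by hand (a partial octet matches nothing, every keyword must match, abbreviated range ends borrow octets from the start). The following Python module is an added example, not part of this guide or of the FortiAnalyzer software, that implements those rules as described on both pages so a query can be checked against a few entries before it is typed into the Web-based Manager. The function names, the entry layout and the log entries themselves are constructed for the example; the term syntax is the guide's.

```python
import fnmatch
import ipaddress
import re

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# A term to be matched as an address: a dotted prefix, optionally with a '*'
# wild card, a /prefix-length or /netmask, or a '-end' range. A lone octet such
# as '192' is deliberately not an address term, as the filtering tips describe.
IP_TERM = re.compile(r"\d+\.[\d.*]*(?:/[\d.]+|-[\d.]+)?")


def ip_term_matches(term, ip):
    """True if dotted-quad `ip` is covered by `term` in the syntax the guide accepts:
    2.2.2.2 (single), 1.2.2.* (wild card), 172.168.1.1/24 or /255.255.255.0 (subnet),
    1.2.2.1-1.2.2.100 (range) or 172.168.1.1-140.255 (range whose end replaces the
    trailing octets of the start). Malformed terms match nothing."""
    try:
        addr = ipaddress.IPv4Address(ip)
        if "/" in term:
            return addr in ipaddress.IPv4Network(term, strict=False)
        if "-" in term:
            start, end = term.split("-", 1)
            end_octets = end.split(".")
            if len(end_octets) < 4:  # abbreviated end: borrow leading octets from start
                end = ".".join(start.split(".")[:4 - len(end_octets)] + end_octets)
            return ipaddress.IPv4Address(start) <= addr <= ipaddress.IPv4Address(end)
        if "*" in term:
            return fnmatch.fnmatchcase(ip, term)
        return addr == ipaddress.IPv4Address(term)
    except ValueError:
        return False


def column_filter_matches(value, criteria, negate=False):
    """Column filter as described under Filtering tips: the whole column value
    must match one of the 'or'-separated alternatives (address terms use the
    syntax above, anything else is compared literally); `negate` is the NOT box."""
    alternatives = re.split(r"\s+or\s+", criteria.strip(), flags=re.IGNORECASE)
    hit = any(
        ip_term_matches(alt, value)
        if IP_TERM.fullmatch(alt) and IPV4.fullmatch(value)
        else alt.lower() == value.lower()
        for alt in alternatives
    )
    return hit != negate


def _keyword_matches(keyword, tokens):
    if IP_TERM.fullmatch(keyword):
        return any(IPV4.fullmatch(t) and ip_term_matches(keyword, t) for t in tokens)
    return any(fnmatch.fnmatchcase(t, keyword) for t in tokens)  # literal or '*' wild card


def keyword_search(entries, query):
    """Simple search as described under Search tips: keywords are split on spaces,
    every keyword must match the entry (so '172.20.120.127 tcp' excludes UDP
    traffic), matching is case-insensitive and literal apart from '*' wild cards,
    and address keywords may be subnets or ranges. A field=value keyword such as
    ack=2959769124 matches only when the message carries it in that exact form."""
    keywords = query.lower().split()
    results = []
    for entry in entries:
        text = " ".join(str(v) for v in entry.values()).lower()
        tokens = re.split(r"[\s,;()]+", text)
        if all(_keyword_matches(kw, tokens) for kw in keywords):
            results.append(entry)
    return results


# Constructed Network Analyzer-style entries (not captured from a real unit).
SAMPLE_LOGS = [
    {"src": "192.168.2.5", "dst": "172.20.120.127", "dst_port": 80, "proto": "tcp",
     "msg": "192.168.2.5 > 172.20.120.127 flags S seq=2959769123"},
    {"src": "172.20.120.127", "dst": "192.168.2.5", "dst_port": 51234, "proto": "tcp",
     "msg": "172.20.120.127 > 192.168.2.5 flags S. ack=2959769124"},
    {"src": "192.168.2.9", "dst": "172.20.120.127", "dst_port": 53, "proto": "udp",
     "msg": "192.168.2.9 > 172.20.120.127 A? example.test"},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "dst_port": 0, "proto": "arp",
     "msg": "arp who-has 10.0.0.2 tell 10.0.0.1"},
]

if __name__ == "__main__":
    for query in ("172.20.120.127 tcp", "192.168.2.0/24 udp", "arp who-has 10.0.0.*", "192"):
        print(f"{query!r}: {len(keyword_search(SAMPLE_LOGS, query))} match(es)")
```

The last query in the usage loop, a bare 192, returns nothing: it is neither a full address nor a literal token, which is exactly the partial-entry behaviour both pages warn about.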
Large logs require more time to download. Download times can be improved by selecting Compress with gzip.
To download log search results:
1. Go to Tools > Network Analyzer > Historical.
2. Perform a search using either simple or advanced search. If your search finds one or more matching log events, a Download Current View button appears next to the Printable Version button.
3. Select Download Current View. Options appear for the download's file format and compression.
4. Select the download options that you want, then select OK.
Log file format: Downloads the log file in text (.txt), comma-separated value (.csv), or standard .log (Native) file format.
Compress with gzip: Compress the downloaded log file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.
5. If prompted by your web browser, select a location to save the file, or open it without saving.
Configure the following settings:
Enable Network Analyzer on: Enable and select the port on which Network Analyzer observes traffic. If you disable this option and log out, Network Analyzer will be hidden in the web-based manager menu. For more information on re-enabling Network Analyzer and making it visible again, see Connecting the FortiAnalyzer unit to analyze network traffic on page 272.
Allocated Disk Space (MB): Enter the amount of disk space reserved for Network Analyzer logs. The dialog also displays the amount used of the allocated space.
When Allocated Disk Space is All Used: Select what the FortiAnalyzer unit does when the allocated disk space is filled up: either overwrite the older log file or stop logging until you can clear some room. To avoid completely filling the hard disk, use the log rolling and uploading options.
Reuse settings from standard logs: Select to use the same log rolling and uploading settings that you set for standard log files in Logs > Config. This option is selected by default.
Log rolling settings: Define when the FortiAnalyzer unit should roll its Network Analyzer log files. This option becomes active only if you deselect Reuse settings from standard logs.
Enter the maximum size of each Network Analyzer log file. When the log file reaches the specified maximum size, the FortiAnalyzer unit saves the current log file with an incremental number and starts a new active log file. For example, when the maximum size is reached, the current xlog.log is renamed to xlog.n.log, then a new xlog.log is created to receive new log messages.
Set the time of day when the FortiAnalyzer unit renames the current log file and starts a new active log file.
Daily: Roll log files daily, even if the log file has not yet reached the maximum file size.
Weekly: Roll log files weekly, even if the log file has not yet reached the maximum file size.
Optional: Roll log files only when the log file reaches the maximum file size, regardless of time interval.
Select to upload log files to a server when a log file rolls. Select the protocol to use when uploading to the server:
File Transfer Protocol (FTP)
Secure File Transfer Protocol (SFTP)
Secure Copy Protocol (SCP)
Enter the IP address of the log upload server.
Enter the user name required to connect to the upload server. By default, the user name is anonymous; select the field to enter a different user name.
Enter the password required to connect to the upload server.
Re-enter the password to verify correct entry.
Enter a location on the upload server where the log file should be saved.
Select when the FortiAnalyzer unit should upload files to the server.
When rolled: Uploads logs whenever the log file is rolled, based on Log file should be rolled.
Daily at: Uploads logs at the configured time, regardless of when or at what size the file rolls according to Log file should be rolled.
Select to upload the log file in text (.txt), comma-separated value (.csv), or standard .log (native) file format.
Select to compress the log files in gzip format before uploading to the server.
Delete files after uploading: Select to remove the log file from the FortiAnalyzer hard disk once the FortiAnalyzer unit completes the upload.
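To make the rolling and upload options concrete, the following Python simulation is an added example and is not FortiAnalyzer code. It implements the behaviour described above: xlog.log is renamed to xlog.n.log with an incrementing n when it reaches the maximum size or when a Daily or Weekly roll time is reached, a new xlog.log is started, and a rolled file can be gzip-compressed to xlog.n.log.gz and removed afterwards, as the upload options do. The LogRoller and gzip_for_upload names, the 100-byte limit and the timestamps in demo() are constructed for the example; the upload itself is not performed.

```python
import gzip
import os
import shutil
import tempfile
from datetime import datetime, timedelta


class LogRoller:
    """Size- and schedule-based rolling of an active xlog.log file (simulation)."""

    def __init__(self, directory, max_size_bytes, schedule="optional",
                 roll_hour=0, roll_minute=0, now=None):
        if schedule not in ("daily", "weekly", "optional"):
            raise ValueError("schedule must be daily, weekly or optional")
        self.directory = directory
        self.max_size = max_size_bytes
        self.schedule = schedule
        self.roll_hour, self.roll_minute = roll_hour, roll_minute
        self.active = os.path.join(directory, "xlog.log")
        self.next_index = 1                      # the n in xlog.n.log
        open(self.active, "a").close()           # create the active file if absent
        self.next_roll = self._first_roll_after(now or datetime.now())

    def _first_roll_after(self, now):
        # Optional: roll on size only. Daily/Weekly: next occurrence of the roll time.
        if self.schedule == "optional":
            return None
        due = now.replace(hour=self.roll_hour, minute=self.roll_minute,
                          second=0, microsecond=0)
        return due + timedelta(days=1) if due <= now else due

    def roll(self):
        """Rename xlog.log to xlog.n.log and start an empty xlog.log; None if empty."""
        if os.path.getsize(self.active) == 0:
            return None
        rolled = os.path.join(self.directory, f"xlog.{self.next_index}.log")
        os.replace(self.active, rolled)
        self.next_index += 1
        open(self.active, "w").close()
        return rolled

    def write(self, line, now):
        """Append one log line at time `now`, rolling first by schedule, then by size."""
        if self.next_roll is not None and now >= self.next_roll:
            self.roll()
            step = timedelta(days=7 if self.schedule == "weekly" else 1)
            while self.next_roll <= now:
                self.next_roll += step
        with open(self.active, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
        if os.path.getsize(self.active) >= self.max_size:
            self.roll()


def gzip_for_upload(path, delete_original=False):
    """Compress a rolled file as <name>.gz (xlog.1.log -> xlog.1.log.gz) for upload.

    delete_original mirrors the "Delete files after uploading" option; the upload
    itself is not performed in this example.
    """
    gz_path = path + ".gz"
    with open(path, "rb") as src, gzip.open(gz_path, "wb") as dst:
        shutil.copyfileobj(src, dst)
    if delete_original:
        os.remove(path)
    return gz_path


def demo():
    """Drive the roller with constructed lines and report what rolled."""
    directory = tempfile.mkdtemp(prefix="xlog-demo-")
    start = datetime(2013, 3, 1, 10, 0)
    roller = LogRoller(directory, max_size_bytes=100, schedule="daily", now=start)
    # Seven 40-byte lines: size rolls after lines 3 and 6, leaving one line active.
    for i in range(7):
        roller.write(f"entry {i:02d} " + "x" * 30, start + timedelta(minutes=i))
    # Next day, past the 00:00 roll time: the daily schedule rolls the small file.
    roller.write("entry 07 " + "x" * 30, start + timedelta(days=1))
    rolled = sorted(f for f in os.listdir(directory) if f != "xlog.log")
    gz = gzip_for_upload(os.path.join(directory, rolled[0]), delete_original=True)
    with open(roller.active, encoding="utf-8") as fh:
        active_lines = sum(1 for _ in fh)
    return {
        "rolled": rolled,
        "active_lines": active_lines,
        "uploaded": os.path.basename(gz),
        "original_deleted": not os.path.exists(os.path.join(directory, rolled[0])),
    }


if __name__ == "__main__":
    print(demo())
```

The scheduled roll runs before the new line is appended, so a file that is still below the size limit is rolled at the configured time, which is the Daily/Weekly behaviour described above; with schedule="optional" only the size check applies.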
File explorer
File Explorer is not enabled by default. To enable File Explorer, go to System > Admin > Settings and enable Show File Explorer under GUI Menu Customization. File Explorer displays the FortiAnalyzer unit's directories and files. There are two main directories:
Archive: Contains files associated with eDiscovery, full DLP archiving, and the quarantine.
Storage: Contains information unlikely to change once written, like logs and reports.
The file explorer lists log files stored using the Proprietary Index file system only. If you have enabled SQL database storage, logs stored using that method will not appear in the file explorer.
To expand or hide the two main directories or their subdirectories, click the plus or minus icon located beside each directory name. For details, see Configuring the Web-based Manager's global settings on page 117.
Figure 210: File explorer window
Maintaining Firmware
Fortinet recommends reviewing this section before upgrading or downgrading the FortiAnalyzer firmware because it contains important information about how to properly back up your current configuration settings and log data, including what to do if the upgrade or downgrade is unsuccessful. In addition to firmware images, Fortinet releases patch releases: maintenance release builds that resolve important issues. Fortinet strongly recommends reviewing the release notes for the patch release before upgrading the firmware. Installing a patch release without reviewing the release notes or testing the firmware may result in changes to settings or unexpected issues. Fortinet recommends upgrading the FortiAnalyzer unit during a low traffic period, for example at night, because the upgrade re-indexes log data. During the upgrade process, the FortiAnalyzer unit re-indexes log data, which takes time to complete if there is a large amount of log data. You can verify that the indexing of log data is complete by viewing the Alert Message console on the Dashboard. Downgrading from FortiAnalyzer v4.0 to FortiAnalyzer v3.0 MR7 is not supported.
FortiAnalyzer v3.0 MR7 is no longer supported (EOS) as of July 18, 2011. FortiAnalyzer v4.0 is no longer supported (EOS) as of February 24, 2012. FortiAnalyzer v4.0 MR1 is no longer supported (EOS) as of August 24, 2012.
This section includes the following topics:
Firmware upgrade path and general firmware upgrade steps
Backing up your configuration
Testing firmware before upgrading/downgrading
Installing firmware from the BIOS menu in the CLI
Upgrading your FortiAnalyzer unit
Upgrade path figure: v3.0 MR6 > v3.0 MR7 > v4.0 > v4.0 MR1 > v4.0 MR2 > v4.0 MR3
Follow the general upgrade steps below:
1. Download and review the release notes for the firmware release.
2. Download the firmware release.
3. Back up the current configuration. See Backing up your configuration on page 291.
4. Test the firmware. See Testing firmware before upgrading/downgrading on page 293 and Installing firmware from the BIOS menu in the CLI on page 295.
5. Upgrade the firmware. See Upgrading your FortiAnalyzer unit on page 295.
Always back up your configuration and log data before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.
Fortinet recommends backing up all configuration settings from your FortiAnalyzer unit before upgrading. This ensures all configuration settings are retained if you later want to downgrade and want to restore those configuration settings.
To back up your configuration file through the Web-based Manager:
1. Go to System > Maintenance > Backup & Restore.
Figure 212: Backup & Restore menu
2. Select Local PC from the Backup Configuration to list.
3. If you want to encrypt your configuration file, select Encrypt configuration file, enter a password, and enter the password again to confirm.
4. Select Backup.
5. Select one of the following:
Log file format: Select to download log files in text (.txt), comma-separated value (.csv), or standard .log (native) file format. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.
Compress with gzip: Compress the .log or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.
6. Select OK.
7. Select a location when prompted by your web browser to save the file.
To back up log files through the CLI:
Enter the following to back up all log files:
execute backup logs all {ftp | sftp | scp} <server_ipv4> <username_str> <password_str> <directory_str>
After successfully backing up your configuration file, either from the CLI or the Web-based Manager, proceed with upgrading.
After you test the firmware, and reboot the FortiAnalyzer unit, the original configuration is cleared. You need to restore the configuration after testing the firmware.
To test the firmware image before upgrading/downgrading:
1. Copy the new firmware image file to the root directory of the TFTP server.
2. Start the TFTP server.
3. Log in to the CLI.
4. Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiAnalyzer unit and TFTP server are successfully connected.
5. Enter the following to restart the FortiAnalyzer unit:
execute reboot
6. As the FortiAnalyzer unit reboots, a series of system startup messages appears. Wait until the following message appears:
Press any key to display configuration menu
7. Immediately press any key to interrupt the system startup.
You have only three seconds to press any key. If you do not press a key soon enough, the FortiAnalyzer unit reboots and you must log in and repeat steps 3 to 7.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[C]: Configuration and information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
8. Type G to get the new firmware image from the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:
9. Type the address of the TFTP server and press Enter. The following message appears:
Enter Local Address [192.168.1.188]:
10. Type the internal IP address of the FortiAnalyzer unit. This IP address connects the FortiAnalyzer unit to the TFTP server. It must be on the same network as the TFTP server, but make sure you do not use the IP address of another device on the network. The following message appears:
Enter firmware image file name [image.out]:
11. Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiAnalyzer unit and the following appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
12. Type R. The FortiAnalyzer firmware image installs and saves to system memory. The FortiAnalyzer unit starts running the new firmware image with the current configuration. When you are done testing the firmware, you can reboot the FortiAnalyzer unit and resume using the original firmware. You will need to restore the original configuration file after the testing.
If you encounter access problems to the Web-based Manager after upgrading the firmware, you can re-install the previous firmware image from the BIOS menu in the CLI. During some upgrades, the firmware image may not install successfully on the FortiAnalyzer unit, which may be caused by a corrupted firmware image. To install firmware from the BIOS menu, use the procedure in Testing firmware before upgrading/downgrading on page 293. At step 12 in the procedure, enter D instead of R. The option D installs the firmware permanently on the FortiAnalyzer unit, as the default firmware.
The FortiAnalyzer upgrade path is as follows: v3.0 MR6 > v3.0 MR7 > v4.0 > v4.0 MR1 > v4.0 MR2 > v4.0 MR3. However, the RVS configuration will not be carried forward and the FortiGuard configuration will be reset to its defaults.
Always back up your configuration and log data before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.
To upgrade through the Web-based Manager:
1. Copy the firmware image file to your management computer.
2. Log in to the Web-based Manager as the administrative user.
3. Go to System > Dashboard > Status.
4. In the System Information area, select Update for Firmware Version.
5. Enter the path of the firmware image file, or select Browse and locate the file.
6. Select OK.
7. The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiAnalyzer login. This process may take a few minutes.
When the upgrade is successfully installed:
Ping your FortiAnalyzer unit to verify there is still a connection.
Clear the browser's cache and log in to the Web-based Manager.
After logging back in to the Web-based Manager, go to System > Maintenance > Backup & Restore and save the configuration settings that are carried forward.
Upgrade notice
If you use the proprietary indexed file system for log storage in v4.0 MR2, after upgrading to v4.0 MR3, an upgrade notice appears when you log in to the Web-based Manager, asking if you want to switch to the SQL database and migrate all logs to the SQL database. Figure 214:Database upgrade notice
If you want to switch to the SQL database, click Upgrade Now and select local or remote SQL database, then click OK. For more information about SQL database configuration, see Configuring SQL database storage on page 119. Your logs stored in the proprietary indexed file system will still be kept after the switch. Database switch affects report configuration. For more information, see Reports on page 203.
Maintaining Firmware Page 296 FortiAnalyzer v4.3.6 Administration Guide
Always back up your configuration and log data before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.
The following procedure assumes that you have already downloaded the firmware image to your management computer. The procedure may vary depending on the firmware versions you use for the upgrade.
To upgrade the FortiAnalyzer unit through the CLI:
1. Copy the new firmware image file to the root directory of the TFTP server.
2. Start the TFTP server.
3. Log in to the CLI.
4. Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiAnalyzer unit and TFTP server are successfully connected.
5. Enter the following command to copy the firmware image from the TFTP server to the FortiAnalyzer unit:
execute restore image tftp <name_str> <tftp_ip4>
where <name_str> is the name of the firmware image file and <tftp_ip4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiAnalyzer unit responds with a message similar to the following:
This operation will replace the current firmware version! Do you want to continue? (y/n)
6. Type y. The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
7. Reconnect to the CLI.
8. Enter the following command to confirm that the firmware image installed successfully:
get system status
Troubleshooting
This chapter provides troubleshooting techniques for some frequently encountered problems. It includes general troubleshooting methods and specific troubleshooting tips using both the command line interface (CLI) and the Web-based Manager. Some CLI commands provide troubleshooting information not available through the Web-based Manager. The Web-based Manager is better suited for viewing large amounts of information on screen, reading logs and archives, and viewing status through the dashboard. For more information on troubleshooting, see the Knowledge Base. This section contains the following topics:
Troubleshooting process
Troubleshooting FortiAnalyzer issues
Troubleshooting process
Before you begin troubleshooting, you need to prepare. Doing so will shorten the time to solve your issue. This section includes the following topics:
Establish a baseline
Define the problem
Gathering facts
Search for a solution
Create a troubleshooting plan
Gather system information
Check port assignments
Troubleshoot connectivity issues
Obtain any required additional equipment
Ensure you have administrator access to required equipment
Contact customer service & support
Establish a baseline
Note that many of these questions compare the current situation to normal operation. For this reason, Fortinet recommends that you know what your normal operating status is. This can easily be accomplished through logs, or by regularly running information gathering commands and saving the output. Then, when there is a problem, this regular operation data will enable you to determine what is different. It is a good idea to back up the FortiAnalyzer configuration for your unit on a regular basis. Apart from troubleshooting, if you accidentally change something, the backup can help you restore normal operation efficiently.
Gathering facts
Fact gathering is an important part of defining the problem. Consider the following: Where did the problem occur? When did the problem occur and to whom? What components are involved? What is the affected application? Can the problem be traced using a packet sniffer? Can the problem be traced in the session table? Can log files be obtained that indicate that a failure has occurred? Answers to these questions will help you narrow down the problem, and what you have to check during your troubleshooting. The more things you can eliminate, the fewer things you need to check during troubleshooting.
Table 17: Web-based Manager information gathering features
System > Dashboard > Status: Displays a dashboard with widgets that each indicate a performance level or other status. By default, widgets display the serial number and current system status of the FortiAnalyzer unit, including uptime, system resource usage, host name, firmware version, system time, and log throughput. The dashboard also contains a CLI widget that enables you to use the command line through the Web-based Manager. These widgets appear on a single dashboard.
System > Network > Interface: Displays details about each configured system interface (port).
System > Network > Routing: Displays a list of configured static routes including their IPs, masks, and gateways.
Table 18: CLI information gathering features
diagnose debug crashlog: Displays details on application proxies that have backtraces, list traps, and registration dumps.
diagnose debug report: Displays the FortiAnalyzer configuration.
diagnose fortiguard status: Displays the running status of the FortiGuard daemon.
diagnose netlink: Displays the netlink information, including the FortiAnalyzer unit's interface statistics, interface status and parameters, the physical and virtual IP addresses associated with the network interfaces of the FortiAnalyzer unit, routing table contents, routing cache information, TCP socket information, and UDP socket information.
diagnose sniffer packet: Performs a packet trace on a specified network interface.
diagnose sys: Displays the system information.
diagnose test: Tests the connectivity of the remote LDAP authentication server.
execute ping: Tests connectivity to other devices on your network or elsewhere.
execute traceroute: Traces the route of packets between the FortiAnalyzer unit and a specified server.
get system performance: Displays CPU usage, memory usage, and uptime.
get system status: Provides the firmware version, serial number, BIOS, and host name.
The above CLI commands explain how to display data. Many of these commands also have options for modifying data. For CLI command syntax details for these and other commands, see the FortiAnalyzer v4.0 MR3 CLI Reference.
If any of these checks solve the problem, it was a hardware connection issue. You should still perform some basic software tests to ensure complete connectivity. If the hardware connections are correct and the unit is powered on but you cannot connect using the CLI or Web-based Manager, you may be experiencing bootup problems. See Bootup issues on page 316.
If ping does not work, you likely have it disabled in at least one of the interface settings or firewall policies for that interface.
Both ping and traceroute require particular ports to be open on firewalls to function. Since you typically use these tools to troubleshoot, you can allow them in the firewall policies and on interfaces only when you need them, and otherwise keep the ports disabled for added security.
2. In the command window, enter the ping command and an IP address, for example:
ping 172.20.120.169
Ping options include:
-t, to send packets until you press Control-C
-a, to resolve addresses to domain names where possible
-n x, where x is an integer stating the number of packets to send
To ping a device from a Linux PC:
1. Go to a command line prompt.
2. Enter:
ping 172.20.120.169
2. Enter the tracert command to trace the route from the host PC to the destination web site, for example:
tracert fortinet.com
In the tracert output, the first, or left, column is the hop count, which cannot go over 30 hops. The second, third, and fourth columns are how long each of the three packets takes to reach this stage of the route. These values are in milliseconds and normally vary quite a bit. Typically a value of <1ms indicates a local connection. The fifth, or far right, column is the domain name of that device and its IP address, or possibly just the IP address.
To use traceroute on a Linux PC:
1. Go to a command line prompt.
2. Enter:
traceroute fortinet.com
The Linux traceroute output is very similar to the MS Windows tracert output.
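As an added example that is not part of this guide, the following Python parser reads tracert output into the columns described above (hop count, the three per-packet times, and the device name or address) and flags hops that did not reply, which is the first thing to look for when a trace stalls. The SAMPLE_TRACERT text is constructed with placeholder addresses from the documentation ranges and a placeholder hostname; the parse_tracert and summarize names are assumptions.

```python
import re

# Constructed Windows tracert output; hostnames and addresses are placeholders
# (TEST-NET ranges), not real route data.
SAMPLE_TRACERT = """\
Tracing route to fortinet.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    13 ms  gw.example.net [198.51.100.1]
  3     *        *        *     Request timed out.
  4    45 ms    44 ms    46 ms  203.0.113.10

Trace complete.
"""

_RTT = r"(<?\d+ ms|\*)"
_HOP_RE = re.compile(rf"^\s*(\d+)\s+{_RTT}\s+{_RTT}\s+{_RTT}\s+(.+?)\s*$")
_NAMED_RE = re.compile(r"^(\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]$")
_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAX_HOPS = 30   # tracert's default hop ceiling, as stated in the guide


def _rtt(field):
    """'*' -> None (no reply); '<1 ms' -> 0.0; '12 ms' -> 12.0."""
    if field == "*":
        return None
    return 0.0 if field.startswith("<") else float(field.split()[0])


def parse_tracert(text):
    """Parse hop lines into dicts: hop, rtts (three values), host, ip, kind."""
    hops = []
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if m is None:
            continue                      # header, blank and trailer lines
        hop = int(m.group(1))
        rtts = [_rtt(m.group(i)) for i in (2, 3, 4)]
        target = m.group(5)
        host = ip = None
        named = _NAMED_RE.match(target)
        if named:
            host, ip = named.group(1), named.group(2)
        elif _IP_RE.match(target):
            ip = target
        replied = [r for r in rtts if r is not None]
        if not replied:
            kind = "no reply"
        elif max(replied) < 1:
            kind = "local"                # <1 ms typically means a local link
        else:
            kind = "remote"
        hops.append({"hop": hop, "rtts": rtts, "host": host, "ip": ip, "kind": kind})
    return hops


def summarize(hops):
    """Report where replies stop and whether the hop ceiling was reached."""
    silent = [h["hop"] for h in hops if h["kind"] == "no reply"]
    reached = bool(hops) and hops[-1]["kind"] != "no reply"
    return {
        "hop_count": len(hops),
        "silent_hops": silent,
        "destination_reached": reached,
        "hit_max_hops": len(hops) >= MAX_HOPS and not reached,
    }


if __name__ == "__main__":
    parsed = parse_tracert(SAMPLE_TRACERT)
    for h in parsed:
        print(h)
    print(summarize(parsed))
```

A hop that times out in the middle of an otherwise complete trace (hop 3 in the sample) is usually a router that does not answer traceroute probes rather than a fault; a trace whose last hops are all silent, or that reaches the 30-hop ceiling without an answer, points at a block or routing problem.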
To sniff packets
The CLI syntax of the internal FortiAnalyzer packet sniffer command is:
This example checks network traffic on port1, with no filter, and captures 10 packets: diagnose network sniffer packet port1 none 1 10 See the FortiAnalyzer v4.0 MR3 CLI Reference for an explanation of the command and its parameters.
When you are registered and ready to contact support:
1. Prepare the following information first:
your contact information;
the firmware version;
a recent server policy configuration;
access to recent event, traffic and attack logs;
a network topology diagram and IP addresses;
a list of troubleshooting steps performed so far and the results.
For bootup problems:
provide all console messages and output;
if you suspect a hard disk issue, provide your evidence.
2. Document the problem and the steps you took to define the problem.
3. Open a support ticket.
Solution
If the FortiAnalyzer unit loses its file system at run time, you will see Read Only at the top of the Web-based Manager. If the unit cannot mount its file system as Read + Write during bootup, the unit boots in maintenance mode. Both read-only mode and maintenance mode are caused either by a hard disk failure on FortiAnalyzer units without RAID or by complete RAID failure on FortiAnalyzer units with RAID.
Report issue
FortiAnalyzer reports show the same users twice (name in uppercase and lowercase).
Solution
When a FortiGate unit is set to require authentication, it may use two methods to authenticate: Lightweight Directory Access Protocol (LDAP) and Fortinet Single Sign On (FSSO). The behavior is different depending on the method used and this will cause the FortiAnalyzer unit to have two different log entries for the same user: one with upper case name and one with lower case name. The FortiAnalyzer reports will show the same user twice. This is because the FortiAnalyzer filter is case-sensitive. This issue was resolved in FortiOS 4.0 MR1 with the addition of a new CLI command to allow ALL user names logged to be in upper case. This is useful when the same servers are shared by LDAP and FSSO.
Solution
The binary files indicated in the message are used by the FortiAnalyzer report engine to generate reports. During a firmware upgrade, the binary files may have changed because of new features. In such a case, the affected binary files are regenerated. This message means that some of the binary files have not yet been regenerated. The speed of regeneration (how long it takes to complete) depends on the activity of the FortiAnalyzer unit, such as the logging rate and the number of reports running. The number displayed in the message will steadily decrease. It may briefly increase when log files are manually imported, or in some cases during log rolling on a non-processed file. This is a normal process, and will resolve itself once the regeneration is complete.
Solution
There are three key CPU-intensive operations on a FortiAnalyzer unit:
Log indexing. A FortiAnalyzer unit deployed in a network can receive hundreds of log messages per second throughout the day. The FortiAnalyzer unit indexes nearly all fields in a log message to include it in the database. This process can be very CPU intensive, as the indexing component is continually running to keep up with the incoming log messages.
Report generation and other enhanced features. Due to the many reporting functions, various report generations can be running at any time during the day, including: security event reports; traffic summary reports; regular reports whose complexity can vary depending on the requirements; quota checking with log rolling; network sniffing; vulnerability scan.
Summary reports daemon. The summary reports daemon (sumreportsd) is responsible for computing data for the drill down widgets configured on the dashboard. The widgets are: Top Web Traffic; Intrusion Activity; Virus Activity; Top FTP Traffic; Top Email Traffic; Top IM/P2P Traffic; Top Traffic. By default, none of these drilldown widgets are enabled. Depending on the hardware platform or the amount of logs present on the FortiAnalyzer unit, sumreportsd may consume a considerable amount of CPU when running and may run for a considerable amount of time (from a few minutes to hours, or even longer if it has to compute new data while still processing old data). The resulting effect is that drilldown widgets may be empty or not up to date.
All these tasks can be CPU intensive, especially when a combination of them is occurring at the same time. This often can cause the CPU usage to stay at 90% or more. It is important to set the indexing operation to the lowest priority so that the critical processes, such as receiving log messages, are not affected. On smaller devices, such as the FortiAnalyzer-100C, where the CPU and disk speeds are not as fast as on the higher-end models, the CPU usage can appear more pronounced.
In case of high CPU usage and depending on the current environments on the FortiAnalyzer unit, it is suggested to: reduce the devices being monitored to only the ones needed; reduce the Time Scope of a widget to a lower value (Hour or Day); disable all drill down widgets from all admin accounts.
HA log issue
When sending FortiGate logs to the FortiAnalyzer unit with a secure connection, only the primary unit's logs are successfully received by the FortiAnalyzer unit.
Solution
When configuring a secure connection to send log information, you need to set the secure connection for all units in an HA cluster on the FortiAnalyzer unit. If the FortiAnalyzer unit will still not accept log information from the FortiGate unit for which you have enabled secure connection, check if you entered the preshared key and the device information correctly.
Solution
The FortiAnalyzer unit uses the DNS settings to enable connections for network file sharing. If the DNS settings are not configured correctly, or have incorrect DNS entries, the FortiAnalyzer unit cannot perform reverse lookups for users attempting to connect. If the FortiAnalyzer unit cannot perform this check, the operation times out, appearing to the user as being unable to connect. To verify your DNS configuration, go to System > Network > DNS. For more information, see Configuring DNS on page 99. The FortiAnalyzer unit uses the DNS settings for a number of network functions. The DNS settings must be valid to ensure the system functions correctly.
Solution
Vulnerability Management is an additional service which, similar to FortiGuard Services, must be purchased and registered. Even if the FortiAnalyzer unit is registered and licensed, Vulnerability Management Service will show as Not Registered if not purchased and registered.
Vulnerability management updates are not working.
Solution
1. Make sure you have a valid license. Vulnerability management is a separate subscription that must be purchased. Make sure that there is a valid VM subscription before starting to troubleshoot. For more information, see Scheduling & uploading vulnerability management updates on page 149.
2. Check the default gateway. The FortiAnalyzer unit needs a default gateway to be able to access the Internet and download updates. Go to System > Network > Routing and make sure the default gateway is configured correctly. If the default gateway is configured correctly, it should be possible to ping IP addresses on the Internet (assuming that nothing is blocking the pings). This can be tested by using the command:
execute ping <IP address on the Internet>
3. Make sure nothing is blocking port 443 from the FortiAnalyzer unit. The FortiAnalyzer unit contacts the update servers on port 443. If something (usually a firewall) is blocking port 443 from the FortiAnalyzer unit, it will not be able to receive updates. Check whether something is blocking port 443 by sniffing the traffic using the command:
diagnose sniff packet any 'port 443' 4
If something is blocking port 443, TCP SYNs will be seen going out but no TCP SYN/ACKs will come back in.
4. Enable debug. A number of other issues may cause a problem with VM updates. The easiest way to check all of them is to enable debugging and check the output for errors. Run the commands below:
diagnose debug output enable
diagnose debug application fortiguard 8
execute update-vm
The output shows any errors that occur during the update process. Once the update is complete, it is important to disable debug using the commands:
diagnose debug application fortiguard 0
diagnose debug output disable
Upgrade issue
The message Upload file is too big or invalid may appear when upgrading a FortiAnalyzer unit from the Web-based Manager.
Solution
Assuming that the correct firmware image has been downloaded from support.fortinet.com, a possible cause of this problem is related to the free memory on a FortiAnalyzer unit that has had a long uptime. In order to load the required firmware image, it is necessary to reboot the FortiAnalyzer unit so that more system resources become available. Once the device has been rebooted, the upgrade will proceed as required.
Solution
Enable cookies and JavaScript in your browser. Make sure that cookies are not erased when you close your browser.
Troubleshooting
Page 312
Cookies store preferences for the browser you use to access the Web-based Manager. If the cookies are erased when you close the browser (session cookies), the preferences are not saved, and will not be available the next time you open the browser. JavaScript is used for navigation of the menus and tabs in the Web-based Manager. The following procedures describe how to enable cookies and JavaScript in Internet Explorer and Firefox.
In Mozilla Firefox:
1. Go to Tools > Options.
2. Select Privacy.
3. Select Use custom settings for history.
4. Select Accept cookies from sites.
5. Select Accept third-party cookies and Keep until: they expire.
6. Select Content.
7. Select Enable JavaScript.
8. Select OK.
Solution
The disk usage shown for a FortiGate unit is the usage of the space allocated to that particular FortiGate unit on the FortiAnalyzer unit, while the disk usage shown for the FortiAnalyzer unit is the total disk usage of the FortiAnalyzer unit as a whole. For information about configuring allocated space for a device, see Manually configuring a device or HA cluster on page 162.
Device IP issue
Device IP address displays as 0.0.0.0 on the FortiAnalyzer unit device list (Devices > All Devices > Allowed) even if the FortiGate unit is already registered on the FortiAnalyzer unit.
Solution
The FortiAnalyzer unit will change the IP once it receives logs from the FortiGate unit. The IP address of the FortiGate unit is 0.0.0.0 if the FortiAnalyzer unit has not received logs from the FortiGate unit.
The FortiAnalyzer unit may not be receiving logs even if the Test Connectivity test on the FortiGate unit shows that the FortiGate unit is connected to the FortiAnalyzer unit (on the FortiGate unit: Log&Report > Log Config > Log Settings > FortiAnalyzer > Test Connectivity). This can be because the FortiGate unit is configured to send logs to the FortiAnalyzer unit but is not generating any logs yet, or because there is a connectivity problem between the FortiGate unit and the FortiAnalyzer unit on port 514 UDP (Test Connectivity runs on port 514 TCP).
Non-encrypted connection
You can use sniffer commands to check if the FortiGate unit is generating logs and if the FortiAnalyzer unit is receiving them. Note that the commands below are for non-encrypted traffic.
On the FortiGate unit:
    diagnose sniffer packet any 'host <IP address of FortiAnalyzer> and port 514' 4
On the FortiAnalyzer unit:
    diagnose sniffer packet any 'host <IP address of the FortiGate> and port 514'
This shows whether the FortiGate unit is sending traffic and whether the FortiAnalyzer unit is receiving it. The TCP sessions in the sniffer outputs are for content archive logs, while the UDP sessions are for normal logs (just about everything else).
Common cases:
1. The FortiGate unit is generating logs but the FortiAnalyzer unit is not receiving them. This is usually due to something dropping (filtering) port 514 (UDP or TCP) between the FortiGate and the FortiAnalyzer units.
2. The FortiGate unit is not generating logs. Check the logging options on the firewall policies and the protection profiles. Make sure they are set to send logs to the FortiAnalyzer unit. Also check the logging level on the FortiGate unit and make sure it is not set too high (Log&Report > Log Config > Log Settings > FortiAnalyzer > Minimum log level). If these are set correctly, you can check the filters on the FortiGate unit by running the CLI command:
    show full log fortianalyzer filters
Encrypted connections
You can sniff the connection between the FortiGate unit and the FortiAnalyzer unit using the commands:
On the FortiGate unit:
    diagnose sniffer packet any 'host <IP address of FortiAnalyzer>' 4
On the FortiAnalyzer unit:
    diagnose sniffer packet any 'host <IP address of FortiGate>'
UDP port 500 is for IKE trying to create the VPN tunnel between the FortiGate unit and the FortiAnalyzer unit. If this is the only thing you see between the two devices, then the encryption settings between the FortiGate unit and FortiAnalyzer unit are not correct and the tunnel cannot be established. IP protocol 50 is for ESP, which carries the encrypted traffic. If you see IP protocol 50 leaving the FortiGate unit but not reaching the FortiAnalyzer unit, then something is dropping the packets in the middle, although seeing IP protocol 50 means that the connection settings are correct between the two devices.
Use the any interface if you want to confirm that a specific packet is received or sent by the Fortinet device, without specifically knowing on which interface this may be. This will essentially enable the sniffer for all interfaces. For example:
    diagnose sniff packet interface any 'tcp port 3389' 3
The Fortinet device may not display all packets if too much information is requested to be displayed, or the traffic being sniffed is significant. When this occurs, the unit will log the following message once the trace is terminated:
    12151 packets received by filter
    3264 packets dropped by kernel
When this occurs, it is possible that what you were attempting to capture was not actually captured. In order to avoid this, you may try to tighten the display filters, reduce the verbose level, or perform the trace during a lower traffic period.
The packet timestamps as displayed by the sniffer may become skewed or delayed under high-load conditions. This may occur even if no packets were dropped (as mentioned above). Therefore, it is not recommended that you rely on these values in order to troubleshoot or measure performance issues that require absolutely precise timing.
Enabling the sniffer will consume additional CPU resources. This can be as high as an additional 25% of CPU usage on low-end models. Therefore, enabling it on a unit that is experiencing excessively high CPU usage can only make the situation worse. If you must perform a sniff, keep the sniffing sessions short.
The Ethernet source and/or destination MAC addresses may be incorrect when using the any interface. They may be displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01.
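The three sniffer checks described in this section (SYNs to port 443 with no SYN/ACK, UDP 514 log traffic leaving or arriving, IKE on UDP 500 with no ESP) and the "packets dropped by kernel" caveat can be applied mechanically to a saved capture. The following is an added example, not code from the Fortinet guide: it parses sniffer lines in a constructed approximation of the verbosity-4 format (timestamp, interface, in/out, source -> destination, payload summary) and reports which of the conditions hold. The sample capture is constructed; adjust LINE_RE if your unit prints the fields differently.

```python
"""Triage of saved sniffer output for the cases described in the guide.

Added example, not from the Fortinet guide. The packet line format is a
constructed approximation of "diagnose sniffer packet ... 4" output.
"""
import re

# Constructed approximation of verbosity-4 sniffer lines:
#   <time> <intf> in|out <src>[.<port>] -> <dst>[.<port>]: <payload summary>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)
# Summary printed when the trace ends (wording taken from the guide).
SUMMARY_RE = re.compile(
    r"(?P<recv>\d+) packets received by filter\s+(?P<drop>\d+) packets dropped by kernel"
)


def split_endpoint(ep):
    """'10.0.0.1.443' -> ('10.0.0.1', 443); '10.0.0.1' -> ('10.0.0.1', None)."""
    parts = ep.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def parse_sniffer(text):
    """Yield one dict per packet line; the trailing summary and other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        rest = m["rest"]
        yield {
            "dir": m["dir"], "src": src, "sport": sport, "dst": dst, "dport": dport,
            # "syn <seq>" is a SYN; "syn <seq> ack <seq>" is a SYN/ACK
            "syn": rest.startswith("syn") and " ack " not in rest,
            "synack": rest.startswith("syn") and " ack " in rest,
            "udp": rest.startswith("udp"),
            # ESP (IP protocol 50) rendering varies; accept either spelling
            "esp": "esp" in rest.lower() or "ip-proto-50" in rest.lower(),
        }


def triage(text):
    """Apply the guide's sniffer checks plus the kernel-drop caveat to one capture."""
    pkts = list(parse_sniffer(text))
    syn_out_443 = sum(p["syn"] and p["dir"] == "out" and p["dport"] == 443 for p in pkts)
    synack_in_443 = sum(p["synack"] and p["dir"] == "in" and p["sport"] == 443 for p in pkts)
    udp514_out = sum(p["udp"] and p["dir"] == "out" and p["dport"] == 514 for p in pkts)
    udp514_in = sum(p["udp"] and p["dir"] == "in" and p["dport"] == 514 for p in pkts)
    ike = sum(p["udp"] and 500 in (p["sport"], p["dport"]) for p in pkts)
    esp = sum(p["esp"] for p in pkts)
    m = SUMMARY_RE.search(text)
    recv, drop = (int(m["recv"]), int(m["drop"])) if m else (len(pkts), 0)
    return {
        "packets": len(pkts),
        "packets_by_filter": recv,
        "port443_blocked": syn_out_443 > 0 and synack_in_443 == 0,
        "udp514_out": udp514_out,   # logs leaving (meaningful on the FortiGate side)
        "udp514_in": udp514_in,     # logs arriving (meaningful on the FortiAnalyzer side)
        "ike_without_esp": ike > 0 and esp == 0,
        "esp_seen": esp > 0,
        "kernel_drops": drop,
        # with kernel drops, the absence of a packet proves nothing
        "capture_complete": drop == 0,
    }


# Constructed capture: repeated SYNs to 443 with no reply, IKE with no ESP, one log datagram.
SAMPLE = """\
1.001 port1 out 10.0.0.5.40212 -> 198.51.100.7.443: syn 2345678901
2.004 port1 out 10.0.0.5.40212 -> 198.51.100.7.443: syn 2345678901
4.010 port1 out 10.0.0.5.40212 -> 198.51.100.7.443: syn 2345678901
5.120 port2 out 10.0.0.5.500 -> 10.0.0.9.500: udp 288
6.120 port2 out 10.0.0.5.500 -> 10.0.0.9.500: udp 288
7.000 port2 out 10.0.0.5.514 -> 10.0.0.9.514: udp 211
6 packets received by filter
0 packets dropped by kernel
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run the same function over the FortiGate-side and FortiAnalyzer-side captures separately: udp514_out on the FortiGate and udp514_in on the FortiAnalyzer together distinguish case 1 (logs sent but not received) from case 2 (no logs generated), and capture_complete tells you whether a negative result can be trusted at all.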
No logs received with encryption enabled between a FortiGate unit and a FortiAnalyzer unit
Logs are being sent correctly from the FortiGate unit to the FortiAnalyzer unit when encryption is disabled but no logs are received once encryption is enabled. Sniffing the traffic between the FortiGate unit and the FortiAnalyzer unit only shows UDP port 500 (IKE) but does not show IP protocol 50 (ESP):
On the FortiGate unit, run the command:
    diagnose sniff packet any 'host <IP address of FortiAnalyzer> and port 514' 4
On the FortiAnalyzer unit, run the command:
    diagnose sniff packet any 'host <IP address of the FortiGate> and port 514' 4
The VPN monitor on the FortiGate unit (VPN > IPsec > Monitor) also shows the tunnel as down. The most common cause of this problem is that the Local ID on the FortiGate unit is not configured correctly. Use the following commands to enable encryption between the FortiGate unit and the FortiAnalyzer unit:
On the FortiGate unit:
    config log fortianalyzer setting
        set encrypt enable
        set psksecret <presharedkey_str>
        set localid <devname_str>
    end
On the FortiAnalyzer unit:
    config log device
        edit <devname_str>
            set secure psk
            set psk <presharedkey_str>
            set id <devid_str>
        next
    end
The local ID on the FortiGate unit (line 4) needs to match the device name on the FortiAnalyzer unit (line 2). If these values do not match, the IPsec tunnel will not be established.
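Because the mismatch described above is between two settings on two different units, it is easy to check mechanically from saved copies of the two CLI snippets before raising a ticket. The following is an added example, not code from the Fortinet guide: a small parser for the FortiOS-style config/edit/set/next/end block structure, and a check that the FortiGate localid names an existing device entry on the FortiAnalyzer unit, that the entry uses PSK security, and that the two pre-shared keys agree. The pre-shared key, device name and serial number in the samples are constructed placeholders.

```python
"""Cross-check FortiGate and FortiAnalyzer log-encryption settings.

Added example, not part of the Fortinet guide. The parser understands the
config / edit / set / next / end structure of the snippets shown above.
"""


def parse_fortios_cli(text):
    """Parse a config snippet into nested dicts.

    'config X' opens a table, 'edit NAME' opens an entry inside it, 'set K V'
    stores a value, 'next' closes the entry and 'end' closes the table (an
    'end' with an entry still open closes that entry too).
    """
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append((kw, cur))
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":
            cur[args[0]] = " ".join(args[1:]).strip('"')
        elif kw == "next":
            kind, cur = stack.pop()
            if kind != "edit":
                raise ValueError("'next' outside of an 'edit' block")
        elif kw == "end":
            kind, cur = stack.pop()
            while kind != "config":
                kind, cur = stack.pop()
        else:
            raise ValueError(f"unexpected keyword: {kw!r}")
    if stack:
        raise ValueError("unterminated config block")
    return root


def check_encryption(fortigate_cfg, fortianalyzer_cfg):
    """Return a list of problems; an empty list means the two sides agree."""
    fgt = parse_fortios_cli(fortigate_cfg).get("log fortianalyzer setting", {})
    faz_devices = parse_fortios_cli(fortianalyzer_cfg).get("log device", {})
    problems = []
    if fgt.get("encrypt") != "enable":
        problems.append("FortiGate: 'set encrypt enable' is missing")
    local_id = fgt.get("localid")
    if not local_id:
        problems.append("FortiGate: 'set localid' is not configured")
        return problems
    dev = faz_devices.get(local_id)  # exact, case-sensitive comparison
    if dev is None:
        problems.append(f"FortiAnalyzer: no device entry named {local_id!r} "
                        "(the FortiGate localid must match the 'edit' name)")
        return problems
    if dev.get("secure") != "psk":
        problems.append(f"FortiAnalyzer: device {local_id!r} lacks 'set secure psk'")
    if fgt.get("psksecret") != dev.get("psk"):
        problems.append("pre-shared keys differ between the two units")
    return problems


# Constructed samples; the key, device name and serial are placeholders.
FGT_OK = """\
config log fortianalyzer setting
    set encrypt enable
    set psksecret "example-psk-CHANGE-ME"
    set localid FGT-branch-1
end
"""
FAZ_OK = """\
config log device
    edit FGT-branch-1
        set secure psk
        set psk "example-psk-CHANGE-ME"
        set id FGT-SERIAL-PLACEHOLDER
    next
end
"""
# Same config with the device name capitalised differently: the IDs no longer match.
FAZ_BAD = FAZ_OK.replace("edit FGT-branch-1", "edit FGT-Branch-1")

if __name__ == "__main__":
    print("matching  :", check_encryption(FGT_OK, FAZ_OK) or "OK")
    print("mismatched:", check_encryption(FGT_OK, FAZ_BAD))
```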
Bootup issues
When powering on your FortiAnalyzer unit, you may experience problems. Bootup issues, while rare, can be very difficult to troubleshoot due to the lack of information about your issue. When the unit is not running, you do not have access to your typical tools such as diagnose CLI commands. This section walks you through some possible issues to give you direction in these situations. To troubleshoot a bootup problem with your unit, go to the section that lists your problem. If you have multiple problems, go to the problem closest to the top of the list first, and work your way down the list.
It is rare that units experience any of the symptoms listed here. Fortinet hardware is reliable with a long expected operating life.
The issues covered in this section all refer to various potential bootup issues, including:
    You have text on the screen, but you have problems.
    You do not see the boot options menu.
    You have problems with the console text.
    You have visible power problems.
    You have a suspected defective FortiAnalyzer unit.
Examples: Error message "EXT3-fs error (device...)"
You have text on the screen, but you have problems.
Solution
1. If the text on the screen is garbled, ensure your console communication parameters are correct. Check your QuickStart Guide for settings specific to your model.
2. If that fixes your problem, you are done.
3. If not, go to You do not see the boot options menu.
FortiAnalyzer units ship with a baud rate of 9600 by default. If you have access, verify this with the CLI commands:
    config system console
    get
or parse an archived configuration file for the term baudrate.
2. If that fixes your problem, you are done.
3. If it doesn't fix your problem, go to You have a suspected defective FortiAnalyzer unit.
5. When pressing a key, do you see one of the following messages?
    [G] Get Firmware image from TFTP server
    [F] Format boot device
    [B] Boot with backup firmware and act as default
    [Q] Quit menu and continue to boot with default firmware
    [H] Display this list of options
If Yes, go to You have a suspected defective FortiAnalyzer unit.
6. If No, ensure your serial communication parameters are set to no flow control and the proper baud rate, and reboot the FortiAnalyzer unit by powering it off and on.
FortiAnalyzer units ship with a baud rate of 9600 by default. If you have access, parse an archived configuration file for the term baudrate or verify this setting with the CLI commands:
    config system console
    get
7. Did the reboot fix the problem? If that fixes your problem, you are done. If that doesn't fix your problem, go to You have a suspected defective FortiAnalyzer unit.
Example 1:
Reading boot image 1463602 bytes.
Initializing firewall...
System is started.
EXT3-fs error (device md(9,0)): ext3_readdir: bad entry in directory #1474561: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
EXT3-fs error (device md(9,0)): ext3_readdir: bad entry in directory #1474561: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
Example 2:
Reading boot image 1463602 bytes.
Initializing firewall...
System is started.
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=130817, block=262146
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
Some error details may vary from one device to another, but the EXT3-fs error indicates there is an issue with the local file system.
Solution
This issue appears to be due to some corruption in the file system that affects the boot device and/or firmware loading. In most cases the issue may be resolved by reformatting the boot device and then reinstalling the firmware via TFTP. Make sure to reload the same firmware version as the one used to save the configuration backup file. In case there is no configuration backup file, the unit needs to be reconfigured from scratch.
FORTINET-FORTIANALYZER-MIB
    This Fortinet-proprietary MIB enables your SNMP manager to query for FortiAnalyzer-specific information and to receive FortiAnalyzer-specific traps.
RFC-1213 (MIB II)
    The FortiAnalyzer SNMP agent supports MIB II groups, except:
    There is no support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
    Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, etc.) do not accurately capture all FortiAnalyzer traffic activity. More accurate information can be obtained from the information reported by the FortiAnalyzer MIB.
RFC-2665 (Ethernet-like MIB)
    The FortiAnalyzer SNMP agent supports Ethernet-like MIB information except the dot3Tests and dot3Errors groups.
You can obtain these MIB files from the Customer Service & Support web site, https://support.fortinet.com. To be able to communicate with your FortiAnalyzer unit's SNMP agent, you must first compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do not have to compile them again. To view a trap or query's name, object identifier (OID), and description, open its MIB file in a plain text editor. All traps sent include the message, the FortiAnalyzer unit's serial number, and host name. For instructions on how to configure traps and queries, see Configuring the SNMP agent on page 127.
Table 20: Maximum values of FortiAnalyzer models
Feature (the per-model values for these rows are not on this page):
    Administrative domains (ADOMs)
    Devices per ADOM
    Administrators
    Administrator access profiles
    RADIUS servers
    RADIUS authentication groups
    RADIUS servers per authentication group
    Static routes
    SMB shares
    SMB users
    SMB groups
    SMB users per group
    SMB read-only users & groups per share
    SMB read-write users & groups per share
    NFS exports
    NFS RO clients per export
    NFS RW clients per export
    Registered log devices (FGT/FMG/FML/SL +FC)
Maximum Value Matrix
Table 20: Maximum values of FortiAnalyzer models (continued)
Feature | Model 1 | Model 2 | Model 3 | Model 4 | Model 5 | Model 6 (model names for the six columns are not recoverable from this page)
HA members per log device | 5 | 5 | 5 | 5 | 5 | 5
Log device groups | 50 | 100 | 250 | 1000 | 1000 | 1000
Log devices per device group | 100 | 200 | 500 | 2000 | 2000 | 2000
Unregistered log devices | 100 | 200 | 500 | 2000 | 2000 | 2000
Blocked log devices | 100 | 200 | 500 | 2000 | 2000 | 2000
Report LDAP servers | 6 | 6 | 6 | 6 | 6 | 6
Report IP aliases | 256 | 256 | 512 | 512 | 512 | 512
Report schedules | 250 | 250 | 500 | 500 | 750 | 1000
Report layouts | 250 | 250 | 500 | 500 | 750 | 1000
Objects/queries per report layout | 500 | 500 | 500 | 500 | 500 | 500
Report outputs | 250 | 250 | 500 | 500 | 750 | 1000
Report filters | 250 | 250 | 500 | 500 | 750 | 1000
Report datasets | 250 | 250 | 500 | 500 | 750 | 1000
Outputs per report dataset | 3 | 3 | 3 | 3 | 3 | 3
Report custom charts | 250 | 250 | 500 | 500 | 750 | 1000
SQL report layouts | 1000 | 1000 | 1000 | 1000 | 1000 | 1000
SQL report chart templates | 1000 | 1000 | 1000 | 1000 | 1000 | 1000
SQL report datasets | 1000 | 1000 | 1000 | 1000 | 1000 | 1000
SQL report components per layout | 500 | 500 | 500 | 500 | 500 | 500
Alerts/SNMP managers (CmdGens/NotRcvrs) | 31 | 31 | 31 | 31 | 31 | 31
Alerts/SNMP managers per community | 10 | 10 | 10 | 10 | 10 | 10
Alerts email servers | 1 | 8 | 16 | 16 | 32 | 32
Alerts syslog servers | 1 | 8 | 16 | 16 | 32 | 32
Alerts events | 10 | 100 | 100 | 100 | 256 | 256
Alerts destinations per event | 16 | 16 | 32 | 32 | 64 | 64
Network vulnerability scan assets | 200 | 500 | 1000 | 2000 | 65535 | 65535
Table 20: Maximum values of FortiAnalyzer models (continued)
Features (the per-model values for these rows could not be separated into columns; the extracted values are kept as they appeared):
    Network vulnerability scans
    Administrator sessions
    NTP servers
Values as extracted: 80 300 20 160 300 20 2000 160 300 20 4000 320 300 20 4000 400 300 20 8000 640 300 20 24000
a. The FortiAnalyzer 100B and 100C do not support Administrative Domains (ADOMs).
Creating datasets
The following procedure describes how to create datasets in the Web-based Manager. You can also use the CLI command config sql-report dataset to create datasets. For details, see the FortiAnalyzer v4.0 MR3 CLI Reference and the Examples section.
To create a custom dataset in the Web-based Manager:
1. Enable the SQL database for log storage in System > Config > SQL Database. For information on selecting the storage method, see Configuring SQL database storage on page 119.
2. Go to Report > Advanced > Data Set.
3. Click Create New.
4. Configure the following, then click OK.
5. Configure the following settings:
Name
    Enter the name for the dataset.
Log Type ($log)
    Enter the type of logs to be used for the dataset. $log is used in the SQL query to represent the log type you select, and it is run against all tables of this type.
SQL Query
    Enter the SQL query syntax to retrieve the log data you want from the SQL database. Different SQL systems use different query syntaxes to deal with date/time format. The FortiAnalyzer unit uses PostgreSQL as the local database and supports MySQL as the remote database. To facilitate querying in both MySQL and PostgreSQL systems, you can use the following default date/time macros and query syntaxes for the corresponding time period you choose:
    Hour_of_day: For example, you can select Yesterday for the Time Period and enter the syntax:
        select $hour_of_day as hourstamp, count(*) from $log where $filter group by hourstamp order by hourstamp
    Day_of_week: For example, you can select This Week for the Time Period and enter the syntax:
        select $day_of_week as datestamp, count(*) from $log where $filter group by datestamp order by datestamp
    Day_of_month: For example, you can select This Month for the Time Period and enter the syntax:
        select $day_of_month as datestamp, count(*) from $log where $filter group by datestamp order by datestamp
    Week_of_year: For example, you can select This Year for the Time Period and enter the syntax:
        select $week_of_year as weekstamp, count(*) from $log where $filter group by weekstamp order by weekstamp
    Month_of_year: For example, you can select This Year for the Time Period and enter the syntax:
        select $month_of_year as monthstamp, count(*) from $log where $filter group by monthstamp order by monthstamp
    The results of running the queries will display the date and time first, followed by the log data.
Test
    Click to test whether or not the SQL query is successful. See To test a SQL query: on page 327.
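To see concretely what the hour_of_day dataset query above computes, the following added example (not from the guide, and not FortiAnalyzer's own macro expansion, which the page does not show) hand-substitutes $log, $hour_of_day and $filter for SQLite and runs the query against a constructed traffic-log table. $log becomes the per-device table name, $hour_of_day becomes an hour-of-day expression over the timestamp column (epoch seconds, as in Table 24), and $filter becomes the time period chosen in the query console. The table name, column set and rows are all constructed.

```python
"""The hour_of_day dataset query, run against a constructed table in SQLite.

Added example, not from the Fortinet guide. The macro expansion below is an
assumed illustration for SQLite, not FortiAnalyzer's own.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# The query exactly as the guide shows it for Hour_of_day.
QUERY_TEMPLATE = (
    "select $hour_of_day as hourstamp, count(*) from $log "
    "where $filter group by hourstamp order by hourstamp"
)


def expand_macros(template, table, begin, end):
    """Assumed expansion of the three macros for SQLite.

    $log          -> the table for the selected log type
    $hour_of_day  -> hour (00-23) of the 'timestamp' column, which holds epoch seconds
    $filter       -> the time period selected in the console (begin inclusive, end exclusive)
    """
    return (template
            .replace("$hour_of_day", "strftime('%H', timestamp, 'unixepoch')")
            .replace("$log", f'"{table}"')
            .replace("$filter", f"timestamp >= {begin} and timestamp < {end}"))


def build_sample_db():
    """Constructed tlog table (name follows the [Device]-[type]-[timestamp] convention)."""
    conn = sqlite3.connect(":memory:")
    conn.execute('create table "FGT-A-tlog-1" (timestamp int, srcip text, dstport int)')
    day = datetime(2013, 3, 1, tzinfo=timezone.utc)
    rows = []
    # 3 rows at 02:00, 1 row at 09:30, 5 rows at 17:15 on the selected day
    for hour, minute, n in ((2, 0, 3), (9, 30, 1), (17, 15, 5)):
        ts = int((day + timedelta(hours=hour, minutes=minute)).timestamp())
        rows += [(ts + i, "192.0.2.%d" % i, 443) for i in range(n)]
    # 2 rows on the following day: outside the period, so $filter must exclude them
    nxt = int((day + timedelta(days=1, hours=1)).timestamp())
    rows += [(nxt, "192.0.2.99", 80), (nxt + 1, "192.0.2.98", 80)]
    conn.executemany('insert into "FGT-A-tlog-1" values (?, ?, ?)', rows)
    return conn, day


def traffic_by_hour(conn, table, day):
    """Run the expanded query for one calendar day; returns [(hour, count), ...]."""
    begin = int(day.timestamp())
    end = int((day + timedelta(days=1)).timestamp())
    sql = expand_macros(QUERY_TEMPLATE, table, begin, end)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn, day = build_sample_db()
    for hour, count in traffic_by_hour(conn, "FGT-A-tlog-1", day):
        print(f"{hour}:00  {count} sessions")
```

Hours with no traffic produce no row at all, which is why the guide's queries order by the stamp column: a chart built from the result must treat missing hours as zero rather than assume 24 rows.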
To test a SQL query:
1. Follow the procedures in To create a custom dataset in the Web-based Manager: on page 325.
2. After entering the SQL query, click Test. The SQL query console opens.
Figure 217: SQL query test results window
3. Configure the following settings:
Device
    Select a specific FortiGate unit, FortiMail unit, or FortiClient installation, or select all devices, to apply the SQL query to.
VDom
    If you want to apply the SQL query to a FortiGate VDOM, enter the name of the VDOM. Then use $filter in the where clause of the SQL query to limit the results to the FortiGate VDom you specify.
Time Period ($filter)
    Select to query the logs from a time frame, or select Specified and define a custom time frame by selecting the Begin Time and End Time. Then use $filter in the where clause of the SQL query to limit the results to the period you select.
Past N Hours/Days/Weeks
    If you selected Past N Hours/Days/Weeks for Time Period, enter the number.
Begin Time
    Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
End Time
    Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
SQL Query
    Enter the SQL query to retrieve the log data you want from the SQL database.
Run
    Click to execute the SQL query. The results display. If the query is not successful, see Troubleshooting on page 328.
Clear
    Select to remove the displayed query results.
Save Options
    Select to save the SQL query console configuration to the dataset configuration. The Device and VDOM configurations are not used by the dataset configuration.
Close
    Click to return to the dataset configuration page.
Troubleshooting
If the query is unsuccessful, an error message appears in the results window indicating the cause of the problem.
Connection problems
If well-formed queries do not produce results, and logging is turned on for the log type, there may be a database configuration problem with the remote database. Ensure that:
    MySQL is running and using the default port 3306.
    You have created an empty database and a user with create permissions for the database.
Here is an example of creating a new MySQL database named fazlogs, and adding a user for the database:
    # mysql -u root -p
    mysql> CREATE DATABASE fazlogs;
    mysql> GRANT ALL PRIV
ILEGES ON fazlogs.* TO 'fazlogger'@'%' IDENTIFIED BY 'fazpassword';
    mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'localhost' IDENTIFIED BY 'fazpassword';
SQL tables
The FortiAnalyzer unit creates a database table for each managed device and each log type, when there is log data. If the FortiAnalyzer unit is not receiving data from a device, or logging is not enabled under System > Config > SQL Database, it does not create log tables for that device. SQL tables follow the naming convention of [Device Name]-[SQL table type]-[timestamp], where the SQL table type is one of the types listed in Table 21 on page 329.
The timestamp portion of the log name depends on the FortiAnalyzer unit firmware release. It is either the creation time of the table (in releases before 4.2.1), or the timestamp of the log on disk (in releases 4.2.1 and later).
To view all the named tables created in a database, you can use:
    local (PostgreSQL) database: SELECT * FROM pg_tables
    remote (MySQL): SHOW TABLES
The names of all created tables and their types are stored in a master table named table_ref.
Table 21: Log types and table types
Log Type | SQL table type | Description
Traffic log | tlog | The traffic log records all traffic to and through the FortiGate interface.
Event log | elog | The event log records management and activity events. For example, when an administrator logs in or logs out of the web-based manager.
Antivirus log | vlog | The antivirus log records virus incidents in Web, FTP, and email traffic.
Webfilter log | wlog | The web filter log records HTTP FortiGuard log rating errors including web content blocking actions that the FortiGate unit performs.
Attack log | | The attack log records attacks that are detected and prevented by the FortiGate unit.
Spam filter log | | The spam filter log records blocking of email address patterns and content in SMTP, IMAP, and POP3 traffic.
Data leak prevention log | | The data leak prevention log records log data that is considered sensitive and that should not be made public. This log also records data that a company does not want entering their network.
Application control log | | The application control log records data detected by the FortiGate unit and the action taken against the network traffic depending on the application that is generating the traffic, for example, instant messaging software, such as MSN Messenger.
DLP archive log | | The DLP archive log, or clog.log, records all log messages, including most IM log messages as well as the following session control protocol (VoIP protocol) log messages: SIP start and end call; SCCP phone registration; SCCP call info (end of call); SIMPLE log message.
Vulnerability Management log | nlog | The vulnerability management log, or netscan log, contains logging events generated by a network scan.
rlog
FortiAnalyzer logs also include log subtypes, which are types of log messages that are within the main log type. For example, in the event log type there is the subtype admin for administrative log messages. FortiAnalyzer log types and subtypes are numbered, and these numbers appear within the log identification field of the log message.
Table 22: Log Sub-types
traffic (Traffic Log)
    allowed: Policy allowed traffic
    violation: Policy violation traffic
    other
event (Event Log), for FortiGate devices:
    system: System activity event
    ipsec: IPsec negotiation event
    dhcp: DHCP service event
    ppp: L2TP/PPTP/PPPoE service event
    admin: Admin event
    ha: HA activity event
    auth: Firewall authentication event
    pattern: Pattern update event
    alertemail: Alert email notifications
    chassis: FortiGate-5000 series chassis event
    sslvpn-user: SSL-VPN user event
    sslvpn-admin: SSL-VPN administration event
    sslvpn-session: SSL-VPN session event
    his-performance: Performance statistics
    vipssl: VIP SSL events
    ldb-monitor: LDB monitor events
dlp (Data Leak Prevention)
    dlp: Data Leak Prevention
app-ctrl (Application Control Log)
    app-ctrl-all: All application control
DLP archive (DLP Archive Log)
    HTTP: HTTP content metadata
    FTP: FTP content metadata
    SMTP: SMTP content metadata
    POP3: POP3 content metadata
    IMAP: IMAP content metadata
virus (Antivirus Log)
    infected: Virus infected
    filename: Filename blocked
    oversize: File oversized
webfilter (Web Filter Log)
    content: Content block
    urlfilter: URL filter
    FortiGuard block
    FortiGuard allowed
    FortiGuard error
    ActiveX script filter
    Cookie script filter
    Applet script filter
ips (Attack Log)
    signature: Attack signature
    anomaly: Attack anomaly
emailfilter (Spam Filter Log)
    SMTP
    POP3
    IMAP
Table 23: Log severity levels
Level | Description | Generated by
Emergency | The system has become unstable. | Event logs, specifically administrative events, can generate an emergency severity level.
Alert | Immediate action is required. | Attack logs are the only logs that generate an Alert severity level.
Critical | Functionality is affected. | Event, Antivirus, and Spam filter logs.
Error | An error condition exists and functionality could be affected. | Event and Spam filter logs.
Warning | Functionality could be affected. | Event and Antivirus logs.
Notification | Information about normal events. | Traffic and Web Filter logs.
Information | General information about system operations. | Content Archive, Event, and Spam filter logs.
The Debug severity level, not shown in Table 23, is rarely used. It is the lowest log severity level and usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly. Debug log messages are only generated if the log severity level is set to Debug. Debug log messages are generated by all types of FortiGate features.
Table 24: Common fields
Field | PostgreSQL type | MySQL type | Description | Log types
(field name not on page) | | | The time the log event was received by the FortiAnalyzer. | all
(field name not on page) | | | The time the log event was generated on the device. | all
(field name not on page) | | | The HA cluster ID if the FortiGate runs in HA mode. | all
(field name not on page) | | | The serial number of the device. | all
(field name not on page) | | | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id. For more detail about what the combination of type, subtype and message ID means, see the FortiGate Log Message Reference. | all
subtype | varchar(255) | varchar(255) | The subtype of the log message. The possible values of this field depend on the log type. See Table 22 for a list of subtypes associated with each log type. | all
type | varchar(255) | varchar(255) | The log type. | all
timestamp | int default 0 | int unsigned default 0 | Timestamp for the event. | all
pri | varchar(255) | varchar(255) | The log priority level. See Table 23 for a list of priority levels and the log types that generate them. | all
vd | varchar(255) | varchar(255) | The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root. | all
(field name not on page) | varchar(255) | varchar(255) | The name of the user creating the traffic. | all except nlog
(field name not on page) | varchar(255) | varchar(255) | The name of the group creating the traffic. | all except nlog
(field name not on page) | varchar(40) (255 for alog) | varchar(40) (255 for alog) | The source IP address. | all except nlog
(field name not on page) | varchar(40) (255 for alog) | varchar(40) (255 for alog) | The destination IP address. | all except nlog
(field name not on page) | int default 0 | smallint unsigned default 0 | The source port of the TCP or UDP traffic. The source port is zero for other types of traffic. | all except nlog
dst_port | int default 0 | smallint unsigned default 0 | The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic. | all except nlog
src_int | varchar(255) | varchar(255) | The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is unknown. | all except clog and nlog
dst_int | varchar(255) | varchar(255) | The interface where the through traffic goes to the public or Internet. For incoming traffic to the firewall, it is unknown. | all except clog and nlog
policyid | bigint default 0 | | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. For more information, see the Knowledge Base article, Firewall policy=0. | all except nlog
service | varchar(255) | varchar(255) | The service where the activity or event occurred, whether it was on a web page using HTTP or HTTPS. This field is an enum, and can have one of the following values: http, https, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, nntp, im, smtps, pop3s, imaps | all except clog
identidx | bigint default 0 | int unsigned default 0 | The identity index number. | all except nlog
profile | varchar(255) | varchar(255) | The protection profile associated with the firewall policy that traffic used when the log message was recorded. | all except dlog, tlog, and nlog
profiletype | varchar(255) | varchar(255) | The type of profile associated with the firewall policy that traffic used when the log message was recorded. | all except dlog, tlog, and nlog
profilegroup | varchar(255) | varchar(255) | The profile group associated with the firewall policy that traffic used when the log message was recorded. | all except dlog, tlog, and nlog
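Two of the conventions documented above are easy to get wrong when writing tooling against the SQL database: the ten-digit log ID layout (two digits of type, two of subtype, the remaining one to five digits the message ID) and the [Device Name]-[SQL table type]-[timestamp] table name, where the device name may itself contain hyphens. The following added example (not code from the Fortinet guide) implements both; LOG_TABLE_TYPES carries only the pairings the guide states in Table 21 plus the clog name it gives for the DLP archive log, and the table names and log IDs used for testing are constructed.

```python
"""Decode logid values and FortiAnalyzer SQL table names as described in the guide.

Added example, not from the Fortinet guide. The sample logids and table names
are constructed; LOG_TABLE_TYPES lists only the pairings the guide gives.
"""
import re
from typing import NamedTuple, Optional

# SQL table type -> log type, as stated in Table 21 (plus clog for the DLP archive log)
LOG_TABLE_TYPES = {
    "tlog": "Traffic log",
    "elog": "Event log",
    "vlog": "Antivirus log",
    "wlog": "Webfilter log",
    "clog": "DLP archive log",
    "nlog": "Vulnerability Management log",
}


class LogId(NamedTuple):
    log_type: int   # first two digits
    subtype: int    # next two digits
    msg_id: int     # remaining one to five digits


def decode_logid(logid):
    """Split a logid into (type, subtype, message id) per the common-field description."""
    s = str(logid).strip()
    if not s.isdigit() or not 5 <= len(s) <= 10:
        raise ValueError(f"logid must be 5 to 10 digits, got {s!r}")
    s = s.zfill(10)  # a logid stored as a number may have lost its leading zeros
    return LogId(int(s[0:2]), int(s[2:4]), int(s[4:]))


class LogTable(NamedTuple):
    device: str
    table_type: str
    log_type: Optional[str]   # None when the type suffix is not in LOG_TABLE_TYPES
    timestamp: int


# Greedy device match so that hyphens inside the device name are kept with it.
TABLE_RE = re.compile(r"^(?P<device>.+)-(?P<ttype>[a-z]+log)-(?P<ts>\d+)$")


def parse_table_name(name):
    """Parse '[Device Name]-[SQL table type]-[timestamp]'."""
    m = TABLE_RE.match(name)
    if not m:
        raise ValueError(f"not a FortiAnalyzer log table name: {name!r}")
    ttype = m["ttype"]
    return LogTable(m["device"], ttype, LOG_TABLE_TYPES.get(ttype), int(m["ts"]))


def tables_for_type(names, table_type):
    """All tables of one SQL table type, oldest first (the set a $log query spans)."""
    parsed = [parse_table_name(n) for n in names]
    return sorted((t for t in parsed if t.table_type == table_type),
                  key=lambda t: t.timestamp)


if __name__ == "__main__":
    # Constructed values: a device name containing hyphens and two table generations.
    names = ["FGT-branch-1-tlog-1362096000", "FGT-branch-1-elog-1362096000",
             "FGT-branch-1-tlog-1362009600"]
    for t in tables_for_type(names, "tlog"):
        print(t)
    print(decode_logid("0100032001"))
```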
Table 25: Application control log fields (continued)
Field | PostgreSQL type | MySQL type | Description
kind | varchar(255) | varchar(255) | This field is an enum, and can be one of the following values: login, chat, file, photo, audio, call, regist, unregister, call-block, request, response
dir | varchar(255) | varchar(255) | The direction of the traffic. This field is an enum, and can be one of the following: incoming, outgoing, N/A
src_name | varchar(255) | varchar(255) | The name of the source or the source IP address.
dst_name | varchar(255) | varchar(255) | The destination name or destination IP address.
proto | int default 0 | smallint unsigned default 0 | The protocol number that applies to the session or packet. The protocol number in the packet header identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
serial | | | Serial number of the log message.
app_list | varchar(255) | varchar(255) | The application control list (under UTM > Application Control > Application Control List on the FortiGate unit) that contains the policy that triggered this log item.
app_type | varchar(255) | varchar(255) | The application category.
app | | | The application name. You can look the application type up in UTM > Application Control > Application List, and then select the name that is in the field to go to more detailed information on the FortiGuard Encyclopedia.
action | varchar(255) | varchar(255) | The action the FortiGate unit took for this session or packet. This field is an enum and can be one of the following values: pass, block, monitor, kickout, encrypt-kickout, reject
count | bigint default 0 | int unsigned default 0 | Total number of blocked applications.
filename | varchar(255) | varchar(255) | The file name associated with the blocked application.
filesize | bigint default 0 | int unsigned default 0 | The file size of the file.
message | varchar(255) | varchar(255) | The blocked message of chat applications.
content | varchar(255) | varchar(255) | Content of the blocked applications.
reason | varchar(255) | varchar(255) | The reason why the log was recorded. This field is an enum, and can be one of the following values: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, exceed-rate
req | varchar(255) | varchar(255) | Request.
phone | varchar(255) | varchar(255) | Phone number of the blocked application.
msg | varchar(255) | varchar(255) | Explains why the log was recorded.
attack_id | | | Attack ID.
Table 26: Attack log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

proto | smallint default 0 | tinyint unsigned default 0 | The protocol of the event.
ref | varchar(255) | varchar(255) | A reference URL to the FortiGuard IPS database for more information about the attack.
count | bigint default 0 | int unsigned default 0 | The number of times that attack was detected within a short period of time. This is useful when the attacks are DoS attacks.
incident_serialno | bigint default 0 | int unsigned default 0 | The unique ID for this attack. This number is used to cross-reference IPS packet logs.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. In this example, an attack occurred that could have caused a system crash.

Table 27: DLP archive/content log fields
Columns: field | PostgreSQL type | MySQL type | description

(not shown) | bigint default 0 | int unsigned default 0 | The unique number for each archive. It is used for cross reference purposes.
(not shown) | bigint default 0 | int unsigned default 0 | The ID of the archive event.
(not shown) | bigint default 0 | int unsigned default 0 | The session number.
(not shown) | varchar(255) | varchar(255) | The ID of the endpoint, such as MSISDN or account ID.
(not shown) | varchar(40) | varchar(40) | The IP of the client.
(not shown) | varchar(40) | varchar(40) | The IP of the server.
(not shown) | varchar(40) | varchar(40) | The local IP.
(not shown) | varchar(40) | varchar(40) | The remote IP.
Table 27: DLP archive/content log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

cstatus | varchar(255) | varchar(255) | The cstatus field can be any one of the following: clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter (FortiOS Carrier only), mass_mms (FortiOS Carrier only), dlp, fragmented, spam, im_summary, im-message, im_file_request (a file was transferred), im_file_accept (a file was accepted), im_file_cancel, im_voice (an IM voice chat), im_photo_share_request (a photo was shared), im_photo_share_cancel, im_photo_share_stop, im_photo_xfer (a photo was transferred during the chat), voip, error.
Table 27: DLP archive/content log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

infection | varchar(255) | varchar(255) | The infection type. This field is an enum, and can be one of the following: bblock fileexempt file intercept mms block carrier end point filter mms flood mms duplicate virus virusrm heuristic html script script filter banned word exempt word oversize virus heuristic worm mime block fragmented exempt ip blacklist dnsbl FortiGuard - AntiSpam ip blacklist helo emailblacklist mimeheader dns FortiGuard - AntiSpam ase block banned word ipwhitelist emailwhitelist fewhitelist headerwhitelist wordwhitelist dlp dlpban pass mms content checksum
Table 27: DLP archive/content log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

virus | varchar(255) | varchar(255) | The virus name.
rcvd | bigint default 0 | int unsigned default 0 | The number of bytes that were received from the client.
sent | bigint default 0 | int unsigned default 0 | The number of bytes that were received from the server.
method | varchar(255) | varchar(255) | The type of HTTP command used. For example, GET.
url | varchar(255) | varchar(255) | The URL address of the web site that was accessed.
cat | varchar(255) | varchar(255) | The http/https category.
cat_desc | varchar(255) | varchar(255) | The http/https category description.
to | varchar(255) | varchar(255) | To
from | varchar(255) | varchar(255) | From
subject | varchar(255) | varchar(255) | Subject
direction | varchar(255) | varchar(255) | Incoming or outgoing.
(not shown) | | | Mail attachment present.
(not shown) | | | The FTP command. This field is an enum and can be one of: NONE, USER, PASS, ACCT, STOR, RETR, QUIT.
(not shown) | | | The archive file name.
(not shown) | | | The local user.
(not shown) | | | The remote user.
(not shown) | | | The protocol.
Table 27: DLP archive/content log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

kind | varchar(255) | varchar(255) | The kind field can be any one of the following: summary, chat, file (a file was transferred), photo (photo sharing), photo-xref (a photo was transferred), audio (a voice chat), oversize (an oversized file), fileblock (a file was blocked), fileexempt, virus, dlp, call-block (SIP call blocked), call-info (SIP call information), call (SIP call), register (SIP register), unregister (SIP unregister).
action | varchar(255) | varchar(255) | The action.
dir | varchar(255) | varchar(255) | The direction, either "inbound" or "outbound".
messages | bigint default 0 | int unsigned default 0 | The message number.
start-date | varchar(255) | varchar(255) | The local start date.
end-date | varchar(255) | varchar(255) | The local end date.
content | varchar(255) | varchar(255) | IM chat content.
filename | varchar(255) | varchar(255) | File name.
filesize | | | File size.
message | | | Message.
(not shown) | | | Connection mode.
(not shown) | | | Heuristic.
(not shown) | | | The duration of the session.
(not shown) | | | The reason.
(not shown) | | | Phone number.
Table 27: DLP archive/content log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

dlp_sensor | varchar(255) | varchar(255) | DLP sensor.
message_type | varchar(255) | varchar(255) | The message type. This field is an enum, and can be one of: request, response.
request_name | varchar(255) | varchar(255) | Request name.
malform_desc | varchar(255) | varchar(255) | Malformed content description. This field is an enum, and can be one of the values listed in Table 28 on page 345.
malform_data | bigint default 0 | int unsigned default 0 | Malformed data.
line | varchar(255) | varchar(255) | Line.
column | varchar(255) | varchar(255) | Column.
Table 28: Values for malform-desc

<att-field>-expected
<att-value>-expected
<bandwidth>-expected
<delta-seconds>-expected
<encoding-name>-expected-in-rtpmap
<fmt>-expected
<bwtype>-expected
<callid>-expected
<CSeq-num>-expected
<gen-value>-expected
<generic-param>-with-invalid-<gen-value>
<integer>-expected
<method>-does-not-match-the-request-line
<method>-expected
<Method>-expected-after-<CSeq-num>
<payload-type>-expected-in-rtpmap
<proto>-expected
<repeat-interval>-expected
<response-num>-expected
<seq>-number-expected
<sess-id>-expected
<sess-version>-expected
<text>-expected
<time>-expected
<token>-expected-in-<proto>-after-slash
<typed-time>-expected
<username>-expected
<word>-expected
boundary-parameter-appears-more-than-once
colon-expected
domain-name-invalid
domain-name-oversize
duplicated-sip-header
digits-expected
domain-label-oversize
EQUAL-expected-after-<m-attribute>
invalid-<SIP-Version>-on-request-line
invalid-<start-time>
invalid-<stop-time>
invalid-<transport>
invalid-<userinfo>
invalid-branch-parameter
invalid-candidate-line
invalid-escape-encoding-in-<reason-phrase>
invalid-escape-encoding-in-<userinfo>
invalid-escape-encoding-in-uri-header
invalid-escape-encoding-in-uri-parameter
invalid-expires-parameter
invalid-fqdn
invalid-port
invalid-ipv4-address
invalid-ipv6-address
invalid-maddr-parameter
invalid-max-forwards
invalid-method-uri-parameter
invalid-port-after-ip-address-in-alt-line
invalid-port-after-ip-address-in-candidate-line
invalid-port-in-rtcp-line
invalid-q-parameter
invalid-quoted-string-in-display-name
invalid-transport-uri-parameter
invalid-quoting-character
invalid-received-parameter
invalid-rport-parameter
invalid-status-code
invalid-tag-parameter
invalid-ttl-parameter
invalid-ttl-uri-parameter
invalid-uri-header-name
invalid-uri-header-name-value-pair
invalid-uri-header-value
invalid-uri-parameter-pname
IP4-or-IP6-expected
ipv4-address-expected
LWS-expected
IPv4-or-IPv6-address-expected
invalid-uri-parameter-value
invalid-user-uri-parameter
IP-expected
ipv6-address-expected
left-angle-bracket-is-mandatory
line-order-error
multipart-Content-Type-has-no-boundary
no-matching-double-quote
no-METHOD-on-request-line
no-SLASH-after-<protocol-name>
no-SLASH-after-<protocol-version>
no-tag-parameter
o-line-not-allowed-on-media-level
port-expected
port-not-allowed
r-line-not-allowed-on-media-level
right-angle-bracket-not-found
s-line-not-allowed-on-media-level
sdp-alt-line-before-m-line
sdp-candidate-line-before-m-line
sdp-invalid-alt-line
sdp-rtcp-line-before-m-line
sdp-v-o-s-t-lines-are-mandatory
sip-udp-message-truncated
sip-Yahoo-candidate-invalid-protocol
slash-expected-after-<encoding-name>-in-rtpmap
SLASH-expected-after-<m-type>
space-violation
token-expected
too-many-rtcp-lines
too-many-c-lines
too-many-candidate-lines
too-many-i-lines
too-many-s-lines
too-many-v-line
uri-parameter-repeat
trailing-bytes
syntax-malformed
t-line-not-allowed-on-media-level
too-many-m-lines
too-many-o-lines
unexpected-character
unknown-header

SQL Log Databases Page 345 FortiAnalyzer v4.3.6 Administration Guide
Table 29: DLP log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

dport | int default 0 | |
(not shown) | | | The host name or IP address.
(not shown) | | | The URL address of the web site that was visited.
(not shown) | | | The sender's email address.
(not shown) | | | The receiver's email address.
(not shown) | | | Explains the activity or event that the FortiGate unit recorded.
(not shown) | | | The name of the rule within the DLP sensor.
compoundname | varchar(255) | | The compound name.
Table 29: DLP log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

action | varchar(255) | varchar(255) | The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only. This field is an enum, and can have one of the following values: log-only, block, exempt, ban, ban sender, quarantine ip, quarantine interface.
severity | smallint default 0 | tinyint unsigned default 0 | The level of severity for the specified rule.
Table 30: Email filter log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

service | varchar(255) | varchar(255) | The service where the activity or event occurred. For DLP logs, this field is an enum, and can have one of the following values: http, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, im, nntp, https, smtps, imaps, pop3s.
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
sport | int default 0 | smallint unsigned default 0 | The source port.
dport | int default 0 | smallint unsigned default 0 | The destination port.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
(not shown) | | | The sender's email address.
(not shown) | | | The receiver's email address.
(not shown) | | | The name of the Banned Word policy.
(not shown) | | | Tracker
(not shown) | | | The email direction. This field is an enum, and can have one of the following values: tx, rx.
agent | varchar(255) | varchar(255) | This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. In this example, the sender's email address is in the blacklist and matches the fourth email address in that list.
Table 31: Event log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

action | varchar(255) | varchar(255) | The action the FortiGate unit should take for this firewall policy. For event logs, the possible values of this field depend on the subcategory of the event:
    subcategory ipsec: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down
    subcategory nac-quarantine: ban-ip, ban-interface, ban-src-dst-ip
    subcategory sslvpn-user: tunnel-up, tunnel-down, ssl-login-fail
    subcategory sslvpn-admin: info
    subcategory sslvpn-session: tunnel-stats, ssl-web-deny, ssl-web-pass, ssl-web-timeout, ssl-web-close, ssl-sys-busy, ssl-cert, ssl-new-con, ssl-alert, ssl-exit-fail, ssl-exit-error, tunnel-up, tunnel-down, tunnel-stats, ssl-tunnel-unknown-tag, ssl-tunnel-error
    subcategory voip: permit, block, monitor, kickout, encrypt-kickout, cm-reject, exempt, ban, ban-user, log-only
    subcategory his-performance: perf-stats
session_id | bigint default 0 | int unsigned default 0 | The session ID.
count | bigint default 0 | int unsigned default 0 | The number of dropped SIP packets.
proto | varchar(255) | varchar(255) | The protocol.
cpu | smallint default 0 | tinyint unsigned default 0 | The CPU usage, for performance.
epoch | bigint default 0 | int unsigned default 0 | The unique number for each archive. It is used for cross reference purposes.
mem | smallint default 0 | tinyint unsigned default 0 | The memory usage, for performance.
(not shown) | bigint default 0 | int unsigned default 0 | The duration of the interval for item counts (such as infected, scanned, etc.) in this log entry.
(not shown) | bigint default 0 | int unsigned default 0 | The number of infected messages.
(not shown) | varchar(255) | varchar(255) | Source IP address.
(not shown) | smallint default 0 | tinyint unsigned default 0 | High availability group
tunnel_id | | |
bssid | | |
tunnel_type | varchar(255) | |
Table 31: Event log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

event_id | bigint default 0 | int unsigned default 0 | Event ID
ip | varchar(40) | varchar(40) | IP address
ha_role | varchar(255) | varchar(255) | High availability role.
rem_ip | varchar(40) | varchar(40) | Remote IP (used in ipsec subcategory logs).
suspicious | bigint default 0 | int unsigned default 0 | The number of suspicious messages.
sn | | | Serial number of the event
to | | | Destination IP address.
total_session | bigint default 0 | int unsigned default 0 | Total IP sessions.
ap | | | The physical AP name.
scanned | | | The number of scanned messages.
vcluster | | | Virtual cluster.
remote_ip | | | Remote IP (used in sslvpn-* subcategory logs).
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
imsi | varchar(255) | varchar(255) | An International Mobile Subscriber Identity (IMSI) is a unique number associated with all GSM and UMTS network mobile phone users.
loc_ip | varchar(40) | varchar(40) | Local IP
from_vcluster | bigint default 0 | int unsigned default 0 | From virtual cluster.
rem_port | int default 0 | smallint unsigned default 0 | Remote port.
(not shown) | | | The MSISDN of the carrier endpoint.
(not shown) | | | Tunnel IP.
(not shown) | | | The number of intercepted messages.
(not shown) | | | The virtual AP name.
(not shown) | | | The access point name.
Table 31: Event log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

out_intf | varchar(255) | varchar(255) | The out interface.
blocked | | | The number of blocked messages.
mac | | | MAC address.
to_vcluster | | | To virtual cluster.
acct_stat | | | The accounting state. This is an enum and can have one of the following values: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.
selection | varchar(255) | varchar(255) | The selection. This is an enum and can have one of the following values: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
reason | varchar(255) | varchar(255) | The reason this log was generated.
rate | smallint default 0 | tinyint unsigned default 0 | Traffic rate
loc_port | int default 0 | smallint unsigned default 0 | Local port.
vcluster_member | bigint default 0 | int unsigned default 0 | Virtual cluster member.
vcluster_state | varchar(255) | varchar(255) | Virtual cluster state.
app-type | varchar(255) | varchar(255) | Application type.
nsapi | smallint default 0 | tinyint unsigned default 0 | Network Service Access Point Identifier, an identifier used in cellular data networks.
dport | int default 0 | smallint unsigned default 0 | Destination port.
channel | smallint default 0 | | Channel.
Table 31: Event log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

cookies | varchar(255) | varchar(255) | Cookies.
checksum | | | The number of content checksum blocked messages.
dst_host | | | Destination host name or IP.
nf_type | | | The notification type. This is an enum and can have one of the following values: bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus.
vdname | varchar(255) | varchar(255) | The VDOM name.
(not shown) | | tinyint unsigned default 0 | Linked Network Service Access Point Identifier.
(not shown) | | | Next Statistics.
(not shown) | | | Virus name.
(not shown) | | | International Mobile Equipment Identity (IMEI) is a number, usually unique, that identifies GSM, WCDMA, and iDEN mobile phones, as well as some satellite phones.
devintfname | varchar(255) | varchar(255) | The device interface name.
security | varchar(255) | varchar(255) | The wireless security. This field is an enum, and can have one of the following values: open, wep64, wep128, wpa-psk, wpa-radius, wpa, wpa2, wpa2-auto.
policy_id | | |
rai | | |
hostname | varchar(255) | varchar(255) | The host name or IP
xauth_user | varchar(255) | varchar(255) | Authenticated user name.
uli | varchar(255) | varchar(255) | User Location Information.
xauth_group | varchar(255) | varchar(255) | Authenticated user group.
sent | numeric(20) default 0 | bigint unsigned default 0 | Number of bytes sent.
rcvd | numeric(20) default 0 | bigint unsigned default 0 | Number of bytes received.
sess_duration | | | The duration of the session.
hbdn_reason | varchar(255) | varchar(255) | Heartbeat down reason. This field is an enum, and can have one of the following values: linkfail, neighbor-info-lost.
banned_src | varchar(255) | varchar(255) | Banned source. This field is an enum, and can have one of the following values: ips, dos, dlp-rule, dlp-compound, av.
sync_type | varchar(255) | varchar(255) | Synchronization type. This field is an enum, and can have one of the following values: configurations, external-files.
Table 31: Event log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

sync_status | varchar(255) | varchar(255) | Synchronization status. This field is an enum, and can have one of the following values: out-of-sync, in-sync.
alert | varchar(255) | varchar(255) | Alert.
sensor | varchar(255) | varchar(255) | Sensor name.
endpoint | varchar(255) | varchar(255) | The endpoint.
stage | smallint default 0 | tinyint unsigned default 0 | Stage.
voip_proto | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: sip, sccp.
deny_cause | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: packet-sanity, invalid-reserved-field, reserved-msg, out-state-msg, reserved-ie, out-state-ie, invalid-msg-length, invalid-ie-length, miss-mandatory-ie, ip-policy, non-ip-policy, sgsn-not-authorized, sgsn-no-handover, ggsn-not-authorized, invalid-seq-num, msg-filter, apn-filter, imsi-filter, adv-policy-filter.
desc | varchar(255) | varchar(255) |
dir | varchar(255) | varchar(255) |
Table 31: Event log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

kind | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: register, unregister, call, call-info, call-block.
init | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: local, remote.
mode | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: aggressive, main, quick, xauth, xauth_client.
cert-type | varchar(255) | varchar(255) | Certificate type. This field is an enum, and can have one of the following values: CA, CRL, Local, Remote.
ui | varchar(255) | varchar(255) | User interface.
exch | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: NSA_INIT, AUTH, CREATE_CHILD.
rat-type | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: utran, geran, wlan, gan, hspa.
Table 31: Event log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

error_num | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values:
    Invalid ESP packet detected.
    Invalid ESP packet detected (HMAC validation failed).
    Invalid ESP packet detected (invalid padding).
    Invalid ESP packet detected (invalid padding length).
    Invalid ESP packet detected (replayed packet).
    Received ESP packet with unknown SPI.
method | varchar(255) | varchar(255) | The method.
phase2_name | varchar(255) | varchar(255) | IPsec VPN Phase 2 name.
spi | varchar(255) | varchar(255) | IPsec VPN SPI.
c-sgsn | varchar(40) | varchar(40) | SGSN IP address for GTP signalling.
request_name | varchar(255) | varchar(255) | Request name.
seq | varchar(255) | varchar(255) | Sequence number.
c-ggsn | varchar(40) | varchar(40) | GGSN IP address for GTP signalling.
in_spi | varchar(255) | varchar(255) | Remote SPI in IPsec VPN configuration.
u-sgsn | varchar(40) | varchar(40) | SGSN IP address for GTP user traffic.
out_spi | varchar(255) | varchar(255) | Local SPI in IPsec VPN configuration.
u-ggsn | varchar(40) | varchar(40) | GGSN IP address for GTP user traffic.
c-sgsn-teid | | | SGSN TEID (Tunnel Endpoint Identifier) for signalling.
enc_spi | varchar(255) | varchar(255) | Encryption SPI in IPsec VPN.
c-ggsn-teid | bigint default 0 | int unsigned default 0 | GGSN TEID for signalling.
dec_spi | varchar(255) | varchar(255) | Decryption SPI in IPsec VPN.
message_type | varchar(255) | varchar(255) | Message type. This field is an enum, and can have one of the following values: request, response.
malform_desc | varchar(255) | varchar(255) | Malformed description. This field is an enum. See Malform Description Values on page 363 for possible values.
tunnel | varchar(255) | varchar(255) | Tunnel name.
u-sgsn-teid | | | SGSN TEID for user traffic.
Table 31: Event log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

u-ggsn-teid | bigint default 0 | int unsigned default 0 | GGSN TEID for user traffic.
malform_data | bigint default 0 | int unsigned default 0 | Malformed data.
tunnel-idx | bigint default 0 | int unsigned default 0 | VPN tunnel index.
line | varchar(255) | varchar(255) | The content of the malformed SIP line.
column | varchar(255) | varchar(255) | The syntax error point in the SIP line.
c-pkts | | | Number of packets for signalling.
phone | | | SCCP phone device name.
(not shown) | | | Profile group name.
(not shown) | | | Number of bytes for signalling.
u-pkts | | | Next stat.
(not shown) | | | User data.
(not shown) | | | This field is an enum, and can have one of the following values: responder, initiator.
result | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: ERROR, OK, DONE, PENDING.
Table 31: Event log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

xauth_result | varchar(255) | varchar(255) | Authorization result. This field is an enum, and can have one of the following values: XAUTH authentication successful, XAUTH authentication failed.
esp_transform | varchar(255) | varchar(255) | ESP transform (encryption algorithm). This field is an enum, and can have one of the following values: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
esp_auth | varchar(255) | varchar(255) | ESP authentication (integrity algorithm). This field is an enum, and can have one of the following values: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.
error_reason | varchar(255) | varchar(255) | Text explanation for the error. This field is an enum, and can have one of the following values:
    invalid certificate
    invalid SA payload
    probable pre-shared key mismatch
    peer SA proposal not match local policy
    peer notification
    not enough key material for tunnel
    encapsulation mode mismatch
    no matching gateway for new request
    aggressive vs main mode mismatch for new request
Table 31: Event log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

peer_notif | varchar(255) | varchar(255) | Peer notification. This field is an enum, and can have one of the following values: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT, RETRY-LIMIT-REACHED.
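As an added example (not code from the FortiAnalyzer guide or from Fortinet), the following Python script loads a handful of constructed Table 31 rows into an in-memory SQLite table and runs the three queries an operator most often wants over the ipsec subcategory of the event log: repeated IKE negotiation failures per peer (error_reason), ESP-level rejects per peer (error_num), and installed SAs whose esp_transform or esp_auth value is one of the weak entries in those enums (ESP_NULL, ESP_DES, no authentication, HMAC_MD5). The table name event_log, the subcategory column (the guide groups actions by subcategory but does not list that column on this page), the sample rows, and the use of SQLite in place of the PostgreSQL or MySQL log database are assumptions; column names and enum values are taken from the table above. The ddl() helper also shows what the two type columns in these tables are for: the same field is declared with the PostgreSQL type in one dialect and the MySQL type in the other.

```python
"""Query an event-log table for IPsec failures and weak ESP settings.

Added example; not code from the FortiAnalyzer guide. Column names and enum
values are taken from Table 31 (event log fields). Assumptions: the table name
`event_log`, the `subcategory` column, the constructed sample rows, and the
use of SQLite in place of the PostgreSQL or MySQL log database.
"""
import sqlite3

# Subset of Table 31 with the two type columns the guide prints for each field.
# MySQL has unsigned and tinyint types; PostgreSQL does not, hence two columns.
EVENT_LOG_COLUMNS = [
    ("event_id", "bigint default 0", "int unsigned default 0"),
    ("subcategory", "varchar(255)", "varchar(255)"),  # assumed column
    ("action", "varchar(255)", "varchar(255)"),
    ("rem_ip", "varchar(40)", "varchar(40)"),
    ("loc_ip", "varchar(40)", "varchar(40)"),
    ("tunnel", "varchar(255)", "varchar(255)"),
    ("mode", "varchar(255)", "varchar(255)"),
    ("error_reason", "varchar(255)", "varchar(255)"),
    ("error_num", "varchar(255)", "varchar(255)"),
    ("peer_notif", "varchar(255)", "varchar(255)"),
    ("esp_transform", "varchar(255)", "varchar(255)"),
    ("esp_auth", "varchar(255)", "varchar(255)"),
    ("cpu", "smallint default 0", "tinyint unsigned default 0"),
]

# Constructed sample rows (not real log data), one value per column above.
SAMPLE_ROWS = [
    (1, "ipsec", "negotiate", "203.0.113.7", "198.51.100.1", "branch-a", "main",
     "probable pre-shared key mismatch", "", "NOT-APPLICABLE", "", "", 12),
    (2, "ipsec", "negotiate", "203.0.113.7", "198.51.100.1", "branch-a", "main",
     "probable pre-shared key mismatch", "", "NOT-APPLICABLE", "", "", 11),
    (3, "ipsec", "negotiate", "203.0.113.7", "198.51.100.1", "branch-a", "main",
     "probable pre-shared key mismatch", "", "NOT-APPLICABLE", "", "", 13),
    (4, "ipsec", "negotiate", "203.0.113.9", "198.51.100.1", "branch-b", "aggressive",
     "peer SA proposal not match local policy", "", "NO-PROPOSAL-CHOSEN", "", "", 10),
    (5, "ipsec", "tunnel-up", "203.0.113.9", "198.51.100.1", "branch-b", "main",
     "", "", "NOT-APPLICABLE", "", "", 9),
    (6, "ipsec", "error", "203.0.113.9", "198.51.100.1", "branch-b", "",
     "", "Invalid ESP packet detected (replayed packet).", "NOT-APPLICABLE", "", "", 9),
    (7, "ipsec", "error", "203.0.113.9", "198.51.100.1", "branch-b", "",
     "", "Invalid ESP packet detected (replayed packet).", "NOT-APPLICABLE", "", "", 9),
    (8, "ipsec", "error", "203.0.113.22", "198.51.100.1", "", "",
     "", "Received ESP packet with unknown SPI.", "NOT-APPLICABLE", "", "", 8),
    (9, "ipsec", "install_sa", "203.0.113.9", "198.51.100.1", "branch-b", "quick",
     "", "", "NOT-APPLICABLE", "ESP_AES", "HMAC_SHA256", 9),
    (10, "ipsec", "install_sa", "203.0.113.30", "198.51.100.1", "legacy-site", "quick",
     "", "", "NOT-APPLICABLE", "ESP_DES", "HMAC_MD5", 9),
    (11, "sslvpn-user", "ssl-login-fail", "203.0.113.50", "198.51.100.1", "", "",
     "", "", "", "", "", 8),
]


def ddl(table: str, dialect: str) -> str:
    """CREATE TABLE statement using the guide's PostgreSQL or MySQL type column."""
    idx = {"postgresql": 1, "mysql": 2}[dialect]
    body = ",\n  ".join(f"{col[0]} {col[idx]}" for col in EVENT_LOG_COLUMNS)
    return f"CREATE TABLE {table} (\n  {body}\n)"


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the log database, loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(ddl("event_log", "postgresql"))  # SQLite accepts these type names
    marks = ", ".join("?" * len(EVENT_LOG_COLUMNS))
    conn.executemany(f"INSERT INTO event_log VALUES ({marks})", SAMPLE_ROWS)
    return conn


def ike_failures_by_peer(conn, min_count=2):
    """Peers whose IKE negotiation failed repeatedly, grouped by error_reason."""
    return conn.execute(
        """SELECT rem_ip, error_reason, COUNT(*) AS n
           FROM event_log
           WHERE subcategory = 'ipsec' AND action = 'negotiate' AND error_reason <> ''
           GROUP BY rem_ip, error_reason
           HAVING COUNT(*) >= ?
           ORDER BY n DESC, rem_ip""", (min_count,)).fetchall()


def esp_errors_by_peer(conn):
    """ESP-level rejects (replay, bad HMAC, unknown SPI) grouped by remote peer."""
    return conn.execute(
        """SELECT rem_ip, error_num, COUNT(*) AS n
           FROM event_log
           WHERE subcategory = 'ipsec' AND action = 'error' AND error_num LIKE '%ESP packet%'
           GROUP BY rem_ip, error_num
           ORDER BY n DESC, rem_ip""").fetchall()


def weak_crypto_tunnels(conn):
    """Installed SAs using no/weak encryption or MD5 integrity, from the esp_* enums."""
    return conn.execute(
        """SELECT DISTINCT tunnel, rem_ip, esp_transform, esp_auth
           FROM event_log
           WHERE action = 'install_sa'
             AND (esp_transform IN ('ESP_NULL', 'ESP_DES')
                  OR esp_auth IN ('no authentication', 'HMAC_MD5'))
           ORDER BY tunnel""").fetchall()


if __name__ == "__main__":
    db = build_db()
    print(ddl("event_log", "mysql"))
    print(ike_failures_by_peer(db))
    print(esp_errors_by_peer(db))
    print(weak_crypto_tunnels(db))
```

Against a real log database, replace build_db() with a connection to the PostgreSQL or MySQL instance and the same three queries apply as written, since they only use the column names and enum strings from Table 31; the HAVING threshold is the knob that separates one mistyped pre-shared key from a peer that keeps retrying.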
Malform Description Values:

unexpected-character
invalid-quoting-character
trailing-bytes
header-line-oversize
msg-body-oversize
domain-name-oversize
domain-label-oversize
syntax-malformed
duplicated-sip-header
space-violation
invalid-ipv4-address
invalid-ipv6-address
invalid-port
invalid-fqdn
no-matching-double-quote
empty-quoted-string
invalid-<userinfo>
invalid-escape-encoding-in-<userinfo>
invalid-escape-encoding-in-uri-parameter
invalid-escape-encoding-in-uri-header
invalid-escape-encoding-in-<reason-phrase>
port-expected
port-not-allowed
domain-name-invalid
<gen-value>-expected
invalid-<gen-value>
invalid-<quoted-string>-in-<gen-value>
ipv4-address-expected
ipv6-address-expected
uri-expected
invalid-transport-uri-parameter
invalid-user-uri-parameter
invalid-method-uri-parameter
invalid-ttl-uri-parameter
invalid-uri-parameter-pname
invalid-uri-parameter-value
uri-parameter-repeat
invalid-uri-header-name
invalid-uri-header-value
invalid-uri-header-name-value-pair
invalid-quoted-string-in-display-name
left-angle-bracket-is-mandatory
right-angle-bracket-not-found
invalid-status-code
no-METHOD-on-request-line
uri-parameters-not-allowed-by-RFC
unknown-scheme
whitespace-expected
LWS-expected
invalid-<SIP-Version>-on-request-line
invalid-<protocol-name>
invalid-<protocol-version>
invalid-<transport>
no-SLASH-after-<protocol-name>
no-SLASH-after-<protocol-version>
header-parameter-expected
invalid-ttl-parameter
invalid-maddr-parameter
invalid-received-parameter
invalid-branch-parameter
invalid-rport-parameter
via-parameter-repeat
<seq>-number-expected
<method>-expected
<method>-does-not-match-the-request-line
<response-num>-expected
<CSeq-num>-expected
<Method>-expected-after-<CSeq-num>
expires-header-repeated
<delta-seconds>-expected
invalid-max-forwards
token-expected
invalid-expires-parameter
invalid-q-parameter
<generic-param>-with-invalid-<gen-value>
<m-type>-expected
SLASH-expected-after-<m-type>
<m-subtype>-expected
<m-attribute>-expected-after-SEMI
boundary-parameter-appears-more-than-once
EQUAL-expected-after-<m-attribute>
invalid-<quoted-string>-in-<m-value>
invalid-<m-value>
multipart-Content-Type-has-no-boundary
digits-expected
IN-expected
IP-expected
IP4-or-IP6-expected
IPv4-or-IPv6-address-expected
line-order-error
z-line-not-allowed-on-media-level
<time>-expected
<typed-time>-expected
r-line-not-allowed-on-media-level
<repeat-interval>-expected
<bwtype>-expected
colon-expected
<bandwidth>-expected
t-line-not-allowed-on-media-level
invalid-<start-time>
invalid-<stop-time>
too-many-i-lines
<text>-expected
too-many-c-lines
too-many-v-line
v-line-not-allowed-on-media-level
too-many-o-lines
o-line-not-allowed-on-media-level
<username>-expected
<sess-id>-expected
<sess-version>-expected
too-many-s-lines
s-line-not-allowed-on-media-level
too-many-m-lines
<media>-expected
<integer>-expected
<proto>-expected
<token>-expected-in-<proto>-after-slash
<fmt>-expected
<att-field>-expected
<att-value>-expected
<payload-type>-expected-in-rtpmap
<encoding-name>-expected-in-rtpmap
slash-expected-after-<encoding-name>-in-rtpmap
invalid-<clock-rate>-in-rtpmap
invalid-<encoding-parameters>-in-rtpmap
invalid-candidate-line
sdp-candidate-line-before-m-line
sip-Yahoo-candidate-invalid-protocol
invalid-port-after-ip-address-in-candidate-line
too-many-candidate-lines
sdp-invalid-alt-line
sdp-alt-line-before-m-line
invalid-port-after-ip-address-in-alt-line
sdp-rtcp-line-before-m-line
invalid-port-in-rtcp-line
too-many-rtcp-lines
<callid>-expected
<word>-expected
invalid-tag-parameter
no-tag-parameter
sdp-v-o-s-t-lines-are-mandatory
unknown-header
end-of-line-error
sip-udp-message-truncated
missing-mandatory-field
Table 32: Traffic log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

tran_disp | varchar(255) | varchar(255) |
tran_port | int default 0 | smallint unsigned default 0 | The translated port number in NAT mode. For transparent mode, it is zero (0).
proto | int default 0 | smallint unsigned default 0 | The protocol that applies to the session or packet. The protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type | varchar(255) | varchar(255) | The application or program used. This field is an enum, and can have one of the following values: N/A, BitTorrent, eDonkey, Gnutella, KaZaa, Skype, WinNY, AIM, ICQ, MSN, YAHOO.
duration | bigint default 0 | int unsigned default 0 | This represents the value in seconds.
rule | bigint default 0 | int unsigned default 0 | The rule number.
sent | bigint default 0 | int unsigned default 0 | The total number of bytes sent.
rcvd | bigint default 0 | int unsigned default 0 | The total number of bytes received.
sent_pkt | bigint default 0 | int unsigned default 0 | The total number of packets sent during the session.
rcvd_pkt | bigint default 0 | int unsigned default 0 | The total number of packets received during the session.
vpn | varchar(255) | varchar(255) | The name of the VPN tunnel used by the traffic.
SN | bigint default 0 | int unsigned default 0 | The serial number of the log message.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
Table 32: Traffic log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

wanopt_app_type | varchar(255) | varchar(255) | The type of WAN optimization that was used. This field is an enum, and can have one of the following values: web-cache, cifs, tcp, ftp, mapi, http.
wan_in | bigint default 0 | int unsigned default 0 | This field always displays WAN in.
wan_out | bigint default 0 | int unsigned default 0 | This field always displays WAN out.
lan_in | bigint default 0 | int unsigned default 0 | This field always displays LAN in.
lan_out | bigint default 0 | int unsigned default 0 | This field always displays LAN out.
app | varchar(255) | varchar(255) | The type of application. On the FortiGate unit, you can look the application type up in UTM > Application Control > Application List, and then select the name that is in the field to go to more detailed information on the FortiGuard Encyclopedia.
(not shown) | varchar(255) | varchar(255) | The application category that the application is associated with.
(not shown) | bigint default 0 | int unsigned default 0 | The number of sent traffic shaper bytes that were dropped.
(not shown) | bigint default 0 | int unsigned default 0 | The number of received traffic shaper bytes that were dropped.
(not shown) | bigint default 0 | int unsigned default 0 | The number of per-IP traffic shaper bytes that were dropped.
(not shown) | varchar(255) | | The name of the traffic shaper sending the bytes.
(not shown) | varchar(255) | | The name of the traffic shaper receiving the bytes.
(not shown) | varchar(255) | | The name of the per-IP traffic shaper.
Table 33: Antivirus log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. For example, the file that was downloaded from the web site exceeded the specified size limit.
sport | int default 0 | | The source port of where the traffic is originating from.
dport | int default 0 | |
(not shown) | | | The serial number of the log message.
(not shown) | | | Direction
(not shown) | | | The file filter. This field is an enum, and can have one of the following values: none, file pattern, file type.
Table 33: Antivirus log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

filetype | varchar(255) | varchar(255) | The file type. This field is an enum, and can have one of the following values: arj, cab, lzh, rar, tar, zip, bzip, gzip, bzip2, bat, msc, uue, mime, base64, binhex, com, elf, exe, hta, html, jad, class, cod, javascript, msoffice, fsg, upx, petite, aspack, prc, sis, hlp, activemime, jpeg, gif, tiff, png, bmp, ignored, unknown.
file | varchar(255) | varchar(255) |
checksum | varchar(255) | varchar(255) |
Table 33: Antivirus log fields (continued)
Columns: field | PostgreSQL type | MySQL type | description

quarskip | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values:
    No skip
    No quarantine for HTTP GET file pattern block.
    No quarantine for oversized files.
    File was not quarantined.
virus | varchar(255) | varchar(255) | The virus name.
ref | varchar(255) | varchar(255) | The URL reference that gives more information about the virus. If you enter the URL in your web browser's address bar, the URL directs you to the specific page that contains information about the virus.
url | varchar(255) | varchar(255) | The URL address of where the file was acquired.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
agent | varchar(255) | varchar(255) | This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.
(not shown) | | | The from email address.
(not shown) | | | The to email address.
(not shown) | | | Protocol specific command, such as POST and GET for HTTP, MODE and REST for FTP.
(not shown) | | | Detection type, possible values: virus, grayware.
Table 34: Web filter log fields (continued)
sport (int default 0; MySQL smallint unsigned default 0): The source port.
dport (int default 0; MySQL smallint unsigned default 0)
hostname (varchar(255); MySQL varchar(255)): The host name or IP.
carrier_ep (varchar(255); MySQL varchar(255)): The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
req_type (varchar(255); MySQL varchar(255)): The request type. This field is an enum, and can have one of the following values: direct, referral.
class (tinyint unsigned default 0): Class.
class_desc (varchar(255))
cat (varchar(255)): Category description.
rule_data (varchar(255); MySQL varchar(255)): Rule data.
Other fields on this page (field names did not survive extraction):
The URL.
A text message explaining the log entry. For example, 'Message was blocked because it contained a banned word.'
The direction.
This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.
From.
To.
The name of the banned word policy that triggered the log event.
The Web Filter error.
The HTTP method.
This field is an enum, and can have one of the following values: ip, domain.
The mode. Can be 'rule' or 'off-site'.
Rule type. This field is an enum, and can have one of the following values: directory, domain, rating.
Table 34: Web filter log fields (continued)
ovrd_tbl (varchar(255); MySQL varchar(255)): Override table.
ovrd_id (bigint default 0; MySQL int unsigned default 0): Override ID.
count (bigint default 0; MySQL int unsigned default 0): The number of scripts blocked by the scriptfilter within the page.
url_type (varchar(255); MySQL varchar(255)): URL Type. This field is an enum, and can have one of the following values: http, https, ftp, telnet, mail.
urlfilter_idx (bigint default 0; MySQL int unsigned default 0): URL Filter Index.
urlfilter_list (varchar(255); MySQL varchar(255)): URL Filter List.
(field name did not survive extraction) (varchar(255)): Quota Exceeded. Can be 'yes' or 'no'.
quota_used (bigint default 0; MySQL int unsigned default 0): Quota time used (in seconds).
quota_max (bigint default 0; MySQL int unsigned default 0): Maximum quota time allowed (in seconds).
Table 35: Netscan log fields (continued)
port (int default 0; MySQL smallint unsigned default 0): The port scanned.
Other fields on this page (field names did not survive extraction; varchar(255) types):
The name of the vulnerability found.
The found vulnerability category.
The found vulnerability ID.
A link to the detected vulnerability in FortiGuard.
The severity of the vulnerability. This field is an enum, and can have one of the following values: critical, high, medium, low, info.
The operating system of the scanned asset.
The family of the operating system on the scanned asset.
The generation of the operating system on the scanned asset.
The vendor of the operating system on the scanned asset.
Informational message.
Examples
The following examples illustrate how to write custom datasets. After you create the datasets, you can use them when you configure chart templates under Report > Advanced > Chart.
Figure 218: Adding a dataset to a chart template
Then you can add the chart template to a report when you create the new report under Report > Unclassified Reports. For more information, see Configuring report chart templates on page 221.
Figure 219: Adding a chart to a report
On the FortiAnalyzer unit, datasets can be created via the CLI or the Web-based Manager.
Web-based Manager procedure:
1. Go to Report > Advanced > Dataset.
2. Click Create New to create a new dataset and enter a name (such as "apps_type").
3. Under Log Type($log), select Application Control.
4. Enter the query:
   SELECT app_type, COUNT( * ) AS totalnum FROM $log AND app_type IS NOT NULL GROUP BY app_type ORDER BY totalnum DESC
CLI procedure:
To perform the same task using the CLI, use these commands:
   config sql-report dataset
     edit apps_type
       set device-type FortiGate
       set log-type app-ctrl
       set query "SELECT app_type, COUNT( * ) AS totalnum FROM $log AND app_type IS NOT NULL GROUP BY app_type ORDER BY totalnum DESC"
     end
Notes:
$log queries all application control logs.
The application control module classifies each firewall session in app_type. One firewall session may be classified to multiple app_types. For example, an HTTP session can be classified to: HTTP, Facebook, etc.
Some apps or app_types cannot be detected; in that case the app_type field may be null or N/A, and such records are ignored by this query.
The result is ordered by the total session number of the same app_type. The most frequent app_types will appear first.
4. Enter the query:
   SELECT attack_id, COUNT( * ) AS totalnum FROM $log and attack_id IS NOT NULL GROUP BY attack_id ORDER BY totalnum DESC LIMIT 10
CLI procedure:
To perform the same task using the CLI, use these commands:
   config sql-report dataset
     edit top_attacks
       set device-type FortiGate
       set log-type attack
       set query "SELECT attack_id, COUNT( * ) AS totalnum FROM $log and attack_id IS NOT NULL GROUP BY attack_id ORDER BY totalnum DESC LIMIT 10"
     end
Notes:
The result is ordered by the total attack number of the same attack_id. The most frequent attack_id will appear first.
Notes:
The WAN optimizer module will log each application's bandwidth. All bandwidth data is logged in traffic logs, and WAN opt data will have the subtype wanopt-traffic.
SUM(wan_in + wan_out) AS bandwidth: this calculates the total in and out traffic.
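The three dataset queries above (apps_type, top_attacks and the WAN optimization bandwidth sum) all rely on FortiAnalyzer expanding the $log macro before the trailing AND clause is applied. The following added example, which is not from this guide, runs them against constructed sample log rows in SQLite so the grouping and ordering can be checked offline. The $log expansion in expand_log_macro is an assumption about how FortiAnalyzer rewrites the macro (table name plus a WHERE clause carrying the device/time scope), the WANOPT_QUERY is an assumed full query built around the page's SUM(wan_in + wan_out) AS bandwidth fragment, and the table and column names app_ctrl_log, attack_log, traffic_log and app are constructed for the example.

```python
import sqlite3

# Dataset queries as written on the page. FortiAnalyzer substitutes $log at run
# time, so the queries continue the generated WHERE clause with AND.
APPS_TYPE_QUERY = (
    "SELECT app_type, COUNT( * ) AS totalnum FROM $log AND app_type IS NOT NULL "
    "GROUP BY app_type ORDER BY totalnum DESC"
)
TOP_ATTACKS_QUERY = (
    "SELECT attack_id, COUNT( * ) AS totalnum FROM $log and attack_id IS NOT NULL "
    "GROUP BY attack_id ORDER BY totalnum DESC LIMIT 10"
)
# Assumed query for the WAN optimization example: the page only shows the
# SUM(wan_in + wan_out) AS bandwidth fragment and the wanopt-traffic subtype.
# The "app" column name is an assumption.
WANOPT_QUERY = (
    "SELECT app, SUM(wan_in + wan_out) AS bandwidth FROM $log "
    "AND subtype = 'wanopt-traffic' GROUP BY app ORDER BY bandwidth DESC"
)


def expand_log_macro(query, table, scope="1 = 1"):
    """Stand-in for FortiAnalyzer's $log expansion (assumed behaviour): $log
    becomes the log table plus a WHERE clause carrying the device/time scope,
    so the dataset's trailing 'AND ...' attaches to that clause."""
    return query.replace("FROM $log", f"FROM {table} WHERE {scope}")


def build_sample_db():
    """Constructed sample log rows (not real FortiGate output)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_ctrl_log (app_type TEXT)")
    conn.executemany(
        "INSERT INTO app_ctrl_log VALUES (?)",
        [("HTTP",)] * 4 + [("Facebook",)] * 3 + [("SSH",)] * 2
        + [("N/A",)] + [(None,)] * 2,  # undetected sessions: literal N/A or NULL
    )
    conn.execute("CREATE TABLE attack_log (attack_id INTEGER)")
    conn.executemany(
        "INSERT INTO attack_log VALUES (?)",
        [(11,)] * 3 + [(22,)] * 2 + [(33,)] + [(None,)],
    )
    conn.execute(
        "CREATE TABLE traffic_log (subtype TEXT, app TEXT, wan_in INTEGER, wan_out INTEGER)"
    )
    conn.executemany(
        "INSERT INTO traffic_log VALUES (?, ?, ?, ?)",
        [("wanopt-traffic", "http", 100, 50), ("wanopt-traffic", "http", 20, 30),
         ("wanopt-traffic", "cifs", 10, 10), ("forward", "http", 999, 999)],
    )
    return conn


def run_dataset(query, table, scope="1 = 1"):
    """Expand $log and run the dataset query against the sample database."""
    conn = build_sample_db()
    try:
        return conn.execute(expand_log_macro(query, table, scope)).fetchall()
    finally:
        conn.close()


def top_app_types(drop_na_literal=False):
    """The apps_type dataset. The page's notes say null or N/A app_types are
    ignored; IS NOT NULL alone keeps a literal 'N/A' string, so the optional
    flag extends the filter for that case."""
    query = APPS_TYPE_QUERY
    if drop_na_literal:
        query = query.replace(
            "app_type IS NOT NULL", "app_type IS NOT NULL AND app_type <> 'N/A'"
        )
    return run_dataset(query, "app_ctrl_log")


def top_attacks():
    """The top_attacks dataset: most frequent attack_id first, at most 10 rows."""
    return run_dataset(TOP_ATTACKS_QUERY, "attack_log")


def wanopt_bandwidth():
    """Assumed WAN optimization dataset: total in + out bytes per application."""
    return run_dataset(WANOPT_QUERY, "traffic_log")


if __name__ == "__main__":
    print("apps_type:", top_app_types())
    print("apps_type without N/A:", top_app_types(drop_na_literal=True))
    print("top_attacks:", top_attacks())
    print("wanopt bandwidth:", wanopt_bandwidth())
```

With the sample rows, apps_type returns HTTP, Facebook and SSH in descending session count followed by the literal N/A row; only the extended filter drops that row, which is worth remembering when a chart unexpectedly shows an N/A bar.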
Table 37: FortiAnalyzer listening ports
Functionality: Port(s)
Windows share: UDP 137-139 and TCP 445
Syslog, log forwarding: UDP 514. Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, syslog traffic will be sent into an IPsec tunnel. Data will be exchanged over UDP 500/4500, Protocol IP/50.
SSH administrative access to the CLI: TCP 22
Telnet administrative access to the CLI: TCP 23
HTTP administrative access to the Web-based Manager: TCP 80
HTTPS administrative access to the Web-based Manager; remote management from a FortiManager unit: TCP 443
Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval) (OFTP): TCP 514
NFS share: (port number did not survive extraction)
HTTP or HTTPS administrative access to the Web-based Manager's CLI dashboard widget: the protocol used will match the protocol used by the administrator when logging in to the Web-based Manager (port number did not survive extraction)
Log aggregation server (log aggregation server support requires model FortiAnalyzer-800 or greater): TCP 3000
Remote management from a FortiManager unit (configuration installation): TCP 8080
Remote MySQL database connection: TCP 3306
Table 38: FortiAnalyzer FDN ports
Functionality: Port(s)
Vulnerability Management updates: TCP 443
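A practical use of the listening-port table is to compare it against what a FortiAnalyzer actually exposes and flag anything that is not on the list, or that is on the list but carries administrative credentials in clear text (Telnet, HTTP). The following added example is not from this guide: it takes a constructed scan listing in an assumed "proto port state" line format, checks it against the ports from Table 37 whose numbers are present on the page (the NFS share and CLI dashboard widget entries are left out because their ports did not survive extraction), and reports unexpected listeners, clear-text management ports, and integration ports that should normally be reachable only from their peer (MySQL clients, aggregation clients, FortiManager); that last grouping is the example's own judgment, not a statement from the guide.

```python
# Expected FortiAnalyzer listeners from Table 37, keyed by (protocol, port).
EXPECTED_LISTENERS = {
    **{("udp", p): "Windows share" for p in range(137, 140)},
    ("tcp", 445): "Windows share",
    ("udp", 514): "Syslog, log forwarding",
    ("tcp", 22): "SSH administrative access to the CLI",
    ("tcp", 23): "Telnet administrative access to the CLI",
    ("tcp", 80): "HTTP administrative access to the Web-based Manager",
    ("tcp", 443): "HTTPS administrative access; FortiManager remote management",
    ("tcp", 514): "OFTP: device registration, quarantine/log/report access",
    ("tcp", 3000): "Log aggregation server",
    ("tcp", 8080): "FortiManager remote management (configuration installation)",
    ("tcp", 3306): "Remote MySQL database connection",
}

# Management protocols in the table that send administrator credentials unencrypted.
CLEARTEXT_MANAGEMENT = {("tcp", 23), ("tcp", 80)}

# Ports that exist for one specific peer (assumed grouping for this example);
# a defender would normally restrict these to that peer's address.
INTEGRATION_ONLY = {("tcp", 3000), ("tcp", 8080), ("tcp", 3306)}

# Constructed scan output in an assumed "proto port state" format, not real output.
SAMPLE_SCAN = """\
tcp 22 open
tcp 23 open
tcp 443 open
tcp 514 open
tcp 3306 open
tcp 8888 open
udp 514 open
udp 161 closed
"""


def parse_scan(text):
    """Return the set of (proto, port) pairs reported as open."""
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "open":
            continue  # skip blank, malformed, or closed entries
        listeners.add((parts[0].lower(), int(parts[1])))
    return listeners


def audit_listeners(observed):
    """Compare observed open ports with Table 37 and group what needs attention."""
    return {
        "unexpected": sorted(p for p in observed if p not in EXPECTED_LISTENERS),
        "cleartext_management": sorted(p for p in observed if p in CLEARTEXT_MANAGEMENT),
        "integration_only": sorted(p for p in observed if p in INTEGRATION_ONLY),
    }


def describe(observed):
    """Human-readable lines for the observed listeners, using the table's descriptions."""
    return [
        f"{proto}/{port}: {EXPECTED_LISTENERS.get((proto, port), 'NOT IN TABLE 37')}"
        for proto, port in sorted(observed)
    ]


if __name__ == "__main__":
    open_ports = parse_scan(SAMPLE_SCAN)
    for line in describe(open_ports):
        print(line)
    print(audit_listeners(open_ports))
```

Run against the constructed listing, the audit reports tcp/8888 as not in the table, tcp/23 as a clear-text management listener, and tcp/3306 as an integration port to scope to the database client.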
Port Numbers
Appendix E: ConnectWise
FortiAnalyzer compatibility with ConnectWise
The FortiAnalyzer unit integrates with the ConnectWise Management Services Platform (MSP) by providing statistics from FortiGate logs and reports for the MSP's Executive Summary report. The statistics include:
Top 10 web sites
Top 10 intrusions prevented
Top 10 web filter categories
Total bandwidth usage
Total number of events
The Executive Summary provides important metrics from different solutions to generate informative reports for the end users. By connecting to the ConnectWise MSP, the FortiAnalyzer unit uploads reporting data each time it runs. ConnectWise support is controlled through the CLI only. For more information, see the config connectwise report command in FortiAnalyzer v4.0 MR3 CLI Reference. This section describes how to configure the ConnectWise server and the FortiAnalyzer unit to generate executive reports. This process assumes that you have installed the ConnectWise server properly.
This configuration uses ConnectWise 2010. It might be different from your version.
To set the integrator login and add a new management IT:
1. Log in to ConnectWise.
2. From the navigation pane, click Setup > Setup Tables.
Username: Enter the user name, such as UserName1.
Password: Enter the password, such as PassW1.
4. In Enable Available APIs, select Managed Services API.
5. Click Save.
6. Search and select Management IT and click Add New.
Name: Enter the name of the Management IT, such as FortiAnalyzer Central Office.
Management IT Solution: Select Custom.
Custom Solution Name: Enter the same name as the Management IT.
7. Click Save.
To configure the Management IT in the company record:
1. Log in to ConnectWise.
2. From the navigation pane, click Contacts > Company.
3. Search for your company name. Before you log into the ConnectWise server, your company information has already been set up.
4. Go to the Management tab.
5. Under Management Solutions, create a new management solution.
Company: Select your company name.
Solution: Select the name for the Management IT created in step 6, FortiAnalyzer Central Office/FortiAnalyzer Central Office.
Management ID: Enter a management ID, such as FAZCentralOfficeManagementID.
6. Click Save.
To add configurations for FortiGate units:
1. Log in to ConnectWise.
2. From the navigation pane, click Contacts > Company.
3. Search for your company name. Before you log into the ConnectWise server, your company information has already been set up.
4. Click the Configuration tab to create a new configuration for the FortiGate units.
5. For Configuration Type, select Network Security Appliance.
6. For Name, enter the same name used by these FortiGate units on the FortiAnalyzer unit, such as FG100A.
7. Enter the other information as required.
8. Click Save.
9. Repeat this procedure for all the FortiGate units that report their usage to ConnectWise through the FortiAnalyzer unit.
To configure the FortiAnalyzer unit:
1. In the FortiAnalyzer CLI, type the following commands to enable the ConnectWise report:
   config connectwise report
     set status enable
     set integration-login-id <user_name_used_in_ConnectWise_Management_IT_config>
     set integration-password <password_used_in_ConnectWise_Management_IT_config>
     set company-name <company_ID_used_at_ConnectWise_login>
     set management-solution-name <ConnectWise_Management_ID_name>
     set connectwise-server <ConnectWise_server_address>
   end
2. Create a device group if you only want certain FortiGate units to report to ConnectWise. For more information, see Configuring device groups on page 172.
3. Create a report for the FortiGate units to report to ConnectWise. For more information, see Reports on page 203.
4. Create a report output template for the FortiGate units to report to ConnectWise.
5. Create a report schedule (for the proprietary indexed file system) or configure report settings (for the SQL database). For more information, see Configuring report schedules on page 237 and Report settings on page 210. When configuring the report schedule or settings:
   Use the report layout you configured.
   Select the device group you created if you only want certain FortiGate units to report to ConnectWise, or select All FortiGates.
   Use the report output template you configured.
Index
A
access profile 50 adding configuring defining log severity levels 332 administrative access interface settings 94 restricting 93, 94, 108 administrative domains. See ADOMs administrator "admin" account 27, 28, 34 admin, accessing ADOMs 57 assigning to ADOM 57 password 34 permissions 34 ADOMs 51 access privileges 50 accessing as admin administrator 57 admin account privileges 50 assigning administrators 57 disabling 54 enabling 51 Global 50 maximum number 322 permissions 50 root 54 aggregation client 134 alerts 122, 129, 131 testing 126 alias 137 ARP 306 authenticated network scan preparing 262 authentication 27
C
cable null modem 28 certificate default 28 mismatch 28 self-signed 27 warning 27 certificate authority (CA) 27 charts 241 create a template 222 pre-defined 221 view custom templates 226 classifying FortiGate network interfaces 173 CLI commands 301 connecting to 28 clock 63, 64 column view network analyzer logs 280 command line interface (CLI) 17, 26, 59, 81, 108 Console widget 81 prompt 65 command prompt 65 common name (CN) field 27 communications (COM) port 28 connecting web UI 27 connection attempt handling 169 ConnectWise 22 contract 67 count 189 CPU usage 69, 70
B
backing up log files 292 backing up the configuration using the CLI 292 using web-based manager 291 backup & restore 147 baseline 49 baud rate 318 blocking device connection attempts 170 Boolean operator 283 Bootup issues 316 browse network analyzer 277 sniffer 277 browser 26, 27 warnings 27
D
dashboard 59 data filter 248 create new 249 data sets 226 custom 226 pre-defined 226 database SQL 20 DC (duplicate count) 190 default administrator account 27, 28, 34 certificate 28 IP address 35 password 17, 27, 28, 29, 30, 34 settings 27, 28 URL 27 delete after upload network analyzer log 288
device adding or deleting 165 groups 172 list 157 maximum number 161 registration and reports 188 reports 208 unregistered vs. registered 161 device communication 22 disk space allocated to Network Analyzer 287 DLP archive 185 backing up 195 DNS server 35, 99 test connection 305 domain name certificate 28 DOS 26 down 93 download logs 193, 285 network analyzer logs 278 search results 285
FortiGuard scheduling updates 38 Vulnerability Management 36 FortiMail 21 Fortinet Technical Support 36 Fortinet Discovery Protocol (FDP) 93, 94, 96 Fortinet Distribution Network (FDN) 36 Fortinet Distribution Server (FDS) 36 FortiWeb 21 FTP 288 further reading 42
G
gateway 35 gzip 74, 279, 280, 285, 288
H
HA cluster 165 hard disk 77 historical viewer network analyzer 276 host name 27, 65 HTTP 95 HTTPS 27, 93, 94 HyperTerminal 28
E
eDiscovery 197 error log level 44 Ethernet 27, 28 event log 44
I
ICMP 94 importing log files 192 indexed log fields 283 installation 17 interface configuring 35 IP address 28, 35 IP alias 137 resolve host names 188
F
factory default settings 27, 28 Federal Information Processing Standards (FIPS) 16 file extension 74, 279, 285 filter criteria 283 icon 279, 282, 283 logs 181 network analyzer 282 tip 283 tips 182 firmware install 62 version 63 formatted view network analyzer logs 280 FortiClient 21 FortiGate adding 41 registering 41 FortiGate unit registering 40
J
JavaScript 81
K
kernel upgrade 23
L
license information, widget 67 license validation 36 lightweight directory access protocol (LDAP) 144, 147 Linux 306 local console access 81 log event 44 log forwarding 135
logs 63 backing up 195 configuring 42 content. See DLP archive CSV format 285 DNS 22 download 285 enhancements 21 FortiClient 21 FortiMail 21 FortiWeb 21 gzip 74, 279, 280, 285 indexed fields 283 integrity validation 21 raw view 282, 283 search 283 search tips 184 unindexed fields 282, 283 UTM 21
network file share (NFS) 16 network interface administrative access 94 status 93 network interfaces, classifying (FortiGate) 173 network share 16, 100 Network Time Protocol (NTP) 35, 63 new disk adding for 2000B and 4000B 78 null modem cable 28
O
operation mode 20, 31
P
password 27, 28, 29, 30, 34, 111 administrator 17 log upload 288 patch releases 290 performance 59 permissions 34 access profile 111 ADOMs 50 ping 43, 94 port destination 275 numbers 302 scan 16 source 275 port number 36 port1 27, 28 ports UDP ports 33434-33534 305 powering on 316 prompt 81 protocol FTP 288 SCP 288 SFTP 288
M
mail server 126 maximum transmission unit (MTU) 95 Maximum Values Matrix 322 media access control (MAC) address 94 memory usage 69 menu layout 20 Microsoft Internet Explorer 27 migrating data 152 mode operation 31 Mozilla Firefox 27 MS Windows 305
N
netmask 35 network interface 27, 28 sniffer 277 network analyzer browse 277 column view 275 delete after download 288 download logs 278 enable 287 filter 282 gzip 288 historical viewer 276 real-time viewer 274 resolve host names 275, 277 roll settings 286 upload to 288 network analyzer logs column view 280 formatted view 280
Q
quarantine 188 count 189 duplicate count 190 ticket number 190 query 144, 147 DNS 99
R
raid monitor, widget 75 random access memory (RAM) 69 real-time viewer network analyzer 274 Register a FortiGate unit 40 remote authentication dial in user service (RADIUS) 114
report add a language 233, 256 add a section 209, 211 browsing 235 calendar 229 chart template 221 charts 241 custom 219 data filter 249 data filters 248 data sets 226 default device 208 edit a language 254 edit a layout 241 edit a section 211 email filters 22 enhancements 19 index based 219 language 230, 231, 252 layout 234, 237, 240, 241, 244 new folder 220 profiles 241 redefined 217 remote output 214 run 247 schedule 229 settings 210 SQL based 204 report engine, widget 75 resolve host names 188 network analyzer 275, 277 RJ-45 27, 28 roll settings network analyzer 286 root administrator account 34 root (Management Administrative Domain) 54 root ADOM 51, 54 router 35
share 16 simple network management protocol (SNMP) system name 65 SMP support 23 sniffer 272, 277 See also network analyzer SNMP community 129 event 131 manager 129 queries 131 span port 272 special characters 65 SQL database 205 remote database 206 reports 204 SQL database 20 SSL 63 statistics widget 72 subnet 285 supported RFCs 1213 127 2665 127, 321 sync interval 64 Syslog server 131 system information, widget 62 system operation, widget 68 system resources, widget 69 system time 35, 301
T
TACACS+ server 22 Telnet 26, 81, 95 terminal 26, 28 Terminal Access Controller Access-Control System (TACACS+) 115 test configuration 42 ticket number 190 time 35, 63 time to live (TTL) 305 time zone 36, 37 traceroute 43, 305 tracert 306 troubleshooting 43, 298 packet sniffing 307 routing table 306 trust certificate 27
S
scheduled reports configuring 237 scheduling 63 scheduling updates 38 SCP 288 search DLP archive 185 download results 285 Network Analyzer logs 272, 283 tips 184, 284 user data 185 secure connection 188 Secure Shell (SSH) 26, 81, 93, 95 security certificate 27 self-signed 27 serial number 63 serial port parameters 317 severity levels (logs) 332 SFTP 288
U
unindexed log fields 282, 283 UNIX 26 unknown 169 unregistered 161, 188 up 93 upgrade FortiGuard Vulnerability Management 36
V
verify configuration 42 virus See quarantine vulnerability management 258 assets 260 database 258 signatures 258 vulnerability scan 22 viewing results 269
W
web browser 26, 27 warnings 27 web filtering 184
web services 96 web UI 27 widget 59 intrusion activity 91 license information 67 log receive monitor 79 logs/data received 71 raid monitor 75 report engine 75 statistics 72 system information 62 system operation 68 system resources 69 top email traffic 86 top ftp traffic 87 top im/p2p traffic 88 top traffic 83 top web traffic 84 virus activity 90 WSDL file obtaining 98