Monthly Archives: April 2016

Reports

A FortiAnalyzer unit analyzes information collected from the log files of managed log devices and presents it in tabular and graphical reports that provide a quick and detailed analysis of activity on your networks.

To reduce the number of reports needed, reports are independent from devices, and contain layout information in the form of a report template. The devices, and any other required information, can be added as parameters to the report at the time of report generation.

The Reports tab allows you to configure reports using the predefined report templates, configure report schedules, view report history and the report calendar, and configure and view charts, macros, datasets, and output profiles.

If ADOMs are enabled, each ADOM will have its own report settings including chart library, macro library, dataset library, and output profiles.

FortiCache, FortiMail and FortiWeb reports are available when ADOMs are enabled. Reports for these devices are configured within their respective default ADOM. These devices also have device specific charts and datasets.

This chapter contains the following sections:

  • Reports
  • Report layouts
  • Chart library
  • Macro library
  • Report calendar
  • Advanced

Reports

FortiAnalyzer includes preconfigured reports and report templates for FortiGate, FortiMail, and FortiWeb log devices. These report templates can be used as is, or you can clone and edit the templates. You can also create new reports and report templates that can be customized to your requirements. For a list of preconfigured reports see “Report Templates” on page 207.

Predefined report templates are identified by a blue report icon, and custom report templates by a green report icon. When a schedule has been enabled, the schedule icon appears to the left of the report template name.

In the Reports tab, go to Reports > [report] to view and configure the report configuration, advanced settings, and layout, and to view completed reports. The currently running reports and completed reports are shown in the View Report tab, see “View report tab” on page 173.

Figure 118: Report page

Right-clicking on a template in the tree menu opens a pop-up menu with the following options:

Report
  • Create New: Create a new report. See “To create a new report:” on page 167. Custom report templates are identified by the custom report icon beside the report name; predefined report templates are identified by the predefined report icon.
  • Rename: Rename a report.
  • Clone: Clone the selected report. See “To clone a report:” on page 167.
  • Delete: Delete the report. The default reports cannot be deleted. See “To delete a report:” on page 167.
  • Import: Import a report. See “Import and export” on page 167.
  • Export: Export a report. See “Import and export” on page 167.

Folder
  • Create New: Create a new report folder. See “To create a new report folder:” on page 168.
  • Rename: Rename a report folder. See “To rename a report folder:” on page 168.
  • Delete: Delete a report folder. Any report templates in the folder will be deleted. See “To delete a report folder:” on page 168.

Reports and report templates can be created, edited, cloned, and deleted. You can also import and export report templates. New content can be added to and organized on a template, including: new sections, three levels of headings, text boxes, images, charts, and line and page breaks.

To create a new report:

  1. In the Reports tab, right-click on Reports in the tree menu.
  2. Under the Report heading, select Create New.

The Create New Report dialog box opens.

  3. Enter a name for the new report and select OK.
  4. Configure report settings in the Configuration tab. The Configuration tab includes time period, device selection, report type, schedule, and notifications.
  5. Select the Report layouts tab to configure the report template.
  6. Select the Advanced settings tab to configure report filters and other advanced settings.
  7. Select Apply to save the report template.

To clone a report:

  1. Right-click on the report you would like to clone in the tree menu and select Clone.

The Clone Report Template dialog box opens.

  2. Enter a name for the new template, then select OK.

A new template with the same information as the original template is created with the given name. You can then modify the cloned report as required.

To delete a report:

  1. Right-click on the report template that you would like to delete in the tree menu, and select Delete under the Report heading.
  2. In the confirmation dialog box, select OK to delete the report template.

Import and export

Report templates can be imported from and exported to the management computer.

To import a report template:

  1. Right-click on Reports, and select Import.

The Import Report Template dialog box opens.

  2. Select Browse, locate the report template (.dat) file on your management computer, and select OK.

The report template will be loaded into the FortiAnalyzer unit.

To export a report template:

  1. Right-click on the report you would like to export in the tree menu and select Export.
  2. If a dialog box opens, select to save the file (.dat) to your management computer, and select OK.

The report template can now be imported to another FortiAnalyzer device.

Report folders

Report folders can be used to help organize your reports.

To create a new report folder:

  1. In the Reports tab, right-click on Reports in the tree menu.
  2. Under the Folder heading, select Create New.
  3. In the Create New Folder dialog box, enter a name for the folder, and select OK.

A new folder is created with the given name.

To rename a report folder:

  1. Right-click on the report folder that you need to rename in the tree menu.
  2. Under the Folder heading, select Rename.
  3. In the Rename Folder dialog box, enter a new name for the folder, and select OK.

To delete a report folder:

  1. Right-click on the report folder that you would like to delete in the tree menu, and select Delete under the Folder heading.
  2. In the confirmation dialog box, select OK to delete the report folder.

Configuration tab

In FortiAnalyzer v5.2.0 and later, the Reports tab layout has changed. When creating a new report, the Configuration tab is the first tab that is displayed. In this tab you can configure the time period, select devices, enable schedules, and enable notification.

Report schedules provide a way to schedule an hourly, daily, weekly, or monthly report so that the report will be generated at a specific time. You can also manually run a report schedule at any time, and enable or disable report schedules. Report schedules can also be edited and disabled from the Report Calendar. See “Report calendar” on page 198 for more information.

Figure 119: Configuration tab

The following settings are available in the Configuration tab:

Time Period: The time period that the report will cover. Select a time period, or select Other to manually specify the start and end date and time.
Devices: The devices that the report will include. Select either All Devices or Specify to add specific devices. Select the add icon to select devices.
User or IP: Enter the user name or the IP address of the user on whom the report will be based. This field is only available for the three predefined report templates in the Detailed User Report folder.
Type: Select either Single Report (Group Report) or Multiple Reports (Per-Device). This option is only available if multiple devices are selected.
Enable Schedule: Select to enable report template schedules.
Generate PDF Report Every: Select when the report is generated. Enter a number for the frequency of the report based on the time period selected from the drop-down list.
Starts On: Enter a starting date and time for the file generation.
Ends: Enter an ending date and time for the file generation, or set it for never ending.
Enable Notification: Select to enable report notification.
Output Profile: Select the output profile from the drop-down list, or select Create New to create a new output profile. See “Output profile” on page 203.

Event Management

In the Event Management tab you can configure event handlers based on log type and logging filters. You can select to send the event to an email address, SNMP community, or syslog server. Events can be configured per device, for all devices, or for the local FortiAnalyzer. You can create event handlers for FortiGate and FortiCarrier devices. In v5.2.0 or later, Event Management supports local FortiAnalyzer event logs.

Events can also be monitored, and the logs associated with a given event can be viewed.

Events

The events page provides a list of the generated events. Right-clicking on an event in the table gives you the option of viewing event details including the raw log entries associated with that event, adding review notes, and acknowledging the event.

To view events, go to the Event Management tab and select Event Management > All Events. You can also view events by severity and by handler. When ADOMs are enabled, select the ADOM, and then select All Events.

Figure 112: Events page

The following information is displayed:

Time Period: Select a time period from the drop-down list. Select one of: Last 30 mins, Last 1 hour, Last 4 hours, Last 12 hours, Last 1 day, Last 7 days, Last N hours, Last N days, All. If applicable, enter the number of days or hours for N in the N text box.
Show Acknowledged: Select to show or hide acknowledged events. Acknowledged events are greyed out in the list.
Search: Search for a specific event.
Count: The number of log entries associated with the event. Click the heading to sort events by count.
Event Name: The name of the event. Click the heading to sort events by event name.
Severity: The severity level of the event. Event severity level is a user configured variable. The severity can be Critical, High, Medium, or Low. Click the heading to sort events by severity.
Event Type: The event type. For example, Traffic or Event. Click the heading to sort events by event type.
Additional Info: Additional information about the event. Click the heading to sort events by additional information.
Last Occurrence: The date and time that the event was created and added to the events page. Click the heading to sort events by last occurrence.
Pagination: Adjust the number of logs that are listed per page and browse through the pages.

Right-click on an event in the list to open the right-click menu. The following options are available:

View Details: The Event Details page is displayed. See “Event details” on page 153.
Acknowledge: Acknowledge an event. If Show Acknowledge is not selected, the event will be hidden. See “Acknowledge events” on page 154.

Event details

Event details provides a summary of the event including the event name, severity, type, count, additional information, last occurrence, device, event handler, raw log entries, and review notes. You can also acknowledge and print events in this page.

To view log messages associated with an event:

  1. In the events list, either double-click on an event or right-click on an event, then select View Details in the right-click menu.

The Event Details page opens.

Figure 113: Event details page

  2. The following information and options are available:

Print: Select the print icon to print the event details page. The log details pane is not printed.
Return: Select the return icon to return to the All Events page.
Event Name: The name of the event, also displayed in the title bar.
Severity: The severity level configured for the event handler.
Type: The event category of the event handler.
Count: The number of logged events associated with the event.
Additional Info: This field either displays additional information for the event or a link to the FortiGuard Encyclopedia. A link will be displayed for AntiVirus, Application Control, and IPS event types.
Last Occurrence: The date and time of the last occurrence.
Device: The device hostname associated with the event.
Event Handler: The name of the event handler associated with the event. Select the link to edit the event handler. See “Event handler” on page 155.
Text box: Optionally, you can enter a comment of up to 1023 characters in the text field. Select the save icon to save the comment, or the cancel icon to cancel your changes.
Logs: The logs associated with the event are displayed. The columns and log fields are dependent on the event type.
Pagination: Adjust the number of logs that are listed per page and browse through the pages.
Log details: Log details are shown in the lower content pane for the selected log. The details will vary based on the log type.

  3. Select the return icon to return to the All Events page.

Acknowledge events

You can select to acknowledge events to remove them from the event list. An option has been added to this page to allow you to show or hide these acknowledged events.

To acknowledge events:

  1. From the event list, select the event or events that you would like to acknowledge.
  2. Right-click and select Acknowledge in the right-click menu.

Select the Show Acknowledge checkbox in the toolbar to view acknowledged events.
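
The handler-to-event behaviour described in this section (a handler matches logs by log type and filter, matching logs are folded into one event per handler and device with a count and last occurrence, and acknowledged events drop out of the list unless Show Acknowledged is set), as an added Python model. It is not FortiAnalyzer code; the log field names, the handler names and filters, and the sample records are constructed assumptions.

```python
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample log records; not real FortiGate or FortiAnalyzer output.
# Field names (time, devname, type, subtype, level, logdesc, utmaction, srcip)
# are assumptions made for this example.
LOGS = [
    {"time": "2016-04-01 10:00:01", "devname": "FGT-A", "type": "event", "subtype": "system",
     "level": "warning", "logdesc": "Admin login failed", "srcip": "10.0.0.5"},
    {"time": "2016-04-01 10:00:07", "devname": "FGT-A", "type": "event", "subtype": "system",
     "level": "warning", "logdesc": "Admin login failed", "srcip": "10.0.0.5"},
    {"time": "2016-04-01 10:00:09", "devname": "FGT-B", "type": "event", "subtype": "system",
     "level": "warning", "logdesc": "Admin login failed", "srcip": "10.0.0.9"},
    {"time": "2016-04-01 10:01:00", "devname": "FGT-A", "type": "traffic", "subtype": "forward",
     "level": "notice", "utmaction": "block", "srcip": "10.0.0.5"},
    {"time": "2016-04-01 10:02:00", "devname": "FGT-A", "type": "traffic", "subtype": "forward",
     "level": "notice", "utmaction": "allow", "srcip": "10.0.0.7"},
]


@dataclass
class Handler:
    """An event handler: a log type plus a logging filter, with a user-configured severity."""
    name: str
    log_type: str                    # which log type the handler watches
    severity: str                    # Critical, High, Medium or Low
    match: Callable[[dict], bool]    # the logging filter


@dataclass
class Event:
    """One row of the All Events list plus the raw logs shown on the details page."""
    name: str
    severity: str
    event_type: str
    device: str
    count: int = 0
    last_occurrence: str = ""
    logs: List[dict] = field(default_factory=list)
    acknowledged: bool = False


# Constructed handlers (assumed names and filters).
HANDLERS = [
    Handler("Failed admin logins", "event", "High",
            lambda r: r.get("logdesc") == "Admin login failed"),
    Handler("Blocked traffic", "traffic", "Medium",
            lambda r: r.get("utmaction") == "block"),
]

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def build_events(logs: List[dict], handlers: List[Handler]) -> List[Event]:
    """Fold matching log records into one event per (handler, device),
    tracking the count, the latest timestamp and the raw records."""
    events: Dict[Tuple[str, str], Event] = OrderedDict()
    for record in logs:
        for h in handlers:
            if record.get("type") != h.log_type or not h.match(record):
                continue
            key = (h.name, record["devname"])
            if key not in events:
                events[key] = Event(h.name, h.severity, h.log_type, record["devname"])
            ev = events[key]
            ev.count += 1
            ev.logs.append(record)
            # Timestamps are zero-padded "YYYY-MM-DD HH:MM:SS", so string order is time order.
            if record["time"] > ev.last_occurrence:
                ev.last_occurrence = record["time"]
    return list(events.values())


def list_events(events: List[Event], show_acknowledged: bool = False,
                sort_by: str = "severity") -> List[Event]:
    """The All Events list: acknowledged events are hidden unless Show Acknowledged
    is set; sort_by mirrors clicking the Severity or Count column heading."""
    visible = [e for e in events if show_acknowledged or not e.acknowledged]
    if sort_by == "count":
        return sorted(visible, key=lambda e: -e.count)
    return sorted(visible, key=lambda e: SEVERITY_ORDER[e.severity])


def acknowledge(events: List[Event], name: str, device: str) -> List[Event]:
    """Acknowledge the event for a handler/device pair; returns the same list."""
    for e in events:
        if e.name == name and e.device == device:
            e.acknowledged = True
    return events


if __name__ == "__main__":
    evs = build_events(LOGS, HANDLERS)
    for e in list_events(evs):
        print(f"{e.count:>3}  {e.name:<20} {e.severity:<7} {e.event_type:<8} "
              f"{e.device:<6} {e.last_occurrence}")
```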

FortiSwitch Standalone Mode Administration Guide

Introduction

Welcome and thank you for selecting Fortinet products for your network configuration.

This guide contains information about the administration of a FortiSwitch unit in standalone mode. In standalone mode, a FortiSwitch is managed by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.

If you will be managing your FortiSwitch unit using a FortiGate, please see the guide Managing a FortiSwitch unit with a FortiGate.

Supported Models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS. This includes the following models:

FortiSwitch-28C, FortiSwitch-108D-POE, FortiSwitch-124D, FortiSwitch-124D-POE, FortiSwitch Rugged-124D, FortiSwitch-224D-POE, FortiSwitch-324B-POE, FortiSwitch-348B, FortiSwitch-448B, FortiSwitch-1024D, FortiSwitch-1048D, and FortiSwitch-3032D.

Before You Begin

Before you start administering your FortiSwitch unit, it is assumed that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and that you have administrative access to the FortiSwitch unit’s web-based manager and CLI.

How this Guide is Organized

This guide is organized into the following chapters:

  • System Settings contains information about the initial configuration of your FortiSwitch unit.
  • Ports contains information on configuring your FortiSwitch’s ports.
  • 802.1x contains information on using the 802.1x protocol.
  • LACP Mode contains information on using a FortiSwitch in Link Aggregation Control Protocol (LACP) mode.
  • TACACS contains information on using TACACS authentication with your FortiSwitch unit.
  • Power over Ethernet contains information on using Power over Ethernet (PoE) with your FortiSwitch.

FortiView

The FortiView tab allows you to access both FortiView drill down and Log view menus. FortiView in FortiAnalyzer collects data from FortiView in FortiGate. In order for information to appear in the FortiView dashboards in FortiGate, disk logging must be selected for the FortiGate unit. Select the FortiView tab and select the ADOM from the drop-down list.

FortiView

Use FortiView to drill down real-time and historical traffic from log devices by sources, applications, destinations, web sites, threats, and cloud applications. Each FortiView can be filtered by a variety of attributes, as well as by device and time period. These attributes can be selected using the right-click context menu. Results can also be filtered using the various columns.

The following FortiViews are available:

  • Top sources
  • Top applications
  • Top destinations
  • Top web sites
  • Top threats
  • Top cloud applications

Top sources

The Top Sources dashboard displays information about the sources of traffic on your unit. You can drill down the displayed information, and also select the device and time period, and apply search filters.

Figure 88: Top sources

The following information is displayed:

Source: Displays the source IP address and/or user name, if applicable. Select the column header to sort entries by source. You can apply a search filter to the source (srcip) column.
Device: Displays the device IP address or FQDN. Select the column header to sort entries by device. You can apply a search filter to the device (dev_src) column.
Threat Weight: Displays the threat weight value. Select the column header to sort entries by threat weight.
Sessions: Displays the number of sessions. Select the column header to sort entries by sessions.
Bandwidth (Sent/Received): Displays the bandwidth value for sent and received packets. Select the column header to sort entries by bandwidth.

The following options are available:

Refresh: Refresh the displayed information.
Search: Click the search field to add a search filter for user (user), source IP (srcip), source device (dev_src), source interface (srcintf), destination interface (dstintf), policy ID (policyid), security action (utmaction), or virtual domain (vd). Select the GO button to apply the search filter. Alternatively, you can right-click the column entry to add the search filter. Select the clear icon to remove the search filter.
Devices: Select the device from the drop-down list or select All Devices. Select the GO button to apply the device filter.
Time Period: Select the time period from the drop-down list. Select Custom from the list to specify the start and end date and time. Select the GO button to apply the time period filter.
N: When selecting a time period with last N in the entry, you can enter the value for N in this text field.
Custom: When Custom is selected the custom icon will be displayed. Select the icon to change the custom time period.
Go: Select the GO button to apply the filter.
Pagination: Select the number of entries to display per page and browse pages.
Right-click menu: Right-click an entry to drill down by one of the following:

  • Application: Select to drill down by application to view application related information including the application, number of sessions, and bandwidth (sent/received). You can sort the entries displayed by selecting the column header. You can apply a search filter in the application (app) column to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Sources page.
  • Destination: Select to drill down by destination to view destination related information including the destination IP address and geographic region, the threat weight value, number of sessions, and bandwidth (sent/received). You can sort the entries displayed by selecting the column header. You can apply a search filter in the destination (dstip) column to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Sources page.
  • Threat: Select to drill down by threat to view threat related information including the threat type, category, threat level, threat weight, and number of incidents. You can sort the entries displayed by selecting the column header. You can apply a search filter in the threat (threat) or category (threattype) columns to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Sources page.
  • Domain: Select to drill down by domain to view domain related information including domain, category, browsing time, threat weight, number of sessions, and bandwidth (sent/received). You can sort the entries displayed by selecting the column header. Select the GO button to apply the search filter. Select the return icon to return to the Top Sources page.
  • Category: Select to drill down by category to view category related information including category, browsing time, threat weight, number of sessions, and bandwidth (sent/received). You can sort the entries displayed by selecting the column header. Select the GO button to apply the search filter. Select the return icon to return to the Top Sources page.
  • Sessions: Select to drill down by sessions to view session related information including date/time, source/device, destination IP address and geographic region, service, bandwidth (sent/received), user, application, and security action. You can sort the entries displayed by selecting the column header. You can apply a search filter in the destination (dstip), service (service), user (user), or application (app) columns to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Sources page.
  • Search: Add a search filter by source IP (srcip) or source device (dev_src). Select the GO button to apply the filter. Select the clear icon to remove the search filter.
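
The Top Sources aggregation and its Application drill-down, as an added Python example rather than FortiAnalyzer code. The filter field names are the ones this section lists (srcip, dev_src, srcintf, dstintf, policyid, utmaction, vd, app); the per-session byte counters sentbyte/rcvdbyte, the threatweight value and the session records themselves are constructed assumptions.

```python
from collections import OrderedDict
from typing import Callable, Dict, List, Tuple

# Constructed session records; not real FortiGate logs. Filter field names follow
# the page; sentbyte, rcvdbyte and threatweight are assumed names. Addresses are
# from the documentation ranges (TEST-NET).
SESSIONS = [
    {"srcip": "10.1.1.10", "user": "alice", "dev_src": "FGT-A", "srcintf": "port1",
     "dstintf": "wan1", "policyid": 1, "utmaction": "allow", "vd": "root", "app": "HTTPS",
     "dstip": "203.0.113.10", "sentbyte": 1000, "rcvdbyte": 5000, "threatweight": 0},
    {"srcip": "10.1.1.10", "user": "alice", "dev_src": "FGT-A", "srcintf": "port1",
     "dstintf": "wan1", "policyid": 2, "utmaction": "block", "vd": "root", "app": "Dropbox",
     "dstip": "203.0.113.20", "sentbyte": 200, "rcvdbyte": 0, "threatweight": 30},
    {"srcip": "10.1.1.11", "user": None, "dev_src": "FGT-A", "srcintf": "port1",
     "dstintf": "wan1", "policyid": 1, "utmaction": "allow", "vd": "root", "app": "HTTPS",
     "dstip": "203.0.113.10", "sentbyte": 500, "rcvdbyte": 2500, "threatweight": 0},
    {"srcip": "10.1.1.12", "user": None, "dev_src": "FGT-B", "srcintf": "port2",
     "dstintf": "wan1", "policyid": 3, "utmaction": "block", "vd": "root", "app": "BitTorrent",
     "dstip": "198.51.100.7", "sentbyte": 9000, "rcvdbyte": 100, "threatweight": 50},
    {"srcip": "10.1.1.10", "user": "alice", "dev_src": "FGT-A", "srcintf": "port1",
     "dstintf": "wan1", "policyid": 1, "utmaction": "allow", "vd": "root", "app": "HTTPS",
     "dstip": "203.0.113.10", "sentbyte": 300, "rcvdbyte": 700, "threatweight": 0},
]


def source_label(s: dict) -> str:
    """Source column: the IP address, with the user name when one is known."""
    return f"{s['srcip']} ({s['user']})" if s.get("user") else s["srcip"]


def apply_filters(sessions: List[dict], **filters) -> List[dict]:
    """Search filter semantics: every given field (srcip, dev_src, srcintf, dstintf,
    policyid, utmaction, vd, app, ...) must match the session exactly."""
    return [s for s in sessions
            if all(str(s.get(k)) == str(v) for k, v in filters.items())]


def _aggregate(sessions: List[dict], key_fields: Tuple[str, ...],
               label: Callable[[dict], str]) -> List[dict]:
    """Group sessions on key_fields and total the columns a FortiView row shows."""
    rows: Dict[tuple, dict] = OrderedDict()
    for s in sessions:
        key = tuple(s.get(f) for f in key_fields)
        row = rows.setdefault(key, {"label": label(s), "device": s["dev_src"],
                                    "threat_weight": 0, "sessions": 0,
                                    "sent": 0, "received": 0})
        row["sessions"] += 1
        row["sent"] += s["sentbyte"]
        row["received"] += s["rcvdbyte"]
        row["threat_weight"] += s["threatweight"]
    return list(rows.values())


def sort_rows(rows: List[dict], column: str = "sessions") -> List[dict]:
    """Clicking a column header: descending order; bandwidth sorts on sent + received."""
    if column == "bandwidth":
        return sorted(rows, key=lambda r: -(r["sent"] + r["received"]))
    return sorted(rows, key=lambda r: -r[column])


def top_sources(sessions: List[dict], sort_by: str = "sessions") -> List[dict]:
    """The Top Sources table: one row per source IP / user / reporting device."""
    return sort_rows(_aggregate(sessions, ("srcip", "user", "dev_src"), source_label), sort_by)


def drill_down_by_application(sessions: List[dict], srcip: str) -> List[dict]:
    """Right-click > Application on one Top Sources row: the same totals per application."""
    return sort_rows(_aggregate(apply_filters(sessions, srcip=srcip), ("app",),
                                lambda s: s["app"]))


if __name__ == "__main__":
    for row in top_sources(apply_filters(SESSIONS, dev_src="FGT-A"), sort_by="bandwidth"):
        print(f"{row['label']:<20} {row['device']:<6} tw={row['threat_weight']:<3} "
              f"sessions={row['sessions']} sent={row['sent']} recv={row['received']}")
    for row in drill_down_by_application(SESSIONS, "10.1.1.10"):
        print(f"  {row['label']:<12} sessions={row['sessions']} sent={row['sent']}")
```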

Top applications

The Top Applications dashboard shows information about the applications being used on your network, including the application name, category, and risk level. You can drill down the displayed information, also select the device and time period, and apply search filters.

Figure 89: Top applications

The following information is displayed:

Application: Displays the application port and service. Select the column header to sort entries by application. You can apply a search filter to the application (app) column.
Category: Displays the application category. Select the column header to sort entries by category. You can apply a search filter to the category (appcat) column.
Risk: Displays the application risk level. Hover the mouse cursor over the entry in the column for additional information. Select the column header to sort entries by risk. Risk uses a new 5-point risk rating. The rating system is as follows:
  • Critical: Applications that are used to conceal activity to evade detection.
  • High: Applications that can cause data leakage, are prone to vulnerabilities, or download malware.
  • Medium: Applications that can be misused.
  • Elevated: Applications that are used for personal communications or can lower productivity.
  • Low: Business related applications or other harmless applications.
Sessions: Displays the number of sessions. Select the column header to sort entries by sessions.
Bandwidth (Sent/Received): Displays the bandwidth value for sent and received packets. Select the column header to sort entries by bandwidth.

The following options are available:

Refresh: Refresh the displayed information.
Search: Click the search field to add a search filter by application (app), source interface (srcintf), destination interface (dstintf), policy ID (policyid), security action (utmaction), or virtual domain (vd). Select the GO button to apply the search filter. Alternatively, you can right-click the column entry to add the search filter. Select the clear icon to remove the search filter.
Devices: Select the device from the drop-down list or select All Devices. Select the GO button to apply the device filter.
Time Period: Select the time period from the drop-down list. Select Custom from the list to specify the start and end date and time. Select the GO button to apply the time period filter.
N: When selecting a time period with last N in the entry, you can enter the value for N in this text field.
Custom: When Custom is selected the custom icon will be displayed. Select the icon to change the custom time period.
Go: Select the GO button to apply the filter.
Pagination: Select the number of entries to display per page and browse pages.
Right-click menu: Right-click an entry to drill down by one of the following:

  • Source: Select to drill down by source to view source related information including the source IP address, device MAC address or FQDN, threat weight, number of sessions, and bandwidth (sent/received). You can sort the entries displayed by selecting the column header. You can apply a search filter in the source (srcip) and device (dev_src) columns to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Applications page.
  • Destination: Select to drill down by destination to view destination related information including the destination IP address and geographic region, the threat weight value, number of sessions, and bandwidth (sent/received). You can sort the entries displayed by selecting the column header. You can apply a search filter in the destination (dstip) column to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Applications page.
  • Threat: Select to drill down by threat to view threat related information including the threat type, category, threat level, threat weight, and number of incidents. You can sort the entries displayed by selecting the column header. You can apply a search filter in the threat (threat) or category (threattype) columns to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Applications page.
  • Sessions: Select to drill down by sessions to view session related information including date/time, source/device, destination IP address and geographic region, service, bandwidth (sent/received), user, application, and security action. You can sort the entries displayed by selecting the column header. You can apply a search filter in the destination (dstip), service (service), user (user), or application (app) columns to further filter the information displayed. Select the GO button to apply the search filter. Select the return icon to return to the Top Applications page.
  • Search: Add a search filter by application or category. Select the GO button to apply the filter. Select the clear icon to remove the search filter.

System Settings

The System Settings tab enables you to manage and configure system options for the FortiAnalyzer unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access privileges, and managing and updating firmware for the device.

The System Settings tab provides access to the following menus and sub-menus:

Dashboard: Select this menu to configure, monitor, and troubleshoot your FortiAnalyzer device. Dashboard widgets include: System Information, License Information, Unit Operation, System Resources, Alert Message Console, CLI Console, Log Receive Monitor, Logs/Data Received, and Statistics.
All ADOMs: Select this menu to create new ADOMs and monitor all existing ADOMs.
RAID management: Select this menu to configure and monitor your Redundant Array of Independent Disks (RAID) setup. This page displays information about the status of RAID disks as well as what RAID level has been selected. It also displays how much disk space is currently consumed.
Network: Select this menu to configure your FortiAnalyzer interfaces. You can also view the IPv4/IPv6 Routing Table and access Diagnostic Tools.
Admin: Select this menu to configure administrator user accounts, as well as configure global administrative settings for the FortiAnalyzer unit.
  • Administrator
  • Profile
  • Remote authentication server
  • Administrator settings
Certificates: Select this menu to configure the following:
  • Local certificates
  • CA certificates
  • Certificate revocation lists
Event log: Select this menu to view FortiAnalyzer event log messages. On this page you can:
  • Download the logs in .log or .csv formats
  • View raw logs or logs in a formatted table
  • Browse the event log, FDS upload log, and FDS download log
Task monitor: Select this menu to monitor FortiAnalyzer tasks.
Advanced: Select to configure advanced settings.
  • SNMP v1/v2c
  • Mail server
  • Syslog server
  • Meta fields
  • Device log settings
  • File management
  • Advanced settings

Device Manager

The Device Manager tab allows you to add and edit devices and VDOMs, and view completed reports for devices and VDOMs.

Figure 9 shows the Device Manager tab.

Figure 9: Device manager tab

The tree menu shows the devices and VDOMs within the selected ADOM. If ADOMs are disabled, the tree menu simply shows the devices. When ADOMs are enabled, the ADOM is selected using the drop-down list in the toolbar.

The device and VDOM list can be searched using the search box in the content pane toolbar. The columns shown in the list can be customized, and the list can be sorted by selecting a column header.

To change the column settings:

  1. Right-click on a column heading in the content pane.

Columns currently included in the content pane table have a green check mark next to them.

Figure 10: Column right-click menu

  2. Select a column from the list to add or remove that column from the table.

Select Reset to Default to reset the table to its default state.

Devices

Devices are organized by device type. VDOMs and model devices can be created and deleted.

Devices and VDOMs

Device models can be added and deleted, devices can be edited, and VDOMs can be deleted. The Add Device wizard is used to add model devices.

To add a model device:

  1. Right-click on a group in the tree menu or in the content pane and, from the right-click menu, select Add Device, or, if ADOMs are not enabled, select Add Device from the toolbar.

The Add Device wizard opens.

Figure 11: Add device wizard login screen

  2. Enter the device IP address, user name, and password in the requisite fields.
  3. Select Next to continue to the next page of the wizard: Add Device.

Figure 12: Add device wizard add device screen

  4. Enter the following information:

Name: Enter a name for the device.
Description: Enter a description for the device (optional).
Device Type: Select the device type from the drop-down list. Select FortiGate for FortiGate ADOMs, FortiSwitch for FortiSwitch ADOMs, etc.
Device Model: Select the device model from the drop-down list.
Firmware Version: Select the firmware version from the drop-down list.
HA Cluster: Select if the device is part of a high availability cluster.
Serial Number: Enter the device serial number. This value must match the device model selected. When HA Cluster is enabled, you can enter the serial numbers of all members of the cluster.
Disk Log Quota (min. 100MB): Enter the disk log quota in MB. This option is only available for certain device types.
When Allocated Disk Space is Full: Select to overwrite the oldest logs or to stop logging when the allocated disk space is full.
Device Permissions: Select the device permissions from: Logs, DLP Archive, Quarantine, and IPS Packet Log.
Other Device Information: Enter other device information (optional), including: Company/Organization, Contact, City, Province/State, and Country.

  5. Select Next to proceed to the next add device page.

Figure 13: Add device wizard add device screen two

  6. After the device has been created successfully, select Next to proceed to the summary page.

Figure 14: Add device wizard summary screen

  7. Select Finish to add the device model.

To edit a device:

  1. In the Device Manager tab, in the tree menu, select the group that contains the device you need to edit.
  2. In the content pane, right-click on the device and select Edit from the right-click menu.

The Edit Device dialog box opens.

Figure 15: Edit a device

  3. Edit the following information as needed:

Name: The name of the device.
Description: Descriptive information about the device.
Company/Organization: Company or organization information.
Country: Enter the country.
Province/State: Enter the province or state.
City: Enter the city.
Contact: Enter the contact name.
IP Address: The IP address of the device.
Admin User: The administrator username.
Password: The administrator password.
Device Information: Information about the device, including serial number, device model, firmware version, and connected interface.
HA Cluster: Select if the device is part of a high availability cluster.
Serial No.: When HA Cluster is enabled, you can enter the serial numbers of all members of the cluster.
Disk Log Quota (min. 100MB): The amount of space that the disk log is allowed to use, in MB.
When Allocated Disk Space is Full: The action for the system to take when the disk log quota is filled, either Overwrite Oldest Logs or Stop Logging.
Secure Connection: Select the check box to enable this feature. Secure Connection secures Odette File Transfer Protocol (OFTP) traffic through an IPsec tunnel.
ID: The device serial number.
Pre-Shared Key: The pre-shared key for the IPsec connection between the FortiGate and FortiAnalyzer.
Device Permissions: The device’s permissions. Select any of: Logs, DLP Archive, Quarantine, and IPS Packet Log.

  4. Select OK to finish editing the device.
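The Disk Log Quota and When Allocated Disk Space is Full settings in the tables above decide which logs are lost once a device’s quota fills: Overwrite Oldest Logs discards history, Stop Logging discards the newest events. As an added illustration (not Fortinet’s code), this Python model feeds constructed log files into a quota-bounded store under each action; the 100MB minimum is the one stated on this page, and the log sizes are constructed.

```python
"""Added example, not FortiAnalyzer code: a model of the Disk Log Quota and
When Allocated Disk Space is Full settings. Sizes are in MB; the log files
fed in are constructed, and only the 100 MB minimum comes from the page."""
from collections import deque

MIN_QUOTA_MB = 100                       # minimum stated in the Add/Edit Device tables
OVERWRITE_OLDEST = "Overwrite Oldest Logs"
STOP_LOGGING = "Stop Logging"


class DeviceLogStore:
    """Per-device log storage bounded by a quota, with the two full-disk actions."""

    def __init__(self, quota_mb, when_full):
        if quota_mb < MIN_QUOTA_MB:
            raise ValueError("quota must be at least %d MB" % MIN_QUOTA_MB)
        if when_full not in (OVERWRITE_OLDEST, STOP_LOGGING):
            raise ValueError("unknown full-disk action: %r" % when_full)
        self.quota_mb = quota_mb
        self.when_full = when_full
        self.logs = deque()              # (log_id, size_mb), oldest first
        self.used_mb = 0
        self.evicted = []                # ids lost because they were overwritten
        self.rejected = []               # ids lost because logging had stopped

    def write(self, log_id, size_mb):
        """Store one log file; returns True when it was kept."""
        if size_mb > self.quota_mb:
            raise ValueError("a single log file cannot exceed the quota")
        while self.used_mb + size_mb > self.quota_mb:
            if self.when_full == STOP_LOGGING:
                self.rejected.append(log_id)      # newest event is the one lost
                return False
            old_id, old_size = self.logs.popleft()  # oldest history is the one lost
            self.used_mb -= old_size
            self.evicted.append(old_id)
        self.logs.append((log_id, size_mb))
        self.used_mb += size_mb
        return True

    def retained_ids(self):
        """Ids of the log files still on disk, oldest first."""
        return [log_id for log_id, _ in self.logs]


def simulate(when_full, quota_mb=100, sizes_mb=(30, 30, 30, 30, 30)):
    """Feed constructed daily log files (ids 0..n-1) into a store and return it."""
    store = DeviceLogStore(quota_mb, when_full)
    for log_id, size in enumerate(sizes_mb):
        store.write(log_id, size)
    return store


if __name__ == "__main__":
    for action in (OVERWRITE_OLDEST, STOP_LOGGING):
        s = simulate(action)
        print("%-22s kept=%s evicted=%s rejected=%s"
              % (action, s.retained_ids(), s.evicted, s.rejected))
```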

To delete a device or VDOM:

  1. In the Device Manager tab, in the tree menu, select the group that contains the device or VDOM you need to delete.
  2. In the content pane, right-click on the device or VDOM and select Delete in the right-click menu.
  3. Select OK in the confirmation window to delete the device or VDOM.

Unregistered devices

In FortiAnalyzer v5.2.0 and later, the config system global set unregister-pop-up command is disabled by default. When a device is configured to send logs to FortiAnalyzer, the unregistered device table will not be displayed. Instead, a new entry named Unregistered Devices will appear in the Device Manager tab tree menu. You can then add devices to specific ADOMs or delete devices using the toolbar buttons or right-click menu.

Figure 16: Unregistered devices

Device reports

You can view, download, and delete device reports in the Device Manager content pane. Selecting a device or VDOM in the tree menu will display all reports associated with that device or VDOM in the content pane. For more information, see “View report tab” on page 173.

To view latest reports from the Device Manager tab:

  1. In the Device Manager tab select the ADOM that contains the device whose reports you would like to view from the drop-down list.
  2. Select the device or VDOM from the tree menu.
  3. The report history is shown in the content pane, showing a list of all the reports that have been run for that device or VDOM.

Figure 17: Report history

  4. In the Format column, select HTML to display the report in a browser window, or select PDF to download the report as a PDF file to your management computer.

Log forwarding

When your FortiAnalyzer device is configured in collector mode, you can configure log forwarding in the Device Manager tab. You can configure to forward logs for selected devices to another FortiAnalyzer, a syslog server, or a Common Event Format (CEF) server.

To put your FortiAnalyzer in collector mode:

  1. Go to System Settings > Dashboard.
  2. In the System Information widget, in the Operation Mode field, select [Change].
  3. In the Change Operation Mode dialog box, select Collector, and then select OK.

The Web-based Manager will refresh and the Device Manager, Log View, and System Settings tabs will be available. See “Changing the operation mode” on page 50 for more information.

To configure log forwarding:

  1. Go to the Device Manager tab and select Log Forwarding.
  2. Select Create New from the toolbar.

The Add log forwarding page is displayed.

Figure 18: Add log forwarding dialog box

  3. Configure the following settings:

Server Name: Enter a name to identify the remote server.
Remote Server Type: Select the remote server type. Select one of the following: FortiAnalyzer, Syslog, Common Event Format (CEF).
Server IP: Enter the server IP address.
Select Devices: Select the add icon to select devices. Select devices and select OK to add the devices.
Enable Log Aggregation: Select to enable log aggregation. This option is only available when Remote Server Type is set to FortiAnalyzer.
Password: Enter the server password.
Confirm Password: Re-enter the server password.
Upload Daily at: Select a time from the drop-down list.
Enable Real-time Forwarding: Select to enable real-time log forwarding.
Level: Select the logging level from the drop-down list. Select one of the following: Emergency, Alert, Critical, Error, Warning, Notification, Information, or Debug.
Server Port: Enter the server port. When Remote Server Type is FortiAnalyzer, the port cannot be changed. The default port is 514.

  4. Select OK to save the setting.
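As an added example (not Fortinet’s code), this Python script applies the Level setting of a syslog forwarding profile to constructed syslog lines. It assumes that Level keeps messages at the selected severity or more severe, and that the drop-down order above matches the RFC 5424 severity codes 0 (Emergency) to 7 (Debug); the sample lines and host name are constructed.

```python
"""Added example, not FortiAnalyzer code: apply the Level setting of a syslog
log forwarding profile to constructed syslog lines. Assumes Level keeps
messages at the chosen severity or more severe, and that the drop-down order
matches the RFC 5424 severity codes."""
import re

# Level drop-down order from the page; the list index is the syslog severity
# code (0 = Emergency ... 7 = Debug), lower meaning more urgent.
LEVELS = ["Emergency", "Alert", "Critical", "Error",
          "Warning", "Notification", "Information", "Debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI> of a syslog line.

    PRI = facility * 8 + severity, so divmod() recovers both parts."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:                        # 23 facilities * 8 + 7 is the maximum
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def severity_code(level_name):
    """Map a Level drop-down entry to its numeric severity (case-insensitive)."""
    names = [n.lower() for n in LEVELS]
    try:
        return names.index(level_name.lower())
    except ValueError:
        raise ValueError("unknown level: %r" % level_name) from None


def forward(lines, level):
    """Return (kept, dropped): the lines the profile would pass on, and the
    malformed ones. A message is kept when its severity code is <= the
    threshold. Malformed lines are reported rather than silently treated as
    Debug, so a parser problem at the collector stays visible."""
    threshold = severity_code(level)
    kept, dropped = [], []
    for line in lines:
        try:
            _facility, sev = parse_pri(line)
        except ValueError:
            dropped.append(line)
            continue
        if sev <= threshold:
            kept.append(line)
    return kept, dropped


# Constructed sample lines (facility local0 = 16, so PRI = 128 + severity).
SAMPLE_LINES = [
    "<129>Apr 12 10:00:01 faz-collector alert: disk log quota reached",     # 1 Alert
    "<131>Apr 12 10:00:02 faz-collector error: log upload failed",          # 3 Error
    "<132>Apr 12 10:00:03 faz-collector warning: device unregistered",      # 4 Warning
    "<134>Apr 12 10:00:04 faz-collector info: report generated",            # 6 Information
    "<135>Apr 12 10:00:05 faz-collector debug: scheduler tick",             # 7 Debug
    "Apr 12 10:00:06 faz-collector line without a PRI header",              # malformed
]

if __name__ == "__main__":
    kept, dropped = forward(SAMPLE_LINES, "Warning")
    print("forwarded %d line(s), %d malformed" % (len(kept), len(dropped)))
    for line in kept:
        print(line)
```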

Administrative Domains

When ADOMs are enabled, you must select the ADOM from the drop-down list in the toolbar.

The Device Manager, FortiView, Event Management, and Reports tabs are displayed per ADOM. The devices within each ADOM are shown in the default All FortiGate group. When ADOMs are disabled, the tree menu simply displays All FortiGates and Unregistered Devices, if there are any. Non-FortiGate devices are grouped into their own specific ADOMs.

ADOMs are not enabled by default, and enabling and configuring the domains can only be performed by the admin administrator. The maximum number of ADOMs you can add depends on the specific FortiAnalyzer system model. Please refer to the FortiAnalyzer data sheet for information on the maximum number of devices and ADOMs that your model supports.

The number of devices within each group is shown in parentheses next to the group name.

To enable the ADOM feature:

  1. Log in as admin.
  2. Go to System Settings > Dashboard.
  3. In the System Information widget, select Enable next to Administrative Domain.
  4. Select OK in the confirmation dialog box to enable ADOMs.

To disable the ADOM feature:

  1. Remove all log devices from all non-root ADOMs.
  2. Delete all non-root ADOMs, by right-clicking on the ADOM in the tree menu in the Device Manager tab and selecting Delete from the pop-up menu.
  3. Go to System Settings > Dashboard.
  4. In the system information widget, select Disable next to Administrative Domain.
  5. Select OK in the confirmation dialog box to disable ADOMs.

Adding an ADOM

You can create both FortiGate and FortiCarrier ADOMs for versions 5.2, 5.0, and 4.3. FortiAnalyzer has default ADOMs for all non-FortiGate devices. When one of these devices is promoted to the DVM table, it is added to its respective default ADOM and becomes visible in the tree menu.

To add an ADOM:

  1. Go to System Settings > All ADOMs and select Create New in the toolbar.

Alternatively, in the Device Manager tab, from the ADOM drop-down list, select Manage ADOMs. In the Manage ADOMs window that opens, select Create New.

The Create ADOM dialog box opens.

Figure 7: Create an ADOM

  2. Enter the following information:

Name: Enter a unique name that will allow you to distinguish this ADOM from your other ADOMs.
Device Type: Select the device type from the drop-down list.
Version: Select the firmware version of the devices that will be in the ADOM. Select one of the following: 5.2, 5.0, or 4.3.
Search: Enter a search term to find a specific device (optional).
Devices / Groups: Transfer devices, VDOMs, and groups from the available member list on the left to the selected member list on the right to assign those devices to the ADOM.

  3. Select OK to create the ADOM.

To edit an ADOM:

  1. Go to System Settings > All ADOMs, right-click on the ADOM you need to edit, and select Edit in the right-click menu.

Alternatively, in the Device Manager tab, from the ADOM drop-down list, select Manage ADOMs. In the Manage ADOMs window that opens, right-click on the ADOM you need to edit, and select Edit in the right-click menu.

The Edit ADOM dialog box opens.

Figure 8: Edit an ADOM

  2. Edit the following information as required:

Name: Edit the ADOM name.
Device Type: This field cannot be edited.
Version: This field cannot be edited.
Search: Enter a search term to find a specific device (optional).
Devices / Groups: Transfer devices, VDOMs, and groups from the available member list on the left to the selected member list on the right to assign those devices to the ADOM.
Status: Enable or disable the ADOM.

  3. Select OK to finish editing the ADOM.

To delete an ADOM:

  1. Go to System Settings > All ADOMs, right-click on the ADOM you need to delete, and select Delete in the right-click menu.
  2. Alternatively, in the Device Manager tab, from the ADOM drop-down list, select Manage ADOMs. In the Manage ADOMs window that opens, right-click on the ADOM you need to delete, and select Delete in the right-click menu.
  3. Select OK in the confirmation dialog box to delete the ADOM.

Assigning devices to an ADOM

The admin administrator selects the devices to be included in an ADOM. You cannot assign the same device to two different ADOMs.

To assign devices to an ADOM:

  1. Open the Edit ADOM dialog box (see “To edit an ADOM:” on page 29).
  2. From the Available member list, select which devices you want to associate with the ADOM and select the right arrow to move them to the Selected member

If the administrative device mode is Advanced, you can add separate FortiGate VDOMs to the ADOM as well as FortiGate units.

  3. When done, select OK. The selected devices appear in the device list for that ADOM.

Assigning administrators to an ADOM

The admin administrator can create other administrators and assign an ADOM to their account, constraining them to configurations and data that apply only to devices in their ADOM.

By default, when ADOMs are enabled, existing administrator accounts other than admin are assigned to the root domain, which contains all devices in the device list. For more information about creating other ADOMs, see “Adding an ADOM” on page 28.

To assign an administrator to an ADOM:

  1. Log in as admin.

Other administrators cannot configure administrator accounts when ADOMs are enabled.

  2. Go to System Settings > Admin > Administrator.
  3. Configure the administrator account, and select the Admin Domains that the administrator account will be able to use to access the FortiManager system.

See “Administrator” on page 75 for more information.

ADOM device modes

An ADOM has two device modes: normal and advanced. In normal mode, you cannot assign different FortiGate VDOMs to multiple FortiManager ADOMs. The FortiGate unit can only be added to a single ADOM.

In advanced mode, you can assign different VDOMs from the same FortiGate unit to multiple ADOMs.

Advanced ADOM mode will allow users to assign VDOMs from a single device to different ADOMs, but will result in a reduced operation mode and more complicated management scenarios. It is recommended for advanced users only.

To change the ADOM mode, go to System Settings > Advanced > Advanced Settings and change the selection in the ADOM Mode field.

Alternatively, use the following command in the CLI:

config system global
  set adom-mode {normal | advanced}
end

Normal mode is the default setting. To change from advanced back to normal, you must ensure no FortiGate VDOMs are assigned to an ADOM.
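An added Python model (not Fortinet’s code) of the assignment rules from this and the preceding sections: a device belongs to one ADOM only, per-VDOM assignment is possible only in advanced mode, and the mode cannot return to normal while any VDOM is assigned. The ADOM, device and VDOM names are constructed, and the rule that a single VDOM also sits in at most one ADOM is an assumption of the model.

```python
"""Added example, not FortiAnalyzer code: a model of the ADOM assignment
rules stated on this page. The assumption that one VDOM belongs to at most
one ADOM is the model's own; every name used is constructed."""

NORMAL, ADVANCED = "normal", "advanced"


class AdomRegistry:
    """Tracks which ADOM owns each FortiGate unit or, in advanced mode, VDOM."""

    def __init__(self, mode=NORMAL):
        self.mode = mode                 # normal is the default setting
        self.device_adom = {}            # device name -> ADOM name
        self.vdom_adom = {}              # (device name, vdom name) -> ADOM name

    def assign_device(self, device, adom):
        """Assign a whole FortiGate unit; refused if another ADOM already owns it."""
        owner = self.device_adom.get(device)
        if owner is not None and owner != adom:
            raise ValueError("%s is already assigned to ADOM %s" % (device, owner))
        self.device_adom[device] = adom

    def assign_vdom(self, device, vdom, adom):
        """Assign one VDOM of a unit; only permitted in advanced device mode."""
        if self.mode != ADVANCED:
            raise ValueError("per-VDOM assignment requires advanced ADOM mode")
        key = (device, vdom)
        owner = self.vdom_adom.get(key)
        if owner is not None and owner != adom:
            raise ValueError("%s/%s is already assigned to ADOM %s"
                             % (device, vdom, owner))
        self.vdom_adom[key] = adom

    def unassign_vdom(self, device, vdom):
        """Remove a VDOM assignment (no error if it was not assigned)."""
        self.vdom_adom.pop((device, vdom), None)

    def set_mode(self, mode):
        """Switch device mode; normal mode needs every VDOM assignment removed first."""
        if mode not in (NORMAL, ADVANCED):
            raise ValueError("unknown ADOM mode: %r" % mode)
        if mode == NORMAL and self.vdom_adom:
            raise ValueError("unassign all VDOMs before changing back to normal mode")
        self.mode = mode

    def members(self, adom):
        """Sorted names of the units and VDOMs visible inside the given ADOM."""
        units = [d for d, a in self.device_adom.items() if a == adom]
        vdoms = ["%s/%s" % (d, v) for (d, v), a in self.vdom_adom.items() if a == adom]
        return sorted(units + vdoms)


if __name__ == "__main__":
    reg = AdomRegistry()
    reg.assign_device("fgt-branch-1", "ADOM-Branch")        # constructed names
    reg.set_mode(ADVANCED)
    reg.assign_vdom("fgt-dc-1", "vd-tenantA", "ADOM-TenantA")
    reg.assign_vdom("fgt-dc-1", "vd-tenantB", "ADOM-TenantB")
    for name in ("ADOM-Branch", "ADOM-TenantA", "ADOM-TenantB"):
        print(name, reg.members(name))
```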

Web-based Manager

This section describes general information about using the Web-based Manager to access the FortiAnalyzer system with a web browser.

This section includes the following topics:

  • System requirements
  • Connecting to the Web-based Manager
  • Web-based Manager overview
  • Web-based Manager configuration

System requirements

Web browser support

The FortiAnalyzer Web-based Manager supports the following web browsers:

  • Microsoft Internet Explorer versions 10 and 11
  • Mozilla Firefox versions 30 and 31
  • Google Chrome version 36

Other web browsers may function correctly, but are not supported by Fortinet.

Screen resolution

Fortinet recommends setting your monitor to a screen resolution of 1280×1024. This allows for all the objects in the Web-based Manager to be properly viewed.

Connecting to the Web-based Manager

The FortiAnalyzer unit can be configured and managed using the Web-based Manager or the CLI. This section will step you through connecting to the unit via the Web-based Manager.

For more information on connecting your specific FortiAnalyzer unit, read that device’s QuickStart guide.

To connect to the Web-based Manager:

  1. Connect the unit to a management computer using an Ethernet cable.
  2. Configure the management computer to be on the same subnet as the internal interface of the FortiAnalyzer unit:
    • IP address: 192.168.1.2
    • Netmask: 255.255.255.0.
  3. On the management computer, start a supported web browser and browse to https://192.168.1.99.
  4. Type admin in the User Name field, leave the Password field blank, and select Login.

You should now be able to use the FortiAnalyzer Web-based Manager.

For information on enabling administrative access protocols and configuring IP addresses, see “To edit a network interface:” on page 71.

Web-based Manager overview

The FortiAnalyzer Web-based Manager consists of four primary parts: the tab bar, the main menu bar, the tree menu, and the content pane. The content pane includes a toolbar and, in some tabs, is horizontally split into two sections. The main menu bar is only visible in certain tabs when ADOMs are disabled (see “System Information widget” on page 46).

You can use the Web-based Manager menus, lists, and configuration pages to configure most FortiAnalyzer settings. Configuration changes made using the Web-based Manager take effect immediately without resetting the FortiAnalyzer system or interrupting service.

The Web-based Manager also includes online help, accessed by selecting the help icon in the right side of the tab bar.

Tab bar

The Web-based Manager tab bar contains the device model, the available tabs, the Help button and the Log Out button.

Figure 3: The tab bar

Device Manager: Manage groups, devices, and VDOMs, and view real-time monitor data. See “Device Manager” on page 32.

FortiView: Drill down into top sources, top applications, top destinations, top web sites, top threats, and top cloud applications. This tab was implemented to match the FortiView implementation in FortiGate. The Log View tab is found in the FortiView tab: view logs for managed devices. You can display, download, import, and delete logs on this page. See “FortiView” on page 115.

Event Management: Configure and view events for managed log devices. See “Event Management” on page 151. This tab is not available when the unit is in Collector mode. See “Operation modes” on page 15 for more information.

Reports: Configure report templates, schedules, and output profiles, and manage charts and datasets. See “Reports” on page 165. This tab is not available when the unit is in Collector mode. See “Operation modes” on page 15 for more information.

System Settings: Configure system settings such as network interfaces, administrators, system time, server settings, and others. You can also perform maintenance and firmware operations. See “System Settings” on page 42.

Change Password: Select to change the password. Restricted_User and Standard_User admin profiles do not have access to the System Settings tab. An administrator with either of these admin profiles will see the change password icon in the navigation pane.

Help: Open the FortiAnalyzer online help.

Log Out: Log out of the Web-based Manager.

Tree menu

The Web-based Manager tree menu is on the left side of the window. The content in the menu varies depending on which tab is selected and how your FortiAnalyzer unit is configured.

Some elements in the tree menu can be right-clicked to access different configuration options.

Content pane

The content pane is on the right side of the window. The information changes depending on which tab is being viewed and what element is selected in the tree menu. The content pane of the Log View and Reports tabs are split horizontally into two frames.

Web-based Manager configuration

Global settings for the Web-based Manager apply regardless of which administrator account you use to log in. Global settings include the idle timeout, TCP port number on which the Web-based Manager listens for connection attempts, the network interface(s) on which it listens, and the language of its display.

This section includes the following topics:

  • Language support
  • Administrative access
  • Restricting access by trusted hosts
  • Idle timeout

Language support

The Web-based Manager supports multiple languages; the default language setting is Auto Detect. Auto Detect uses the language configured on your management computer. If that language is not supported, the Web-based Manager will default to English.

You can change the Web-based Manager language to English, Simplified Chinese, Traditional Chinese, Japanese, or Korean. For best results, you should select the language that the management computer operating system uses.

To change the Web-based Manager language:

  1. Go to System Settings > Admin > Admin Settings.

Figure 4: Administration settings

  2. In the Language field, select a language from the drop-down list, or select Auto Detect to use the same language as configured for your management computer.
  3. Select Apply.

The following table lists FortiAnalyzer language support information.

Table 3: Language support

Language                Web-based Manager   Reports   Documentation
English                 Yes                 Yes       Yes
French                  No                  Yes       No
Spanish                 No                  Yes       No
Portuguese              No                  Yes       No
Korean                  Yes                 Yes       No
Chinese (Simplified)    Yes                 Yes       No
Chinese (Traditional)   Yes                 Yes       No
Japanese                Yes                 Yes       No
Russian                 No                  Yes       No
Hebrew                  No                  Yes       No
Hungarian               No                  Yes       No

To change the FortiAnalyzer language setting, go to System Settings > Admin > Admin Settings, in Administrative Settings > Language select the desired language on the drop-down menu. The default value is Auto Detect.

Russian, Hebrew, and Hungarian are not included in the default report languages. You can import language translation files for these languages via the command line interface using one of the following commands:

execute sql-report import-lang <language name> <ftp> <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> <sftp> <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> <scp> <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> <tftp> <server IP address> <file name>

For more information, see the FortiAnalyzer CLI Reference available from the Fortinet Document Library.

Administrative access

Administrative access enables an administrator to connect to the system to view and change configuration settings. The default configuration of your system allows administrative access to one or more of the interfaces of the unit as described in the QuickStart and installation guides for your device.

Administrative access can be configured in IPv4 or IPv6 and includes settings for: HTTPS, HTTP, PING, SSH (Secure Shell), TELNET, SNMP, Web Service, and Aggregator.

To change administrative access:

  1. Go to System Settings > Network.

By default, port1 settings will be presented. To configure administrative access for a different interface, select All Interfaces, and then select the interface from the list.

  2. Set the IPv4 IP/Netmask or the IPv6 Address, select one or more Administrative Access types for the interface, and set the default gateway and Domain Name System (DNS) servers.

Figure 5: Network management interface

  3. Select Apply to finish changing the access settings.

For more information, see “Network” on page 69.

Restricting access by trusted hosts

To prevent unauthorized access to the Web-based Manager, you can configure administrator accounts with trusted hosts. With trusted hosts configured, that administrator can only log in to the Web-based Manager from a computer that matches a trusted host defined in the admin account.

For more information, see “Administrator” on page 75.

Idle timeout

By default, the Web-based Manager disconnects administrative sessions if no activity takes place for fifteen minutes. This idle timeout is recommended to prevent someone from using the Web-based Manager from a PC that is logged in and then left unattended.

To change the Web-based Manager idle timeout:

  1. Go to System Settings > Admin > Admin Settings (see Figure 4 on page 22).
  2. Change the Idle Timeout minutes as required.
  3. Select Apply to save the setting.

For more information, see “Administrator settings” on page 86.

Reboot and shutdown the FortiAnalyzer unit

Always reboot and shut down the FortiAnalyzer system using the unit operation options in the Web-based Manager or the CLI to avoid potential configuration problems.

Figure 6: Unit operation actions in the Web-based Manager

To reboot the FortiAnalyzer unit:

  1. In the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget, select Reboot or, in the CLI Console widget, enter:

execute reboot

The system will be rebooted.
Do you want to continue? (y/n)

  3. Select y to continue. The FortiAnalyzer system will be rebooted.

To shut down the FortiAnalyzer unit:

  1. In the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget, select Shutdown or, in the CLI Console widget, enter:

execute shutdown

The system will be halted.
Do you want to continue? (y/n)

  3. Select y to continue. The FortiAnalyzer system will be shut down.

To reset the FortiAnalyzer unit:

  1. In the CLI Console widget, enter:

execute reset all-settings

This operation will reset all settings to factory defaults
Do you want to continue? (y/n)

  2. Select y to continue. The device will reset to factory default settings and reboot.

To reset logs and re-transfer all logs into the database:

  1. In the CLI Console widget, enter:

execute reset-sqllog-transfer

WARNING: This operation will re-transfer all logs into database.
Do you want to continue? (y/n)

  2. Select y to continue.