Log Aggregation or Forwarding
FortiAnalyzer 5.4 cannot aggregate or forward logs to FortiAnalyzer 5.2 units. Please use the same FortiAnalyzer 5.4 version across all units.
Log Aggregation or Forwarding – FortiAnalyzer 5.4
Leave a reply
Author Archives: Mike
Authentication Settings for Log Aggregation – FortiAnalyzer 5.4
Authentication Settings for Log Aggregation
FortiAnalyzer version 5.4.0 requires an administrator to be defined on the log aggregation server. For authentication to the log aggregation server, the administrator and its password must be set on all log aggregation forwarders.
SQL Storage Settings For Collect Mode – FortiAnalyzer 5.4.0
SQL Storage Settings for Collector Mode
During upgrade to FortiAnalyzer 5.4.0, the SQL database in units running in Collector mode are disabled to optimize performance. You can re-enable the SQL storage settings to view logs and analytics with the following CLI command:
config system sql
set status local
end
FortiAnalyzer 5.4 Has Been Released!
If you are using a FortiAnalyzer in any capacity, go ahead and upgrade to 5.4. You will be thankful!
There are some things you need to take note of though before proceeding:
- in 5.4, Fortinet changed the raw log / SQL design and support per vdom log file and also quota is now ADOM based, so a rebuild of SQL db is needed.
What’s new in FortiAnalyzer version 5.4.0
The following is a list of new features and enhancements in FortiAnalyzer version 5.4.0.
- New GUI look
- Remote SQL database deprecated
- Device support improvements
- Log forwarding improvements
- Log storage improvements
- Fetch offline logs
- FortiClient improvements
- FortiView improvements
- Reports improvements
- Others
- Improved Event Management usability
- Added Factory Reset option to Event Handler
Introduction
- Improved Action and Security Action for the Traffic Log
- Improved HA Conversion efficiency
- Correlated FortiClient Logs with FortiOS Logs for Application Detection
- Added logging support for FortiDDoS l JSON API Syntax Validation for Report Configuration
- Added SSN/Credit DLP Charts
- PCI DSS Compliance Report
- Added View Related Logs Option in FortiView
- Added the ability to clone a chart from report layout
- Added options for chart import and export l Added CVE Information to FortiView and Reports
- Supporting EMS Managed Endpoint Logs
- Support FortiOS Web Application Firewall (WAF) and GTP Logs
Client Threat Assessment Program – Easy Money
So, if you are a Fortinet partner and you aren’t utilizing the Client Threat Assessment Program (CTAP) you are losing money all over the place. Here is a list of why:
- It’s Free
- Fortinet PAYS YOU to do them
- It provides excellent insight into potential new clients networks
- It’s FREE
That is pretty much it. If your sales people can’t give away free, no obligation necessary, assessments then you might have bigger issues at your office. I am currently ranked #1 in the South East (good ol southern boy after all) for these things and it is literally some of the easiest money I have ever made. Not to mention, it enables me to get my foot in the door at potential new clients without any real hassle or pain.
What’s New – FortiAnalyzer 5.2
So, for those of you that utilize the FortiAnalyzer (in place of or in addition to Splunk, ArcSight etc) here is the “What’s New” for FortiAnalyzer 5.2. This is a copy of the Fortinet direct documentation for those that don’t have access to it.
What’s New in FortiAnalyzer v5.2
FortiAnalyzer v5.2 includes the following new features and enhancements.
FortiAnalyzer v5.2.0
FortiAnalyzer v5.2.0 includes the following new features and enhancements.
Event Management
- Event Handler for local FortiAnalyzer event logs
- FortiOS v4.0 MR3 logs are now supported.
- Support subject customization of alert email.
FortiView
- New FortiView module
Logging
- Updated compact log v3 format from FortiGate • Explicit proxy traffic logging support
- Improved FortiAnalyzer insert rate performance
- Log filter improvements
- FortiSandbox logging support
- Syslog server logging support
Reports
- Improvements to report configuration
- Improvements to the Admin and System Events Report template
- Improvements to the VPN Report template
- Improvements to the Wireless PCI Compliance Report template
- Improvements to the Security Analysis Report template
- New Intrusion Prevention System (IPS) Report template
- New Detailed Application Usage and Risk Report template
- New FortiMail Analysis Report template
- New pre-defined Application and Websites report templates
- Macro library support
- Option to display or upload reports in HTML format
- FortiCache reporting support
Other
- HA cluster auto discover
HA With Different Revision Hardware
So, I have run into some instances as of late where I was forced to use different revisions of the same hardware (two FortiGate’s that match model wise but are different hardware revisions, you know, cause Fortinet likes to evolve things half way through a lifecycle) in high available (HA) clusters. This is easily done with a few tweaks at the CLI level to enable it to properly function. I ignore 4.x version code because if you are still running that you are going to have a bad time in general.
execute ha ignore-hardware-revision enable
execute ha ignore-hardware-revision status
This will make the hardware work with ease in an HA cluster. Take note, you still need the same model, this just helps with variances in hardware revision between the two!
Disable SSL VPN Portal
If you are in an environment where you want to make sure that the SSL VPN portal page does NOT show that is fine. You can use the following command to disable the SSL VPN Portal page of a FortiGate
Config VPN SSL Settings
Set sslvpn-enable disable
End
This is commonly used when you are wanting to accept only IPSec tunnels etc to your device. I usually just leave mine up and customize the page to look cool and creative but that is me!