Category Archives: FortiAnalyzer

FortiAnalyzer Open Ports

Outgoing Ports (connections that FortiAnalyzer initiates)

Destination         Purpose                                                             Protocol/Port
FortiGuard          AV/IPS, SMS, FTM, Licensing, Policy Override, RVS, URL/AS Update    TCP/443
3rd-Party Servers   LDAP & PKI Authentication                                           TCP/389, UDP/389
                    Log & Report                                                        TCP/21, TCP/22
                    Configuration Backups                                               TCP/22
                    Alert Email                                                         TCP/25
                    DNS                                                                 UDP/53
                    NTP                                                                 UDP/123
                    SNMP Traps                                                          UDP/162
                    Report Query                                                        TCP/389
                    Syslog & OFTP                                                       TCP or UDP/514
                    RADIUS                                                              UDP/1812
FortiAnalyzer       Syslog, OFTP, Registration, Quarantine, Log & Report                TCP/514
                    Event Logs                                                          UDP/5246*
FortiCloud          Initial Discovery                                                   TCP/443
                    Syslog, OFTP, Registration, Quarantine, Log & Report                TCP/514
                    Event Logs                                                          UDP/5246*
FortiGate           Syslog, Registration, Quarantine, Log & Report                      TCP/443
                    CAPWAP                                                              UDP/5246*, UDP/5247*

This table is the basis for an egress allowlist on the FortiAnalyzer management network: the unit has no legitimate reason to initiate anything that is not listed here, so any other outbound connection from it deserves investigation.
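The following script, added here as an example and not Fortinet code, turns the outgoing-ports table into an allowlist and audits a set of observed outbound flows against it. The mapping of destination roles to IP ranges (ROLE_NETWORKS) and the sample flows are constructed assumptions; in practice the flows would come from a firewall or NetFlow export in front of the FortiAnalyzer.

```python
"""Egress allowlist derived from the FortiAnalyzer outgoing-ports table.

Added example, not Fortinet code. The peer IP ranges and the sample
connection records below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Rows of the outgoing-ports table: (destination role, purpose, protocol, port).
OUTGOING_RULES = [
    ("FortiGuard", "AV/IPS, licensing, updates", "tcp", 443),
    ("3rd-Party", "LDAP & PKI authentication", "tcp", 389),
    ("3rd-Party", "LDAP & PKI authentication", "udp", 389),
    ("3rd-Party", "Log & Report (FTP)", "tcp", 21),
    ("3rd-Party", "Log & Report / configuration backups (SSH)", "tcp", 22),
    ("3rd-Party", "Alert email", "tcp", 25),
    ("3rd-Party", "DNS", "udp", 53),
    ("3rd-Party", "NTP", "udp", 123),
    ("3rd-Party", "SNMP traps", "udp", 162),
    ("3rd-Party", "Syslog & OFTP", "tcp", 514),
    ("3rd-Party", "Syslog & OFTP", "udp", 514),
    ("3rd-Party", "RADIUS", "udp", 1812),
    ("FortiAnalyzer", "OFTP / log forwarding", "tcp", 514),
    ("FortiAnalyzer", "Event logs", "udp", 5246),
    ("FortiCloud", "Initial discovery", "tcp", 443),
    ("FortiCloud", "OFTP / log forwarding", "tcp", 514),
    ("FortiCloud", "Event logs", "udp", 5246),
    ("FortiGate", "Syslog, registration, quarantine, log & report", "tcp", 443),
    ("FortiGate", "CAPWAP", "udp", 5246),
    ("FortiGate", "CAPWAP", "udp", 5247),
]

# Assumed deployment layout (not from the page): which networks play which role.
ROLE_NETWORKS = {
    "3rd-Party": [ip_network("10.0.10.0/24")],     # DNS, NTP, LDAP, SMTP, syslog servers
    "FortiAnalyzer": [ip_network("10.0.20.0/24")],  # peer collectors/analyzers
    "FortiGate": [ip_network("10.0.30.0/24")],      # managed firewalls
    "FortiGuard": [ip_network("203.0.113.0/24")],   # placeholder documentation range
    "FortiCloud": [ip_network("198.51.100.0/24")],  # placeholder documentation range
}


@dataclass(frozen=True)
class Flow:
    dst: str
    proto: str
    dport: int


def roles_for(dst):
    """Return the set of destination roles whose networks contain dst."""
    ip = ip_address(dst)
    return {role for role, nets in ROLE_NETWORKS.items() if any(ip in n for n in nets)}


def is_expected(flow):
    """True if some table row allows this (destination role, protocol, port)."""
    roles = roles_for(flow.dst)
    return any(role in roles and proto == flow.proto.lower() and port == flow.dport
               for role, _purpose, proto, port in OUTGOING_RULES)


def audit(flows):
    """Return the flows that match no row of the outgoing-ports table."""
    return [f for f in flows if not is_expected(f)]


# Constructed sample of outbound connections seen from the FortiAnalyzer.
SAMPLE_FLOWS = [
    Flow("10.0.10.5", "udp", 53),      # DNS to a third-party server
    Flow("10.0.30.1", "tcp", 443),     # FortiGate registration/quarantine
    Flow("10.0.20.7", "tcp", 514),     # OFTP forwarding to another FortiAnalyzer
    Flow("10.0.10.9", "tcp", 3306),    # MySQL: no row in the table
    Flow("192.0.2.44", "tcp", 443),    # HTTPS to an address that is no known peer
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"unexpected egress: {f.proto}/{f.dport} to {f.dst}")
```

Matching is by role, not just by port: HTTPS to a FortiGate is expected, HTTPS to an unknown address is not, even though both use TCP/443.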

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiAnalyzer 5.4.2 Release Notes

Change Log

Date Change Description
2016-12-14 Initial release of 5.4.2.
2016-12-15 Added 400028 to Known Issues and 389255 and 383563 to Resolved Issues. Noted that FortiAnalyzer supports Microsoft Hyper-V 2016 in the FortiAnalyzer VM Firmware section.

 

Introduction

This document provides the following information for FortiAnalyzer version 5.4.2 build 1151:

  • Supported models
  • What’s new in FortiAnalyzer version 5.4.2
  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues

For more information on upgrading your FortiAnalyzer device, see the FortiAnalyzer Upgrade Guide.

Supported models

FortiAnalyzer version 5.4.2 supports the following models:

FortiAnalyzer FAZ-200D, FAZ-300D, FAZ-400E, FAZ-1000D, FAZ-1000E, FAZ-2000B, FAZ-2000E, FAZ-3000D, FAZ-3000E, FAZ-3000F, FAZ-3500E, FAZ-3500F, FAZ-3900E, and FAZ-4000B.
FortiAnalyzer VM FAZ-VM64, FAZ-VM64-AWS, FAZ-VM64-Azure, FAZ-VM64-HV, FAZ-VM64-KVM, and FAZ-VM64-XEN (Citrix XenServer and Open Source Xen).


What’s new in FortiAnalyzer version 5.4.2

The following is a list of new features and enhancements in FortiAnalyzer version 5.4.2.

Security Service—Indicators of Compromise

IOC Enhancement

Improved threat catch rate

FortiView

FortiView improvements

  • Improved filters, refresh interval selection and summary headers on drilldown
  • Performance improvements
  • Device-level hcache now supported in FortiView

Reports

SAAS Application Report

Default report template for monitoring sanctioned and unsanctioned SAAS applications

Cyber Threat Assessment Report

New report template for cyber threat assessment

Report Usability Improvements

  • Simplified template configuration
  • Streamlined report workflow

Event Management

Events Calendar View

Displays alerts on calendar with weekly/monthly views for quick access and intuitive event monitoring

 


Log View

Add CVE-ID to Log View

Common Vulnerabilities and Exposures number (CVE ID) for known security threats added to Log View > Security > Intrusion Prevention

System Settings

Dashboard

New widget for collector mode to monitor log forwarding rate

Product Integration

Support for FortiAuthenticator integration

Help

Links to how-to videos in the Help menu

Special Notices

This section highlights some of the operational changes that administrators should be aware of in FortiAnalyzer version 5.4.2.

IPsec connection to FortiOS for logging

FortiAnalyzer 5.4.2 no longer accepts an IPsec connection from FortiOS 5.0/5.2. Plain UDP logging and reliable (TCP) logging are still supported.

Instead of IPsec, use the FortiOS reliable logging feature, which carries logs to FortiAnalyzer over TCP and can encrypt them. Reliable logging is enabled on FortiOS under config log fortianalyzer setting, and the encryption strength is selected in the same block with set enc-algorithm {default | high | low | disable}. Choosing disable sends the logs in clear text, so verify the setting on each FortiGate after the upgrade rather than assuming the protection the IPsec tunnel used to give carries over.

FortiAnalyzer 5.4.1 and earlier still support an IPsec connection with FortiOS 5.0/5.2.

Datasets Related to Browse Time

FortiAnalyzer 5.4.2 contains enhancements to calculating the estimated browse time. Due to the changes, cloned datasets that query for browse time may not be able to return any results after upgrade.

System Configuration or VM License is Lost after Upgrade

When upgrading FortiAnalyzer from 5.4.0 or 5.4.1 to 5.4.2, it is imperative to reboot the unit before installing the 5.4.2 firmware image. See the FortiAnalyzer Upgrade Guide for details about upgrading. Otherwise, FortiAnalyzer may lose its system configuration or VM license after the upgrade. There are two options to recover the FortiAnalyzer unit:

  1. Reconfigure the system configuration or add VM license via CLI with execute add-vm-license <vm license>.
  2. Restore the 5.4.0 backup and upgrade to 5.4.2.

SSLv3 on FortiAnalyzer-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiAnalyzer-VM64-AWS enables only TLSv1 by default. All other models enable both TLSv1 and SSLv3. To disable SSLv3 support on those models, run:

config system global
    set ssl-protocol tlsv1
end

After the change, confirm from a client that an SSLv3 handshake to the GUI is refused rather than relying on the configuration alone.


No support for remote SQL database

Starting with FortiAnalyzer software versions 5.0.7 and 5.2.0, remote SQL database support will only cover the insertion of log data into the remote MySQL database. Historical log search and reporting capabilities, which rely on the remote SQL data, will no longer be supported.

Those wishing to use the full set of FortiAnalyzer features are encouraged to switch as soon as possible to storing SQL data locally on the FortiAnalyzer. The local database can be built based upon existing raw logs already stored on the FortiAnalyzer.

Pre-processing logic of ebtime

Logs with the following conditions met are considered usable for the calculation of estimated browsing time:

Traffic logs with logid 13 or 2 are candidates; when logid is 13, the hostname field must not be empty. The service field must be HTTP, 80/TCP or 443/TCP.

If all of the above conditions are met, devid, vdom and user (srcip when user is empty) are combined into a key that identifies a user. For the time estimate, the duration of the current log is compared with the start and end times of that user's earlier sessions, and only the part that does not overlap an earlier session is counted as the ebtime of the current log.

In version 5.0.5 or later, explicit proxy logs (logid=10) are also considered when calculating the estimated browsing time.
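The rules above, carried through as a small working implementation. This is an added example, not FortiAnalyzer code: the field names follow the text (logid, hostname, service, devid, vdom, user, srcip, duration), the sample records are constructed, and the choice to anchor each session window as [itime - duration, itime] is an assumption the page does not state.

```python
"""Estimated browse time (ebtime) pre-processing as described in the release notes.

Added example, not FortiAnalyzer code. Timestamps are epoch seconds. A log's
session is assumed to span [itime - duration, itime]; the page does not say
how the window is anchored, only that overlapping time is not double counted.
"""

USABLE_LOGIDS = {13, 2, 10}            # 10 = explicit proxy, counted from 5.0.5 on
USABLE_SERVICES = {"HTTP", "80/TCP", "443/TCP"}


def is_usable(log):
    """Apply the filter conditions from the text."""
    if log.get("logid") not in USABLE_LOGIDS:
        return False
    if log["logid"] == 13 and not log.get("hostname"):
        return False
    return log.get("service") in USABLE_SERVICES


def user_key(log):
    """devid + vdom + user, with srcip standing in for an empty user."""
    return (log["devid"], log["vdom"], log.get("user") or log["srcip"])


def _uncovered(start, end, history):
    """Seconds of [start, end] not already covered by the disjoint intervals in history."""
    covered = 0
    for h_start, h_end in history:
        overlap = min(end, h_end) - max(start, h_start)
        if overlap > 0:
            covered += overlap
    return end - start - covered


def _merge(intervals, new):
    """Insert new into a list of disjoint intervals, merging anything it touches."""
    merged = []
    s, e = new
    for a, b in intervals:
        if b < s or a > e:
            merged.append((a, b))
        else:
            s, e = min(s, a), max(e, b)
    merged.append((s, e))
    merged.sort()
    return merged


def estimate_browse_time(logs):
    """Return {user_key: ebtime_seconds}, crediting only un-overlapped time.

    Logs are processed in time order; history keeps the merged session
    intervals already credited to each user.
    """
    history, ebtime = {}, {}
    for log in sorted(logs, key=lambda rec: rec["itime"]):
        if not is_usable(log):
            continue
        key = user_key(log)
        start, end = log["itime"] - log["duration"], log["itime"]
        prior = history.get(key, [])
        ebtime[key] = ebtime.get(key, 0) + _uncovered(start, end, prior)
        history[key] = _merge(prior, (start, end))
    return ebtime


# Constructed sample records (not real FortiGate logs).
SAMPLE_LOGS = [
    # alice: two web sessions that overlap by 60 s
    {"itime": 1000, "duration": 300, "logid": 13, "hostname": "example.com",
     "service": "HTTP", "devid": "FG1", "vdom": "root", "user": "alice", "srcip": "10.1.1.5"},
    {"itime": 1240, "duration": 300, "logid": 13, "hostname": "example.org",
     "service": "443/TCP", "devid": "FG1", "vdom": "root", "user": "alice", "srcip": "10.1.1.5"},
    # logid 13 with an empty hostname: discarded
    {"itime": 1300, "duration": 100, "logid": 13, "hostname": "",
     "service": "HTTP", "devid": "FG1", "vdom": "root", "user": "alice", "srcip": "10.1.1.5"},
    # no user name, so keyed by srcip; DNS is not browse traffic and is discarded
    {"itime": 1500, "duration": 10, "logid": 2, "hostname": "",
     "service": "53/UDP", "devid": "FG1", "vdom": "root", "user": "", "srcip": "10.1.1.9"},
    # explicit proxy log (logid 10) for the same source address
    {"itime": 1600, "duration": 120, "logid": 10, "hostname": "proxy.example",
     "service": "80/TCP", "devid": "FG1", "vdom": "root", "user": "", "srcip": "10.1.1.9"},
]

if __name__ == "__main__":
    for key, seconds in estimate_browse_time(SAMPLE_LOGS).items():
        print(key, seconds)
```

With the sample data alice is credited 540 s (300 + 300 minus the 60 s overlap) and the unnamed 10.1.1.9 source 120 s. Because history is merged per user key, a cloned dataset that keys differently (for example by srcip only) will produce different totals, which is the kind of divergence the "Datasets Related to Browse Time" notice above warns about after upgrade.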

Log Aggregation or Forwarding

Log aggregation and log forwarding work only between units running the same FortiAnalyzer version (5.4 to 5.4, or 5.4.1 to 5.4.1). Use the same FortiAnalyzer version on all units; other combinations are not supported.

Upgrade Information

Upgrading to FortiAnalyzer 5.4.2

You can upgrade FortiAnalyzer 5.2.0 or later directly to 5.4.2. If you are upgrading from a version earlier than 5.2.0, upgrade to FortiAnalyzer 5.2 first (5.2.9, the latest 5.2 release, is recommended).

Downgrading to previous versions

FortiAnalyzer does not provide a full downgrade path. You can downgrade to a previous firmware release via the GUI or CLI, but doing so results in configuration loss. A system reset is required after the downgrade has completed. To reset the system, use the following CLI commands over a console port connection:

execute reset all-settings
execute format {disk | disk-ext4}

Both commands are destructive: the first returns the configuration to factory defaults and the second reformats the log disk, so back up the configuration and export any logs you still need before downgrading.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. To verify the integrity of the download, select the Checksum link next to the HTTPS download link. A dialog box displays the image file name and checksum. Compare that value with a checksum you compute over the downloaded image, and do not install an image whose checksum differs. Because MD5 is no longer collision resistant, treat this check as protection against a corrupted or truncated download; the authenticity of the image rests on having fetched both the image and the checksum from the support portal over HTTPS.
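A small verifier for that check, added as an example rather than Fortinet tooling. It streams the file so multi-gigabyte images do not need to fit in memory and compares digests in constant time. The "image" and the expected digest in demo() are constructed in a temporary directory; a real run passes the path of the downloaded .out file and the hex string shown in the portal's Checksum dialog.

```python
"""Verify a downloaded firmware image against the checksum shown on the support portal.

Added example, not Fortinet tooling. The image bytes and expected digest used
in demo() are constructed; the file name is a placeholder.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images never sit in memory whole


def file_digest(path, algorithm="md5"):
    """Hex digest of the file at path using the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hex, algorithm="md5"):
    """True only if the file's digest equals expected_hex (case-insensitive).

    hmac.compare_digest is used out of habit: the comparison is local, but a
    constant-time compare is the right default for any digest check.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo():
    """Write a constructed 'image', then verify a correct copy and a one-bit-flipped copy."""
    payload = b"FAZ_VM64-v5-build1151-FORTINET.out placeholder\n" + os.urandom(4096)
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.out")
        bad = os.path.join(tmp, "bad.out")
        with open(good, "wb") as f:
            f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload[:-1] + bytes([payload[-1] ^ 0x01]))  # flip the last bit
        expected = hashlib.md5(payload).hexdigest()  # stands in for the portal value
        return verify_image(good, expected), verify_image(bad, expected)


if __name__ == "__main__":
    print("good image ok, tampered image ok:", demo())
```

Passing algorithm="sha256" works unchanged if a stronger digest is ever published alongside the MD5 value.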

FortiAnalyzer VM firmware

Fortinet provides FortiAnalyzer VM firmware images for Amazon AWS, Citrix and Open Source XenServer, Linux KVM, Microsoft Hyper-V Server, and VMware ESX/ESXi virtualization environments.

Amazon Web Services

  • The 64-bit Amazon Machine Image (AMI) is available on the AWS marketplace.


Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiAnalyzer VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiAnalyzer VM installation. This package contains the QCOW2 file for the Open Source Xen Server.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiAnalyzer VM installation. This package contains the Citrix XenServer Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiAnalyzer VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiAnalyzer VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Azure

The files for Microsoft Azure have AZURE in the filenames, for example FAZ_VM64_AZURE-v<number>build<number>-FORTINET.out.hyperv.zip.

  • .out: Download the firmware image to upgrade your existing FortiAnalyzer VM installation.
  • .hyperv.zip: Download the package for a new FortiAnalyzer VM installation. This package contains a Virtual Hard Disk (VHD) file for Microsoft Azure.

Microsoft Hyper-V Server

The files for Microsoft Hyper-V Server have HV in the filenames, for example, FAZ_VM64_HV-v<number>build<number>-FORTINET.out.hyperv.zip.

  • .out: Download the firmware image to upgrade your existing FortiAnalyzer VM installation.
  • .hyperv.zip: Download the package for a new FortiAnalyzer VM installation. This package contains a Virtual Hard Disk (VHD) file for Microsoft Hyper-V Server.

VMware ESX/ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing VM installation.
  • .ovf.zip: Download the 64-bit package for a new VM installation. This package contains an Open Virtualization Format (OVF) file for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

For more information see the FortiManager product data sheet available on the Fortinet web site, http://www.fortinet.com/products/fortimanager/virtual-securitymanagement.html. VM installation guides are available in the Fortinet Document Library.

 


SNMP MIB files

You can download the FORTINET-FORTIMANAGER-FORTIANALYZER.mib MIB file in the firmware image file folder. The Fortinet Core MIB file is located in the main FortiAnalyzer v5.00 file folder.

Product Integration and Support

FortiAnalyzer version 5.4.2 support

The following table lists FortiAnalyzer version 5.4.2 product integration and support information:

Web Browsers
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 50
  • Google Chrome version 54

Other web browsers may function correctly, but are not supported by Fortinet.

FortiOS/FortiOS Carrier
  • 5.4.0 to 5.4.2
  • 5.2.0 to 5.2.10
  • 5.0.4 to 5.0.12
  • 4.3.2 to 4.3.18

FortiAnalyzer
  • 5.4.0 to 5.4.2
  • 5.2.0 to 5.2.9
  • 5.0.0 to 5.0.13

FortiCache
  • 4.1.3
  • 4.0.4

FortiClient
  • 5.2.0 and later
  • 5.0.4 and later

FortiMail
  • 5.3.8
  • 5.2.9
  • 5.1.6
  • 5.0.10

FortiManager
  • 5.4.0 to 5.4.2
  • 5.2.0 and later
  • 5.0.0 and later


FortiSandbox
  • 2.3.2
  • 2.2.2
  • 2.1.3
  • 2.0.3
  • 1.4.0 and later
  • 1.3.0
  • 1.2.0 and 1.2.3

FortiSwitch ATCA
  • 5.0.0 and later
  • 4.3.0 and later
  • 4.2.0 and later

FortiWeb
  • 5.6.0
  • 5.5.4
  • 5.4.1
  • 5.3.8
  • 5.2.4
  • 5.1.4
  • 5.0.6

FortiDDoS
  • 4.2.3
  • 4.1.12

FortiAuthenticator
  • 4.2.0

Virtualization
  • Amazon Web Service AMI, Amazon EC2, Amazon EBS
  • Citrix XenServer 6.2
  • Linux KVM Redhat 6.5
  • Microsoft Azure
  • Microsoft Hyper-V Server 2008 R2, 2012 & 2012 R2
  • OpenSource XenServer 4.2.5
  • VMware ESX versions 4.0 and 4.1
  • VMware ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, and 6.0

Feature support

The following table lists FortiAnalyzer feature support for log devices.

 

Platform                                    Log View   FortiView   Event Management   Reports
FortiGate                                   Yes        Yes         Yes                Yes
FortiCarrier                                Yes        Yes         Yes                Yes
FortiAnalyzer                               Yes        No          Yes                No
FortiCache                                  Yes        No          Yes                Yes
FortiClient registered to FortiGate         Yes        Yes         No                 Yes
FortiClient registered to FortiClient EMS   Yes        Yes         No                 Yes
FortiDDoS                                   Yes        Yes         Yes                Yes
FortiMail                                   Yes        No          Yes                Yes
FortiManager                                Yes        No          Yes                No
FortiSandbox                                Yes        No          Yes                Yes
FortiWeb                                    Yes        No          Yes                Yes
Syslog                                      Yes        No          Yes                No

FortiGate Management

You can enable FortiManager features on some FortiAnalyzer models. FortiAnalyzer models with FortiManager features enabled can manage a small number of FortiGate devices, and all but a few FortiManager features are enabled on FortiAnalyzer. The following table lists the supported modules for FortiAnalyzer with FortiManager Features enabled:

FortiManager Management Module   FortiAnalyzer with FortiManager Features Enabled
Device Manager                   Yes
Policy & Objects                 Yes
AP Manager                       Yes
FortiClient Manager              Yes
VPN Manager                      Yes
FortiGuard                       No
FortiMeter                       No
FGT-VM License Activation        No

Language support

The following table lists FortiAnalyzer language support information.

Language                GUI   Reports
English                 Yes   Yes
Chinese (Simplified)    Yes   Yes
Chinese (Traditional)   Yes   Yes
French                  No    Yes
Hebrew                  No    Yes
Hungarian               No    Yes
Japanese                Yes   Yes
Korean                  Yes   Yes
Portuguese              No    Yes
Russian                 No    Yes
Spanish                 No    Yes

To change the FortiAnalyzer language setting, go to System Settings > Admin > Admin Settings, in Administrative Settings > Language select the desired language from the drop-down list. The default value is Auto Detect.

Russian, Hebrew, and Hungarian are not included in the default report languages. You can import language translation files for these languages via the command line interface using one of the following commands:

execute sql-report import-lang <language name> ftp <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> sftp <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> scp <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> tftp <server IP address> <file name>

FTP and TFTP move the file (and, for FTP, the credentials) in clear text; prefer SFTP or SCP where the server supports them. For more information, see the FortiAnalyzer CLI Reference.

Supported models

The following tables list which FortiGate, FortiCarrier, FortiDDoS, FortiAnalyzer, FortiMail, FortiManager, FortiWeb, FortiCache, and FortiSandbox models and firmware versions can log to a FortiAnalyzer appliance running version 5.4.2. Please ensure that the log devices are supported before completing the upgrade.

FortiGate models

Firmware version 5.4

FortiGate: FG-30D, FG-30D-POE, FG-30E, FG-30E-3G4G-INTL, FG-30E-3G4G-NAM, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-61E, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-90E, FG-91E, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-101E, FG-140D, FG-140D-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-200E, FG-201E, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3810D, FG-3815D, FG-2000E, FG-2500E, FG-3800D, FG-7040E-1, FG-7040E-2, FG-7040E-3, FG-7040E-4, FG-7040E-5, FG-7040E-6, FG-7060E-1, FG-7060E-2, FG-7060E-3, FG-7060E-4, FG-7060E-5, FG-7060E-6

FortiGate 5000 Series: FG-5001C, FG-5001D

FortiGate DC: FG-80C-DC, FG-600C-DC, FG-800C-DC, FG-1000C-DC, FG-1500D-DC, FG-3000D-DC, FG-3100D-DC, FG-3200D-DC, FG-3240C-DC, FG-3600C-DC, FG-3700D-DC, FG-3800D-DC, FG-3810D-DC

FortiGate Low Encryption: FG-80C-LENC, FG-100D-LENC, FG-600C-LENC, FG-1000C-LENC

FortiWiFi: FWF-30D, FWF-30E, FWF-30E-3G4G-INTL, FWF-30E-3G4G-NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-30D-POE, FWF-60D, FWF-60D-POE, FWF-90D, FWF-90D-POE, FWF-92D, FWF-60E, FWF-61E, FWF-80CM, FWF-81CM

FortiGate VM: FG-VM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN, FG-VMX-Service-Manager

FortiGate Rugged: FGR-30D, FGR-35D, FGR-60D, FGR-90D

Firmware version 5.2

FortiGate: FG-20C, FG-20C-ADSL-A, FG-30D, FG-30D-POE, FG-40C, FG-60C, FG-60C-POE, FG-60C-SFP, FG-60D, FG-60D-3G4G-VZW, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-110C, FG-111C, FG-140D, FG-140D-POE, FG-140D-POE-T1, FG-200B, FG-200B-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300C, FG-300D, FG-310B, FG-311B, FG-400D, FG-500D, FG-600D, FG-900D, FG-600C, FG-620B, FG-621B, FG-800C, FG-800D, FG-1000C, FG-1000D, FG-1200D, FG-1240B, FG-1500D, FG-1500DT, FG-3000D, FG-3016B, FG-3040B, FG-3100D, FG-3140B, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3810A, FG-3810D, FG-3815D, FG-3950B, FG-3951B

FortiGate 5000 Series: FG-5001A, FG-5001A-SW, FG-5001A-LENC, FG-5001A-DW-LENC, FG-5001A-SW-LENC, FG-5001B, FG-5001C, FG-5001D, FG-5101C

FortiGate DC: FG-80C-DC, FG-300C-DC, FG-310B-DC, FG-600C-DC, FG-620B-DC, FG-621B-DC, FG-800C-DC, FG-1000C-DC, FG-1240B-DC, FG-1500D-DC, FG-3000D-DC, FG-3040B-DC, FG-3100D-DC, FG-3140B-DC, FG-3200D-DC, FG-3240C-DC, FG-3600C-DC, FG-3700D-DC, FG-3810A-DC, FG-3810D-DC, FG-3815D-DC, FG-3950B-DC, FG-3951B-DC

FortiGate Low Encryption: FG-20C-LENC, FG-40C-LENC, FG-60C-LENC, FG-80C-LENC, FG-100D-LENC, FG-200B-LENC, FG-300C-LENC, FG-620B-LENC, FG-1000C-LENC, FG-1240B-LENC, FG-3040B-LENC, FG-310B-LENC, FG-600C-LENC, FG-3140B-LENC, FG-3810A-LENC, FG-3950B-LENC

FortiWiFi: FWF-20C, FWF-20C-ADSL-A, FWF-30D, FWF-30D-POE, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-60D, FWF-60D-3G4G-VZW, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged: FGR-60D, FGR-100C

FortiGate VM: FG-VM-Azure, FG-VM, FG-VM64, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN

FortiSwitch: FS-5203B, FCT-5902D

Firmware version 5.0

FortiGate: FG-20C, FG-20C-ADSL-A, FG-30D, FG-30D-POE, FG-40C, FG-60C, FG-60C-POE, FG-60C-SFP, FG-60D, FG-60D-3G4G-VZW, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-110C, FG-111C, FG-140D, FG-140D-POE, FG-140D-POE-T1, FG-200B, FG-200B-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300C, FG-300D, FG-310B, FG-311B, FG-500D, FG-600C, FG-620B, FG-621B, FG-700D, FG-800C, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1240B, FG-1500D, FG-3000D, FG-3016B, FG-3040B, FG-3100D, FG-3140B, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3810A, FG-3950B, FG-3951B

FortiGate 5000 Series: FG-5001A, FG-5001A-SW, FG-5001A-LENC, FG-5001A-DW-LENC, FG-5001A-SW-LENC, FG-5001B, FG-5001C, FG-5001D, FG-5101C

FortiGate DC: FG-80C-DC, FG-300C-DC, FG-310B-DC, FG-600C-DC, FG-620B-DC, FG-621B-DC, FG-800C-DC, FG-1000C-DC, FG-1240B-DC, FG-3000D-DC, FG-3040B-DC, FG-3100D-DC, FG-3140B-DC, FG-3200D-DC, FG-3240C-DC, FG-3600C-DC, FG-3700D-DC, FG-3810A-DC, FG-3950B-DC, FG-3951B-DC

FortiGate Low Encryption: FG-20C-LENC, FG-40C-LENC, FG-60C-LENC, FG-80C-LENC, FG-100D-LENC, FG-200B-LENC, FG-300C-LENC, FG-310B-LENC, FG-600C-LENC, FG-620B-LENC, FG-1000C-LENC, FG-1240B-LENC, FG-3040B-LENC, FG-3140B-LENC, FG-3810A-LENC, FG-3950B-LENC

FortiWiFi: FWF-20C, FWF-20C-ADSL-A, FWF-30D, FWF-30D-POE, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-60D, FWF-60D-POE, FWF-60D-3G4G-VZW, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged: FGR-60D, FGR-90D, FGR-100C

FortiGateVoice: FGV-40D2, FGV-70D4

FortiGate VM: FG-VM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN

FortiSwitch: FS-5203B

FortiCarrier models

Firmware version 5.4

FortiCarrier: FCR-3000D, FCR-3100D, FCR-3200D, FCR-3700D, FCR-3700DX, FCR-3800D, FCR-3810D, FCR-3815D, FCR-5001C, FCR-5001D, FCR-3000D-DC, FCR-3100D-DC, FCR-3200D-DC, FCR-3240C, FCR-3600C, FCR-3700D-DC, FCR-3810D-DC, FCR-5001C

FortiCarrier DC: FCR-3000D-DC, FCR-3100D-DC, FCR-3200D-DC, FCR-3240C-DC, FCR-3600C-DC, FCR-3700D-DC, FCR-3810D-DC, FCR-3815D-DC

FortiCarrier VM: FCR-VM, FCR-VM64, FCR-VM64-AWS, FCR-VM64-AWSONDEMAND, FCR-VM64-HV, FCR-VM64-KVM

Firmware version 5.2

FortiCarrier: FCR-3000D, FCR-3100D, FCR-3200D, FCR-3240C, FCR-3600C, FCR-3700D, FCR-3700DX, FCR-3810A, FCR-3810D, FCR-3815D, FCR-3950B, FCR-3951B, FCR-5001A, FCR-5001B, FCR-5001C, FCR-5001D, FCR-5101C, FCR-5203B, FCR-5902D

FortiCarrier DC: FCR-3000D-DC, FCR-3100D-DC, FCR-3200D-DC, FCR-3700D-DC, FCR-3810D-DC

FortiCarrier Low Encryption: FCR-5001A-DW-LENC

FortiCarrier VM: FCR-VM, FCR-VM64, FCR-VM64-HV, FCR-VM64-KVM, FCR-VM64-XEN, FCR-VM64-AWSONDEMAND

Firmware version 5.0

FortiCarrier: FCR-3240C, FCR-3600C, FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001A, FCR-5001B, FCR-5001C, FCR-5001D, FCR-5101C

FortiCarrier DC: FCR-3240C-DC, FCR-3600C-DC, FCR-3810A-DC, FCR-3950B-DC, FCR-3951B-DC

FortiCarrier Low Encryption: FCR-5001A-DW-LENC

FortiCarrier VM: FCR-VM, FCR-VM64

FortiDDoS models

Firmware versions 4.2, 4.1, 4.0

FortiDDoS: FI-200B, FI-400B, FI-600B, FI-800B, FI-900B, FI-1000B, FI-1200B, FI-2000B

FortiAnalyzer models

Firmware version 5.4

FortiAnalyzer: FAZ-200D, FAZ-300D, FAZ-400E, FAZ-1000D, FAZ-1000E, FAZ-2000B, FAZ-2000E, FAZ-3000D, FAZ-3000E, FAZ-3000F, FAZ-3500E, FAZ-3500F, FAZ-3900E, FAZ-4000B

FortiAnalyzer VM: FAZ-VM64, FAZ-VM64-Azure, FAZ-VM64-HV, FAZ-VM64-XEN (Citrix XenServer and Open Source Xen), FAZ-VM64-KVM, FAZ-VM64-AWS

Firmware version 5.2

FortiAnalyzer: FAZ-100C, FAZ-200D, FAZ-200E, FAZ-300D, FAZ-400C, FAZ-400E, FAZ-1000C, FAZ-1000D, FAZ-1000E, FAZ-2000B, FAZ-3000D, FAZ-3000E, FAZ-3000F, FAZ-3500E, FAZ-3500F, FAZ-3900E, FAZ-4000B

FortiAnalyzer VM: FAZ-VM, FAZ-VM-AWS, FAZ-VM64, FAZ-VM64-Azure, FAZ-VM64-HV, FAZ-VM64-KVM, FAZ-VM64-XEN

Firmware version 5.0

FortiAnalyzer: FAZ-100C, FAZ-200D, FAZ-200E, FAZ-300D, FAZ-400B, FAZ-400C, FAZ-400E, FAZ-1000B, FAZ-1000C, FAZ-1000D, FAZ-1000E, FAZ-2000A, FAZ-2000B, FAZ-3000D, FAZ-3000E, FAZ-3000F, FAZ-3500E, FAZ-3500F, FAZ-4000A, FAZ-4000B

FortiAnalyzer VM: FAZ-VM, FAZ-VM64, FAZ-VM64-AWS, FAZ-VM64-Azure, FAZ-VM64-HV, FAZ-VM-KVM, FAZ-VM-XEN

FortiMail models

Firmware version 5.3.7

FortiMail: FE-60D, FE-200D, FE-200E, FE-400C, FE-400E, FE-1000D, FE-2000B, FE-2000E, FE-3000C, FE-3000D, FE-3000E, FE-3200E, FE-5002B

FortiMail Low Encryption: FE-3000C-LENC

FortiMail VM: FE-VM64, FE-VM64-HV, FE-VM64-XEN

Firmware version 5.2.8

FortiMail: FE-60D, FE-200D, FE-200E, FE-400C, FE-400E, FE-1000D, FE-2000B, FE-3000C, FE-3000D, FE-5002B

FortiMail VM: FE-VM64, FE-VM64-HV, FE-VM64-XEN

Firmware version 5.1.6

FortiMail: FE-100C, FE-200D, FE-200E, FE-400B, FE-400C, FE-400E, FE-1000D, FE-2000B, FE-3000C, FE-3000D, FE-5001A, FE-5002B

FortiMail VM: FE-VM64

Firmware version 5.0.10

FortiMail: FE-100C, FE-200D, FE-200E, FE-400B, FE-400C, FE-1000D, FE-2000A, FE-2000B, FE-3000C, FE-3000D, FE-4000A, FE-5001A, FE-5002B

FortiMail VM: FE-VM64

FortiSandbox models

Firmware version 2.3.2

FortiSandbox: FSA-1000D, FSA-3000D, FSA-3000E, FSA-3500D

FortiSandbox VM: FSA-VM

Firmware versions 2.2.0 and 2.1.0

FortiSandbox: FSA-1000D, FSA-3000D, FSA-3500D

FortiSandbox VM: FSA-VM

Firmware versions 2.0.0 and 1.4.2

FortiSandbox: FSA-1000D, FSA-3000D

FortiSandbox VM: FSA-VM

Firmware versions 1.4.0 and 1.4.1, 1.3.0, 1.2.0 and later

FortiSandbox: FSA-1000D, FSA-3000D

FortiSwitch ATCA models

Firmware version 5.2.0

FortiController: FTCL-5103B, FTCL-5902D, FTCL-5903C, FTCL-59

Firmware version 5.0.0

FortiSwitch-ATCA: FS-5003A, FS-5003B

FortiController: FTCL-5103B, FTCL-5903C, FTCL-5913C

Firmware versions 4.3.0 and 4.2.0

FortiSwitch-ATCA: FS-5003A, FS-5003B

FortiWeb models

Firmware version 5.6.0

FortiWeb: FWB-2000E

Firmware version 5.5.3

FortiWeb: FWB-100D, FWB-400C, FWB-400D, FWB-1000C, FWB-1000D, FWB-3000C, FWB-3000CFSX, FWB-3000D, FWB-3000DFSX, FWB-3000E, FWB-3010E, FWB-4000C, FWB-4000D, FWB-4000E

FortiWeb VM: FWB-VM-64, FWB-XENAWS, FWB-XENOPEN, FWB-XENSERVER, FWB-HYPERV, FWB-KVM, FWB-AZURE

Firmware version 5.4.1

FortiWeb: FWB-100D, FWB-400C, FWB-1000C, FWB-3000C, FWB-3000CFSX, FWB-3000D, FWB-3000DFSX, FWB-3000E, FWB-4000C, FWB-4000D, FWB-4000E

FortiWeb VM: FWB-VM64, FWB-XENAWS, FWB-XENOPEN, FWB-XENSERVER, FWB-HYPERV

Firmware version 5.3.8

FortiWeb: FWB-100D, FWB-400B, FWB-400C, FWB-1000B, FWB-1000C, FWB-1000D, FWB-3000C, FWB-3000CFSX, FWB-3000D, FWB-3000DFSX, FWB-3000E, FWB-4000C, FWB-4000D, FWB-4000E

FortiWeb VM: FWB-VM64, FWB-XENAWS, FWB-XENOPEN, FWB-XENSERVER, FWB-HYPERV

Firmware version 5.2.4

FortiWeb: FWB-100D, FWB-400B, FWB-400C, FWB-1000B, FWB-1000C, FWB-1000D, FWB-3000C, FWB-3000CFSX, FWB-3000D, FWB-3000DFSX, FWB-3000E, FWB-4000C, FWB-4000D, FWB-4000E

FortiWeb VM: FWB-VM64, FWB-HYPERV, FWB-XENAWS, FWB-XENOPEN, FWB-XENSERVER

FortiCache models

Firmware version 4.0

FortiCache: FCH-400C, FCH-400E, FCH-1000C, FCH-1000D, FCH-3000C, FCH-3000D, FCH-3900E

FortiCache VM: FCH-VM64

 

Resolved Issues

The following issues have been fixed in FortiAnalyzer version 5.4.2. For inquiries about a particular bug, please contact Customer Service & Support.

Device Manager

Bug ID Description
382383 When there are many unregistered devices, they may intermittently disconnect from FortiAnalyzer.
382811 FortiAnalyzer should be able to sustain stable connections with more than 3500 devices and able to receive logs successfully.
306276 FortiCarrier ADOM should not be displayed when no device is registered.

FortiView

Bug ID Description
217103 FortiAnalyzer should allow users to view or download the Application Control archive files.
233869 There should be an option to clear search history.
371773 There may be performance issues to view logs when using the scroll bar.
379612 The filter, [-msg=”Virtual cluster’s vdom is added”], should display the relevant logs in the Log View.
379977 FortiAnalyzer cannot filter out users for SSL & Dialup IPSec VPNs.
382557 Drop box may become too narrow to view and select FortiGate device.
386279 Users need to click on the Go button twice before the log time frame is updated.
308171 Aggregated Dialed Time is incorrectly calculated in VPN-Top-Dial-Up and VPN-Users-ByDuration datasets.
387209 FortiGate devices that query FortiGuard should not be flagged as highly suspicious.
390173 FortiAnalyzer is unable to display part of the DLP content.


Bug ID Description
395191 UTM Deny logs are displayed with no action on FortiAnalyzer’s GUI.
397036 FortiAnalyzer should accept more characters for log view and policy search.

Logging

Bug ID Description
373262 FortiAnalyzer should allow users to specify the invoke time to auto delete logs.
381559 HA device logs are not received in aggregation mode.
383238 FortiAnalyzer should increase the limit for the number of aggregated clients.
393615 When using wildcard in the second or third octet for source IP in the Log View filter, incorrect results are returned.

Reporting

Bug ID Description
248563 Within the WiFi Network Summary report, AP Name should be the FortiAP’s name instead of the VAP interface’s name.
373718 Reports show devices with their serial numbers instead of hostnames.
377589 Blocked sites should not be counted within the Top 50 Site By Browsing Time.
383251 Reports may not contain any user data when a user filter is applied.
234007 Estimated browsing time dataset should pull log data according to time period specified.
383955 GUI fails to display chart library if there is a chart with invalid table columns.
397822 Users may not be able to generate custom reports after resizing FAZ-VM disk and rebuilding DB.
391482 User changes on LDAP server may not get updated on FortiAnalyzer for the user filter in reports.


System Settings

Bug ID Description
386865 Sorting for Analytics or Archive does not work on the Storage Info page.
391076 Qmail server is rejecting Email from FortiAnalyzer as the mail body contains bare LFs.
366224 FortiAnalyzer generates invalid Event logs on auto deleting policy from ADOM.
384180 FortiAnalyzer 5.4.2 is no longer vulnerable to the following TMP Reference: 2016-0023. Visit https://fortiguard.com/psirt for more information.
380634 FortiAnalyzer 5.4.2 is no longer vulnerable to CVE-2016-5387. Visit https://fortiguard.com/psirt for more information.

Others

Bug ID Description
365639 The XML call to searchFazLog does not return the pktlog information.
366332 Logs are not imported when there are more than 1000 log files.
376758 FortiAnalyzer needs a diagnostic command to show supported platforms.
388071 FortiAnalyzer may not be able to render a proper web GUI page when making a change.
389137 Port 8900 and 8901 may be open without being in use.
391900 Scheduled log ftp backup may not be successful.

Common Vulnerabilities and Exposures

Bug ID Description
389255 FortiAnalyzer 5.4.2 is no longer vulnerable to the following CVE references: CVE-2016-6308, CVE-2016-6307, CVE-2016-6306, CVE-2016-6305, CVE-2016-6304, CVE-2016-6303, CVE-2016-6302, CVE-2016-2183, CVE-2016-2182, CVE-2016-2181, CVE-2016-2179, CVE-2016-2178, CVE-2016-2177. Visit https://fortiguard.com/psirt for more information.
383563 FortiAnalyzer 5.4.2 is no longer vulnerable to CVE-2016-5696. Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in FortiAnalyzer version 5.4.2. For inquiries about a particular bug or to report a bug, please contact Fortinet Customer Service & Support.

FortiView

Bug ID Description
396699 Filter should be persistent when changing view from formatted log to raw log or vice versa.
395243 FortiAnalyzer should correctly show the local user and radius wildcard user who is performing delete, download, or import log file actions from Log Browse.
396417 Test Emails fails when the recipient has a different domain than the account configured under SMTP server settings.

Logging

Bug ID Description
388185 Log files for Router should include IP addresses for sites that have multiple addresses.
389592 Filter does not return any results if message is part of the filter.
400028 Policy UUID is not inserted into SQL DB

Reporting

Bug ID Description
390502 FortiAnalyzer should allow cloning of the pre-defined reports: User Top 500 Websites by Bandwidth and User Top 500 Websites by Session.

System Settings



Troubleshooting and logging


This section explains how to troubleshoot logging configuration issues, as well as connection issues, that you may have with your FortiGate unit and a log device. This section also contains information about how to use log messages when troubleshooting issues that are about other FortiGate features, such as VPN tunnel errors.

 

Using log messages to help in troubleshooting issues

Log messages can help when troubleshooting issues that occur, since they can provide details about what is occurring. The uses and methods for involving logging in troubleshooting vary depending on the problem. The following are examples of how log messages can assist when troubleshooting networking issues.

 

Using IPS packet logging in diagnostics

This type of logging should only be enabled when you need to know about specific diagnostic information, for example, when you suspect a signature is triggered by a false positive. These log messages can help troubleshoot individual problems with misidentified or missing packets and network intrusions involving malicious packets.

 

To configure IPS packet logging

1. Go to Security Profiles > Intrusion Protection.

2. Select the IPS sensor that you want to enable IPS packet logging on, and then select Edit.

3. In the filter options, enable Packet Logging.

4. Select OK.

If you want to configure the packet quota, number of packets that are recorded before alerts and after attacks, use the following procedure.

 

To configure additional settings for IPS packet logging

1. Log in to the CLI.

2. Enter the following to start configuring additional settings:

config ips settings

set ips-packet-quota <integer>

set packet-log-history <integer>

set packet-log-post-attack <integer>

end

 

Using HA log messages to determine system status

When the FortiGate unit is in HA mode, you may see the following log message content within the event log:

type=event subtype=ha level=critical msg="HA slave heartbeat interface internal lost neighbor information"

OR

type=event subtype=ha level=critical msg="Virtual cluster 1 of group 0 detected new joined HA member"

OR

type=event subtype=ha level=critical msg="HA master heartbeat interface internal get peer information"

The log messages occur within a given time, and indicate that the units within the cluster are not aware of each other anymore. These log messages provide the information you need to fix the problem.
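As an added example (not from the FortiOS handbook), the following Python script parses FortiGate key=value event log lines, picks out the three critical HA messages quoted above, and reports them only when they cluster within a short time window, since the handbook notes they occur together. The sample log lines, the five-minute window and the burst threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# key=value pairs; a value is either a double-quoted string (which may contain
# spaces, as the msg field does) or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Fragments of the three critical HA event messages quoted above.
HA_CLUSTER_FRAGMENTS = (
    "lost neighbor information",
    "detected new joined HA member",
    "get peer information",
)

# Constructed sample event log (not real device output): a burst of the three
# HA messages, surrounded by unrelated events and one isolated HA message.
SAMPLE_LOG = """\
date=2016-12-14 time=10:00:01 type=event subtype=system level=notice msg="Administrator admin logged in successfully"
date=2016-12-14 time=10:05:12 type=event subtype=ha level=critical msg="HA slave heartbeat interface internal lost neighbor information"
date=2016-12-14 time=10:05:40 type=event subtype=ha level=critical msg="Virtual cluster 1 of group 0 detected new joined HA member"
date=2016-12-14 time=10:06:02 type=event subtype=ha level=critical msg="HA master heartbeat interface internal get peer information"
date=2016-12-14 time=10:06:30 type=event subtype=ha level=notice msg="HA slave became master"
date=2016-12-14 time=18:00:00 type=event subtype=ha level=critical msg="HA slave heartbeat interface internal lost neighbor information"
"""


def parse_log_line(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    fields = {}
    for match in _KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_ha_cluster_event(fields):
    """True for a critical HA event whose msg is one of the three quoted above."""
    if (fields.get("type"), fields.get("subtype")) != ("event", "ha"):
        return False
    if fields.get("level") != "critical":
        return False
    msg = fields.get("msg", "")
    return any(fragment in msg for fragment in HA_CLUSTER_FRAGMENTS)


def _timestamp(fields):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def find_ha_bursts(lines, window=timedelta(minutes=5), min_events=2):
    """Group HA cluster events that occur within `window` of each other.

    The handbook says these messages appear within a given time and together
    mean the cluster members no longer see each other, so a burst of at least
    `min_events` is reported; a lone message is left out as noise.
    Returns a list of bursts, each a list of (timestamp, msg) tuples.
    """
    events = []
    for line in lines:
        fields = parse_log_line(line)
        if is_ha_cluster_event(fields):
            events.append((_timestamp(fields), fields["msg"]))
    events.sort()

    bursts, current = [], []
    for event in events:
        if current and event[0] - current[-1][0] > window:
            if len(current) >= min_events:
                bursts.append(current)
            current = []
        current.append(event)
    if len(current) >= min_events:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    for burst in find_ha_bursts(SAMPLE_LOG.splitlines()):
        print("HA cluster burst starting", burst[0][0], "with", len(burst), "messages")
        for ts, msg in burst:
            print("  ", ts.time(), msg)
```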

 

Connection issues between FortiGate unit and logging devices

If external logging devices are not recording the log information properly or at all, the problem will likely be due to one of two situations: no data is being received because the log device cannot be reached, or no data is being sent because the FortiGate unit is no longer logging properly.

 

Unable to connect to a supported log device

After configuring logging to a supported log device, and testing the connection, you may find you cannot connect. To determine whether this is the problem:

1. Verify that the information you entered is correct; it could be a simple mistake within the IP address or you may have not selected Apply on the Log Settings page after changing them, which would prevent them from taking effect.

2. Use execute ping to check whether you can ping the log device.

3. If you cannot ping the log device, check that the log device itself is working, that it is on the network, and that it has been assigned an appropriate address.

 

FortiGate unit has stopped logging

If the FortiGate unit has stopped logging to a device, test the connection between the FortiGate unit and the device using the execute ping command. The log device may have been turned off, may be upgrading to a new firmware version, or may simply not be working properly.

The FortiGate unit may also have a corrupted log database. When you log into the web-based manager and you see an SQL database error message, it is because the SQL database has become corrupted. View “SQL database errors” in the next section before taking any further actions, to avoid losing your current logs.

 

Log database issues

If attempting to troubleshoot issues with the SQL log database, use the following to help guide you to solving issues that occur.

 

SQL statement syntax errors

There may be errors or inconsistencies in the SQL used to maintain the database. Here are some example error messages and possible causes:

You have an error in your SQL syntax (remote/MySQL) or ERROR: syntax error at or near… (local/PostgreSQL)

  • Verify that the SQL keywords are spelled correctly, and that the query is well-formed.
  • Table and column names are delimited by grave accent (`) characters. Single (') and double (") quotation marks will cause an error.

No data is covered.

  • The query is correctly formed, but no data has been logged for the log type. Verify that you have configured the FortiGate unit to save that log type. On the Log Settings page, make sure that the log type is checked.

 

Connection problems

If well-formed SQL queries do not produce results, and logging is turned on for the log type, there may be a database configuration problem with the remote database.

 

Ensure that:

  • MySQL is running and using the default port 3306.
  • You have created an empty database and a user who has read/write permissions for the database.
  • Here is an example of creating a new MySQL database named fazlogs, and adding a user for the database (fazpassword is a placeholder; MySQL uses % as its any-host wildcard, and where possible restrict the host part to the address that will actually connect):

mysql -u root -p
mysql> CREATE DATABASE fazlogs;
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'%' IDENTIFIED BY 'fazpassword';
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'localhost' IDENTIFIED BY 'fazpassword';

 

SQL database errors

If the database seems inaccessible, you may encounter the following error message after upgrading or downgrading the FortiGate unit's firmware image.

 

Example of an SQL database error message

The error message indicates that the SQL database is corrupted and cannot be updated with the SQL schemas any more. When you see this error message, you can do one of the following:

  • select Cancel and back up all log files; then select Rebuild to blank and rebuild the database.
  • select Rebuild immediately, which will blank the database and previous logs will be lost.

 

Until the database is rebuilt, no information will be logged by the FortiGate unit regardless of the log settings that are configured on the unit. When you select Rebuild, all logs are lost because the SQL database is erased and then rebuilt again. Logging resumes automatically according to your settings after the SQL database is rebuilt.

To view the status of the database, use the diagnose debug sqldb-error status command in the CLI. This command will inform you whether the database has errors present.

If you want to view the database’s errors, use the diagnose debug sqldb-error read command in the CLI. This command indicates exactly what errors occurred, and what tables contain those errors.

Log files are backed up using the execute backup {disk | memory} {alllogs | logs} command in the CLI. You must use the text variable when backing up log files because the text variable allows you to view the log files outside the FortiGate unit. When you back up log files, you are really just copying the log files from the database to a specified location, such as a TFTP server.

 

Logging daemon (Miglogd)

The number of logging daemon child processes has been made available for editing. A higher number can affect performance, and a lower number can affect log processing time, although no logs will be dropped or lost if the number is decreased.

If you are suffering from performance issues, you can alter the number of logging daemon child processes, from 0 to 15, using the following syntax. The default is 8.

config system global

set miglogd-children <integer>

end



Advanced logging

This section explains how to configure other log features within your existing log configuration. You may want to include other log features after initially configuring the log topology because the network has either outgrown the initial configuration, or you want to add additional features that will help your network’s logging requirements.

 

The following topics are included in this section:

  • Configuring logging to multiple Syslog servers
  • Using Automatic Discovery to connect to a FortiAnalyzer unit
  • Activating a FortiCloud account for logging purposes
  • Viewing log storage space
  • Customizing and filtering log messages
  • Viewing logs from the CLI
  • Configuring NAC quarantine logging
  • Logging local-in policies
  • Tracking specific search phrases in reports
  • Reverting modified report settings to default settings

 

Configuring logging to multiple Syslog servers

When configuring multiple Syslog servers (or one Syslog server), you can configure reliable delivery of log messages to the Syslog server. Configuring reliable delivery is available only in the CLI.

If VDOMs are enabled, you can configure multiple FortiAnalyzer units or Syslog servers for each VDOM.

 

To enable logging to multiple Syslog servers

1. Log in to the CLI.

2. Enter the following commands:

config log syslogd setting
    set csv {disable | enable}
    set facility <facility_name>
    set port <port_integer>
    set reliable {disable | enable}
    set server <ip_address>
    set status {disable | enable}
end

3. Enter the following commands to configure the second Syslog server:

config log syslogd2 setting
    set csv {disable | enable}
    set facility <facility_name>
    set port <port_integer>
    set reliable {disable | enable}
    set server <ip_address>
    set status {disable | enable}
end

4. Enter the following commands to configure the third Syslog server:

config log syslogd3 setting
    set csv {disable | enable}
    set facility <facility_name>
    set port <port_integer>
    set reliable {disable | enable}
    set server <ip_address>
    set status {disable | enable}
end

Most FortiGate features are, by default, enabled for logging. You can disable individual FortiGate features you do not want the Syslog server to record, as in this example:

config log syslogd filter

set traffic {enable | disable}

set web {enable | disable}

set url-filter {enable | disable}

end

 

Using Automatic Discovery to connect to a FortiAnalyzer unit

Automatic Discovery can be used if the FortiAnalyzer unit is on the same network.

 

To connect using automatic discovery

1. Log in to the CLI.

2. Enter the following command syntax:

config log fortianalyzer setting
    set status enable
    set server <ip_address>
    set gui-display enable
    set address-mode auto-discovery
end

If your FortiGate unit is in Transparent mode, the interface using the automatic discovery feature will not carry traffic. For more information about how to enable the interface to also carry traffic when using the automatic discovery feature, see the Fortinet Knowledge Base article, Fortinet Discovery Protocol in Transparent mode.

The FortiGate unit searches within the same subnet for a response from any available FortiAnalyzer units.

 

 

Activating a FortiCloud account for logging purposes

When you subscribe to FortiCloud, you can configure the FortiGate unit to send logs to the FortiCloud server. The account activation can be done within the web-based manager, from the License Information widget located in System > Dashboard.

From this widget, you can easily create a new account, or log in to the existing account. From within the License Information widget, after the account is activated, you can go directly to the FortiCloud web portal, or log out of the service if you are already logged in.

 

 

To activate a FortiCloud account for logging purposes:

The following assumes that you are already at System > Dashboard and that you have located the License Information widget.

1. In the License Information widget, select Activate in the FortiCloud section.

The Registration window appears. From this window, you create the login credentials that you will use to access the account.

2. Select Create Account and enter the information for the login credentials.

After entering the login credentials, you are automatically logged in to your FortiCloud account.

3. Check that the account has been activated by viewing the account status from the License Information widget. If you need more space, you can subscribe to the 200 GB FortiCloud service by selecting Upgrade in the FortiCloud section of the widget.

 

Viewing log storage space

The diag sys logdisk usage command allows you to view detailed information about how much space is currently being used for logs. This is useful when you see a high percentage, such as 92 percent, for the disk's capacity. The FortiGate unit uses only 75 percent of the available disk capacity for logs, to avoid filling the disk, so a high percentage refers to the share of that 75 percent; for example, 92 percent means 92 percent of the 75 percent.

The following is an example of what you may see when you use diag sys logdisk usage command on a unit with no VDOMs configured:

diag sys logdisk usage

The following appears:

Total HD usage: 176MB/3011 MB
Total HD logging space: 22583MB
Total HD logging space for each vdom: 22583MB
HD logging space usage for vdom "root": 30MB/22583MB

 

 

Customizing and filtering log messages

When viewing log messages, you may want to customize and filter the information that you are seeing in the Log & Report menu (for example, Log & Report > Traffic Log > Forward Traffic). Filtering and customizing the display provides a way to view specific log information without scrolling through pages of log messages to find the information.

Customizing log messages is the process of removing or adding columns on the log display page, allowing you to view only the information you want. Most columns represent fields from within a log message; for example, the user column represents the user field, along with additional information. If you want to reset the customized columns on the page back to their defaults, select Reset All Columns in the column title right-click menu.

Filtering information is similar to customizing, however, filtering allows you to enter specific information that indicates what should appear on the page. For example, including only log messages that appeared on February 24, between the hours of 8:00 and 8:30 am.

 

To customize and filter log messages

The following is an example that displays all traffic log messages that originate from the source IP address 172.20.120.24, as well as displaying only the columns:

  • OS Name
  • OS Version
  • Policy ID
  • Src (Source IP)

The following assumes that you are already on the page of the log messages you want to customize and filter. In this example, the log messages that we are customizing and filtering are in Log & Report > Traffic Log > Forward Traffic.

1. On the Forward Traffic page, right click anywhere on a column title.

2. Right click on a column title, and mouse over Column Settings to open the list.

3. Select each checkmarked title to uncheck it and remove them all from the displayed columns.

4. Scroll down to the list of unchecked fields and select ‘OS Name’, ‘OS Version’, ‘Policy ID’, and ‘Src’ to add checkmarks next to them.

5. Click outside the menu, and wait for the page to refresh with the new settings in place.

6. Select the funnel icon next to the word Src in the title bar of the Src column.

7. Enter the IP you want displayed (in this example, 172.20.120.24) in the text box.

8. Click Apply, and wait for the page to reload.

 

Viewing logs from the CLI

You can easily view log messages from within the CLI. In this example, we are viewing DLP log messages.

1. Log in to the CLI and then enter the following to configure the display of the DLP log messages.

execute log filter category 9
execute log filter start-line 1
execute log filter view-lines 20

The customized display of log messages in the CLI is similar to how you customize the display of log messages in the web-based manager. For example, category 9 is the DLP log messages, and the start-line is the first line in the log database table for DLP log messages, and there will be 20 lines (view-lines 20) that will display.

2. Enter the following to view the log messages:

execute log display

The following appears below execute log display:

600 logs found

20 logs returned

along with the 20 DLP log messages.

 

Configuring NAC quarantine logging

NAC quarantine log messages provide information about what was banned and quarantined by an Antivirus profile. The following explains how to configure NAC quarantine logging and enable it on a policy. This procedure assumes the Antivirus profile is already in place.

 

To configure NAC quarantine logging

1. Go to Policy & Objects > Policy > IPv4.

2. Select the policy that you want to apply the Antivirus profile to, and then select Edit.

3. Within the Security Profiles section, enable Antivirus and then select the profile from the drop-down list.

4. Select OK.

5. Log in to the CLI.

6. Enter the following to enable NAC quarantine in the DLP sensor:

config antivirus profile
    edit <profile_name>
        config nac-quar
            set log enable
        end
    next
end

 

Logging local-in policies

Local-in security policies are policies that control the flow of internal traffic, and can be used to broaden or restrict an administrator's access privileges. These local-in policies can also be configured to log the traffic and activity that the policies control.

You can enable logging of local-in policies in the CLI, with the following commands:

config system global
    set gui-local-in-policy enable
end

The Local-In Policy page will then be available in Policy & Objects > Policy > Local In. You can configure what local-in traffic to log in the CLI, or in Log & Report > Log Config > Log Settings, under Local Traffic Logging.

When deciding what local-in policy traffic you want logged, consider the following:

 

Special Traffic

Traffic activity                                Traffic Direction   Description
FortiGuard update announcements                 IN                  All push announcements of updates that are coming from the FortiGuard system. For example, IPS or AV updates.
FortiGuard update requests                      OUT                 All updates that are checking for antivirus or IPS as well as other FortiGuard service updates.
Firewall authentication                         IN                  The authentication made using either the web-based manager or CLI.
Central management (a FortiGate unit being      IN                  The access that a FortiManager has managing the FortiGate unit.
managed by a FortiManager unit)
DNS                                             IN                  All DNS traffic.
DHCP/DHCP Relay                                 IN                  All DHCP and/or DHCP Relay traffic.
HA (heartbeat sync policy)                      IN/OUT              For high-end platforms with a backplane heartbeat port.
HA (session sync policy)                        IN/OUT              Information is taken from the CMDB and updated by the session sync daemon.
CAPWAP                                          IN                  This activity is logged only when HAVE_CAPWAP is defined.
RADIUS                                          IN                  This is recorded only within FortiCarrier.
NETBIOS forward                                 IN                  Any interface that NETBIOS forward is enabled on.
RIP                                             IN
OSPF                                            IN
VRRP                                            IN
BFD                                             IN
IGMP                                            IN                  This is recorded only when PIM is enabled.
PIM                                             IN                  This is recorded only when PIM is enabled.
BGP                                             IN                  This is recorded only when config bgp and a BGP neighbor are enabled in the CLI.
WCCP policy                                     IN                  Any interface that WCCP is enabled on; however, in Cache mode this is not recorded because it is not available.
WAN Opt/Web Cache                               IN                  Any interface where WAN Opt is enabled.
WANOpt Tunnel                                   IN                  This is recorded when HAVE_WANOPT is defined.
SSLVPN                                          IN                  Any interface from a zone where the action in the policy is SSL VPN.
IPSEC                                           IN
L2TP                                            IN
PPTP                                            IN
VPD                                             IN                  This is recorded only when FortiClient is enabled.
Web cache db test facility                      IN                  This is recorded only when WA_CS_REMOTE_TEST is defined.
GDBserver                                       IN                  This is recorded only when debug is enabled.

 

Tracking specific search phrases in reports

It is possible to use the Web Filter to track specific search keywords and phrases and record the results for display in the report.

You should verify that the web filter profile you are using indicates what search phrases you want to track and monitor, so that the report includes this information.

1. Log in to the CLI and enter show webfilter profile default.

This provides details about the web filter profile being used by the security policy. In this example, the details shown in the following output (the config web section) indicate that safe search is enabled, but no search keywords are specified and searches are not being logged.

show webfilter profile default
config webfilter profile
    edit "default"
        set comment "default web filtering"
        set inspection-mode flow-based
        set options https-scan
        set post-action comfort
        config web
            set safe-search url
        end
        config ftgd-wf
            config filters
                edit 1
                    set action block
                    set category 2
                next
                edit 2
                    set action block
                    set category 7
                next
                edit 3
                    set action block
                    set category 8

2. Enter the following command syntax so that logging and the keyword for the safe search will be included in logging.

config webfilter profile
    edit default
        config web
            set log-search enable
            set keyword-match "fortinet" "easter" "easter bunny"
        end
    next
end

3. To test that the keyword search is working, go to a web browser and begin searching for the words that were included in the webfilter profile, such as easter.

You can tell that the test works by going to Log & Report > Traffic Log > Forward Traffic and viewing the log messages.

 

Reverting modified report settings to default settings

If you need to go back to the original default report settings, you can easily revert to those settings in the Report menu. Reverting to default settings means that your previously modified report settings will be lost.

To revert back to default report settings, in Log & Report > Report > Local, select Customize, and then Restore Defaults from the top navigation. This may take a minute or two. You can also use the CLI command execute report-config reset to reset the report to defaults.

If you are having problems with report content being outdated or incorrect, especially after a firmware update, you can recreate the report database using your current log information with the CLI command execute report recreate-db.



Logging and reporting for large networks

This section explains how to configure the FortiGate unit for logging and reporting in a larger network, such as an enterprise network. To set up this type of network, you are modifying the default log settings, and you are also modifying the default report.

The following procedures are examples and can be used to help you when configuring your own network’s log topology.

Since some of these settings must be modified, enabled, or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for any additional information about the commands used herein, as well as any that you would need to use in your own network's log topology.

 

Modifying default log device settings

The default log device settings must be modified so that system performance is not compromised. By default, the FortiGate unit has logging of all FortiGate features enabled, as well as logging to either the FortiGate unit's system memory or hard disk, depending on the model.

 

Modifying multiple FortiGate units’ system memory default settings

When the FortiGate unit’s default log device is its system memory, you can modify it to fit your log network topology. In this topic, the following is an example of how you can modify these default settings.

 

To modify the default system memory settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log memory setting
    set ips-archive disable
    set status enable
end

3. Enter the following command syntax to modify the FortiGate features that are enabled for logging:

config log memory filter
    set attack enable
    set forward-traffic enable
    set local-traffic enable
    set netscan enable
    set email-log-imap enable
    set multicast-traffic enable
    set scanerror enable
    set app-ctrl enable
end

4. Repeat steps 2 and 3 for the other FortiGate units.

5. Test the modified settings using the procedure below.

 

Modifying multiple FortiGate units’ hard disk default log settings

You will have to modify each FortiGate unit’s hard disk default log settings. The following is an example of how to modify these default settings.

 

To modify the default hard disk settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log disk setting
    set ips-archive disable
    set status enable
    set max-log-file-size 1000
    set storage Internal
    set log-quota 100
    set report-quota 100
end

3. In the CLI, enter the following to disable certain event log messages that you do not want logged:

config log disk filter
    set sniffer-traffic disable
    set local-traffic enable
end

4. Repeat the steps 2 to 4 for the other FortiGate units.

5. Test the modified settings using the procedure below.

 

Testing the modified log settings

After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.

 

To test sending logs to the log device

1. In the CLI, enter the following command syntax:

diag log test

When you enter the command, the following appears:

generating a system event message with level - warning
generating an infected virus message with level - warning
generating a blocked virus message with level - warning
generating a URL block message with level - warning
generating a DLP message with level - warning
generating an IPS log message
generating an anomaly log message
generating an application control IM message with level - information
generating an IPv6 application control IM message with level - information
generating deep application control logs with level - information
generating an antispam message with level - notification
generating an allowed traffic message with level - notice
generating a multicast traffic message with level - notice
generating a ipv6 traffic message with level - notice
generating a wanopt traffic log message with level - notification
generating a HA event message with level - warning
generating netscan log messages with level - notice
generating a VOIP event message with level - information
generating a DNS event message with level - information
generating authentication event messages
generating a Forticlient message with level - information
generating a NAC QUARANTINE message with level - notification
generating a URL block message with level - warning

2. In the web-based interface, go to Log & Report > Event Log > User, and view the logs to see some of the recently generated test log messages.

You will be able to tell the test log messages from real log messages because they do not contain "real" information; for example, the test log messages for the vulnerability scan contain the destination IP address 1.1.1.1 or 2.2.2.2.

 

Configuring the backup solution

Even though you are logging to multiple FortiAnalyzer units, this is more of a redundancy solution rather than a complete backup solution in this example.

The multiple FortiAnalyzer units act similarly to an HA cluster: if one FortiAnalyzer unit fails, the others continue storing the logs they receive. In a backup solution, the logs are backed up to another secure location in case something happens to the log device.

A good alternate or redundant option is the FortiCloud service, which can provide secure online logging and management for multiple devices.

 

Configuring logging to multiple FortiAnalyzer units

The following example shows how to configure logging to multiple FortiAnalyzer units. Configuring multiple FortiAnalyzer units is quick and easy; however, you can only configure up to three FortiAnalyzer units per FortiGate unit.

 

To configure multiple FortiAnalyzer units

1. In the CLI, enter the following command syntax to configure the first FortiAnalyzer unit:

config log fortianalyzer setting
    set status enable
    set server 172.20.120.22
    set max-buffer-size 1000
    set buffer-max-send 2000
    set address-mode static
    set conn-timeout 100
    set monitor-keepalive-period 120
    set monitor-failure-retry-period 2000
end

2. Disable the features that you do not want logged, using the following example command syntax. You can view the CLI Reference to see what commands are available.

config log fortianalyzer filter
    set traffic {enable | disable}
    …
end

3. Enter the following commands for the second FortiAnalyzer unit:

config log fortianalyzer2 setting
    set status enable
    set server 172.20.120.23
    set max-buffer-size 1000
    set buffer-max-send 2000
    set address-mode static
    set conn-timeout 100
    set monitor-keepalive-period 120
    set monitor-failure-retry-period 2000
end

4. Disable the features that you do not want logged, using the following example command syntax.

config log fortianalyzer filter
    set web {enable | disable}
    …
end

5. Enter the following commands for the last FortiAnalyzer unit:

config log fortianalyzer3 setting
    set status enable
    set server 172.20.120.23
    set max-buffer-size 1000
    set buffer-max-send 2000
    set address-mode static
    set conn-timeout 100
    set monitor-keepalive-period 120
    set monitor-failure-retry-period 2000
end

6. Disable the features that you do not want logged, using the following example command syntax.

config log fortianalyzer filter
    set web-filter {enable | disable}
    …
end

7. Test the configuration by using the procedure, “Testing the modified log settings”.

8. On the other FortiGate units, configure steps 1 through 6, ensuring that logs are being sent to the FortiAnalyzer units.

 

Configuring logging to the FortiCloud server

The FortiCloud server can be used as a redundant backup, or as your primary logging solution. The following assumes that this service has already been registered, and a subscription has been purchased for expanded space. The following is an example of how these settings are configured for a network's log configuration. You need to have access to both the CLI and the web-based manager when configuring uploading of logs. The upload time and interval settings can be configured in the web-based interface.

 

To configure logging to the FortiCloud server

1. Go to System > Dashboard > Status and click Login next to FortiCloud in the License Information widget.

2. Enter your username and password, and click OK. (Or register, if you have not yet done so.)

3. Logs will automatically be uploaded to FortiCloud as long as your FortiGate is linked to your FortiCloud account.

4. To configure the upload time and interval, go to Log & Report > Log Config > Log Settings.

5. Under the Logging and Archiving header, you can select your desired upload time.

6. With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.

 

Modifying the default FortiOS report

The default FortiOS report is provided to help you quickly and easily configure and generate a report. Below is a sample configuration with multiple examples of significant customizations that you can make to tailor reports for larger networks.

 

Creating datasets

You need to create a new dataset for gathering information about HA, admin activity and configuration changes.

Creating datasets requires SQL knowledge.

 

To create the datasets

1. Log in to the CLI.

2. Enter the following command syntax:

config report dataset
edit ha
set query "select subtype_ha, count(*) as totalnum from event_log where timestamp >= F_TIMESTAMP('now', 'hour', '-23') group by subtype_ha order by totalnum desc"
next

3. Create a dataset for the admin activity that includes logins and logouts by the three FortiGate administrators (the dataset name admin used below is an example; choose a name that suits your report):

edit admin
set query "select subtype_admin, count(*) as totalnum from event_log where timestamp >= F_TIMESTAMP('now', 'hour', '-23') group by subtype_admin order by totalnum desc"
next

4. Create a dataset for the configuration changes that the administrators made in the past 24 hours (again, the dataset name config is an example):

edit config
set query "select subtype_config, count(*) as totalnum from event_log where timestamp >= F_TIMESTAMP('now', 'hour', '-23') group by subtype_config order by totalnum desc"
next
end
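To see what one of these datasets actually hands to a chart, the following added example (not part of the original guide, and not FortiOS code) runs the admin dataset query from step 3 against a few constructed event_log rows in SQLite. F_TIMESTAMP() is a Fortinet extension to the report SQL dialect, so the example assumes it evaluates to the epoch time 23 hours before now and binds that value in its place; the column name is parameterised so the same template serves the ha and config datasets as well. The sample rows and the fixed "now" are constructed for the example.

```python
import sqlite3

# The cutoff expression exactly as written in the FortiOS dataset queries.
# Assumption: it evaluates to the epoch time 23 hours before "now".
CUTOFF_EXPR = "F_TIMESTAMP('now', 'hour', '-23')"


def dataset_query(column: str) -> str:
    """Build the FortiOS-style dataset query for one event_log column."""
    return (
        f"select {column}, count(*) as totalnum from event_log "
        f"where timestamp >= {CUTOFF_EXPR} "
        f"group by {column} order by totalnum desc"
    )


def to_sqlite(query: str) -> str:
    """Replace the F_TIMESTAMP() call with a bound parameter so SQLite can run it."""
    if CUTOFF_EXPR not in query:
        raise ValueError("query does not contain the expected F_TIMESTAMP() cutoff")
    return query.replace(CUTOFF_EXPR, "?")


def run_dataset(column: str, rows, now: int):
    """Run the dataset query over constructed rows in an in-memory SQLite database.

    rows: iterable of (timestamp_epoch, subtype_value) tuples.
    Returns the (subtype, totalnum) pairs the dataset would supply to a chart.
    """
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(f"create table event_log (timestamp integer, {column} text)")
        conn.executemany("insert into event_log values (?, ?)", rows)
        cutoff = now - 23 * 3600  # the assumed meaning of F_TIMESTAMP('now','hour','-23')
        return conn.execute(to_sqlite(dataset_query(column)), (cutoff,)).fetchall()
    finally:
        conn.close()


# Constructed sample: admin logins and logouts relative to a fixed "now"
# (2016-12-14 11:10:00 UTC) so the result is deterministic.
NOW = 1_481_713_800
SAMPLE_ADMIN_EVENTS = [
    (NOW - 600, "login"),
    (NOW - 3600, "login"),
    (NOW - 7200, "logout"),
    (NOW - 20 * 3600, "login"),
    (NOW - 22 * 3600, "logout"),
    (NOW - 25 * 3600, "login"),   # older than the window, excluded by the cutoff
    (NOW - 30 * 3600, "logout"),  # older than the window, excluded by the cutoff
]


def admin_activity_last_24h():
    """The admin dataset result over the constructed sample."""
    return run_dataset("subtype_admin", SAMPLE_ADMIN_EVENTS, NOW)


if __name__ == "__main__":
    for subtype, total in admin_activity_last_24h():
        print(f"{subtype:<8} {total}")
```

The two rows older than 23 hours drop out of the count, which is the behaviour to check before trusting a chart built on a new dataset: if a query returns the same totals regardless of the window, the timestamp filter is not doing what you expect.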

 

Creating charts for the datasets

1. Log in to the CLI.

2. Enter the following to create a new chart:

config report chart
edit ha.24h
set type table
set period last24h
set dataset ha
set category event
set favorite no
set style auto
set title "24 Hour HA Admin Activity"
next
end

 

Uploading the corporate images

You need to upload the corporate images so that they appear on the report’s pages, as well as on the cover page. Uploading images is only available in the web-based manager.

 

To upload corporate images

1. Go to Log & Report > Report > Local.

2. Select the Image icon and drag it to a place on the page.

3. The Graphic Chooser window appears.

4. Select Upload, locate the image that you want to upload, and upload it.

The images are automatically uploaded and saved.

5. Repeat step 4 until the other corporate images are uploaded.

6. Select Cancel to close the Graphic Chooser window and return to the page.

The images can then be placed as you like by reopening the Graphic Chooser as in step 2.

 

Adding a new report cover and page

You need to add a new cover for the report, as well as a new page that will display the HA activity, admin activity and configuration changes.

 

To add and customize a new report cover

1. Go to Log & Report > Report > Local.

2. Select Customize.

3. In Sections, select the current default report section, and enter Report Cover in the field that appears; then press Enter to save the change.

4. Remove all content from the Report Cover section, and select the image icon and drag it into the main portion of the cover page; select a cover page image and then select OK.

5. Select the font size you want, and drag the text icon into the area beneath the image to add a title or explanation for the cover page.

6. Select Save to save the new report cover.

 

To add and customize a new page

1. Go to Log & Report > Report > Local.

2. Select Customize.

3. Select Sections, and select Create New to add a new section to the report. Name it Report Content, press Enter, and then select OK to close the menu.

4. At the bottom of the editing window is the Section selection, where each Section is represented by a box. Select the second box.

5. Edit the content for the report as you like.

For a simpler report structure, make use of the ‘FortiGate UTM Security Analysis Report’ charts, which automatically format themselves and fill in all necessary information.

For more complex reports, add headings, default and custom charts, and explanatory text.

6. Select Save to save the new report content.

The report will automatically combine all sections. You can use headers and text to more clearly separate parts of the report, and all properly configured charts have titles built-in.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Logging and reporting for small networks

This section explains how to configure the FortiGate unit for logging and reporting in a small office or SOHO/SMB network. To properly configure this type of network, you will be modifying the default log settings, as well as the default FortiOS report.

The following procedures are examples and can be used to help you when configuring your own network’s log topology. Since some of these settings must be modified or enabled or disabled in the CLI, it is recommended to review the FortiGate CLI Reference for any additional information about the commands used herein, as well as any that you would need to use in your own network’s log topology.

 

Modifying default log device settings

The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has all logging of FortiGate features enabled, except for traffic logging. The default logging location will be either the FortiGate unit’s system memory or hard disk, depending on the model. Units with a flash disk are not recommended for disk logging.

 

Modifying the FortiGate unit’s system memory default settings

When the FortiGate unit’s default log device is its system memory, modify the default settings for a small network topology as in the following example.

 

To modify the default system memory settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log memory setting
set ips-archive disable
set status enable
end

3. The following example command syntax modifies which FortiGate features are enabled for logging:

config log memory filter
set attack enable
set forward-traffic enable
set local-traffic enable
set netscan enable
set email-log-imap disable
set multicast-traffic enable
set scanerror enable
set app-ctrl enable
end

 

Modifying the FortiGate unit’s hard disk default settings

When the FortiGate unit’s default log device is its hard disk, you need to modify those settings to your network’s logging needs so that you can effectively log what you want logged. The following is an example of how to modify these default settings.

 

To modify the default hard disk settings

1. Log in to the CLI.

2. Enter the following command syntax to modify the logging settings:

config log disk setting
set ips-archive disable
set status enable
set max-log-file-size 1000
set storage FLASH
set log-quota 100
set report-quota 100
end

3. In the CLI, enter the following to disable certain event log messages that you do not want logged:

config log disk filter

set sniffer-traffic disable
set local-traffic enable

end

 

Testing sending logs to the log device

After modifying both the settings and the FortiGate features for logging, you can test that the modified settings are working properly. This test is done in the CLI.

 

To test sending logs to the log device

1. In the CLI, enter the following command syntax:

diag log test

When you enter the command, the following appears:

generating a system event message with level – warning
generating an infected virus message with level – warning
generating a blocked virus message with level – warning
generating a URL block message with level – warning
generating a DLP message with level – warning
generating an IPS log message
generating an anomaly log message
generating an application control IM message with level – information
generating an IPv6 application control IM message with level – information
generating deep application control logs with level – information
generating an antispam message with level – notification
generating an allowed traffic message with level – notice
generating a multicast traffic message with level – notice
generating a ipv6 traffic message with level – notice
generating a wanopt traffic log message with level – notification
generating a HA event message with level – warning
generating netscan log messages with level – notice
generating a VOIP event message with level – information
generating a DNS event message with level – information
generating authentication event messages
generating a Forticlient message with level – information
generating a NAC QUARANTINE message with level – notification
generating a URL block message with level – warning

2. In the web-based interface, go to Log & Report > Event Log > User, and view the logs to see some of the recently generated test log messages.

You will be able to tell the test log messages from real log messages because they do not contain “real” information; for example, the test log messages for the vulnerability scan contain the destination IP address 1.1.1.1 or 2.2.2.2.
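When test messages land in the same log store as production traffic, it helps to be able to separate them mechanically rather than by eye. The following added example (written for this page, not code from the guide or from Fortinet) parses FortiGate-style key=value log lines, flags the vulnerability-scan test records by the 1.1.1.1 / 2.2.2.2 destination addresses named above, and counts the severity levels of the remaining real records. The log lines are constructed for the example and are not captured from a device; the field names used (date, time, type, subtype, level, srcip, dstip, action, user, msg) are standard FortiGate log fields.

```python
import re
from collections import Counter

# FortiGate log records are space-separated key=value pairs; values that
# contain spaces are double-quoted. The regex captures both forms.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Destination addresses carried by the vulnerability-scan messages that
# "diag log test" generates.
TEST_DST_IPS = {"1.1.1.1", "2.2.2.2"}


def parse_fortigate_line(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def is_test_message(record: dict) -> bool:
    """True when the record is a diag log test message identified by its dstip."""
    return record.get("dstip") in TEST_DST_IPS


def summarize(lines):
    """Split records into test-generated and real, and count levels of the real ones."""
    test, real = [], []
    for line in lines:
        if not line.strip():
            continue
        record = parse_fortigate_line(line)
        (test if is_test_message(record) else real).append(record)
    levels = Counter(record.get("level", "unknown") for record in real)
    return {"test": test, "real": real, "levels": dict(levels)}


# Constructed sample lines in FortiGate key=value style.
SAMPLE_LINES = [
    'date=2016-12-14 time=11:10:02 type=event subtype=netscan level=notice '
    'dstip=1.1.1.1 msg="generating netscan log messages"',
    'date=2016-12-14 time=11:10:02 type=event subtype=netscan level=notice '
    'dstip=2.2.2.2 msg="generating netscan log messages"',
    'date=2016-12-14 time=11:10:05 type=traffic subtype=forward level=notice '
    'srcip=10.0.1.25 dstip=203.0.113.10 action=accept',
    'date=2016-12-14 time=11:11:40 type=event subtype=admin level=information '
    'user="admin" action=login '
    'msg="Administrator admin logged in successfully from ssh(10.0.1.5)"',
]


def sample_summary():
    """Summary of the constructed sample: two test records, two real ones."""
    return summarize(SAMPLE_LINES)


if __name__ == "__main__":
    result = sample_summary()
    print(f"test messages: {len(result['test'])}, real messages: {len(result['real'])}")
    print("levels of real messages:", result["levels"])
```

Only the vulnerability-scan test messages carry a recognisable address, so the other test records (system events, HA events, and so on) are not flagged by this check; compare their timestamps against the moment you ran diag log test if you need to exclude them as well.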

 

Configuring the backup solution

A backup solution provides a way to ensure logs are not lost. The following backup solution explains logging to a FortiCloud server and uploading logs to a FortiAnalyzer unit. With this backup solution, there can be three simultaneous storage locations for logs: the FortiGate unit itself, the FortiAnalyzer unit, and the FortiCloud server.

 

Configuring logging to a FortiCloud server

The FortiCloud server can be used as a redundant backup, or as your primary logging solution. The following assumes that this service has already been registered, and that a subscription has been purchased for expanded space. The following is an example of how these settings are configured for a network’s log configuration. You need access to both the CLI and the web-based manager when configuring log uploads. The upload time and interval settings can be configured in the web-based interface.

 

To configure logging to the FortiCloud server

1. Go to System > Dashboard > Status and click Login next to FortiCloud in the License Information widget.

2. Enter your username and password, and click OK. (Or register, if you have not yet done so.)

3. Logs will automatically be uploaded to FortiCloud as long as your FortiGate is linked to your FortiCloud account.

4. To configure the upload time and interval, go to Log & Report > Log Config > Log Settings.

5. Under the Logging and Archiving header, you can select your desired upload time.

With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.

 

Configuring uploading logs to the FortiAnalyzer unit

The logs will be uploaded to the FortiAnalyzer unit at a scheduled time. The following is an example of how to upload logs to a FortiAnalyzer unit.

 

To upload logs to a FortiAnalyzer unit

1. Go to Log & Report > Log Config > Log Settings.

2. In the Logging and Archiving section, select the check box beside Send Logs to FortiAnalyzer/FortiManager.

3. Select FortiAnalyzer (Daily at 00:00).

4. Enter the FortiAnalyzer unit’s IP address in the IP Address field.

5. To configure the daily upload time, open the CLI.

6. Enter the following to configure when the upload occurs, and the time when the unit uploads the logs:

config log fortianalyzer setting

set upload-interval {daily | weekly | monthly}

set upload-time <hh:mm>

end

7. To change the upload time, in the web-based manager, select Change beside the upload time period, and then make the changes in the Upload Schedule window. Select OK.

 

Testing uploading logs to a FortiAnalyzer unit

You should test that the FortiGate unit can upload logs to the FortiAnalyzer unit, to confirm that the settings are configured properly.

 

To test the FortiAnalyzer upload settings

1. Go to Log & Report > Log Config > Log Settings.

2. In the Logging and Archiving section, under Send Logs to FortiAnalyzer/FortiManager, change the time to the current time by selecting Change.

For example, if the current time is 11:10 am, set the time under Change to 11:10.

3. Select OK.

The logs will be immediately sent to the FortiAnalyzer unit, and will be available to view from within the FortiAnalyzer’s interface.

 

 

Modifying the default FortiOS report

The default FortiOS report is provided to help you quickly and easily configure and generate a report. The following is an example of how to modify the default FortiOS report.

 

To modify the default FortiOS report

1. In the web-based manager, go to Log & Report > Report > Local.

2. Select Customize to open the Report Editor.

3. Change the default Fortinet image to the new image: select the Fortinet image and right-click so that the Delete icon appears, and then select Delete; drag the Image icon to the box where the Fortinet image was previously; choose or upload a new image and then select OK.

4. Return to Log & Report > Report > Local.

5. Under Report Options, set the Generate report schedule to Daily and set a Time for the report to be compiled every day.

6. Enable Email Generated Reports. You may have to configure an SMTP server to send the reports before this option can be enabled. The SMTP configuration can be found in System > Config > Messaging Servers.

7. Select Apply to save the changes.

8. Select Run Now to generate a new On Demand report based on your changes.

9. Select the report from the Historical Reports list to view it.

Running On Demand reports can be a good way to compare report modifications as you configure.



Best Practices: Log management

When the FortiGate unit records FortiGate activity, valuable information is collected that provides insight into how to better protect network traffic against attacks, including misuse and abuse. There is a lot to consider before enabling logging on a FortiGate unit, such as what FortiGate activities to enable and which log device is best suited for your network’s logging needs. A plan can help you in deciding the FortiGate activities to log, a log device, as well as a backup solution in the event the log device fails.

This plan should provide you with an outline, similar to the following:

  • what FortiGate activities you want and/or need logged (for example, security features)
  • the logging device best suited for your network structure
  • if you want or require archiving of log files
  • ensuring logs are not lost in the event a failure occurs.

After the plan is implemented, you need to manage the logs and be prepared to expand on your log setup when the current logging requirements are outgrown. Good log management practices help you with these tasks.

Log management practices help you to improve and manage logging requirements. Logging is an ever-expanding tool that can seem to be a daunting task to manage. The following management practices will help you when issues arise, or your logging setup needs to be expanded.

1. Revisit your plan on a yearly basis to verify that your logging needs are being met by your current log setup. For example, your company or organization may require archival logging, but not at the beginning of your network’s lifespan. Archival logs are stored on a FortiGate unit’s local hard drive, a FortiAnalyzer unit, or a FortiCloud server, in increasing order of size.

2. Configure an alert message that will notify you of activities that are important to be aware of. For example: if a branch office does not have a FortiGate administrator, you will need to know at all times that the IPsec VPN tunnel is still up and running. An alert email notification message can be configured to be sent only if IPsec tunnel errors occur.

3. If your organization or company uses peer-to-peer programs such as Skype or other instant messaging software, use the Applications FortiView dashboard, or the Executive Summary’s report widget (Top 10 Application Bandwidth Usage Per Hour Summary) to help you monitor the usage of these types of instant messaging software. These widgets can help you in determining how these applications are being used, including if there is any misuse and abuse. Their information is taken from application log messages; however, application log messages should be viewed as well since they contain the most detailed information.

4. Ensure that your backup solution is up-to-date. If you have recently expanded your log setup, you should also review your backup solution. The backup solution provides a way to ensure that logs are not lost in the event that the log device fails or issues arise with the log device itself.

 

