Category Archives: FortiAnalyzer

Web Based Manager

Web-based Manager

This section describes general information about using the Web-based Manager to access the FortiAnalyzer system with a web browser.

This section includes the following topics:

  • System requirements
  • Connecting to the Web-based Manager
  • Web-based Manager overview
  • Web-based Manager configuration

System requirements

Web browser support

The FortiAnalyzer Web-based Manager supports the following web browsers:

  • Microsoft Internet Explorer versions 10 and 11
  • Mozilla Firefox versions 30 and 31
  • Google Chrome version 36

Other web browsers may function correctly, but are not supported by Fortinet.

Screen resolution

Fortinet recommends setting your monitor to a screen resolution of 1280×1024. This allows for all the objects in the Web-based Manager to be properly viewed.


Connecting to the Web-based Manager

The FortiAnalyzer unit can be configured and managed using the Web-based Manager or the CLI. This section will step you through connecting to the unit via the Web-based Manager.

For more information on connecting your specific FortiAnalyzer unit, read that device’s QuickStart guide.

To connect to the Web-based Manager:

  1. Connect the unit to a management computer using an Ethernet cable.
  2. Configure the management computer to be on the same subnet as the internal interface of the FortiAnalyzer unit:
    • IP address: 192.168.1.2
    • Netmask: 255.255.255.0
  3. On the management computer, start a supported web browser and browse to https://192.168.1.99.
  4. Type admin in the User Name field, leave the Password field blank, and select Login.

You should now be able to use the FortiAnalyzer Web-based Manager.

For information on enabling administrative access protocols and configuring IP addresses, see “To edit a network interface:” on page 71.

Web-based Manager overview

The FortiAnalyzer Web-based Manager consists of four primary parts: the tab bar, the main menu bar, the tree menu, and the content pane. The content pane includes a toolbar and, in some tabs, is horizontally split into two sections. The main menu bar is only visible in certain tabs when ADOMs are disabled (see “System Information widget” on page 46).

You can use the Web-based Manager menus, lists, and configuration pages to configure most FortiAnalyzer settings. Configuration changes made using the Web-based Manager take effect immediately without resetting the FortiAnalyzer system or interrupting service.

The Web-based Manager also includes online help, accessed by selecting the help icon in the right side of the tab bar.

Tab bar

The Web-based Manager tab bar contains the device model, the available tabs, the Help button and the Log Out button.

Figure 3: The tab bar

Device Manager Manage groups, devices, and VDOMs, and view real-time monitor data.

See “Device Manager” on page 32.

FortiView Drill down top sources, top applications, top destinations, top web sites, top threats, and top cloud applications. This tab was implemented to match the FortiView implementation in FortiGate.

The Log View tab is found in the FortiView tab. View logs for managed devices. You can display, download, import, and delete logs on this page.

See “FortiView” on page 115.

Event Management Configure and view events for managed log devices.

See “Event Management” on page 151.

This tab is not available when the unit is in Collector mode. See “Operation modes” on page 15 for more information.

Reports Configure report templates, schedules, and output profiles, and manage charts and datasets.

See “Reports” on page 165.

This tab is not available when the unit is in Collector mode. See “Operation modes” on page 15 for more information.

System Settings Configure system settings such as network interfaces, administrators, system time, server settings, and others. You can also perform maintenance and firmware operations.

See “System Settings” on page 42.

Change Password Select to change the password. Restricted_User and Standard_User admin profiles do not have access to the System Settings tab. An administrator with either of these admin profiles will see the change password icon in the navigation pane.

Help Open the FortiAnalyzer online help.

Log Out Log out of the Web-based Manager.

Tree menu

The Web-based Manager tree menu is on the left side of the window. The content in the menu varies depending on which tab is selected and how your FortiAnalyzer unit is configured.

Some elements in the tree menu can be right-clicked to access different configuration options.

Content pane

The content pane is on the right side of the window. The information changes depending on which tab is being viewed and what element is selected in the tree menu. The content pane of the Log View and Reports tabs are split horizontally into two frames.

Web-based Manager configuration

Global settings for the Web-based Manager apply regardless of which administrator account you use to log in. Global settings include the idle timeout, TCP port number on which the Web-based Manager listens for connection attempts, the network interface(s) on which it listens, and the language of its display.

This section includes the following topics:

  • Language support
  • Administrative access
  • Restricting access by trusted hosts
  • Idle timeout

Language support

The Web-based Manager supports multiple languages; the default language setting is Auto Detect. Auto Detect uses the language configured on your management computer. If that language is not supported, the Web-based Manager will default to English.

You can change the Web-based Manager language to English, Simplified Chinese, Traditional Chinese, Japanese, or Korean. For best results, you should select the language that the management computer operating system uses.

To change the Web-based Manager language:

  1. Go to System Settings > Admin > Admin Settings.

Figure 4: Administration settings

  2. In the Language field, select a language from the drop-down list, or select Auto Detect to use the same language as configured for your management computer.
  3. Select Apply.

The following table lists FortiAnalyzer language support information.

Table 3: Language support

Language                 Web-based Manager   Reports   Documentation
English                  Yes                 Yes       Yes
French                   No                  Yes       No
Spanish                  No                  Yes       No
Portuguese               No                  Yes       No
Korean                   Yes                 Yes       No
Chinese (Simplified)     Yes                 Yes       No
Chinese (Traditional)    Yes                 Yes       No
Japanese                 Yes                 Yes       No
Russian                  No                  Yes       No
Hebrew                   No                  Yes       No
Hungarian                No                  Yes       No

To change the FortiAnalyzer language setting, go to System Settings > Admin > Admin Settings, and in Administrative Settings > Language select the desired language from the drop-down menu. The default value is Auto Detect.

Russian, Hebrew, and Hungarian are not included in the default report languages. You can import language translation files for these languages via the command line interface using one of the following commands:

execute sql-report import-lang <language name> <ftp> <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> <sftp> <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> <scp> <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> <tftp> <server IP address> <file name>

For more information, see the FortiAnalyzer CLI Reference available from the Fortinet Document Library.

Administrative access

Administrative access enables an administrator to connect to the system to view and change configuration settings. The default configuration of your system allows administrative access to one or more of the interfaces of the unit as described in the QuickStart and installation guides for your device.

Administrative access can be configured in IPv4 or IPv6 and includes settings for: HTTPS, HTTP, PING, SSH (Secure Shell), TELNET, SNMP, Web Service, and Aggregator.

To change administrative access:

  1. Go to System Settings > Network.

By default, port1 settings will be presented. To configure administrative access for a different interface, select All Interfaces, and then select the interface from the list.

  2. Set the IPv4 IP/Netmask or the IPv6 Address, select one or more Administrative Access types for the interface, and set the default gateway and Domain Name System (DNS) servers.

Figure 5: Network management interface

  3. Select Apply to finish changing the access settings.

For more information, see “Network” on page 69.

Restricting access by trusted hosts

To prevent unauthorized access to the Web-based Manager you can configure administrator accounts with trusted hosts. With trusted hosts configured, the admin user can only log in to the Web-based Manager when working on a computer with the trusted host as defined in the admin account.

For more information, see “Administrator” on page 75.

Idle timeout

By default, the Web-based Manager disconnects administrative sessions if no activity takes place for fifteen minutes. This idle timeout is recommended to prevent someone from using the Web-based Manager from a PC that is logged in and then left unattended.

To change the Web-based Manager idle timeout:

  1. Go to System Settings > Admin > Admin Settings (see Figure 4 on page 22).
  2. Change the Idle Timeout minutes as required.
  3. Select Apply to save the setting.

For more information, see “Administrator settings” on page 86.
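An added audit script (example code, not from the FortiAnalyzer guide) that checks a constructed FortiAnalyzer-style configuration excerpt for the settings covered under Administrative access, Restricting access by trusted hosts, and Idle timeout: HTTP or TELNET enabled on an interface, an administrator whose trusted host is 0.0.0.0/0, and an idle timeout above the fifteen-minute default. The CLI keywords allowaccess, trusthost1 and idle_timeout, and the parser itself, are assumptions made for this example.

```python
"""Audit a FortiAnalyzer-style management config for weak admin settings.

Added example, not the guide's own code. The CLI keywords below
(allowaccess, trusthost1, idle_timeout) are assumptions for illustration.
"""
import ipaddress

# Constructed sample in FortiAnalyzer-style CLI syntax (not from the guide).
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "port2"
        set ip 10.10.0.5 255.255.255.0
        set allowaccess https ssh
    next
end
config system admin user
    edit "admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "auditor"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
config system admin setting
    set idle_timeout 60
end
"""

# Administrative protocols that carry credentials in clear text.
PLAINTEXT_PROTOCOLS = {"http", "telnet"}


def parse_config(text):
    """Flatten config/edit/set blocks into {(table, entry_name): {key: value}}.

    Table-level 'set' lines (no enclosing 'edit') are stored under (table, None).
    """
    entries = {}
    table = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table, name = line[len("config "):], None
        elif line.startswith("edit "):
            name = line[len("edit "):].strip('"')
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            entries.setdefault((table, name), {})[key] = value
        elif line == "next":
            name = None
        elif line == "end":
            table = name = None
    return entries


def is_unrestricted(trusthost):
    """True when an 'ip netmask' trusted host matches every address (/0)."""
    ip, mask = trusthost.split()
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False).prefixlen == 0


def audit(text, max_idle=15):
    """Return a list of findings; an empty list means no weak setting found."""
    findings = []
    for (table, name), settings in parse_config(text).items():
        if table == "system interface" and name:
            enabled = set(settings.get("allowaccess", "").split())
            weak = sorted(enabled & PLAINTEXT_PROTOCOLS)
            if weak:
                findings.append(f"{name}: plaintext admin protocols enabled: {' '.join(weak)}")
        elif table == "system admin user" and name:
            hosts = [v for k, v in settings.items() if k.startswith("trusthost")]
            # No trusthost line at all is equivalent to the 0.0.0.0/0 default.
            if not hosts or any(is_unrestricted(h) for h in hosts):
                findings.append(f"{name}: no trusted-host restriction")
        elif table == "system admin setting":
            idle = int(settings.get("idle_timeout", max_idle))
            if idle > max_idle:
                findings.append(f"idle_timeout {idle} exceeds {max_idle} minutes")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```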

Reboot and shutdown the FortiAnalyzer unit

Always reboot and shutdown the FortiAnalyzer system using the unit operation options in the Web-based Manager or the CLI to avoid potential configuration problems.

Figure 6: Unit operation actions in the Web-based Manager

To reboot the FortiAnalyzer unit:

  1. In the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget, select Reboot or, in the CLI Console widget, enter:

execute reboot

The system will be rebooted.

Do you want to continue? (y/n)

  3. Select y to continue. The FortiAnalyzer system will be rebooted.

To shutdown the FortiAnalyzer unit:

  1. In the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget, select Shutdown or, in the CLI Console widget, enter:

execute shutdown

The system will be halted.

Do you want to continue? (y/n)

  3. Select y to continue. The FortiAnalyzer system will be shut down.

To reset the FortiAnalyzer unit:

  1. In the CLI Console widget, enter:

execute reset all-settings

This operation will reset all settings to factory defaults

Do you want to continue? (y/n)

  2. Select y to continue. The device will reset to factory default settings and reboot.

To reset logs and re-transfer all logs into the database:

  1. In the CLI Console widget, enter:

execute reset-sqllog-transfer

WARNING: This operation will re-transfer all logs into database.

Do you want to continue? (y/n)

  2. Select y to continue.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Key Concepts

This chapter defines basic FortiAnalyzer concepts and terms.

If you are new to FortiAnalyzer, this chapter can help you to quickly understand this document and your FortiAnalyzer platform.

This topic includes:

  • Administrative domains
  • Operation modes
  • Log storage
  • Workflow

Administrative domains

Administrative domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific device’s VDOM.

Enabling ADOMs alters the structure of and the available functions in the Web-based Manager and CLI, according to whether or not you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account’s assigned access profile. See “System Information widget” on page 46 for information on enabling and disabling ADOMs.

For information on working with ADOMs, see “Administrative Domains” on page 27. For information on configuring administrators and administrator settings, see “Admin” on page 73.

Operation modes

The FortiAnalyzer unit has two operation modes:

  • Analyzer: The default mode that supports all FortiAnalyzer features. This mode is used for aggregating logs from one or more log collectors. In this mode, the log aggregation configuration function is disabled.
  • Collector: The mode used for saving and uploading logs. For example, instead of writing logs to the database, the collector can retain the logs in their original (binary) format for uploading. In this mode, the report function and some functions under the System Settings tab are disabled.

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the FortiAnalyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

The mode of operation that you choose will depend on your network topology and individual requirements. For information on how to select an operation mode, see “Changing the operation mode” on page 50.

Feature comparison between analyzer and collector mode

The operation mode options have been simplified to two modes, Analyzer and Collector. Standalone mode has been removed.

Table 2: Feature comparison between Analyzer and Collector modes

Feature                          Analyzer Mode   Collector Mode
Event Management Yes No
Monitoring (drill-down/charts) Yes No
Reporting Yes No
FortiView/Log View Yes Yes
Device Manager Yes Yes
System Settings Yes Yes
Log Forwarding No Yes

Analyzer mode

The analyzer mode is the default mode that supports all FortiAnalyzer features. If your network log volume does not compromise the performance of your FortiAnalyzer unit, you can choose this mode.

Figure 1 illustrates the network topology of the FortiAnalyzer unit in analyzer mode.

Figure 1: Topology of the FortiAnalyzer unit in analyzer mode


Analyzer and collector mode

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

In most cases, the volume of logs fluctuates dramatically during a day or week. You can deploy a collector to receive and store logs during the high traffic periods and transfer them to the analyzer during the low traffic periods. As a result, the performance of the analyzer is guaranteed as it will only deal with log insertion and reporting when the log transfer process is over.

As illustrated in Figure 2: company A has two remote branch networks protected by multiple FortiGate units. The networks generate large volumes of logs which fluctuate significantly during a day. It used to have a FortiAnalyzer 4000B in analyzer mode to collect logs from the FortiGate units and generate reports. To further boost the performance of the FortiAnalyzer 4000B, the company deploys a FortiAnalyzer 400C in collector mode in each branch to receive logs from the FortiGate units during the high traffic period and transfer bulk logs to the FortiAnalyzer 4000B during the low traffic period.

Figure 2: Topology of the FortiAnalyzer units in analyzer/collector mode

FortiAnalyzer v5.2.0 Administration Guide

To set up the analyzer/collector configuration:

  1. On the FortiAnalyzer unit, go to System Settings > Dashboard.
  2. In the System Information widget, in the Operation Mode field, select Change.
  3. Select Analyzer in the Change Operation Mode dialog box.
  4. Select OK.
  5. On the first collector unit, go to System Settings > Dashboard.
  6. In the System Information widget, in the Operation Mode field, select Change.
  7. Select Collector in the Change Operation Mode dialog box.
  8. Select OK.

For more information on configuring log forwarding, see “Log forwarding” on page 40.

Log storage

The FortiAnalyzer unit supports Structured Query Language (SQL) logging and reporting. The log data is inserted into the SQL database for generating reports. Both local and remote SQL database options are supported.

For more information, see “Reports” on page 165.

Workflow

Once you have successfully deployed the FortiAnalyzer platform in your network, using and maintaining your FortiAnalyzer unit involves the following:

  • Configuration of optional features, and re-configuration of required features if required by changes to your network
  • Backups
  • Updates
  • Monitoring reports, logs, and alerts

What’s New in FortiAnalyzer V5.2

What’s New in FortiAnalyzer v5.2

FortiAnalyzer v5.2 includes the following new features and enhancements.

FortiAnalyzer v5.2.0

FortiAnalyzer v5.2.0 includes the following new features and enhancements.

Event Management

  • Event Handler for local FortiAnalyzer event logs
  • FortiOS v4.0 MR3 logs are now supported.
  • Support subject customization of alert email.

FortiView

  • New FortiView module

Logging

  • Updated compact log v3 format from FortiGate
  • Explicit proxy traffic logging support
  • Improved FortiAnalyzer insert rate performance
  • Log filter improvements
  • FortiSandbox logging support
  • Syslog server logging support

Reports

  • Improvements to report configuration
  • Improvements to the Admin and System Events Report template
  • Improvements to the VPN Report template
  • Improvements to the Wireless PCI Compliance Report template
  • Improvements to the Security Analysis Report template
  • New Intrusion Prevention System (IPS) Report template
  • New Detailed Application Usage and Risk Report template
  • New FortiMail Analysis Report template
  • New pre-defined Application and Websites report templates
  • Macro library support
  • Option to display or upload reports in HTML format
  • FortiCache reporting support


Other


Introduction

FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout your network. The FortiAnalyzer family minimizes the effort required to monitor and maintain acceptable use policies, as well as identify attack patterns to help you fine-tune your policies. Organizations of any size will benefit from centralized security event logging, forensic research, reporting, content archiving, data mining and malicious file quarantining.

FortiAnalyzer offers enterprise class features to identify threats, while providing the flexibility to evolve along with your ever-changing network. FortiAnalyzer can generate highly customized reports for your business requirements, while aggregating logs in a hierarchical, tiered logging topology.

You can deploy FortiAnalyzer physical or virtual appliances to collect, correlate, and analyze geographically and chronologically diverse security data. Aggregate alerts and log information from Fortinet appliances and third-party devices in a single location, providing a simplified, consolidated view of your security posture. In addition, FortiAnalyzer platforms provide detailed data capture for forensic purposes to comply with policies regarding privacy and disclosure of information security breaches.

Feature support

The following table lists FortiAnalyzer feature support for log devices.

Table 1: Feature support per platform

Platform       Logging   FortiView   Event Management   Reports
FortiGate      Yes       Yes         Yes                Yes
FortiCarrier   Yes       Yes         Yes                Yes
FortiMail      Yes       No          No                 Yes
FortiWeb       Yes       No          No                 Yes
FortiCache     Yes       No          No                 Yes
FortiClient    Yes       No          No                 No
FortiSandbox   Yes       No          No                 No
Syslog         Yes       No          No                 No

FortiAnalyzer documentation

The following FortiAnalyzer product documentation is available:

  • FortiAnalyzer Administration Guide

This document describes how to set up the FortiAnalyzer system and use it with supported Fortinet units.

  • FortiAnalyzer device QuickStart Guides

These documents are included with your FortiAnalyzer system package. Use them to install and begin working with the FortiAnalyzer system and FortiAnalyzer Web-based Manager.

  • FortiAnalyzer Online Help

You can get online help from the FortiAnalyzer Web-based Manager. FortiAnalyzer online help contains detailed procedures for using the FortiAnalyzer Web-based Manager to configure and manage FortiGate units.

  • FortiAnalyzer CLI Reference

This document describes how to use the FortiAnalyzer Command Line Interface (CLI) and contains references for all FortiAnalyzer CLI commands.

  • FortiAnalyzer Release Notes

This document describes new features and enhancements in the FortiAnalyzer system for the release, and lists resolved and known issues. This document also defines supported platforms and firmware versions.

  • FortiAnalyzer Log Message Reference

This document describes the structure of FortiAnalyzer log messages and provides information about the log messages that are generated by the FortiAnalyzer system.


Replacing hardware that is logging to a FortiAnalyzer

I am sure you have all come across this issue. You are logging your FortiGates (or other devices) to the FortiAnalyzer and you experience a failure of said hardware. You have a backup of the config, so you move the config over to the replacement device, but now your new firewall or device is listed as an unregistered device in the FortiAnalyzer. This is actually a pretty easy issue to fix, as you only have to replace the serial number of the original device with the serial of the new device. Below are the config steps to perform this via the CLI of the FortiAnalyzer:

execute device replace <old serial number> <name> <new serial number>

