It has been a lonnnnng time since I have posted. That is my fault. Sometimes you need to relax. I relaxed, a LOT and got fat in the process. I am back now! and FortiOS 6.6 which is upcoming in the next few months will have LTS (long term support) with a renewed focus on security and stability. If that doesn’t make your worm wiggle I dunno what will.
This topic describes how to configure two FortiAnalyzer units as the Analyzer and Collector and make them work together. In the scenario shown in the diagram below, Company A has a remote branch network with a FortiGate unit and a FortiAnalyzer 400E in Collector mode. In its head office, Company A has another FortiGate unit and a
FortiAnalyzer 3000D in Analyzer mode. The Collector forwards the logs of the FortiGate unit in the remote branch to the Analyzer in the head office for data analysis and reports generation. The Collector is also used for log archival.
For related concepts, see Two operation modes on page 19 and Analyzer–Collector collaboration on page 21. You need to complete the initial setup for your FortiAnalyzer units first. See Initial setup on page 16.
To configure the Collector:
For the Collector, you should allocate most of the disk space for Archive logs. You should keep the Archive logs long enough to meet the regulatory requirements of your organization. After this initial configuration, you can monitor the storage usage and adjust it as you go.
Collectors and Analyzers
Following is a storage configuration example of the Collector.
In particular,
l Set Remote ServerType to FortiAnalyzer. l Set ServerIP to the IP address of the Analyzer that this Collector will forward logs to. l Click Select Device and select the FortiGate device that the Collector will forward logs for.
To configure the Analyzer:
Collectors and Analyzers
config system log-forward-service set accept-aggregation enable
end
Once the FortiGate of the remote office is added, the Analyzer starts receiving its logs from the Collector.
At times, you might want to fetch logs from the Collector to the Analyzer. The Collector will perform the role of the fetch server, and the Analyzer will perform the role of fetch client. For information about how to conduct log fetching, see Fetcher Management on page 195.
A FortiAnalyzer high availability (HA) cluster provides the following features:
A FortiAnalyzer HA cluster can have a maximum of four units: one primary or master unit with up to three backup or slave units. All units in the cluster must be of the same FortiAnalyzer series. All units are visible on the network.
All units must run in the same operation mode: Analyzer or Collector.
To configure HA options go to System Settings > HA and configure FortiAnalyzer units to create an HA cluster or change cluster configuration.
In System Settings > HA, use the ClusterSettings pane to create or change HA configuration, and use the Cluster Status pane to monitor HA status.
To configure a cluster, set the Operation Mode of the primary unit to High Availability. Then add the IP addresses and serial numbers of each backup unit to primary unit peer list. The IP address and serial number of the primary unit and all backup units must be added to each backup unit’s HA configuration. The primary unit and all backup units must have the same Group Name, Group ID and Password.
You can connect to the primary unit GUI to work with FortiAnalyzer. Using configuration synchronization, you can configure and work with the cluster in the same way as you work with a standalone FortiAnalyzer unit.
Configure the following settings:
| Cluster Status | |
| Operation Mode | Select High Availability to configure the FortiAnalyzer unit for HA. Select Standalone to stop operating in HA mode. |
| Preferred Role | Select the preferred role when this unit first joins the HA cluster.
If the preferred role is Master, then this unit becomes the primary unit if it is configured first in a new HA cluster. If there is an existing primary unit, then this unit becomes a backup (slave) unit. The default is Slave so that the unit can synchronize with the primary unit. A slave or backup unit cannot become a master or primary unit until it is synchronized with the current primary unit. |
| Cluster Virtual IP | |
| Interface | The interface the FortiAnalyzer HA unit uses to provide redundancy. |
| IP Address | The IP address for which the FortiAnalyzer HA unit is to provide redundancy. |
| Cluster Settings | |
| Peer IP | Type the IP address of another FortiAnalyzer unit in the cluster. |
| Peer SN | Type the serial number of the FortiAnalyzer unit corresponding to the entered IP address. |
| Group Name | Type a group name that uniquely identifies the FortiAnalyzer HA cluster. All units in a cluster must have the same Group Name, Group ID and Password. |
| Group ID | Type a group ID from 1 to 255 that uniquely identifies the FortiAnalyzer HA cluster. |
| Password | A password for the HA cluster. All members of the HA cluster must have the same password. |
| Heart Beat Interval | The time the primary unit waits between sending heartbeat packets, in seconds. The heartbeat interval is also the amount of time that backup units waits before expecting to receive a heartbeat packet from the primary unit. |
| Priority | The priority or seniority of the backup unit in the cluster. |
| Log Data Sync | This option is on by default. It provides real-time log synchronization among cluster members. |
To ensure logs are synchronized among all HA units, FortiAnalyzer HA synchronizes logs in two states: initial logs synchronization and real-time log synchronization.
When you add a unit to an HA cluster, the primary unit synchronizes its logs with the new unit. After initial sync is complete, the backup unit automatically reboots. After the reboot, the backup unit rebuilds its log database with the synchronized logs.
You can see the status in the ClusterStatus pane Initial Logs Sync column.
After the initial log synchronization, the HA cluster goes into real-time log synchronization state.
Log Data Sync is turned on by default for all units in the HA cluster.
When Log Data Sync is turned on in the primary unit, the primary unit forwards logs in real-time to all backup units. This ensures that the logs in the primary and backup units are synchronized.
Log Data Sync is turned on by default in backup units so that if the primary unit fails, the backup unit selected to be the new primary unit will continue to synchronize logs with backup units.
If you want to use a FortiAnalyzer unit as a standby unit (not as a backup unit), then you don’t need real-time log synchronization so you can turn off Log Data Sync.
Configuration synchronization provides redundancy and load balancing among the cluster units. A FortiAnalyzer HA cluster synchronizes the configuration of the following modules to all cluster units: l Device Manager l Incidents & Events l Reports l Most System Settings
FortiAnalyzer HA synchronizes most System Settings in the HA cluster. The following table shows which System Setting configurations are synchronized:
| System Setting | Configuration synchronized |
| Dashboard > System Information | Only Administrative Domain is synchronized. All other settings in the System Information widget are not synchronized. |
| All ADOMs | Yes |
| Storage Info | Yes |
| Network | No |
| HA | No |
| Admin | Yes |
| Certificates > Local Certificates | No |
| Certificates > CA Certificates | Yes |
| Certificates > CRL | Yes |
| Log Forwarding | Yes |
| Fetcher Management | Yes |
| Event Log | No |
| Task Monitor | Yes |
| Advanced > SNMP | Yes |
| Advanced > Mail Server | Yes |
| Advanced > Syslog Server | Yes |
| Advanced > Meta Fields | Yes |
| Advanced > Device Log Settings | Yes |
| Advanced > File Management | Yes |
| Advanced > Advanced Settings | Yes |
In System Settings > HA, the ClusterStatus pane shows the HA status. This pane displays information about the role of each cluster unit, the HA status of the cluster, and the HA configuration of the cluster.
The ClusterStatus pane displays the following information:
| Role | Role of each cluster member. |
| Serial Number | Serial number of each cluster member. |
| IP | IP address of each cluster members including the host. |
| Host Name | Host name of the HA cluster. |
| Uptime/Downtime | Uptime or downtime of each cluster member. |
| Initial Logs Sync | Status of the initial logs synchronization. |
| Configuration Sync | Status of synchronizing configuration data. |
| Message | Status or error messages, if any. |
If the primary or master unit becomes unavailable, another unit in the cluster is selected as the primary unit using the following rules:
If the FortiAnalyzer being replaced is the primary, after replacing it, use execute fgfm reclaim-dev-tunnel to force FortiGates to connect to the new FortiAnalyzer.
Because FortiAnalyzer HA synchronizes logs among HA units, the HA cluster can balance the load and improve overall responsiveness. Load balancing enhances the following modules:
When generating multiple reports, the loads are distributed to all HA cluster units in a round-robin fashion. When a report is generated, the report is synchronized with other units so that the report is visible on all HA units.
Similarly, for SOC, cluster units share some of the load when these modules generate output for their widgets.
You can upgrade the firmware of an operating FortiAnalyzer cluster in the same way as upgrading the firmware of a standalone FortiAnalyzer unit.
Upgrade the backup units first. Upgrade the primary (master) unit last, after all backup units have been upgraded and have synchronized with the primary unit. When you upgrade the primary unit, one of the backup units is automatically selected to be the primary unit following the rules you set up in If the primary unit fails on page 254. This allows the HA cluster to continue operating through the upgrade process with primary and backup units.
During the upgrade, you might see messages about firmware version mismatch. This is to be expected. When the upgrade is completed and all cluster members are at the same firmware version, you should not see this message.
To upgrade FortiAnalyzer HA cluster firmware:
See the FortiAnalyzerRelease Notes and FortiAnalyzerUpgrade Guide in the Fortinet Document Library for more information.
When the primary unit is upgraded, it automatically becomes a backup unit and one of the backup units is automatically selected to be the primary unit following the rules you set up in If the primary unit fails on page 254.
This allows the HA cluster to continue operating through the upgrade process with primary and backup units.
To configure two-factor authentication for administrators you will need the following:
l FortiAnalyzer l FortiAuthenticator l FortiToken
On the FortiAuthenticator, you must create a local user and a RADIUS client.
Before proceeding, ensure you have configured your FortiAuthenticator, created a NAS entry for your FortiAnalyzer, and created or imported FortiTokens.
For more information, see the Two-FactorAuthenticatorInteroperability Guide and FortiAuthenticator Administration Guide in the Fortinet Document Library.
Create a local user:
| Username | Enter a user name for the local user. | |
| Password creation | Select Specify a password from the dropdown list. | |
| Password | Enter a password. The password must be a minimum of 8 characters. | |
| Password confirmation | Re-enter the password. The passwords must match. | |
| Allow RADIUS authentication | Enable to allow RADIUS authentication. | |
| Role | Select the role for the new user. | |
| Enable account expiration | Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide. | |
| Disabled | Select to disable the local user. |
| Password-based authentication | Leave this option selected. Select [Change Password] to change the password for this local user. |
| Token-based authentication | Select to enable token-based authentication. |
| Deliver token code by | Select to deliver token by FortiToken, email, or SMS. Click Test Token to test the token. |
| Allow RADIUS authentication | Select to allow RADIUS authentication. |
| Enable account expiration | Optionally, select to enable account expiration. For more information see the FortiAuthenticator Administration Guide. |
| User Role | |
| Role | Select either Administrator or User. |
| Full Permission | Select to allow Full Permission, otherwise select the admin profiles to apply to the user. This option is only available when Role is Administrator. |
| Web service | Select to allow Web service, which allows the administrator to access the web service via a REST API or by using a client application. This option is only available when Role is Administrator. |
| Restrict admin login from trusted management subnets only | Select to restrict admin login from trusted management subnets only, then enter the trusted subnets in the table. This option is only available when Role is Administrator. |
| Allow LDAP Browsing | Select to allow LDAP browsing. This option is only available when Role is User. |
Create a RADIUS client:
| Name | Enter a name for the RADIUS client entry. |
| Client name/IP | Enter the IP address or Fully Qualified Domain Name (FQDN) of the
FortiAnalyzer. |
| Secret | Enter the server secret. This value must match the FortiAnalyzer RADIUS server setting at System Settings > Admin > Remote Authentication Server. |
| First profile name | See the FortiAuthenticator Administration Guide. |
| Description | Enter an optional description for the RADIUS client entry. |
| Apply this profile based on RADIUS attributes | Select to apply the profile based on RADIUS attributes. |
| Authentication method | Select Enforce two-factorauthentication from the list of options. |
| Username input format | Select specific user name input formats. |
| Realms | Configure realms. |
| Allow MAC-based authentication | Optional configuration. |
| Check machine authentication | Select to check machine based authentication and apply groups based on the success or failure of the authentication. |
| Enable captive portal | Enable various portals. |
| EAP types | Optional configuration. |
On the FortiAnalyzer, you need to configure the RADIUS server and create an administrator that uses the RADIUS server for authentication.
Configure the RADIUS server:
| Name | Enter a name to identify the FortiAuthenticator. |
| Server Name/IP | Enter the IP address or fully qualified domain name of your FortiAuthenticator. |
| Server Secret | Enter the FortiAuthenticator secret. |
| Secondary Server Name/IP | Enter the IP address or fully qualified domain name of the secondary FortiAuthenticator, if applicable. |
| Secondary Server Secret | Enter the secondary FortiAuthenticator secret, if applicable. |
| Port | Enter the port for FortiAuthenticator traffic. |
| Authentication Type | Select the authentication type the FortiAuthenticator requires. If you select the default ANY, FortiAnalyzer tries all authentication types.
Note: RADIUS server authentication for local administrator users stored in FortiAuthenticator requires the PAP authentication type. |
Create the administrator:
Test the configuration:
The GUI supports multiple languages, including:
l English l Simplified Chinese l Spanish l Traditional Chinese l Japanese l Korean
By default, the GUI language is set to Auto Detect, which automatically uses the language used by the management computer. If that language is not supported, the GUI defaults to English. For best results, you should select the language used by the operating system on the management computer.
For more information about language support, see the FortiAnalyzerRelease Notes.
To change the GUI language:
To ensure security, the idle timeout period should be short. By default, administrative sessions are disconnected if no activity takes place for five minutes. This idle timeout is recommended to prevent anyone from using the GUI on a PC that was logged in to the GUI and then left unattended. The idle timeout period can be set from 1 to 480 minutes.
To change the idle timeout:
You can enable and configure password policy for the FortiAnalyzer.
To configure the password policy:
| Minimum Length | Specify the minimum number of characters that a password must be, from 8 to 32. Default: 8. |
| Must Contain | Specify the types of characters a password must contain: uppercase and lowercase letters, numbers, and/or special characters. |
| Admin Password
Expires after |
Specify the number of days a password is valid for. When the time expires, an administrator will be prompted to enter a new password. |
By default, the number password retry attempts is set to three, allowing the administrator a maximum of three attempts at logging in to their account before they are locked out for a set amount of time (by default, 60 seconds).
The number of attempts and the default wait time before the administrator can try to enter a password again can be customized. Both settings can be configured using the CLI.
To configure the lockout duration:
config system global set admin-lockout-duration <seconds>
end
To configure the number of retry attempts:
config system global set admin-lockout-threshold <failed_attempts>
end
To set the lockout threshold to one attempt and set a five minute duration before the administrator can try to log in again, enter the following CLI commands:
config system global set admin-lockout-duration 300 set admin-lockout-threshold 1
end
The administration settings page provides options for configuring global settings for administrator access to the FortiAnalyzer device. Settings include:
To improve security, you can change the default port configurations for administrative connections to the FortiAnalyzer. When connecting to the FortiAnalyzer unit when the port has changed, the port must be included, such as https://<ip_address>:<port>. For example, if you are connecting to the FortiAnalyzer unit using port 8080, the URL would be https://192.168.1.99:8080. When you change to the default port number for HTTP, HTTPS, or SSH, ensure that the port number is unique.
By default, the GUI disconnects administrative sessions if no activity occurs for five minutes. This prevents someone from using the GUI if the management computer is left unattended.
The language the GUI uses. For best results, you should select the language used by the management computer. l GUI theme
The default color theme of the GUI is Blueberry. You can choose another color or an image. l Password policy
Enforce password policies for administrators.
To configure the administration settings:
Administration Settings
| HTTP Port | Enter the TCP port to be used for administrative HTTP access. Default: 80. Select Redirect to HTTPS to redirect HTTP traffic to HTTPS. |
| HTTPS Port | Enter the TCP port to be used for administrative HTTPS access. Default: 443. |
| HTTPS & Web
Service Server Certificate |
Select a certificate from the dropdown list. |
| Idle Timeout | Enter the number of minutes an administrative connection can be idle before the administrator must log in again, from 1 to 480 (8 hours). See Idle timeout on page 246 for more information. |
| View Settings | |
| Language | Select a language from the dropdown list. See GUI language on page 245 for more information. |
| Theme | Select a theme for the GUI. The selected theme is not applied until you click Apply, allowing to you to sample different themes. Default: Blueberry. |
| Password Policy | Click to enable administrator password policies. See Password policy on page
244 and Password lockout and retry attempts on page 245 for more information. |
| Minimum Length | Select the minimum length for a password, from 8 to 32 characters. Default:
8. |
| Must Contain | Select the types of characters a password must contain. |
| Admin Password
Expires after |
Select the number of days a password is valid for, after which it must be changed. |
SAML can be enabled across all Security Fabric devices, enabling smooth movement between devices for the administrator. FortiAnalyzer can play the role of the identity provider (IdP) or the service provider (SP) when an external identity provider is available.
Devices configured to the IdP can be accessed through the Quick Access menu which appears in the top-right corner of the main menu. The current device is indicated with an asterisk (this feature is currently only supported in FAZ/FMG).
Logging into an SP device will redirect you to the IdP login page. By default, it is a Fortinet login page. After successful authentication, you can access other SP devices from within the same browser without additional authentication.
To configure FortiAnalyzer as a service provider:
If this is a first-time set up, you can import the IdP certificate that you downloaded while configuring the IdP device.