FortiAuthenticator 4.0 Introduction

Introduction

The FortiAuthenticator device is an identity and access management solution. Identity and access management solutions are an important part of an enterprise network, providing access to protected network assets and tracking user activities to comply with security policies.

FortiAuthenticator provides user identity services to the Fortinet product range, as well as third party devices.

FortiAuthenticator delivers multiple features including:

  • Authentication: FortiAuthenticator includes Remote Authentication Dial In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) server authentication methods.
  • Two Factor Authentication: FortiAuthenticator can act as a two-factor authentication server with support for one-time passwords using FortiToken 200, FortiToken Mobile, Short Message Service (SMS), or e-mail.

FortiAuthenticator two-factor authentication is compatible with any system which supports RADIUS.

  • 802.1X Support: FortiAuthenticator supports 802.1X for use in FortiGate Wireless and Wired networks.
  • User Identification: FortiAuthenticator can identify users through multiple data sources, including Active Directory, Desktop Client, Captive Portal Logon, RADIUS Accounting, Kerberos, and a Representational State Transfer (REST) API. It can then communicate this information to FortiGate, FortiCache, or FortiMail units for use in Identity Based Policies.
  • Certificate Management: FortiAuthenticator can create and sign digital certificates for use, for example, in FortiGate VPNs and with the FortiToken 300 USB Certificate Store.
  • Integration: FortiAuthenticator can integrate with third party RADIUS and LDAP authentication systems, allowing you to reuse existing information sources. The REST API can also be used to integrate with external provisioning systems.

FortiAuthenticator is a critical system, and should be isolated on a network interface that is separated from other hosts to facilitate server-related firewall protection. Be sure to take steps to prevent unauthorized access to the FortiAuthenticator.


FortiAuthenticator on a multiple FortiGate unit network

The FortiAuthenticator series of identity and access management appliances complement the FortiToken range of two-factor authentication tokens for secure remote access. FortiAuthenticator allows you to extend the support for FortiTokens across your enterprise by enabling authentication with multiple FortiGate appliances and third party devices. FortiAuthenticator and FortiToken deliver cost effective, scalable secure authentication to your entire network infrastructure.

The FortiAuthenticator device provides an easy-to-configure remote authentication option for FortiGate users. Additionally, it can replace the Fortinet Single Sign-On (FSSO) Agent on a Windows Active Directory (AD) network.

For more information about FortiTokens, see the FortiToken information page on the Fortinet web site.

This chapter contains the following topics:

  • Before you begin
  • How this guide is organized
  • Registering your Fortinet product
  • What’s new in FortiAuthenticator 4.0

Before you begin

Before you begin using this guide, please ensure that:

  • You have administrative access to the GUI and/or CLI.

For details of how to accomplish this, see the QuickStart Guide provided with your product, or online at http://docs.fortinet.com/fortiauthenticator/hardware.

  • The FortiAuthenticator unit is integrated into your network.
  • The operation mode has been configured.
  • The system time, DNS settings, administrator password, and network interfaces have been configured.

Network Time Protocol (NTP) is critical: the system time must be accurate and stable for the Time-based One-time Password (TOTP) method used in two-factor authentication to function correctly. See Configuring the system time, time zone, and date on page 27.

  • Any third party software or servers have been configured using their documentation.

While using the instructions in this guide, note that administrators are assumed to have all permissions, unless otherwise specified. Some restrictions will apply to administrators with limited permissions.
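To make the NTP requirement concrete, the following added example (not code from the guide or from Fortinet) implements the RFC 4226/6238 HOTP and TOTP algorithms with the Python standard library and shows what happens when the verifying server's clock drifts. The secret is the RFC 6238 Appendix B test value; the 30-second step, 6-digit codes and one-step skew window are assumptions about the verifier and are not FortiAuthenticator's documented settings.

```python
import hashlib
import hmac
import struct


# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                skew_steps: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step and up to skew_steps steps either side.

    skew_steps is the verifier's only tolerance for clock drift (assumed window of 1
    step here): a server whose clock is off by more than skew_steps * step seconds
    rejects every correctly generated token, which is why NTP must be in place.
    """
    counter = int(unix_time) // step
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def drift_check(secret: bytes, token_time: int, server_offsets: tuple) -> dict:
    """For each server clock offset (seconds from true time), report whether a
    token generated at the correct time is accepted."""
    code = totp(secret, token_time)
    return {off: verify_totp(secret, code, token_time + off) for off in server_offsets}


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), SHA-1, 30 s step.
    SECRET = b"12345678901234567890"
    print(totp(SECRET, 59))
    # 1234567890 is on a 30 s step boundary: offsets inside the window pass, 90 s and 300 s fail.
    print(drift_check(SECRET, 1234567890, (0, 29, 31, 90, 300)))
```

The drift table is the practical point: a token that is mathematically correct is rejected once the verifier's clock is more than one step away from the token's clock, and the failure looks identical to a user typing a wrong code, so checking NTP synchronisation is the first troubleshooting step when every TOTP login fails at once.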

How this guide is organized

This FortiAuthenticator Administration Guide contains the following sections:

  • Setup describes initial setup for standalone and HA cluster FortiAuthenticator configurations.
  • System describes the options available in the system menu tree, including: network configuration, administration settings, and messaging settings.
  • Authentication describes how to configure built-in and remote authentication servers and manage users and user groups.
  • Port-based Network Access Control describes how to configure the FortiAuthenticator unit for IEEE 802.1X Extensible Authentication Protocol (EAP) authentication methods, Bring Your Own Device (BYOD), and MAC-based device authentication.
  • Fortinet Single Sign-On describes how to use the FortiAuthenticator unit in a Single Sign On (SSO) environment.
  • RADIUS Single Sign-On describes how to use the FortiAuthenticator unit RADIUS accounting proxy.
  • Monitoring describes how to monitor SSO and authentication information.
  • Certificate Management describes how to manage X.509 certificates and how to set up the FortiAuthenticator unit to act as a Certificate Authority (CA).
  • Logging describes how to view the logs on your FortiAuthenticator unit.
  • Troubleshooting provides suggestions to resolve common problems.

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site at https://support.fortinet.com. Many Fortinet customer services such as firmware updates, technical support, FortiGuard Antivirus, and other FortiGuard services require product registration.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!


What’s new in FortiAuthenticator 4.0

FortiAuthenticator 4.0 includes a host of new and expanded features designed to make it more robust and versatile than ever before, while maintaining ease of use.

New features include:

  • Captive portal guest management: social and MAC address authentication

Social Wifi authentication allows FortiAuthenticator to utilize third-party user identity methods to authenticate users into a wireless guest network. Supported authentication methods include:

  • Google+
  • Facebook
  • LinkedIn
  • Twitter
  • Form based authentication (similar to the existing self-registration feature)
  • SMS based authentication
  • Email-based authentication
  • MAC address authentication

For more details, see Captive portal on page 80.

  • New SNMP event

A new event (trap) has been added to the SNMP community configuration settings: “HA status is changed.” For more details, see Administration on page 33.

  • Add Riverbed RADIUS VSAs

The Riverbed RADIUS dictionary has been added to the RADIUS engine to allow Riverbed vendor-specific attributes (VSAs) to be used in authentication.

  • Role based administration

A new feature that allows FortiAuthenticator to create and edit admin profiles (similar to FortiOS). Each administrator can be granted either full permissions or an admin profile, and they can be granted read-only or read/write permission sets. For more details, see Administration on page 33.
  • Bulk purge inactive users menu

New options are now available for bulk purging inactive user accounts. For more details, see User management on page 57.

  • Allow expired FTM reactivation

A new feature that enhances the FTM activation flow and allows administrators to see more quickly why a user cannot authenticate using a FortiToken if their pre-configured timeout period expired. For more details, see FortiToken devices and mobile apps on page 72.

  • Remote LDAP password change

A new feature that, through the use of Windows AD, allows users to change their passwords without provision changes being made to the network by a system administrator. For more details, see Remote authentication servers on page 88.

  • RADIUS sub auth client profiles

A new feature that allows you to assign attributes to RADIUS Auth Client profiles, so that they are more distinguishable for FortiAuthenticator even if the authentication requests originate from the same IP address. For more details, see RADIUS service on page 91.

  • Windows FAC agent – group/OU exemptions

A new feature that exempts users from two-factor authentication using AD container filtering has been added to the FortiAuthenticator Agent for Microsoft Windows, and for OWA users. Users who are members of an exempt group and users located under an exempt AD container are only required to provide a password to authenticate, i.e. no FortiToken code. For more details, see FortiAuthenticator Agents on page 100.

  • SSO filtering options expansion

New object types have been added to the group filtering function. For more details, see FortiGate group filtering on page 120.

  • SSO – include username with “$”

FortiAuthenticator now includes usernames containing the “$” character in its SSO feature. For more details, see General settings on page 106.

  • DC/TS agent monitoring

A new subsection of Monitoring which displays information on the server’s Domain Controller (DC) and Terminal Server (TS) Agents, found at SSO Monitor > SSO > DC/TS Agents. For more details, see SSO on page 129.


Fortinet FortiGate 6040E


In case you guys haven’t heard the news yet, Fortinet has released the FortiGate 6040E. This is a pretty handy firewall that helps Enterprise organizations achieve the level of UTM/NGFW functionality they need without having to spend obscene amounts of money on capable hardware.

Fortinet FortiGate 6040E


This device is substantially stronger, has modified management capabilities and can flow 320 Gbps of firewall throughput (80 Gbps UTM/NGFW). The FortiGate 6040E has 6 available options right now that you can see in the image below.

6 options are available for the FortiGate 6040E


Fortinet’s blog has a really good break out of the device as well as the benefits and cool features it has. Click here to see!



Reports


FortiAnalyzer units can analyze information collected from the log files of managed log devices. The unit then presents the information in tabular and graphical reports that provide a quick and detailed analysis of activity on your networks.

To reduce the number of reports needed, reports are independent from devices, and contain layout information in the form of a report template. The devices, and any other required information, can be added as parameters to the report at the time of report generation.

The Reports tab allows you to configure reports using the predefined report templates, configure report schedules, view report history and the report calendar, and configure and view charts, macros, datasets, and output profiles.

If ADOMs are enabled, each ADOM will have its own report settings including chart library, macro library, dataset library, and output profiles.

FortiCache, FortiMail and FortiWeb reports are available when ADOMs are enabled. Reports for these devices are configured within their respective default ADOM. These devices also have device specific charts and datasets.

This chapter contains the following sections:

  • Reports
  • Report layouts
  • Chart library
  • Macro library
  • Report calendar
  • Advanced

Reports

FortiAnalyzer includes preconfigured reports and report templates for FortiGate, FortiMail, and FortiWeb log devices. These report templates can be used as is, or you can clone and edit the templates. You can also create new reports and report templates that can be customized to your requirements. For a list of preconfigured reports see “Report Templates” on page 207.

Predefined report templates are identified by a blue report icon, and custom report templates are identified by a green report icon. When a schedule has been enabled, the schedule icon will appear to the left of the report template name.

In the Reports tab, go to Reports > [report] to view and configure the report configuration, advanced settings, and layout, and to view completed reports. The currently running reports and completed reports are shown in the View Report tab, see “View report tab” on page 173.

Figure 118:Report page

Right-clicking on a template in the tree menu opens a pop-up menu with the following options:

Report
  Create New    Create a new report. See “To create a new report:” on page 167. Custom report templates are identified by the custom report icon beside the report name; predefined report templates are identified by the predefined report icon.
  Rename        Rename a report.
  Clone         Clone the selected report. See “To clone a report:” on page 167.
  Delete        Delete the report. The default reports cannot be deleted. See “To delete a report:” on page 167.
  Import        Import a report. See “Import and export” on page 167.
  Export        Export a report. See “Import and export” on page 167.

Folder
  Create New    Create a new report folder. See “To create a new report folder:” on page 168.
  Rename        Rename a report folder. See “To rename a report folder:” on page 168.
  Delete        Delete a report folder. Any report templates in the folder will be deleted. See “To delete a report folder:” on page 168.

Reports and report templates can be created, edited, cloned, and deleted. You can also import and export report templates. New content can be added to and organized on a template, including: new sections, three levels of headings, text boxes, images, charts, and line and page breaks.

To create a new report:

  1. In the Reports tab, right-click on Reports in the tree menu.
  2. Under the Report heading, select Create New.

The Create New Report dialog box opens.

  3. Enter a name for the new report and select OK.
  4. Configure report settings in the Configuration tab. The Configuration tab includes time period, device selection, report type, schedule, and notifications.
  5. Select Report layouts to configure the report template.
  6. Select the Advanced settings tab to configure report filters and other advanced settings.
  7. Select Apply to save the report template.

To clone a report:

  1. Right-click on the report you would like to clone in the tree menu and select Clone.

The Clone Report Template dialog box opens.

  2. Enter a name for the new template, then select OK.

A new template with the same information as the original template is created with the given name. You can then modify the cloned report as required.

To delete a report:

  1. Right-click on the report template that you would like to delete in the tree menu, and select Delete under the Report heading.
  2. In the confirmation dialog box, select OK to delete the report template.

Import and export

Report templates can be imported from and exported to the management computer.

To import a report template:

  1. Right-click on Reports, and select Import.

The Import Report Template dialog box opens.

  2. Select Browse, locate the report template (.dat) file on your management computer, and select OK.

The report template will be loaded into the FortiAnalyzer unit.

To export a report template:

  1. Right-click on the report you would like to export in the tree menu and select Export.
  2. If a dialog box opens, select to save the file (.dat) to your management computer, and select OK.

The report template can now be imported to another FortiAnalyzer device.

Report folders

Report folders can be used to help organize your reports.

To create a new report folder:

  1. In the Reports tab, right-click on Reports in the tree menu.
  2. Under the Folder heading, select Create New.
  3. In the Create New Folder dialog box, enter a name for the folder, and select OK.

A new folder is created with the given name.

To rename a report folder:

  1. Right-click on the report folder that you need to rename in the tree menu.
  2. Under the Folder heading, select Rename.
  3. In the Rename Folder dialog box, enter a new name for the folder, and select OK.

To delete a report folder:

  1. Right-click on the report folder that you would like to delete in the tree menu, and select Delete under the Folder heading.
  2. In the confirmation dialog box, select OK to delete the report folder.

Configuration tab

In FortiAnalyzer v5.2.0 and later, the Reports tab layout has changed. When creating a new report, the Configuration tab is the first tab that is displayed. In this tab you can configure the time period, select devices, enable schedules, and enable notification.

Report schedules provide a way to schedule an hourly, daily, weekly, or monthly report so that the report will be generated at a specific time. You can also manually run a report schedule at any time, and enable or disable report schedules. Report schedules can also be edited and disabled from the Report Calendar. See “Report calendar” on page 198 for more information.

Figure 119:Configuration tab

The following settings are available in the Configuration tab:

Time Period The time period that the report will cover. Select a time period, or select Other to manually specify the start and end date and time.
Devices The devices that the report will include. Select either All Devices or Specify to add specific devices. Select the add icon to select devices.
User or IP Enter the user name or the IP address of the user on whom the report will be based.

This field is only available for the three predefined report templates in the Detailed User Report folder.

Type Select either Single Report (Group Report) or Multiple Reports (Per-Device).

This option is only available if multiple devices are selected.

Enable Schedule Select to enable report template schedules.
Generate PDF Report Every Select when the report is generated. Enter a number for the frequency of the report based on the time period selected from the drop-down list.
Starts On Enter a starting date and time for the file generation.
Ends Enter an ending date and time for the file generation, or set it for never ending.
Enable Notification Select to enable report notification.
Output Profile Select the output profile from the drop-down list, or select Create New to create a new output profile. See “Output profile” on page 203.


Event Management


In the Event Management tab you can configure event handlers based on log type and logging filters. You can select to send the event to an email address, SNMP community, or syslog server. Events can be configured per device, for all devices, or for the local FortiAnalyzer. You can create event handlers for FortiGate and FortiCarrier devices. In v5.2.0 or later, Event Management supports local FortiAnalyzer event logs.

Events can also be monitored, and the logs associated with a given event can be viewed.

Events

The events page provides a list of the generated events. Right-clicking on an event in the table gives you the option of viewing event details including the raw log entries associated with that event, adding review notes, and acknowledging the event.

To view events, go to the Event Management tab and select Event Management > All Events. You can also view events by severity and by handler. When ADOMs are enabled, select the ADOM, and then select All Events.

Figure 112:Events page

The following information is displayed:

Time Period Select a time period from the drop-down list. Select one of: Last 30 mins, Last 1 hour, Last 4 hours, Last 12 hours, Last 1 day, Last 7 days, Last N hours, Last N days, All.

If applicable, enter the number of days or hours for N in the N text box.

Show Acknowledged Select to show or hide acknowledged events. Acknowledged events are greyed out in the list.
Search Search for a specific event.
Count The number of log entries associated with the event. Click the heading to sort events by count.
Event Name The name of the event. Click the heading to sort events by event name.
Severity The severity level of the event. Event severity level is a user configured variable. The severity can be Critical, High, Medium, or Low. Click the heading to sort events by severity.
Event Type The event type. For example, Traffic or Event. Click the heading to sort events by event type.
Additional Info Additional information about the event. Click the heading to sort events by additional information.
Last Occurrence The date and time that the event was created and added to the events page. Click the heading to sort events by last occurrence.
Pagination Adjust the number of logs that are listed per page and browse through the pages.

Right-click on an event in the list to open the right-click menu. The following options are available:

View Details The Event Details page is displayed. See “Event details” on page 153.
Acknowledge Acknowledge an event. If Show Acknowledged is not selected, the event will be hidden. See “Acknowledge events” on page 154.

Event details

The Event Details page provides a summary of the event including the event name, severity, type, count, additional information, last occurrence, device, event handler, raw log entries, and review notes. You can also acknowledge and print events in this page.

To view log messages associated with an event:

  1. In the events list, either double-click on an event or right-click on an event then select View Details in the right-click menu.

The Event Details page opens.

Figure 113:Event details page

  2. The following information and options are available:

Print Select the print icon to print the event details page. The log details pane is not printed.
Return Select the return icon to return to the All Events page.
Event Name The name of the event, also displayed in the title bar.
Severity The severity level configured for the event handler.
Type The event category of the event handler.
Count The number of logged events associated with the event.
Additional Info This field either displays additional information for the event or a link to the FortiGuard Encyclopedia. A link will be displayed for AntiVirus, Application Control, and IPS event types.
Last Occurrence The date and time of the last occurrence.
Device The device hostname associated with the event.
Event Handler The name of the event handler associated with the event. Select the link to edit the event handler. See “Event handler” on page 155.
Text box Optionally, you can enter a 1023 character comment in the text field. Select the save icon to save the comment, or the cancel icon to cancel your changes.
Logs The logs associated with the log event are displayed. The columns and log fields are dependent on the event type.
Pagination Adjust the number of logs that are listed per page and browse through the pages.
Log details Log details are shown in the lower content pane for the selected log. The details will vary based on the log type.

  3. Select the return icon to return to the All Events page.

Acknowledge events

You can acknowledge events to remove them from the event list. An option has been added to this page to allow you to show or hide these acknowledged events.

To acknowledge events:

  1. From the event list, select the event or events that you would like to acknowledge.
  2. Right-click and select Acknowledge in the right-click menu.

Select the Show Acknowledge checkbox in the toolbar to view acknowledged events.
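The Event Management behaviour described in this chapter (an event handler matches logs by type and filter, matching logs are rolled into one event per device with a count, severity and last occurrence, and acknowledged events are hidden from the list unless Show Acknowledged is selected) can be reproduced in a few dozen lines. The following is an added example, not FortiAnalyzer's code or a Fortinet API; the log lines are constructed for the example, the key=value layout and field names (`type`, `subtype`, `devname`, `logdesc`) follow FortiGate log conventions, and the handler definitions are assumptions.

```python
import re
from dataclasses import dataclass, field

# Parses FortiGate-style key=value log records; quoted values may contain spaces.
LOG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line: str) -> dict:
    return {k: v.strip('"') for k, v in LOG_RE.findall(line)}


SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Handler:
    """An event handler: a log type plus field filters, with an admin-assigned severity."""
    name: str
    log_type: str
    filters: dict
    severity: str

    def matches(self, rec: dict) -> bool:
        return rec.get("type") == self.log_type and all(
            rec.get(k) == v for k, v in self.filters.items())


@dataclass
class Event:
    name: str
    severity: str
    event_type: str
    device: str
    count: int = 0
    last_occurrence: str = ""
    logs: list = field(default_factory=list)
    acknowledged: bool = False
    notes: str = ""


def correlate(handlers: list, lines: list) -> list:
    """Group matching log lines into one event per (handler, device), as the Events page does."""
    events = {}
    for line in lines:
        rec = parse_log(line)
        stamp = f"{rec.get('date', '')} {rec.get('time', '')}"
        for h in handlers:
            if not h.matches(rec):
                continue
            key = (h.name, rec.get("devname", "?"))
            ev = events.setdefault(key, Event(h.name, h.severity, h.log_type, key[1]))
            ev.count += 1
            ev.last_occurrence = max(ev.last_occurrence, stamp)  # ISO-style stamps sort as text
            ev.logs.append(rec)
    return list(events.values())


def list_events(events: list, show_acknowledged: bool = False, sort_by: str = "count") -> list:
    """The Events table: acknowledged events are hidden unless requested; sort by a column."""
    visible = [e for e in events if show_acknowledged or not e.acknowledged]
    if sort_by == "count":
        return sorted(visible, key=lambda e: -e.count)
    if sort_by == "severity":
        return sorted(visible, key=lambda e: SEVERITY_RANK[e.severity])
    return sorted(visible, key=lambda e: e.last_occurrence, reverse=True)


def acknowledge(event: Event, note: str = "") -> Event:
    event.acknowledged = True
    event.notes = note[:1023]  # the Event Details text box accepts a 1023 character comment
    return event


# Constructed sample logs for this example (not real device output).
SAMPLE_LOGS = [
    'date=2015-03-02 time=09:00:10 devname=FG-branch type=utm subtype=virus level=warning srcip=10.1.1.5 action=blocked',
    'date=2015-03-02 time=09:05:42 devname=FG-branch type=utm subtype=virus level=warning srcip=10.1.1.9 action=blocked',
    'date=2015-03-02 time=09:06:00 devname=FG-hq type=utm subtype=virus level=warning srcip=10.2.0.7 action=blocked',
    'date=2015-03-02 time=09:07:13 devname=FG-hq type=event subtype=system level=critical logdesc="Admin login failed" user=admin',
    'date=2015-03-02 time=09:07:20 devname=FG-hq type=event subtype=system level=critical logdesc="Admin login failed" user=admin',
    'date=2015-03-02 time=09:30:00 devname=FG-hq type=traffic subtype=forward level=notice srcip=10.2.0.8 action=accept',
]

# Assumed handler definitions for the example.
HANDLERS = [
    Handler("Virus blocked", "utm", {"subtype": "virus", "action": "blocked"}, "High"),
    Handler("Admin login failure", "event", {"logdesc": "Admin login failed"}, "Critical"),
]

if __name__ == "__main__":
    for ev in list_events(correlate(HANDLERS, SAMPLE_LOGS), sort_by="severity"):
        print(ev.severity, ev.name, ev.device, ev.count, ev.last_occurrence)
```

Two details matter operationally: the per-device grouping means the same virus handler produces separate events for FG-branch and FG-hq, each with its own count, and acknowledging an event only hides it from the default view, so the underlying logs and review note remain available when Show Acknowledged is selected.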



FortiSwitch Standalone Mode Administration Guide

Introduction

Welcome and thank you for selecting Fortinet products for your network configuration.

This guide contains information about the administration of a FortiSwitch unit in standalone mode. In standalone mode, a FortiSwitch is managed by connecting directly to the unit, either using the web-based manager (also known as the GUI) or the CLI.

If you will be managing your FortiSwitch unit using a FortiGate, please see the guide Managing a FortiSwitch unit with a FortiGate.

Supported Models

This guide is for all FortiSwitch models that are supported by FortiSwitchOS. This includes the following models:

FortiSwitch-28C, FortiSwitch-108D-POE, FortiSwitch-124D, FortiSwitch-124D-POE, FortiSwitch Rugged-124D, FortiSwitch-224D-POE, FortiSwitch-324B-POE, FortiSwitch-348B, FortiSwitch-448B, FortiSwitch-1024D, FortiSwitch-1048D, and FortiSwitch-3032D.

Before You Begin

Before you start administering your FortiSwitch unit, it is assumed that you have completed the initial configuration of the FortiSwitch unit, as outlined in the QuickStart Guide for your FortiSwitch model, and have administrative access to the FortiSwitch unit’s web-based manager and CLI.

How this Guide is Organized

This guide is organized into the following chapters:

  • System Settings contains information about the initial configuration of your FortiSwitch unit.
  • Ports contains information on configuring your FortiSwitch’s ports.
  • 802.1x contains information on using the 802.1x protocol.
  • LACP Mode contains information on using a FortiSwitch in Link Aggregation Control Protocol (LACP) mode.
  • TACACS contains information on using TACACS authentication with your FortiSwitch unit.
  • Power over Ethernet contains information on using Power over Ethernet (PoE) with your FortiSwitch.


FortiView


The FortiView tab allows you to access both FortiView drill down and Log view menus. FortiView in FortiAnalyzer collects data from FortiView in FortiGate. In order for information to appear in the FortiView dashboards in FortiGate, disk logging must be selected for the FortiGate unit. Select the FortiView tab and select the ADOM from the drop-down list.

FortiView

Use FortiView to drill down real-time and historical traffic from log devices by sources, applications, destinations, web sites, threats, and cloud applications. Each FortiView can be filtered by a variety of attributes, as well as by device and time period. These attributes can be selected using the right-click context menu. Results can also be filtered using the various columns.

The following FortiViews are available:

  • Top sources
  • Top applications
  • Top destinations
  • Top web sites
  • Top threats
  • Top cloud applications

Top sources

The Top Sources dashboard displays information about the sources of traffic on your unit. You can drill down the displayed information, and also select the device and time period, and apply search filters.

Figure 88:Top sources

The following information is displayed:

Source Displays the source IP address and/or user name, if applicable. Select the column header to sort entries by source. You can apply a search filter to the source (srcip) column.
Device Displays the device IP address or FQDN. Select the column header to sort entries by device. You can apply a search filter to the device (dev_src) column.
Threat Weight Displays the threat weight value. Select the column header to sort entries by threat weight.
Sessions Displays the number of sessions. Select the column header to sort entries by sessions.
Bandwidth (Sent/Received) Displays the bandwidth value for sent and received packets. Select the column header to sort entries by bandwidth.

The following options are available:

Refresh Refresh the displayed information.
Search Click the search field to add a search filter for user (user), source IP (srcip), source device (dev_src), source interface (srcintf), destination interface (dstintf), policy ID (policyid), security action (utmaction), or virtual domain (vd). Select the GO button to apply the search filter. Alternatively, you can right-click the column entry to add the search filter. Select the clear icon to remove the search filter.
Devices Select the device from the drop-down list or select All Devices. Select the GO button to apply the device filter.
Time Period Select the time period from the drop-down list. Select Custom from the list to specify the start and end date and time. Select the GO button to apply the time period filter.
N When selecting a time period with last N in the entry, you can enter the value for N in this text field.
Custom When Custom is selected, the custom icon is displayed. Select the icon to change the custom time period.
Go Select the GO button to apply the filter.
Pagination Select the number of entries to display per page and browse pages.
Right-click menu Right-click an entry to open the context menu. The following options are available:

 Application Select to drill down by application to view application related information including the application, number of sessions, and bandwidth (sent/received).

You can select to sort entries displayed by selecting the column header. You can apply a search filter in the application (app) column to further filter the information displayed. Select the GO button to apply the search filter.

Select the return icon, , to return to the Top Sources page.

 Destination Select to drill down by destination to view destination related information including the destination IP address and geographic region, the threat weight value, number of sessions, and bandwidth (sent/received).

You can select to sort entries displayed by selecting the column header. You can apply a search filter in the destination (dstip) column to further filter the information displayed. Select the GO button to apply the search filter.

Select the return icon, , to return to the Top Sources page.

 Threat Select to drill down by threat to view threat related information including the threat type, category, threat level, threat weight, and number of incidents.

You can select to sort entries displayed by selecting the column header. You can apply a search filter in the threat (threat) or category

(threattype) columns to further filter the information displayed. Select the GO button to apply the search filter.

Select the return icon, , to return to the Top Sources page.

 Domain Select to drill down by domain to view domain related information including domain, category, browsing time, threat weight, number of sessions, and bandwidth (sent/received).

You can select to sort entries displayed by selecting the column header. Select the GO button to apply the search filter.

Select the return icon to return to the Top Sources page.

 Category Select to drill down by category to view category related information including category, browsing time, threat weight, number of sessions, and bandwidth (sent/received).

You can select to sort entries displayed by selecting the column header. Select the GO button to apply the search filter.

Select the return icon to return to the Top Sources page.

 Sessions Select to drill down by sessions to view session related information including date/time, source/device, destination IP address and geographic region, service, bandwidth (sent/received), user, application, and security action.

You can select to sort entries displayed by selecting the column header. You can apply a search filter in the destination (dstip), service (service), user (user), or application (app) columns to further filter the information displayed. Select the GO button to apply the search filter.

Select the return icon to return to the Top Sources page.

 Search Add a search filter by source IP (srcip) or source device (dev_src). Select the GO button to apply the filter. Select the clear icon to remove the search filter.

Top applications

The Top Applications dashboard shows information about the applications being used on your network, including the application name, category, and risk level. You can drill down into the displayed information, select the device and time period, and apply search filters.

Figure 89: Top applications

The following information is displayed:

Application Displays the application port and service. Select the column header to sort entries by application. You can apply a search filter to the application (app) column.
Category Displays the application category. Select the column header to sort entries by category. You can apply a search filter to the category (appcat) column.
Risk Displays the application risk level. Hover the mouse cursor over the entry in the column for additional information. Select the column header to sort entries by category. Risk uses a new 5-point risk rating. The rating system is as follows:

• Critical: Applications that are used to conceal activity to evade detection.

• High: Applications that can cause data leakage, are prone to vulnerabilities, or downloading malware.

• Medium: Applications that can be misused.

• Elevated: Applications that are used for personal communications or can lower productivity.

• Low: Business related applications or other harmless applications.

Sessions Displays the number of sessions. Select the column header to sort entries by sessions.
Bandwidth (Sent/Received) Displays the bandwidth value for sent and received packets. Select the column header to sort entries by bandwidth.

The following options are available:

 Refresh Refresh the displayed information.
Search Click the search field to add a search filter by application (app), source interface (srcintf), destination interface (dstintf), policy ID (policyid), security action (utmaction), or virtual domain (vd). Select the GO button to apply the search filter. Alternatively, you can right-click the column entry to add the search filter. Select the clear icon to remove the search filter.

Devices Select the device from the drop-down list or select All Devices. Select the GO button to apply the device filter.
Time Period Select the time period from the drop-down list. Select Custom from the list to specify the start and end date and time. Select the GO button to apply the time period filter.
N When selecting a time period with last N in the entry, you can enter the value for N in this text field.
 Custom When Custom is selected the custom icon will be displayed. Select the icon to change the custom time period.
 Go Select the GO button to apply the filter.
Pagination Select the number of entries to display per page and browse pages.
Right-click menu Right-click an entry to drill down using the following options:
 Source Select to drill down by source to view source related information including the source IP address, device MAC address or FQDN, threat weight, number of sessions, and bandwidth (sent/received).

You can select to sort entries displayed by selecting the column header. You can apply a search filter in the source (srcip) and device (dev_src) columns to further filter the information displayed. Select the GO button to apply the search filter.

Select the return icon to return to the Top Applications page.

 Destination Select to drill down by destination to view destination related information including the destination IP address and geographic region, the threat weight value, number of sessions, and bandwidth (sent/received).

You can select to sort entries displayed by selecting the column header. You can apply a search filter in the destination (dstip) column to further filter the information displayed. Select the GO button to apply the search filter.

Select the return icon to return to the Top Applications page.

 Threat Select to drill down by threat to view threat related information including the threat type, category, threat level, threat weight, and number of incidents.

You can select to sort entries displayed by selecting the column header. You can apply a search filter in the threat (threat) or category (threattype) columns to further filter the information displayed. Select the GO button to apply the search filter.

Select the return icon to return to the Top Applications page.

 Sessions Select to drill down by sessions to view session related information including date/time, source/device, destination IP address and geographic region, service, bandwidth (sent/received), user, application, and security action.

You can select to sort entries displayed by selecting the column header. You can apply a search filter in the destination (dstip), service (service), user (user), or application (app) columns to further filter the information displayed. Select the GO button to apply the search filter.

Select the return icon to return to the Top Applications page.

 Search Add a search filter by application or category. Select the GO button to apply the filter. Select the clear icon to remove the search filter.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

System Settings

The System Settings tab enables you to manage and configure system options for the FortiAnalyzer unit. This includes the basic network settings to connect the device to the corporate network, the configuration of administrators and their access privileges, and managing and updating firmware for the device.

The System Settings tab provides access to the following menus and sub-menus:

 Dashboard Select this menu to configure, monitor, and troubleshoot your FortiAnalyzer device. Dashboard widgets include: System Information, License Information, Unit Operation, System Resources, Alert Message Console, CLI Console, Log Receive Monitor, Logs/Data Received, and Statistics.

 All ADOMs Select this menu to create new ADOMs and monitor all existing ADOMs.

 RAID management Select this menu to configure and monitor your Redundant Array of Independent Disks (RAID) setup. This page displays information about the status of RAID disks as well as what RAID level has been selected. It also displays how much disk space is currently consumed.

 Network Select this menu to configure your FortiAnalyzer interfaces. You can also view the IPv4/IPv6 Routing Table and access Diagnostic Tools.
 Admin Select this menu to configure administrator user accounts, as well as configure global administrative settings for the FortiAnalyzer unit.

• Administrator

• Profile

• Remote authentication server

• Administrator settings

 Certificates Select this menu to configure the following:

• Local certificates

• CA certificates

• Certificate revocation lists

 Event log Select this menu to view FortiAnalyzer event log messages. On this page you can:

• Download the logs in .log or .csv formats

• View raw logs or logs in a formatted table

• Browse the event log, FDS upload log, and FDS download log

 Task monitor Select this menu to monitor FortiAnalyzer tasks.
 Advanced Select to configure advanced settings.

• SNMP v1/v2c

• Mail server

• Syslog server

• Meta fields

• Device log settings

• File management

• Advanced settings

