Device Manager

The Device Manager tab allows you to add and edit devices and VDOMs, and view completed reports for devices and VDOMs.

Figure 9 shows the Device Manager tab.

Figure 9: Device manager tab

The tree menu shows the devices and VDOMs within the selected ADOM. If ADOMs are disabled, the tree menu simply shows the devices. When ADOMs are enabled, the ADOM is selected using the drop-down list in the toolbar.

The device and VDOM list can be searched using the search box in the content pane toolbar. The columns shown in the list can be customized, and the list can be sorted by selecting a column header.

To change the column settings:

  1. Right-click on a column heading in the content pane.

Columns currently included in the content pane table have a green check mark next to them.

Figure 10: Column right-click menu

  2. Select a column from the list to add or remove that column from the table.

Select Reset to Default to reset the table to its default state.

Devices

Devices are organized by device type. VDOMs and model devices can be created and deleted.

Devices and VDOMs

Device models can be added and deleted, devices can be edited, and VDOMs can be deleted. The Add Device wizard is used to add model devices.

To add a model device:

  1. Right-click on a group in the tree menu or in the content pane and, from the right-click menu, select Add Device, or, if ADOMs are not enabled, select Add Device from the toolbar.

The Add Device wizard opens.

Figure 11: Add device wizard login screen

  2. Enter the device IP address, user name, and password in the requisite fields.
  3. Select Next to continue to the next page of the wizard: Add Device.

Figure 12: Add device wizard add device screen

  4. Enter the following information:
    • Name: Enter a name for the device.
    • Description: Enter a description for the device (optional).
    • Device Type: Select the device type from the drop-down list. Select FortiGate for FortiGate ADOMs, FortiSwitch for FortiSwitch ADOMs, etc.
    • Device Model: Select the device model from the drop-down list.
    • Firmware Version: Select the firmware version from the drop-down list.
    • HA Cluster: Select if the device is part of a high availability cluster.
    • Serial Number: Enter the device serial number. This value must match the device model selected. When HA Cluster is enabled, you can enter the serial numbers of all members of the cluster.
    • Disk Log Quota (min. 100MB): Enter the disk log quota in MB. This option is only available for certain device types.
    • When Allocated Disk Space is Full: Select to overwrite the oldest logs or to stop logging when the allocated disk space is full.
    • Device Permissions: Select the device permissions from: Logs, DLP Archive, Quarantine, and IPS Packet Log.
    • Other Device Information: Enter other device information (optional), including: Company/Organization, Contact, City, Province/State, and Country.

  5. Select Next to proceed to the next add device page.

Figure 13: Add device wizard add device screen two

  6. After the device has been created successfully, select Next to proceed to the summary page.

Figure 14: Add device wizard summary screen

  7. Select Finish to add the device model.

To edit a device:

  1. In the Device Manager tab, in the tree menu, select the group that contains the device you need to edit.
  2. In the content pane, right-click on the device and select Edit from the right-click menu.

The Edit Device dialog box opens.

Figure 15: Edit a device

  3. Edit the following information as needed:
    • Name: The name of the device.
    • Description: Descriptive information about the device.
    • Company/Organization: Company or organization information.
    • Country: Enter the country.
    • Province/State: Enter the province or state.
    • City: Enter the city.
    • Contact: Enter the contact name.
    • IP Address: The IP address of the device.
    • Admin User: The administrator username.
    • Password: The administrator password.
    • Device Information: Information about the device, including serial number, device model, firmware version, and connected interface.
    • HA Cluster: Select if the device is part of a high availability cluster.
    • Serial No.: When HA Cluster is enabled, you can enter the serial numbers of all members of the cluster.
    • Disk Log Quota (min. 100MB): The amount of space that the disk log is allowed to use, in MB.
    • When Allocated Disk Space is Full: The action for the system to take when the disk log quota is filled, either Overwrite Oldest Logs or Stop Logging.
    • Secure Connection: Select the check box to enable this feature. Secure Connection secures Odette File Transfer Protocol (OFTP) traffic through an IPsec tunnel.
    • ID: The device serial number.
    • Pre-Shared Key: The pre-shared key for the IPsec connection between the FortiGate and FortiAnalyzer.
    • Device Permissions: The device’s permissions. Select any of: Logs, DLP Archive, Quarantine, and IPS Packet Log.
  4. Select OK to finish editing the device.

To delete a device or VDOM:

  1. In the Device Manager tab, in the tree menu, select the group that contains the device or VDOM you need to delete.
  2. In the content pane, right-click on the device or VDOM and select Delete in the right-click menu.
  3. Select OK in the confirmation window to delete the device or VDOM.

Unregistered devices

In FortiAnalyzer v5.2.0 and later, the unregister-pop-up setting (config system global, set unregister-pop-up) is disabled by default. When a device is configured to send logs to FortiAnalyzer, the unregistered device table will not be displayed. Instead, a new entry named Unregistered Devices will appear in the Device Manager tab tree menu. You can then add devices to specific ADOMs or delete devices using the toolbar buttons or right-click menu.

Figure 16: Unregistered devices

Device reports

You can view, download, and delete device reports in the Device Manager content pane. Selecting a device or VDOM in the tree menu will display all reports associated with that device or VDOM in the content pane. For more information, see “View report tab” on page 173.

To view latest reports from the Device Manager tab:

  1. In the Device Manager tab select the ADOM that contains the device whose reports you would like to view from the drop-down list.
  2. Select the device or VDOM from the tree menu.
  3. The report history is shown in the content pane, showing a list of all the reports that have been run for that device or VDOM.

Figure 17: Report history

  4. In the Format column, select HTML to display the report in a browser window, or select PDF to download the report as a PDF file to your management computer.

Log forwarding

When your FortiAnalyzer device is configured in collector mode, you can configure log forwarding in the Device Manager tab. Logs for selected devices can be forwarded to another FortiAnalyzer, a syslog server, or a Common Event Format (CEF) server.

To put your FortiAnalyzer in collector mode:

  1. Go to System Settings > Dashboard.
  2. In the System Information widget, in the Operation Mode field, select [Change].
  3. In the Change Operation Mode dialog box, select Collector, and then select OK.

The Web-based Manager will refresh and the Device Manager, Log View, and System Settings tabs will be available. See “Changing the operation mode” on page 50 for more information.

To configure log forwarding:

  1. Go to the Device Manager tab and select Log Forwarding.
  2. Select Create New from the toolbar.

The Add log forwarding page is displayed.

Figure 18: Add log forwarding dialog box

  3. Configure the following settings:
    • Server Name: Enter a name to identify the remote server.
    • Remote Server Type: Select the remote server type. Select one of the following: FortiAnalyzer, Syslog, Common Event Format (CEF).
    • Server IP: Enter the server IP address.
    • Select Devices: Select the add icon to select devices. Select devices and select OK to add the devices.
    • Enable Log Aggregation: Select to enable log aggregation. This option is only available when Remote Server Type is set to FortiAnalyzer.
    • Password: Enter the server password.
    • Confirm Password: Re-enter the server password.
    • Upload Daily at: Select a time from the drop-down list.
    • Enable Real-time Forwarding: Select to enable real-time log forwarding.
    • Level: Select the logging level from the drop-down list. Select one of the following: Emergency, Alert, Critical, Error, Warning, Notification, Information, or Debug.
    • Server Port: Enter the server port. When Remote Server Type is FortiAnalyzer, the port cannot be changed. The default port is 514.
  4. Select OK to save the setting.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Administrative Domains

When ADOMs are enabled, you must select the ADOM from the drop-down list in the toolbar.

The Device Manager, FortiView, Event Management, and Reports tabs are displayed per ADOM. The devices within each ADOM are shown in the default All FortiGate group. When ADOMs are disabled, the tree menu simply displays All FortiGates and Unregistered Devices, if there are any. Non-FortiGate devices are grouped into their own specific ADOMs.

ADOMs are not enabled by default, and enabling and configuring the domains can only be performed by the admin administrator. The maximum number of ADOMs you can add depends on the specific FortiAnalyzer system model. Please refer to the FortiAnalyzer data sheet for information on the maximum number of devices and ADOMs that your model supports.

The number of devices within each group is shown in parentheses next to the group name.

To enable the ADOM feature:

  1. Log in as admin.
  2. Go to System Settings > Dashboard.
  3. In the System Information widget, select Enable next to Administrative Domain.
  4. Select OK in the confirmation dialog box to enable ADOMs.

To disable the ADOM feature:

  1. Remove all log devices from all non-root ADOMs.
  2. Delete all non-root ADOMs, by right-clicking on the ADOM in the tree menu in the Device Manager tab and selecting Delete from the pop-up menu.
  3. Go to System Settings > Dashboard.
  4. In the system information widget, select Disable next to Administrative Domain.
  5. Select OK in the confirmation dialog box to disable ADOMs.

Adding an ADOM

You can create both FortiGate and FortiCarrier ADOMs for versions 5.2, 5.0, and 4.3. FortiAnalyzer has default ADOMs for all non-FortiGate devices. When one of these devices is promoted to the DVM table, the device is added to its respective default ADOM and will be visible in the tree menu.

To add an ADOM:

  1. Go to System Settings > All ADOMs and select Create New in the toolbar.

Alternatively, in the Device Manager tab, from the ADOM drop-down list, select Manage ADOMs. In the Manage ADOMs window that opens, select Create New.

The Create ADOM dialog box opens.

Figure 7: Create an ADOM

  2. Enter the following information:
    • Name: Enter a unique name that will allow you to distinguish this ADOM from your other ADOMs.
    • Device Type: Select the device type from the drop-down list.
    • Version: Select the firmware version of the devices that will be in the ADOM. Select one of the following: 5.2, 5.0, or 4.3.
    • Search: Enter a search term to find a specific device (optional).
    • Devices/Groups: Transfer devices, VDOMs, and groups from the available member list on the left to the selected member list on the right to assign those devices to the ADOM.
  3. Select OK to create the ADOM.

To edit an ADOM:

  1. Go to System Settings > All ADOMs, right-click on the ADOM you need to edit, and select Edit in the right-click menu.

Alternatively, in the Device Manager tab, from the ADOM drop-down list, select Manage ADOMs. In the Manage ADOMs window that opens, right-click on the ADOM you need to edit, and select Edit in the right-click menu.

The Edit ADOM dialog box opens.

Figure 8: Edit an ADOM

  2. Edit the following information as required:
    • Name: Edit the ADOM name.
    • Device Type: This field cannot be edited.
    • Version: This field cannot be edited.
    • Search: Enter a search term to find a specific device (optional).
    • Devices/Groups: Transfer devices, VDOMs, and groups from the available member list on the left to the selected member list on the right to assign those devices to the ADOM.
    • Status: Enable or disable the ADOM.
  3. Select OK to finish editing the ADOM.

To delete an ADOM:

  1. Go to System Settings > All ADOMs, right-click on the ADOM you need to delete, and select Delete in the right-click menu.

Alternatively, in the Device Manager tab, from the ADOM drop-down list, select Manage ADOMs. In the Manage ADOMs window that opens, right-click on the ADOM you need to delete, and select Delete in the right-click menu.

  2. Select OK in the confirmation dialog box to delete the ADOM.

Assigning devices to an ADOM

The admin administrator selects the devices to be included in an ADOM. You cannot assign the same device to two different ADOMs.

To assign devices to an ADOM:

  1. Open the Edit ADOM dialog box (see “To edit an ADOM:” on page 29).
  2. From the Available member list, select which devices you want to associate with the ADOM and select the right arrow to move them to the Selected member

If the administrative device mode is Advanced, you can add separate FortiGate VDOMs to the ADOM as well as FortiGate units.

  3. When done, select OK. The selected devices appear in the device list for that ADOM.

Assigning administrators to an ADOM

The admin administrator can create other administrators and assign an ADOM to their account, constraining them to configurations and data that apply only to devices in their ADOM.

By default, when ADOMs are enabled, existing administrator accounts other than admin are assigned to the root domain, which contains all devices in the device list. For more information about creating other ADOMs, see “Adding an ADOM” on page 28.

To assign an administrator to an ADOM:

  1. Log in as admin.

Other administrators cannot configure administrator accounts when ADOMs are enabled.

  2. Go to System Settings > Admin > Administrator.
  3. Configure the administrator account, and select the Admin Domains that the administrator account will be able to use to access the FortiManager system.

See “Administrator” on page 75 for more information.

ADOM device modes

An ADOM has two device modes: normal and advanced. In normal mode, you cannot assign different FortiGate VDOMs to multiple FortiManager ADOMs. The FortiGate unit can only be added to a single ADOM.

In advanced mode, you can assign different VDOMs from the same FortiGate unit to multiple ADOMs.

Advanced ADOM mode will allow users to assign VDOMs from a single device to different ADOMs, but will result in a reduced operation mode and more complicated management scenarios. It is recommended for advanced users only.

To change the ADOM mode, go to System Settings > Advanced > Advanced Settings and change the selection in the ADOM Mode field.

Alternatively, use the following command in the CLI:

config system global
    set adom-mode {normal | advanced}
end

Normal mode is the default setting. To change from advanced back to normal, you must ensure no FortiGate VDOMs are assigned to an ADOM.

Web-based Manager

This section describes general information about using the Web-based Manager to access the FortiAnalyzer system with a web browser.

This section includes the following topics:

  • System requirements
  • Connecting to the Web-based Manager
  • Web-based Manager overview
  • Web-based Manager configuration

System requirements

Web browser support

The FortiAnalyzer Web-based Manager supports the following web browsers:

  • Microsoft Internet Explorer versions 10 and 11
  • Mozilla Firefox versions 30 and 31
  • Google Chrome version 36

Other web browsers may function correctly, but are not supported by Fortinet.

Screen resolution

Fortinet recommends setting your monitor to a screen resolution of 1280×1024. This allows for all the objects in the Web-based Manager to be properly viewed.
Connecting to the Web-based Manager

The FortiAnalyzer unit can be configured and managed using the Web-based Manager or the CLI. This section will step you through connecting to the unit via the Web-based Manager.

For more information on connecting your specific FortiAnalyzer unit, read that device’s QuickStart guide.

To connect to the Web-based Manager:

  1. Connect the unit to a management computer using an Ethernet cable.
  2. Configure the management computer to be on the same subnet as the internal interface of the FortiAnalyzer unit:
    • IP address: 192.168.1.2
    • Netmask: 255.255.255.0.
  3. On the management computer, start a supported web browser and browse to https://192.168.1.99.
  4. Type admin in the User Name field, leave the Password field blank, and select Login.

You should now be able to use the FortiAnalyzer Web-based Manager.

For information on enabling administrative access protocols and configuring IP addresses, see “To edit a network interface:” on page 71.

Web-based Manager overview

The FortiAnalyzer Web-based Manager consists of four primary parts: the tab bar, the main menu bar, the tree menu, and the content pane. The content pane includes a toolbar and, in some tabs, is horizontally split into two sections. The main menu bar is only visible in certain tabs when ADOMs are disabled (see “System Information widget” on page 46).

You can use the Web-based Manager menus, lists, and configuration pages to configure most FortiAnalyzer settings. Configuration changes made using the Web-based Manager take effect immediately without resetting the FortiAnalyzer system or interrupting service.

The Web-based Manager also includes online help, accessed by selecting the help icon in the right side of the tab bar.

Tab bar

The Web-based Manager tab bar contains the device model, the available tabs, the Help button and the Log Out button.

Figure 3: The tab bar

  • Device Manager: Manage groups, devices, and VDOMs, and view real-time monitor data. See “Device Manager” on page 32.
  • FortiView: Drill down top sources, top applications, top destinations, top web sites, top threats, and top cloud applications. This tab was implemented to match the FortiView implementation in FortiGate. The Log View tab is found in the FortiView tab. View logs for managed devices. You can display, download, import, and delete logs on this page. See “FortiView” on page 115.
  • Event Management: Configure and view events for managed log devices. See “Event Management” on page 151. This tab is not available when the unit is in Collector mode. See “Operation modes” on page 15 for more information.
  • Reports: Configure report templates, schedules, and output profiles, and manage charts and datasets. See “Reports” on page 165. This tab is not available when the unit is in Collector mode. See “Operation modes” on page 15 for more information.
  • System Settings: Configure system settings such as network interfaces, administrators, system time, server settings, and others. You can also perform maintenance and firmware operations. See “System Settings” on page 42.
  • Change Password: Select to change the password. Restricted_User and Standard_User admin profiles do not have access to the System Settings tab. An administrator with either of these admin profiles will see the change password icon in the navigation pane.
  • Help: Open the FortiAnalyzer online help.
  • Log Out: Log out of the Web-based Manager.

Tree menu

The Web-based Manager tree menu is on the left side of the window. The content in the menu varies depending on which tab is selected and how your FortiAnalyzer unit is configured.

Some elements in the tree menu can be right-clicked to access different configuration options.

Content pane

The content pane is on the right side of the window. The information changes depending on which tab is being viewed and what element is selected in the tree menu. The content pane of the Log View and Reports tabs are split horizontally into two frames.

Web-based Manager configuration

Global settings for the Web-based Manager apply regardless of which administrator account you use to log in. Global settings include the idle timeout, TCP port number on which the Web-based Manager listens for connection attempts, the network interface(s) on which it listens, and the language of its display.

This section includes the following topics:

  • Language support
  • Administrative access
  • Restricting access by trusted hosts
  • Idle timeout

Language support

The Web-based Manager supports multiple languages; the default language setting is Auto Detect. Auto Detect uses the language configured on your management computer. If that language is not supported, the Web-based Manager will default to English.

You can change the Web-based Manager language to English, Simplified Chinese, Traditional Chinese, Japanese, or Korean. For best results, you should select the language that the management computer operating system uses.

To change the Web-based Manager language:

  1. Go to System Settings > Admin > Admin Settings.

Figure 4: Administration settings

  2. In the Language field, select a language from the drop-down list, or select Auto Detect to use the same language as configured for your management computer.
  3. Select Apply.

The following table lists FortiAnalyzer language support information.

Table 3: Language support

Language                Web-based Manager   Reports   Documentation
English                 Yes                 Yes       Yes
French                  -                   Yes       -
Spanish                 -                   Yes       -
Portuguese              -                   Yes       -
Korean                  Yes                 Yes       -
Chinese (Simplified)    Yes                 Yes       -
Chinese (Traditional)   Yes                 Yes       -
Japanese                Yes                 Yes       -
Russian                 -                   Yes       -
Hebrew                  -                   Yes       -
Hungarian               -                   Yes       -

To change the FortiAnalyzer language setting, go to System Settings > Admin > Admin Settings and, under Administrative Settings > Language, select the desired language from the drop-down menu. The default value is Auto Detect.

Russian, Hebrew, and Hungarian are not included in the default report languages. You can import language translation files for these languages via the command line interface using one of the following commands:

execute sql-report import-lang <language name> <ftp> <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> <sftp> <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> <scp> <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> <tftp> <server IP address> <file name>

For more information, see the FortiAnalyzer CLI Reference available from the Fortinet Document Library.

Administrative access

Administrative access enables an administrator to connect to the system to view and change configuration settings. The default configuration of your system allows administrative access to one or more of the interfaces of the unit as described in the QuickStart and installation guides for your device.

Administrative access can be configured in IPv4 or IPv6 and includes settings for: HTTPS, HTTP, PING, SSH (Secure Shell), TELNET, SNMP, Web Service, and Aggregator.

To change administrative access:

  1. Go to System Settings > Network.

By default, port1 settings will be presented. To configure administrative access for a different interface, select All Interfaces, and then select the interface from the list.

  2. Set the IPv4 IP/Netmask or the IPv6 Address, select one or more Administrative Access types for the interface, and set the default gateway and Domain Name System (DNS) servers.

Figure 5: Network management interface

  3. Select Apply to finish changing the access settings.

For more information, see “Network” on page 69.

Restricting access by trusted hosts

To prevent unauthorized access to the Web-based Manager, you can configure administrator accounts with trusted hosts. With trusted hosts configured, the admin user can only log in to the Web-based Manager from a computer whose address matches a trusted host defined in the admin account.

For more information, see “Administrator” on page 75.
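As an added example (not from this guide or from Fortinet), the following Python script audits a constructed FortiAnalyzer-style configuration for the two settings covered in the Administrative access and Restricting access by trusted hosts sections above: interfaces whose administrative access still includes the cleartext HTTP or TELNET protocols, and administrator accounts that have no trusted host and can therefore log in from any address. The sample configuration and its `allowaccess` and `trusthostN` keywords are assumptions about the CLI form of those settings, not output from a real unit.

```python
import ipaddress

# Constructed sample in the CLI style of the System Settings > Network and
# System Settings > Admin pages. Not taken from any real unit; the "allowaccess"
# and "trusthostN" keywords are assumed to mirror the CLI form of the
# Administrative Access and trusted host settings described above.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "port2"
        set ip 10.0.0.5 255.255.255.0
        set allowaccess https ssh
    next
end
config system admin user
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "auditor"
        set profileid "Standard_User"
    next
end
"""

# Management protocols that carry credentials and sessions in the clear.
CLEARTEXT_PROTOCOLS = {"http", "telnet"}


def parse_config(text):
    """Parse config/edit/set/next/end text into {(section, name): {setting: values}}."""
    entries = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            entries[(section, entry)] = {}
        elif line.startswith("set ") and entry is not None:
            key, *values = line[len("set "):].split()
            entries[(section, entry)][key] = [v.strip('"') for v in values]
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return entries


def cleartext_admin_interfaces(entries):
    """Interfaces whose Administrative Access still includes HTTP or TELNET."""
    findings = []
    for (section, name), settings in entries.items():
        if section != "system interface":
            continue
        exposed = sorted(set(settings.get("allowaccess", [])) & CLEARTEXT_PROTOCOLS)
        if exposed:
            findings.append((name, exposed))
    return findings


def trusted_networks(settings):
    """Networks from an account's trusthostN entries.

    0.0.0.0 0.0.0.0 matches every host, so it is not a restriction and is
    dropped; an account with no remaining entries is unrestricted.
    """
    networks = []
    for key, values in settings.items():
        if key.startswith("trusthost") and len(values) == 2:
            network = ipaddress.IPv4Network(f"{values[0]}/{values[1]}", strict=False)
            if network.prefixlen > 0:
                networks.append(network)
    return networks


def admins_without_trusted_hosts(entries):
    """Administrator accounts that may log in from any source address."""
    return sorted(name for (section, name), settings in entries.items()
                  if section == "system admin user" and not trusted_networks(settings))


def is_trusted_source(entries, admin, source_ip):
    """Would a login for 'admin' from source_ip pass the trusted host check?"""
    networks = trusted_networks(entries[("system admin user", admin)])
    if not networks:
        return True  # no trusted hosts configured: any source is accepted
    return any(ipaddress.IPv4Address(source_ip) in net for net in networks)


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    for interface, protocols in cleartext_admin_interfaces(config):
        print(f"{interface}: cleartext management enabled: {', '.join(protocols)}")
    for admin in admins_without_trusted_hosts(config):
        print(f"{admin}: no trusted hosts, login accepted from any address")
    print("admin from 192.168.1.2:", is_trusted_source(config, "admin", "192.168.1.2"))
```

Run against a real configuration backup, the same two checks give a quick list of interfaces to restrict to HTTPS/SSH and of accounts that still need trusted hosts.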

Idle timeout

By default, the Web-based Manager disconnects administrative sessions if no activity takes place for fifteen minutes. This idle timeout is recommended to prevent someone from using the Web-based Manager from a PC that is logged in and then left unattended.

To change the Web-based Manager idle timeout:

  1. Go to System Settings > Admin > Admin Settings (see Figure 4 on page 22).
  2. Change the Idle Timeout minutes as required.
  3. Select Apply to save the setting.

For more information, see “Administrator settings” on page 86.

Reboot and shutdown the FortiAnalyzer unit

Always reboot and shut down the FortiAnalyzer system using the unit operation options in the Web-based Manager or the CLI to avoid potential configuration problems.

Figure 6: Unit operation actions in the Web-based Manager

To reboot the FortiAnalyzer unit:

  1. In the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget, select Reboot or, in the CLI Console widget, enter:

execute reboot

The CLI responds:

The system will be rebooted.
Do you want to continue? (y/n)

  3. Select y to continue. The FortiAnalyzer system will be rebooted.

To shut down the FortiAnalyzer unit:

  1. In the Web-based Manager, go to System Settings > Dashboard.
  2. In the Unit Operation widget, select Shutdown or, in the CLI Console widget, enter:

execute shutdown

The CLI responds:

The system will be halted.
Do you want to continue? (y/n)

  3. Select y to continue. The FortiAnalyzer system will be shut down.

To reset the FortiAnalyzer unit:

  1. In the CLI Console widget, enter:

execute reset all-settings

The CLI responds:

This operation will reset all settings to factory defaults
Do you want to continue? (y/n)

  2. Select y to continue. The device will reset to factory default settings and reboot.

To reset logs and re-transfer all logs into the database:

  1. In the CLI Console widget, enter:

execute reset-sqllog-transfer

The CLI responds:

WARNING: This operation will re-transfer all logs into database.
Do you want to continue? (y/n)

  2. Select y to continue.

Key Concepts

This chapter defines basic FortiAnalyzer concepts and terms.

If you are new to FortiAnalyzer, this chapter can help you to quickly understand this document and your FortiAnalyzer platform.

This topic includes:

  • Administrative domains
  • Operation modes
  • Log storage
  • Workflow

Administrative domains

Administrative domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific device’s VDOM.

Enabling ADOMs alters the structure of and the available functions in the Web-based Manager and CLI, according to whether or not you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account’s assigned access profile. See “System Information widget” on page 46 for information on enabling and disabling ADOMs.

For information on working with ADOMs, see “Administrative Domains” on page 27. For information on configuring administrators and administrator settings, see “Admin” on page 73.

Operation modes

The FortiAnalyzer unit has two operation modes:

  • Analyzer: The default mode that supports all FortiAnalyzer features. This mode is used for aggregating logs from one or more log collectors. In this mode, the log aggregation configuration function is disabled.
  • Collector: The mode used for saving and uploading logs. For example, instead of writing logs to the database, the collector can retain the logs in their original (binary) format for uploading. In this mode, the report function and some functions under the System Settings tab are disabled.

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the FortiAnalyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

The mode of operation that you choose will depend on your network topology and individual requirements. For information on how to select an operation mode, see “Changing the operation mode” on page 50.

Feature comparison between analyzer and collector mode

The operation mode options have been simplified to two modes, Analyzer and Collector. Standalone mode has been removed.

Table 2: Feature comparison between Analyzer and Collector modes

Feature                         Analyzer Mode   Collector Mode
Event Management                Yes             No
Monitoring (drill-down/charts)  Yes             No
Reporting                       Yes             No
FortiView/Log View              Yes             Yes
Device Manager                  Yes             Yes
System Settings                 Yes             Yes
Log Forwarding                  No              Yes

Analyzer mode

The analyzer mode is the default mode that supports all FortiAnalyzer features. If your network log volume does not compromise the performance of your FortiAnalyzer unit, you can choose this mode.

Figure 1 illustrates the network topology of the FortiAnalyzer unit in analyzer mode.

Figure 1: Topology of the FortiAnalyzer unit in analyzer mode

Analyzer and collector mode

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

In most cases, the volume of logs fluctuates dramatically during a day or week. You can deploy a collector to receive and store logs during the high traffic periods and transfer them to the analyzer during the low traffic periods. As a result, the performance of the analyzer is guaranteed as it will only deal with log insertion and reporting when the log transfer process is over.

As illustrated in Figure 2: company A has two remote branch networks protected by multiple FortiGate units. The networks generate large volumes of logs which fluctuate significantly during a day. It used to have a FortiAnalyzer 4000B in analyzer mode to collect logs from the FortiGate units and generate reports. To further boost the performance of the FortiAnalyzer 4000B, the company deploys a FortiAnalyzer 400C in collector mode in each branch to receive logs from the FortiGate units during the high traffic period and transfer bulk logs to the FortiAnalyzer 4000B during the low traffic period.

Figure 2: Topology of the FortiAnalyzer units in analyzer/collector mode

FortiAnalyzer v5.2.0 Administration Guide

To set up the analyzer/collector configuration:

  1. On the FortiAnalyzer unit, go to System Settings > Dashboard.
  2. In the System Information widget, in the Operation Mode field, select Change.
  3. Select Analyzer in the Change Operation Mode dialog box.
  4. Select OK.
  5. On the first collector unit, go to System Settings > Dashboard.
  6. In the System Information widget, in the Operation Mode field, select Change.
  7. Select Collector in the Change Operation Mode dialog box.
  8. Select OK.

For more information on configuring log forwarding, see “Log forwarding” on page 40.

Log storage

The FortiAnalyzer unit supports Structured Query Language (SQL) logging and reporting. The log data is inserted into the SQL database for generating reports. Both local and remote SQL database options are supported.

For more information, see “Reports” on page 165.

Workflow

Once you have successfully deployed the FortiAnalyzer platform in your network, using and maintaining your FortiAnalyzer unit involves the following:

  • Configuration of optional features, and re-configuration of required features if required by changes to your network
  • Backups
  • Updates
  • Monitoring reports, logs, and alerts

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

What’s New in FortiAnalyzer v5.2

FortiAnalyzer v5.2 includes the following new features and enhancements.

FortiAnalyzer v5.2.0

FortiAnalyzer v5.2.0 includes the following new features and enhancements.

Event Management

  • Event Handler for local FortiAnalyzer event logs
  • FortiOS v4.0 MR3 logs are now supported.
  • Support subject customization of alert email.

FortiView

  • New FortiView module

Logging

  • Updated compact log v3 format from FortiGate
  • Explicit proxy traffic logging support
  • Improved FortiAnalyzer insert rate performance
  • Log filter improvements
  • FortiSandbox logging support
  • Syslog server logging support

Reports

  • Improvements to report configuration
  • Improvements to the Admin and System Events Report template
  • Improvements to the VPN Report template
  • Improvements to the Wireless PCI Compliance Report template
  • Improvements to the Security Analysis Report template
  • New Intrusion Prevention System (IPS) Report template
  • New Detailed Application Usage and Risk Report template
  • New FortiMail Analysis Report template
  • New pre-defined Application and Websites report templates
  • Macro library support
  • Option to display or upload reports in HTML format
  • FortiCache reporting support

Other


Introduction

FortiAnalyzer platforms integrate network logging, analysis, and reporting into a single system, delivering increased knowledge of security events throughout your network. The FortiAnalyzer family minimizes the effort required to monitor and maintain acceptable use policies, as well as identify attack patterns to help you fine-tune your policies. Organizations of any size will benefit from centralized security event logging, forensic research, reporting, content archiving, data mining and malicious file quarantining.

FortiAnalyzer offers enterprise class features to identify threats, while providing the flexibility to evolve along with your ever-changing network. FortiAnalyzer can generate highly customized reports for your business requirements, while aggregating logs in a hierarchical, tiered logging topology.

You can deploy FortiAnalyzer physical or virtual appliances to collect, correlate, and analyze geographically and chronologically diverse security data. Aggregate alerts and log information from Fortinet appliances and third-party devices in a single location, providing a simplified, consolidated view of your security posture. In addition, FortiAnalyzer platforms provide detailed data capture for forensic purposes to comply with policies regarding privacy and disclosure of information security breaches.

Feature support

The following table lists FortiAnalyzer feature support for log devices.

Table 1: Feature support per platform (Yes = supported)

Platform       Logging   FortiView   Event Management   Reports
FortiGate      Yes       Yes         Yes                Yes
FortiCarrier   Yes       Yes         Yes                Yes
FortiMail      Yes       No          No                 Yes
FortiWeb       Yes       No          No                 Yes
FortiCache     Yes       No          No                 Yes
FortiClient    Yes       No          No                 No
FortiSandbox   Yes       No          No                 No
Syslog         Yes       No          No                 No

FortiAnalyzer documentation

The following FortiAnalyzer product documentation is available:

  • FortiAnalyzer Administration Guide

This document describes how to set up the FortiAnalyzer system and use it with supported Fortinet units.

  • FortiAnalyzer device QuickStart Guides

These documents are included with your FortiAnalyzer system package. Use them to install and begin working with the FortiAnalyzer system and FortiAnalyzer Web-based Manager.

  • FortiAnalyzer Online Help

You can get online help from the FortiAnalyzer Web-based Manager. FortiAnalyzer online help contains detailed procedures for using the FortiAnalyzer Web-based Manager to configure and manage FortiGate units.

  • FortiAnalyzer CLI Reference

This document describes how to use the FortiAnalyzer Command Line Interface (CLI) and contains references for all FortiAnalyzer CLI commands.

  • FortiAnalyzer Release Notes

This document describes new features and enhancements in the FortiAnalyzer system for the release, and lists resolved and known issues. This document also defines supported platforms and firmware versions.

  • FortiAnalyzer Log Message Reference

This document describes the structure of FortiAnalyzer log messages and provides information about the log messages that are generated by the FortiAnalyzer system.


The Red Coats Are Coming!

Nah…not really. The E models of Fortinet hardware ARE COMING though as they are starting to trickle out if you haven’t noticed already. Pretty cool stuff too as the E models I have seen are substantially stronger in several fronts when it comes to hardware and capabilities. Pretty fun time to be a Fortinet vendor if you ask me!


Setup for email users

This section contains information that you may need to inform or assist your email users so that they can use FortiMail features.

This information is not the same as what is included in the help for FortiMail webmail. It is included in the Administration Guide because:

  • Email users may require some setup before they can access the help for FortiMail webmail.
  • Some information may be too technical for some email users.
  • Email users may not be aware that their email has been scanned by a FortiMail unit, much less where to get documentation for it.
  • Email users may not know which operation mode you have configured.
  • Email users may be confused if they try to access a feature, but you have not enabled it (such as Bayesian scanning or their personal quarantine).
  • You may need to tailor some information to your network or email users.

This section includes:

  • Training Bayesian databases
  • Managing tagged spam
  • Accessing the personal quarantine and webmail
  • Sending email from an email client (gateway and transparent mode)

Training Bayesian databases

Bayesian scanning can be used by antispam profiles to filter email for spam. In order to be accurate, the Bayesian databases that are at the core of this scan must be trained. This is especially important when the databases are empty.

Administrators can provide initial training. For details, see “Training the Bayesian databases” on page 645. If you have enabled it (see “Configuring the Bayesian training control accounts” on page 654 and “Accept training messages from users” on page 511), email users can also contribute to training the Bayesian databases.

To help improve the accuracy of the database, email users selectively forward email to the FortiMail unit. These email messages are used as models of what is or is not spam. When it has seen enough examples to become more accurate at catching spam, a Bayesian database is said to be well-trained.

For example, if the local domain is example.com, and the Bayesian control email addresses are the default ones, an administrator might provide the following instructions to his or her email users.

To train your antispam filters

  1. Initially, forward a sample set of spam and non-spam messages.
    • If you have collected spam, such as in a junk mail folder, and want to train your personal antispam filters, forward them to learn-is-spam@example.com from your email account. Similar email will be recognized as spam.
    • If you have collected non-spam email, such as your inbox or archives, and want to train your personal spam filters, forward them to learn-is-not-spam@example.com from your email account. Similar email will be recognized as legitimate email.
  2. On an ongoing basis, to fine-tune your antispam filters, forward any corrections — spam that was mistaken for legitimate email, or email that was mistaken for spam.
    • Forward undetected spam to is-spam@example.com from your email account.
    • Forward legitimate email that was mistaken for spam to is-not-spam@example.com from your email account.
    • If you belong to an alias and receive spam that was sent to the alias address, forward it to is-spam@example.com to train the alias’s database. Remember to enter the alias, instead of your own email address, in the From:

This helps your antispam filters to properly distinguish similar email/spam in the future.
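To make concrete how the control addresses above feed a per-user database, and why an empty or one-sided database cannot yet catch anything, here is a simplified naive Bayes trainer added for this article; it is not FortiMail's scanner, the addresses are the page's defaults for example.com, and the sample messages are constructed.

```python
import math
import re
from collections import Counter

# Control addresses the page lists for local domain example.com (defaults).
SPAM_ADDRESSES = {"learn-is-spam@example.com", "is-spam@example.com"}
HAM_ADDRESSES = {"learn-is-not-spam@example.com", "is-not-spam@example.com"}

def tokens(text):
    """Lower-case word tokens, binary presence per message (simplification)."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))

class BayesianDatabase:
    """One per-user or per-alias database (FortiMail selects it by From:)."""
    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.n_spam = self.n_ham = 0

    def train(self, forwarded_to, body):
        """Route a forwarded sample by the control address it was sent to."""
        if forwarded_to in SPAM_ADDRESSES:
            self.spam.update(tokens(body)); self.n_spam += 1
        elif forwarded_to in HAM_ADDRESSES:
            self.ham.update(tokens(body)); self.n_ham += 1
        else:
            raise ValueError(f"not a training address: {forwarded_to}")

    def well_trained(self, minimum=2):
        """An empty or one-sided database cannot discriminate yet."""
        return self.n_spam >= minimum and self.n_ham >= minimum

    def spam_probability(self, body):
        """Naive Bayes with Laplace smoothing; returns 0.5 until trained."""
        if not self.well_trained():
            return 0.5
        log_spam, log_ham = math.log(self.n_spam), math.log(self.n_ham)
        for w in tokens(body):
            log_spam += math.log((self.spam[w] + 1) / (self.n_spam + 2))
            log_ham += math.log((self.ham[w] + 1) / (self.n_ham + 2))
        return 1 / (1 + math.exp(log_ham - log_spam))

def demo_database():
    """Constructed sample of what a user might forward during training."""
    db = BayesianDatabase()
    for to, body in [
        ("learn-is-spam@example.com", "cheap pills buy now limited offer"),
        ("learn-is-spam@example.com", "buy now win prize click offer"),
        ("learn-is-not-spam@example.com", "meeting agenda for tuesday project review"),
        ("learn-is-not-spam@example.com", "please review the attached project budget"),
        ("is-spam@example.com", "missed spam claim your prize click now"),  # correction
    ]:
        db.train(to, body)
    return db
```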

Managing tagged spam

Instead of detaining an email in the system or personal quarantine, the administrator can configure the FortiMail unit to tag the subject line or header of an email that is detected as spam. For details, see “Configuring antispam action profiles” on page 516.

Once spam is tagged, the administrator notifies email users of the text that comprises the tag. Email users can then set up a rule-based folder in their email clients to automatically collect the spam based on tags.

For example, if spam subject lines are tagged with “SPAM”, email users can make a spam folder in their email client, then make filter rules in their email clients to redirect all email with this tag from their inbox into the spam folder.

Methods to create mailbox folders and filter rules vary by email client. For instructions, see your email client’s documentation.
