ADMINISTRATION GUIDE FortiAnalyzer Version 3.0 MR7 www.fortinet.
FortiAnalyzer Administration Guide Version 3.0 MR7 08 September 2008 05-30007-0082-20080908 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Contents (excerpt)
Introduction ... 9
  About this document ... 9
  Fortinet documentation ... 10
    Fortinet Tools and Documentation CD ... 10
    Fortinet Knowledge Center
Viewing session information
  Filtering session information
Report Engine
Log Receive Monitor
Intrusion Activity
Hot swapping the FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A ... 66
Configuring RAID on the FortiAnalyzer-400 and FortiAnalyzer-800/800B ... 67
Configuring RAID on the FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A ... 67
Configuring LDAP connections
Customizing the content archive view ... 108
Displaying and arranging log columns ... 109
Filtering logs ... 110
  Filtering tips ... 110
Searching full email content archives
Searching the Network Analyzer logs ... 150
  Search tips ... 152
  Printing the search results ... 153
  Downloading the search results ... 153
Rolling and uploading Network Analyzer logs
Appendix: FortiAnalyzer reports in 3.0 MR7 ... 185
  FortiGate reports ... 185
    Intrusion Activity
    Antivirus Activity
    Webfilter Activity
Introduction
FortiAnalyzer units are network appliances that provide integrated log collection and reporting tools. Reports analyze logs for email, FTP, web browsing, security events, and other network activity to help identify security issues and reduce network misuse and abuse.
• Reports describes how to configure report profiles for one-time or scheduled reports on your network devices, users, or groups.
• Alert describes how to define log message criteria that signify critical network events. As log messages arrive, if they meet those criteria, FortiAnalyzer units send alert messages using a method of your choice: email, SNMP, or Syslog. This chapter also lists the SNMP traps that the FortiAnalyzer unit supports.
Fortinet Tools and Documentation CD
All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation, see the Fortinet Technical Documentation web site at http://docs.forticare.com.
What’s new for 3.0 MR7
This section lists and describes the new features and changes in FortiAnalyzer 3.0 MR7. The chapter “Managing firmware versions” on page 169 provides detailed information about how to properly upgrade to FortiAnalyzer 3.0 MR7. New CLI commands, as well as changes to existing CLI commands, are described in the What’s new chapter of the FortiAnalyzer CLI Reference.
• Network Summary menu removed – The Network Summary menu was removed in FortiAnalyzer 3.0 MR7 because most of the information it previously displayed now appears as widgets on the Dashboard. See “Dashboard” on page 25 for more information about the widgets that replace the Network Summary menu.
3.0 MR7 new features and changes
The following descriptions include only the menus containing new features, changed features, or both. Additional information is provided within this document.
Power supply monitoring for FortiAnalyzer-2000A and 4000A
In FortiAnalyzer 3.0 MR7, the new power supply monitoring feature provides a notification when a power supply fails or an administrator adds a power supply to the system.
For the Log Receive Monitor widget, a diagnose command is introduced that provides the total message rate, the message rate per protocol, and the message rate per device in the CLI. See “System” on page 25 for information about the new widgets in FortiAnalyzer 3.0 MR7.
Custom fields for log messages
In FortiAnalyzer 3.
Fortinet recommends configuring a test report layout and report schedule to familiarize yourself with how reports are configured in FortiAnalyzer 3.0 MR7. See “Reports” on page 113 for how to configure reports in FortiAnalyzer 3.0 MR7. In Report > Config, new tabs were added: Layout, Data Filter, Output, and Language.
Alert email configuration changes
When configuring an alert email in Alert > Alert Event, you are now required to enter information in the following fields:
• alert name
• destination (or destinations)
• device
Another configuration change is a drop-down list providing the destinations: syslog servers, mail servers and SNMP access lists. Syslog servers and SNMP access lists only appear in the list when they have been configured in Alert > Output.
Administrative Domains (ADOMs)
Administrative Domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific FortiGate VDOM.
Table 2: Configuration locations when ADOMs are enabled
Within Global Configuration:
• System > Dashboard (includes tabs, if configured)
• System > Network > Interface
• System > Network > DNS
• System > Network > Routing
• System > Admin > Administrator
• System > Admin > Access Profile
• System > Admin > Auth Group
• System > Admin > RADIUS Server
• System > Admin > Settings
• System > Admin > Monitor
• System > Network Sharing > Windows
Within each ADOM:
• If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A subset of the typical menus or CLI commands appears, allowing access only to the logs, reports, quarantine files, content archives, IP aliases, and LDAP queries specific to your ADOM. You cannot access Global Configuration or enter other ADOMs.
Configuring ADOMs
Administrative domains (ADOMs) are disabled by default. To use administrative domains, the admin administrator must first enable the feature, create ADOMs, and assign other FortiAnalyzer administrators to an ADOM.
Figure 1: Administrative Domain Configuration
Global Configuration: The admin administrator can access the global configuration. Select Main Menu to return to the Admin Domain Configuration page.
To add or edit an ADOM
1 Log in as admin. Other administrators cannot enable, disable, or configure ADOMs.
2 Select Create New, or select the check box next to an ADOM and select Edit.
3 Enter a Name for the ADOM.
4 Select which devices to associate with the ADOM from Available Devices, then select the right arrow to move them to Selected Devices. You can move multiple devices at once.
Accessing ADOMs as the admin administrator
When ADOMs are enabled, additional ADOM items become available to the admin administrator and the structure of the web-based manager menu changes. After logging in, other administrators implicitly access the subset of the web-based manager that pertains only to their ADOM, while the admin administrator accesses the root of the web-based manager and can use all menus.
System
The System menu contains basic FortiAnalyzer unit system settings, such as network interfaces, DNS, routing, local logging, administrators, and network shares. It also displays system statistics and provides basic system operations from the Dashboard. From the System menu, you can also back up or restore a configuration, or update the firmware on the FortiAnalyzer unit.
Figure 1: Dashboard of a FortiAnalyzer-100A unit displaying one of the new widgets, Log Receive Monitor, and a tab, Branch Office
To rearrange a Dashboard widget
1 Go to System > Dashboard.
2 Place your mouse cursor over the widget’s title bar area, but not over buttons such as Hide or Close. The cursor changes to a multidirectional arrow.
3 Select and drag the widget to its new location.
3 Select Show or Hide. The widget toggles between showing the full widget and being minimized to show only its title bar.
To include a Dashboard widget
1 Go to System > Dashboard.
2 Select “+ Widget”.
3 A widget selection overlay appears.
4 Select one or more widgets. Alternatively, to restore the default set of widgets, select Back to Default. The selected widgets appear on the Dashboard layout.
3 Enter a new name and press Enter.
To delete a tab
1 Go to System > Dashboard.
2 Double-click on the name of the tab and select the (X) symbol.
RAID Monitor
The RAID Monitor area of the Dashboard displays the status of the RAID disks, the RAID level that has been selected, and how much disk space is being used. The RAID Monitor layout is similar to the look of the front panel.
Figure 4: RAID Monitor displaying a disk that is being rebuilt (labels: Rebuilding icon, Rebuild Status bar)
Array Status: Displays the following icons and status text when the RAID disk is okay, failed, or being rebuilt:
• green checkmark (OK) – indicates that the RAID disk has no problems
• warning symbol (Warning) – indicates that there is a problem with the RAID disk, such as a failure, and that it needs replacing.
Figure 5: System Information
Serial Number: The serial number of the FortiAnalyzer unit. The serial number is unique to the FortiAnalyzer unit and does not change with firmware updates. Use this number when registering your FortiAnalyzer unit with Fortinet.
Uptime: The time in days, hours and minutes since the FortiAnalyzer unit was started or last rebooted.
System Time: The current time according to the FortiAnalyzer internal clock.
Synchronize with NTP Server: Select to use an NTP server to automatically set the system date and time. You must specify the server and synchronization interval. Alternatively, select Set Time.
Server: Enter the IP address or domain name of an NTP server. See http://www.ntp.org to find an NTP server that you can use.
Sync Interval: Specify how often the FortiAnalyzer unit should synchronize its time with the NTP server.
RVS Plug-ins: The version of the RVS plug-in, and the date of its last update. This feature is not available on the FortiAnalyzer-100.
Device License: A total of the number of each device type connecting or attempting to connect to the FortiAnalyzer unit. For more information about the maximum numbers of devices of each type and/or VDOMs that are permitted to connect to the FortiAnalyzer unit, see “Maximum number of devices” on page 76.
To view the FortiAnalyzer operational history
1 Go to System > Dashboard.
2 Select History in the upper right corner of the System Resources area.
CPU Usage: The CPU usage for the previous minute.
Memory Usage: The memory usage for the previous minute.
Session: The session history for the previous minute.
Network Utilization: The network use for the previous minute.
System Operation
Some basic operations can be performed directly from the Dashboard in the System Operation area.
Resetting to the default configuration
You can reset the FortiAnalyzer unit to its default configuration. Resetting the configuration does not restore the original firmware; configuration and firmware are distinct. Use the procedures in “Managing firmware versions” on page 169 for managing firmware.
Caution: Back up the configuration before resetting.
Figure 10: Alert messages
Page: Select the page of alerts to view. Use the arrows to move forward and back through the pages, or enter a page number and press Enter.
Include ... and higher: Select an alert level to view. The level you select and the alert messages at levels higher than the one selected appear in the alert list.
Keep Unacknowledged Alerts for: Select the number of previous days of alert messages to display.
To view the session information
1 Go to System > Dashboard.
2 In the Statistics area, next to Connections, select Details.
Resolve Host Name: Select to display hosts by a recognizable name rather than by IP address. For more information about configuring IP address host names, see “Configuring IP aliases” on page 60.
Resolve Service: Select to display network service names rather than port numbers, such as HTTP rather than port 80.
Log Receive Monitor
The Log Receive Monitor displays a historical analysis of the rate at which logs are received, in graphical form. You can display the information by log type or by device, and you can also specify the time period. A new diagnose command was also added to display this information in the CLI. You can edit the Log Receive Monitor to display specific information.
Intrusion Activity
Intrusion Activity displays the top attacks that occurred on the network. This information is gathered from attack logs. You can edit the Intrusion Activity widget to display specific information by using the following procedure.
Figure 14: Intrusion Activity widget
To edit the information for Intrusion Activity
1 Go to System > Dashboard.
2 In Intrusion Activity, select Edit in the title bar area.
Figure 15: Virus Activity widget
To edit the information for Virus Activity
1 Go to System > Dashboard.
2 In Virus Activity, select Edit in the title bar area.
3 Enter the appropriate information for the following:
Device: Select the registered device or device group from the drop-down list.
Display by: Select one of the following to filter the information:
• Time Period – filters virus activity by time period
Time Scope No.
To edit the information for Top FTP Traffic
1 Go to System > Dashboard.
2 In Top FTP Traffic, select Edit in the title bar area.
3 Enter the appropriate information for the following:
Device: Select the registered device or device group from the drop-down list.
Display by: Select one of the following to filter the information:
• Top Sources (to any) – filters only the top sources
Time Scope No.
3 Enter the appropriate information for the following:
Device: Select the registered device or device group from the drop-down list.
3 Enter the appropriate information for the following:
Type: Select the type of program you want displayed, either IM or P2P.
Device: Select the registered device or device group from the drop-down list.
3 Enter the appropriate information for the following:
Device: Select the registered device or device group from the drop-down list.
Display by: Select one of the following to filter the information:
• Top Sources (to any) – filters only the top sources
• Top Destinations (from any) – filters only the top destinations
• Top Source and Destination (unique) – filters the top sources to unique destinations
Filter Port: Select the type of port, TCP or UDP, and then enter the port number.
3 Enter the appropriate information for the following:
Device: Select the registered device or device group from the drop-down list.
Display by: Select one of the following to filter the information:
• Top Sources (to any) – filters only the top sources
• Top Destinations (from any) – filters only the top destinations
• Top Source and Destination (unique) – filters the top sources to unique destinations
Filter Source IP Address: Enter the source IP address.
Status: The status of the network interface.
• A green arrow indicates the interface is up. Select Bring Down to disable the port.
• A red arrow indicates the interface is down. Select Bring Up to enable the port.
Modify: Select Modify to change the interface settings.
Changing interface settings
To change the interface settings
1 Go to System > Network > Interface.
2 In the row corresponding to the interface you want to change, select Modify.
About Fortinet Discovery Protocol
FortiGate units running FortiOS version 3.0 or greater can use Fortinet Discovery Protocol (FDP), a UDP protocol, to locate a FortiAnalyzer unit. When a FortiGate administrator selects Automatic Discovery, the FortiGate unit attempts to locate FortiAnalyzer units on the network within the same subnet. If FDP has been enabled on its interface to that subnet, the FortiAnalyzer unit responds.
Adding a route
Static routes provide the FortiAnalyzer unit with the information it needs to forward a packet to a particular destination other than through the default gateway.
To add a static route
1 Go to System > Network > Routing.
2 Select Create New.
3 Configure the following options:
Destination IP: Enter the destination IP address of the packets that the FortiAnalyzer unit has to intercept.
Mask: Enter a netmask to associate with the IP address.
Name: The assigned name for the administrator.
Trusted Hosts: The IP address and netmask of the locations from which the administrator is permitted to log in to the FortiAnalyzer unit. If you want the administrator to be able to access the FortiAnalyzer unit from any address, use the IP address and netmask 0.0.0.0/0.0.0.0. To limit the administrator to accessing the FortiAnalyzer unit only from a specific network or host, enter that network’s IP address and netmask.
Access Profile: Select an access profile from the list. Access profiles define administrative access permissions to areas of the configuration by menu item. For more information, see “Access Profile” on page 50.
Admin Domain: Select an administrative domain (ADOM) from the list. ADOMs define administrative access permissions to areas of the configuration and device data by device or VDOM. For more information, see “Administrative Domains (ADOMs)” on page 19.
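The Trusted Hosts field above is the one administrator setting that bounds where a login can come from, and 0.0.0.0/0.0.0.0 removes that bound entirely. The following Python is an added example, not code from the guide or from Fortinet: it parses entries in the same dotted IP/netmask form, checks whether a login source falls inside an account's trusted hosts, and lists accounts whose trusted hosts are unrestricted. The administrator names, networks and login attempts are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed administrator table (hypothetical names and networks): each entry is
# "IP/netmask" in the dotted form the Trusted Hosts field uses.
ADMINS: Dict[str, List[str]] = {
    "admin": ["0.0.0.0/0.0.0.0"],                 # any address, as the guide describes
    "branch-ops": ["10.10.20.0/255.255.255.0"],    # one network
    "auditor": ["192.168.5.17/255.255.255.255"],   # a single host
}


def parse_trusted_host(entry: str) -> ipaddress.IPv4Network:
    """Turn an 'IP/netmask' string into a network; strict=False tolerates host bits set."""
    return ipaddress.ip_network(entry.strip(), strict=False)


def is_trusted(source_ip: str, trusted_hosts: Iterable[str]) -> bool:
    """True when the login source falls inside at least one trusted host entry."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in parse_trusted_host(entry) for entry in trusted_hosts)


def unrestricted_admins(admins: Dict[str, List[str]]) -> List[str]:
    """Accounts whose trusted hosts include the all-addresses entry (prefix length 0)."""
    return sorted(
        name for name, hosts in admins.items()
        if any(parse_trusted_host(h).prefixlen == 0 for h in hosts)
    )


def evaluate_logins(admins: Dict[str, List[str]],
                    attempts: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """For each (user, source_ip) attempt, decide whether the trusted-host check passes.
    Unknown accounts are rejected rather than treated as unrestricted."""
    results = []
    for user, source in attempts:
        hosts = admins.get(user, [])
        results.append((user, source, is_trusted(source, hosts)))
    return results


if __name__ == "__main__":
    # Constructed login attempts: (account, source address)
    sample = [("admin", "203.0.113.9"), ("branch-ops", "10.10.20.77"),
              ("branch-ops", "10.10.21.1"), ("auditor", "192.168.5.17"),
              ("ghost", "10.10.20.1")]
    for user, source, ok in evaluate_logins(ADMINS, sample):
        print(f"{user:<11} from {source:<15} -> {'allowed' if ok else 'denied'}")
    print("accounts with unrestricted trusted hosts:", unrestricted_admins(ADMINS))
```

The netmask form is accepted directly by Python's ipaddress module, so 255.255.255.255 becomes a single-host /32 and 0.0.0.0 becomes /0; unrestricted_admins() is the check to run when reviewing administrator accounts, since the guide's 0.0.0.0/0.0.0.0 value is the one that disables the restriction.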
Figure 24: Access Profile
Note: Administrator accounts can also be restricted to specific devices or VDOMs in the FortiAnalyzer device list. For more information, see “Administrative Domains (ADOMs)” on page 19.
To create an access profile
1 Go to System > Admin > Access Profile.
2 Select Create New.
3 Enter a name for the profile.
4 Select a filter for each option:
None: The administrator has no access to the function.
RADIUS Server
RADIUS servers authenticate administrators. The following procedure explains how to add a RADIUS server for authenticating administrators.
To add a RADIUS server
1 Go to System > Admin > RADIUS Server.
2 Select Create New.
3 Configure the following and select OK:
Name: Enter a name to identify the server.
Server IP/Name: Enter the IP address for the server.
Shared Secret: Enter the password for the server.
PIN Protection: Enable, then enter a Personal Identification Number (PIN) to secure LCD access on FortiAnalyzer units with an LCD panel. The PIN must be six digits. This option only appears on models with an LCD panel.
Admin Domain Configuration: Enable or disable administrative domains (ADOMs). For more information on ADOMs, see “Administrative Domains (ADOMs)” on page 19. This option does not appear if ADOMs are currently enabled and ADOMs other than the root ADOM exist.
3 Enter the following information for the user account and select OK:
User name: Enter a user name. The name cannot include spaces.
UID (NFS only): Enter a user ID. Use this field only if you are using NFS shares. The NFS protocol uses the UID to determine the permissions on files and folders.
Password: Enter a password for the user.
Description: Enter a description of the user. For example, you might enter the user’s name or a position such as IT Manager.
Permissions: The permissions for the user or group, either Read Only or Read Write.
Modify: Select Edit to change any of the options for the file share. Select Delete to remove the file share.
To enable Windows shares
1 Go to System > Network Sharing > Windows Share.
2 Select Enable Windows Network Sharing.
3 Enter a Workgroup name.
4 Select Apply.
5 Configure a share folder and user permissions to access that share.
7 Select the type of access rights the users and groups will have, and select the appropriate right arrow to move the user or group name to the Read-Only Access or Read-Write Access box.
8 Select OK.
Configuring NFS shares
You can configure the FortiAnalyzer unit to provide folder and file sharing using NFS. To view a list of users with NFS share access to the FortiAnalyzer unit, including their access privileges, go to System > Network Sharing > NFS Export.
Note: The default permissions for files and folders are read and execute. The owner of the document also has write privileges. To enable write access for users and groups, you must select the write permission for the folder and for the user and the group. For more information, see “Default file permissions on NFS shares” on page 56.
5 Select OK.
6 In Remote Clients, enter the IP address or domain name of the remote system or user ID.
Figure 30: FortiAnalyzer unit log settings
Log Locally: Select to save the FortiAnalyzer log messages on the FortiAnalyzer hard disk.
Log Level: Select the severity level for the log messages recorded to the FortiAnalyzer hard disk. The FortiAnalyzer unit logs all levels of severity down to, but not less severe than, the level you select. For example, if you want to record emergency, critical, and error messages, select Error.
Log file should be rolled... even if size is not exceeded: Select how often the FortiAnalyzer unit renames the current log file and starts a new active log file.
• Daily: Roll log files daily, even if the log file has not yet reached the maximum file size.
• Weekly: Roll log files weekly, even if the log file has not yet reached the maximum file size.
• Optional: Roll log files only when the log file reaches the maximum file size, regardless of time interval.
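The three roll settings differ only in whether elapsed time is a trigger in addition to file size. The Python below is an added example, not code from the guide or from Fortinet: it encodes that decision as a function and replays a constructed sequence of writes so the difference between Daily, Weekly and Optional is visible. The write schedule, the 100 MB maximum and the roll-time bookkeeping are assumptions made for the example; the guide does not describe how the unit measures the interval.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed meaning of each setting: the time interval after which a roll happens even if the
# maximum size has not been reached. "optional" rolls on size only.
ROLL_INTERVALS = {
    "daily": timedelta(days=1),
    "weekly": timedelta(weeks=1),
    "optional": None,
}


def should_roll(policy: str, size_bytes: int, max_size_bytes: int,
                last_roll: datetime, now: datetime) -> bool:
    """Decide whether the active log file is renamed and a new one started.
    Reaching the maximum size is always a trigger; elapsed time only for daily/weekly."""
    if policy not in ROLL_INTERVALS:
        raise ValueError(f"unknown roll policy: {policy!r}")
    if size_bytes >= max_size_bytes:
        return True
    interval: Optional[timedelta] = ROLL_INTERVALS[policy]
    return interval is not None and (now - last_roll) >= interval


def simulate(policy: str, max_size_bytes: int,
             writes: List[Tuple[datetime, int]]) -> List[int]:
    """Replay (timestamp, bytes appended) writes; return the hour offsets (from the first
    write) at which rolls occur. A roll resets the size and the interval clock."""
    first = writes[0][0]
    last_roll = first
    size = 0
    rolls: List[int] = []
    for ts, nbytes in writes:
        size += nbytes
        if should_roll(policy, size, max_size_bytes, last_roll, ts):
            rolls.append(int((ts - first).total_seconds() // 3600))
            size = 0
            last_roll = ts
    return rolls


def constructed_writes() -> List[Tuple[datetime, int]]:
    """Constructed schedule: 20 MB appended every 6 hours for three days (12 writes)."""
    start = datetime(2008, 9, 8, 0, 0)
    return [(start + timedelta(hours=6 * i), 20_000_000) for i in range(12)]


if __name__ == "__main__":
    for policy in ("optional", "daily", "weekly"):
        print(f"{policy:<8} rolls at hours: {simulate(policy, 100_000_000, constructed_writes())}")
```

With this schedule the file hits 100 MB every 30 hours, so Optional and Weekly both roll at hours 24 and 54, while Daily rolls at 24 and then again at 48 because a day has passed since the previous roll even though only 80 MB has accumulated.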
For example, a company may have a headquarters and a number of branch offices. Each branch office has a FortiGate unit and a FortiAnalyzer-100A/100B to collect local log information. Those branch office FortiAnalyzer units are configured as log aggregation clients. The headquarters has a FortiAnalyzer-2000/2000A, which is configured as the log aggregator.
Configuring an aggregation client
An aggregation client is a FortiAnalyzer unit that sends logs to an aggregation server. These include models such as the FortiAnalyzer-100A/100B and FortiAnalyzer-400.
To configure the aggregation client
1 Go to System > Config > Log Aggregation.
2 Select Enable log aggregation TO remote FortiAnalyzer.
3 Set the following settings and select OK:
Remote FortiAnalyzer IP: Enter the IP address of the FortiAnalyzer unit acting as the aggregation server.
3 Enter the IP address of the external syslog server in Remote device IP.
4 Select whether to Forward all incoming logs or Forward only authorized logs (authorized according to a device’s permissions in the device list).
5 Select the Minimum Severity threshold. All log events of equal or greater severity are transmitted. For example, if the selected Minimum Severity is Critical, all Emergency, Alert and Critical log events are forwarded; other log events are not.
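Both the local Log Level setting and the forwarding Minimum Severity setting are the same rule: keep everything at least as severe as the chosen level. The Python below is an added example, not code from the guide or from Fortinet, that applies that rule to log lines. It assumes the standard syslog ordering of severities (emergency is most severe, debug least), which the guide does not spell out beyond the levels it names, and the sample lines are constructed key=value text with a level= field rather than real FortiAnalyzer output. Lines whose level cannot be classified are reported separately instead of being silently forwarded or silently dropped.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed severity ranks (standard syslog order): 0 is most severe.
SEVERITY: Dict[str, int] = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}

# Constructed sample log lines (not real FortiAnalyzer output).
SAMPLE_LOGS = [
    'date=2008-09-08 time=10:01:02 devname=branch-fw1 level=emergency msg="kernel panic"',
    'date=2008-09-08 time=10:01:05 devname=branch-fw1 level=alert msg="disk failure imminent"',
    'date=2008-09-08 time=10:01:09 devname=branch-fw2 level=critical msg="RAID array degraded"',
    'date=2008-09-08 time=10:02:00 devname=branch-fw2 level=error msg="NTP sync failed"',
    'date=2008-09-08 time=10:02:30 devname=branch-fw1 level=warning msg="login from new host"',
    'date=2008-09-08 time=10:03:00 devname=branch-fw2 level=information msg="admin logged out"',
    'date=2008-09-08 time=10:03:10 devname=branch-fw2 level=bogus msg="unparseable level"',
]

_LEVEL_RE = re.compile(r"\blevel=(\w+)")


def parse_level(line: str) -> Optional[int]:
    """Numeric severity of a log line, or None when the level field is missing or unknown."""
    m = _LEVEL_RE.search(line)
    if not m:
        return None
    return SEVERITY.get(m.group(1).lower())


def meets_threshold(level_name: str, minimum: str) -> bool:
    """True when level_name is at least as severe as minimum (lower rank = more severe)."""
    return SEVERITY[level_name.lower()] <= SEVERITY[minimum.lower()]


def apply_threshold(lines: Iterable[str], minimum: str) -> Tuple[List[str], List[str]]:
    """Split lines into (kept, dropped). Unclassifiable lines land in dropped so an
    operator can see what the filter could not rank."""
    threshold = SEVERITY[minimum.lower()]
    kept: List[str] = []
    dropped: List[str] = []
    for line in lines:
        rank = parse_level(line)
        if rank is not None and rank <= threshold:
            kept.append(line)
        else:
            dropped.append(line)
    return kept, dropped


def levels_included(minimum: str) -> List[str]:
    """Names of all levels a given setting records or forwards, most severe first."""
    threshold = SEVERITY[minimum.lower()]
    return [name for name, rank in sorted(SEVERITY.items(), key=lambda kv: kv[1])
            if rank <= threshold]


if __name__ == "__main__":
    for setting in ("Critical", "Error"):
        kept, dropped = apply_threshold(SAMPLE_LOGS, setting)
        print(f"Minimum Severity = {setting}: includes {levels_included(setting)}")
        print(f"  kept {len(kept)} line(s), dropped {len(dropped)} line(s)")
```

Running it with Critical keeps the emergency, alert and critical lines, matching the guide's forwarding example; with Error the error line is kept as well. The unknown level "bogus" is dropped under both settings and counted, which is the behaviour to check for when a device's log format changes after an upgrade.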
3 Enter the path and file name, or select Browse to locate the file.
4 Select OK.
IP alias ranges
When adding an IP alias you can include an IP address range as well as individual addresses. For example:
• 10.10.10.1 - 10.10.10.50
• 10.10.10.1 - 10.10.20.100
Configuring RAID
FortiAnalyzer units containing multiple hard disks can store data using a RAID array to provide redundant storage, data protection, faster hard disk access, or a larger storage capacity.
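For the IP alias ranges described just above (before the Configuring RAID section): the second example range crosses a third-octet boundary, so a correct range check has to compare whole addresses, not octet by octet. The Python below is an added example, not code from the guide or from Fortinet. It parses alias entries written in the guide's "start - end" form or as single addresses, resolves an address to its alias name (the effect of the Dashboard's Resolve Host Name option on session data), and rejects a range whose end precedes its start. The alias names, ranges and session addresses are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed alias table: (alias name, single address or "start - end" range).
ALIAS_ENTRIES: List[Tuple[str, str]] = [
    ("HQ-gateway", "10.10.10.1"),
    ("Branch-workstations", "10.10.10.2 - 10.10.10.50"),
    ("Campus-block", "10.10.10.1 - 10.10.20.100"),
]


def parse_alias_range(spec: str) -> Tuple[int, int]:
    """Parse '10.10.10.1 - 10.10.20.100' or a single address into an inclusive
    (start, end) pair of 32-bit integers. Raises ValueError on malformed or reversed ranges."""
    parts = [p.strip() for p in spec.split("-")]
    if len(parts) == 1:
        start = end = int(ipaddress.IPv4Address(parts[0]))
    elif len(parts) == 2:
        start = int(ipaddress.IPv4Address(parts[0]))
        end = int(ipaddress.IPv4Address(parts[1]))
    else:
        raise ValueError(f"malformed alias range: {spec!r}")
    if end < start:
        raise ValueError(f"range end precedes start: {spec!r}")
    return start, end


def range_size(spec: str) -> int:
    """Number of addresses covered by an alias entry."""
    start, end = parse_alias_range(spec)
    return end - start + 1


def resolve_alias(ip: str, entries: List[Tuple[str, str]]) -> Optional[str]:
    """Name of the first alias entry (in table order) containing ip, or None."""
    value = int(ipaddress.IPv4Address(ip))
    for name, spec in entries:
        start, end = parse_alias_range(spec)
        if start <= value <= end:
            return name
    return None


def resolve_sessions(sessions: List[Tuple[str, str]],
                     entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Replace session source addresses with alias names where one applies, leaving
    unmatched addresses unchanged."""
    return [(resolve_alias(src, entries) or src, dst) for src, dst in sessions]


if __name__ == "__main__":
    # Constructed session list: (source, destination)
    sessions = [("10.10.10.25", "203.0.113.5"), ("10.10.15.200", "203.0.113.6"),
                ("192.0.2.1", "203.0.113.7")]
    for src, dst in resolve_sessions(sessions, ALIAS_ENTRIES):
        print(f"{src:<22} -> {dst}")
    for name, spec in ALIAS_ENTRIES:
        print(f"{name:<22} covers {range_size(spec)} address(es)")
```

Because entries are matched in table order, an address that falls in two overlapping ranges (10.10.10.1 here is both HQ-gateway and inside Campus-block) resolves to the first one listed; keep more specific aliases earlier in the table.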
Note: Fortinet recommends having an Uninterruptible Power Supply (UPS) in the event of a power failure. A UPS is recommended because when a power failure occurs, data in the write cache is lost. The write cache stores data locally in memory before it is written to the disk drive media, so that the unit can continue on to the next task.
Linear
A linear RAID level combines all hard disks into one large virtual disk. It is also known as concatenation or JBOD (Just a Bunch of Disks).
RAID 10
RAID 10 (or 1+0) includes nested RAID levels 1 and 0: a stripe (RAID 0) of mirrors (RAID 1). The total disk space available is the total number of disks in the array (a minimum of 4) divided by 2. Any drive from a RAID 1 array can fail without loss of data. However, should the other drive in the same RAID 1 array fail, all data will be lost. In this situation, it is important to replace a failed drive as quickly as possible.
You can use any brand of hard disk to replace a failed hard disk, as long as it has the same capacity or greater. For example, if replacing a 120 GB hard drive, you could use either a 120 GB or a 250 GB hard drive.
Caution: Do not replace a failed RAID hard disk with a smaller capacity hard disk. Using a smaller capacity hard disk reduces the RAID’s total capacity, resulting in data loss when the RAID is reconfigured for its smallest drive.
Hot swapping the FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A
The following diagram indicates the drive numbers and their locations in the FortiAnalyzer unit when you are looking at the front of the unit. Refer to this diagram before removing a disk drive to ensure you remove the correct one. You can use any brand of hard disk to replace a failed hard disk; however, you must ensure that the hard disk is the same size as or larger than the remaining working drives.
The options available here depend on the RAID level selected. For most RAID levels, you can only add the new hard disk back into the RAID array. If you are running a RAID level with a hot spare, you can also add the new hard disk as the hot spare.
Configuring RAID on the FortiAnalyzer-400 and FortiAnalyzer-800/800B
The FortiAnalyzer-400 and FortiAnalyzer-800/800B have four hot swappable hard disks. Hot swapping is available when running the FortiAnalyzer unit with RAID level 1 or 5.
RAID settings can be configured from the Dashboard, in the RAID Monitor widget, as well as from System > Config > RAID.
Caution: Back up all data before changing the RAID level. If you change RAID levels, the FortiAnalyzer unit reformats the hard disks to support the new setting, which may result in data loss.
Figure 33: FortiAnalyzer-2000/2000A RAID settings
RAID Level: Select a RAID level from the list. The current RAID level is shown as the first RAID level in the list.
Figure 34: LDAP settings (LDAP Distinguished Name Query)
To define an LDAP server query
1 Go to System > Config > LDAP.
2 Select Create New. Complete the following:
Name: Enter the name for the LDAP server query.
Server Name/IP: Enter the LDAP server domain name or IP address.
Server Port: Enter the port number. By default, the port is 389.
Server Type: Select whether to use anonymous or authenticated (regular) queries.
3 Select OK.
The LDAP query becomes an available option when configuring variables for report profiles. For more information, see “Configuring reports” on page 113.
Maintenance
Maintenance enables you to back up and restore configuration files for the FortiAnalyzer unit, to upload firmware, and to configure automatic RVS updates.
Backup & Restore
Backup & Restore displays the date and time of the last configuration backup and the last firmware upload.
Encrypt configuration file: Select to encrypt the backup file. Enter a password in the Password field and enter it again in the Confirm field. You will need this password to restore the file. You must encrypt the backup file if you are using a secure connection to a FortiGate or FortiManager device.
Backup: Select to back up the configuration.
Restore: Restore the configuration from a file.
Restore configuration from: Currently the only option is to restore from a PC.
Figure 36: FortiGuard Center
FortiGuard Subscription Services: The RVS (remote vulnerability scan) engine and module version number, the date of the last update, and the status of the connection to the Fortinet Distribution Network (FDN). A green indicator means that the FortiAnalyzer unit can connect to the FDN or override server. A grey indicator means that the FortiAnalyzer unit cannot connect to the FDN or override server.
Port: Enter the port number of the web proxy. This is usually 8080.
Name: If your web proxy requires a login, enter the user name that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.
Password: If your web proxy requires a login, enter the password that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.
Scheduled Update: Enable scheduled updates, then select the frequency of the update (Every, Daily or Weekly).
Device
The Device menu controls connection attempt handling, permissions, disk space quota, and other aspects of devices connecting to the FortiAnalyzer unit for remote logging, content archiving, quarantining, and/or remote management. For a diagram of the traffic types, ports and protocols that FortiAnalyzer units use to communicate with other devices and services, see the Knowledge Center article Traffic Types and TCP/UDP Ports used by Fortinet Products.
Devices may automatically appear on the device list when the FortiAnalyzer receives a connection attempt, according to your configuration of Unregistered Device Options, but devices may also automatically appear as a result of importing log files. For more information, see “Importing a log file” on page 95.

To view the device list, go to Device > All.

Figure 1: Devices list

Add Device: Select to manually add a new device to the device list.
• Tx indicates logging access for all devices managed by the FortiManager system.
• Rx indicates that the FortiManager system can remotely administer the FortiAnalyzer unit.
For more information about configuring device connection permissions, see “Devices Privileges” on page 82.
Secure Connection: Indicates whether an IPSec VPN tunnel has been enabled for secure transmission of logs, content and quarantined files.
For unregistered devices, additional icons appear. Select Add to add the device to the device list and to configure the connection, or select Block to stop further connection attempts. For instructions on manually adding devices, see “Manually adding a device” on page 80. For more information about blocking a device, see “Blocking device connection attempts” on page 86.

To delete a device
1 Go to Device > All > Device.
For networks with more demanding logging scenarios, an appropriate device ratio may be less than the allowed maximum. Performance will vary according to your network size, device types, logging thresholds, and many other factors. When choosing a FortiAnalyzer model, consider your network’s log frequency, and not only your number of devices. A VDOM or high availability (HA) cluster counts as a single “device” toward the maximum number of allowed devices.
Configuring unregistered device connection attempt handling

You can configure the FortiAnalyzer unit to accept and handle connection attempts automatically, or to allow connections only from devices that you have manually added. Allowing the connection and registering the device enables certain FortiAnalyzer features.
Figure 2: Unregistered Device Options

To configure device connection attempt handling
1 Go to Device > All > Device.
2 Select Unregistered Devices Options.
3 Select from the following options for known device types:
Ignore connection and log data: Do not accept connection attempts, and do not add devices to the device list.
Manually adding a device

You can add devices to the FortiAnalyzer unit’s device list either manually or automatically. If you have configured Unregistered Device Options to automatically register known-type devices, you may only need to manually add unknown-type devices such as a generic Syslog server. If you have configured Unregistered Device Options to require it, you may be required to add all devices manually.
Figure 3: Configuring a device

Device Type: Select the device type. The type is automatically pre-selected if you are adding an unregistered device from the device list, or if you are editing an existing device. Other device options vary by the device type.
Device Name: Enter a name to represent the FortiGate unit, such as FG-10001. This can be any descriptive name that you want to assign to it, and does not need to be its host name.
Amounts following the disk space allocation field indicate the amount of disk space currently being used by the device, and the total amount of disk space currently available on the FortiAnalyzer unit.
When Allocated Disk Space is All Used: Select either to overwrite older files or to stop logging, to indicate what the FortiAnalyzer unit should do when the allocated disk space has been used.
13 Select the blue arrow to expand Group Membership. This option does not appear if Device Type is FortiClient. In that case, also skip the following step.
14 From the Available Groups area, select a device group or groups, if any, to which you want to assign the device, then select the right arrow button to move the group name into the Membership area. Devices can belong to multiple groups. You can also add the device to a group later, or change the assigned group.
To classify network interfaces and VLAN subinterfaces of a FortiGate unit
1 Go to Device > All > Device.
2 Configure the FortiGate device. For more information, see “Manually adding a device” on page 80.
3 Select the blue arrow to expand FortiGate Interface Specifications. This area may be automatically pre-configured with default classifications. In this case, verify that the network interface classifications match your network topology.
To enable the FortiAnalyzer unit to reply to FDP packets
1 On the FortiAnalyzer unit, go to Device > All.
2 Go to System > Network.
3 Select Modify for the network interface that should reply to FDP packets.
4 Enable Fortinet Discovery Protocol.
5 Select OK.
The FortiAnalyzer unit is now configured to respond to FDP packets on that network interface, including those from FortiGate units’ Automatic Discovery feature.
Test Connectivity does not verify connectivity by Syslog. Syslog is required to send log messages. To verify Syslog connectivity, trigger FortiGate logs, then go to Log&Report > Log Access > Remote. The steps required to trigger sending log messages from the FortiGate unit vary by the log type. For example, event logs are not configured in the same location as logs resulting from firewall policies and protection profiles.
To block a device
1 Go to Device > All > Device.
2 From Show, select Unregistered. If the device is currently registered, you must first delete the device before you can block it. For more information, see “Viewing the device list” on page 73.
3 In the row corresponding to the device that you want to block, in the Action column, select Block.
The device appears in the list of blocked devices.

To unblock a device
1 Go to Device > All > Blocked Device.
Figure 5: List of device groups

Create New: Select to configure a new device group.
Show: Select the type of device groups to display, such as FortiGate, FortiManager, FortiMail or Syslog groups.
Group Name: The name of the device group.
Members: The device names of devices that are members of the device group.
Modify: Select Delete to remove the device group. Select Edit to reconfigure the device group.
Log

FortiAnalyzer units collect logs from network hosts such as FortiGate, FortiMail, FortiClient, FortiManager, and Syslog devices. By using the Log menu, you can view both device and FortiAnalyzer log files and messages, as well as content archive summaries. The FortiAnalyzer unit can display device logs in real-time, enabling you to view log messages as the FortiAnalyzer unit receives them.
Figure 1: Viewing current logs

Devices: Select the type of device you want to view logs from. If you select All FortiGates, all log messages from all registered FortiGate units appear.
Log types: Select to view a different device’s logs, or a different log type.
Stop: Select to stop refreshing the log view. This option appears only when refreshing is started.
Start: Select to start refreshing the log view. This option appears only when refreshing is stopped.
Figure 2: Viewing historical logs

Devices: Select the type of device you want to view logs from. If you select All FortiGates, all log messages from all registered FortiGate units appear.
Log Types: Select to view a different device’s logs, or a different log type.
Formatted | Raw: Select a view of the log file. Selecting Formatted (the default) displays the log files in columnar format.
To view historical logs
1 Go to Log > Log Viewer > Historical.
2 From Devices, select the device whose logs you want to view. Unregistered devices will not appear in the list. To view a device’s logs, you must register the device first.
3 From Log types, select the type of log file. Log types options vary by device type. If you have reason to expect log messages to appear for the selected log type, but none appear, verify connectivity and the device’s logging configuration.
Log files: A list of available log files for each device or device group. Select the group name to expand the list of devices within the group, and to view their log files. The current, or active, log file appears as well as rolled log files. Rolled log files include a number in the file name (alog.2.log). If you configure the FortiAnalyzer unit to upload rolled logs to an FTP site, only the current log will appear in the log browser.
Formatted | Raw: Select a view of the log file. Selecting Formatted (the default) displays the log files in columnar format. Selecting Raw displays the log information as it actually appears in the log file.
Resolve Host Name: Select to display hosts by a recognizable name rather than by IP address. For more information about configuring IP address host names, see “Configuring IP aliases” on page 61.
5 In Filename, enter the path and file name of the log file, or select Browse.
6 Select OK.
A message appears, stating that the upload is beginning, but will be cancelled if you leave the page.
7 Select OK.
Upload time varies by the size of the file and the speed of the connection. After the log file successfully uploads, the FortiAnalyzer unit inspects the log file.
• If the device_id field in the uploaded log file does not match the device, the import will fail.
5 Select Download Current View.
6 Configure the following:
Convert to CSV format: Downloads the log as a comma-separated value (.csv) file instead of a standard .log file. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.
Compress with gzip: Compress the .log or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.
Figure 5: Displaying and arranging log columns

To display or hide columns
1 Go to a page which displays log messages, such as Log > Log Viewer > Realtime.
2 Select Column Settings.
Lists of available and displayed columns for the log type appear.
3 Select which columns to hide or display.
• In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Display Fields area.
Note: Filters do not appear in Raw view, or for unindexed log fields in Formatted view. When viewing real-time logs, you cannot filter on the time column: by definition of the realtime aspect, only current logs are displayed.

Figure 6: Filter icons

To filter log messages by column contents
1 In the heading of the column that you want to filter, select the filter icon.
2 Select Enable.
• 1.1.1.1 or 2.2.2.1-2.2.2.10
Most column filters require that you enter the column’s entire contents to successfully match and filter contents; partial entries do not match the entire contents, and so will not create the intended column filter. For example, if the column contains a source or destination IP address (such as 192.168.2.5), to create a column filter, enter the entire IP address to be matched.
Device/Group: Select to search logs from the FortiAnalyzer unit (LocalLogs), a device, or a device group.
Date: Select to search logs from a time frame, or select Specify and define a custom time frame by selecting the From and To dates and times.
From: Enter the date and select the time of the beginning of the custom time range. This option appears only when Date is Specify.
To: Enter the date and select the time of the end of the custom time range.
• Destination IP: Enter an IP address to include only log messages containing a matching destination IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing dst=192.168.2.1 and/or content log messages containing a server IP address of 192.168.2.1.
• User Name: Enter a user name to include only log messages containing a matching authenticated firewall user name.
• Some keywords will not match unless you include both the log field name and its value (type=webfilter).
• Remove unnecessary keywords and search filters which can exclude results. In More Options, if All Words is selected, for a log message to be included in the search results, all keywords must match; if any of your keywords do not exist in the message, the match will fail and the message will not appear in search results. If you cannot remove some keywords, select Any Words.
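To make the search behaviour above concrete (field=value keywords such as type=webfilter, and the All Words versus Any Words choice), and the device_id check the guide describes for imported log files, here is an added example that is not FortiAnalyzer code. The log lines are constructed samples in FortiGate's key=value shape, and the rule that a bare keyword matches a whole field value is an assumption about the appliance's behaviour, not something the guide states.

```python
"""Keyword search and import check over FortiGate-style key=value log lines.

Added example, not FortiAnalyzer code. Models:
  * keyword search: bare words or field=value pairs ("type=webfilter");
    All Words requires every keyword to match, Any Words needs one;
  * the import check: a file whose device_id does not match the device it is
    imported to is rejected.
The bare-word rule (match any whole field value) is an assumption.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample lines (not real device output).
SAMPLE_LOGS = [
    'date=2008-09-08 time=10:01:22 device_id=FG-10001 type=webfilter '
    'subtype=urlfilter pri=warning src=192.168.2.5 dst=203.0.113.10 '
    'user="alice" msg="URL blocked by category"',
    'date=2008-09-08 time=10:02:03 device_id=FG-10001 type=traffic '
    'subtype=allowed pri=notice src=192.168.2.7 dst=192.168.2.1 '
    'user="bob" msg="traffic allowed"',
    'date=2008-09-08 time=10:02:40 device_id=FG-10001 type=event '
    'subtype=admin pri=information user="alice" msg="User alice logged in"',
]

# key=value where the value is either "quoted text" or a run of non-blanks.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, honouring quoted values."""
    fields: Dict[str, str] = {}
    for match in _FIELD_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def keyword_matches(keyword: str, fields: Dict[str, str]) -> bool:
    """field=value keywords match that field exactly; bare words match any value."""
    if "=" in keyword:
        name, value = keyword.split("=", 1)
        return fields.get(name) == value
    return keyword in fields.values()


def search_logs(lines: Iterable[str], keywords: List[str],
                all_words: bool = True) -> List[str]:
    """Return the lines whose parsed fields satisfy the keywords.

    all_words=True mirrors More Options > All Words (every keyword must
    match); all_words=False mirrors Any Words (at least one must match).
    An empty keyword list matches nothing.
    """
    combine = all if all_words else any
    hits = []
    for line in lines:
        fields = parse_log_line(line)
        if keywords and combine(keyword_matches(k, fields) for k in keywords):
            hits.append(line)
    return hits


def import_device_mismatches(lines: Iterable[str], registered_device_id: str) -> List[str]:
    """Lines whose device_id differs from the device the file is imported to.

    A non-empty result corresponds to the case where the guide says the
    import will fail.
    """
    return [line for line in lines
            if parse_log_line(line).get("device_id") != registered_device_id]


if __name__ == "__main__":
    for hit in search_logs(SAMPLE_LOGS, ["alice", "type=webfilter"]):
        print(hit)
    print("mismatches:", import_device_mismatches(SAMPLE_LOGS, "FG-10001"))
```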
To download log search results
1 Go to Log > Search.
2 Perform a search using either basic or advanced search. If your search finds one or more matching log events, a Download Current View button appears next to the Printable Version button.
3 Select Download Current View.
Options appear for the download’s file format and compression.
4 Configure the following:
Convert to CSV format: Downloads the log format as a comma-separated value (.
Figure 8: Device Log Settings

Log file should not exceed: Enter the maximum size of each device log file. When the log file reaches the specified maximum size, the FortiAnalyzer unit saves the current log file with an incremental number and starts a new active log file. For example, if the maximum size is reached, the current alog.log is renamed to alog.n.log, then a new alog.log is created to receive new log messages.
Upload rolled files in gzipped format: Select to compress the log files in gzipped format before uploading to the server.
Delete files after uploading: Select to remove the log file from the FortiAnalyzer hard disk after the FortiAnalyzer unit completes the upload.
Content Archive

Content archiving provides a method of simultaneously logging and archiving copies of content transmitted over your network, such as email and web pages. FortiGate units can log metadata for common user content-oriented protocols. Content logs include information such as the senders, recipients, and the content of messages and files.
• whether the FortiAnalyzer unit has the copy of the file or message associated with the summary log message (that is, full content archives do not appear if you have deleted the associated copy of the file or message)
For more information about requirements and configuration of content archiving, see the FortiGate Administration Guide.

To view content archives, go to Content Archive, then select the content archive type. Each type has similar controls.
Note: Content Archive allows you to both view logged details and to download the archived files. If you want to display only the content archive log file, instead go to Log > Browse and select the device’s clog.log file. For more information, see “Log” on page 91.

By default, Content Archive > MMS is hidden. To display this content archive, see the show_mms_archive variable in the FortiAnalyzer CLI Reference.
3 Select which columns to hide or display.
• In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Display Fields area. Alternatively, to display all columns, select the double right arrow.
• In the Display Fields area, select the names of individual columns you want to hide, then select the single left arrow to move them to the Available Fields area.
4 Enter the text that matching log messages must contain. Matching log messages will be excluded or included in your view based upon whether you have selected or deselected NOT.
5 Select OK.
A column’s filter icon is green when the filter is currently enabled.

To disable a filter
1 In the heading of the column whose filter you want to disable, select the filter icon. A column’s filter icon is green when the filter is currently enabled.
Searching full email content archives

You can search full email content archives to quickly locate and view messages, such as those whose body contains a specific term. Full email content archive searches create a focused content archive view that contains only full content archives. Summary content archives are omitted.

To search full email content archives, go to Content Archive > Email Archive > Search.
To: The recipient’s email address.
Last activity: The date and time that the FortiAnalyzer unit received the content archive.
Subject: The subject line of the email. Select the subject line of the email to view the email and its attachment, if any, in a pop-up window.
Size: The file size of the email, including any attachments.
Reports

FortiAnalyzer units can collate information collected from device log files and present the information in tabular and graphical reports, providing quick analysis of what is occurring on the network.
Note: Reports cannot be created for devices that are of an unknown type, such as generic Syslog devices, nor for devices that are not registered with the FortiAnalyzer unit’s device list. For more information about registering devices, see “Manually adding a device” on page 80.

Configuring report layout

The Layout tab enables you to configure and define multiple report layouts, which can then be applied to report schedules or generated immediately.
Figure 2: Layout

There are also default report layouts to choose from; they appear in the report layout list together with the report layouts you created.
Title Page Logo: Select the Browse logo files icon to choose a logo that will appear on the title page of the report. You need to select a logo file format that is compatible with your selected file format outputs. The logo will not appear if it is incompatible with the chosen file format. You can choose JPG, PNG, and GIF logo formats for PDF and HTML; WMF is also supported for RTF.
Editing charts in a report layout

You can edit charts at any time, as well as rearrange the charts from within the Chart List. You can also edit Text and Section. The following procedure assumes you have already selected, in Layout, the report layout whose charts, Text and Section you want to edit.
To edit a chart
1 Select Edit beside the chart name.
2 Enter the appropriate information for the following:
Chart Output: Select one of the following to display chart information:
• Table & Graph – displays both a table and graph
• Table – displays only a table
• Graph – displays only a graph
Chart Style: Select a style for the chart. You can choose a bar style, column style or pie style.
Group: Enter a group’s name that you want to use in the report. You can enter multiple names in the field, using commas to separate the group names.
LDAP Query: Select the LDAP Query check box and then select the LDAP directory or Windows Active Directory group from the dropdown list. This is useful if you want to restrict report scope using a list of user names from the LDAP directory or Windows Active Directory group, instead of a group name configured on a device.
Create New: Select to create a new report schedule and configure the settings.
Delete: Select to remove report schedules whose check boxes are selected.
• To delete one or more report schedules, select the check box next to their report name, then select Delete.
• To delete all reports, select the column heading check box. All report schedules’ check boxes are selected; then select Delete.
Monthly
Log Data Filtering: You can specify the variables that were selected in the charts when configuring the report layout. If you did not specify any variables in the charts added to the report layout, proceed to Data Filter.
Device/Group: Select a device or device group from the list.
Virtual Domain: Select to create a report based on virtual domains. Enter a specific virtual domain to include in the report.
User: Select to create a report based on a network user.
Configuring data filter templates

You can configure multiple data filter templates for reports in Report > Config > Data Filter. These templates can be applied to any report schedule you want.

Figure 4: Data filter templates

Create New: Select to create a new data filter template and configure its settings.
Delete: Select to remove data filter templates whose check boxes are selected.
Figure 5: Configuring a data filter template

To configure data filters for a report
1 Go to Report > Config > Data Filter.
2 Select Create New.
3 Enter and/or select the appropriate information for the fields and check boxes for the following:
Name: Enter a name for the new data filter configuration. This name only concerns this particular data filter configuration, not the report itself.
Description: Enter a description for the report. This is optional.
172.16.0.0-20.255.255 matches all IP addresses from 172.16.0.0 to 172.20.255.255.
not: Select to instead include only log messages that do not match this criterion. For example, you might include all logs except those matching a specific source IP address.
Alias: Select the appropriate alias from the drop-down list. See “Configuring IP aliases” on page 50 for more information about configuring IP aliases.
Destination(s): The same not and Alias options are available for destination addresses.
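The address notation used by the data filters here and by the column filters in “Searching the logs” (a single address such as 1.1.1.1, a full range such as 2.2.2.1-2.2.2.10, and an abbreviated range such as 172.16.0.0-20.255.255) is made concrete in the following added example, which is not FortiAnalyzer code. It reproduces the documented results; how the appliance itself parses the strings is an assumption, and the exact-match helper models the guide's warning that partial column entries do not match.

```python
"""Address-filter notation as described in the FortiAnalyzer guide.

Added example, not FortiAnalyzer code. Three forms are handled:
  * a single address:       "1.1.1.1"
  * a full range:           "2.2.2.1-2.2.2.10"
  * an abbreviated range:   "172.16.0.0-20.255.255"
In the abbreviated form the end of the range borrows its missing leading
octets from the start, so the example above ends at 172.20.255.255 (the
result the guide gives). The parsing rule itself is an assumption.
"""
from ipaddress import IPv4Address
from typing import Tuple


def _complete_end(start: IPv4Address, end_text: str) -> IPv4Address:
    """Fill in an abbreviated range end from the start address.

    "172.16.0.0" with "20.255.255" -> 172.20.255.255: the start supplies
    as many leading octets as the end omits.
    """
    end_octets = end_text.split(".")
    if not 1 <= len(end_octets) <= 4:
        raise ValueError(f"bad range end: {end_text!r}")
    start_octets = str(start).split(".")
    missing = 4 - len(end_octets)
    # IPv4Address() validates each octet, so junk like "20.999" is rejected.
    return IPv4Address(".".join(start_octets[:missing] + end_octets))


def parse_ip_filter(spec: str) -> Tuple[IPv4Address, IPv4Address]:
    """Return the inclusive (first, last) address pair for a filter string."""
    spec = spec.strip()
    if "-" not in spec:
        addr = IPv4Address(spec)  # raises ValueError on malformed input
        return addr, addr
    start_text, end_text = spec.split("-", 1)
    start = IPv4Address(start_text.strip())
    end = _complete_end(start, end_text.strip())
    if end < start:
        raise ValueError(f"range end precedes start: {spec!r}")
    return start, end


def ip_in_filter(spec: str, candidate: str) -> bool:
    """True when candidate lies inside the filter's inclusive range."""
    first, last = parse_ip_filter(spec)
    return first <= IPv4Address(candidate) <= last


def column_filter_matches(filter_text: str, column_value: str) -> bool:
    """Plain column filters need the whole cell content, as the guide warns.

    A filter of "192.168.2" does not match a cell holding "192.168.2.5".
    """
    return filter_text.strip() == column_value.strip()


if __name__ == "__main__":
    first, last = parse_ip_filter("172.16.0.0-20.255.255")
    print(f"172.16.0.0-20.255.255 covers {first} to {last}")
    print("2.2.2.5 in 2.2.2.1-2.2.2.10:", ip_in_filter("2.2.2.1-2.2.2.10", "2.2.2.5"))
```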
Web Category / Category List: Select the categories to filter logs by, selectively including web filtering logs that match your criteria; indicate included categories by selecting one or more category check boxes. Select “not” to instead include only logs that do not match the criterion. You can select a whole category by selecting the check box beside the blue arrow of the category.
E-Mail Destination: The route the email will take when sent, in the format, (from through ).
FTP/SFTP/SCP Server IP: The type of server that the report will be uploaded to in the format, (typeofserver). For example, 10.10.20.15(FTP).
Action: Select Edit to view or modify the report output. Select Delete to remove the report output.
Send Report by Mail: Verify this check box is selected. If you do not want to send a report by email, unselect the check box. If the check box is unselected, the available options under Send Report by Mail are hidden.
Username: Enter the user name the FortiAnalyzer unit will use when connecting to the upload server.
Password: Enter the password the FortiAnalyzer unit will use when connecting to the upload server.
Directory: Enter the directory path that the FortiAnalyzer unit will upload the report to.
Upload report(s) in gzipped format: Select to compress the report files using gzip before uploading to the server.
Keys are required and must not be removed or changed. Keys map a string to a location in the report, and are the same in each language file. If you change or remove keys, the FortiAnalyzer unit cannot associate your string with a location in the report, string file validation will fail, and the string file upload will not succeed. String values may be changed to customize report text.
Note: Both format and string files use Unix-style line endings (LF characters, not CR-LF).

Figure 8: Languages

Create New: Select to create a new report language customization.
Language: The name of the report language customization.
Description: The description of the report language customization.
Font: If you uploaded a font file with your report language customization, the name of the font.
6 If you changed the encoding of the string file, open the format file using a plain text editor that supports Unix-style line endings, such as jEdit, and edit the encoding and character set values for each file format. If you have switched between a single-byte and a double-byte encoding, also set the doublebytes value to true (1) or false (0). For specifications on how to indicate encoding and character set, refer to each file format’s specifications:
• W3C HTML 4.
Note: The string file contains many keys, and each report type uses a subset of those keys. If your language modification does not appear in your report, verify that you have modified the string of a key used by that report type.

To change a report language customization
1 Go to Report > Config > Language.
2 Locate the customized language whose font, string, or format file you want to change and, in that language’s row, select Edit from the Action column.
Figure 9: Viewing reports in Report > Browse

Refresh: Select to refresh the list. If the FortiAnalyzer unit is in the process of generating a report, use Refresh to update the status of the report generation.
Delete: Select the reports from the listing by selecting the check box next to the report name.
Device Type: Select the reports based on the type of device included in the report.
Quarantine

FortiAnalyzer units can act as a central repository for files that are suspicious or known to be infected by a virus, and have therefore been quarantined by your FortiGate units. This section describes how to view quarantined files. If a secure connection has been established with the device, the communication between the two units is the same IPSec tunnel that the FortiGate unit uses when sending log files.
Date & Time: The date and time the FortiGate quarantined the file, in the format yyyy/mm/dd hh:mm:ss. If duplicate files are quarantined, the time and date indicate when the first file was quarantined.
Service: The service by which the quarantined file was attempting to be transmitted, such as SMTP.
Checksum: A 32-bit checksum the FortiGate unit created from the file.
Alert

Alerts provide a method of informing you of issues arising on a FortiGate unit, FortiClient installation, or the FortiAnalyzer unit itself, such as system failures or network attacks, enabling you to react in a timely manner to the event. You can configure the FortiAnalyzer unit alert conditions, instructing the FortiAnalyzer unit what devices and what log messages to monitor, and what to do in the event a log message appears meeting the alert conditions.
Adding an alert event

Adding an alert event enables you to receive notification when certain types of log messages are received.

To add a new alert event
1 Go to Alert > Alert Event.
2 Select Create New.
3 Configure the following options:
Alert Name: Enter a name indicating the type of alert the FortiAnalyzer is monitoring for.
Device Selection: Select the devices the FortiAnalyzer unit monitors for the alert event.
From Email Address: When configuring the FortiAnalyzer unit to send an email alert message, enter the sender’s email address.
To Email Address: When configuring the FortiAnalyzer unit to send an email alert message, enter the recipients’ email address.
Add: Select Add to add the destination for the alert message. Add as many recipients as required.
Delete: Select a recipient from the Destination list and select Delete to remove a recipient.
To add a mail server for alerts
1 Go to Alert > Output > Mail Server.
2 Select Create New.
3 Configure the following options:
SMTP Server: The name/address of the SMTP email server.
Enable Authentication: Select the Authentication Enable check box to enable SMTP authentication. When set, you must enter an email user name and password for the FortiAnalyzer to send an email with the account.
Email Account: Enter the user name for logging on to the SMTP server to send alert mails.
Figure 3: SNMP Access List

SNMP Agent: Select to enable the SNMP agent.
Description: Enter a descriptive name for this FortiAnalyzer unit.
Location: Enter the physical location of the FortiAnalyzer unit, such as a city or floor number.
Contact: Enter a contact, such as an administrator’s name.
Trap Type: The type of available SNMP trap.
Trigger: Enter a number (percent) that will trigger a trap. The number can be between 1 and 100.
Enable: Select to disable the SNMP community.
Action: Select Delete to remove the SNMP server configuration. Select Edit to change the SNMP server configuration. Select Test to verify the SNMP server configuration by sending a test SNMP trap. This option does not appear if the IP or FQDN is 0.0.0.0.

Adding an SNMP server

You can add an SNMP server to define a destination IP address that can be selected as the recipient of FortiAnalyzer unit SNMP alerts.
Fortinet MIB System Traps
• fnTrapCpuHigh
• fnTrapMemLow
• fnTrapIpChange
Fortinet MIB Logging Traps
• fnTrapLogFull
Fortinet MIB VPN Traps
• fnTrapVpnTunUp
• fnTrapVpnTunDown
• fnTrapFlgEventCount
Fortinet MIB System fields
• fnSysModel
• fnSysSerial
• fnSysVersion
• fnSysCpuUsage
• fnSysMemUsage
• fnSysSesCount
• fnSysDiskCapacity
• fnSysDiskUsage
• fnSysMemCapacity
Fortinet MIB Administrator Accounts
• fnAdminNumber
• fnAdminIndex
• fnAdminName
• fnAd
RFC-1213 (MIB II)
• mib-2.system
• mib-2.interface
• mib-2.at
• mib-2.ip
• mib-2.icmp
• mib-2.tcp
• mib-2.udp
• mib-2.ifMIB
RFC-2665 (Ethernet-like MIB)
• .dot3StatsTable
• .dot3CollTable
• .dot3ControlTable
• .dot3PauseTable

Configuring alerts by Syslog server

You can configure Syslog servers where the FortiAnalyzer unit can send alerts. You must add the syslog server before you can select it as a way for the FortiAnalyzer unit to communicate an alert.
3 Configure the following options, and select OK.
Name: Enter a name for the SNMP server.
IP address (or FQDN): Enter the IP address or fully qualified domain name for the SNMP server.
Port: Enter the Syslog server port number. The default Syslog port is 514.
Network Analyzer

Network Analyzer can be used as an enhanced local network traffic sniffer to diagnose areas of the network where firewall policies may require adjustment, or where traffic anomalies occur. Network Analyzer logs all traffic seen by the interface for which it is enabled.
Connecting the FortiAnalyzer unit to analyze network traffic

Figure 1: Example network topology for Network Analyzer use (internal network, hub or switch, Internet; the span/mirror port is connected to the Network Analyzer port)

To connect the FortiAnalyzer unit for use with Network Analyzer
1 Connect an Ethernet cable to a port on the FortiAnalyzer unit other than the port used to collect device logs.
Viewing Network Analyzer log messages

After attaching a FortiAnalyzer unit interface to the network and enabling the Network Analyzer for that interface, traffic information displays. The Network Analyzer’s log viewers display logs of traffic seen by the network interface you have configured for use with Network Analyzer, focusing on specific time frames.
• Protocol: The protocol used when sending the traffic.
• Message: Information payload of the traffic sent through the switch.

Viewing historical Network Analyzer log messages
The Historical tab in Tools > Network Analyzer displays Network Analyzer logs for a specific time range. When viewing log messages, you can filter the information to find specific traffic information.
• Destination Port: The destination port of the traffic.
• Protocol: The protocol used when sending the traffic.
• Message: Information payload on the traffic sent through the switch.

Browsing Network Analyzer log files

The Browse tab in Tools > Network Analyzer enables you to see all stored Network Analyzer log files, view the Network Analyzer logs, download log files to your hard disk or delete unneeded files.
Figure 5: Viewing Network Analyzer logs (controls shown: Column Settings, Printable Version)

• Type: The type of log you are viewing and the device where it originated.
• Change: Select to view a different log file.
• Formatted | Raw: Select a view of the log file. Selecting Formatted (the default) displays the network traffic log files in columnar format. Selecting Raw displays the network traffic log information as it actually appears in the log file.
Downloading a Network Analyzer log file
You can download a log file to save it as a backup or for use outside the FortiAnalyzer unit. You can choose to download either the entire file or only log messages selected by filtering.

To download a whole log file
1 Go to Tools > Network Analyzer > Browse.
2 In the Log Files column, locate a log file.
3 In the Action column, select Download.
4 Select any download options you want and select OK.
Customizing the Network Analyzer log view

Log messages can be displayed in either Raw or Formatted view.
• Raw view displays log messages exactly as they appear in the log file.
• Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison.
4 Select which columns to hide or display.
• In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Display Fields area. Alternatively, to display all columns, select the double right arrow.
• In the Display Fields area, select the names of individual columns you want to hide, then select the single left arrow to move them to the Available Fields area.
3 If you want to exclude log messages with matching content in this column, select NOT. If you want to include log messages with matching content in this column, deselect NOT.
4 Enter the text that matching log messages must contain. Matching log messages will be excluded or included in your view based upon whether you have selected or deselected NOT.
5 Select OK. A column’s filter icon is green when the filter is currently enabled.
Searching the Network Analyzer logs

You can search the Network Analyzer log files for matching text using two search types: Quick Search and Full Search. You can use Quick Search to find results more quickly if your search terms are relatively simple and you only need to search indexed log fields.
• More Options: Select the blue arrow to hide or expand additional search options.
• Other: Specify additional criteria, if any, that can be used to further restrict the search criteria.
  • Source IP: Enter an IP address to include only log messages containing a matching source IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing src=192.168.2.1.
• You can search for IP ranges, including subnets. For example:
  • 172.168.1.1/24 or 172.168.1.1/255.255.255.0 matches all IP addresses in the subnet 172.168.1.1/255.255.255.0
  • 172.168.1.1-140.255 matches all IP addresses from 172.168.1.1 to 172.168.140.255
The search returns results that match all of the search terms. For example, consider two similar keyword entries: 172.20.120.127 tcp and 172.20.120.127 udp. If you enter the keywords 172.20.
5 Select the download options that you want, then select OK.
• Convert to CSV format: Downloads the log format as a comma-separated value (.csv) file instead of a standard .log file. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.
• Compress with gzip: Compress the .log or .csv file with gzip compression.
Rolling and uploading Network Analyzer logs

Figure 9: Traffic Log Settings

• Enable Network Analyzer on: Select the port on which Network Analyzer observes traffic. If you disable this option and log out, Network Analyzer will be hidden in the web-based manager menu. For more information on re-enabling Network Analyzer and making it visible again, see “Connecting the FortiAnalyzer unit to analyze network traffic” on page 141.
• Enable log uploading: Select to upload log files to a server when a log file rolls.
• Server type: Select the protocol to use when uploading to the server:
  • File Transfer Protocol (FTP)
  • Secure File Transfer Protocol (SFTP)
  • Secure Copy Protocol (SCP)
• Server IP address: Enter the IP address of the log upload server.
• Username: Enter the user name required to connect to the upload server.
Tools

The Tools menu provides vulnerability scanning as well as viewing the files that are on your FortiAnalyzer unit. These tools help administrators either when issues appear or when trying to determine if there are any vulnerabilities on targeted hosts. The Vulnerability Scan feature scans for open TCP and/or UDP ports on your designated target hosts.
authenticating without root or administrator credentials are typically not able to view sensitive areas of the system software or configuration; scans involving those parts cannot be accurately assessed without administrator credentials. You may also be required to modify the target host’s security policy to allow the connections and to ensure that the account uses administrator account privileges when authenticating remotely.
Some vulnerability scan modules, such as those that test file permissions or check installed patch and software versions, require full access to the target host. Vulnerability scan modules for Microsoft Windows hosts specifically require an administrator account with access to not only the file system but also the registry.
Figure 1: Configuring the security model for local accounts authenticating remotely

4 Select Local Computer Policy.
5 Select Computer Configuration.
6 Select Windows Settings.
7 Select Security Settings.
8 Select Local Policies.
9 Select Security Options.
10 Double-click Network access: Sharing and security model for local accounts. (Alternatively, right-click and select Properties.)
11 Select Classic - local users authenticate as themselves.
9 Select OK.
10 Select OK.
11 Select Close.
12 After the vulnerability scan job completes, revert the NetBIOS settings configured in this procedure.

Preparing Unix target hosts
Vulnerability scan modules targeting Unix variant hosts, including Linux and Apple Mac OS X, require the ability to log in to the target host using the secure shell (SSH) protocol.
When configuring a full vulnerability scan, you can restrict the scan job to use only those modules for vulnerabilities that meet or exceed your specified severity threshold. For more information, see “Configuring vulnerability scan jobs” on page 162. Supported operating systems and other details are located in each module’s details.
• Name: The name of the module group or module. Select the blue arrow to expand a module group. Module groups are organized by the type of vulnerability or the software which is susceptible.
• Severity: The severity level of the vulnerability tested by the module.
• Description: A brief description of the test performed by the module.
Configuring a custom scan allows you to provide the user name and password of an administrator or root account for modules that require full access, and to specify the severity threshold of vulnerabilities for which you want to scan, giving you greater control over which modules will be used to probe the target host. By providing login credentials and a low severity threshold, you can perform a full scan, using all available modules.
To configure a vulnerability scan job
1 Go to Tools > Vulnerability Scan > Job.
2 Select Create New.
3 Complete the following:
• Job Name: Enter a name for the vulnerability scan job. This name will also be used for the report generated from scan results.
• Scan Targets: Enter the IP addresses, or range of addresses, of the device or hosts you want the FortiAnalyzer to scan, then select Add. The target host(s) appear in the Scan Targets area.
• Enable UDP scan: Select to run a port scan on UDP ports. This option is available only after selecting Custom Scan.
• UDP Ports Range: Enter the UDP port numbers, or port ranges, the FortiAnalyzer unit will port scan. Separate each port number or range of numbers with a comma. This option is available only after selecting Custom Scan.
6 Select the blue arrow to expand Schedule Option.
7 From Schedule, select either Run Now or Run Later.
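Added Python example, not FortiAnalyzer's own input handling: it validates and normalizes a comma-separated port list of the kind entered in the port range fields above, so that a typo is caught before a scan job is saved and an authorized scan hits only the ports intended. It assumes ranges are written lo-hi; the rejection of out-of-range ports and reversed ranges, and the merging of overlapping entries, are design choices of this example.

```python
import re
from typing import List, Tuple

PORT_ITEM_RE = re.compile(r"^(\d+)(?:-(\d+))?$")  # "80" or "lo-hi"


def parse_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Parse a comma-separated list of ports and lo-hi ranges into validated
    (lo, hi) tuples. Raises ValueError on anything that is not a port in
    1-65535 or on a reversed range."""
    ranges = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing comma or a doubled separator
        m = PORT_ITEM_RE.match(item)
        if not m:
            raise ValueError(f"not a port or port range: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        for p in (lo, hi):
            if not 1 <= p <= 65535:
                raise ValueError(f"port {p} outside 1-65535 in {item!r}")
        if hi < lo:
            raise ValueError(f"reversed range: {item!r}")
        ranges.append((lo, hi))
    if not ranges:
        raise ValueError("port list is empty")
    return ranges


def merge_ranges(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Sort and coalesce overlapping or adjacent ranges, e.g. 443-445,444-450 -> 443-450."""
    merged: List[Tuple[int, int]] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def port_count(spec: str) -> int:
    """Number of distinct ports the spec covers (useful for sizing a UDP scan)."""
    return sum(hi - lo + 1 for lo, hi in merge_ranges(parse_port_spec(spec)))


def normalize_port_spec(spec: str) -> str:
    """Canonical form: sorted, merged, single ports written without a range."""
    return ",".join(f"{lo}-{hi}" if lo != hi else str(lo)
                    for lo, hi in merge_ranges(parse_port_spec(spec)))


def is_valid_port_spec(spec: str) -> bool:
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(normalize_port_spec("443-445, 80,22,444-450,8000-8080"), port_count("1-1024"))
```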
• Email server: Select which email server to use when the FortiAnalyzer unit sends reports as an email. This option becomes available only if at least one option in Email output is enabled. To define a new email server, see “Configuring alerts by email server” on page 135.
• Email to: Enter the email addresses of the recipients of the report. Add multiple recipients by pressing the Enter key after each email address. The addresses appear in Email list.
• End Time: The time the FortiAnalyzer unit completed the vulnerability scan job.
• Formats: Select to view the vulnerability scan report in a file format other than HTML, if any. In addition to HTML, the generated vulnerability scan reports may also be available in PDF and MSWord (RTF) formats, depending on your output configuration. For more information on setting output options, see “Configuring vulnerability scan jobs” on page 162.
• Action: Select Delete to remove the report.
File Explorer

Figure 5: File Explorer
Figure 6: File Explorer with Storage directory expanded
Managing firmware versions

Before upgrading to FortiAnalyzer 3.0, review this chapter so that you are aware of the upgrade procedures and issues. It covers upgrade issues for all FortiAnalyzer 3.0 firmware versions and how to revert to a previous firmware version, either FortiLog 1.6 or an earlier FortiAnalyzer 3.0 firmware version.
Backing up your configuration using the web-based manager
The following procedures describe how to back up your current configuration using the web-based manager.

To back up your configuration file in FortiLog 1.6 using the web-based manager
1 Go to Maintenance > Backup & Restore.
2 Select the Backup icon for the configuration that you want to back up.
3 Save the file to the local directory on the management computer.
5 Select OK.
6 Select a location when prompted by your web browser to save the file.

To back up log files using the CLI
Enter the following to back up all log files:
    execute backup logs all {ftp | sftp | scp | tftp}
If you are using a TFTP server, you do not need to enter a user name, password or directory.
Testing firmware before upgrading

You may want to test the firmware you want to install before upgrading to a new firmware version, maintenance or patch release. By testing the firmware image, you can familiarize yourself with the new features and changes to existing features, as well as understand how your configuration works with the firmware. You can test a firmware image by installing it from a system reboot and saving it to system memory.
8 Type G to get the new firmware image from the TFTP server. The following message appears:
    Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter. The following message appears:
    Enter Local Address [192.168.1.188]:
10 Type the internal IP address of the FortiAnalyzer unit. This IP address connects the FortiAnalyzer unit to the TFTP server.
Upgrading your FortiAnalyzer unit

After backing up your current configuration, you can now upgrade the firmware on your FortiAnalyzer unit. The following procedures apply whenever you upgrade FortiAnalyzer 3.0 firmware, whether to a maintenance release or to a patch release.
To upgrade to FortiAnalyzer 3.0 using the web-based manager
1 Copy the firmware image file to your management computer.
2 Log into the web-based manager as the administrative user.
3 Go to System > Dashboard.
4 In the System Information area, select Update.
5 Enter the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK.
    This operation will replace the current firmware version!
    Do you want to continue? (y/n)
6 Type y. The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
Reverting to a previous firmware version

You may need to revert to a previous firmware version if the upgrade did not install successfully. The following sections will help you to back up your current FortiAnalyzer 3.0 configuration, downgrade to FortiLog 1.6, and restore your FortiLog 1.6 configuration.
Verifying the downgrade
After successfully downgrading to FortiLog 1.6, verify your connections and settings. If you are unable to connect to the web-based manager, make sure your administration access settings and internal network IP address are correct. The downgrade may change your configuration settings to default settings.

Downgrading to FortiLog 1.6 using the CLI
The following procedure enables you to downgrade to FortiLog 1.
8 Reconnect to the CLI.
9 Enter the following command to confirm the firmware image installed successfully:
    get system status
See “Restoring your configuration” on page 180 to restore your FortiLog 1.6 configuration settings.
Restoring your configuration

Your configuration settings may not carry forward after downgrading to FortiLog 1.6. You can restore your configuration settings for FortiLog 1.6 with the configuration file(s) you saved before upgrading to FortiAnalyzer 3.0. During a firmware restoration, the TFTP server IP address must be on the same network as the FortiAnalyzer unit’s IP address: the FortiAnalyzer unit uses a 255.255.255.
6 When this message appears:
    Press any key to display configuration menu...
immediately press a key to interrupt the system startup. If you successfully interrupt the startup process, the following menu appears:
    [G]: Get firmware image from TFTP server.
    [F]: Format boot device.
    [B]: Boot with backup firmware and set as default.
    [Q]: Quit menu and continue to boot with default firmware.
    [H]: Display this list of options.
Restoring your configuration settings using the web-based manager
The following restores your FortiLog 1.6 configuration settings using the web-based manager.

To restore configuration settings using the web-based manager
1 Log into the web-based manager.
2 Go to System > Maintenance > Backup & Restore.
3 Select the Restore icon for All Configuration Files.
4 If required, enter your password for the configuration file.
6 Type y. The FortiAnalyzer unit uploads the backup configuration file. After the file uploads, a message similar to the following is displayed:
    Getting file confall from tftp server 192.168.1.168
    ##
    Restoring files...
    All done.
    Rebooting...
This may take a few minutes. Use the show shell command to verify your settings are restored, or log into the web-based manager.
Appendix: FortiAnalyzer reports in 3.0 MR7

Reports have changed dramatically in FortiAnalyzer 3.0 MR7, from how you configure them to the default naming scheme given when generated. Fortinet recommends reviewing the FortiAnalyzer Administration Guide for FortiAnalyzer 3.0 MR7 to help you understand and familiarize yourself with the changes.
FortiGate reports

Intrusion Activity
The following table explains which Intrusion Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.
Summary Reports

The following table explains what Summary reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7, including the category, if applicable, of where the re-named FortiAnalyzer 3.0 MR6 reports were moved to.
• Top Spam Destinations is now found in AntiSpam Activity
• Top Spam Sources is now found in the AntiSpam Activity

Forensic Reports

The following forensic reports explain what was changed for FortiAnalyzer 3.0 MR7. These reports are now merged within the other report categories.

Audit
The following table explains which Audit Forensic reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.
Summary
The following table explains what Summary Forensic reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7, including the category, if applicable, of where the re-named FortiAnalyzer 3.0 MR6 reports were moved to.
Table 37: Virus Recipient reports (FortiAnalyzer 3.0 MR6 report name -> FortiAnalyzer 3.0 MR7 report name)
• Top Remote Virus Recipient by Day of Month -> Top Remote Virus Recipient
• Top Remote Virus Recipient by Week of Year -> Top Remote Virus Recipient
• Top Remote Virus Recipient by Month -> Top Remote Virus Recipient

Virus Destination IP
The following table explains which Virus Destination IP reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.