Contents Introduction ... 9 About this document... 9 Fortinet documentation... 10 Fortinet Tools and Documentation CD ... 10 Fortinet Knowledge Center ... 11 Comments on Fortinet technical documentation ... 11 Customer service and technical support ... 11 What’s new for 3.0 MR7 ... 13 3.0 MR7 new features and changes ...
Top Traffic... 43 Top Web Traffic ... 44 Network ... 45 Interface ... 45 Changing interface settings ... 45 About Fortinet Discovery Protocol ... 47 DNS ... 47 Routing... 47 Adding a route ... 48 Admin ... 48 Adding or editing an administrator account... 49 Changing an administrator’s password ...
Configuring unregistered device connection attempt handling ... 79 Manually adding a device ... 80 Classifying FortiGate network interfaces... 84 Manually adding a FortiGate unit using the Fortinet Discovery Protocol (FDP) Blocking device connection attempts ... 86 Configuring device groups ... 88 Log...
This chapter contains the following topics:
• About this document
• Fortinet documentation
• Customer service and technical support

About this document
This document describes how to configure and use FortiAnalyzer units through their web-based manager.
This appendix also includes what reports were removed and what were unchanged in FortiAnalyzer 3.0 MR7. The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com.
Fortinet Tools and Documentation CD All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation, see the Fortinet Technical Documentation web site at http://docs.forticare.com.
Customer service and technical support Introduction FortiAnalyzer Version 3.0 MR7 Administration Guide 05-30007-0082-20080908...
This section lists and describes the new features and changes in FortiAnalyzer 3.0 MR7. This chapter also includes detailed information about how to properly upgrade to FortiAnalyzer 3.0 MR7. New CLI commands, as well as changes to existing CLI commands, are found in the What’s new chapter of the FortiAnalyzer CLI Reference.
• Network Summary menu removed – The Network Summary menu was removed in FortiAnalyzer 3.0 MR7. This menu was removed because most of the information that it previously displayed now displays as widgets on the Dashboard. See “Dashboard” on page 25 for the new widgets that have replaced the Network Summary menu.
CLI displays the tasks in the upload queue A new diagnose command, diagnose upload status, has been added in FortiAnalyzer 3.0 MR7 for displaying files that are in the upload queue. Previously, in FortiAnalyzer 3.0 MR6, a queue maintained the upload tasks, but there was no way of verifying what was and what was not included in the queue.
FortiAnalyzer 3.0 MR7. In FortiAnalyzer 3.0 MR7, you can now enable custom fields for log messages so that when the FortiAnalyzer unit receives these types of log messages, it can index them properly for reports or searching logs.
What’s new for 3.0 MR7 Fortinet recommends configuring a test report layout and report schedule to familiarize yourself with how reports are configured in FortiAnalyzer 3.0 MR7. See “Reports” on page 113. In Report > Config, new tabs were added: Layout, Data Filter, Output, and Language.
3.0 MR7 new features and changes Alert email configuration changes When configuring an alert email in Alert > Alert Event, you now are required to enter information in the following fields: • alert name • destination (or destinations) • device Another configuration change is a drop-down list, providing the destinations of syslog servers, mail servers and SNMP access lists.
Administrative Domains (ADOMs)
Administrative Domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific FortiGate VDOM. This section includes the following topics: •...
About administrative domains (ADOMs)
Table 2: Configuration locations when ADOMs are enabled
Within Global Configuration:
System > Dashboard (includes tabs, if configured)
System > Network > Interface
System > Network > DNS
System > Network > Routing
System > Admin > Administrator
System >...
Administrative Domains (ADOMs) • If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A subset of the typical menus or CLI commands appears, allowing access only to logs, reports, quarantine files, content archives, IP aliases, and LDAP queries specific to your ADOM.
Configuring ADOMs
Administrative domains (ADOMs) are disabled by default. To use administrative domains, the admin administrator must first enable the feature, create ADOMs, and assign other FortiAnalyzer administrators to an ADOM.
Figure 1: Administrative Domain Configuration
Global Configuration: The admin administrator can access the global configuration. Select Main Menu to return to the Admin Domain Configuration page.
Administrative Domains (ADOMs)
To add or edit an ADOM
Log in as admin. Other administrators cannot enable, disable, or configure ADOMs.
Select Create New, or select the check box next to an ADOM and select Edit.
Enter a Name for the ADOM.
Select which devices to associate with the ADOM from Available Devices, then select the right arrow to move them to Selected Devices.
Accessing ADOMs as the admin administrator
Assigning administrators to an ADOM
When ADOMs are enabled, additional ADOM items become available to the admin administrator and the structure of the web-based manager menu changes. After logging in, other administrators implicitly access the subset of the web-based manager that pertains only to their ADOM, while the admin administrator accesses the root of the web-based manager and can use all menus.
System
The System menu contains basic FortiAnalyzer unit system settings, such as network interfaces, DNS, routing, local logging, administrators, and network shares, and displays system statistics and provides basic system operations from the Dashboard. From the System menu, you can also back up or restore a configuration, or update the firmware on the FortiAnalyzer unit.
Dashboard Figure 1: Dashboard of a FortiAnalyzer-100A unit displaying one of the new widgets Log Receive Monitor and a tab, Branch Office To rearrange a Dashboard widget Go to System > Dashboard. Place your mouse cursor over the widget’s title bar area, but not over buttons such as Hide or Close.
System Select Show or Hide. The widget toggles between showing the full widget and being minimized to show only its title bar. To include a Dashboard widget Go to System > Dashboard. Select “+ Widget”. A widget selection overlay appears. Select one or more widgets.
Dashboard RAID Monitor Enter a new name and press Enter. To delete a tab Go to System > Dashboard. Double-click on the name of the tab and select the (X) symbol. The RAID Monitor area of the Dashboard displays information about the status of RAID disks as well as what RAID level has been selected.
System
Figure 4: RAID Monitor displaying a disk that is being rebuilt (callouts: Rebuilding icon; Array Status; Disk space usage Used/Free/Total; Rebuild Status progress bar; Estimated rebuild time [start and end time] (for software RAID only); Rebuild Warning)
System Information
The System Information area of the Dashboard displays basic information about the FortiAnalyzer unit, such as up time and firmware version.
The serial number of the FortiAnalyzer unit. The serial number is unique to the FortiAnalyzer unit and does not change with firmware updates. Use this number when registering your FortiAnalyzer unit with Fortinet. Uptime The time in days, hours and minutes since the FortiAnalyzer was started or last rebooted.
System Synchronize with NTP Server Server Sync Interval Changing the host name Change the FortiAnalyzer host name to differentiate the FortiAnalyzer from other FortiAnalyzer units or other devices on your network. To change the host name Go to System > Dashboard. In the System Information area, select Change for the Host Name.
Dashboard
System Resources
RVS Plug-ins: The version of the RVS plug-in, and the date of its last update. This feature is not available on the FortiAnalyzer-100.
Device License: A total of the number of each device type connecting or attempting to connect to the FortiAnalyzer unit.
System To view the FortiAnalyzer operational history Go to System > Dashboard. Select History in the upper right corner of the System Resources area. CPU Usage Memory Usage Session Network Utilization System Operation Some basic operations can be performed directly from the Dashboard in the System Operation area.
Dashboard Alert Message Console Resetting to the default configuration You can reset the FortiAnalyzer unit to its default configuration. Resetting the configuration does not restore the original firmware. Configuration and firmware are distinct. Use the procedures on page 169 for managing firmware. Caution: Back up the configuration before resetting.
System
Figure 10: Alert messages (fields: Page; Include ... and higher; Keep Unacknowledged Alerts for; formatted | raw; Device; Event; Severity; Time; Counter; Delete)
Statistics
The Statistics area of the Dashboard counts the numbers of sessions, logs, and reports handled by the FortiAnalyzer unit.
Figure 11: Statistics (Since; Connections...)
Dashboard Report Engine To view the session information Go to System > Dashboard. In the Statistics area, next to Connections, select Details. Resolve Host Name Select to display host names by a recognizable name rather than IP addresses. For more information about configuring IP address host names, see Resolve Service Select to display network service names rather than port numbers,...
System Log Receive Monitor The Log Receive Monitor displays historical analysis of the rate at which logs are received. This widget displays this information in a graphical format. You can display information by the type of logs or by device and you can also specify the time period.
Dashboard Intrusion Activity Virus Activity Intrusion Activity displays the top attacks that occurred on the network. This information is gathered from attack logs. You can edit the Intrusion Activity widget to display specific information by using the following procedure. Figure 14: Intrusion Activity widget To edit the information for Intrusion Activity Go to System >...
System Figure 15: Virus Activity widget To edit the information for Virus Activity Go to System > Dashboard. In Virus Activity, select Edit in the title bar area. Enter the appropriate information for the following: Device Display by Time Scope No.
Dashboard Top Email Traffic To edit the information for Top FTP Traffic Go to System > Dashboard. In Top FTP Traffic, select Edit in the title bar area. Enter the appropriate information for the following: Device Select the registered device or device group from the drop-down list.
System Enter the appropriate information for the following: Device Display by Filter Protocol Filter Domain Time Scope No. Entries Select OK. Top IM/P2P Traffic Top IM/P2P Traffic displays the top instant messaging and P2P programs used, using a bar chart. The information displays each IM and P2P program separately by user.
Dashboard Top Traffic Enter the appropriate information for the following: Type Select the type of program you want displayed, either IM or P2P. Device Select the registered device or device group from the drop-down list. Display by Select one of the following to filter the information: •...
System Enter the appropriate information for the following: Device Display by Filter Port Time Scope No. Entries Select OK. Top Web Traffic Top Web Traffic displays the total web traffic usage on the network. This information is displayed as a bar chart. Information for this widget is gathered from the Web Filter logs, if you selected By Requests, or, if you selected By Volume, from the traffic logs.
Discovery Protocol is enabled for an interface, a green check appears. For more information about FDP, see “About Fortinet Discovery Protocol” on page 47 and “Manually adding a FortiGate unit using the Fortinet Discovery Protocol (FDP)”; see also “Administrative Access”.
Select Modify to change the interface settings. The interface name cannot be changed. Select Enabled to allow responses to Fortinet Discovery Protocol (FDP) on the interface, allowing FortiGate devices to find the FortiAnalyzer unit automatically. For more information about FDP, see “About Fortinet Discovery Protocol”...
Network Routing About Fortinet Discovery Protocol FortiGate units running FortiOS version 3.0 or greater can use Fortinet Discovery Protocol (FDP), a UDP protocol, to locate a FortiAnalyzer unit. When a FortiGate administrator selects Automatic Discovery, the FortiGate unit attempts to locate FortiAnalyzer units on the network within the same subnet. If FDP has been enabled for its interface to that subnet, the FortiAnalyzer unit will respond.
System Adding a route Static routes provide the FortiAnalyzer unit with the information it needs to forward a packet to a particular destination other than the default gateway. To add a static route Go to System > Network > Routing. Select Create New.
Admin Adding or editing an administrator account Name The assigned name for the administrator. Trusted Hosts The IP address and netmask of acceptable locations for the administrator to log in to the FortiAnalyzer unit. If you want the administrator to be able to access the FortiAnalyzer unit from any address, use the IP address and netmask 0.0.0.0/0.0.0.0.
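The Trusted Hosts check described above, written out as an added Python example (not from the guide or from Fortinet): it evaluates a login source against address/netmask entries in the form the field accepts, and lists the accounts whose entry 0.0.0.0/0.0.0.0 permits logins from any address, which is the setting an administrator reviewing access would want to find. The account names and addresses are constructed sample data.

```python
import ipaddress

# Constructed sample administrator accounts, each with its Trusted Hosts entries
# in the "address/netmask" form the FortiAnalyzer field accepts.
SAMPLE_ACCOUNTS = {
    "admin": ["0.0.0.0/0.0.0.0"],                      # any address: wide open
    "noc_readonly": ["192.168.10.0/255.255.255.0",      # one management subnet
                     "10.1.2.3/255.255.255.255"],       # plus a single jump host
}


def parse_trusted_host(entry: str) -> ipaddress.IPv4Network:
    """Turn 'a.b.c.d/w.x.y.z' into a network. strict=False keeps entries such as
    '10.1.2.3/255.255.255.255' and '10.1.2.3/255.255.255.0' both valid."""
    address, netmask = entry.split("/", 1)
    return ipaddress.IPv4Network((address, netmask), strict=False)


def login_permitted(client_ip: str, trusted_hosts: list) -> bool:
    """True if the client address falls inside any of the account's trusted hosts."""
    client = ipaddress.IPv4Address(client_ip)
    return any(client in parse_trusted_host(entry) for entry in trusted_hosts)


def unrestricted_accounts(accounts: dict) -> list:
    """Names of accounts with a trusted host that matches every address
    (a 0.0.0.0 netmask, i.e. prefix length 0), sorted for stable output."""
    return sorted(name for name, hosts in accounts.items()
                  if any(parse_trusted_host(h).prefixlen == 0 for h in hosts))


if __name__ == "__main__":
    for name, hosts in SAMPLE_ACCOUNTS.items():
        print(name, "from 192.168.10.20:", login_permitted("192.168.10.20", hosts))
    print("accounts reachable from any address:", unrestricted_accounts(SAMPLE_ACCOUNTS))
```

Run against an export of your own administrator list, unrestricted_accounts shows at a glance which accounts still carry the any-address entry; tightening those to the management subnet reduces the exposure of the web-based manager without touching the access profile.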
System Access Profile Admin Domain Changing an administrator’s password The admin administrator and administrators with read and write permissions can change their own account passwords. Administrators with read-only permissions cannot change their own password. Instead, the admin administrator must change the password for them. To change the administrator account password Go to System >...
Admin Auth Group Figure 24: Access Profile Note: Administrator accounts can also be restricted to specific devices or VDOMs in the FortiAnalyzer device list. For more information, see page To create an access profile Go to System > Admin > Access Profile. Select Create New.
System RADIUS Server RADIUS servers authenticate administrators. The following procedure explains how to add a RADIUS server for authenticating administrators. To add a RADIUS server Go to System > Admin > RADIUS Server. Select Create New. Configure the following and select OK: Name Server IP/Name Shared Secret...
Network Sharing Monitor Network Sharing Adding share users PIN Protection Enable, then enter a Personal Identification Number (PIN) to secure the LCD access to FortiAnalyzer units with an LCD panel. The PIN must be six digits. This option only appears on models with an LCD panel. Admin Domain Enable or disable administrative domains (ADOMs).
System Enter the following information for the user account and select OK: User name UID (NFS only) Enter a user ID. Password Description Adding share groups You can create network share user groups to maintain access privileges for a large number of users at once. To add a user group Go to System >...
Network Sharing Permissions Permissions for the user or groups. This can be either Read Only or Read Write. Modify Select Edit to change any of the options for file sharing. Select Delete to remove the file share. To enable Windows shares Go to System >...
System Select the type of access rights the users and groups will have and select the appropriate right arrow to move the user or group name to the Read-Only Access or Read-Write Access boxes. Select OK. Configuring NFS shares You can configure the FortiAnalyzer unit to provide folder and file sharing using NFS sharing.
Config
Automatic file deletion and local log settings Note: The default permissions for files and folders are read and execute privileges. The owner of the document also has write privileges. To enable write access for users and groups, you must select the write permission for the folder and for the user and the group. For more information, see “Default file permissions on NFS shares”...
System
Figure 30: FortiAnalyzer unit log settings (fields: Log Locally; Log Level; Allocated Disk Space (MB); Log options when log disk is full; Use System Device Log Settings; Log file should not exceed)
Log Locally: Select to save the FortiAnalyzer log messages on the FortiAnalyzer hard disk.
Config Configuring log aggregation
Log file should be rolled... even if size is not exceeded: Select the frequency of when the FortiAnalyzer unit renames the current log file and starts a new active log file.
• Daily: Roll log files daily, even if the log file has not yet reached maximum file size.
FortiAnalyzer model, due to storage and resource requirements.
Table: FortiAnalyzer Model | Aggregation Client | Aggregation Server
FortiAnalyzer-100A/100B
FortiAnalyzer-400
FortiAnalyzer-800/800B
FortiAnalyzer-2000/2000A
FortiAnalyzer-4000/4000A
See the Knowledge Center article Traffic Types and TCP/UDP Ports used by Fortinet Products.
Config Configuring log forwarding Configuring an aggregation client An aggregation client is a FortiAnalyzer unit that sends logs to an aggregation server. These include models such as the FortiAnalyzer-100A/100B and FortiAnalyzer-400. To configure the aggregation client Go to System > Config > Log Aggregation. Select Enable log aggregation TO remote FortiAnalyzer.
System Enter the IP address of the external syslog server in Remote device IP. Select whether to Forward all incoming logs or Forward only authorized logs (authorized according to a device’s permissions in the device list). Select the Minimum Severity threshold. All log events of equal or greater severity will be transmitted.
RAID settings can be configured from the Dashboard, in the RAID Monitor widget as well as from System > Config > RAID. Caution: Fortinet recommends using RAID 10 if your FortiAnalyzer unit uses software RAID and redundancy is required. Using RAID 5 causes system performance issues.
System Note: Fortinet recommends having an Uninterruptible Power Supply (UPS) in the event of a power failure. UPS is recommended because when a power failure occurs, data in the write cache is lost. Write cache is used to store data locally in memory before being written to the disk drive media, and then continuing on to the next task.
In this situation, it is important to replace a failed drive as quickly as possible. Note: Fortinet recommends using RAID 10 for redundancy instead of RAID 5 on FortiAnalyzer units with software RAID. RAID 5 causes system performance issues.
System You can use any brand of hard disk to replace a failed hard disk, as long as it has the same capacity or greater. For example, if replacing a 120 GB hard drive, you could use either a 120 GB or 250 GB hard drive. Caution: Do not replace a failed RAID hard disk with a smaller capacity hard disk.
Config Hot swapping the FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A The following diagram indicates the drive number and their location in the FortiAnalyzer unit when you are looking at the front of the unit. Refer to this diagram before removing the disk drive to ensure you remove the correct one. You can use any brand of hard disk to replace a failed hard disk;...
System The options available here will depend on the RAID level selected. For most RAID levels, you can only add the new hard disk back into the RAID array. If you are running a RAID level with hot spare, you can also add the new hard disk as the hot spare.
Config Configuring LDAP connections RAID settings can be configured from the Dashboard, in the RAID Monitor widget as well as from System > Config > RAID. Caution: Back up all data before changing the RAID level. If you change RAID levels, the FortiAnalyzer unit reformats the hard disks to support the new setting, which may result in data loss.
System
Figure 34: LDAP settings
To define an LDAP server query
Go to System > Config > LDAP. Select Create New. Complete the following: Name; Server Name/IP; Server Port; Server Type; Bind DN; Bind Password; Common Name Identifier; Base DN; LDAP Distinguished Name Query.
Select OK. The LDAP query becomes an available option when configuring variables for report profiles. For more information, see
Maintenance
Maintenance enables you to back up and restore configuration files for the FortiAnalyzer unit, to upload firmware, and to configure automatic RVS updates. Backup &...
• configure the FortiAnalyzer unit to periodically request updates from the Fortinet Distribution Network (FDN) You must first register the FortiAnalyzer unit with the Fortinet Technical Support web site. The FortiAnalyzer unit must also have a valid Fortinet Technical Support contract, which includes RVS update subscriptions, and be able to connect to the FDN or the IP address that you have configured to override the default FDN addresses.
Maintenance Figure 36: FortiGuard Center FortiGuard The RVS (remote vulnerability scan) engine and module version number, date of last update, and status of the connection to the Fortinet Subscription Distribution Network (FDN). Services A green indicator means that the FortiAnalyzer unit can connect to the FDN or override server.
System (fields: Port; Name; Password; Scheduled Update: Every / Daily / Weekly; Request Update)
Port: Enter the port number of the web proxy. This is usually 8080.
Name: If your web proxy requires a login, enter the user name that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.
For a diagram of traffic types, ports and protocols that FortiAnalyzer units use to communicate with other devices and services, see the Knowledge Center article Traffic Types and TCP/UDP Ports used by Fortinet Products.
This section includes the following topics: •...
Viewing the device list Devices may automatically appear on the device list when the FortiAnalyzer receives a connection attempt, according to your configuration of Unregistered Device Options, but devices may also automatically appear as a result of importing log files. For more information, see
To view the device list, go to Device >...
Device (columns: Secure Connection; Disk Space (MB) Used/Allocated; Action)
• Tx indicates logging access for all devices managed by the FortiManager system.
• Rx indicates that the FortiManager system can remotely administer the FortiAnalyzer unit.
For more information about configuring device connection permissions, see “Devices Privileges”...
Viewing the device list Maximum number of devices For unregistered devices, additional icons appear. Select Add to add the device to the device list and to configure the connection, or select Block to stop further connection attempts. For instructions on manually adding devices, see “Manually adding a device”...
Device For networks with more demanding logging scenarios, an appropriate device ratio may be less than the allowed maximum. Performance will vary according to your network size, device types, logging thresholds, and many other factors. When choosing a FortiAnalyzer model, consider your network’s log frequency, and not only your number of devices. A VDOM or high availability (HA) cluster counts as a single “device”...
Configuring unregistered device connection attempt handling
You can configure the FortiAnalyzer unit to accept and handle connection attempts automatically, or to allow connections only from devices that you have manually added. Allowing the connection and registering the device enables certain FortiAnalyzer features.
Device
Figure 2: Unregistered Device Options
To configure device connection attempt handling
Go to Device > All > Device. Select Unregistered Devices Options. Select from the following options for known device types:
• Ignore connection and log data
• Allow connection, add to unregistered table, but ignore log data
• Allow connection, register...
Manually adding a device
You can add devices to the FortiAnalyzer unit’s device list either manually or automatically. If you have configured Unregistered Device Options to automatically register known-type devices, you may only need to manually add unknown-type devices such as a generic Syslog server.
Device
Figure 3: Configuring a device (fields: Device Type; Device Name; IP Address; Device ID; Mode; Member IDs; Description; Allocated Disk Space (MB))
Device Type: Select the device type. The type is automatically pre-selected if you are adding an unregistered device from the device list, or if you are editing an existing device.
Manually adding a device Amounts following the disk space allocation field indicate the amount of disk space currently being used by the device, and the total amount of disk space currently available on the FortiAnalyzer unit.
When Allocated Disk Space is All Used: Select to either overwrite older files or stop logging, to indicate what the FortiAnalyzer unit should do when the allocated disk space has been used.
Device Select the blue arrow to expand Group Membership. This option does not appear if Device Type is FortiClient. In that case, also skip the following step. From the Available Groups area, select a device group or groups, if any, to which you want to assign the device, then select the right arrow button to move the group name into the Membership area.
Select OK. If you configure the FortiAnalyzer unit to respond to Fortinet Discovery Protocol (FDP) packets, FortiGate units running FortiOS version 3.0 or greater can use FDP to locate a FortiAnalyzer unit. To use FDP, both units must be on the same subnet, and they must be able to connect using UDP.
Internet or through other firewalls, this may fail to locate the FortiAnalyzer unit, and you may need to configure an IPSec VPN tunnel to facilitate the connection. For more information and examples, see the Fortinet Knowledge Center article behind a local FortiGate.
From the Connect To list, select a FortiAnalyzer unit.
Blocking device connection attempts
Test Connectivity does not verify connectivity by Syslog. Syslog is required to send log messages. To verify Syslog connectivity, trigger FortiGate logs, then go to Log&Report > Log Access > Remote. The steps required to trigger sending log messages from the FortiGate unit vary by the log type.
Device To block a device Go to Device > All > Device. From Show, select Unregistered. If the device is currently registered, you must first delete the device before you can block it. For more information, see
In the row corresponding to the device that you want to block, in the Action column, select Block.
Configuring device groups Figure 5: List of device groups Create New Select to configure a new device group. Show Select the type of device groups to display, such as FortiGate, FortiManager, FortiMail or Syslog groups. Group Name The name of the device group. Members The device names of devices that are members of the device group.
FortiAnalyzer units collect logs from network hosts such as FortiGate, FortiMail, FortiClient, FortiManager, and Syslog devices. By using the Log menu, you can view both device and FortiAnalyzer log files and messages, as well as content archive summaries. The FortiAnalyzer unit can display device logs in real-time, enabling you to view log messages as the FortiAnalyzer unit receives them.
Viewing log messages Viewing historical log messages Figure 1: Viewing current logs Column Settings Devices Select the type of device you want to view logs from. If you select All FortiGates, all log messages from all registered FortiGate units appear. Log types Select to view a different device’s logs, or a different log type.
Figure 2: Viewing historical logs (controls: Devices; Log Types; Formatted | Raw; View n per page; Page n of n; Column Settings; Search; Printable Version; Download Current View)
Devices: Select the type of device you want to view logs from. If you select All FortiGates, all log messages from all registered FortiGate units appear.
Browsing log files
To view historical logs Go to Log > Log Viewer > Historical. From Devices, select the device whose logs you want to view. Unregistered devices will not appear in the list. To view a device’s logs, you must register the device first.
Log files Last Modified Size (bytes) Action Viewing log file contents The Log Browser tab enables you to view all log messages within local or device log files. If you display the log messages in Formatted view, you can display and arrange columns and/or filter log messages by column contents.
Browsing log files Importing a log file Formatted | Raw Select a view of the log file. Selecting Formatted (the default) displays the log files in columnar format. Selecting Raw, displays the log information as it actually appears in the log file. Resolve Host Name Select to display host names by a recognizable name rather than IP addresses.
In Filename, enter the path and file name of the log file, or select Browse. Select OK. A message appears, stating that the upload is beginning, but will be cancelled if you leave the page. Select OK. Upload time varies by the size of the file and the speed of the connection. After the log file successfully uploads, the FortiAnalyzer unit inspects the log file.
Customizing the log view
Displaying and arranging log columns Select Download Current View. Configure the following: Convert to CSV format Downloads the log as a comma-separated value (.csv) file instead of a standard .log file. Each log element is separated by a comma.
Figure 5: Displaying and arranging log columns To display or hide columns Go to a page which displays log messages, such as Log > Log Viewer > Real-time. Select Column Settings. Lists of available and displayed columns for the log type appear. Select which columns to hide or display.
Customizing the log view Note: Filters do not appear in Raw view, or for unindexed log fields in Formatted view. When viewing real-time logs, you cannot filter on the time column: by definition of the real-time aspect, only current logs are displayed. Figure 6: Filter icons Filter icon Filter in use...
• 1.1.1.1 or 2.2.2.1-2.2.2.10 Most column filters require that you enter the column’s entire contents to successfully match and filter contents; partial entries do not match the entire contents, and so will not create the intended column filter. For example, if the column contains a source or destination IP address (such as 192.168.2.5), to create a column filter, enter the entire IP address to be matched.
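The whole-value matching rule for IP address column filters, including the single-address and address-range forms shown above, as an added Python example (not code from the guide or from Fortinet). It shows why a partial entry such as 192.168.2 never matches a column containing 192.168.2.5: the filter is compared against the complete address, not as a prefix. The log rows are constructed sample data.

```python
import ipaddress

# Constructed sample log rows as they might appear in the Formatted view, one
# dict per message with the column name as the key.
SAMPLE_ROWS = [
    {"src": "192.168.2.5", "dst": "10.0.0.8"},
    {"src": "2.2.2.7", "dst": "10.0.0.9"},
    {"src": "2.2.2.11", "dst": "10.0.0.9"},
    {"src": "192.168.2.50", "dst": "10.0.0.8"},
]


def parse_ip_filter(text: str):
    """Return the (low, high) bounds for a filter of the form 'a.b.c.d' or
    'a.b.c.d-e.f.g.h'. A partial address such as '192.168.2' is not a complete
    value and raises ValueError, so it can never match a full column entry."""
    parts = [p.strip() for p in text.strip().split("-", 1)]
    low = ipaddress.IPv4Address(parts[0])
    high = ipaddress.IPv4Address(parts[-1])
    if low > high:
        raise ValueError(f"range {text!r} is reversed")
    return low, high


def matches_ip_filter(cell: str, filter_text: str) -> bool:
    """Whole-value match: the cell must be a full address inside the filter bounds."""
    try:
        low, high = parse_ip_filter(filter_text)
        value = ipaddress.IPv4Address(cell.strip())
    except ValueError:  # partial or malformed entry on either side: no match
        return False
    return low <= value <= high


def filter_rows(rows: list, column: str, filter_text: str) -> list:
    """Apply a column filter and return only the rows whose column matches."""
    return [row for row in rows if matches_ip_filter(row.get(column, ""), filter_text)]


if __name__ == "__main__":
    for text in ("192.168.2.5", "192.168.2", "2.2.2.1-2.2.2.10"):
        print(text, "->", [r["src"] for r in filter_rows(SAMPLE_ROWS, "src", text)])
```

The same comparison explains the behaviour an analyst sees in the web-based manager: to see every host in 192.168.2.0/24 you enter the range 192.168.2.1-192.168.2.254 rather than the truncated prefix.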
Searching the logs Device/Group Select to search logs from the FortiAnalyzer unit (LocalLogs), a device, or a device group. Date Select to search logs from a time frame, or select Specify and define a custom time frame by selecting the From and To date and times. From Enter the date and select the time of the beginning of the custom time range.
To search the logs Go to Log > Search. From Device/Group, select which device or device group’s logs you want to search. From Date, select Any time to search log messages from all time periods, select a predefined time period, or select Specify and then define the starting and ending time of your custom time period.
Searching the logs Printing the search results Downloading the search results • Some keywords will not match unless you include both the log field name and its value (type=webfilter). • Remove unnecessary keywords and search filters which can exclude results. In More Options, if All Words is selected, for a log message to be included in the search results, all keywords must match;...
To download log search results Go to Log > Search. Perform a search using either basic or advanced search. If your search finds one or more matching log events, a Download Current View button appears next to the Printable Version button. Select Download Current View.
Rolling and uploading logs Figure 8: Device Log Settings Log file should not exceed: Enter the maximum size of each device log file. When the log file reaches the specified maximum size, the FortiAnalyzer unit saves the current log file with an incremental number and starts a new active log file.
Upload rolled files in gzipped format: Select to compress the log files in gzipped format before uploading to the server. Delete files after uploading: Select to remove the log file from the FortiAnalyzer hard disk after the FortiAnalyzer unit completes the upload.
FortiAnalyzer Version 3.0 MR7 Administration Guide 05-30007-0082-20080908
Content Archive Content archiving provides a method of simultaneously logging and archiving copies of content transmitted over your network, such as email and web pages. FortiGate units can log metadata for common user content-oriented protocols. Content logs include information such as the senders, recipients, and the content of messages and files.
Viewing content archives • whether the FortiAnalyzer unit has the copy of the file or message associated with the summary log message (that is, full content archives do not appear if you have deleted the associated copy of the file or message) For more information about requirements and configuration of content archiving, see the FortiGate Administration...
Content Archive Note: Content Archive allows you to both view logged details and to download the archived files. If you want to display only the content archive log file, instead go to Log > Browse and select the device’s clog.log file. For more information, see By default, Content Archive >...
Customizing the content archive view Filtering logs Select which columns to hide or display. • In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Display Fields area.
Content Archive Enter the text that matching log messages must contain. Matching log messages will be excluded or included in your view based upon whether you have selected or deselected NOT. Select OK. A column’s filter icon is green when the filter is currently enabled. To disable a filter In the heading of the column whose filter you want to disable, select the filter icon.
Searching full email content archives You can search full email content archives to quickly locate and view messages, such as those whose body contains a specific term. Full email content archive searches create a focused content archive view that contains only full content archives.
Content Archive The recipient's email address. Last activity: The date and time that the FortiAnalyzer unit received the content archive. Subject: The subject line of the email. Select the subject line of the email to view the email and its attachment, if any, in a pop-up window. Size
FortiAnalyzer reports are also flexible, offering administrators a choice to compile a report layout based on variables (which can be reused) or based on specific information. Fortinet recommends creating a report layout based on variables and then reusing them. This section includes the following topics: •...
Configuring reports Configuring report layout Note: Reports cannot be created for devices that are of an unknown type, such as generic Syslog devices, nor for devices that are not registered with the FortiAnalyzer unit's device list. For more information about registering devices, see page The Layout tab enables you to configure and define multiple report layouts, which can then be applied to report schedules or generated immediately.
Reports Figure 2: Layout There are also default report layouts to choose from; they appear in the report layout list alongside the report layouts you created. The default layouts are: • Bandwidth_Analysis – an overview of bandwidth-consuming applications and users •...
Configuring reports Title Page Logo Select the Browse logo files icon to choose a logo that will appear on the title page of the report. You need to select a logo file format that is compatible with your selected file format outputs.
Reports Editing charts in a report layout You can edit charts at any time and rearrange them from within the Chart List. You can also edit Text and Section items. The following procedure assumes you have already selected, in Layout, the report layout whose charts, Text and Section you want to edit.
Configuring reports To edit a chart Select Edit beside the chart name. Enter the appropriate information for the following: Chart Output Select one of the following to display chart information: • Table & Graph – displays both a table and graph •...
Reports Select OK. If you want to rearrange the charts so that they are presented in a different order, select and drag a chart (using your mouse) to above or below another chart. The order is reflected in the generated report. To edit text Select Edit beside the text name.
Configuring reports Create New Select to create a new report schedule and configure the settings. Delete Select to remove report schedules whose check boxes are selected. • To delete one or more report schedules, select the check box next to their report name, then select Delete. •...
Reports Log Data Filtering Data Filter Time Period Output Select OK. Monthly: Select to generate the report on a specific day or days of the month. Separate the days with commas. For example, to generate the report on the first, 21st and 30th days of the month, enter: 1, 21, 30.
Configuring reports Configuring data filter templates You can configure multiple data filter templates for reports in Report > Config > Data Filter. These templates can be applied to any report schedule you want. Figure 4: Data filter templates Create New Select to create a new data filter template and configure its settings.
Reports Figure 5: Configuring a data filter template To configure data filters for a report Go to Report > Config > Data Filter. Select Create New. Enter and/or select the appropriate information for the fields and check boxes for the following: Name Description Filter logic...
Configuring reports Alias Select the appropriate alias from the drop-down list. See Configuring IP alias on page 50 for more information about configuring IP aliases. You can filter on IP ranges or subnets. For example: • 172.20.110.0-255 matches all IP addresses in the 172.20.110.0/255.255.255.0 or 172.20.120.110/24 •...
Reports Web Category Category List Priority Generic Filter(s) Select OK. Configuring report output templates You can configure the FortiAnalyzer unit to output the report in one or more file formats, save the reports of selected file formats to the FortiAnalyzer hard disk, and email the report to recipients.
Configuring reports E-Mail Destination The route the email will take when sent, in the format, <recipient_email address> (from <sender_email address> through <email server>). FTP/SFTP/SCP Server The type of server that the report will be uploaded to in the format, <ipv4>(typeofserver). For example, 10.10.20.15(FTP). Action Select Edit to view or modify the report output.
Reports Send Report by Mail: Verify this check box is selected. If you do not want to send a Email Output Email Attachment Name Email From Email Server Email To Email List Email Subject Email Body Upload Report to FTP Server
Configuring reports Username Password Directory Upload report(s) in gzipped format Delete file(s) after uploading Select OK. Configuring language When creating a report layout, you can select which language the report will be written in. If your preferred languages require modification, you can create your own report language customization, which then becomes available for selection in the report layout.
Comment lines are optional; you can add them throughout the file to provide notes on your work. If you require further format file customization, including adjustments to PDF objects, contact Fortinet Technical Support.
Configuring reports Note: Both format and string files use Unix-style line endings (LF characters, not CR-LF). Figure 8: Languages Download Format File Download String File Create New: Select to create a new report language customization. Language: The name of the report language customization. Description: The description of the report language customization.
Reports If you changed the encoding of the string file, open the format file using a plain text editor that supports Unix-style line endings, such as jEdit, and edit the encoding and character set values for each file format. If you have switched between a single-byte and a double-byte encoding, also set the doublebytes value to true (1) or false (0).
Browsing reports Note: The string file contains many keys, and each report type uses a subset of those keys. If your language modification does not appear in your report, verify that you have modified the string of a key used by that report type. To change a report language customization Go to Report >...
Reports Figure 9: Viewing reports in Report > Browse Refresh: Select to refresh the list. If the FortiAnalyzer unit is in the process of generating a report, use Refresh to update the status of the report generation. Delete Device Type Page Navigation Report Files Started Finished Size (bytes) Other Formats Action
Quarantine FortiAnalyzer units can act as a central repository for files that are suspicious or known to be infected by a virus, and have therefore been quarantined by your FortiGate units. This section describes how to view quarantined files. If a secure connection has been established with the device, the communication between the two units is the same IPSec tunnel that the FortiGate unit uses when sending log files.
Viewing quarantined files Date & Time: The date and time the FortiGate quarantined the file, in the format yyyy/mm/dd hh:mm:ss. If duplicate files are quarantined, the time and date indicate when the first file was quarantined. Service: The service by which the quarantined file was attempting to be transmitted, such as SMTP.
Alert Alerts provide a method of informing you of issues arising on a FortiGate unit, FortiClient installation, or the FortiAnalyzer unit itself, such as system failures or network attacks, enabling you to react in a timely manner to the event. You can configure the FortiAnalyzer unit alert conditions, instructing the FortiAnalyzer unit what devices and what log messages to monitor, and what to do in the event a log message appears meeting the alert conditions.
Alert Events Adding an alert event Adding an alert event enables you to receive notification when certain types of log messages are received. To add a new alert event Go to Alert > Alert Event. Select Create New. Configure the following options: Alert Name Enter a name indicating the type of alert the FortiAnalyzer is monitoring for.
Alert From Email Address: When configuring the FortiAnalyzer unit to send an email alert To Email Address Delete Include Alert Severity: Select the alert severity value to include in the outgoing alert. Select OK. Output When the FortiAnalyzer unit receives a log message meeting the alert event conditions, it sends an alert message as an email, syslog message or SNMP trap, informing an administrator of the issue and where it is occurring.
Output Configuring SNMP traps and alerts To add a mail server for alerts Go to Alert > Output > Mail Server. Select Create New. Configure the following options: SMTP Server The name/address of the SMTP email server. Enable Select the Authentication Enable check box to enable SMTP authentication.
Alert Figure 3: SNMP Access List Expand arrow SNMP Agent: Select to enable the SNMP agent. Description Location Contact Trap Type Trigger Threshold Sample Period(s) Sample Frequency(s): Enter a number for the frequency of triggers. The number can be Apply Create New Community Name
The Fortinet MIB contains support for all Fortinet devices, and includes some generic SNMP traps; information responses and traps that FortiAnalyzer units send are a subset of the total number supported by the Fortinet proprietary MIB. fnTrapFlgEventCount is associated with alerts, which arise from log messages received by the FortiAnalyzer unit from devices in the device list.
Output RFC-1213 (MIB II) • mib-2.system • mib-2.interface • mib-2.at • mib-2.ip • mib-2.icmp • mib-2.tcp • mib-2.udp • mib-2.ifMIB RFC-2665 (Ethernet-like MIB) • .dot3StatsTable • .dot3CollTable • .dot3ControlTable • .dot3PauseTable Configuring alerts by Syslog server You can configure Syslog servers to which the FortiAnalyzer unit can send alerts. You must add the syslog server before you can select it as a way for the FortiAnalyzer unit to communicate an alert.
Alert Configure the following options, and select OK. Name: Enter a name for the SNMP server. IP address (or FQDN): Enter the IP address or fully qualified domain name for the SNMP server. Port
Network Analyzer Network Analyzer can be used as an enhanced local network traffic sniffer to diagnose areas of the network where firewall policies may require adjustment, or where traffic anomalies occur. Network Analyzer logs all traffic seen by the interface for which it is enabled. If that network interface is connected to the span port of a switch, observed traffic will include all traffic sent through the switch by other hosts.
Connecting the FortiAnalyzer unit to analyze network traffic Figure 1: Example network topology for Network Analyzer use To connect the FortiAnalyzer unit for use with Network Analyzer Connect an Ethernet cable to a port on the FortiAnalyzer unit other than the port used to collect device logs.
Network Analyzer Viewing Network Analyzer log messages After attaching a FortiAnalyzer unit interface to the network and enabling the Network Analyzer for that interface, traffic information is displayed. The Network Analyzer's log viewers display logs of traffic seen by the network interface you have configured for use with Network Analyzer, focusing on specific time frames.
Viewing Network Analyzer log messages Viewing historical Network Analyzer log messages Protocol The protocol used when sending the traffic. Message Information payload of the traffic sent through the switch. The Historical tab in Tools > Network Analyzer displays Network Analyzer logs for a specific time range.
Network Analyzer Destination Port Protocol Message Browsing Network Analyzer log files The Browse tab in Tools > Network Analyzer enables you to see all stored Network Analyzer log files, view the Network Analyzer logs, download log files to your hard disk or delete unneeded files. When a log file reaches its maximum size, the FortiAnalyzer unit saves the log file with an incremental number, and starts a new log file with the same name.
Browsing Network Analyzer log files Figure 5: Viewing Network Analyzer logs Column Settings Type The type of log you are viewing and the device where it originated. Change Select to view a different log file. Formatted | Raw Select a view of the log file. Selecting Formatted (the default) displays the network traffic log files in columnar format.
Network Analyzer Downloading a Network Analyzer log file You can download a log file to save it as a backup or for use outside the FortiAnalyzer unit. You can choose to download either the entire file or only log messages selected by filtering. To download a whole log file Go to Tools >...
Customizing the Network Analyzer log view Displaying and arranging log columns Log messages can be displayed in either Raw or Formatted view. • Raw view displays log messages exactly as they appear in the log file. •...
Network Analyzer Select which columns to hide or display. • In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Display Fields area. Alternatively, to display all columns, select the double right arrow. •...
Customizing the Network Analyzer log view If you want to exclude log messages with matching content in this column, select NOT. If you want to include log messages with matching content in this column, deselect NOT. Enter the text that matching log messages must contain. Matching log messages will be excluded or included in your view based upon whether you have selected or deselected NOT.
Network Analyzer Searching the Network Analyzer logs You can search the Network Analyzer log files for matching text using two search types: Quick Search and Full Search. You can use Quick Search to find results more quickly if your search terms are relatively simple and you only need to search indexed log fields.
Searching the Network Analyzer logs Search tips More Options Select the blue arrow to hide or expand additional search options. Other Specify additional criteria, if any, that can be used to further restrict the search criteria. • Source IP: Enter an IP address to include only log messages containing a matching source IP address.
Network Analyzer • You can search for IP ranges, including subnets. For example: • • • The search returns results that match all of the search terms. For example, consider two similar keyword entries: 172.20.120.127 tcp and 172.20.120.127 udp. If you enter the keywords 172.20.120.127 tcp, UDP traffic would not be included in the search results, since although the first keyword (the IP address) matches, the second keyword, tcp, does not match.
Rolling and uploading Network Analyzer logs Select the download options that you want, then select OK. Convert to CSV format: Downloads the log as a comma-separated value (.csv) file instead of a standard .log file. Each log element is separated by a comma.
Network Analyzer Figure 9: Traffic Log Settings Enable Network Analyzer on Allocated Disk Space (MB) When Allocated Disk Space is All Used Reuse settings from standard logs Log rolling settings Log file should not exceed Log file should be rolled... even if size is not exceeded
Rolling and uploading Network Analyzer logs Enable log uploading: Select to upload log files to a server when a log file rolls. Server type: Select the protocol to use when uploading to the server: • File Transfer Protocol (FTP) • Secure File Transfer Protocol (SFTP) •...
Tools The Tools menu provides vulnerability scanning as well as viewing the files that are on your FortiAnalyzer unit. These tools help administrators either when issues appear or when trying to determine if there are any vulnerabilities on targeted hosts.
Preparing for the vulnerability scan job Preparing Windows target hosts authenticating without root or administrator credentials are typically not able to view sensitive areas of the system software or configuration; scans involving those parts cannot be accurately assessed without administrator credentials. You may also be required to modify the target host’s security policy to allow the connections and to ensure that the account uses administrator account privileges when authenticating remotely.
Tools Some vulnerability scan modules, such as those that test file permissions or check installed patch and software versions, require full access to the target host. Vulnerability scan modules for Microsoft Windows hosts specifically require an administrator account with access to not only the file system but also the registry. To perform a full scan using all modules, you must configure the vulnerability scan job with the user name and password of an administrator account.
Preparing for the vulnerability scan job Figure 1: Configuring the security model for local accounts authenticating remotely Select Local Computer Policy. Select Computer Configuration. Select Windows Settings. Select Security Settings. Select Local Policies. Select Security Options. Double-click Network access: Sharing and security model for local accounts. (Alternatively, right-click and select Properties.) Select Classic - local users authenticate as themselves.
Tools Select OK. Select OK. Select Close. After the vulnerability scan job completes, revert the NetBIOS settings configured in this procedure. Preparing Unix target hosts Vulnerability scan modules targeting Unix variant hosts, including Linux and Apple Mac OS X, require the ability to log in to the target host using the secure shell (SSH) protocol.
Modules and engine updates are provided by the RVS subscription service, through the Fortinet Distribution Network (FDN). For more information about RVS updates, see “FortiGuard Center” on page To view available vulnerability scan modules, go to Tools >...
Quick scans perform a port scan on certain standard TCP and UDP ports for services with known vulnerabilities. For a list of port numbers probed by a quick scan, see the Fortinet Knowledge Center article Remote Vulnerability Scan Quick Scan
Configuring vulnerability scan jobs Configuring a custom scan allows you to provide the user name and password of an administrator or root account for modules that require full access, and to specify the severity threshold of vulnerabilities for which you want to scan, giving you greater control over which modules will be used to probe the target host.
Tools To configure a vulnerability scan job Go to Tools > Vulnerability Scan > Job. Select Create New. Complete the following: Job Name Scan Targets Select the blue arrow to expand Scan Option. Complete the following: Remote Authentication User Name Password Quick Scan Custom Scan...
Configuring vulnerability scan jobs Enable UDP scan: Select to run a port scan on UDP ports. This option is available only after selecting Custom Scan. UDP Ports Range: Enter the UDP port numbers, or port ranges, the FortiAnalyzer unit will port scan. Separate each port number or range of numbers with a comma.
Tools Email server Email to Email list Select OK. Viewing vulnerability scan reports The Report tab in Tools > Vulnerability Scan displays a list of the finished vulnerability scan reports. Vulnerability scan reports reflect the results of the vulnerability scan job, and include both summaries and detailed module test results for each target host.
File Explorer File Explorer End Time The time the FortiAnalyzer unit completed the vulnerability scan job. Formats Select to view the vulnerability scan report in a file format other than HTML, if any. In addition to HTML, the generated vulnerability scan reports may also be available in PDF and MSWord (RTF) formats, depending on your output configuration.
Tools Figure 5: File Explorer Figure 6: File Explorer with Storage directory expanded
• Reverting to a previous firmware version Note: Fortinet recommends upgrading the FortiAnalyzer unit during a low traffic period, for example at night, to re-index log data. Generating reports before the log index is complete results in incorrect data in reports. The FortiAnalyzer unit will take time to complete the index if there is a lot of log data.
This may take a few minutes. Backing up your log files uses the same procedure as downloading log files. You can back up log files using either the web-based manager or CLI. Fortinet recommends backing up all log files before upgrading/downgrading, resetting to factory defaults or when testing a new firmware image.
Managing firmware versions Select OK. Select a location when prompted by your web browser to save the file. To back up log files using the CLI Enter the following to back up all log files: execute backup logs all {ftp | sftp | scp| tftp} <server_ipv4>...
Testing firmware before upgrading Testing firmware before upgrading You may want to test the firmware you want to install before upgrading to a new firmware version, maintenance or patch release. By testing the firmware image, you can familiarize yourself with the new features and changes to existing features, as well as understand how your configuration works with the firmware.
Managing firmware versions Type G to get the new firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: Type the internal IP address of the FortiAnalyzer unit.
FortiAnalyzer 3.0 does not support upgrading from earlier FortiLog firmware versions. When upgrading your FortiAnalyzer unit, Fortinet recommends upgrading to the EXT3 file system. This is done by using the execute formatlogdisk command in the CLI. The file system changes from Reiser to EXT3. The EXT3 file system provides better stability.
Managing firmware versions To upgrade to FortiAnalyzer 3.0 using the web-based manager Copy the firmware image file to your management computer. Log into the web-based manager as the administrative user. Go to System > Dashboard. In the System Information area, select Update. Enter the path and filename of the firmware image file, or select Browse and locate the file.
Upgrading your FortiAnalyzer unit Verifying the upgrade This operation will replace the current firmware version! Do you want to continue? (y/n) Type y. The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes. Reconnect to the CLI.
Restoring your configuration You can use the procedure, and higher using the web-based manager” on page 170 FortiAnalyzer 3.0 configuration. Fortinet recommends backing up your configuration file when upgrading, downgrading, reverting to factory defaults, or installing a patch release. Downgrading to FortiLog 1.6 When downgrading to FortiLog 1.6, no settings are carried forward.
Reverting to a previous firmware version Verifying the downgrade Downgrading to FortiLog 1.6 using the CLI After successfully downgrading to FortiLog 1.6, verify your connections and settings. If you are unable to connect to the web-based manager, make sure your administration access settings and internal network IP address are correct.
Managing firmware versions Reconnect to the CLI. Enter the following command to confirm the firmware image installed successfully: get system status. See “Restoring your configuration” on page 180 to restore your FortiLog 1.6 configuration settings.
Restoring your configuration Restoring configuration settings on a FortiAnalyzer unit Your configuration settings may not carry forward after downgrading to FortiLog 1.6. You can restore your configuration settings for FortiLog 1.6 with the configuration file(s) you saved before upgrading to FortiAnalyzer 3.0. During a firmware restoration, the TFTP server IP address must be on the same network as the FortiAnalyzer unit's IP address: the FortiAnalyzer unit uses a 255.255.255.0 net mask when connecting to a TFTP server for firmware.
Managing firmware versions When this message appears: Press any key to display configuration menu... immediately press a key to interrupt the system startup. If you successfully interrupt the startup process, the following message appears: [G]: Get firmware image from TFTP server. [F]: Format boot device.
Restoring your configuration Restoring your configuration settings using the web-based manager Restoring your configuration settings using the CLI The following restores your FortiLog 1.6 configuration settings using the web-based manager. To restore configuration settings using the web-based manager Log into the web-based manager. Go to System >...
Managing firmware versions Type y. The FortiAnalyzer unit uploads the backup configuration file. After the file uploads, a message, similar to the following, is displayed: Getting file confall from tftp server 192.168.1.168 Restoring files... All done. Rebooting... This may take a few minutes. Use the show shell command to verify your settings are restored, or log into the web-based manager.
Appendix: FortiAnalyzer reports in 3.0 MR7 Reports have changed dramatically in FortiAnalyzer 3.0 MR7, from how you configure them to the default naming scheme given when generated. Fortinet recommends reviewing the FortiAnalyzer Administration Guide for FortiAnalyzer 3.0 MR7 to help you understand and familiarize yourself with the changes.
Antivirus Activity The following table explains what Intrusion Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. Table 10: Intrusion Activity reports MR6 reports MR7 reports Attacks by Direction and Type...
Appendix: FortiAnalyzer reports in 3.0 MR7 Table 11: Antivirus Activity reports Top Infected Files by Date Top Infected Files by Month Top Infected Files by Day of Week Top Infected Files by Hour of Day Top Virus Sources by File Name Top Virus Destinations by File Name Top Infected Files for Most Common Sources Total AV Events by Type and Date Total AV Events by Type and Month...
FortiGate reports Table 11: Antivirus Activity reports (MR6 report -> MR7 report) Top Virus Destinations over IMAP by Date -> Top Virus Destinations over IMAP; Top Virus Destinations over IMAP by Month -> Top Virus Destinations over IMAP; Top Infected File Extensions over POP3 by Month -> Top Infected File Extensions over POP3; Top Virus Sources over POP3 by...
• Top Infected Files

Webfilter Activity

The following table explains what WebFilter Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 12: WebFilter Activity reports
MR6 reports
Web Hits by Status Blocked Web Hits by Date...
Top Web Sources to Overridden Web Sites (Hits) | Top Users for Web Overrides

The following table explains what Antispam Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 13: Antispam Activity reports
MR6 reports | MR7 reports...
• Top Spam Receivers by Blocking Criteria

IM Activity

The following table explains what IM reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 14: IM reports
MR6 reports
IM Activity by Action and Date...
Top Blocked Local IM Users for each Protocol | Top Blocked Local IM Users per IM Protocol

The following table contains the new VoIP reports that are available in FortiAnalyzer 3.0 MR7.

Table 15: VoIP reports
MR7 reports
VoIP Traffic by Date...
Top SIP Callers by Called Numbers
Top SCCP Callers by Called Numbers

Content Activity

The following table explains what Content Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.
Volume of Filtered Content by Number of Inspected Messages per Application Service and Month

The following table explains what Network Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 17: Network Activity reports
MR6 reports | MR7 reports...
Web Activity

The following table explains what Web Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. This table also includes the category that the reports were moved to, if applicable.

Table 18: Web Activity reports...
Top Web Clients (Browse Time) | • Top Web Users (Browse Time)

The following table explains what Mail Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 19: Mail Activity reports
MR6 reports | MR7 reports...
(Traffic)

Terminal Activity

The following table explains what Terminal Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 21: Terminal Activity reports
MR6 reports
Terminal Traffic by Service and Date Terminal Traffic Volume per Service...
Top VPN Tunnels (Traffic) Top VPN Tunnels (Traffic) Top VPN Tunnels

The following table explains what Event Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 23: Event Activity reports
MR6 reports | MR7 reports
Top Events...
The report, Top Event Categories by Status, was removed.

P2P Activity

The following table explains what P2P Activity reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 24: P2P Activity reports
MR6 reports
P2P Activity by Protocol...
Top Blocked WinNY Local Peers by Month | Top Blocked WinNY Local Peers

The following reports for Audit Activity are unchanged but were moved to a new category in FortiAnalyzer 3.0 MR7.
• System Administration Summary – is now in the Event Activity category
•...
Summary Reports

The following table explains what Summary reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7, including, where applicable, the category to which the re-named FortiAnalyzer 3.0 MR6 reports were moved.

Table 25: Summary reports...
Sites by Access Time | All Requested Web Sites by Time Period

The following table explains what Detailed Forensic reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 27: Detailed Forensic reports
MR6 reports | MR7 reports...
Summary

The following table explains what Summary Forensic reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7, including, where applicable, the category to which the re-named FortiAnalyzer 3.0 MR6 reports were moved.

Table 28: Detailed Forensic reports...

FortiMail Reports

Table 29: Mail High Level reports
Top Client IP by Hour of Day | Top Client IP
Top Client IP by Day of Week | Top Client IP
Top Client IP by Day of Month | Top Client IP
Top Client IP by Week of Year | Top Client IP...
Top Client MSISDN by Week of Year | Top Client MSISDN
Top Client MSISDN by Month |

Mail Sender

The following table explains what Mail Sender reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 30: Mail Sender reports
MR6 reports
Top Sender by Date...
Top Remote Recipient

The following table explains what Mail Destination IP reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7. All Mail Destination IP reports were moved to the Mail Activity category.
Top Mail Destination IP by Month

Spam Sender

The following table explains what Spam Sender reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 33: Spam Sender reports
MR6 reports
Top Spam Sender by Date...
Top Spam MSISDN by Week of Year | Top Spam MSISDN
Top Spam MSISDN by Month | Top Spam MSISDN

The following table explains what Spam Recipient reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 34: Spam Recipient reports
MR6 reports | MR7 reports...
Top Remote Spam Recipient by Month

Spam Destination IP

The following table explains what Spam Destination IP reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 35: Spam Destination IP reports
MR6 reports
Top Spam Destination IP by Date...

Table 36: Virus Sender reports
MR6 reports | MR7 reports
Top Virus Sender by Date | Top Virus Sender
Top Virus Sender by Hour of Day | Top Virus Sender
Top Virus Sender by Day of Week | Top Virus Sender
Top Virus Sender by Day of Month | Top Virus Sender...
Top Virus MSISDN by Week of Year
Top Virus MSISDN by Month

Virus Recipient

The following table explains what Virus Recipient reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 37: Virus Recipient reports
MR6 reports
Top Virus Recipient by Date...
Top Remote Virus Recipient by Month | Top Remote Virus Recipient

The following table explains what Virus Destination IP reports have changed and what they were changed to in FortiAnalyzer 3.0 MR7.

Table 38: Virus Destination IP reports
MR6 reports | MR7 reports...

Index
Fortinet MIB 138
Fortinet Technical Support 11, 138
content archive 107
upload to 105, 155
gateway 47
gid 54
Global Configuration 20
group
  device 83, 88
  share users 54
group ID (gid) 161
Group Policy Object Editor 159
gzip 96, 97, 104, 105, 147, 153, 155, 170...
mail server 135
Main Menu 20
managing firmware
  backing up configuration using the CLI 170
  backing up configuration using web-based manager 170
  backing up log files 170
  downgrading to FortiLog 1.6 177
  downgrading to FortiLog 1.6 using the CLI 178
  patch releases 169
  restoring configuration using CLI 180
  restoring configuration using the CLI 182...

SFTP 105, 155
SNMP 73
SOAP 46
SSH 46, 58, 160
telnet 46
TFTP 180
UDP 47, 85
VoIP 107
PSK 75
  See also IPSec VPN tunnel
quarantine 131
  duplicate count 132
  from device 73
  ticket number 131
quota. See disk space
RADIUS 49, 51
RAID 62, 64
  hot swap 64...
sniffer 141, 144
  See also network analyzer
SNMP 73
  manager 138
  MIB 138
  server, test 137
  traps 136
SOAP 46
span port 141
SSH 46, 160
  See also protocol
stop logging 82
string file 126
striping 63
  See also RAID
subject 165
subnet 47, 85, 102, 152
subscription service 71...

registered device’s hard limits 15
report configuration enhancements 16
voip reports 17
Windows AD. See LDAP
Windows shares 53, 54
XML. See WEBSERVICES...