Fortinet FortiLog-100 Administration Manual

Fortinet administration guide network device fortilog-100, fortilog-400, fortilog-800
Administration Guide
FortiLog
FortiLog-100, FortiLog-400, FortiLog-800
FortiLog Administration Guide
Version 1.6
January 15, 2004
05-16000-0082-20050115


Summary of Contents for Fortinet FortiLog-100

  • Page 1 Administration Guide FortiLog FortiLog-400 FortiLog-100 FortiLog-800 FortiLog Administration Guide Version 1.6 January 15, 2004 05-16000-0082-20050115...
  • Page 2 CAUTION: RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS. For technical support, please visit http://www.fortinet.com. Send information about errors or omissions in this document or any Fortinet technical documentation to techdoc@fortinet.com.
  • Page 3: Table Of Contents

    FortiManager documentation ... 12 FortiClient documentation ... 12 FortiMail documentation... 12 Fortinet Knowledge Center ... 12 Comments on Fortinet technical documentation... 12 Customer service and technical support... 13 Setting up the FortiLog unit... 15 Checking the package contents... 15 Hardware specifications... 16 Dimensions ...
  • Page 4 Adding and registering a device... 50 Editing device information... 50 Alert Email... 51 Server ... 51 Local ... 52 Device (Active mode)... 52 Creating a new device alert... 52 Alerts... 54 Network Sharing ... 55 Defining IP aliases ... 55
  • Page 5 Reports ... 57 Creating and generating a report ... 57 Configuring report parameters ... 58 Configuring a report query ... 59 Creating a query profile... 60 Selecting the devices for the report ... 60 Creating a device profile ... 61 Select filtering options...
  • Page 6 FTP Activity ... 114 Terminal Activity... 115 Mail Activity ... 115 Intrusion Activity ... 116 Antivirus Activity ... 116 Web Filter Activity ... 116 Mail Filter Activity ... 117 VPN Activity ... 118 Content Activity ... 118 Index ... 121
  • Page 7: Introduction

    FortiMail devices and generate reports based on log data. In Passive mode as a Network Attached Storage (NAS) server to act as an additional storage device. FortiLog-100, desktop model with one hard drive. FortiLog-400, desktop model with four hard drives. FortiLog-800, rackmount model with four hard drives.
  • Page 8: Operational Modes

    FortiLog unit as a means of backing up or storing important information or using the extra hard disk space as a file server or repository. Any computer using NFS or Windows sharing can mount the FortiLog hard drive to save and retrieve files.
  • Page 9: Passive Mode

    Figure 3: FortiLog Active mode network architecture. Passive Mode: Passive mode enables you to use the FortiLog unit solely as a Network Attached Storage (NAS) device. The collection of device log files and the log reporting features are not available in Passive mode. Figure 4: FortiLog unit in Passive mode. FortiLog units running in Passive mode provide secure storage space.
  • Page 10: About This Guide

    Explains how to install and set up the FortiLog unit. ... describes how to connect a FortiGate ... describes how to use the FortiLog unit as a file ... provides an extensive list of the more than 130 log ...
  • Page 11: Related Documentation

    Related documentation: Additional information about Fortinet products is available from the following related documentation. FortiGate documentation: Information about FortiGate products is available from the following guides. FortiGate QuickStart Guide: Provides basic information about connecting and installing a FortiGate unit.
  • Page 12: Fortimanager Documentation

    Visit the Fortinet Knowledge Center at http://kc.forticare.com. Comments on Fortinet technical documentation You can send information about errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com. FortiManager QuickStart Guide Explains how to install the FortiManager Console, set up the FortiManager Server, and configure basic settings.
  • Page 13: Customer Service And Technical Support

    Fortinet technical support web site at http://support.fortinet.com. You can also register FortiGate Antivirus Firewalls from http://support.fortinet.com and change your registration information at any time. Fortinet email support is available from the following addresses: amer_support@fortinet.com For customers in the United States, Canada, Mexico, Latin...
  • Page 14 Customer service and technical support
  • Page 15: Setting Up The Fortilog Unit

    This chapter includes: Checking the package contents; Hardware specifications; Planning the installation; Connecting the FortiLog unit; Configuring the FortiLog unit. FortiLog-100, desktop model with one hard drive. FortiLog-400, desktop model with four hard drives. FortiLog-800, rackmount model with four hard drives. Type, Speed...
  • Page 16: Hardware Specifications

    Power supplies. Serial connection: for tape drive connection (for future use). Dimensions: FortiLog-100: 38 x 17 x 31 cm; FortiLog-400: 54 x 33 x 44 cm; FortiLog-800: 78 x 65 x 25 cm. Weight: FortiLog-100: 2.5 kg; FortiLog-400: 11 kg; FortiLog-800: 14 kg...
  • Page 17: Power Requirements

    To manage the FortiLog unit, you can use a computer within the local network or over the Internet. FortiLog-100: AC input voltage: 100 to 240 VAC; AC input current: 1.0 A; ...
  • Page 18: Connecting The Fortilog Unit

    Turn on the power switch. Figure (diagram labels only): FortiGate units, FortiMail unit, FortiLog unit, Internal Network, Internet, Management PC, CONSOLE.
  • Page 19: Configuring The Fortilog Unit

    Configuring the FortiLog unit: Use the web-based manager or the Command Line Interface (CLI) to configure the FortiLog unit IP address, netmask, DNS server IP address, and default gateway IP address. Table 2: Factory defaults (Administrator account). Using the web-based manager...
  • Page 20: Using The Command Line Interface

    <IP_address> <netmask>. Confirm that the address is correct: get system interface. Serial console settings: Baud Rate (bps) 9600; Data bits 8; Parity None; Stop bits 1; Flow Control None.
  • Page 21: Using The Front Panel Buttons And Lcd

    Set the primary DNS server IP address: set system dns primary <IP_address>. Optionally set the secondary DNS server IP address: set system dns secondary <IP_address>. Set the default gateway: set system route number <route_no> dst 0.0.0.0 0.0.0.0 gw1 <gw_ip>...
  • Page 22 Configuring the FortiLog unit
  • Page 23: Connecting To The Fortilog Unit

    Connecting to the FortiLog Unit In order for FortiLog to receive log files, you need to configure the FortiGate, FortiMail or syslog devices to send log files to the FortiLog unit. You also need to configure the FortiLog unit to accept the log files from these devices. This chapter explains how to set up your devices to send log files to the FortiLog unit running in Active mode.
  • Page 24: Configuring Fortigate Devices Running Fortios 2.5

    Enter an encryption key. You must also specify the identical value on the FortiLog unit. For security reasons, the encryption key should be more than six characters in length and contain a mixture of alpha and numeric characters. See “Log policy”.
  • Page 25: Configuring Fortimail Devices

    Figure 8: FortiGate 2.5 Log settings. Select Log to Remote Host to send the logs to a syslog server. Enter the IP address of the FortiLog unit. Enter the port number of the FortiLog unit. Select the severity level for which you want to record log messages.
  • Page 26: Configuring The Fortilog Unit

    Displays a list of unregistered devices available to the FortiLog unit. This does not indicate that a FortiGate device is not registered with Fortinet. A tab is available for each device supported by the FortiLog unit.
  • Page 27: Defining Device Port Interfaces

    Enter a device name. For a FortiGate device, this is the same entry as the Local ID set in the Log&Config settings for FortiLog. For example, FGT-500A. Select a group to add the device to if desired. For details on creating a group see “Creating Device Groups”...
  • Page 28: Creating Device Groups

    Edit to add or remove devices when required. In the selected devices tab, select the device and select Assign Selected. Table: Traffic Direction (interface types Unclassified, External, Internal; directions Unclassified, Incoming, Outgoing).
  • Page 29: Managing The Fortilog Unit

    Managing the FortiLog unit Using the FortiLog system settings, you can view the operating status of the FortiLog unit and configure the FortiLog unit for your network. You can also use system settings to configure RAID (Redundant Arrays of Inexpensive Disks) settings for the FortiLog unit (for the FortiLog-400 and FortiLog-800), set email alerts and set system time.
  • Page 30 List the generated log reports, log reports being generated, and the scheduled time to generate the next log report.
  • Page 31: Changing The Fortilog Host Name

    Status page items: CPU Usage, Memory Usage, Hard Disk Usage, Active Sessions History, System Command (restart or shut down the FortiLog unit). Changing the FortiLog host name: The FortiLog host name appears on the Status page and in the FortiLog CLI prompt. To change the FortiLog unit host name, go to System >...
  • Page 32: Viewing System Resources Information

    Note: If you revert to a previous firmware version, because the configuration is reset, you will need to reconfigure the IP address from the front panel of the FortiLog-100 and FortiLog-400, and the console for the FortiLog-800. To change the firmware using the web-based manager Copy the firmware image file to your management computer.
  • Page 33: Installing Firmware From A System Reboot

    To change the firmware using the CLI: Use the following procedure to upgrade the FortiLog unit to a newer firmware version or revert to a previous firmware version. To use the following procedure you must have a TFTP server that the FortiLog unit can connect to.
  • Page 34 [F]: Format boot device. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. Enter G,F,B,Q,or H:
  • Page 35: Testing A New Firmware Image

    Note: The local IP address is used only to download the firmware image. After the firmware is installed, the address of this interface is changed back to the default IP address for this interface. The following message appears: Enter File Name [image.out]: Enter the firmware image filename and press Enter.
  • Page 36: Installing A Backup Firmware Image

    [F]: Format boot device. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. Enter G,F,Q,or H: Save as Default firmware/Run image without saving:[D/R]
  • Page 37 To install a backup firmware image: For all three FortiLog models, use terminal emulation software to access the unit’s CLI. For the FortiLog-800 unit, you can also access the unit’s CLI by connecting the null-modem cable provided to the unit’s console port. Make sure that the TFTP server is running.
  • Page 38: Switching To A Backup Firmware Image

    [F]: Format boot device. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options.
  • Page 39: Backing Up System Settings

    The system settings file is backed up to the management computer. Select Return to go back to the Status page. Downloading the FortiLog debug log: Download a debug log to send debug information to Fortinet Tech Support to help diagnose a problem with the FortiLog unit. Get firmware image from TFTP server.
  • Page 40: Restoring System Settings

    CLI. The cause may be a corrupted firmware image. To use the following procedure you must have a TFTP server that the FortiLog unit can connect to. The TFTP server IP address must be set to 192.168.1.168
  • Page 41: Raid

    To upload the firmware image to the FortiLog unit: Make sure the TFTP server is running. Copy the firmware image file to the root directory of the TFTP server. Ensure the file name is image.out. Start the FortiLog unit. As the FortiLog unit starts, the following message appears: Immediately press any key to begin the automatic download.
  • Page 42: Config

    Drives used for data storage that are not trusted are displayed in red. Drives never used for data storage are displayed in yellow. Config: Network, RAID, Log settings, Time, Options, Admin. See “RAID”.
  • Page 43: Raid

    Network settings: IP Address; Netmask; Primary DNS Server: Enter the primary DNS server IP address. Several FortiLog functions... Second DNS Server: Enter the secondary DNS server IP address. Default Gateway. RAID: To configure the FortiLog RAID level and check the RAID disk space, go to System > Config >...
  • Page 44: Log Settings

    The IP address of the remote syslog server. The port that the remote syslog server uses to receive log messages. The default port is 514. “Log policy” on page 45 lists the log...
  • Page 45: Log Policy

    Log settings: Level; Config Policy; CSV format. Log policy levels: 0 - Emergency, 1 - Alert, 2 - Critical, 3 - Error, 4 - Warning, 5 - Notice, 6 - Information. Select Config Policy to configure the FortiLog unit to send event log messages to a local or remote syslog server.
  • Page 46: Time

    The recommended idle timeout is 5 minutes. The maximum idle timeout is 480 minutes (8 hours). Select a language for the web-based manager to use. You can choose English, Simplified Chinese, Japanese, Korean, or Traditional Chinese. See “Devices (Active mode)”.
  • Page 47: Configure Administrator Access

    Figure 19: Admin page (Create New; columns: Name, Trusted host, Netmask, Permission, Modify; Administrative Access options: HTTPS, PING, HTTP, SNMP, TELNET). Configure Administrator access: Configure administrative access to allow remote administration of the FortiLog unit. However, allowing remote administration could compromise the security of your FortiLog unit.
  • Page 48: Administrator Account Levels

    - and _. Other special characters and spaces are not allowed. The password for the administrator account. For improved security, the password should be at least 6 characters long. The password can contain any characters except spaces.
  • Page 49: Changing The Administrator Password

    To add an administrator account: Go to System > Config > Admin. Select New. Enter a login name for the administrator account. Enter and confirm a password for the administrator account. Optionally type a Trusted Host IP address and netmask for the location from which the administrator can log into the web-based manager.
  • Page 50: Device List

    Editing device information: After adding a FortiGate, FortiMail or Syslog device to the FortiLog unit, you can modify the device information as required. Figure 22: Editing a device. See “Configuring the FortiLog unit”.
  • Page 51: Alert Email

    To edit a device: Go to System > Devices. For the device you want to edit, select Edit. Modify the device information and select an Interface Type for each interface, as required. Select OK. Alert Email: Use Alert Email to configure the FortiLog unit to monitor logs for specific alert messages, and to send an email to inform an Administrator of the problem encountered.
  • Page 52: Local

    Select the wait time for the number of events to occur within before sending an alert email for the specified level log messages. Use this setting in conjunction with the setting above.
  • Page 53 Figure 25: Device alert settings. Alert Name. Devices to Monitor: Select the device logs the FortiLog unit monitors. Expand the device... Level / Level wait interval: Set the number of events and the time frame. The FortiLog unit will send... Attack Type: Attack Type Entry and listing...
  • Page 54: Alerts

    IP. A single source virus attack can indicate a targeted attack on the network. messages. For multiple addresses, separate each address with either a semi-colon, comma or a space.
  • Page 55: Network Sharing

    Figure 26: Device alert messages (fields: Alert Inclusion, Keep unacknowledged alerts for, Acknowledge check box, Device, Event, Severity, Time). Network Sharing: Use Network Sharing to configure the FortiLog unit to use file sharing (Windows workgroups or NFS) to view and share log reports and other files. You can define the users, groups and file access privileges.
  • Page 56 Enter a name of the host, network or IP address range in the Alias text box. Enter the IP address of the host, network or the IP range. For example:
    • 10.1.1.1
    • 10.1.1.1/24
    • 10.1.1.0/24
    • 10.1.0.0/16-10.9.0.0/16
    Select OK.
  • Page 57: Reports

    The FortiLog unit collates information collected from device log files and presents the information in tables and graphs. There are over 130 different reports, in 11 categories. The reports provide detailed information on the type of traffic, attacks and preventative actions that occurred during a specific period on your network.
  • Page 58: Configuring Report Parameters

    Last N days. When you select this setting, a text box appears. Enter the numeric value for N. Select the year, month, day and hour for the start of the reporting period. Select the year, month, day and hour for the ending of the reporting period.
  • Page 59: Configuring A Report Query

    Report parameters: Per Virtual Domain; For all devices: Select to generate the report for all devices; Per device; Resolve Host Names; Resolve Service Names; In 'Ranked Reports' show. Select Apply. Configuring a report query: Select the specific information you need to generate a more concise report. Each report category includes a refined list of sub-categories that report specific information.
  • Page 60: Creating A Query Profile

    Go to Reports > Config. Select a report from the list. Select Devices. Select These to select specific devices or groups of devices. Select the Plus sign to expand the list of devices for a specific group.
  • Page 61: Creating A Device Profile

    Select the group or individual devices to use in the report. Select Apply. Creating a device profile: You can save the selections as a device profile. After creating a device profile, you can select the profile for use in other reports. To create a device profile: Select New.
  • Page 62: Creating A Filter Profile

    Go to Reports > Config. Select a report from the list. Select Any to find any matches for the criteria specified. Select All to find all criteria. All criteria must match to display in the results. See “Log policy”.
  • Page 63: Creating A Report Schedule Profile

    Select Schedule. Select a day from the following: Not Scheduled: Select to not run a daily report. Use this setting when you only want to run... Daily; These Days; These Dates. Select a specified time of the day to run the report, up to three times per day. Select Apply.
  • Page 64: Creating A Report Destination And Format Profile

    Select the file formats for the generated reports that the FortiLog unit sends as an email attachment. Enter the email addresses of the recipients of the report. Add multiple recipients by pressing Enter after each email address. See “Viewing reports”.
  • Page 65: Viewing Reports

    Viewing reports: Use the FortiLog web-based manager to view a list of the generated reports. The generated reports are available in HTML, PDF, RTF and ASCII text formats, depending on the output configuration. For details on setting output options see “Choosing the report destination and format”...
  • Page 66: Roll Up Report

    Individual reports have the same look and functionality as the roll up reports when viewing the HTML file format. When you view the report in one of the alternate formats, only the right frame with the report information is included. Figure labels: Report title; Report information compiled from device logs.
  • Page 67: Vulnerability Reports

    Figure 36: VPN activity report in PDF. Vulnerability reports: Vulnerability reports show any potential weaknesses to attacks that may exist for selected devices by displaying the available ports on a FortiGate device. Rather than using the device logs for this report, the FortiLog unit queries for open ports and, where possible, gathers information about the services running.
  • Page 68: Selecting Report Result Parameters

    Select to display host names by name rather than IP addresses. For details on configuring IP address host names see “Defining IP aliases”. Select to display network service names rather than port numbers. For example, HTTP rather than port 80.
  • Page 69: Creating A Plug-In Profile

    Figure 38: Vulnerability plugin options. To select the plug-ins: Go to Reports > Config > Vulnerabilities. Select a report from the list. Select Plug-ins. Select the plug-ins to include in the report. Select Apply. Creating a plug-in profile: You can save the selections as a plug-in profile. After creating a plug-in profile, you can select the profile for use in other vulnerability reports.
  • Page 70: Creating A Scan Target Profile

    To create a scan target profile: Select New. Enter a name for the profile and select OK. Select the devices to include in the profile.
  • Page 71: Choosing The Report Destination And Format

    Select Apply. Choosing the report destination and format: Select the destination and format for the vulnerability report. Configure the FortiLog unit to save the reports to the FortiLog hard disk, email the report to any number of recipients, or both. The default is to save the report to the FortiLog hard disk in HTML format.
  • Page 72: Viewing The Vulnerability Report

    ASCII text. Select the checkbox to select all reports in the list to quickly delete all reports from the list. Select the check box of each report you want to delete, then select Delete to delete the selected reports.
  • Page 73: Using Logs

    The FortiLog unit collects log files from various sources and stores them on its hard disk. With the log viewer you can view log files collected from FortiGate, FortiManager, FortiMail and syslog devices... This chapter includes: ...
  • Page 74: The Log View Interface

    See “Viewing logs”. Select Watch to view the log file updates in real time. For details on watching log files see “Log watch (Active mode)”. Provides quick access to a specific device’s logs.
  • Page 75: Finding Log Information

    Figure 43: Viewing a device log. To view the device log files: Go to File Browse > Logs. Select a device tab. Expand the group name and device name to see the list of available logs. In the Action column, select Display for the desired log file. Do one of the following to change the views of the log information...
  • Page 76 Lines per page: Enter the number of entries of the log you want to see on each page. Select the columns of information you want to view in the log. Enter the words you want to find in the log.
  • Page 77: Importing Log Files

    Match: Up and Down arrows. Select each row in the Filter column. Each row of information provides criteria for the search: Device time, Log time, Level, Service, Source, Destination, Sent, Received. The row criteria available reflect the content within the selected log file. Select Enable for each row you want the search criteria to use.
  • Page 78: Log Search

    Select the columns of information you want to view in the log. Select a row and select the up and down arrows to reposition the column within the display.
  • Page 79: Event Correlation (Active Mode)

    Select Apply. Event correlation (Active mode): Event correlation is a data mining feature that provides a way of reviewing attacks on multiple devices in one location. The FortiLog unit collates attack events from all submitted logs and displays the information in a table. With Event Correlation you can view: •...
  • Page 80 The IP address of the device subjected to the attack. The attack message logged for the device. The message also includes a link to the FortiProtect web site for further details on the type of attack.
  • Page 81: Using The Fortilog Unit As A Nas

    Using the FortiLog unit as a NAS Users can save, store and access information on the FortiLog hard disk as an alternate means of storing important files and work. To provide users with access to the FortiLog file system you must: •...
  • Page 82: Providing Access To The Fortilog Hard Disk

    Use this field only if you are using the NFS protocol. The NFS protocol uses the UID to determine the permissions on files and folders. Enter a password for the user. You can include spaces in this field.
  • Page 83: Adding And Modifying Group Accounts

    Adding and modifying group accounts: Create user groups to assign directory access to many users at once rather than individually. To add a user group: Go to Network Sharing > Groups. Select Create New. Enter the following information for the group account: Group: Select the users from the Available members area and select the Right arrow to add...
  • Page 84 Read-Only Access or Read-Write Access boxes. Select OK. To add a new NFS share configuration: Go to Network Shares > Access > NFS Exports. Select Create New.
  • Page 85: Modifying The User Or Group Folder Access

    Figure 50: NFS share configuration. Select the Local Path button to select the folder for the users or groups to access. Note: The default permissions for files and folders are read and execute privileges. The owner of the document also has write privileges.
  • Page 86: Setting Folder And File Properties

    All other users that are not the owner of the file or within a group. Example selections: select the user name or Admin and select Read, Write, Execute; select Finance from the list and select Read; No selections.
  • Page 87: Fortilog Cli Reference

    This chapter explains how to connect to and use the FortiLog command line interface (CLI). You can use CLI commands to view all system information and to change all system configuration settings. CLI documentation conventions: This guide uses the following conventions to describe CLI command syntax.
  • Page 88: Connecting To The Cli

    The FortiLog-800 model has a serial port and you can use the null modem cable to connect it to your management computer. The FortiLog-100 and 400 models do not support serial cable connections. You can use terminal emulation software such as HyperTerminal for Windows •...
  • Page 89: Setting Administrative Access For Ssh Or Telnet

    Type the password for this administrator and press Enter. The following prompt appears: Welcome! You have connected to the FortiLog CLI, and you can enter CLI commands. Setting administrative access for SSH or Telnet: To configure the FortiLog unit to accept SSH or Telnet connections, you must set administrative access to SSH or Telnet for the FortiLog interface to which your management computer connects.
  • Page 90: Connecting To The Fortilog Cli Using Ssh

    Connect to the FortiLog port1 interface that is configured for Telnet connections. Type a valid administrator name and press Enter. Type the password for this administrator and press Enter. You have connected to the FortiLog CLI, and you can enter CLI commands. get system interface
  • Page 91: Cli Commands

    CLI commands: The FortiLog CLI commands include: ... execute branch: Use execute to run static commands, to reset the FortiLog unit to factory defaults, to back up or restore FortiLog configuration files, and to reboot or shut down the FortiLog system.
  • Page 92: Get Branch

    Command architecture (fragment): {syslog | local | console} <return>; event <return>; table <return>; time <return>; ntp <return>. Description: Display alert email configuration. Display alert email setting status. Display system configuration. Display console information, including page number, mode and baudrate.
  • Page 93 get report resolve
    get report aliases
    get log client
    get log elog
    get log logsetting
    get log query
    get log report
    get log report name <string>
    get log report querysets
    get log report devicesets
    get log report filters
    get log report schedules
    get log report outputs
    get log raid...
  • Page 94: Set Branch

    {1 | 5 | 10 | 20 | 50 | 100 | 500 | 1000} <return>; attacktime {0.5 | 1.0 | 3.0 | 6.0 | 12.0 | 24.0 | 72.0 | 168.0} <return>; attackdevice {all | per} <return>; attacksingle {y | n} <return>
  • Page 95 Table 6: set alertemail command architecture. alertemail device {enable | disable}. Commands: set alertemail configuration auth {enable | disable}, set alertemail configuration mailto <string> <string> <string>, set alertemail configuration mailto none, set alertemail configuration passwd <string>, set alertemail configuration server <server_address>...
  • Page 96 Set the FortiLog unit to send an alert email only when the defined virus events originate from a single source IP. Set the email addresses of the recipients to receive the alert warning messages.
  • Page 97: Set Console

    set console. Use set console to set console configuration. Table 7: set console command architecture: baudrate {9600 | 19200 | 38400 | 57600 | 115200} <return>, console mode, page <integer/0> <return>. Commands: set console baudrate {9600 | 19200 | 38400 | 57600 | 115200}, set console mode {batch | line}, set console page <integer/0>...
  • Page 98: Set Log

    <return> <return> csv {enable | disable} <return> port <port_integer> <return> loglevel <severity_integer> {enable | disable} <return> loglevel <severity_integer> {enable | disable} <return> category {configuration | ipsec | login | ipmac | system | routegate | none} spacefull {overwrite_oldest | stop_logging}
  • Page 99 Table 8: set log command architecture: devtype report <string>, period, results, name <report name> <return>, resolve, queryset <string>, deviceset <string>, filters <return> <string>, queryset <name of queryset> <qry_indexes> <return>, deviceset <string> <return> {all | 0,4,5}, filters <return> <string> <return>, schedule <string> <return>...
  • Page 100 • <server_ip> is the IP address of the remote server. Configure the port that the remote syslog server uses to receive log messages. • <port_integer> is the port number of the server. The default port is 514.
  • Page 101 set log setting syslog remote server <server_ip> port <port_integer> loglevel <severity_level>; set log setting syslog remote server <server_ip> port <port_integer> loglevel <severity_level> csv {enable | disable}; set log policy destination <syslog | local | console>; set log policy destination <syslog | local | console> event status <enable | disable>...
  • Page 102 Select the type of output the FortiLog unit generates for the reports and whether to save to a file on the FortiLog hard disk or send the results via email to set recipients. Store the settings as a profile for later use in other reports.
  • Page 103: Set Nas

    set NAS. Use set NAS to configure the FortiLog NAS server settings when using the FortiLog unit in Passive mode. Table 9: set NAS command architecture: protocol, user <user name>, group <group name> <return>, share <share name>. Commands: set nas protocol {nfs | share}, set nas protocol share workgroup...
  • Page 104: Set Report

    <enable | disable> primary {xxx.xxx.xxx.xxx | none} <return> secondary {xxx.xxx.xxx.xxx | none} <return> config allowaccess <xxx.xxx.xxx.xxx> or <0.0.0.0> for any netmask <return> ping <return> https <return> ssh <return> snmp <return> http <return> telnet <return>
  • Page 105 Table 11: set system command architecture: interface <intf_str>, set system session_ttl, mainregpage, denyaccess, wins <xxx.xxx.xxx.xxx> <return>, macaddr {xxx.xxx.xxx.xxx | factorydefault} <return>, log {enable | disable} <return>, mtu <mtu_integer> <return>, speed <speed_str> <return>, status {down | up} <return>...
  • Page 106 <xxx.xxx.xxx.xxx> (netmask of secondary ip) <return> ping <return> https <return> ssh <return> snmp <return> http <return> telnet <return> ping <return> https <return> ssh <return> snmp <return> http <return> telnet <return> ip <xxx.xxx.xxx.xxx> (interface ip) <xxx.xxx.xxx.xxx> (ip netmask) <return>
  • Page 107 Table 11: set system command architecture: opmode, option, alert_table, route <number>, set system time, active <return>, passive <return>, admintimeout <timeout_integer> <return>, authtimeout <timeout_integer> <return>, language <language_str> <return>, refresh {interval | none} <return>, alert_severity <severity_integer>, alert_period <period_integer>...
  • Page 108 • <xxx.xxx.xxx.xxx> is the secondary IP address of the interface. Select management access to the port1 interface with a secondary IP. Select the management access with a secondary IP that you want to deny to the port1 interface.
  • Page 109 set system interface config stp_passthrough; set system interface <intf_str> config mode static; set system mainregpage hide; set system session_ttl port <port_num> timeout <timeout_int>; set system session_ttl port <port_num> default <default_val>; set system mainregpage show; set system opmode active; set system opmode passive; set system option admintimeout <timeout_integer>...
  • Page 110: Unset Branch

    Enter the system hostname that you want to remove. Remove the system time-to-live session timeout. Remove a client added to the FortiLog unit. • <string> is the name of the client. Remove alert email configuration. Remove the NAS configuration settings.
  • Page 111 unset nas user <user name>; unset nas group <group name>; unset nas share <share name>; unset nas nfs path <local path>; unset report resolve; unset report alias <alias>. Remove a user name. Remove a group name. Remove a Windows-shared folder setting.
  • Page 113: Appendix A: Log Report Types

    Appendix A: Log Report Types. Your FortiLog unit can generate over 130 different types of log reports. Listed here are the log reports and a short description. Network Activity: Network activity log reports record total network traffic activities by a specific time and direction as well as top traffic activities.
  • Page 114: FTP Activity

    Most popular FTP sites by traffic in kilobytes. FTP source IP connections by FTP events. FTP source IP connections by volume in kilobytes. Top source IP by destination IP by volume in kilobytes.
  • Page 115: Terminal Activity

    Terminal Activity. Terminal activity reports record total Terminal/CLI access activities. Report: Terminal Traffic By Date And Service (Terminal activity by service for a specific day or range of); Terminal Traffic By Day Of Week And Service; Terminal Traffic By Hour Of Day And Service...
  • Page 116: Intrusion Activity

    Daily antivirus events and number of events for a specified week. Hourly antivirus events by antivirus event and number of antivirus events for a specified period. Antivirus events by Fortinet device and number of antivirus events. Antivirus events by Internet service and number of antivirus events.
  • Page 117: Mail Filter Activity

    Daily mail filter events by top email for the specified week. Hourly mail events by top email addresses for a specified period. Mail filter events by Fortinet device and top email addresses. Mail filter events by Fortinet device and top recipient email address.
  • Page 118: VPN Activity

    And Direction (traffic) VPN Activity By Top Devices (tunnels) VPN activity by Fortinet device by VPN events. VPN Activity By Top Devices (traffic) VPN activity by Fortinet device by traffic in megabytes. VPN Activity By Top Devices And Top Peers (tunnels)
  • Page 119 Content Traffic By Hour Of Day And Service; Content Traffic By Hour Of Day And Status; Content Traffic By Hour Of Day And Top Viruses; Content Traffic By Status And Service (Content traffic by status and Internet service in kilobytes); Content Traffic By Service And Status (Content traffic by Internet service and status in kilobytes).
  • Page 121: Index

    Index access to files 82 account levels 48 active and passive mode 8 administrator account 48 read & write access 48 read only access 48 settings 46 administrator account netmask 108 trusted host 49 Adobe Acrobat files 65 alerts 30, 54 attack correlation 79 backup installing firmware image 36...
  • Page 122 TFTP server 40, traffic direction 27, trusted host 49, administrator account 49, user accounts 82, user groups 83, Using the CLI 87, viewing logs 74, reports 65, system resources 32, virtual domain 59, vulnerability reports 67, watching logs 78
  • Page 123 web-based manager: connecting 19, idle timeout 46, introduction 19, language 46, 109; windows shares 81...

This manual is also suitable for: FortiLog-400, FortiLog-800
