
FortiAnalyzer v4.0 MR3
Administration Guide
February 29, 2012
05-432-164257-20120229
Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and
FortiGuard, are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance metrics contained herein were
attained in internal lab tests under ideal conditions, and performance may vary. Network
variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet
disclaims all warranties, whether express or implied, except to the extent Fortinet enters
a binding written contract, signed by Fortinet's General Counsel, with a purchaser that
expressly warrants that the identified product will perform according to the performance
metrics herein. For absolute clarity, any such warranty will be limited to performance in
the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any
guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be
applicable.
Visit these links for more information and documentation for your Fortinet product:
Technical Documentation: http://docs.fortinet.com
Knowledge Base: http://kb.fortinet.com
Customer Service & Support: https://support.fortinet.com
Training Services Online Campus: http://training.fortinet.com
FortiAnalyzer v4.0 MR3 Patch Release 2 Administration Guide
05-432-164257-20120229 1
http://docs.fortinet.com/ Feedback
Table of Contents
Introduction.............................................................................................. 8
Scope................................................................................................................ 9
Conventions...................................................................................................... 9
IP addresses ............................................................................................... 9
Cautions, notes, & tips.............................................................................. 10
Typographical conventions....................................................................... 10
Command syntax conventions ................................................................. 11
Entering FortiAnalyzer configuration data ...................................................... 12
Resources............................................................................................... 14
Registering your Fortinet product................................................................... 14
Technical Forums ........................................................................................... 14
Customer Service & Support .......................................................................... 14
Training Services Online Campus................................................................... 15
Technical Documentation............................................................................... 15
Comments on Technical Documentation ....................................................... 15
Tools and Documentation CD ........................................................................ 15
Knowledge Base............................................................................................. 15
What's New in v4.0 MR3........................................................................ 16
Report enhancements .................................................................................... 16
Web-based Manager changes ....................................................................... 17
Structured Query Language (SQL) database ................................................. 17
FortiWeb support............................................................................................ 18
FortiAnalyzer Virtual Machine (VM) support.................................................... 18
Logging enhancements .................................................................................. 18
Additional enhancements ............................................................................... 19
Key Concepts & Workflow.................................................................... 21
Administrative domains (ADOMs) ................................................................... 21
Operation mode.............................................................................................. 21
Log storage..................................................................................................... 22
Workflow......................................................................................................... 22
Setting up the unit ................................................................................. 23
Connecting to the Web-based Manager or CLI ............................................. 23
Connect to the Web-based Manager ....................................................... 24
Connect to the CLI.................................................................................... 25
Updating the firmware .................................................................................... 27
The operation mode ....................................................................................... 28
Standalone mode...................................................................................... 28
Analyzer and collector mode .................................................................... 28
Changing the admin administrator password ............................................. 31
Configuring the system time and date............................................................ 32
Configuring basic network settings ................................................................ 32
Configuring global settings............................................................................. 32
Configuring administrative domains (ADOMs)................................................ 33
Connecting to FortiGuard services................................................................. 33
Configuring scheduled updates................................................................ 35
Manually requesting updates.................................................................... 36
Collecting device logs..................................................................................... 37
Configuring FortiAnalyzer connection attempt handling .......................... 37
Configuring disk quota and device privileges for a FortiGate unit ........... 37
Configuring a FortiGate unit to send logs to the FortiAnalyzer unit.......... 38
Further reading ......................................................................................... 40
Testing the setup............................................................................................ 40
Troubleshooting tools ............................................................................... 41
Backing up the configuration.......................................................................... 47
Administrative Domains (ADOMs)........................................................ 48
Configuring ADOMs........................................................................................ 49
Accessing ADOMs as the admin administrator ............................................. 53
Assigning administrators to an ADOM........................................................... 54
System.................................................................................................... 56
Viewing the dashboard................................................................................... 56
Customizing the Dashboard ..................................................................... 57
System Information widget ....................................................................... 59
License Information widget....................................................................... 63
Unit Operation widget............................................................................... 64
System Resources widget ........................................................................ 65
Logs/Data Received widget...................................................................... 67
Statistics widget ....................................................................................... 68
Report Engine widget ............................................................................... 71
Disk Monitor widget .................................................................................. 71
Log Receive Monitor widget ..................................................................... 74
Alert Message Console widget ................................................................. 75
CLI Console widget .................................................................................. 76
Top Traffic widget ..................................................................................... 78
Top Web Traffic widget............................................................................. 79
Top Email Traffic widget ........................................................................... 81
Top FTP Traffic widget ............................................................................. 82
Top IM/P2P Traffic widget ........................................................................ 83
Virus Activity widget.................................................................................. 85
Intrusion Activity widget............................................................................ 86
Configuring network settings.......................................................................... 87
Configuring the network interfaces........................................................... 87
Configuring DNS....................................................................................... 93
Configuring static routes........................................................................... 94
Configuring network shares............................................................................ 95
Configuring share users............................................................................ 95
Configuring Windows shares.................................................................... 97
Configuring NFS shares............................................................................ 99
Configuring administrator-related settings................................................... 101
Configuring administrator accounts ....................................................... 101
Configuring the Web-based Manager's global settings ............................... 109
Monitoring administrators............................................................................. 111
Configuring log storage & query features..................................................... 111
Configuring SQL database storage ........................................................ 111
Configuring alerts.................................................................................... 114
Configuring an email server for alerts & reports ..................................... 116
Configuring the SNMP agent .................................................................. 118
Configuring syslog servers ..................................................................... 122
Configuring log aggregation ................................................................... 123
Configuring log forwarding ..................................................................... 126
Configuring IP aliases ............................................................................. 127
Configuring RAID.................................................................................... 129
Configuring LDAP queries for reports..................................................... 134
Backing up the configuration & installing firmware ...................................... 137
Scheduling & uploading vulnerability management updates........................ 138
Migrating data from one FortiAnalyzer unit to another ................................. 141
Importing a local server certificate ............................................................... 145
Devices ................................................................................................. 146
Configuring connections with devices & their disk space quota.................. 146
Unregistered vs. registered devices ....................................................... 149
Maximum number of devices ................................................................. 150
Configuring IPSec secure connections .................................................. 151
Manually configuring a device or HA cluster .......................................... 152
Manually adding a FortiGate unit using the Fortinet Discovery Protocol 156
Configuring unregistered device options................................................ 157
Blocking unregistered device connection attempts ............................... 158
Configuring device groups ........................................................................... 160
Classifying FortiGate network interfaces...................................................... 161
Log & Archive....................................................................................... 163
Viewing log messages .................................................................................. 163
Viewing Log Details ................................................................................ 167
Customizing the log view........................................................................ 167
Searching the logs .................................................................................. 170
Viewing DLP archives ............................................................................. 173
Viewing quarantined files........................................................................ 176
Browsing log files ......................................................................................... 178
Importing a log file .................................................................................. 180
Downloading a log file ............................................................................ 180
Backing up logs and archived files............................................................... 182
Configuring rolling and uploading of device logs ........................................ 182
Using eDiscovery.......................................................................................... 184
Reports ................................................................................................. 189
SQL based reports ....................................................................................... 189
Enable/disable SQL database ................................................................ 190
Enable/disable remote SQL database.................................................... 192
Left & right click menu tree..................................................................... 193
Default device reports............................................................................. 193
Email/upload remote output ................................................................... 199
Predefined Reports................................................................................. 201
Custom Report Filters............................................................................. 202
Custom Reports...................................................................................... 204
Advanced report settings........................................................................ 205
View report layout ................................................................................... 218
Indexer based reports................................................................................... 219
Viewing Scheduled Reports.................................................................... 219
Configuring report schedules ................................................................. 220
Configuring reports................................................................................. 224
Configuring data filter templates ............................................................ 232
Configuring report language................................................................... 236
Network Vulnerability Scan................................................................. 242
Platform Support .......................................................................................... 243
How to use Network Vulnerability Scan ....................................................... 243
Configuring host assets................................................................................ 243
Discovering network host assets.................................................................. 245
Preparing for authenticated scanning .......................................................... 246
Microsoft Windows hosts domain scanning........................................... 246
Microsoft Windows hosts local (non-domain) scanning......................... 247
Unix hosts............................................................................................... 248
Configuring vulnerability scans..................................................................... 248
Viewing scan results ..................................................................................... 252
Tools ..................................................................................................... 254
Network Analyzer.......................................................................................... 254
Connecting the FortiAnalyzer unit to analyze network traffic ................. 254
Viewing Network Analyzer log messages ............................................... 256
Browsing Network Analyzer log files ...................................................... 259
Customizing the Network Analyzer log view .......................................... 261
Searching the Network Analyzer logs..................................................... 265
Rolling and uploading Network Analyzer logs ........................................ 267
File Explorer .................................................................................................. 269
Maintaining Firmware.......................................................................... 271
Firmware upgrade path and general firmware upgrade steps ..................... 271
Backing up your configuration...................................................................... 272
Backing up your configuration through the Web-based Manager ......... 272
Backing up your configuration through the CLI...................................... 273
Backing up your log files ........................................................................ 273
Testing firmware before upgrading/downgrading ........................................ 273
Installing firmware from the BIOS menu in the CLI ..................................... 275
Upgrading your FortiAnalyzer unit ................................................................ 275
Upgrading/downgrading through the Web-based Manager .................. 276
Upgrading/downgrading through the CLI............................................... 277
Verifying the upgrade.............................................................................. 278
Troubleshooting................................................................................... 279
Troubleshooting Process.............................................................................. 279
Establish a baseline ................................................................................ 279
Define the problem................................................................................. 280
Gathering facts ....................................................................................... 280
Search for a solution............................................................................... 281
Create a troubleshooting plan ................................................................ 281
Providing supporting elements............................................................... 281
Gather system information ..................................................................... 281
Check port assignments......................................................................... 283
Troubleshoot connectivity issues ........................................................... 283
Run ping and traceroute............................................................................... 284
Check connections with ping ................................................................. 284
Check routes with traceroute ................................................................. 286
What traceroute can tell you................................................................... 286
How to use traceroute ............................................................................ 286
What can sniffing packets tell you................................................................ 287
Obtain any required additional equipment ............................................. 288
Ensure you have administrator access to required equipment .............. 288
Contact Customer Service & Support .......................................................... 288
Troubleshooting FortiAnalyzer issues........................................................... 289
File system issue..................................................................................... 290
Report issue............................................................................................ 290
Binary files issue ..................................................................................... 290
CPU usage issue .................................................................................... 291
HA log issue............................................................................................ 292
NFS server connection issue.................................................................. 292
Vulnerability management issues ........................................................... 292
Upgrade issue......................................................................................... 293
Web-based Manager issue..................................................................... 293
Disk usage issue..................................................................................... 294
Device IP issue........................................................................................ 295
Running an HQIP for hardware integrity control ..................................... 296
Packet capture (CLI sniffer) best practice .............................................. 296
No logs received with encryption enabled between a FortiGate unit and a FortiAnalyzer unit .... 297
Bootup issues ......................................................................................... 297
Appendix A ............................................................................................ 302
SNMP MIB support....................................................................................... 302
Appendix B............................................................................................ 303
Maximum values matrix................................................................................ 303
Appendix C............................................................................................ 305
Querying FortiAnalyzer SQL log databases.................................................. 305
Creating datasets.................................................................................... 305
SQL statement syntax errors.................................................................. 308
Connection problems ............................................................................. 308
SQL tables .............................................................................................. 309
Examples ................................................................................................ 346
Appendix D............................................................................................ 352
Port Numbers ............................................................................................... 352
Appendix E ............................................................................................ 354
FortiAnalyzer Compatibility with ConnectWise............................................. 354
Change Log
Date         Change Description
2012-02-29   Initial Release
2012-03-28   Reports chapter updated
2012-04-03   Added Custom Report Filter details
1. Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
FortiAnalyzer units are network appliances that provide integrated log collection and
reporting tools. Reports analyze logs for email, FTP, web browsing, security events,
and other network activity to help identify and mitigate security issues throughout your
network.
In addition to logging and reporting, FortiAnalyzer units also have several major
features that augment or enable certain FortiGate unit functionalities, such as DLP
archiving and quarantining, and improve your ability to stay informed about the state of
your network.
• Logging and reporting: A FortiAnalyzer unit can aggregate and analyze log data
  from Fortinet and other syslog-compatible devices. Using a comprehensive suite of
  easily-customized reports, you can filter and review records, including traffic, event,
  virus, attack, web content, and email data, mining the data to determine your
  security stance and ensure regulatory compliance. For information about the
  FortiAnalyzer logging, analyzing, and reporting workflow, see Figure 1 on page 22.
• DLP archive / Data mining: Both FortiGate DLP (Data Leak Prevention) archive
  logs and their associated copies of files or messages can be stored on and viewed
  from a FortiAnalyzer unit, leveraging its storage capacity for large media files that
  can be common with multimedia content. When DLP archives are received by the
  FortiAnalyzer unit, you can use data filtering similar to other log files to track and
  locate specific email or instant messages, or to examine the contents of archived
  files.
• Quarantine repository: A FortiAnalyzer unit can act as a central repository for files
  that are suspicious or known to be infected by a virus, and have therefore been
  quarantined by your FortiGate units.
• Network vulnerability scan: A FortiAnalyzer unit can scan your designated target
  hosts for known vulnerabilities and open TCP and/or UDP ports. When the
  vulnerability scan is complete, the FortiAnalyzer unit generates a report that
  describes the discovered security issues and their known solutions.
  FortiAnalyzer units can utilize the FortiGuard subscription service to update their
  vulnerability databases with new entries added as they are discovered.
• Packet capture: FortiAnalyzer units can log observed packets to diagnose areas of
  the network where firewall policies may require adjustment, or where traffic
  anomalies occur.
• File explorer: You can browse through the list of content archive/DLP, quarantine,
  log, and report files on the FortiAnalyzer unit.
• Network sharing: FortiAnalyzer units can use their hard disks as an NFS or
  Windows-style network share for FortiAnalyzer reports and logs, as well as users'
  files.
• FIPS support: Federal Information Processing Standards (FIPS) are supported in
  some special releases of FortiAnalyzer firmware. Contact Customer Service &
  Support for more information.
Scope
This document describes how to use the Web-based Manager to set up and configure
the FortiAnalyzer unit. It assumes you have already successfully installed the
FortiAnalyzer unit by following the instructions in the FortiAnalyzer Install Guide.
At this stage:
• You have administrative access to the Web-based Manager and/or CLI.
• The FortiAnalyzer unit can connect to the Web-based Manager and CLI.
This document explains how to use the Web-based Manager to:
• maintain the FortiAnalyzer unit, including backups
• configure basic settings, such as system time, DNS settings, administrator password,
  and network interfaces
• configure advanced features, such as adding devices, DLP archiving, vulnerability
  management, logging, and reporting
This document does not cover commands for the command line interface (CLI). For
information on the CLI, see the FortiAnalyzer CLI Reference.
Conventions
Fortinet technical documentation uses the conventions described below.
This topic includes:
• IP addresses
• Cautions, notes, & tips
• Typographical conventions
• Command syntax conventions

IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional
and follow the documentation guidelines specific to Fortinet. The addresses used are
from the private IP address ranges defined in RFC 1918: Address Allocation for Private
Internets, available at:
http://ietf.org/rfc/rfc1918.txt?number-1918
Cautions, notes, & tips
Fortinet technical documentation uses the following guidance and styles for cautions,
notes and tips.
Caution: Warns you about commands or procedures that could have unexpected or undesirable
results including loss of data or damage to equipment.
Note: Presents useful information, usually focused on an alternative, optional method, such as a
shortcut, to perform a step.
Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 1: Typographical conventions in Fortinet technical documentation

Convention: Example

Button, menu, text box, field, or check box label:
    From Minimum log level, select Notification.
CLI input:
    config system dns
      set primary <address_ipv4>
    end
CLI output:
    FGT-602803030703 # get system settings
    comments : (null)
    opmode : nat
Emphasis:
    HTTP connections are not secure and can be intercepted by a third party.
File content:
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink:
    Visit the Customer Service & Support web site, https://support.fortinet.com.
Keyboard entry:
    Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation:
    Go to VPN > IPSEC > Auto Key (IKE).
Publication:
    For details, see the FortiAnalyzer Administration Guide.
Introduction Conventions
FortiAnalyzer v4.0 MR3 Patch Release 2 Administration Guide
05-432-164257-20120229 11
http://docs.fortinet.com/ Feedback
Command syntax conventions
The command line interface (CLI) requires that you use valid syntax, and conform to
expected input constraints. It will reject invalid commands.
Brackets, braces, and pipes are used to denote valid permutations of the syntax.
Constraint notations, such as <address_ipv4>, indicate which data types or string
patterns are acceptable value input.
Table 2: Command syntax notation
Convention            Description
Square brackets [ ]   A non-required word or series of words. For example:
                        [verbose {1 | 2 | 3}]
                      indicates that you may either omit or type both the verbose word
                      and its accompanying option, such as:
                        verbose 3
Angle brackets < >    A word constrained by data type.
                      To define acceptable input, the angle brackets contain a
                      descriptive name followed by an underscore ( _ ) and a suffix that
                      indicates the valid data type. For example:
                        <retries_int>
                      indicates that you should enter a number of retries, such as 5.
                      Data types include:
                      <xxx_name>: A name referring to another part of the configuration,
                        such as policy_A.
                      <xxx_index>: An index number referring to another part of the
                        configuration, such as 0 for the first static route.
                      <xxx_pattern>: A regular expression or word with wild cards that
                        matches possible variations, such as *@example.com to match all
                        email addresses ending in @example.com.
                      <xxx_fqdn>: A fully qualified domain name (FQDN), such as
                        mail.example.com.
                      <xxx_email>: An email address, such as admin@mail.example.com.
                      <xxx_url>: A uniform resource locator (URL) and its associated
                        protocol and host name prefix, which together form a uniform
                        resource identifier (URI), such as http://www.fortinet.com/.
                      <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
                      <xxx_v4mask>: A dotted decimal IPv4 netmask, such as
                        255.255.255.0.
                      <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask
                        separated by a space, such as 192.168.1.99 255.255.255.0.
                      <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation
                        netmask separated by a slash, such as 192.168.1.99/24.
                      <xxx_ipv6>: A colon ( : ) delimited hexadecimal IPv6 address,
                        such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
                      <xxx_v6mask>: An IPv6 netmask, such as /96.
                      <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
                      <xxx_str>: A string of characters that is not another data type,
                        such as P@ssw0rd. Strings containing spaces or special
                        characters must be surrounded in quotes or use escape
                        sequences. See the FortiWeb CLI Reference.
                      <xxx_int>: An integer number that is not another data type, such
                        as 15 for the number of minutes.
Curly braces { }      A word or series of words that is constrained to a set of options
                      delimited by either vertical bars or spaces.
                      You must enter at least one of the options, unless the set of
                      options is surrounded by square brackets [ ].
Options delimited     Mutually exclusive options. For example:
by vertical bars |      {enable | disable}
                      indicates that you must enter either enable or disable, but must
                      not enter both.
Options delimited     Non-mutually exclusive options. For example:
by spaces               {http https ping snmp ssh telnet}
                      indicates that you may enter all or a subset of those options, in
                      any order, in a space-delimited list, such as:
                        ping https ssh
                      Note: To change the options, you must re-type the entire list. For
                      example, to add snmp to the previous example, you would type:
                        ping https snmp ssh
                      If the option adds to or subtracts from the existing list of
                      options, instead of replacing it, or if the list is
                      comma-delimited, the exception will be noted.
Entering FortiAnalyzer configuration data
The configuration of a FortiAnalyzer unit is stored as a series of configuration settings
in the FortiAnalyzer configuration database. To change the configuration you can use
the Web-based Manager or CLI to add, delete or change configuration settings. These
configuration changes are stored in the configuration database as they are made.
Individual settings in the configuration database can be text strings, numeric values,
selections from a list of allowed options, or on/off (enable/disable).
Entering text strings (names)
Text strings are used to name entities in the configuration. For example, the name of a
report chart, administrative user, and so on. You can enter any character in a
FortiAnalyzer configuration text string except that, to prevent Cross-Site Scripting (XSS)
vulnerabilities, text strings in FortiAnalyzer configuration names cannot include the
following characters:
" (double quote), & (ampersand), ' (single quote), < (less than), and > (greater than)
You can determine the limit to the number of characters that are allowed in a text string
by determining how many characters the Web-based Manager or CLI allows for a given
name field. From the CLI, you can also use the tree command to view the number of
characters that are allowed. For example, report chart names can contain up to 64
characters. When you add a report chart name in the Web-based Manager, you are
limited to entering 64 characters in the report chart name field. From the CLI you can
do the following to confirm that the report chart name field allows 64 characters.
config report chart
edit <chart_name>
tree
--- [chart] --*name (64)
|- type
|- title (128 xss)
|- comment (1024)
|- dataset (64)
+- graph-type
Note that the tree command output also shows the number of characters allowed for
other report chart name settings. For example, the comment field can contain up to
1024 characters.
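A checker for the input conventions of this chapter, added here as an example and not Fortinet code: check_constraint() tests a value against the <xxx_type> notation of Table 2, and parse_tree() with validate_field() applies the text-string rules above (the characters refused to prevent XSS and the length limits printed by tree). The FQDN shape, the meaning of the xss annotation in the tree output, and all function names are assumptions.

```python
import ipaddress
import re

# Characters a FortiAnalyzer configuration name may not contain (XSS prevention).
XSS_FORBIDDEN = set('"&\'<>')

# Assumed shape of an FQDN: RFC 1123 host labels plus an alphabetic top-level label.
FQDN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)
EMAIL_RE = re.compile(r"[^@\s]+@(?P<host>[^@\s]+)")


def is_v4mask(value):
    """True for a dotted-decimal netmask: a run of 1 bits followed only by 0 bits."""
    try:
        bits = int(ipaddress.IPv4Address(value))
    except ValueError:
        return False
    inverted = ~bits & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0      # rejects hostmasks such as 0.0.0.255


def check_constraint(token, value):
    """True if value satisfies a constraint token such as "<retries_int>"."""
    m = re.fullmatch(r"<\w+_([\w/]+)>", token)
    if not m:
        raise ValueError("not a constraint token: %r" % token)
    kind = m.group(1)                            # the suffix after the last underscore
    try:
        if kind == "int":
            return re.fullmatch(r"-?\d+", value) is not None
        if kind == "ipv4":
            ipaddress.IPv4Address(value)
            return True
        if kind == "v4mask":
            return is_v4mask(value)
        if kind == "ipv4mask":                   # "address mask", separated by a space
            addr, mask = value.split(" ")
            return check_constraint("<x_ipv4>", addr) and is_v4mask(mask)
        if kind == "ipv4/mask":                  # "address/prefix" in CIDR notation
            if not re.fullmatch(r"[\d.]+/\d{1,2}", value):
                return False
            ipaddress.IPv4Interface(value)
            return True
        if kind == "ipv6":
            ipaddress.IPv6Address(value)
            return True
        if kind == "v6mask":                     # prefix length such as /96
            return re.fullmatch(r"/\d{1,3}", value) is not None and int(value[1:]) <= 128
        if kind == "fqdn":
            return FQDN_RE.fullmatch(value) is not None
        if kind == "email":
            m = EMAIL_RE.fullmatch(value)
            return m is not None and FQDN_RE.fullmatch(m.group("host")) is not None
        if kind == "str":
            return len(value) > 0
    except ValueError:                           # ipaddress rejected the value
        return False
    raise ValueError("data type %r is not handled by this example" % kind)


# Output of "tree" under "config report chart", as shown in this chapter.
CHART_TREE = """\
--- [chart] --*name (64)
 |- type
 |- title (128 xss)
 |- comment (1024)
 |- dataset (64)
 +- graph-type
"""


def parse_tree(output):
    """Map field -> (max_chars or None, xss_filtered) from tree output."""
    # The key field (marked *) is a configuration name, so the XSS rule from the text
    # applies; the "xss" annotation is assumed to mark other fields filtered the same way.
    limits = {}
    for raw in output.splitlines():
        line = re.sub(r"^-+\s*\[[\w-]+\]\s*", "", raw.strip())   # drop "--- [chart] "
        m = re.fullmatch(r"[|+\-\s]*(?P<key>\*?)(?P<field>[\w-]+)"
                         r"(?:\s+\((?P<limit>\d+)(?P<xss>\s+xss)?\))?", line)
        if m:
            limit = int(m.group("limit")) if m.group("limit") else None
            limits[m.group("field")] = (limit, bool(m.group("key")) or m.group("xss") is not None)
    return limits


def validate_field(limits, field, value):
    """Return the list of rule violations for one field value (empty means accepted)."""
    limit, xss = limits[field]
    problems = []
    if limit is not None and len(value) > limit:
        problems.append("%s is longer than %d characters" % (field, limit))
    if xss:
        bad = sorted(XSS_FORBIDDEN & set(value))
        if bad:
            problems.append("%s contains forbidden characters: %s" % (field, " ".join(bad)))
    return problems
```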
Selecting options from a list
If a configuration field can only contain one of a number of selected options, the
Web-based Manager and CLI present you a list of acceptable options and you can select
one from the list. No other input is allowed. From the CLI, you must spell the selection
name correctly.
Enabling or disabling options
If a configuration field can only be on or off (enabled or disabled), the Web-based
Manager shows a check box or other control that can only be enabled or disabled. From
the CLI, you can set the option to enable or disable.
2. Resources
This chapter lists the following topics:
Registering your Fortinet product
Technical Forums
Customer Service & Support
Training Services Online Campus
Technical Documentation
Comments on Technical Documentation
Tools and Documentation CD
Knowledge Base
Registering your Fortinet product
Before you begin configuring and customizing features, take a moment to register your
Fortinet product at the Customer Service & Support web site,
https://support.fortinet.com
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Knowledge Base article Registration Frequently Asked
Questions.
Technical Forums
Fortinet Technical Discussion forums provide a place for you to connect with your
fellow IT professionals to discuss best practices and solutions. Visit the forums at:
http://support.fortinet.com/forum/
Customer Service & Support
Customer Service & Support provides services designed to make sure that your
Fortinet systems install quickly, configure easily, and operate reliably in your network.
Please visit the Customer Service & Support web site at https://support.fortinet.com to
learn about the support services that Fortinet provides.
Training Services Online Campus
Training Services provides classes that orient you quickly to your new equipment, and
certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Training Services
web site at http://campus.training.fortinet.com
or email them at training@fortinet.com.
Technical Documentation
The Technical Documentation web site http://docs.fortinet.com provides the most
up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
Comments on Technical Documentation
Please send comments or information about errors or omissions in this document or
any Fortinet technical documents to techdoc@fortinet.com
Tools and Documentation CD
All Fortinet documentation is available from the Tools and Documentation CD shipped
with your Fortinet product. The documents on this CD are current at shipping time. For
up-to-date versions of Fortinet documentation, see the Technical Documentation web
site at http://docs.fortinet.com.
Knowledge Base
Additional Fortinet technical documentation is available from the Knowledge Base. The
knowledge base contains troubleshooting and how-to articles, FAQs, technical notes,
and example configurations. Visit the Knowledge Base at http://kb.fortinet.com
3. What's New in v4.0 MR3
This chapter lists and describes some of the key changes and new features added to
the FortiAnalyzer system. For upgrade information, see the Release Notes available at
https://support.fortinet.com, and Maintaining Firmware on page 271.
Note: The following list is current as of FortiManager v4.0 MR3 Patch Release 2.
Report enhancements
The FortiAnalyzer system in v4.0 MR3 Patch Release 2 includes a number of changes
and improvements to the report settings, report sections, and report contents. These
improve the user experience when generating and working with reports at both the
device and group levels. See Reports on page 189 for more information.
Default device reports
The FortiAnalyzer includes predefined report layouts at the device level. These report
layouts contain a selection of the most commonly used charts and datasets. Each
device report can be customized on a device-by-device basis. You can automatically
generate reports at a per device level, for all devices assigned to a device group, or for
multiple individual devices. See Default device reports on page 193 for more
information.
Per device report generation
Reports can now be generated per device.
Email report option at the device level
The email report option is now available at the device level. A report template created
for one device can be pushed to other connected devices. Reports will be emailed per
device, device group, or for multiple individual devices. See Email/upload remote
output on page 199 for more information.
Report and chart variables support
The following variables are now supported at both the report and chart levels:
Device
Time Period
VDOM
User (or Source IP)
Group (LDAP User Group).
You can define these variables from the Web-based Manager, or from the CLI at the
report layout level. The variables defined at the chart level will override the report level
values. If the same variable is defined at both levels, the chart level value will have a
higher priority. See Report settings on page 196 for more information.
PDF report improvements
The FortiAnalyzer PDF report has been redesigned with layout and design
improvements. The reports have an updated text style and size, headers and footers,
introduction pages, tables of contents, and appendix pages.
Web-based Manager changes
Menu layout enhancements
The reports section has been updated to improve the user experience. The report
menu includes the following sections:
Default Device Reports
Predefined Reports
Custom Reports
Advanced (chart, dataset, calendar, language).
Operation mode changes
You can now select the FortiAnalyzer operation mode - Standalone, Analyzer, and
Collector - based on your requirements. For more information, see System
Information widget on page 59.
Structured Query Language (SQL) database
SQL database compatibility
FortiAnalyzer units now save received logs both in the default proprietary indexed file
storage system and in the Structured Query Language (SQL) database used for
generating reports. In this release, the SQL database is the default database for log storage.
Performance improvements on SQL report generation
The speed to read log files and insert them into the SQL database has been increased
to 10 000 logs per second on high end FortiAnalyzer units.
Local event logs in SQL database
The FortiAnalyzer local event logs are now supported by the SQL database.
Custom fields support in SQL database
In each FortiGate log type, you can define a maximum of five customized fields by
using any keyword as the field name. These custom fields can now be transferred into
the SQL database and are included in the reports created with them.
FortiWeb support
FortiWeb integration
You can add FortiWeb units to FortiAnalyzer units and view the FortiWeb logs on the
FortiAnalyzer units. You can also generate reports using the collected FortiWeb logs.
FortiMail, FortiWeb, and FortiClient logs in SQL database
In this release, similar to FortiGate logs, FortiMail, FortiWeb, and FortiClient logs can
be inserted into the SQL database and are supported by SQL-based reports.
FortiAnalyzer Virtual Machine (VM) support
VMware ESX/ESXi 5.0 Support
FortiAnalyzer-VM now supports VMware ESX/ESXi versions 4.0, 4.1 and 5.0.
Logging enhancements
Log file integrity validation
You can use the execute log-integrity command to query a log file's MD5
checksum and timestamp to ensure that the log file has not been modified. This
command only applies for:
rolled log files with MD5 hash recorded
a local log containing the MD5 hash of the log files downloaded from the
FortiAnalyzer Web-based Manager.
You cannot apply this command on an active log file.
For more information, see the FortiAnalyzer CLI Reference.
Retrieve FortiGate logs on demand
In addition to receiving logs sent from the devices, you can manually retrieve logs
stored on a FortiGate. For more information, see To edit a device and retrieve the
device's logs on page 155.
Log forwarding IP spoofing
You can select to retain a device's IP in the log packets when configuring log
forwarding in the CLI. For more information, see the config log forwarding
command in the FortiAnalyzer CLI Reference.
UTM logs consolidation
IPS (Attack), Application Control, Web Filter, AntiVirus, Data Leak (DLP), and Email
Filter logs are merged into a Unified Threat Management log when you enable the
option in System > Admin > Settings. For more information, see Viewing log
messages on page 163.
Additional enhancements
Secure communication between devices
SSL FTP secure communications can be established between a FortiAnalyzer unit and
a FortiGate or FortiManager unit. In the FortiAnalyzer CLI, you can choose the
encryption algorithm for secure communications.
Network vulnerability scan
Network Vulnerability Scan replaces Vulnerability Management to configure
vulnerability scans and view the scan results. For more information, see Network
Vulnerability Scan on page 242.
SNMP v3 support
The FortiAnalyzer SNMP v3 implementation includes support for queries, traps,
authentication, and privacy. This is configured only with the CLI. For more information,
see config system snmp in the FortiAnalyzer CLI Reference.
TACACS+ server
You can configure the FortiAnalyzer unit to have a TACACS+ server perform the user
authentication. For more information, see Configuring TACACS+ servers on
page 107.
DNS log consolidation
The logs can be consolidated under a single domain instead of the specific uniform
resource identifier (URI) of the server when users visit websites that use multiple DNS
servers, such as google.com and yahoo.com. This leads to better report consolidation.
Email filters for reports
Email filters for senders and recipients are added to the report data filters. These new
filters behave similarly to the existing filters. Each new filter can support a list of email
addresses.
Compatibility with ConnectWise
The FortiAnalyzer unit integrates with the ConnectWise Management Services Platform
(MSP) by providing statistics from FortiGate logs and reports for the MSP's Executive
Summary report. The statistics include:
Top 10 web sites
Top 10 intrusions prevented
Top 10 web filter categories
Total bandwidth usage
Total number of events
For more information, see FortiAnalyzer Compatibility with ConnectWise on
page 354.
SMP support and large storage
The FortiAnalyzer unit's filesystem and kernel have been upgraded to support:
64-bit kernel.
ext4, enabling the FortiAnalyzer unit to utilize more storage than the current limit
of 16TB. For information on enabling or disabling ext4, see the execute
formatlogdisk-ext4 command in the FortiAnalyzer CLI Reference. Back up log
and quarantine files before running this command, as this operation will erase all
data on the hard disk, including quarantine and log files. The ext4 formatting time
is longer than the ext3 formatting time.
SMP in kernel/build environment, enabling the FortiAnalyzer processing to scale
up when using multi-core CPUs.
Federal Information Processing Standard (FIPS)
A FIPS compliant firmware image is now available for FortiAnalyzer v4.0 MR3 Patch
Release 2.
4. Key Concepts & Workflow
This chapter defines basic FortiAnalyzer concepts and terms.
If you are new to FortiAnalyzer, this chapter can help you to quickly understand this
document and your FortiAnalyzer platform.
This topic includes:
Administrative domains (ADOMs)
Operation mode
Log storage
Workflow
Administrative domains (ADOMs)
FortiAnalyzer administrative domains (ADOMs) enable the admin administrator to
constrain other FortiAnalyzer unit administrators' access privileges to a subset of
devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs
can further restrict access to only data from a specific device's VDOM.
For more information, see Administrative Domains (ADOMs) on page 48.
Operation mode
The FortiAnalyzer unit has three operation modes:
Standalone - The default mode that supports all FortiAnalyzer features.
Analyzer - The mode used for aggregating logs from one or more log collectors. In
this mode, the log aggregation configuration function is disabled.
Collector - The mode used for saving and uploading logs. For example, instead of
writing logs into the database, the collector can retain the logs in original (binary)
format for uploading. In this mode, the report function and some functions under
System and Tools are disabled.
The analyzer and collector modes are used together to increase the analyzer's
performance. The collector provides a buffer to the analyzer by off-loading the log
receiving task from the analyzer. Since log collection from the connected devices is the
dedicated task of the collector, its log receiving rate and speed are maximized.
The mode of operation that you choose will depend on your network topology and
individual requirements.
For information about appropriate network topologies for each mode of operation, see
The operation mode on page 28.
Note: The FortiAnalyzer 100 and 400 models do not support the analyzer mode.
Log storage
The FortiAnalyzer unit saves logs received to the default proprietary indexed file
storage system which is always ready to accept log data. It can also insert the log data
into the Structured Query Language (SQL) database for generating reports. Both local
and remote SQL database options are supported.
For more information, see Reports on page 189.
Workflow
Once you have successfully deployed the FortiAnalyzer platform in your network, using
and maintaining your FortiAnalyzer unit involves the following:
Configuration of optional features, and re-configuration of required features if
required by changes to your network
Backups
Updates
Monitoring reports, logs, and alerts
Figure 1 illustrates the process of data logging, data analyzing, and report generation
by the FortiAnalyzer unit in standalone or analyzer mode.
Figure 1: Logging, analyzing, and reporting workflow
5. Setting up the unit
After physically installing your FortiAnalyzer unit, you need to set up the unit by
performing some basic configuration so that the FortiAnalyzer unit can receive logs
from Fortinet devices, analyze the logs, and generate reports.
You can set up your FortiAnalyzer unit in standalone, analyzer, or collector mode,
depending on your network topology and requirements. For more information, see
The operation mode on page 28.
This setup serves as a road map for getting the FortiAnalyzer unit up and running.
Detailed configuration is described in the other chapters of this guide.
Only the configuration procedures through the Web-based Manager are provided. For
configuration procedures through the CLI, see the FortiAnalyzer CLI Reference.
This chapter includes:
Connecting to the Web-based Manager or CLI
Updating the firmware
The operation mode
Changing the admin administrator password
Configuring the system time and date
Configuring basic network settings
Configuring global settings
Configuring administrative domains (ADOMs)
Connecting to FortiGuard services
Collecting device logs
Testing the setup
Backing up the configuration
Connecting to the Web-based Manager or CLI
To configure, maintain, and administer your FortiAnalyzer unit, you need to connect to
it. There are two methods that you can use:
the Web-based Manager from within a web browser
the command line interface (CLI), an interface similar to DOS or UNIX commands,
from a Secure Shell (SSH) or Telnet terminal.
Access to the CLI and/or Web-based Manager will not yet be configured if:
you are connecting for the first time
you have just reset the configuration to its default state
you have just restored the firmware.
In these cases, you must access either interface using the default settings.
After you connect, you can use the Web-based Manager or CLI to configure basic
network settings and access the CLI and/or Web-based Manager through your
network. However, if you want to update the firmware, you may want to do so before
continuing. See Updating the firmware on page 27.
Connect to the Web-based Manager
To connect to the Web-based Manager using its default settings, you must have:
a computer with an RJ-45 Ethernet network port
a web browser such as Microsoft Internet Explorer or Mozilla Firefox
a crossover network cable
Table 3: Default settings for connecting to the Web-based Manager
Network Interface       port1
URL                     https://192.168.1.99/
Administrator Account   admin
Password                (none)
Note: If the above conditions do not apply, access the Web-based Manager using the IP
address, administrative access protocol, administrator account, and password already
configured, instead of the default settings.
Tip: Until the FortiAnalyzer unit is configured with an IP address and connected to your network,
you may prefer to connect the FortiAnalyzer unit directly to your management computer, or
through a switch, in a peer network that is isolated from your overall network. However,
isolation is not required.
To connect to the Web-based Manager
1 On your management computer, configure the Ethernet port with the static IP
address 192.168.1.2 with a netmask of 255.255.255.0.
2 Using the Ethernet cable, connect your computer's Ethernet port to the
FortiAnalyzer unit's port1.
3 Start your browser and enter the URL https://192.168.1.99. (Remember to include
the s in https://.)
To support HTTPS authentication, the FortiAnalyzer unit ships with a self-signed
security certificate, which it presents to clients whenever they initiate an HTTPS
connection to the FortiAnalyzer unit. When you connect, depending on your web
browser and prior access of the FortiAnalyzer unit, your browser might display two
security warnings related to this certificate:
The certificate is not automatically trusted because it is self-signed, rather than
being signed by a valid certificate authority (CA). Self-signed certificates cannot
be verified with a proper CA, and therefore might be fraudulent. You must
manually indicate whether or not to trust the certificate.
The certificate might belong to another web site. The common name (CN) field in
the certificate, which usually contains the host name of the web site, does not
exactly match the URL you requested. This could indicate server identity theft,
but could also simply indicate that the certificate contains a domain name while
you have entered an IP address. You must manually indicate whether this
mismatch is normal or not.
Both warnings are normal for the default certificate.
4 Verify and accept the certificate, either permanently (the web browser will not
display the self-signing warning again) or temporarily. You cannot log in until you
accept the certificate.
For details on accepting the certificate, see the documentation for your web
browser.
5 In the Name field, type admin, then click Login. (In its default state, there is no
password for this account.)
Login credentials entered are encrypted before they are sent to the FortiAnalyzer
unit. If your login is successful, the Web-based Manager appears.
To continue by updating the firmware, see Updating the firmware on page 27.
Otherwise, to continue by configuring the basic settings, see The operation mode
on page 28.
Connect to the CLI
Using its default settings, you can access the CLI from your management computer in
two ways:
a local serial console connection
an SSH connection, either local or through the network
To connect to the CLI using a local serial console connection, you must have:
a computer with a serial communications (COM) port
the RJ-45-to-DB-9 serial or null modem cable included in your FortiAnalyzer
package
terminal emulation software, such as HyperTerminal for Microsoft Windows
To connect to the CLI using an SSH connection, you must have:
a computer with an RJ-45 Ethernet port
a crossover Ethernet cable
an SSH client, such as PuTTY
For more information on available CLI commands, see the FortiAnalyzer CLI Reference.
Table 4: Default settings for connecting to the CLI by SSH
Network Interface       port1
IP Address              192.168.1.99
SSH Port Number         22
Administrator Account   admin
Password                (none)
Note: If you are not connecting for the first time, or have not just reset the configuration to its
default state or restored the firmware, administrative access settings may have already
been configured. In this case, access the CLI using the IP address, administrative access
protocol, administrator account and password already configured instead of the default
settings.
Note: The following procedure uses Microsoft HyperTerminal. Steps may vary with other
terminal emulators.
To connect to the CLI using a local serial console connection
1 Using the RJ-45-to-DB-9 or null modem cable, connect your computer's COM port
to the FortiAnalyzer unit's console port.
2 Verify that the FortiAnalyzer unit is powered on.
3 On your management computer, start HyperTerminal.
4 On Connection Description, enter a Name for the connection and select OK.
5 On Connect To, from Connect using, select the COM port to which you connected
the FortiAnalyzer unit.
6 Select OK.
7 Select the following Port settings and select OK.
Bits per second     9600
Data bits           8
Parity              None
Stop bits           1
Flow control        None
8 Press Enter.
The terminal emulator connects to the CLI and the CLI displays a login prompt.
9 Type admin and press Enter twice. (In its default state, there is no password for this
account.)
The CLI displays a prompt, such as:
FortiAnalyzer #
You can now enter commands.
To continue by updating the firmware, see Updating the firmware on page 27.
Otherwise, to continue by configuring the basic settings, see The operation mode on
page 28. For information about how to use the CLI, see the FortiAnalyzer CLI
Reference.
Note: The following procedure uses PuTTY. Steps may vary with other SSH clients.
To connect to the CLI using an SSH connection
1 On your management computer, configure the Ethernet port with the static IP
address 192.168.1.2 with a netmask of 255.255.255.0.
2 Using the Ethernet cable, connect your computer's Ethernet port to the
FortiAnalyzer unit's port1.
3 Verify that the FortiAnalyzer unit is powered on.
4 On your management computer, start your SSH client.
5 In Host Name (or IP Address), type 192.168.1.99.
6 In Port, type 22.
7 From Connection type, select SSH.
8 Select Open.
The SSH client connects to the FortiAnalyzer unit.
The SSH client may display a warning if this is the first time you are connecting to
the FortiAnalyzer unit and its SSH key is not yet recognized by your SSH client, or if
you have previously connected to the FortiAnalyzer unit but it used a different IP
address or SSH key. If your management computer is directly connected to the
FortiAnalyzer unit with no network hosts between them, this is normal.
9 Click Yes to verify the fingerprint and accept the FortiAnalyzer units SSH key. You
cannot log in until you accept the key.
The CLI displays a login prompt.
10 Type admin and press Enter. (In its default state, there is no password for this
account.)
The CLI displays a prompt, such as:
FortiAnalyzer #
You can now enter commands.
To continue by updating the firmware, see Updating the firmware on page 27.
Otherwise, to continue by configuring the basic settings, see The operation mode on
page 28. For information about how to use the CLI, see the FortiAnalyzer CLI
Reference.
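Step 9 of the SSH procedure above accepts the unit's host key on first use, and the warning it mentions is exactly what you see again if the key later changes. The following added example (not Fortinet's code) computes the OpenSSH-style SHA256 fingerprint of a host key line and compares what the unit presents on later connections against the fingerprint you recorded; the key line for 192.168.1.99 is a constructed synthetic blob so it runs offline, not a real FortiAnalyzer key.

```python
"""Pin the FortiAnalyzer SSH host key and verify it on later connections.

Added example, not Fortinet's code. The first direct connection is trust-on-
first-use: record the fingerprint you accepted, then compare what the unit
presents on later connections (for example the output of ssh-keyscan) against it.
"""
import base64
import hashlib
import hmac


def _synthetic_blob() -> bytes:
    """Constructed ed25519-shaped key blob so the example runs offline.

    SSH wire format: string(key type) || string(32-byte public key).
    This is NOT a real FortiAnalyzer key.
    """
    ktype = b"ssh-ed25519"
    pub = bytes(range(32))
    return (len(ktype).to_bytes(4, "big") + ktype
            + len(pub).to_bytes(4, "big") + pub)


# Constructed sample line in ssh-keyscan / known_hosts form for the
# default management address used in the procedure above.
SAMPLE_KEYSCAN_LINE = ("192.168.1.99 ssh-ed25519 "
                       + base64.b64encode(_synthetic_blob()).decode())


def fingerprint(keyscan_line: str) -> str:
    """Return the OpenSSH-style fingerprint of a '<host> <type> <base64>' line.

    OpenSSH prints 'SHA256:' followed by the unpadded base64 encoding of the
    SHA-256 digest of the raw (base64-decoded) key blob.
    """
    parts = keyscan_line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <key-type> <base64-key>'")
    blob = base64.b64decode(parts[2], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(keyscan_line: str, pinned_fingerprint: str) -> bool:
    """True only if the presented key hashes to the fingerprint recorded earlier.

    A mismatch on a host you have connected to before means the unit was
    reinstalled or re-addressed, or something else is answering at that IP;
    do not log in until you have confirmed which.
    """
    return hmac.compare_digest(fingerprint(keyscan_line), pinned_fingerprint)


if __name__ == "__main__":
    pinned = fingerprint(SAMPLE_KEYSCAN_LINE)  # record this value on first use
    print(pinned, host_key_matches(SAMPLE_KEYSCAN_LINE, pinned))
```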
Updating the firmware
Your new FortiAnalyzer appliance comes with the latest firmware when shipped.
However, if a new version has been released since your appliance was shipped, you
should install it before you continue the installation.
Fortinet periodically releases FortiAnalyzer firmware updates that include
enhancements and address issues. After you register your FortiAnalyzer unit,
FortiAnalyzer firmware is available for download at https://support.fortinet.com.
New firmware can also introduce new features which you must configure for the first
time.
For information specific to the firmware release version, see the Release Notes
available with that release.
For more information, see Maintaining Firmware on page 271.
Note: If three incorrect login attempts occur in a row, you will be disconnected. Wait for one
minute, then reconnect to attempt the login again.
Note: Before you can download firmware updates for your FortiAnalyzer unit, you must first
register your FortiAnalyzer unit with Customer Service & Support. For details, go to
https://support.fortinet.com/ or contact Customer Service & Support.
The operation mode
Once the FortiAnalyzer unit is installed, powered on, physically connected to your
network, and you have connected to either the FortiAnalyzer unit's Web-based
Manager or CLI, you must configure the operation mode.
The FortiAnalyzer unit has three operation modes: standalone, analyzer, and collector.
The analyzer and collector modes are used together to increase the analyzer's
performance. For more information, see Operation mode on page 21 and Selecting
the operation mode on page 62.
Standalone mode
The standalone mode is the default mode that supports all FortiAnalyzer features. If
your network log volume is reasonable and does not compromise the performance of
your FortiAnalyzer unit, you can choose this mode.
Figure 2 illustrates the network topology of the FortiAnalyzer unit in standalone mode.
Figure 2: Topology of the FortiAnalyzer unit in standalone mode
Analyzer and collector mode
The analyzer and collector modes are used together to increase the analyzer's
performance. The collector provides a buffer to the analyzer by off-loading the log
receiving task from the analyzer. Since log collection from the connected devices is the
dedicated task of the collector, its log receiving rate and speed are maximized.
In most cases, the volume of logs fluctuates dramatically during a day or week. You
can deploy a collector to receive and store logs during the high traffic periods and
transfer them to the analyzer during the low traffic periods. As a result, the
performance of the analyzer is guaranteed as it will only deal with log insertion and
reporting when the log transfer process is over.
[Figure 2 image labels: LAN; FortiAnalyzer unit; External SQL database for log storage (optional); Monitored devices that send logs to the FortiAnalyzer unit for analyzing and reporting.]
As illustrated in Figure 3, company A has two remote branch networks protected by
multiple FortiGate units. The networks generate large volumes of logs, which fluctuate
significantly during a day. It used to have a FortiAnalyzer-4000A in standalone mode to
collect logs from the FortiGate units and generate reports. To further boost the
performance of the FortiAnalyzer-4000A, the company deploys a FortiAnalyzer-400B in
collector mode in each branch to receive logs from the FortiGate units during the high
traffic period and transfer bulk logs to the analyzer during the low traffic period.
To set up the analyzer/collector configuration
1 On the FortiAnalyzer unit, go to System > Dashboard > Status.
2 In the System Information widget, in the Operation Mode row, click Change.
3 Select Analyzer and enter the password for the analyzer server and confirm it.
4 Select OK.
5 On the first collector unit, go to System > Dashboard > Status.
6 In the System Information widget, in the Operation Mode row, click Change.
Note: The FortiAnalyzer 100 and 400 models do not support the analyzer mode.
Accept Real-time Log Forwarding from Collectors: Select to allow collectors to
forward logs in real-time to the analyzer. Normally, logs are collected and uploaded
on schedule, but you may want some critical logs to be sent immediately.
Automatically Delete (Reconcile) Real-time Logs During Collector Upload: After the
logs are uploaded on schedule, those that were forwarded in real-time become
duplicates. Select this option to automatically delete the duplicate logs.
7 Select Collector.
8 Click OK.
9 On the second collector unit, repeat step 5 to 8.
Remote IP: Enter the IP address of the analyzer unit to which this log collector
uploads logs. For example, 100.10.1.2.
Password: Enter the password of the analyzer unit.
Upload Daily at: Select 00:00 to upload logs on a daily basis because network traffic
starts to drop from this time on. During the upload, if the connection with the
analyzer fails, the collector will keep trying to reconnect until the connection is
restored. The collector archives all logs that are uploaded.
Enable Real-time Forwarding of Priority Logs: Select to upload priority logs in real
time, then set the priority level to Critical in Minimum Severity. This uploads
critical-level logs and the logs of the levels before Critical in the list.
Figure 3: Topology of the FortiAnalyzer units in analyzer/collector mode
Changing the admin administrator password
The default administrator account, named admin, initially has no password.
Unlike other administrator accounts, the admin administrator account exists by default
and cannot be deleted. The admin administrator account is similar to a root
administrator account. This administrator account always has full permission to view
and change all FortiAnalyzer configuration options, including viewing and changing all
other administrator accounts. Its name and permissions cannot be changed.
Before you connect the FortiAnalyzer unit to your overall network, you should configure
the admin account with a password to prevent others from logging in to the
FortiAnalyzer and changing its configuration.
[Figure 3 image labels: two LANs, each with a FortiAnalyzer unit in collector mode (optimized for storing & forwarding logs) and monitored devices that send logs to collectors; a high-end FortiAnalyzer unit in analyzer mode; External SQL database for log storage (optional).]
Caution: Set a strong password for the admin administrator account, and change the password
regularly. Failure to maintain the password of the admin administrator account could
compromise the security of your FortiAnalyzer unit.
To change the admin administrator password
1 Go to System > Admin > Administrator.
2 Select the admin administrator account.
3 Select Change Password.
4 In the Old Password field, do not enter anything. (In its default state, there is no
password for the admin account.)
5 In the New Password field, enter a password with sufficient complexity and number
of characters to deter brute force and other attacks.
6 In the Confirm Password field, enter the new password again to confirm its spelling.
7 Click OK.
8 Click Logout.
The FortiAnalyzer appliance logs you out. To continue using the Web-based
Manager, you must log in again. The new password takes effect the next time that
administrator account logs in.
Configuring the system time and date
You can either manually set the FortiAnalyzer system time, or configure the
FortiAnalyzer unit to automatically keep its system time correct by synchronizing with a
Network Time Protocol (NTP) server.
For more information, see Configuring the time & date on page 60.
Configuring basic network settings
When shipped, each network interface associated with a physical network port of the
FortiAnalyzer unit has a default IP address and netmask.
These IP addresses and netmasks may not be compatible with the design of your
unique network. In addition, you must configure the FortiAnalyzer unit with the IP
address of your DNS servers and gateway router.
You can configure these basic network settings to ensure that your FortiAnalyzer unit is
connected to your network:
Network interfaces: See Configuring the network interfaces on page 87.
DNS settings: See Configuring DNS on page 93.
Default route: See Configuring static routes on page 94.
Configuring global settings
System > Config enables you to configure log storage databases and the mail server
for alerts and reports.
This option is available for standalone and analyzer mode only.
For more information, see Configuring SQL database storage on page 111 and
Configuring an email server for alerts & reports on page 116.
Configuring administrative domains (ADOMs)
Administrative domains (ADOMs) enable the admin administrator to constrain other
FortiAnalyzer unit administrators' access privileges to a subset of devices in the device
list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict
access to only data from a specific device's VDOM.
For more information, see Administrative Domains (ADOMs) on page 48.
Connecting to FortiGuard services
After the FortiAnalyzer unit is physically installed and configured to operate on your
network, if you have subscribed to FortiGuard services, connect the FortiAnalyzer unit
to the FortiGuard Distribution Network (FDN).
Connecting your FortiAnalyzer unit to the FDN or override server ensures that your
FortiAnalyzer unit can:
verify its FortiGuard Vulnerability Management license
download the latest FortiGuard Vulnerability Compliance Management definition
and engine packages in order to scan hosts and block attacks using the most up-
to-date protection
The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). When a
FortiAnalyzer unit connects to the FDN to download FortiGuard engine and definition
updates, by default, it connects to the nearest FDS based on the current time zone
setting. You can also override the FDS to which the FortiAnalyzer unit connects.
Your FortiAnalyzer unit may be able to connect using the default settings. However,
you should confirm this by verifying connectivity.
To determine your FortiGuard license status
1 Go to System > Dashboard > Status.
2 In the License Information widget (Figure 4), look at the status icon to determine the
unit's license status:
Expired or Not Registered (orange X icon): At the last attempt, the
FortiAnalyzer unit was able to contact the FDN. However, its FortiGuard license
was not valid. To purchase a license, click Subscribe.
Note: You must first register the FortiAnalyzer unit with the Customer Service & Support web
site, https://support.fortinet.com/, to receive service from the FDN. The FortiAnalyzer unit
must also have a valid support contract which includes service subscriptions, and be
able to connect to the FDN or the FDS that you will configure to override the default FDS
addresses. For port numbers required for license validation and update connections, see
the FortiAnalyzer Administration Guide.
Caution: Your FortiAnalyzer unit cannot detect the latest vulnerabilities and compliance
violations unless it is licensed and has network connectivity to download current
definitions from the FortiGuard service.
Licensed (green check mark icon): At the last attempt, the FortiAnalyzer
unit was able to successfully contact the FDN and validate its FortiGuard license.
Unreachable (grey X icon): Unable to determine license status due to
network connection errors. Check the configuration of the FortiAnalyzer unit and
any NAT or firewall devices that exist between the FortiAnalyzer appliance and
the FDN or override server. For example, you may need to add static routes.
Figure 4: License Information Widget
To verify FortiGuard update connectivity
Before performing this procedure, if your FortiAnalyzer appliance connects to the
Internet using a proxy, configure the FortiAnalyzer appliance to connect to the FDN
through the proxy (go to System > Maintenance > FortiGuard).
1 Go to System > Maintenance > FortiGuard.
Figure 5: FortiGuard Distribution Network
2 If you want your FortiAnalyzer appliance to connect to a specific FDS other than the
default for its time zone, enable Use override server address, and enter the fully
qualified domain name (FQDN) or IP address of the FDS.
3 Click Apply.
4 Click Request Update Now.
The FortiAnalyzer appliance tests the connection to the FDN and, if applicable, the
server you specified to override the default FDN server. The amount of time required
varies based on the speed of the FortiAnalyzer unit's network connection, and the
number of timeouts that occur before the connection attempt is successful or the
FortiAnalyzer appliance determines that it cannot connect. Test results are
indicated in the local logs in Log & Archive > Log Access > Event, such as this log
message:
VCM upgrade: no new update available
which indicates that the connection succeeded.
If the connection test did not succeed due to license issues, you would instead see
this log message:
VCM upgrade: Invalid VM license.
If the connection test did not succeed due to failed connectivity with the proxy, you
would instead see this log message:
VCM upgrade: failed connecting to 192.168.1.10:443
For more troubleshooting information, see the command diagnose debug
application fortiguard in the FortiAnalyzer CLI Reference.
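The three event log messages quoted above are what a monitoring check should look for after each update attempt. The following added example (not Fortinet's code) classifies them over constructed event log lines; only the message texts come from this section, while the key=value line shape is an assumed, simplified form of the local event log.

```python
"""Classify FortiGuard (VCM) update outcomes from FortiAnalyzer event log lines.

Added example, not Fortinet's code. The message texts are the ones quoted in
this section; the surrounding key=value line format is a constructed,
simplified shape and may differ from the real local event log.
"""
import re
from collections import Counter

# Constructed sample event log lines (simplified key=value form).
SAMPLE_EVENT_LOG = """\
date=2012-02-29 time=02:00:01 msg="VCM upgrade: no new update available"
date=2012-02-29 time=03:00:02 msg="VCM upgrade: failed connecting to 192.168.1.10:443"
date=2012-02-29 time=04:00:03 msg="VM upgrade: no new update available"
date=2012-02-29 time=05:00:04 msg="VCM upgrade: Invalid VM license."
date=2012-02-29 time=06:00:05 msg="Admin login from 192.168.1.2 succeeded"
"""

MSG_RE = re.compile(r'msg="(?P<msg>[^"]*)"')
# Both "VCM upgrade:" and "VM upgrade:" prefixes appear in this guide.
UPGRADE_RE = re.compile(r"^VC?M upgrade: (?P<detail>.*)$")
CONNECT_RE = re.compile(r"^failed connecting to (?P<host>[^:\s]+):(?P<port>\d+)$")


def classify(line: str):
    """Return (status, detail) for a FortiGuard update event, or None if unrelated.

    status is one of 'ok', 'license', 'connectivity' or 'unknown'.
    """
    m = MSG_RE.search(line)
    if not m:
        return None
    u = UPGRADE_RE.match(m.group("msg"))
    if not u:
        return None
    detail = u.group("detail").strip().rstrip(".")
    if detail == "no new update available":
        return ("ok", None)
    if detail.lower().startswith("invalid") and "license" in detail.lower():
        # The FDN was reached but rejected the unit: check registration and contract.
        return ("license", detail)
    c = CONNECT_RE.match(detail)
    if c:
        # The unit never reached this host:port: check the proxy, override
        # server, static routes and any NAT/firewall in the path.
        return ("connectivity", f"{c.group('host')}:{c.group('port')}")
    return ("unknown", detail)


def summarize(log_text: str) -> dict:
    """Count outcomes and report the most recent one, as a monitoring check would."""
    counts = Counter()
    last = None
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        counts[result[0]] += 1
        last = result
    return {"counts": dict(counts), "last": last}


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENT_LOG))
```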
Configuring scheduled updates
You can configure the FortiAnalyzer unit to periodically request FortiGuard Vulnerability
Compliance Management (VCM) engine and definition updates from the FDN or
override server.
You can manually initiate updates as alternatives or in conjunction with scheduled
updates. For additional/alternative update methods, see Manually requesting
updates on page 36.
For example, you might schedule updates every night at 2 AM, or weekly on Sunday,
when traffic volume is light.
To configure scheduled updates
Before scheduling updates, verify that the FortiAnalyzer unit has a valid license and
can connect to the FDN or override server. For details, see To determine your
FortiGuard license status on page 33 and To verify FortiGuard update connectivity
on page 34.
1 Go to System > Maintenance > FortiGuard (Figure 5 on page 34).
2 Under Vulnerability Management, enable Scheduled Update.
3 Select one of the following:
Every Select to request updates once per interval, in hours.
Daily Select to request updates once a day, then configure the time of day.
Weekly Select to request updates once a week, then configure the day of the
week and the time of day.
4 Click Apply.
The FortiAnalyzer unit next requests an update according to the schedule. If you
have enabled logging, when the FortiAnalyzer unit requests an update, the event is
recorded in the local logs in Log & Archive > Log Access > Event, such as this log
message:
VM upgrade: no new update available
Manually requesting updates
You can manually trigger the FortiAnalyzer unit to connect to the FDN or override
server to request available updates for its FortiGuard packages.
You can manually initiate updates as an alternative or in addition to other update
methods. For details, see Configuring scheduled updates on page 35.
To manually request updates
Before manually initiating an update, first verify that the FortiAnalyzer appliance has a
valid license and can connect to the FDN or override server. For details, see To
determine your FortiGuard license status on page 33 and To verify FortiGuard update
connectivity on page 34.
1 Go to System > Maintenance > FortiGuard (Figure 5 on page 34).
2 Under Vulnerability Management, click Request Update Now.
The Web-based Manager displays the following message:
3 Click OK.
The page refreshes.
4 After a few minutes, click the FortiGuard submenu to refresh the page, or go to
System > Dashboard > Status and look at the License Information widget.
If an update was available, the packages that were updated have new version
numbers. If you have enabled logging, when the FortiAnalyzer unit requests an
update, the event is recorded in the local logs in Log & Archive > Log Access >
Event Log, such as this log message:
VCM upgrade: no new update available
Collecting device logs
The power of the FortiAnalyzer unit centers on reporting and network analysis
capability collated from log data. The FortiAnalyzer unit can collect log messages from
multiple FortiGate, FortiManager, FortiClient, FortiMail, and FortiWeb devices and
syslog servers, to enable you to generate many different report types from the log data.
If you have an analyzer/collector setup, your analyzer will collect logs from the collector,
which in turn collects logs from the devices and transfers them to the analyzer. In this
case, you need to configure the collector and the devices for log collection. For more
information on analyzer/collector setup, see Analyzer and collector mode on
page 28.
This section describes a simple example you can use to test the installation by
configuring the FortiAnalyzer unit and a FortiGate unit for log collection. For
information on collecting log data from other Fortinet products, see Devices on
page 146.
To collect logs from a FortiGate unit, you must do the following:
1 Configuring FortiAnalyzer connection attempt handling
2 Configuring disk quota and device privileges for a FortiGate unit
3 Configuring a FortiGate unit to send logs to the FortiAnalyzer unit
Configuring FortiAnalyzer connection attempt handling
On the FortiAnalyzer unit, you can control how to deal with other devices' connection
attempts. For more information, see Configuring unregistered device options on
page 157.
Configuring disk quota and device privileges for a FortiGate unit
If you choose to allow and automatically register known devices when you configure
the FortiAnalyzer's device connection attempt handling settings, once a FortiGate unit
begins sending log data to the FortiAnalyzer unit, the FortiGate unit will be
automatically added to the allowed device list. You can then configure the following
settings for the FortiGate unit.
To configure disk quota and privileges for a FortiGate unit
1 On the FortiAnalyzer unit, go to Devices > All Devices > Allowed.
Figure 6: Allowed Devices
2 Select the FortiGate device from the device list and click the Edit icon.
Figure 7: Edit Device Window
3 Configure the Disk Allocation quota to be used by the FortiGate device.
4 Configure the Device Privileges settings to allow the FortiGate unit to send and view
its log files, archived content, and quarantined files.
5 Select OK.
For more information, see Configuring connections with devices & their disk space
quota on page 146.
Configuring a FortiGate unit to send logs to the FortiAnalyzer unit
A FortiGate unit must be configured to send log messages to a FortiAnalyzer unit. This
configuration can occur before or after the FortiAnalyzer unit's configuration to receive
those logs.
The following procedure uses the default options and configures a FortiGate unit
running FortiOS v4.0.
To send FortiGate logs to a FortiAnalyzer unit
1 On the FortiGate unit, go to Log&Report > Log Config > Log Setting.
2 Select the Expand Arrow for Remote Logging and Archiving to expand the options.
3 Select FortiAnalyzer and enter the IP Address of the FortiAnalyzer unit.
4 Select a security level to log.
5 Select Apply.
Note: Remotely accessing logs, content logs, and quarantined files is available on FortiGate
units running firmware v4.0 or later.
Note: Due to the nature of connectivity for certain HA modes, full content archiving and
quarantining may not be available for FortiGate units in an HA cluster. For details, see the
FortiOS Handbook.
For more information on the logging options, see the Log & Report chapter in the
FortiGate Administration Guide.
Configuring log types
You must also configure the FortiGate unit for the type of data that you want the
FortiGate unit to log and send to the FortiAnalyzer unit. There are two main locations
for configuring log types:
configure the event logs by going to Log&Report > Log Config > Event Log.
enable feature logs by going to Firewall > Protection Profile, and editing a profile.
Configuring IPSec secure connections between the FortiAnalyzer unit and a
device or an HA cluster
For secure transmission of logs, content archives, and quarantined files, you can
configure an IPSec VPN tunnel between the FortiAnalyzer unit and FortiGate devices or
HA clusters, and FortiManager devices.
For more information on the CLI commands used for secure connection, see the
FortiAnalyzer CLI Reference, FortiGate CLI Reference, and FortiManager CLI
Reference.
To configure a secure connection on a FortiAnalyzer unit
In the FortiAnalyzer CLI, enter the following commands:
config log device
  edit <device_name>
    set secure psk
    set psk <preshared-key_str>
    set id <fortigates_device_name_on_the_fortianalyzer/fortimanager-serial-number_str>
  end
To configure a secure connection on a FortiGate unit
On the FortiGate CLI, enter the following commands:
config log {fortianalyzer | fortianalyzer2 | fortianalyzer3} settings
  set encrypt enable
  set psksecret <preshared-key_str>
  set localid <fortigates_device_name_on_the_fortianalyzer>
end
Note: You must configure the secure tunnel on both ends of the tunnel: the FortiAnalyzer unit
and the device.
Note: Changing a device's FortiAnalyzer settings clears sessions to that IP address. If the
FortiAnalyzer unit is behind a NAT device, such as a FortiGate unit, this also resets
sessions to other hosts behind that same NAT.
To prevent disruption of other devices' traffic, on the NAT device, create a separate virtual
IP for the FortiAnalyzer unit.
Note: To enable and configure secure connections on a FortiGate HA cluster, configure the
primary device in the cluster. The primary device will synchronize the configuration with
its members.
To configure a secure connection on a FortiManager system
On the FortiManager CLI, enter the following commands:
config fmsystem log fortianalyzer
set secure_connection enable
set psk <preshared-key_str>
set localid <fortianalyzer_serial_number_str>
end
Further reading
The FortiGate unit and FortiAnalyzer unit are now configured to send and receive log
information. Using this log collection, you can view traffic and vulnerability statistics,
and run reports from a selection of over 200 reports in 15 categories.
To help you in further configuration and data analysis, see these other Fortinet
documents, available from the Technical Documentation web site
(http://docs.fortinet.com).
This guide includes further configuration and technical information on your
FortiAnalyzer unit.
FortiAnalyzer CLI Reference describes all the CLI commands you can use to
configure the FortiAnalyzer unit.
FortiAnalyzer Log Reference describes the FortiAnalyzer local log messages, which
can be used for analysis and troubleshooting purposes.
FortiOS Handbook includes steps for enabling the various logging options and
details on the logging levels.
FortiOS Log Message Reference describes what each log message means and its
components.
Testing the setup
When the setup is complete, test it by forming connections between your FortiAnalyzer
unit and network hosts at various points within your network topology.
Devices in the device list such as FortiGate, FortiMail, or FortiWeb units;
FDN servers for FortiGuard services;
DNS server;
NTP server, if any;
Authentication servers, if any;
SMTP email server for alerts, if any;
LDAP servers for report queries, if any;
SNMP manager for traps and queries, if any;
Remote SQL database server, if any;
Syslog servers for alerts or log forwarding, if any;
FortiAnalyzer units acting as aggregators or collectors, if any.
To test connections with devices, you must configure each device to send logs, and
then cause some kind of event that will trigger a log.
If the FortiAnalyzer unit is operating as a log aggregator, your test should include
receiving logs from other FortiAnalyzer units.
Troubleshooting tools
To locate network errors and other issues that may prevent logs from passing to or
through the FortiAnalyzer unit, FortiAnalyzer units feature several troubleshooting
tools. You may also be able to perform additional tests from your management
computer or the computers of SMTP clients and servers.
This section includes the following topics:
Ping and traceroute
Log messages
Packet capture
Ping and traceroute
If your FortiAnalyzer unit cannot connect to other hosts, you may be able to use ICMP
(ping and traceroute) to determine if the host is reachable or locate the node of your
network at which connectivity fails, such as when static routes are incorrectly
configured. You can do this from the FortiAnalyzer unit using CLI commands.
For example, you might use ICMP ping to determine that 172.16.1.10 is reachable.
(Commands that you would type are highlighted in bold; responses from the
FortiAnalyzer unit are not bolded.)
FortiAnalyzer # execute ping 172.16.1.10
PING 172.16.1.10 (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=64 time=2.4 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=64 time=0.8 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=64 time=1.4 ms
--- 172.16.1.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/1.4/2.4 ms
or that 192.168.1.10 is not reachable:
FortiAnalyzer # execute ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
Timeout ...
Timeout ...
Timeout ...
Timeout ...
Timeout ...
--- 192.168.1.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Note: If the device keeps a local log buffer for performance reasons, and only sends logs
periodically or when the buffer is full, you may need to generate multiple logs and/or wait
for the FortiAnalyzer unit to receive the log message from the remote device. For
information on periodic log uploads or buffering behavior, consult the documentation for
each device.
If the host is not reachable, you can use traceroute to determine the router hop or host
at which the connection fails:
FortiAnalyzer # execute traceroute 192.168.1.10
traceroute to 192.168.1.10 (192.168.1.10), 32 hops max, 72 byte packets
1 192.168.1.2 2 ms 0 ms 1 ms
2 * * *
For more information on CLI commands, see the FortiAnalyzer CLI Reference.
Log messages
Log messages often contain clues that can aid you in determining the cause of a
problem. FortiAnalyzer units can record log messages when errors occur that cause
failures, upon significant changes, and upon processing events.
Depending on the type, log messages may appear in one of several log files. For
example:
To determine when and why a FortiGuard update connection failed, you might
examine the Message field in the event log.
To determine why an email was blocked by a firewall, you might examine logs
whose Type field is dlp in the UTM log.
During troubleshooting, you may find it useful to reduce the logging severity threshold
for more verbose logs to include more information on less severe events.
For example, when the FortiAnalyzer unit cannot reach the FDN or override server for
FortiGuard updates, the associated log message in the event log has a severity level of
Error. If your severity threshold is currently greater than Error (such as Critical or Alert),
the Alert Message Console widget in the Web-based Manager will not record that log
message, and you will not be notified of the error. Often this error might occur due to
temporary connectivity problems and is not critical. However, if you are frequently
encountering this issue, you may want to lower the severity threshold to determine
how often the issue is occurring and whether the cause of the problem is persistent.
Packet capture
Packet capture, also known as sniffing, records some or all of the packets seen by a
network interface. By recording packets, you can trace connection states to the exact
point at which they fail, which may help you to diagnose some types of problems that
are otherwise difficult to detect.
FortiAnalyzer units have a built-in sniffer. Packet capture on FortiAnalyzer units is
similar to that of FortiGate units. To use the built-in sniffer, connect to the CLI and enter
the following command:
diagnose sniffer packet [<interface_name>] [{none | '<filter_str>'}] [{1 | 2 | 3}] [<count_int>]
where:
<interface_name> is the name of a network interface, such as port1, or any
for all interfaces.
Note: Both ping and traceroute require that network nodes respond to ICMP ping. If you have
disabled responses to ICMP on your network, hosts may appear to be unreachable to
ping and traceroute even if connections using other protocols can succeed.
'<filter_str>' is the sniffer filter that specifies the protocols and port numbers
that you do or do not want to capture, such as 'tcp port 25', or none for no
filters.
{1 | 2 | 3} is an integer indicating the depth of packet headers and payloads to
display.
<count_int> is the number of packets the sniffer reads before stopping. Packet
capture output is printed to your CLI display until you stop it by pressing Ctrl + C, or
until it reaches the number of packets that you have specified to capture.
For example, you might capture all TCP port 443 (typically HTTPS) traffic occurring
through port1, regardless of its source or destination IP address. The capture uses a
high level of verbosity (indicated by 3).
A specific number of packets to capture is not specified. As a result, the packet
capture continues until the administrator presses Ctrl + C. The sniffer then confirms
that five packets were seen by that network interface.
(Verbose output can be very long. As a result, output shown below is truncated after
only one packet. Commands that you would type are highlighted in bold; responses
from the FortiAnalyzer appliance are not bolded.)
FortiAnalyzer# diagnose sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000   0009 0f09 0001 0009 0f89 2914 0800 4500   ..........)...E.
0x0010   003c 73d1 4000 4006 3bc6 d157 fede ac16   .<s.@.@.;..W....
0x0020   0ed8 c442 01bb 2d66 d8d2 0000 0000 a002   ...B..-f........
0x0030   16d0 4f72 0000 0204 05b4 0402 080a 03ab   ..Or............
0x0040   86bb 0000 0000 0103 0303                  ..........
Instead of reading packet capture output directly in your CLI display, you should
usually save the output to a plain text file using your CLI client. Saving the output
provides several advantages: packets can arrive more rapidly than you may be able to
read them in the buffer of your CLI display, and many protocols transfer data using
encodings other than US-ASCII. It is usually preferable to analyze the output by
loading it into a network protocol analyzer application such as Wireshark
(http://www.wireshark.org/).
For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer
output. Methods may vary. See the documentation for your CLI client.
Note: Packet capture can be very resource intensive. To minimize the performance impact on
your FortiAnalyzer unit, use packet capture only during periods of minimal traffic, with a
serial console CLI connection rather than a Telnet or SSH CLI connection, and be sure to
stop the command when you are finished.
Requirements
terminal emulation software such as PuTTY
a plain text editor such as Notepad
a Perl interpreter
network protocol analyzer software such as Wireshark
To view packet capture output using PuTTY and Wireshark
1 On your management computer, start PuTTY.
2 Use PuTTY to connect to the FortiAnalyzer appliance using either a local serial
console, SSH, or Telnet connection. For details, see the FortiAnalyzer CLI
Reference.
3 Type the packet capture command, such as:
diagnose sniffer packet port1 'tcp port 25' 3
but do not press Enter yet.
4 In the upper left corner of the window, click the PuTTY icon to open its drop-down
menu, then select Change Settings.
A dialog appears where you can configure PuTTY to save output to a plain text file.
5 In the Category tree on the left, go to Session > Logging.
6 In Session logging, select Printable output.
7 In Log file name, click the Browse button, then choose a directory path and file
name such as C:\Users\MyAccount\packet_capture.txt to save the packet
capture to a plain text file. (You do not need to save it with the .log file extension.)
8 Click Apply.
9 Press Enter to send the CLI command to the FortiAnalyzer unit, beginning packet
capture.
10 If you have not specified a number of packets to capture, when you have captured
all packets that you want to analyze, press Ctrl + C to stop the capture.
11 Close the PuTTY window.
12 Open the packet capture file using a plain text editor such as Notepad.
13 Delete the first and last lines, which look like this:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.07.25 11:34:40
=~=~=~=~=~=~=~=~=~=~=~=
FortiAnalyzer-2000 #
These lines are a PuTTY timestamp and a command prompt, which are not part of
the packet capture. If you do not delete them, they could interfere with the script in
the next step.
14 Convert the plain text file to a format recognizable by your network protocol
analyzer application.
You can convert the plain text file to a format (.pcap) recognizable by Wireshark
(formerly called Ethereal) using the fgt2eth.pl Perl script. To download fgt2eth.pl,
see the Knowledge Base article Using the FortiOS built-in packet sniffer.
To use fgt2eth.pl, open a command prompt, then enter a command such as the
following:
fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap
where:
fgt2eth.pl is the name of the conversion script; include the path relative to
the current directory, which is indicated by the command prompt
packet_capture.txt is the name of the packet capture's output file; include
the directory path relative to your current directory
packet_capture.pcap is the name of the conversion script's output file;
include the directory path relative to your current directory where you want the
converted output to be saved.
Note: The fgt2eth.pl script is provided as-is, without any implied warranty or technical support,
and requires that you first install a Perl module compatible with your operating system.
Note: Methods to open a command prompt vary by operating system.
On Windows XP, go to Start > Run and enter cmd.
On Windows 7, click the Start (Windows logo) menu to open it, then enter cmd.
Figure 8: Converting sniffer output to .pcap format
15 Open the converted file in your network protocol analyzer application. For further
instructions, see the documentation for that application.
Figure 9: Viewing sniffer output in Wireshark
For additional information on packet capture, see the Knowledge Base article Using
the FortiOS built-in packet sniffer.
For more information on CLI commands, see the FortiAnalyzer CLI Reference.
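The conversion that step 14 delegates to fgt2eth.pl, as an added example written for this guide's sniffer output format (not Fortinet's script): it reads the PuTTY log saved in steps 7 to 13, drops the banner and prompt lines itself, parses the verbosity-3 timestamp and hex-dump lines shown above, writes a libpcap file that Wireshark opens, and cross-checks each frame's IP length and TCP fields against the summary line. The input is the one-packet capture from this section wrapped in a constructed PuTTY banner and prompt, and the hex-dump columns are assumed to be tab-separated as the sniffer prints them.

```python
"""Convert verbosity-3 'diagnose sniffer packet' output to a libpcap file.

Added example for this guide's procedure, not Fortinet's fgt2eth.pl: drop the
PuTTY banner and CLI prompt lines (step 13), parse each packet's timestamp and
hex-dump lines, write a pcap that Wireshark opens, and check every frame
against its own IP/TCP header fields.
"""
import re
import struct

# Constructed sample: the capture shown in this section as PuTTY would log it,
# with the banner and prompt lines still present.
SAMPLE_LOG = (
    "=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=\n"
    "FortiAnalyzer# diagnose sniffer packet port1 'tcp port 443' 3\n"
    "interfaces=[port1]\n"
    "filters=[tcp port 443]\n"
    "10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898\n"
    "0x0000\t 0009 0f09 0001 0009 0f89 2914 0800 4500\t..........)...E.\n"
    "0x0010\t 003c 73d1 4000 4006 3bc6 d157 fede ac16\t.<s.@.@.;..W....\n"
    "0x0020\t 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002\t...B..-f........\n"
    "0x0030\t 16d0 4f72 0000 0204 05b4 0402 080a 03ab\t..Or............\n"
    "0x0040\t 86bb 0000 0000 0103 0303\t..........\n"
    "FortiAnalyzer-2000 #\n"
)

_TS_LINE = re.compile(r"^(\d+)\.(\d{1,6})\s+(\S.*)$")  # "10.651905 src -> dst: ..."
_HEX_LINE = re.compile(r"^0x([0-9a-fA-F]{4})\s+(.*)$")  # "0x0010<tab> hex...<tab>ascii"
_HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")

def hex_line_bytes(rest):
    """Return the data bytes of one hex-dump line (the part after the offset).

    Hex and ASCII columns are tab-separated; if a terminal client turned tabs
    into spaces, read at most eight 2-/4-digit hex tokens (16 bytes per line)
    so an ASCII column that happens to look like hex is not taken as data.
    """
    if "\t" in rest:
        return bytes.fromhex("".join(rest.split("\t", 1)[0].split()))
    tokens = []
    for tok in rest.split():
        if len(tokens) == 8 or not _HEX_TOKEN.match(tok):
            break
        tokens.append(tok)
    return bytes.fromhex("".join(tokens))

def parse_sniffer_log(text):
    """Return a list of (seconds, microseconds, summary, frame_bytes) tuples."""
    packets, stamp, frame = [], None, bytearray()
    for line in text.splitlines():
        hexm = _HEX_LINE.match(line)
        if hexm and stamp is not None:
            if int(hexm.group(1), 16) != len(frame):
                raise ValueError("non-contiguous hex dump at 0x" + hexm.group(1))
            frame += hex_line_bytes(hexm.group(2))
            continue
        tsm = _TS_LINE.match(line)
        if tsm:
            if stamp is not None:
                packets.append(stamp + (bytes(frame),))
            usec = int(tsm.group(2).ljust(6, "0"))  # ".65" means 650000 us
            stamp, frame = (int(tsm.group(1)), usec, tsm.group(3)), bytearray()
        # Any other line (banner, echoed command, interfaces=/filters=, prompt)
        # is dropped here, which is what step 13 above does by hand.
    if stamp is not None:
        packets.append(stamp + (bytes(frame),))
    return packets

def to_pcap(packets):
    """Serialize packets as a classic libpcap file (LINKTYPE_ETHERNET = 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for sec, usec, _summary, frame in packets:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def describe_tcp_frame(frame):
    """Decode Ethernet/IPv4/TCP fields; compare them with the summary line."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("not an IPv4/TCP frame")
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if len(frame) != 14 + total_len:  # dump truncated or mangled while saving
        raise ValueError("frame has %d bytes but IP says %d" % (len(frame), 14 + total_len))
    sport, dport, seq = struct.unpack("!HHI", frame[14 + ihl:14 + ihl + 8])
    flags = frame[14 + ihl + 13]
    names = [n for bit, n in ((0x02, "syn"), (0x10, "ack"), (0x08, "psh"),
                              (0x01, "fin"), (0x04, "rst")) if flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "flags": " ".join(names)}

if __name__ == "__main__":
    pkts = parse_sniffer_log(SAMPLE_LOG)
    with open("packet_capture.pcap", "wb") as fh:  # same name as the fgt2eth.pl example
        fh.write(to_pcap(pkts))
    for _sec, _usec, summary, frame in pkts:
        print(summary, describe_tcp_frame(frame))
```

Run it in the directory holding the saved capture and open packet_capture.pcap in Wireshark as in step 15; a ValueError from describe_tcp_frame means the saved text does not match the frame's own length fields and the capture should be redone.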
Backing up the configuration
Once you have tested your basic setup and verified that it functions correctly, create a
backup. This clean backup can be used to:
troubleshoot a non-functional configuration by comparing it with this functional
baseline
rapidly restore your installation to a simple yet functional point.
Your deployment's configuration is comprised of a few separate components. To make
a complete configuration backup, you must include all of the following:
core configuration file (see To back up the configuration file on page 47)
configuration files of the web servers on each virtual or physical host (for a suitable
backup method, see the documentation for the host's operating system or your
preferred third-party backup software)
To back up the configuration file
1 Log in to the Web-based Manager as the admin administrator.
Other administrator accounts do not have the required permissions.
2 Go to System > Maintenance > Backup & Restore.
Figure 10: Backup and Restore Window
3 In the Backup area, click Backup.
Your browser downloads the configuration file and saves it to your local PC. Time
required varies by the size of the configuration and the specifications of the
appliance's hardware as well as the speed of your network connection, but could
take several minutes.
For more information, see Backing up the configuration & installing firmware on
page 137.
Note: Configuration backups do not include data such as logs and reports.
6. Administrative Domains (ADOMs)
Administrative domains (ADOMs) enable the admin administrator to constrain other
FortiAnalyzer unit administrators' access privileges to a subset of devices in the device
list. For FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict
access to only data from a specific FortiGate VDOM.
Enabling ADOMs alters the structure and available functionality of the Web-based
Manager and CLI according to whether or not you are logging in as the admin
administrator, and, if you are not logging in as the admin administrator, the
administrator account's assigned access profile.
If ADOMs are enabled and you log in as admin, you first access the Global ADOM
where you have full access to the menus, except the Report menu, and can
configure other ADOMs in System > ADOM > ADOM. At the end of the menu list,
the Current ADOM menu appears, enabling you to enter into another ADOM or
return to the Global ADOM.
The Global ADOM contains settings used by the FortiAnalyzer unit itself, as well as
settings shared by ADOMs, such as the device list, RAID, and administrator
accounts. It does not include ADOM-specific settings or data, such as logs and
reports. When configuring other administrator accounts, an additional option
appears allowing you to restrict other administrators to an ADOM. For more
information, see Assigning administrators to an ADOM on page 54. The admin
administrator can further restrict other administrators' access to specific
configuration areas within their ADOM by using access profiles. For more
information, see Configuring access profiles on page 104.
Note: ADOMs are not supported on FortiAnalyzer-100B, -100C models.
Table 5: Characteristics of the CLI and Web-based Manager when ADOMs are enabled
                                                                  admin administrator account   Other administrators
Access to Global Configuration                                    Yes                           No
Access to Administrative Domain Configuration (can create ADOMs)  Yes                           No
Can create administrator accounts                                 Yes                           No
Can enter all ADOMs                                               Yes                           No
Note: By default, some menus are hidden. To make them visible, you can enable the menus in
System > Admin > Settings. See Enable ADOMs on page 49 for more information.
If ADOMs are enabled and you log in as any other administrator, you enter the
ADOM assigned to your account. You can only access the menu items assigned to
you in your access profile. You cannot access the Global ADOM or enter other
ADOMs.
By default, administrator accounts other than the admin account are assigned to
the root ADOM, which includes all devices in the device list. By creating ADOMs
that contain a subset of devices in the device list, and assigning them to
administrator accounts, you can restrict other administrator accounts to a subset of
the FortiAnalyzer unit's total devices or VDOMs.
The maximum number of ADOMs varies by FortiAnalyzer model. For details, see
Appendix B on page 303.
This chapter includes the following:
Configuring ADOMs
Accessing ADOMs as the admin administrator
Assigning administrators to an ADOM
Configuring ADOMs
ADOMs are disabled by default.
To use ADOMs
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Enable the feature by going to System > Admin > Settings. See Enable ADOMs
on page 49.
3 Create ADOMs by going to System > ADOM > ADOM. See Add or edit an ADOM
on page 51.
4 Assign other FortiAnalyzer administrators to an ADOM by going to System >
Admin > Administrator. See To assign an administrator to an ADOM on page 54.
Enable ADOMs
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Go to System > Admin > Settings.
3 Enable (select) Admin Domain Configuration.
Note: ADOMs are not supported on FortiAnalyzer-100B/100C models.
Caution: Enabling ADOMs moves non-global configuration items to the root ADOM. Back up
the configuration before beginning the following procedure. For more information
about backing up your configuration, see Backing up the configuration & installing
firmware on page 137.
Figure 11: Enabling ADOM Configuration
4 Click Apply.
The following dialog box appears:
5 Click OK.
The FortiAnalyzer unit logs you out.
6 To confirm that ADOMs are enabled, log in again as admin.
System > ADOM should now be available. At the end of the menu list, the Current
ADOM menu also appears, enabling you to enter into an ADOM or return to the
Global ADOM. Continue with Add or edit an ADOM on page 51 to create ADOMs.
Note: If other administrators are also logged in at the same time, they will not be automatically
logged out. Notify them that ADOMs have been enabled, and that they may need to log
out and log in again for display changes to take effect.
Add or edit an ADOM
Before you can add an ADOM, you must first enable the feature. For details, see
Enable ADOMs on page 49.
1 From Current ADOM in the left-hand navigation menu, select Global.
2 Go to System > ADOM > ADOM.
3 Click Create New, or, to modify an existing ADOM, mark its check box, then click
Edit.
4 In the Name field, type a name for the ADOM.
This field cannot be modified if you are editing an existing entry. To modify the
name, delete the entry, then recreate it using the new name.
5 From Available Devices, select which devices to associate with the ADOM, then
click the right arrow to move them to Selected Devices.
You can move multiple devices at once. To select multiple devices, click the first
device, then hold the Shift key while clicking the last device in a continuous range,
or hold the Ctrl key while clicking each additional device.
To remove a device from Selected Devices, select one or more devices, then click
the left arrow to move them to Available Devices.
6 If the ADOM includes a FortiGate unit, and you want to include only a specific
VDOM, enable Restrict to Virtual Domain(s), then enter the VDOM name. If the
ADOM includes a FortiMail unit and you want to include only a specific email
domain, enable and configure Restrict to Email Domain(s).
7 Click OK.
Continue with Assigning administrators to an ADOM on page 54.
Disable ADOMs
1 From Current ADOM in the left-hand navigation menu, select Global.
Figure 12: Switching to the Global ADOM
2 Go to System > ADOM > ADOM.
3 Mark the check boxes next to each ADOM except root (Management Administrative
Domain), then click Delete.
Caution: Back up the configuration before beginning this procedure. Deleting ADOMs, which
can occur when disabling the ADOM feature, removes administrator accounts
assigned to ADOMs other than the root ADOM. For more information, see Backing
up the configuration & installing firmware on page 137.
If you do not wish to delete these administrator accounts, assign them to the root
ADOM before disabling ADOMs.
If any other ADOMs except the root ADOM remain, the option to disable ADOMs
will not appear.
4 Go to System > Admin > Settings.
5 Disable (deselect) Admin Domain Configuration.
6 Click Apply.
The following dialog box appears:
7 Click OK.
The FortiAnalyzer unit logs you out.
Accessing ADOMs as the admin administrator
When ADOMs are enabled, additional ADOM items become available to the admin
administrator and the structure of the Web-based Manager menu changes. After
logging in, other administrators implicitly access the subset of the Web-based
Manager that pertains only to their ADOM, while the admin administrator accesses the
root of the Web-based Manager and can use all menus. The admin administrator must
explicitly enter the part of the Web-based Manager that contains an ADOM's settings
and data to configure items specific to an ADOM.
Note: You cannot delete an ADOM if an administrator is currently assigned to it. You must first
reassign the administrator to the root ADOM (see Assigning administrators to an ADOM
on page 54).
To access an ADOM
1 Log in as admin.
Other administrators can access only the ADOM assigned to their account.
2 From Current ADOM in the left-hand navigation menu, select the name of the ADOM
that you want to enter.
The ADOM-specific menu subset appears. While in this menu subset, any changes
you make affect this ADOM only, and do not affect devices in other ADOMs or
global FortiAnalyzer unit settings.
You can return to global settings by selecting Global from Current ADOM.
Assigning administrators to an ADOM
The admin administrator can create other administrators and assign an ADOM to their
account, constraining them to configurations and data that apply only to devices in
their ADOM.
To assign an administrator to an ADOM
1 Log in as admin.
Other administrators cannot configure administrator accounts when ADOMs are
enabled.
2 From Current ADOM in the left-hand navigation menu, select Global (see Figure 12
on page 52).
3 Go to System > Admin > Administrator.
Note: By default, when ADOMs are enabled, existing administrator accounts other than admin
are assigned to the root ADOM, which contains all devices in the device list. For more
information about creating other ADOMs, see Configuring ADOMs on page 49.
Note: The admin administrator account cannot be restricted to an ADOM.
4 Configure the administrator account as described in Configuring administrator
accounts on page 101. In Admin Domain, select which ADOM the administrator
will be allowed to access.
7. System
The System menu displays a dashboard with widgets that indicate statuses and
perform basic functions, such as rebooting the FortiAnalyzer unit.
This menu also contains submenus that enable you to make configuration backups,
and configure administrator accounts, system time, network and FortiGuard
connectivity, and other system-wide features such as RAID and log forwarding.
This topic includes:
Viewing the dashboard
Configuring network settings
Configuring network shares
Configuring administrator-related settings
Configuring the Web-based Manager's global settings
Monitoring administrators
Configuring log storage & query features
Backing up the configuration & installing firmware
Scheduling & uploading vulnerability management updates
Migrating data from one FortiAnalyzer unit to another
Importing a local server certificate
Viewing the dashboard
When you log in to the FortiAnalyzer Web-based Manager, it automatically opens at the
System > Dashboard > Status page; see Figure 13.
The Dashboard page displays widgets that provide performance and status
information, and enable you to configure basic system settings. The dashboard also
contains a CLI widget that enables you to use the command line through the
Web-based Manager. These widgets appear on a single dashboard.
Figure 13: FortiAnalyzer system dashboard
Customizing the Dashboard
The dashboard is customizable. You can select which widgets to display, where they
are located on the page, and whether they are minimized or maximized. You can also
create additional dashboards.
To add a dashboard
To add a dashboard, click Dashboard, then select Add Dashboard and type its name.
The dashboard is added to the left-hand navigation menu. (For example, for a
dashboard named Summary Reports, System > Dashboard > Summary Reports
would be added to the menu.) The new dashboard is empty until you add the widgets
that you want to show on that new dashboard.
To move a widget
To move a widget, position your mouse cursor on the widget's title bar, then click and
drag the widget to its new location.
To show or hide a widget
To show a widget, in the upper left-hand corner, click Widget, then click the names of the
widgets that you want to show. To hide a widget, in its title bar, click Close.
Figure 14: Adding a widget
To see the available options for a widget, position your mouse cursor over the icons in
the widget's title bar. Options vary slightly from widget to widget, but always include
options to close or show/hide the widget.
Figure 15: Widget title bar
Table 6: Widget values
Web-based Manager item: Description
Widget title: The name of the widget.
Show/Hide arrow: Click to show or hide the widget.
More alerts: Show the Alert Messages dialog box. This option appears only on the Alert Message Console widget.
Reset: Reset the collected statistics. See Statistics widget on page 68. This option appears only on the Statistics widget.
Detach: Detach the CLI Console widget from the dashboard and open it in a separate window. See CLI Console widget on page 76. This option appears only on the CLI Console widget.
Console Preferences: Show the Console Preferences window, which allows you to customize the look of the CLI Console widget. See CLI Console widget on page 76. This option appears only on the CLI Console widget.
RAID settings: Show the RAID Settings dialog box, which displays the current RAID settings and allows for configuration of the RAID level if available. See Disk Monitor widget on page 71. This option appears only on the RAID Monitor widget.
Edit: Click to change settings for the widget.
Refresh: Click to update the displayed information.
Close: Click to hide the widget on the dashboard. You will be prompted to confirm the action. To show the widget again, click Widget near the top of the dashboard.
Note: When the SQL database is enabled, Top Traffic, Top Web Traffic, Top Email Traffic, Top
FTP Traffic, Top IM/P2P Traffic, Virus Activity, and Intrusion Activity will not appear in the
widget list. For information on enabling the SQL database, see Configuring SQL
database storage on page 111.
The available dashboard widgets are:
System Information widget
License Information widget
Unit Operation widget
System Resources widget
Logs/Data Received widget
Statistics widget
Report Engine widget
Disk Monitor widget
Log Receive Monitor widget
Alert Message Console widget
CLI Console widget
Top Traffic widget
Top Web Traffic widget
Top Email Traffic widget
Top FTP Traffic widget
Top IM/P2P Traffic widget
Virus Activity widget
Intrusion Activity widget
System Information widget
The System Information widget (System > Dashboard > Status) displays the serial
number and basic system statuses, such as the firmware version, system time, host
name, and up time.
In addition to displaying basic system information, the System Information widget
enables you to configure the system time, host name, operation mode, and to update
the firmware.
Figure 16: System Information widget
Serial Number: The serial number of the FortiAnalyzer unit. The serial number is specific to the FortiAnalyzer unit's hardware and does not change with firmware upgrades. Use this number when registering the hardware with Customer Service & Support.
Uptime: The time in days, hours, and minutes since the FortiAnalyzer unit was started.
System Time: The current date and time according to the FortiAnalyzer unit's internal clock. Click Change to change the time or configure the FortiAnalyzer unit to get the time from an NTP server. See Configuring the time & date on page 60.
Host Name: The host name of the FortiAnalyzer unit. Click Change to change the host name. See Configuring the FortiAnalyzer unit's host name on page 61.
Firmware Version: The version of the firmware currently installed on the FortiAnalyzer unit. Click Update to install firmware. See Maintaining Firmware on page 271.
Operation Mode: The current operation mode of the FortiAnalyzer unit. Click Change to switch to another operation mode. See Selecting the operation mode on page 62. This option is not available on FortiAnalyzer-100B, -100C models.
Configuring the time & date
You can either manually set the FortiAnalyzer system time, or configure the
FortiAnalyzer unit to automatically keep its system time correct by synchronizing with a
Network Time Protocol (NTP) server.
Note: For many features to work, including scheduling, logging, and SSL-dependent features,
the FortiAnalyzer system time must be accurate.
To configure the date and time
1 Go to System > Dashboard > Status. In the System Information widget, in the
System Time row, click Change.
2 From Time Zone, select the time zone in which the FortiAnalyzer unit is located.
3 Configure the following to either manually configure the system time, or
automatically synchronize the FortiAnalyzer unit's clock with an NTP server:
System Time: The date and time according to the FortiAnalyzer unit's clock at the time that this tab was loaded, or when you last clicked the Refresh button.
Refresh: Click to update the System Time field with the current time according to the FortiAnalyzer unit's clock.
Time Zone: Select the time zone in which the FortiAnalyzer unit is located.
Set Time: Select this option to manually set the date and time of the FortiAnalyzer unit's clock, then select the Hour, Minute, Second, Year, Month and Day fields before you click OK.
Synchronize with NTP Server: Select this option to automatically synchronize the date and time of the FortiAnalyzer unit's clock with an NTP server, then configure the Server and Sync Interval fields before you click OK.
Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org.
Sync Interval: Enter how often in minutes the FortiAnalyzer unit should synchronize its time with the NTP server. For example, entering 1440 causes the FortiAnalyzer unit to synchronize its time once a day.
4 Click OK.
Configuring the FortiAnalyzer unit's host name
The host name of the FortiAnalyzer unit is used in several places.
It appears in the System Information widget on the Status tab. For more information
about the System Information widget, see System Information widget on page 59.
It is used in the command prompt of the CLI.
It is used as the SNMP system name. For information about SNMP, see
Configuring the SNMP agent on page 118.
The System Information widget and the get system status CLI command will
display the full host name. However, if the host name is longer than 16 characters, the
CLI and other places display the host name in a truncated form ending with a tilde (~)
to indicate that additional characters exist, but are not displayed.
For example, if the host name is FortiAnalyzer1234567890, the CLI prompt would be
FortiAnalyzer123456~#.
To change the host name
1 Go to System > Dashboard > Status.
2 In the System Information widget, in the Host Name row, click Change.
3 In the Host Name field, type a new host name.
The host name may be up to 35 characters in length. It may include US-ASCII
letters, numbers, hyphens, and underscores. Spaces and special characters are not
allowed.
4 Click OK.
Selecting the operation mode
The FortiAnalyzer unit has three operation modes:
Standalone - The default mode that supports all FortiAnalyzer features.
Analyzer - The mode used for aggregating logs from one or more log collectors.
Collector - The mode used for saving and uploading logs. For example, instead of
writing logs into the database, the collector can retain the logs in original (binary)
format for uploading.
The analyzer and collector modes are used together to increase the analyzer's
performance. The collector provides a buffer to the analyzer by off-loading the log
receiving task from the analyzer. Since log collection from the connected devices is the
dedicated task of the collector, its log receiving rate and speed are maximized.
Which mode of operation you choose will vary by its appropriateness to your network
topology and other requirements.
For more information, see The operation mode on page 28.
Note: The FortiAnalyzer 100 series and 400 series models do not have the analyzer mode.
Table 7: Unavailable features in each operation mode
Mode         Unavailable feature in Web-based Manager
Standalone   N/A
Analyzer     System > Config > Log aggregation
Collector    System > Config
             Report
             Tools > Network Analyzer
To select the operation mode
1 Go to System > Dashboard > Status.
2 In the System Information widget, in the Operation Mode row, click Change.
Standalone: The default operation mode.
Analyzer: If you choose this mode, enter the password for the analyzer server and confirm it.
Select Accept Real-time Log Forwarding from Collectors to allow collectors to forward logs in real time to the analyzer. Normally, logs are collected and uploaded on schedule, but users may want some critical logs to be sent immediately.
After the logs are uploaded on schedule, those that were forwarded in real time become duplicates. You can select Automatically Delete (Reconcile) Real-time Logs During Collector Upload to automatically delete the duplicate logs.
Collector: If you choose this mode, configure the following:
Remote IP - Enter the IP address of the FortiAnalyzer unit to which this log collector uploads logs.
Password - Enter the password of the FortiAnalyzer unit to which this log collector uploads logs.
Upload Daily at - Select the time to upload logs on a daily basis.
Enable Real-time Forwarding of Priority Logs - Select to upload priority logs in real time, then set the priority level in Minimum Severity.
3 Click OK.
License Information widget
The License Information widget displays information on features that vary by a
purchased license or contract, such as FortiGuard subscription services.
It also displays how many devices are connected or attempting to connect to the
FortiAnalyzer unit.
Figure 17: License Information widget
Unit Operation
widget
The Unit Operation widget indicates the connectivity status for each physical network
port. It also enables administrators to perform basic system operations such as
rebooting the FortiAnalyzer unit.
Color indicates whether or not a port has detected a physical connection. If a ports
color is gray, there is no connectivity, but if a ports color is green, it is connected.
Additional system-wide operations, such as formatting the log disk or resetting the
configuration to the firmware's default values, are available from the CLI. For details,
see the FortiAnalyzer CLI Reference.
Figure 18: Unit Operation widget
Vulnerability Management
Indicates whether or not this FortiAnalyzer unit is licensed for FortiGuard
Vulnerability Management Service. If it is not, you can click Subscribe to
register for the service.
VCM Plugins The version of the vulnerability compliance management plug-in, and the
date of its last update. Click Update to upload a new version of the
plug-in. For more information on vulnerability management, see
Scheduling & uploading vulnerability management updates on
page 138.
Device Registration Summary
A total of the number of each device type connecting or attempting to
connect to the FortiAnalyzer unit. For more information about the
maximum numbers of devices of each type and/or VDOMs that are
permitted to connect to the FortiAnalyzer unit, see Maximum number of
devices on page 150 and Appendix B on page 303.
The Registered column is the number of devices that you have added to
the FortiAnalyzer unit's device list, either manually or automatically.
The Unregistered column is the number of devices attempting to connect
to the FortiAnalyzer unit that are not yet registered. To configure the
FortiAnalyzer unit to accept data from a device, see Manually
configuring a device or HA cluster on page 152.
For more information about registered and unregistered devices, see
Unregistered vs. registered devices on page 149.
Note: These operations are available only to users with the read and write access profile.
Reboot Click to halt and restart the operating system of the FortiAnalyzer unit.
ShutDown Click to halt the operating system of the FortiAnalyzer unit, preparing its hardware
to be powered off.
System Resources widget
The System Resources widget displays the CPU and memory usage levels over time.
Figure 19: System Resources widget
Memory Usage The current memory (RAM) usage displayed as a dial gauge or graph.
The web-based manager displays memory usage for core processes only.
Memory usage for management processes (for example, for HTTPS
connections to the web-based manager) is excluded.
Session The number of sessions over the specified historical time period. Sessions
are the current communications sessions on the FortiAnalyzer unit which
includes devices that connect to send logs or quarantine files.
This item does not appear when viewing current (Real Time) system
resources.
To configure settings for the widget, in its title bar, click Edit to open the Edit System
Resources Settings window.
Network Utilization The network utilization over the specified historical time period.
This item does not appear when viewing current (Real Time) system
resources.
CPU Usage The current CPU usage displayed as a dial gauge or graph.
The web-based manager displays CPU usage for core processes only.
CPU usage for management processes (for example, for HTTPS
connections to the web-based manager) is excluded.
The FortiAnalyzer CPU utilization can appear to be continually high due to
the amount of work the FortiAnalyzer is tasked to perform.
There are two key CPU-intensive operations on a FortiAnalyzer unit:
indexing log messages
report generation and other enhanced features
Log indexing
A FortiAnalyzer unit deployed in a network can receive hundreds of log
messages per second throughout the day. The FortiAnalyzer unit indexes
nearly all fields in a log message to include in the database. This process
can be very CPU intensive, as the indexing component is continually
running to keep up with the incoming log messages.
Report generation and other enhanced features
The FortiAnalyzer unit has many reporting functions. Various report
generations can be running at any time during the day including:
security event reports
traffic summary reports
regular reports whose complexity can vary depending on the
requirements
quota checking with log rolling
network sniffing
vulnerability scan.
All these tasks can be CPU intensive, especially when several occur at the
same time. This can cause the CPU to stay at 90% or more much of the
time. It is important to note that the indexing operation is set to the lowest
priority, so that it does not affect critical processes such as receiving log
messages. Because these operations take all the available CPU cycles, it is
normal to expect high CPU utilization at times.
On smaller devices, such as the FortiAnalyzer-100C, where the CPU and
disk speed are not as fast as the higher-end models, the CPU usage can
appear more pronounced.
To view only the most current information about system resources, from View Type,
select Real Time.
To view historical information about system resources, from View Type, select
History.
To change the time range, from Time Period, select one of the following: Last 10
Minutes, Last Hour, or Last Day.
To automatically refresh the widget at intervals, in Refresh Interval, type a number
between 10 and 240 seconds. To disable the refresh interval feature, type 0.
Logs/Data Received widget
The Logs/Data Received widget displays the rate over time of the logs and data, such
as DLP archives and quarantined files, received by the FortiAnalyzer unit.
This widget display varies on different models.
Figure 20: Logs/Data Received widget
To configure settings for the widget, in its title bar, click Edit to open the Edit Logs/Data
Received Settings window.
To view only the most current information about system resources, from View Type,
select Real Time.
To view historical information about system resources, from View Type, select
History.
To change the time range, from Time Period, select one of the following: Last 10
Minutes, Last Hour, or Last Day.
To automatically refresh the widget at intervals, in Refresh Interval, type a number
between 10 and 240 seconds. To disable the refresh interval feature, type 0.
Logs Received Number of logs received per second.
Data Received Volume of data received.
For information on how much disk space is currently consumed, see Disk Monitor
widget on page 71.
Statistics widget The Statistics widget displays the numbers of sessions, volume of log files, and
number of reports handled by the FortiAnalyzer unit.
Figure 21: Statistics widget
To view session details
1 Go to System > Dashboard > Status.
2 In the Statistics widget, next to Sessions, click Details.
(Since yyyy-mm-dd hh:mm:ss) The date and time when the statistics were last reset.
To reset the date and time, hover your mouse cursor over the widget's title
bar area, then click Reset.
Sessions The number of communication sessions occurring on the FortiAnalyzer
unit, including those with devices that connect to send logs or quarantine
files. Click Details for more information on the connections. For more
information, see To view session details on page 68.
Logs & Reports
Logs The number of new log files received from a number of devices since the
statistics were last reset. For more information, see To view log details on
page 69.
Log Volume The average log file volume received per day over the past seven days.
Click Details to view the log file volume received per day. For information on
total disk space consumption, see Disk Monitor widget on page 71.
Reports The number of reports generated for a number of devices. Click Details for
more information on the reports.
When viewing sessions, you can search or filter to find specific content. For more
information about filtering information, see Filtering logs on page 169.
To view log details
1 Go to System > Dashboard > Status.
2 In the Statistics widget, next to Logs, click Details.
Refresh Click to refresh the page with current, updated session information.
Search Enter a word or words to find specific information. Press Enter to initiate the
search process.
Protocol The protocol used during that session.
Source The session's source IP address.
Source Port The session's source port number.
Destination The session's destination IP address.
Destination Port The session's destination port number.
Expires(secs) The number of seconds before the session expires.
Display Mark the check box of a log file whose messages you want to view, then click
this button. Only one log file can be selected each time. For more information
about viewing log details, see Viewing log messages on page 163.
Download Mark the check box of a log file that you want to download, click this button,
then select one of the following.
Log file format: Downloads the log file in text (.txt), comma-separated
value (.csv), or standard .log (native) file format.
Compress with gzip: Compress the downloaded log file with GZIP
compression. Downloading a log-formatted file with GZIP compression
results in a download with the file extension .log.gz.
Import Click to import a device's log files. This can be useful when restoring data or
loading log data for temporary use.
From the Device field, select the device to which the imported log file belongs,
or select Take From Imported File to read the device ID from the log file.
If you select Take From Imported File, your log file must contain a device_id
field in its log messages.
In Filename, click Browse to find the log file.
For more information, see Importing a log file on page 180.
Device Type Select the type of devices whose log files you want to view.
Show Log File Names Enable to show the log file names under each log type.
Log Files A list of available log files for each device or device group. Click the group
name to expand the list of devices within the group, and to view their log files.
The current, or active, log file appears as well as rolled log files. Rolled log
files include a number in the file name, such as vlog.1267852112.log.
If you configure the FortiAnalyzer unit to delete the original log files after
uploading rolled logs to an FTP server, only the current log will exist.
# Number of log files for each type.
From The date and time when the FortiAnalyzer unit starts to generate the log file.
To The date and time when the FortiAnalyzer unit completes generating the log
file when the file reaches its maximum size or the scheduled time. For more
information, see Configuring rolling and uploading of devices' logs on
page 182.
Size (bytes) The size of the log file.
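A pre-import check for the device_id requirement described in the Import row above, as an added Python example that is not from the Fortinet guide. It parses the space-separated key=value log format (quoted values where needed, as in the msg= field), reports any messages that lack a device_id field, and lists the device IDs found; the sample log lines and their device ID are constructed for this example.

```python
"""Pre-import check for log files loaded with 'Take From Imported File'.

Added example, not from the Fortinet guide. When the device ID is to be
read from the imported file, every log message must carry a device_id
field; this checker finds the messages that do not, before the file is
uploaded. Log messages are assumed to use the space-separated key=value
format, with double-quoted values where a value contains spaces.
"""
import re

# Matches one key=value pair; the value is either a double-quoted string
# (backslash escapes allowed) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Return the key=value fields of one log message as a dict."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # strip the surrounding quotes
        fields[key] = value
    return fields


def check_import_file(lines):
    """Scan log lines and report whether they can be attributed by device_id.

    Returns a dict with the number of messages, the sorted list of distinct
    device IDs seen, the 1-based line numbers that lack device_id, and an
    'ok' flag that is True only when no message is missing the field.
    """
    device_ids = set()
    missing = []
    count = 0
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue  # blank lines are not log messages
        count += 1
        fields = parse_log_line(line)
        if "device_id" in fields:
            device_ids.add(fields["device_id"])
        else:
            missing.append(lineno)
    return {
        "messages": count,
        "device_ids": sorted(device_ids),
        "missing_device_id": missing,
        "ok": not missing,
    }


# Constructed sample (not real device data): two traffic messages that carry
# a device_id and one event message that does not, which would prevent the
# file from being attributed when Take From Imported File is selected.
SAMPLE_LOG = """\
date=2012-02-29 time=10:15:01 devname=FGT-Branch device_id=FG100A0000000001 log_id=0021000002 type=traffic subtype=allowed pri=notice src=10.1.1.5 dst=203.0.113.10 msg="traffic allowed"
date=2012-02-29 time=10:15:02 devname=FGT-Branch device_id=FG100A0000000001 log_id=0022000003 type=traffic subtype=violation pri=warning src=10.1.1.9 dst=198.51.100.20 msg="traffic denied"
date=2012-02-29 time=10:15:03 devname=FGT-Branch log_id=0100020001 type=event subtype=admin pri=information user=admin msg="Configuration change"
"""

if __name__ == "__main__":
    result = check_import_file(SAMPLE_LOG.splitlines())
    print(result)
```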
Report Engine widget
You can only add a Report Engine widget when you select the proprietary indexed file
storage system. For information on switching file storage systems, see Configuring
SQL database storage on page 111.
This widget indicates report generation activity. Report engine activities include
whether the report engine is active or inactive, what reports are running when active,
and the percentage completed.
When a report is being generated as scheduled, the report engine status changes from
inactive to active.
To generate a report, click the Generate report icon in the title bar, and then configure a
new report schedule. For more information, see Configuring report schedules on
page 220.
Figure 22: Report Engine widget
Disk Monitor widget
The Disk Monitor widget displays information about the status of RAID disks as well as
what RAID level has been selected. It also displays how much disk space is currently
consumed.
To configure settings for the widget, in its title bar, click RAID Settings. For more
information, see Configuring RAID on page 129.
Figure 23: Disk Monitor widget
Note: The RAID Settings icon does not appear on FortiAnalyzer 100B, and 100C units, because
RAID is not supported on these models. Only disk space usage information is displayed
on these models.
FortiAnalyzer units allocate most of their total disk space for the FortiAnalyzer unit's
own logs, as well as logs and quarantined files from connecting devices. A disk space
quota is assigned to each device and to the FortiAnalyzer unit itself. If the quota is
consumed, the FortiAnalyzer unit will either overwrite the oldest files saved or stop
collecting new logs, depending on your settings. For device disk space quota
settings, see Manually configuring a device or HA cluster on page 152. For the
FortiAnalyzer unit's local log disk space quota settings, see the FortiAnalyzer CLI
Reference.
Remaining disk space is reserved for devices, FortiAnalyzer reports, and any
temporary files, such as configuration backups and log files that are currently queued
for upload to a server. The size of the reserved space varies by the total RAID/hard disk
capacity. For more information, see Disk space usage on page 72.
For more information about RAID, see Configuring RAID on page 129. For more
information on the volume of logs being received, see Logs/Data Received widget on
page 67.
RAID Status Icons and text indicate one of the following RAID disk statuses:
(OK): Indicates that the RAID disk has no problems.
(Warning): Indicates that there is a problem with the RAID
disk, such as a failure, and that the disk needs replacing. The RAID array is also
in reduced reliability mode when this status is indicated in the
widget.
(Rebuilding): Indicates that a drive has been replaced and
the RAID array is being rebuilt; the array is also in reduced reliability mode.
(Failure): Indicates that one or more drives have failed, the
RAID array is corrupted, and the drive must be reinitialized. This is
displayed by both a failure symbol and text. The text appears when
you hover your mouse over the warning symbol; the text also
indicates the amount of space in GB.
Rebuild Status A percentage bar indicating the progress of the rebuilding of a RAID
array. The bar appears only when a RAID array is being rebuilt.
Estimated rebuild time [start and end time]
The time remaining to rebuild the RAID array, and the date and time the
rebuild is expected to end. This time period appears only when an
array is being rebuilt.
This time period will not display in hardware RAID, such as
FortiAnalyzer-2000/2000A/2000B, and FortiAnalyzer-4000A/4000B.
Rebuild Warning Text reminding you the system has no redundancy protection until the
rebuilding process is complete. This text appears only when an array is
being rebuilt.
Disk space usage The amount of disk used, displayed as a percentage and a percentage
bar.
The FortiAnalyzer unit reserves some disk space for compression files,
upload files, and temporary reports files.
The total reserved space is:
25% of total disk space if total < 500G, with a maximum of 100G
20% of total disk space if 500G < total < 1000G, with a maximum of 150G
15% of total disk space if 1000G < total < 3000G, with a maximum of 300G
10% of total disk space if total > 3000G
This reserved space is deducted from the total capacity.
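The reservation schedule above, worked through as an added Python example that is not from the Fortinet guide. The tier percentages and caps are the ones stated above; the quota-check function, the sample disk sizes and the treatment of the exact boundary values (which, because of the caps, give the same result in either adjacent tier) are my own additions.

```python
"""Reserved disk space on a FortiAnalyzer unit.

Added example, not from the Fortinet guide. It implements the schedule the
Disk Monitor widget text states: part of the total disk space is reserved
for compression files, upload files and temporary report files, and only
the remainder is available for the unit's own logs and device quotas.
All sizes are in GB.
"""

# Reservation tiers from the guide: (upper bound of the tier in GB, percent
# of total space reserved, cap in GB). The last tier has no upper bound and
# the guide states no cap for it.
RESERVE_TIERS = (
    (500, 25, 100),
    (1000, 20, 150),
    (3000, 15, 300),
    (None, 10, None),
)


def reserved_space_gb(total_gb):
    """Return the space the unit sets aside, per the tier table.

    The guide uses strict inequalities, so it does not say which tier an
    exact 500G, 1000G or 3000G disk falls into. It makes no difference:
    at each boundary the cap of the lower tier equals the percentage of
    the next one (e.g. min(25% of 500, 100) == 20% of 500 == 100), so
    this function simply assigns boundary values to the lower tier.
    """
    if total_gb <= 0:
        raise ValueError("total disk space must be positive")
    for upper, percent, cap in RESERVE_TIERS:
        if upper is None or total_gb <= upper:
            reserved = total_gb * percent / 100
            return reserved if cap is None else min(reserved, cap)
    raise AssertionError("unreachable: the last tier has no upper bound")


def usable_space_gb(total_gb):
    """Capacity left after the reservation is deducted from the total."""
    return total_gb - reserved_space_gb(total_gb)


def quota_shortfall_gb(total_gb, device_quotas_gb):
    """How far the configured quotas exceed usable space (0 if they fit).

    Over-allocating quotas means the unit will either overwrite the oldest
    logs or stop collecting, as the guide describes, so this is the figure
    to check before adding another device's quota.
    """
    return max(0, sum(device_quotas_gb) - usable_space_gb(total_gb))


if __name__ == "__main__":
    # Sample sizes chosen to exercise every tier, both caps and boundaries.
    for size in (200, 500, 800, 1000, 2000, 3000, 4000):
        print(f"{size:>5} GB total -> {reserved_space_gb(size):>5.0f} GB reserved, "
              f"{usable_space_gb(size):>5.0f} GB usable")
```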
Swapping hard disks
If a hard disk on a FortiAnalyzer unit fails, it must be replaced.
Figure 24: Status of a failed hard disk on a FAZ-800 unit as shown in the Disk Monitor widget
To replace a hard disk
1 Go to System > Dashboard > Status.
2 In the Unit Operation widget, click Shutdown.
3 Click OK.
4 Remove the faulty hard disk and replace it with a new one.
5 Restart the FortiAnalyzer unit.
The FortiAnalyzer unit will automatically add the new disk to the current RAID array.
The status appears on the console. After the FortiAnalyzer unit boots, the widget
will display a green check mark icon for all disks and the RAID Status area will
display the progress of the RAID resynchronization/rebuild.
Adding new disks for FortiAnalyzer 2000B/4000B
The FortiAnalyzer 2000B unit is shipped with 2 hard disks. You can add up to 4 more
disks to increase the storage capacity. The FortiAnalyzer 4000B unit is shipped with 6
hard disks. You can add up to 18 more disks to increase the storage capacity.
Caution: Electrostatic discharge (ESD) can damage FortiAnalyzer equipment. Only perform the
procedures described in this document from an ESD workstation. If no such station is
available, you can provide some ESD protection by wearing an anti-static wrist or
ankle strap and attaching it to an ESD connector or to a metal part of a FortiAnalyzer
chassis.
When replacing a hard disk, you need to first verify that the new disk has the same size
as those supplied by Fortinet and has at least the same capacity as the old one in the
FortiAnalyzer unit. Installing a smaller hard disk will affect the RAID setup and may
cause data loss. Due to possible differences in sector layout between disks, the only
way to guarantee that two disks have the same size is to use the same brand and
model.
The size provided by the hard drive manufacturer for a given disk model is only an
approximation. The exact size is determined by the number of sectors present on the
disk.
Note: Once a RAID array is built, adding another disk with the same capacity will not affect the
array size until you rebuild the array by restarting the FortiAnalyzer unit.
To add more hard disks
1 Obtain the same disks as those supplied by Fortinet.
2 Back up the log data on the FortiAnalyzer 2000B/4000B unit. You can also migrate
the data to another FortiAnalyzer unit if you have one. Data migration reduces
system down time and risk of data loss.
For information on data backup, see Backing up the configuration & installing
firmware on page 137. For information on data migration, see Migrating data from
one FortiAnalyzer unit to another on page 141.
3 Install the disks in the FortiAnalyzer unit. You can do so while the FortiAnalyzer unit
is running.
4 Configure the RAID level. See Configuring RAID on page 129.
5 If you have backed up the log data, restore the data. For more information, see
Backing up the configuration & installing firmware on page 137.
Log Receive Monitor widget
The Log Receive Monitor widget displays the rate at which logs are received over time.
Figure 25: Log Receive Monitor widget
To configure settings for the widget, in its title bar, click Edit.
Figure 26: Editing Log Receive Monitor Settings
Note: Fortinet recommends that you use the same disks as those supplied by Fortinet. Disks of
other brands will not be supported by Fortinet. For information on purchasing extra hard
disks, contact your Fortinet reseller.
Alert Message Console widget
The Alert Message Console widget displays log-based alert messages for both the
FortiAnalyzer unit itself and connected devices.
Alert messages help you track system events on your FortiAnalyzer unit, such as
firmware changes, and network events, such as detected attacks. Each message
shows the date and time that the event occurred.
Figure 27: Alert Message Console widget
The widget displays only the most current alerts. For a complete list of
unacknowledged alert messages, in the widget's title bar, click More alerts. To sort the
columns in either ascending or descending order, click the column headings.
Widget Name The current widget name.
Type Select either:
Log Type: Display the types of logs received from all registered
devices, separated into categories, such as top 5 traffic logs or
antivirus logs.
Device: Display the logs received from each registered device,
separated into the top number of devices.
No. Entries Select the number of either log types or devices in the widget's graph,
depending on your selection in the Type field.
Time Period Select one of the following time ranges over which to monitor the rate at
which log messages are received:
Hour
Day
Week
Refresh Interval To automatically refresh the widget at intervals, in Refresh Interval, type a
number between 10 and 240 seconds. To disable the refresh interval
feature, type 0.
Tip: Alert messages can also be delivered by email, syslog or SNMP. For more information, see
Configuring alerts on page 114.
Figure 28: List of all alert messages
CLI Console widget
The CLI Console widget enables you to enter command lines through the Web-based
Manager, without making a separate Telnet, SSH, or local console connection to
access the CLI.
To use the console, first click within the console area. Doing so will automatically log
you in using the same administrator account you used to access the Web-based
Manager. You can then enter commands by typing them. Alternatively, you can copy
and paste commands from or into the CLI Console.
For information on available commands, see the FortiAnalyzer CLI Reference.
Acknowledge Mark the check boxes of alert messages that you want to remove from
the list of alerts, then click Acknowledge.
Include...and higher Select a severity threshold. Log messages equal to or greater than that
severity will appear in the list of alerts.
Remove unacknowledged alerts older than [n days] Select a number of days to remove the alert messages older than that
number.
formatted | raw Select either:
formatted: Display the alert messages in columnar format.
raw: Display the information without formatting, as it actually
appears in the log messages.
Device The device where the log message originated.
Event The Message (msg=) field of the log message, which usually contains
a description of the event.
Level The severity level of the log message.
Time The date and time when the log message was generated. To sort in
ascending or descending order, click the arrow in the column heading.
Counter The number of occurrences of the event.
Note: The CLI Console widget requires that your web browser support JavaScript.
Note: The prompt, by default the model number such as FortiAnalyzer-800B #, contains
the host name of the FortiAnalyzer unit. To change the host name, see Configuring the
FortiAnalyzer unit's host name on page 61.
Figure 29: CLI Console widget
To configure settings for the widget, in its title bar, click Console Preferences.
Figure 30: CLI Console widget settings
Preview A preview of your changes to the CLI Console widget's appearance.
Text Click the current color swatch to the left of this label, then click a color
from the color palette to the right to change the color of the text in the
CLI Console.
Background Click the current color swatch to the left of this label, then click a color
from the color palette to the right to change the color of the
background in the CLI Console.
Use external command input box Enable to display a command input field below the normal console
emulation area. When this option is enabled, you can enter commands
by typing them into either the console emulation area or the external
command input field.
Top Traffic widget You can only add a Top Traffic widget when you select the proprietary indexed file
storage system. For information on switching file storage systems, see Configuring
SQL database storage on page 111.
This widget displays a bar chart of the total volume of traffic handled by FortiGate
units, based on their traffic logs.
Figure 31: Top Traffic widget
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize
that item's results by which devices recorded those log messages. To further
subcategorize one of the devices' results by protocol, you could then click its + button
and select Service. The resulting widget display would reflect traffic volume for
each service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 32: Top Traffic widget settings
Console buffer length Enter the number of lines the console buffer keeps in memory. The
valid range is from 20 to 9999.
Font Select a font type from the list. There are only three font types to
choose from: Lucida Console, Courier New, and the default font.
Size Select a font from the list to change the display font of the CLI
Console.
Reset Defaults Select the size in points of the font. The default size is 10 points.
Top Web Traffic widget
You can only add a Top Web Traffic widget when you select the proprietary indexed file
storage system. For information on switching file storage systems, see Configuring
SQL database storage on page 111.
This widget displays a bar chart of the total volume of web traffic handled by FortiGate
units, based on either their traffic logs (if you select By Volume in the widget's settings)
or web filtering logs (if you select By Request in the widget's settings).
Figure 33: Top Web Traffic widget
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize
that item's results by which devices recorded those log messages. To further
subcategorize one of the devices' results by protocol, you could then click its + button,
then select Service. The resulting widget display would reflect web traffic volume
for each service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Widget Name Type a name for the widget. It will appear in the widget's title bar.
Device Select the name of either a device or device group for which you want to
display traffic volumes.
Display by Select which attribute to use in order to rank the top results:
Top Sources (to any): Rank results according to the total volume for each
source IP address.
Top Destinations (from any): Rank results according to the total volume
for each destination IP address.
Filter Port Select whether to include TCP or UDP protocols, then type the port number.
The valid range is from 1 to 65,535.
Time Scope Select one of the following time ranges:
Hour
Day
Week
Month
No. Entries Select the number of entries to display.
Figure 34: Top Web Traffic widget settings
Widget Name Type a name for the widget. It will appear in the widget's title bar.
Device Select the name of either a device or device group for which you
want to display traffic volumes.
Display by Select which attribute to use in order to rank the top results:
Top Sources (to any): Rank results according to the total
volume for each source IP address.
Top Destinations (from any): Rank results according to the
total volume for each destination IP address.
Filter Source IP Address or User Type the traffic's source IP address or user name.
Filter Destination IP Address Type the traffic's destination IP address.
By Volume Select to gather the information for this widget from the traffic
logs.
By Requests Select to gather the information for this widget from the Web
Filter logs.
Time Scope Select one of the following time ranges:
Hour
Day
Week
Month
No. Entries Select the number of entries to display.
Top Email Traffic widget
You can only add a Top Email Traffic widget when you select the proprietary indexed
file storage system. For information on switching file storage systems, see
Configuring SQL database storage on page 111.
This widget displays a bar chart of the total volume of email traffic handled by
FortiGate units, based on either their traffic logs (if you select By Volume in the widget's
settings) or content logs (if you select By Request in the widget's settings).
Figure 35: Top Email Traffic widget
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize
that item's results by which devices recorded those log messages. To further
subcategorize one of the devices' results by protocol, you could then click its + button,
then select Service. The resulting widget display would reflect email traffic
volume for each service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 36: Top Email Traffic widget settings
Widget Name Type a name for the widget. It will appear in the widget's title bar.
Device Select the name of either a device or device group for which you want to
display traffic volumes.
Top FTP Traffic widget
You can only add a Top FTP Traffic widget when you select the proprietary indexed file
storage system. For information on switching file storage systems, see Configuring
SQL database storage on page 111.
This widget displays a bar chart of the total volume of FTP traffic handled by FortiGate
units, based on their traffic logs.
Figure 37: Top FTP Traffic widget
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize
that item's results by which devices recorded those log messages. To further
subcategorize one of the devices' results by protocol, you could then click its + button,
then select Service. The resulting widget display would reflect FTP traffic volume
for each service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Display by Select which attribute to use in order to rank the top results:
Top Sources (to any): Rank results according to the total volume for each
source IP address.
Top Destinations (from any): Rank results according to the total volume
for each destination IP address.
Filter Protocol Select a protocol to filter by email protocol.
Filter Address Enter the email server IP address for filtering the information.
By Volume Select to gather the total amount of email traffic for this widget from the traffic
logs.
By Requests Select to gather the total amount of email traffic for this widget from the
content logs.
Time Scope Select one of the following time ranges:
Hour
Day
Week
Month
No. Entries Select the number of entries to display.
Figure 38: Top FTP Traffic widget settings
Widget Name Type a name for the widget. It will appear in the widget's title bar.
Device Select the name of either a device or device group for which you want to
display traffic volumes.
Display by Select which attribute to use in order to rank the top results:
Top Sources (to any): Rank results according to the total volume for each
source IP address.
Top Destinations (from any): Rank results according to the total volume
for each destination IP address.
Time Scope Select one of the following time ranges:
Hour
Day
Week
Month
No. Entries Select the number of entries to display.
Top IM/P2P
Traffic widget
You can only add a Top IM/P2P Traffic widget when you select the proprietary indexed
file storage system. For information on switching file storage systems, see
Configuring SQL database storage on page 111.
This widget displays a bar chart of, depending on your selection in the widget's
settings, either the total number of instant message (IM) or peer-to-peer (P2P) sessions
handled by FortiGate units, based on their DLP logs.
Figure 39: Top IM/P2P Traffic widget
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize
that item's results by which devices recorded those log messages. To further
subcategorize one of the device's results by protocol, you could then click its + button,
then select Service. The resulting widget display would show IM/P2P traffic
volume for each service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 40: Top IM/P2P Traffic widget settings
Widget Name Type a name for the widget. It will appear in the widget's title bar.
Type Select either instant messaging (IM) or peer-to-peer (P2P) traffic.
Device Select the name of either a device or device group for which you want to
display traffic volumes.
Display by Select which attribute to use in order to rank the top results:
Top Sources (to any): Rank results according to the total volume for each
source IP address.
Top Destinations (from any): Rank results according to the total volume
for each destination IP address.
Protocol Select a protocol for filtering the traffic. If you select All, all of the protocols will
be included.
Time Scope Select one of the following time ranges:
Hour
Day
Week
Month
No. Entries Select the number of entries to display.
Virus Activity
widget
You can only add a Virus Activity widget when you select the proprietary indexed file
storage system. For information on switching file storage systems, see Configuring
SQL database storage on page 111.
This widget displays a bar chart of the total number of virus detections in traffic
handled by FortiGate units, based on their antivirus logs.
Figure 41: Virus Activity widget
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize
that item's results by which devices recorded those log messages. To further
subcategorize one of the device's results by protocol, you could then click its + button,
then select Service. The resulting widget display would show detected viruses
for each service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 42: Virus Activity widget settings
Widget Name Type a name for the widget. It will appear in the widget's title bar.
Device Select the name of either a device or device group for which you want to
display virus detections.
Display by Select which attribute to use in order to rank the top results:
Time Period: Rank results according to the total number of incidents for
each 24-hour time period, from 00:00:00 to 23:59:59.
Top Viruses: Rank results according to the total number of incidents for
each virus.
Top Sources (to any): Rank results according to the total number of
incidents for each source IP address.
Top Destinations (from any): Rank results according to the total number of
incidents for each destination IP address.
Protocol break down for virus incidents: Rank results according to the
total number of incidents for each protocol.
Time Scope Select one of the following time ranges:
Hour
Day
Week
Month
No. Entries Select the number of entries to display.
Intrusion Activity
widget
You can only add an Intrusion Activity widget when you select the proprietary indexed
file storage system. For information on switching file storage systems, see
Configuring SQL database storage on page 111.
This widget displays a bar chart of the total number of attack attempts in traffic
handled by FortiGate units, based on their attack logs.
Figure 43: Intrusion Activity widget
To expand details for one of the widget's items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize
that item's results by which devices recorded those log messages. To further
subcategorize one of the device's results by protocol, you could then click its + button,
then select Service. The resulting widget display would show detected intrusion
attempts for each service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item's X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 44: Intrusion Activity widget settings
Widget Name Type a name for the widget. It will appear in the widget's title bar.
Device Select the name of either a device or device group for which you want to display
intrusion attempts.
Display by Select which attribute to use in order to rank the top results:
Time Period: Rank results according to the total number of incidents for
each 24-hour time period, from 00:00:00 to 23:59:59.
Top Intrusions: Rank results according to the total number of incidents for
each intrusion.
Top Sources (to any): Rank results according to the total number of
incidents for each source IP address.
Top Destinations (from any): Rank results according to the total number of
incidents for each destination IP address.
Time Scope Select one of the following time ranges:
Hour
Day
Week
Month
No. Entries Select the number of entries to display.
Configuring network settings
The Network menu allows you to configure the FortiAnalyzer unit to operate on your
network. You can configure basic network settings, including interfaces, DNS settings,
and static routes.
Configuring the
network
interfaces
To view a list of the FortiAnalyzer unit's network interfaces, go to System > Network >
Interface. See Figure 45.
You must configure at least one of the FortiAnalyzer unit's network interfaces before you
can connect to the CLI and Web-based Manager, which require an IP address.
Depending on your network topology and other considerations, to enable the
FortiAnalyzer unit to connect to your network and to the devices whose logs it
receives, you may need to configure one or more of the FortiAnalyzer unit's other
network interfaces. You can configure each network interface separately, with its own
IP address, netmask, and accepted administrative access protocols.
Unlike other administrative protocols, SNMP access is not configured individually for
each network interface. Instead, see Configuring the SNMP agent on page 118.
Figure 45: Interface list
Bring Up Mark the check box of the network interface that you want to enable, then click
Bring Up. The new status appears in Status.
Bring Down Mark the check box of the network interface that you want to disable, then click
Bring Down. The new status appears in Status.
Name The name of the network interface, usually directly associated with one physical
link as indicated by its name, such as port1.
IP/Netmask The IP address and netmask of the network interface, separated by a slash ( / ).
Access The administrative access services that are enabled on the network interface,
such as HTTPS for the Web-based Manager.
FDP Indicates whether Fortinet Discovery Protocol (FDP) is enabled. When FDP is
enabled for an interface, a green check appears. For more information about
FDP, see About Fortinet Discovery Protocol on page 91 and Manually adding
a FortiGate unit using the Fortinet Discovery Protocol on page 156.
Status Indicates the up (available) or down (unavailable) administrative status of the
network interface.
Green up arrow: The network interface is up and permitted to receive or
transmit traffic.
Red down arrow: The network interface is down and not permitted to
receive or transmit traffic.
Caution: Enable administrative access only on network interfaces connected to trusted private
networks or directly to your management computer. If possible, enable only secure
administrative access protocols such as HTTPS or SSH. Failure to restrict
administrative access could compromise the security of your FortiAnalyzer unit.
Note: You can restrict which IP addresses are permitted to log in as a FortiAnalyzer
administrator through the network interfaces. For details, see Configuring administrator
accounts on page 101.
To edit a network interface
1 Go to System > Network > Interface.
2 Mark the check box next to the interface whose settings you want to modify, then
click Edit.
3 Configure the following:
Interface Name The name (such as port2) and media access control (MAC) address of
this network interface.
Fortinet Discovery
Protocol
Select Enabled to respond to Fortinet Discovery Protocol (FDP) on
this interface, allowing FortiGate devices to find the FortiAnalyzer unit
automatically. For more information about FDP, see About Fortinet
Discovery Protocol on page 91 and Manually adding a FortiGate
unit using the Fortinet Discovery Protocol on page 156.
IP/Netmask Enter the IP address/subnet mask. The IP address must be on the
same subnet as the network to which the interface connects.
Administrative
Access
Enable the types of administrative access that you want to permit on
this interface.
HTTPS Enable to allow secure HTTPS connections to the web-based
manager through this network interface.
For information on configuring the port number on which the
FortiAnalyzer listens for these connections, see Configuring the
Web-based Manager's global settings on page 109.
PING Enable to allow ICMP ping responses from this network interface.
HTTP Enable to allow HTTP connections to the web-based manager
through this network interface.
For information on configuring the port number on which the
FortiAnalyzer listens for these connections, see Configuring the
Web-based Manager's global settings on page 109.
Caution: HTTP connections are not secure, and can be intercepted
by a third party. If possible, enable this option only for network
interfaces connected to a trusted private network, or directly to your
management computer. Failure to restrict administrative access
through this protocol could compromise the security of your
FortiAnalyzer unit.
SSH Enable to allow SSH connections to the CLI through this network
interface.
TELNET Enable to allow Telnet connections to the CLI through this network
interface.
Caution: Telnet connections are not secure, and can be intercepted
by a third party. If possible, enable this option only for network
interfaces connected to a trusted private network, or directly to your
management computer. Failure to restrict administrative access
through this protocol could compromise the security of your
FortiAnalyzer unit.
AGGREGATOR Enable to allow sending and receiving log aggregation transmissions.
For more information about aggregation, see Configuring log
aggregation on page 123.
WEBSERVICES Enable to allow web service (SOAP) connections.
FortiManager units require web service connections for remote
management of FortiAnalyzer units. If this option is not enabled, the
FortiManager unit cannot install a configuration on the FortiAnalyzer
unit. For more information, see Configuring and using FortiAnalyzer
web services on page 91.
Web services can also be used by third-party tools to access logs and
reports stored on the FortiAnalyzer unit. For more information about
web services, see the FortiAnalyzer CLI Reference.
MTU Enable Override default MTU value (1500) to change the maximum
transmission unit (MTU) value, then enter the maximum packet size in
bytes.
To improve network performance, adjust the MTU so that it equals the
smallest MTU of all devices between this interface and the traffic's
final destinations.
If the MTU is larger than other devices' MTU, other devices through
which the traffic travels must spend time and processing resources to
break apart large packets to meet their smaller MTU. This process
slows down transmission.
The default value is 1500 bytes. The MTU size must be between 576
and 1500 bytes.
4 Click OK.
If you changed the IP address of the network interface through which you were
connected to the Web-based Manager, you are now disconnected from it.
5 To access the Web-based Manager again, in your web browser, modify the URL to
match the new IP address of the network interface. For example, if you configured
the network interface with the IP address 172.16.1.20, you would browse to
https://172.16.1.20.
If the new IP address is on a different subnet than the previous IP address, and your
computer is directly connected to the FortiAnalyzer unit, you may also need to
modify the IP address and subnet of your computer to match the FortiAnalyzer
unit's new IP address.
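The two controls that matter most in the table above are the administrative access protocols per interface and, under Configuring administrator accounts, the trusted hosts per account. The following script is an added example, not part of this guide or of the FortiAnalyzer product: it reads a configuration backup in the CLI's config/edit/set block style and reports interfaces that accept cleartext management protocols (HTTP, Telnet) and administrator accounts whose trusted hosts do not restrict where logins come from. The sample configuration is constructed, and the keyword names it uses (allowaccess, trusthost1, trusthost2, the "system admin user" section) are an assumption modelled on the Web-based Manager fields; confirm them against the FortiAnalyzer CLI Reference before pointing the script at a real backup.

```python
"""Added example: audit management exposure in a FortiAnalyzer configuration backup.
Flags interfaces that accept cleartext administrative protocols (HTTP, Telnet) and
administrator accounts whose trusted hosts do not restrict where logins come from.
Nothing here talks to the appliance; it only reads text."""
import ipaddress

CLEARTEXT = {"http", "telnet"}   # credentials and sessions readable by anyone on the path

# Constructed sample in the style of a FortiAnalyzer CLI backup. The keyword names
# (allowaccess, trusthostN, "system admin user") are an assumption mirroring the
# Web-based Manager fields; check them against the FortiAnalyzer CLI Reference.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 172.16.1.20 255.255.255.0
        set allowaccess https ssh ping
    next
    edit "port2"
        set ip 10.10.0.20 255.255.255.0
        set allowaccess http telnet https aggregator
    next
end
config system admin user
    edit "admin"
        set trusthost1 10.0.0.5 255.255.255.255
        set trusthost2 172.16.1.0 255.255.255.0
    next
    edit "helpdesk"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""


def parse_config(text):
    """Return {section: {entry: {key: [values]}}} from config/edit/set/next/end blocks."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.split()
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = None, None
    return sections


def audit_interfaces(cfg):
    """One finding per cleartext management protocol enabled on an interface."""
    findings = []
    for name, attrs in cfg.get("system interface", {}).items():
        enabled = set(attrs.get("allowaccess", []))
        for proto in sorted(enabled & CLEARTEXT):
            findings.append((name, f"cleartext management protocol {proto} enabled"))
    return findings


def trusted_hosts(attrs):
    """Trusted-host entries of an account as networks ('10.0.0.5 255.255.255.255' -> /32)."""
    nets = []
    for key, value in attrs.items():
        if key.startswith("trusthost") and len(value) == 2:
            nets.append(ipaddress.ip_network(f"{value[0]}/{value[1]}", strict=False))
    return nets


def audit_admins(cfg):
    """Accounts with no trusted hosts, or a 0.0.0.0/0 entry, can be attacked from anywhere."""
    findings = []
    for name, attrs in cfg.get("system admin user", {}).items():
        nets = trusted_hosts(attrs)
        if not nets or any(n.prefixlen == 0 for n in nets):
            findings.append((name, "no trusted-host restriction: login allowed from any address"))
    return findings


def is_trusted(src_ip, attrs):
    """Would a login from src_ip pass this account's trusted-host check?
    No entries is treated as no restriction."""
    nets = trusted_hosts(attrs)
    return not nets or any(ipaddress.ip_address(src_ip) in n for n in nets)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for target, issue in audit_interfaces(cfg) + audit_admins(cfg):
        print(f"{target}: {issue}")
```

Run against the sample, the script reports port2 for HTTP and Telnet and the helpdesk account for its 0.0.0.0/0 trusted host; is_trusted() lets you check a specific source address against an account before you lock the account down to a /32, so you do not cut off your own management station.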
About Fortinet Discovery Protocol
FortiGate units running FortiOS v4.0 or greater can use Fortinet Discovery Protocol
(FDP), a UDP protocol, to locate a FortiAnalyzer unit.
When a FortiGate administrator selects Automatic Discovery, the FortiGate unit
attempts to locate FortiAnalyzer units on the network within the same subnet. If FDP
has been enabled for the FortiAnalyzer unit's network interface to that subnet, the
FortiAnalyzer unit will respond. After discovering the FortiAnalyzer unit, the FortiGate
unit automatically enables logging to the FortiAnalyzer unit and begins sending log data.
Depending on its configuration, the FortiAnalyzer unit may then automatically register
the device and save its data, add the device but ignore its data, or ignore the device
entirely. For more information, see Configuring unregistered device options on
page 157.
Configuring and using FortiAnalyzer web services
To manage FortiAnalyzer v4.0 MR1 or later, FortiManager v4.0 or later requires that you
enable web services on the FortiAnalyzer unit and obtain the Web Services Description
Language (WSDL) file that defines the XML requests you can make and the responses
that the FortiAnalyzer unit can provide. If web services are not enabled, the
FortiManager unit cannot send a configuration to the FortiAnalyzer unit.
Note: Due to design changes, FortiManager v4.0 MR3 or later cannot manage FortiAnalyzer
units.
In addition to enabling web services, you must also register the devices with each
other. When registering the FortiAnalyzer with the FortiManager unit, to guarantee full
access to the FortiAnalyzer unit's entire configuration, you must provide the login for
the FortiAnalyzer unit's admin administrator account. When registering the
FortiManager with the FortiAnalyzer unit's device list, you must set connection
permissions to allow remote management.
Web services can also be used by third-party tools to access logs and reports stored
on the FortiAnalyzer unit. For more information, see the FortiAnalyzer CLI Reference.
Web services are automatically encrypted with SSL (HTTPS). For information on the
certificate used to do so, see Importing a local server certificate on page 145.
To configure web services
1 On the FortiAnalyzer unit, log in as admin.
2 Go to System > Network > Interface.
3 Mark the check box of the network interface which will accept web services
connections, then click Edit.
4 In the Administrative Access area, enable WEBSERVICES.
If it is not already enabled, also enable HTTPS.
5 Click OK.
6 Go to System > Admin > Administrator.
7 Mark the check box of the admin administrator account, then click Edit.
8 In Trusted Host, include the FortiManager unit's IP address. For additional security,
restrict the Trusted Host entry to include only the FortiManager unit's IP address
(that is, a subnet mask of 255.255.255.255) and your computer's IP address.
9 Click OK.
10 Go to Devices > All Devices > Allowed.
11 If the FortiManager unit appears as an unregistered device, mark its check box,
then click Register to complete the device registration.
If the FortiManager unit does not appear in the device list, click Create New to add
the device registration.
12 Click OK.
13 Register the FortiAnalyzer unit with the FortiManager units device list. For details,
see the FortiManager Administration Guide.
To obtain the WSDL file
Download the WSDL file directly from the following URL:
https://<FortiAnalyzer_ip_address>:8080/FortiAnalyzerWS?wsdl
The following is a section of the WSDL file:
<definitions name="FortiAnalyzerWS"
    targetNamespace="http://localhost:8080/FortiAnalyzerWS.wsdl">
  <types>
    <schema targetNamespace="urn:FortiAnalyzerWS"
        elementFormDefault="qualified"
        attributeFormDefault="qualified">
      <import namespace="http://schemas.xmlsoap.org/soap/encoding/"/>
      <element name="FortiRequestEl" type="ns:FortiRequest"/>
      <element name="FortiResponseEl" type="ns:FortiResponse"/>
      <!-- enumerations -->
      <simpleType name="SearchContent">
        <restriction base="xsd:string">
          <enumeration value="Logs"/>
          <enumeration value="ContentLogs"/>
          <enumeration value="LocalLogs"/>
        </restriction>
      </simpleType>
      <simpleType name="ReportType">
        <restriction base="xsd:string">
          <enumeration value="FortiGate"/>
          <enumeration value="FortiClient"/>
          <enumeration value="FortiMail"/>
        </restriction>
      </simpleType>
...
  <service name="FortiAnalyzerWS">
    <documentation>gSOAP 2.7.7 generated service
definition</documentation>
    <port name="FortiAnalyzerWS"
        binding="tns:FortiAnalyzerWS">
      <SOAP:address location="https://localhost:8080/FortiAnalyzerWS"/>
    </port>
  </service>
</definitions>
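Two practical points follow from the excerpt: the enumerations tell you which literal values a request may carry, and the advertised SOAP address names localhost, so a client generated straight from the file would call itself rather than the appliance. The script below is an added example, not part of this guide or of any Fortinet software. It parses the WSDL without caring which namespace prefixes the generator used, lists every enumeration and endpoint, rewrites the endpoint host while refusing anything other than https, and fetches the file over TLS trusting only a certificate file you supply. The embedded WSDL is a constructed sample modelled on the excerpt above with the namespace declarations a parser needs added; the operations are elided, and fetch_wsdl() is the only part that goes on the network.

```python
"""Added example: fetch and read the FortiAnalyzer web-services WSDL.
parse_wsdl() lists the enumerations the schema defines and every SOAP endpoint it
advertises; rewrite_endpoint() replaces the generated 'localhost' host with the
appliance address so a client built from the file does not call itself."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample modelled on the WSDL excerpt in the guide, with the namespace
# declarations a parser needs added; the operations themselves are elided here.
SAMPLE_WSDL = """\
<definitions name="FortiAnalyzerWS"
    targetNamespace="http://localhost:8080/FortiAnalyzerWS.wsdl"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://localhost:8080/FortiAnalyzerWS.wsdl"
    xmlns:ns="urn:FortiAnalyzerWS"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:SOAP="http://schemas.xmlsoap.org/wsdl/soap/">
  <types>
    <schema targetNamespace="urn:FortiAnalyzerWS"
        xmlns="http://www.w3.org/2001/XMLSchema"
        elementFormDefault="qualified" attributeFormDefault="qualified">
      <import namespace="http://schemas.xmlsoap.org/soap/encoding/"/>
      <element name="FortiRequestEl" type="ns:FortiRequest"/>
      <element name="FortiResponseEl" type="ns:FortiResponse"/>
      <simpleType name="SearchContent">
        <restriction base="xsd:string">
          <enumeration value="Logs"/>
          <enumeration value="ContentLogs"/>
          <enumeration value="LocalLogs"/>
        </restriction>
      </simpleType>
      <simpleType name="ReportType">
        <restriction base="xsd:string">
          <enumeration value="FortiGate"/>
          <enumeration value="FortiClient"/>
          <enumeration value="FortiMail"/>
        </restriction>
      </simpleType>
    </schema>
  </types>
  <service name="FortiAnalyzerWS">
    <port name="FortiAnalyzerWS" binding="tns:FortiAnalyzerWS">
      <SOAP:address location="https://localhost:8080/FortiAnalyzerWS"/>
    </port>
  </service>
</definitions>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_wsdl(text):
    """Enumerations keyed by simpleType name, plus every advertised SOAP address."""
    root = ET.fromstring(text)
    enums = {}
    for node in root.iter():
        if _local(node.tag) == "simpleType":
            enums[node.get("name")] = [e.get("value") for e in node.iter()
                                       if _local(e.tag) == "enumeration"]
    endpoints = [n.get("location") for n in root.iter() if _local(n.tag) == "address"]
    return {"enumerations": enums, "endpoints": endpoints}


def rewrite_endpoint(location, host):
    """Point the advertised endpoint at the real appliance, keeping port and path.
    Refuses anything but https: the service is only meant to be reached over SSL."""
    parts = urlsplit(location)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-TLS endpoint {location}")
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def fetch_wsdl(host, cafile, port=8080, timeout=10):
    """Download the WSDL over TLS, trusting only the CA (or the exported server
    certificate) in cafile rather than the system trust store.
    Network call: not exercised by the offline sample above."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"https://{host}:{port}/FortiAnalyzerWS?wsdl"
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    info = parse_wsdl(SAMPLE_WSDL)
    for name, values in info["enumerations"].items():
        print(f"{name}: {', '.join(values)}")
    for loc in info["endpoints"]:
        print("advertised:", loc, "->", rewrite_endpoint(loc, "172.16.1.20"))
```

For fetch_wsdl() to succeed, the certificate installed on the FortiAnalyzer unit (see Importing a local server certificate) must also name the address you connect to, because the default context verifies the hostname as well as the chain; do not work around a mismatch by disabling verification, since that is exactly the interception the HTTPS requirement exists to prevent.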
Configuring DNS
System > Network > DNS enables you to configure the FortiAnalyzer unit with the IP
addresses of the domain name system (DNS) servers that the FortiAnalyzer unit will
query to resolve domain names such as www.example.com into IP addresses.
Figure 46: DNS Configuration
FortiAnalyzer units require connectivity to DNS servers for DNS lookups. Your Internet
service provider (ISP) may supply IP addresses of DNS servers, or you may want to
use the IP addresses of your own DNS servers.
Note: For improved performance, use DNS servers on your local network. Features such as
NFS shares can be impacted by poor DNS connectivity.
Configuring static
routes
The route list displays the static routes on the FortiAnalyzer unit. Static routes provide
the FortiAnalyzer unit with the information it needs to forward a packet to a particular
destination other than the default gateway.
To view the routing list, go to System > Network > Routing.
Figure 47: Route list
Move Select to change the route's position in the route list.
Insert Select to add a route before the selected one in the list.
Destination IP/Netmask Displays the destination IP address and netmask of the packets that
this route applies to.
Gateway Displays the IP address of the router to which the FortiAnalyzer unit
forwards those packets.
Interface Displays the name of the FortiAnalyzer interface through which those
packets are sent.
To add a static route
1 Go to System > Network > Routing.
2 Select Create New.
3 Enter the applicable information, and click OK.
Destination IP/Mask Enter the destination IP address and netmask of the packets that
this route applies to.
Gateway Enter the IP address of the gateway to which the FortiAnalyzer unit
will forward those packets.
Interface Select the port through which those packets are sent.
Configuring network shares
The FortiAnalyzer hard disk can be used as an NFS or Windows network share to store
users' files and/or FortiAnalyzer reports and logs.
By default, this option is not available. To make it appear, select Show Network Sharing
in System > Admin > Settings.
When selecting a network share style, consider the access methods available to your
users:
Microsoft Windows users could connect to a FortiAnalyzer Windows network share
by mapping a drive letter to a network folder
Apple Mac OS X, Unix or Linux users:
could mount a FortiAnalyzer Windows network share using smbfs
could mount a FortiAnalyzer NFS network share
Before a user can access files on the FortiAnalyzer network share:
network share user accounts and groups must be created (for Windows share only)
network sharing (Windows or NFS) must be enabled
the share folder and its file permissions (user access) must be set
Configuring share
users
You can create Windows network share user accounts to provide non-administrative
access to the logs, reports and hard disk storage of the FortiAnalyzer unit.
Users that are added will not have administrative access to the FortiAnalyzer hard disk
or FortiAnalyzer unit. For information about how to add administrative users, see
Configuring administrator-related settings on page 101.
To view the network user list, go to System > Network Sharing > User.
Figure 48: Network share user list
Create New Select to create a Windows network share user. See To add a user account on
page 96.
Edit Change a selected user's current settings.
Delete Remove a selected user's account.
Username The name of the user.
UID The user's identification number. This is useful for NFS shares only.
Description A comment about the user account.
To add a user account
1 Go to System > Network Sharing > User.
2 Select Create New.
3 Enter the appropriate information for the network share user account and select
OK.
Username Enter a user name.
The name cannot include spaces.
UID (NFS only) Leave this field empty.
This field is for NFS shares only. The NFS protocol uses the UID to
determine the permissions on files and folders.
Password Enter a password for the user.
Description Enter a description of the user. For example, you might enter the user's
name or a position such as IT Manager.
Configuring share user groups
You can create Windows network share user groups to maintain access privileges for a
large number of users at once. You need to add users before you can create groups.
To view the user group list, go to System > Network Sharing > Group.
Figure 49: User group list
Group The name of the group. For example, Finance. The name cannot include spaces.
GID The group ID. This is useful for NFS shares only.
Members The users that are members of that group.
To add a user group
1 Go to System > Network Sharing > Group.
2 Select Create New.
3 Enter the information for the group account and select OK.
Group Enter the name of the group.
GID (NFS only) Leave this field empty.
This field is for NFS shares only. The GID is the numerical unique
identification for a group. The NFS protocol uses the GID to determine the
permissions on files and folders.
Available Users The available users that you can add to the group. Select a user and then
select the right arrow to move that user to the Members area.
Members The users that are included in the group. If you do not want a user
included as a member, select a user and then click the left arrow to move
that user back to the Available Users area.
Configuring
Windows shares
You can configure the FortiAnalyzer unit to provide folder and file sharing using
Windows sharing.
To view users with Windows share access to the FortiAnalyzer unit, go to System >
Network Sharing > Windows Share.
Figure 50: Windows network share user list
Enable Windows
Network Sharing
Select the check box to enable Windows network sharing.
Workgroup Enter the name of the work group and then select Apply.
Local Path The shared file or folder path.
Share as The share name.
Read Only User A list of users or groups that have read-only access to the folder or
files.
Read Write User A list of users or groups that have read-write access to the folder or
files.
To configure Windows share
1 Go to System > Network Sharing > Windows Share.
2 Select Create New.
3 Enter the information for the Windows share and select OK.
Local Path Type a folder directory, such as /Storage/Mail, or select the local path
icon to choose a folder to share on the FortiAnalyzer hard disk. If you type a
directory, you must start with /Storage.
The default permission for files and folders is read and execute privileges.
The owner of the document also has write privileges. You must select the
write permission for the folder, user and the group to enable write
permissions. For more information, see Default file permissions on NFS
shares on page 100.
Share Name The name of the share configuration.
Available Users
& Groups
The list of users and groups that are available for Windows network shares.
For information on adding users and groups, see Configuring share users
on page 95.
Select a user or group and then select the right arrow that points to the
permission list that you want that user or group to be under, either Read-Only
Access or Read-Write Access.
Read-Only
Access
Users or groups that can read, but not modify, the shared files.
To remove a user or group from either access list, select the user or group
and then select the left arrow to move it back to the Available Users &
Groups list.
Read-Write
Access
Users or groups that can both read and modify the shared files.
To remove a user or group from either access list, select the user or group
and then select the left arrow to move it back to the Available Users &
Groups list.
Configuring NFS
shares
You can configure the FortiAnalyzer unit to provide folder and file sharing using NFS
sharing.
To view a list of users with NFS share access to the FortiAnalyzer unit, including access
privileges, go to System > Network Sharing > NFS Export.
Figure 51: List of users with NFS share access
Enable NFS Exports Select the check box beside Enable NFS Exports and then select Apply
to enable NFS shares.
Local Path The path the client has permission to connect to.
Remote Clients A list of NFS clients (hosts, subnets or FQDNs) that have access to the
folder or files.
Read Only User A list of users or groups that have read-only access to the folder or files.
Read Write User A list of users or groups that have read-write access to the folder or files.
To add a new NFS share configuration
1 Configure DNS and a default route. For information, see Configuring network
settings on page 87.
NFS exports are file system-level mounts. Bad DNS or routing connectivity can
cause very slow access or 'hangs' when trying to write a file using NFS.
2 Go to System > Network Sharing > NFS Export.
3 Select Enable NFS Exports and select Apply.
4 Select Create New.
5 Enter the information for the NFS export and select OK.
6 Configure the NFS client to connect to the FortiAnalyzer unit and mount the share.
Local Path Type a folder directory, such as /Storage/Mail, or select the local
path icon to choose a folder to share on the FortiAnalyzer hard disk. If
you type a directory, you must start with /Storage.
The default permissions for files and folders are read and execute
privileges. The owner of the document also has write privileges. You
must select the write permission for the folder and for the user and
the group to enable write access for users and groups. For more
information, see Default file permissions on NFS shares on
page 100.
Remote Client:
(Host, subnet,
FQDN)
Enter the IP address or domain name of an NFS client, such as a
FortiMail unit configured for NFS storage. This client can access the
NFS share folder.
Permissions Select the type of permissions. The type of permission selected
determines which list the NFS client will be put in.
Read Only: clients connecting to the share can list and read files.
Read Write: clients connecting to the share can list, read, create,
modify, and delete files.
Add Select to add the NFS client to either the Read-Only Access list or the
Read-Write Access list, depending on the permission selected.
Delete Select the check box beside the NFS client in either the Read-Only
Access list or the Read-Write Access list, and then select Delete to
remove it.
Read-Only Access The list of remote clients that have read-only access.
Read-Write Access The list of remote clients that have both read and write access.
Default file permissions on NFS shares
By default, when a user adds a new file or folder, the permissions are:
read, write, and execute for the owner (user)
read and execute for the Admin group and Others group.
System Configuring administrator-related settings
FortiAnalyzer v4.0 MR3 Patch Release 2 Administration Guide
05-432-164257-20120229 101
http://docs.fortinet.com/ Feedback
You can set file permissions in the CLI. For more information, see the config nas
share command in the FortiAnalyzer CLI Reference.
Configuring administrator-related settings
The Admin menu manages administrator accounts, access profiles, and RADIUS authentication. It also controls settings for the Web-based Manager that apply to all administrator accounts, and enables you to monitor which administrator accounts are currently logged in.
Configuring administrator accounts
System > Admin > Administrator displays the list of FortiAnalyzer administrator accounts.
In its factory default configuration, a FortiAnalyzer unit has one administrator account, named admin. The admin administrator has permissions that grant full access to the FortiAnalyzer configuration and firmware. After connecting to the Web-based Manager or the CLI using the admin administrator account, you can configure additional administrator accounts with various levels of access to different parts of the FortiAnalyzer configuration.
Administrators may be able to access the Web-based Manager and/or the CLI through the network, depending on the administrator accounts' trusted hosts and the administrative access protocols enabled for each of the FortiAnalyzer unit's network interfaces. For details, see Configuring the network interfaces on page 87 and Trusted Host on page 103.
To determine which administrators are currently logged in, see Monitoring administrators on page 111.
Figure 52: Administrator account list
Change Password: Change the account password. For more information, see Changing an administrator's password on page 103.
Update Column Settings: Define log columns for an administrator account. You can revert the column settings to the system default if they have been customized, or copy the settings from another administrator account. For information about configuring column settings, see Displaying and arranging log columns on page 168.
Name: The assigned name for the administrator.
Trusted Hosts: The IP address and netmask of acceptable locations for the administrator to log in to the FortiAnalyzer unit. If you want the administrator to have access to the FortiAnalyzer unit from any address, use the IP address and netmask 0.0.0.0/0.0.0.0. To limit the administrator to only access the FortiAnalyzer unit from a specific network or host, enter that network's IP and netmask.
Profile: The access profile assigned to the administrator. For more information, see Configuring access profiles on page 104.
Type: Type can be either Local, as a configured administrator on the FortiAnalyzer unit, or Remote Auth if you are using a RADIUS or TACACS+ server on your network.
To add an administrator account
1 Go to System > Admin > Administrator.
2 Select Create New.
3 Enter the appropriate information and select OK.
Administrator: Enter the administrator name. You can add the @ symbol in the name. For example, admin_1@headquarters could identify an administrator that will access the FortiAnalyzer unit from the headquarters office of their organization. The @ symbol is also useful to those administrators who require RADIUS authentication. You can also configure an administrator account for remote authentication and associate an authentication group as well.
Remote Auth: Select if you are authenticating a specific account on a RADIUS or TACACS+ server.
Wild Card: This option appears only if Remote Auth is enabled. Select if you do not want to set a password for the account on a RADIUS or TACACS+ server.
Auth Group: This option appears only if Remote Auth is enabled. You also need to create an authentication group so that you can select it from the list. For more information about creating an authentication group, see Configuring authentication groups on page 105. Select which RADIUS server group to use when authenticating this administrator account.
Backup Password: This option appears only if Remote Auth is enabled and Wildcard is not selected. Optionally, enter a password for the account on a RADIUS or TACACS+ server.
Password: Enter a password for the administrator account. For security reasons, a password should be a mixture of letters and numbers and longer than six characters. If a user attempts to log in and mistypes the password three times, the user is locked out of the system from that IP address for a short period of time. This option does not appear if you select Wildcard, nor when editing the account.
Confirm Password: Re-enter the password for the administrator account to confirm its spelling. This option does not appear if you select Wildcard, nor when editing the account.
Trusted Host: Enter the IP address and netmask of acceptable locations for the administrator to log in to the FortiAnalyzer unit. If you want the administrator to have access to the FortiAnalyzer unit from any address, use the IP address and netmask 0.0.0.0/0.0.0.0. To limit the administrator to only access the FortiAnalyzer unit from a specific network, enter that network's IP and netmask.
Access Profile: Select an access profile from the list. Access profiles define administrative access permissions to areas of the configuration by menu item. For more information, see Configuring access profiles on page 104. This option does not appear for the admin administrator.
Admin Domain: Select an administrative domain (ADOM) from the list. ADOMs define administrative access permissions to areas of the configuration and device data by device or VDOM. For more information, see Administrative Domains (ADOMs) on page 48. This option does not appear when ADOMs are disabled, nor for the admin administrator.
Changing an administrator's password
The admin administrator and administrators with read and write permissions can change their own account passwords. Administrator passwords should be at least six characters long, use both numbers and letters, and be changed regularly.
Administrators with read-only permissions cannot change their own password. Instead, the admin administrator must change the password for them.
To change the administrator account password
1 Go to System > Admin > Administrator.
2 Select an administrator account.
3 Select Change Password.
4 Enter the old password for confirmation.
5 Enter the new password and confirm the spelling by entering it again.
6 Select OK.
Configuring access profiles
Access profiles define administrator privileges to parts of the FortiAnalyzer configuration. For example, you can have a profile where the administrator only has read and write access to the reports, or assign read-only access to the DLP archive logs.
Only the admin administrator has access to all configuration areas of a FortiAnalyzer unit by default. Every other administrator must be assigned an access profile.
You can create any number of access profiles. For each profile, you can define what access privileges are granted. Administrator accounts can only use one access profile at a time.
To view the list of access profiles, go to System > Admin > Access Profile.
Figure 53: Access profile list
Profile Name: The name of the access profile.
To create an access profile
1 Go to System > Admin > Access Profile.
2 Select Create New.
3 Enter the information for the new access profile, and select OK.
Profile Name: Enter a name for the new access profile.
Access Control: Lists the FortiAnalyzer configuration components to which you can set administrator access.
None: The administrator has no access to the function.
Read Only: The administrator can view pages, menus and information, but cannot modify any settings.
Read-Write: The administrator can view pages, menus and information as well as change configurations.
Note: Administrator accounts can also be restricted to specific devices or FortiGate units with VDOMs in the FortiAnalyzer device list. For more information, see Administrative Domains (ADOMs) on page 48.
Configuring authentication groups
Auth Group enables you to group RADIUS servers into logical arrangements for administrator authentication.
You must first configure at least one RADIUS server before you can create an authentication group. For information on creating RADIUS servers, see Configuring RADIUS servers on page 106.
To view the list of auth groups, go to System > Admin > Auth Group.
Figure 54: Authentication group list
Group Name: The name of the authentication group.
Members: RADIUS servers in the group.
To add a group
1 Go to System > Admin > Auth Group.
2 Select Create New.
3 Enter a name for the group.
4 Select the servers from Available Auth Servers to add to the group and select the right arrow.
5 Select OK.
Configuring RADIUS servers
If you already have a RADIUS server for authentication, you can configure the FortiAnalyzer unit to have it perform the authentication. RADIUS servers authenticate administrators.
To view the RADIUS server list, go to System > Admin > RADIUS Server.
Figure 55: RADIUS server list
Name: The name that identifies the server.
Server Name/IP: The server name or IP address of that server.
To add a RADIUS server
1 Go to System > Admin > RADIUS Server, select Create New.
2 Enter the appropriate information for the server and select OK.
Name: Enter a name to identify the server.
Primary Server Name/IP: Enter the primary IP address for the server.
Primary Server Secret: Enter the password for the primary server.
Secondary Server Name/IP: Enter the secondary IP address for the server. This is used in case the primary one goes out of service.
Secondary Server Secret: Enter the password for the secondary server.
Authentication Protocol: Select which protocol the FortiAnalyzer unit will use to communicate with the RADIUS server.
Configuring TACACS+ servers
If you already have a TACACS+ server for authentication, you can configure the FortiAnalyzer unit to have it perform the user authentication. TACACS+ servers authenticate administrators.
Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a user name and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user.
There are several different authentication protocols that TACACS+ can use during the authentication process:
ASCII
This machine-independent technique uses representations of English characters. It requires the user to type a user name and password that are sent in clear text (unencrypted) and matched with an entry in the user database stored in ASCII format.
PAP (password authentication protocol)
PAP is used to authenticate PPP connections. It transmits passwords and other user information in clear text.
CHAP (challenge-handshake authentication protocol)
CHAP provides the same functionality as PAP, but is more secure as it does not send the password and other user information over the network to the security server.
MS-CHAP (Microsoft challenge-handshake authentication protocol v1)
This is the Microsoft-specific version of CHAP.
The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.
To view the TACACS+ server list, go to System > Admin > TACACS+ Server.
Figure 56: TACACS+ server list
Name: The name that identifies the server.
Server: The IP address of that server.
Authentication Type: The authentication protocol that a TACACS+ server uses during the authentication process.
To add a TACACS+ server
1 Go to System > Admin > TACACS+ Server, select Create New.
2 Enter the appropriate information for the server and select OK.
Name: Enter a name to identify the server.
Server Name/IP: Enter the server domain name or IP address of the TACACS+ server.
Server Key: Enter the key to access the TACACS+ server.
Authentication Type: Select the authentication type to use for the TACACS+ server.
Configuring the Web-based Manager's global settings
Administrators' settings allow you to configure some common settings for all administrator accounts, including the idle timeout (how much time must pass without activity before the FortiAnalyzer unit logs out an administrator), the language for the Web-based Manager, and the Web-based Manager menu customization (showing or hiding the menu items). You can also enable or disable administrative domains (ADOMs).
To configure administrators' settings, go to System > Admin > Settings.
Note: Only the admin administrator can change administrators' settings.
Figure 57: Administrators' settings
Idle Timeout: Set the idle timeout to control the amount of inactive time before the administrator must log in again. For better security, keep the idle timeout to a low value (for example, five minutes). When viewing real-time logs, a pop-up window appears 60 seconds before the set idle timeout value is reached, prompting you to keep or cancel the value. If you choose to cancel the set idle timeout value, you will not be logged out after the idle timeout value is reached.
Web Administration [Language]: Select the language for the Web-based Manager.
Web-based Manager Menu Customization: By default, these menu items are hidden. Select one to make it appear in the menu list.
Admin Domain Configuration: Enable or disable administrative domains (ADOMs). For more information on ADOMs, see Administrative Domains (ADOMs) on page 48. This option does not appear if ADOMs are currently enabled and ADOMs other than the root ADOM exist. This option does not appear on FortiAnalyzer-100B/100C models.
Login Disclaimer: Select Enable to enter a login disclaimer message and click Apply. When you log in next time, you will be asked to accept or decline the disclaimer.
Monitoring administrators
The Monitor page enables the admin administrator to view a list of other administrators that are currently logged in to the FortiAnalyzer unit. The admin administrator can disconnect other administrators' sessions, should the need arise.
To monitor current administrators, go to System > Admin > Monitor.
Figure 58: Monitoring administrators
To disconnect an administrator, mark the check box next to an administrator's account name, then click Disconnect.
Configuring log storage & query features
System > Config allows you to configure features such as SQL database, log-based alerts, log aggregation, log forwarding, remote syslog, SNMP, and RAID.
Configuring SQL database storage
The FortiAnalyzer unit saves received logs to the default proprietary indexed file storage system, which is always ready to accept log data. It can also insert the log data into the Structured Query Language (SQL) database for generating reports. Both local and remote SQL database options are supported. The advantages of using the SQL database are:
Flexibility: Through the use of standard SQL queries, more flexible reporting capabilities can be offered.
Scalability: Through the use of a remote SQL database, any upper limit on the amount of available log storage is removed. Furthermore, the hardware of an external SQL database server can be more easily upgraded to support growing performance needs.
The FortiAnalyzer unit inserts logs into a remote SQL database but is not responsible for deleting logs from that database nor for enforcing any type of size quotas. These tasks are the responsibility of the remote SQL database administrator.
The FortiAnalyzer unit stores the log data in the SQL database according to a pre-determined structure called the SQL schema. The schema contains all the possible log fields of every log type and allows the extraction of log data on a per-device and/or per-VDOM basis for any continuous time period.
For each FortiAnalyzer model, the storage limit of the remote SQL database is the same as the size of its local disk, as shown in Remote SQL database storage limit on page 112. When the log storage level reaches 75, 90, and 95% of the total database capacity, an event alert appears in the Alert Message Console on the dashboard at each of those levels. For more information, see Alert Message Console widget on page 75.
Table 8: Remote SQL database storage limit
FortiAnalyzer Model and remote SQL database storage limit:
100B/100C: 1TB
400B: 2TB
800/800B: 4TB
1000B/1000C: 4TB
2000/2000A/2000B: 6TB
4000A/4000B: 24TB
To configure the SQL database
1 Go to System > Config > SQL Database.
Figure 59: SQL database
2 Complete the fields and click Apply.
Location: Select Disabled to save log data to the proprietary indexed file storage system instead of the SQL database, Local Database to save log data into the local SQL database, or Remote Database to save log data into the remote MySQL database. By default, the local SQL database is PostgreSQL. The selection of location affects the way to configure reports. For more information, see Reports on page 189.
Start Time: Select the time when the FortiAnalyzer unit can start to insert log data into the SQL database. This field activates when Local Database or Remote Database is selected.
Type: Select the remote SQL database from the supported list of databases. This field only appears when Remote Database is selected.
Server: Enter the IP address or FQDN of the server on which the remote SQL database is installed. This field only appears when Remote Database is selected.
Database Name: Enter the name for the database in which log tables will be stored. This database should already exist on the MySQL server. If it does not, the FortiAnalyzer unit cannot connect. This field only appears when Remote Database is selected.
User Name, Password: Enter the login information for a user on the database that has permissions to read and write data, and to create tables.
Log Type: Select the log type(s) that you want to save to the SQL database. This field activates when Local Database or Remote Database is selected.
Upgrade notice
If you choose the proprietary indexed file system for log storage, an upgrade notice appears when you log in to the Web-based Manager, asking if you want to switch to the SQL database and migrate all logs to the SQL database.
Figure 60: Database upgrade notice
If you want to switch to the SQL database, click Upgrade Now and select local or remote SQL database, then click OK. For more information about SQL database configuration, see To configure the SQL database on page 112.
Your logs stored in the proprietary indexed file system will still be kept after the switch.
Database switch affects report configuration. For more information, see Reports on page 189.
Configuring alerts
Log-based alerts define log message types, severities, and sources which trigger administrator notification. For example, you could configure a trigger on the attack logs with an SMTP server output, if you want to receive an alert by email when your network detects an attack attempt.
You can notify administrators by email, SNMP, or syslog, as well as the Alert Message Console widget. For information on viewing alerts through the Web-based Manager, see Alert Message Console widget on page 75.
To view configured log-based alerts, go to System > Config > Log-based Alerts.
Figure 61: Alert events list
Name: The name given to the log-based alert configuration.
Devices: The devices the FortiAnalyzer unit is monitoring for the log-based alerts.
Triggers: The log message packets the FortiAnalyzer unit is monitoring for the log-based alerts.
Destination: The location where the FortiAnalyzer unit sends the alert message. This can be an email address, SNMP trap or syslog server.
To add a log-based alert
1 Go to System > Config > Log-based Alerts, select Create New, enter the appropriate information, then select OK.
Alert Name: Enter a name indicating the type of alert the FortiAnalyzer unit is monitoring for.
Device Selection: Select the devices the FortiAnalyzer unit monitors for the alert event. Select from the Available Devices list and select the right arrow to move the device name to the Selected Devices list. Hold the SHIFT or CTRL keys while selecting to select multiple devices.
Trigger(s): Select the triggers that the FortiAnalyzer unit uses to indicate when to send an alert message. Select the following:
a log type to monitor, such as Event Log or Attack Log
the comparison to apply to the severity level of the log messages, such as >=
the severity of the log message to match, such as Critical
For example, if you select Event Log >= Warning, the FortiAnalyzer unit will send alerts when an event log message has a level of Warning, Error, Critical, Alert or Emergency. These options are used in conjunction with Generic Text (located under Log Filters) and Device Selection to specify which log messages will trigger the FortiAnalyzer unit to send an alert message.
Log Filters (Generic Text): Select Generic Text to enable log filters, and then enter log message filter text. This text is used in conjunction with Trigger(s) and Device Selection to specify which log messages will trigger the FortiAnalyzer unit to send an alert message. Enter an entire word, which is delimited by spaces, as it appears in the log messages that you want to match. Inexact or incomplete words or phrases may not match. For example, entering log_i or log_it may not match; entering log_id=0100000075 will match all log messages containing that whole word. Do not use special characters, such as quotes (") or asterisks (*). If the log message that you want to match contains special characters, consider entering a substring of the log message that does not contain special characters. For example, instead of entering User 'admin' deleted report 'Report_1', you might enter admin.
Threshold: Set the threshold or log message level frequency that the FortiAnalyzer unit monitors before sending an alert message. For example, set the FortiAnalyzer unit to send an alert only after it receives five emergency messages in an hour.
Destination(s): Select where the FortiAnalyzer unit sends the alert message.
Send Alert To: Select an email address, SNMP trap or syslog server from the list. You must configure the SNMP traps or syslog server before you can select them from the list. For the FortiAnalyzer unit to send an email message, you must configure a DNS server and mail server account. For information, see Configuring an email server for alerts & reports on page 116. For information on configuring SNMP traps, see Configuring the SNMP agent on page 118. For information on configuring syslog servers, see Configuring syslog servers on page 122.
From: When configuring the FortiAnalyzer unit to send an email alert message, enter the sender's email address. This option only appears after you populate the Send Alert To field.
To: When configuring the FortiAnalyzer unit to send an email alert message, enter the recipient's email address. This option only appears after you populate the Send Alert To field.
Add: Select to add the destination for the alert message. Add as many recipients as required.
Delete: Select a recipient from the Destination list and select Delete to remove a recipient.
Include Alert Severity: Select the alert severity value to include in the outgoing alert message information.
Configuring an email server for alerts & reports
When the FortiAnalyzer unit receives a log message meeting the alert event conditions, it can send an alert message to an email address via SMTP, informing an administrator of the issue and where it is occurring.
You must first configure an SMTP server so that the FortiAnalyzer unit can send email alert messages.
If the mail server is defined by a domain name, the FortiAnalyzer unit will query the DNS server to resolve the IP address of that domain name. In this case, you must also define a DNS server. For details, see Configuring DNS on page 93.
If sending an email by SMTP fails, the FortiAnalyzer unit will re-attempt to send the message every 10 seconds, and never stop until it succeeds in sending the message, or the administrator reboots the FortiAnalyzer unit.
To view the mail server list, go to System > Config > Mail Server.
Figure 62: Mail server list
Test: Verify if the email server is correctly configured. For more information, see To verify mail server connectivity on page 118.
SMTP Server: The name of the email server.
E-Mail Account: The email address used for accessing the account on the email server.
Password: The password used in authentication of that server. The password appears as ******.
To add a mail server for alerts
1 Go to System > Config > Mail Server and select Create New.
2 Enter the appropriate information and select OK.
SMTP Server: The name/address of the SMTP email server.
Enable Authentication: Select to enable SMTP authentication. When set, you must enter an email user name and password for the FortiAnalyzer unit to send an email with the account.
E-Mail Account: Enter the user name for logging in to the SMTP server to send alert mails. You only need to do this if you have enabled SMTP authentication. The account name must be in the form of an email address, such as user@example.com.
Password: Enter the password for logging in to the SMTP server to send alert email. You only need to do this if you enabled SMTP authentication.
To verify mail server connectivity
1 Go to System > Config > Mail Server.
2 Select the mail server that you want to verify, then select Test.
3 Enter an email address in the Send test email to field.
To verify complete connectivity from the FortiAnalyzer unit to the administrator's inbox, this should be the administrator's email address.
4 Select Test.
A message appears, indicating the success or failure of sending email to the SMTP server. If the message was successfully sent, verify that it reached the email address.
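An added example, not Fortinet's code, showing how the Device Selection, Trigger, Generic Text and Threshold settings of a log-based alert (described under Configuring alerts above) combine when evaluated against constructed key=value log lines. The field names devname, type, level, date and time, the severity ordering, the meaning of Event Log >= Warning as a rank comparison, and the counter reset after an alert fires are assumptions made for the example, not behaviour the guide specifies.

```python
# Added example (not Fortinet's code): evaluates log-based alert rules of the kind
# configured under System > Config > Log-based Alerts (Device Selection, Trigger,
# Generic Text and Threshold) against constructed FortiGate-style log lines.
import shlex
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Severity ranking, lowest to highest, so that "Event Log >= Warning" matches
# Warning, Error, Critical, Alert and Emergency, as the guide describes.
SEVERITY_ORDER = ["debug", "information", "notice", "warning",
                  "error", "critical", "alert", "emergency"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}
FORBIDDEN_FILTER_CHARS = set("\"'*")  # the guide says no quotes or asterisks


@dataclass
class AlertRule:
    name: str
    devices: List[str]            # Device Selection (assumed devname values)
    log_type: str                 # Trigger: log type, e.g. "event" (assumed field)
    min_severity: str             # Trigger: ">= this severity"
    generic_text: Optional[str]   # Log Filters (Generic Text): one whole word
    threshold_count: int          # Threshold: this many matches ...
    threshold_window: timedelta   # ... within this period

    def __post_init__(self) -> None:
        if self.min_severity not in RANK:
            raise ValueError("unknown severity: %s" % self.min_severity)
        if self.generic_text and FORBIDDEN_FILTER_CHARS & set(self.generic_text):
            raise ValueError("Generic Text must not contain quotes or asterisks")


def parse_log_line(line: str) -> Dict[str, str]:
    """Split a key=value log line; shlex keeps quoted values (msg="...") whole."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def matches(rule: AlertRule, line: str) -> bool:
    """Apply Device Selection, Trigger and Generic Text to one log line."""
    fields = parse_log_line(line)
    if fields.get("devname") not in rule.devices or fields.get("type") != rule.log_type:
        return False
    level = fields.get("level", "")
    if level not in RANK or RANK[level] < RANK[rule.min_severity]:
        return False
    # Generic Text matches a whole space-delimited word of the raw line, so
    # "log_id=0100000075" matches but the fragment "log_i" does not.
    return not rule.generic_text or rule.generic_text in line.split()


def evaluate(rule: AlertRule, lines: List[str]) -> List[datetime]:
    """Return the log timestamps at which the rule sends an alert.

    Lines are expected in chronological order. Assumption (not stated by the
    guide): once the threshold is reached the counter is cleared, so one burst
    of matching messages yields one alert rather than one per extra message.
    """
    recent: Deque[datetime] = deque()
    fired: List[datetime] = []
    for line in lines:
        if not matches(rule, line):
            continue
        fields = parse_log_line(line)
        ts = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
        recent.append(ts)
        while ts - recent[0] > rule.threshold_window:  # drop matches outside the window
            recent.popleft()
        if len(recent) >= rule.threshold_count:
            fired.append(ts)
            recent.clear()
    return fired


# Constructed sample lines (not real device output). FG-HQ emits three event
# messages at or above Warning within an hour, then two more an hour apart.
SAMPLE_LOGS = [
    'date=2012-02-29 time=10:00:01 devname=FG-HQ log_id=0100000075 type=event level=warning msg="Admin login failed"',
    'date=2012-02-29 time=10:05:00 devname=FG-HQ log_id=0100000075 type=event level=notice msg="Config saved"',
    'date=2012-02-29 time=10:10:00 devname=FG-BRANCH log_id=0100000075 type=event level=error msg="Link down"',
    'date=2012-02-29 time=10:20:00 devname=FG-HQ log_id=0100000075 type=event level=error msg="User \'admin\' deleted report \'Report_1\'"',
    'date=2012-02-29 time=10:30:00 devname=FG-HQ log_id=0100000075 type=event level=critical msg="Disk usage high"',
    'date=2012-02-29 time=11:45:00 devname=FG-HQ log_id=0100000075 type=attack level=emergency msg="Signature hit"',
    'date=2012-02-29 time=11:50:00 devname=FG-HQ log_id=0100000075 type=event level=emergency msg="Fan failure"',
    'date=2012-02-29 time=12:55:00 devname=FG-HQ log_id=0100000075 type=event level=alert msg="HA failover"',
    'date=2012-02-29 time=13:00:00 devname=FG-HQ log_id=0100000075 type=event level=error msg="NTP unreachable"',
]

# Rule: Event Log >= Warning on FG-HQ, Generic Text log_id=0100000075,
# threshold of three matching messages within one hour.
EXAMPLE_RULE = AlertRule(name="hq-event-warnings", devices=["FG-HQ"],
                         log_type="event", min_severity="warning",
                         generic_text="log_id=0100000075",
                         threshold_count=3, threshold_window=timedelta(hours=1))
```

Running evaluate(EXAMPLE_RULE, SAMPLE_LOGS) yields a single alert at 10:30:00, when the third qualifying FG-HQ event message arrives within the hour; the later messages at 11:50, 12:55 and 13:00 never place three matches inside one window, so they stay below the threshold.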
Configuring the
SNMP agent
Simple Network Management Protocol (SNMP) allows you to monitor hardware on
your network. You can configure the hardware, such as the FortiAnalyzer SNMP agent,
to report system information and send traps (alarms or event messages) to SNMP
managers. An SNMP manager, or host, is typically a computer running an application
that can read the incoming trap and event messages from the agent and send out
SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP
manager, or host, to one or more FortiAnalyzer units.
By using an SNMP manager, you can access SNMP traps and data from any
FortiAnalyzer interface configured for SNMP management access. Part of configuring
an SNMP manager is to list it as a host in a community on the FortiAnalyzer unit it will
be monitoring. Otherwise the SNMP monitor will not receive any traps from that
FortiAnalyzer unit, or to query that unit.
You can configure the FortiAnalyzer unit to respond to traps and send alert messages
to SNMP managers that were added to SNMP communities. When you are configuring
SNMP, you need to first download and install both the FORTINET-CORE-MIB.mib and
FORTINET-FORTIANALYZER-MIB.mib files so that you can view these alerts in a
readable format. The Fortinet MIB contains support for all Fortinet devices, and
includes some generic SNMP traps; information responses and traps that
FortiAnalyzer units send are a subset of the total number supported by the Fortinet
proprietary MIB.
Your SNMP manager may already include standard and private MIBs in a compiled
database which is all ready to use; however, you still need to download both the
FORTINET-CORE-MIB.mib and FORTINET-FORTIANALYZER-MIB.mib files regardless.
FortiAnalyzer SNMP is read-only: SNMP v1 and v2 compliant SNMP managers have
read-only access to FortiAnalyzer system information and can receive FortiAnalyzer
Note: Mail servers configured to send FortiAnalyzer alerts can also be selected when
configuring report profiles and vulnerability scan jobs to email report output. For
more information, see Configuring vulnerability scans on page 248 andIndexer
based reports on page 219.
System Configuring log storage & query features
FortiAnalyzer v4.0 MR3 Patch Release 2 Administration Guide
05-432-164257-20120229 119
http://docs.fortinet.com/ Feedback
traps. RFC support includes most of RFC 2665 (Ethernet-like MIB) and most of
RFC 1213 (MIB II). FortiAnalyzer units also use object identifiers from the Fortinet
proprietary MIB.
For more information about the MIBs and traps that are available for the FortiAnalyzer
unit, see Appendix A on page 302.
SNMP traps alert you to events that happen, such as a log disk being full or a virus
being detected.
SNMP fields contain information about your FortiAnalyzer unit, such as percent CPU
usage or the number of sessions. This information is useful to monitor the condition of
the unit, both on an ongoing basis and to provide more information when a trap
occurs.
To configure the SNMP agent, go to System > Config > SNMP.
Figure 63: SNMP Access List
SNMP Agent          Select to enable the SNMP agent.
Description         Enter a descriptive name for this FortiAnalyzer unit.
Location            Enter the physical location of the FortiAnalyzer unit, such as a city or
                    floor number.
Contact             Enter the contact information for the person responsible for this
                    FortiAnalyzer unit.
Trap Type           The type of available SNMP trap.
Trigger             Enter a number (percent) for the trap type usage that will trigger a trap.
                    The number can be between 1 and 100.
Threshold           Enter the number of times a trigger value is reached before triggering a
                    trap. The number can be between 1 and 100.
Sample Period(s)    Enter a time period, in seconds. The number can be between 1 and
                    28800. The default is 600 seconds, which is 10 minutes.
                    During the configured time period, the SNMP agent evaluates the trap
                    type (for example, CPU) at the configured sample frequency. For example,
                    during 600 seconds (10 minutes), the SNMP agent evaluates memory every
                    60 seconds (1 minute).
Sample Frequency(s) Enter a number for the frequency of triggers. The number can be
                    between 1 and 100.
Apply               Select to save the configured settings. Selecting Apply will not save the
                    SNMP communities because they are automatically saved after being
                    configured.
Communities         The list of SNMP communities added to the FortiAnalyzer configuration.
Create New          Select to add a new SNMP community. See Configuring an SNMP
                    community on page 120.
Edit                Change the selected SNMP community configuration.
Delete              Remove the selected SNMP community configuration. You cannot
                    delete a community if it is used in an alert event. For more information,
                    see Configuring alerts on page 114.
Test                Verify the selected SNMP community configuration by sending a test
                    SNMP trap to the SNMP manager. This option only shows whether the test
                    SNMP trap is successfully sent by the FortiAnalyzer unit. You need to
                    go to the SNMP manager to check if the trap has been successfully
                    received. If the test fails, you need to reconfigure the SNMP community
                    that you want to verify.
                    This option is inactive if the SNMP agent configuration is not saved.
                    See Apply on page 120.
#                   The sequential order of the communities.
Community Name      The name of the SNMP community.
Queries             The status of SNMP queries for each SNMP community. The query
                    status can be enabled (green check mark) or disabled (gray cross).
Traps               The status of SNMP traps for each SNMP community. The trap status
                    can be enabled (green check mark) or disabled (gray cross).
Enable              Select to enable the SNMP community. By default, an SNMP
                    community is enabled when it is configured.
Configuring an SNMP community
An SNMP community is a grouping of devices for network administration purposes.
Within that SNMP community, devices can communicate by sending and receiving
traps and other information. One device can belong to multiple communities, such as
one administrator terminal monitoring both a firewall SNMP community and a printer
SNMP community.
You can add an SNMP community to define a destination IP address that can be
selected as the recipient (SNMP manager) of FortiAnalyzer unit SNMP alerts. Defined
SNMP communities are also granted permission to request FortiAnalyzer unit system
information using SNMP queries.
Each community can have a different configuration for SNMP queries and traps. Each
community can be configured to monitor the FortiAnalyzer unit for a different set of
events. You can also add the IP addresses of up to 10 SNMP managers to each
community.
To add an SNMP community
1 Go to System > Config > SNMP.
2 Under Communities, select Create New.
3 Enter the appropriate information and then select OK.
Community Name      Enter a name to identify the SNMP community.
Hosts               Identify the SNMP managers that can use the settings in this SNMP
                    community to monitor the FortiAnalyzer unit.
Host Name           The IP address of an SNMP manager that can use the settings in this
                    SNMP community to monitor the FortiAnalyzer unit. You can also set
                    the IP address to 0.0.0.0 so that any SNMP manager can use this
                    SNMP community.
Interface           Optionally select the name of the interface that this SNMP manager
                    uses to connect to the FortiAnalyzer unit. You only have to select the
                    interface if the SNMP manager is not on the same subnet as the
                    FortiAnalyzer unit. This can occur if the SNMP manager is on the
                    Internet or behind a router.
Delete              Select a Delete icon to remove an SNMP manager.
Add                 Add a blank line to the Hosts list. You can add up to 10 SNMP
                    managers to a single community.
Queries             Enter the port number (161 by default) that the SNMP managers in this
                    community use for SNMP v1 and SNMP v2c queries to receive
                    configuration information from the FortiAnalyzer unit. Select the Enable
                    check box to activate queries for each SNMP version.
                    Note: The SNMP client software and the FortiAnalyzer unit must use
                    the same port for queries.
Traps               Enter the local and remote port numbers (port 162 for each by default)
                    that the FortiAnalyzer unit uses to send SNMP v1 and SNMP v2c traps
                    to the SNMP managers in this community. Select Enable to activate
                    traps for each SNMP version.
                    Note: The SNMP client software and the FortiAnalyzer unit must use
                    the same port for traps.
SNMP Events         Enable each SNMP event for which the FortiAnalyzer unit should send
                    traps to the SNMP managers in this community.
Configuring syslog servers
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
You can configure syslog servers where the FortiAnalyzer unit can send alerts by the
syslog protocol. You must add the syslog server before you can select it as a way for
the FortiAnalyzer unit to communicate an alert.
To view the syslog servers, go to System > Config > Remote Syslog.
Figure 64: Syslog server list
Test                Verify the syslog server configuration by sending a test message to the
                    server. See To verify a syslog server configuration on page 123.
Name                The name of the syslog server.
IP or FQDN: Port    The IP address or fully qualified domain name (FQDN) of the syslog
                    server, and port number.
To add a syslog server
1 Go to System > Config > Remote Syslog.
2 Click Create New, enter the appropriate information, then click OK.
Name                Enter a name for the syslog server.
IP address (or FQDN) Enter the IP address or fully qualified domain name of the syslog
                    server.
Port                Enter the syslog server port number. The default syslog port is 514.
To verify a syslog server configuration
1 Go to System > Config > Remote Syslog.
2 Select the syslog server configuration you want to verify.
3 Select Test.
4 In the Syslog Message field, enter a syslog message such as This is a test.
5 Select Test.
You need to go to the syslog server to check if the message has been successfully
received. If the test fails, reconfigure the syslog server.
Configuring log aggregation
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
Log aggregation is a method of collecting log data from one or more FortiAnalyzer
units on a central FortiAnalyzer unit.
Log aggregation involves one or more FortiAnalyzer units configured to act as
aggregation clients, and a FortiAnalyzer unit configured to act as an aggregation
server. The aggregation client sends all of its device logs, including quarantined or
archived files, to the aggregation server. The transfer includes the active log to the
point of aggregation (for example, tlog.log) and all rolled logs stored on the
aggregation client (tlog.1.log, tlog.2.log, tlog.3.log, ...). Subsequent log
aggregations include only changes; the aggregation client does not re-send previously
aggregated logs.
For example, a company may have a headquarters and a number of branch offices.
Each branch office has a FortiGate unit and a FortiAnalyzer-100B to collect local log
information. Those branch office FortiAnalyzer units are configured as log aggregation
clients. The headquarters has a FortiAnalyzer-2000/2000A which is configured as a log
aggregator. The log aggregator collects logs from each of the branch office log
aggregation clients, enabling headquarters to run reports that reflect all offices.
All FortiAnalyzer models can be configured as a log aggregation client, but log
aggregation server support varies by FortiAnalyzer model, due to storage and resource
requirements.
Table 9: FortiAnalyzer models that support either an aggregation client or server, or both
FortiAnalyzer Model              Aggregation Client   Aggregation Server
FortiAnalyzer-100B/100C          Yes                  No
FortiAnalyzer-400B               Yes                  No
FortiAnalyzer-800/800B           Yes                  Yes
FortiAnalyzer-1000B/1000C        Yes                  Yes
FortiAnalyzer-2000/2000A/2000B   Yes                  Yes
FortiAnalyzer-4000A/4000B        Yes                  Yes
A device logging to a log aggregation client cannot send its logs to the aggregation
server, since the server will refuse them. This device will appear in the device list of the
aggregation server. You can easily identify these devices as they do not have Rx and
Tx permissions.
Note: On the aggregation server, configure the device quotas to be equal to or more than those
on the aggregation client to avoid log data loss.
When using log aggregation, all the FortiAnalyzer units must be running the same
firmware release and their system time must be synchronized.
Configuring an aggregation client
An aggregation client is a FortiAnalyzer unit that sends logs to an aggregation server.
By default, log aggregation is disabled on the FortiAnalyzer unit.
To configure the aggregation client, go to System > Config > Log Aggregation, select
Enable log aggregation TO remote FortiAnalyzer and enter the appropriate information.
Select Apply.
Note: For more information about log aggregation port numbers, see the Knowledge Base
article Traffic Types and TCP/UDP Ports used by Fortinet Products.
Figure 65: Log aggregation client configuration
Enable log aggregation TO remote FortiAnalyzer
                    Select to enable log aggregation to a remote FortiAnalyzer unit.
Remote FortiAnalyzer IP
                    Enter the IP address of the FortiAnalyzer unit acting as the aggregation
                    server.
Password            Enter the password for the aggregation server. This password is set
                    when configuring the aggregation server. See Password on page 126.
Confirm Password    Enter the password again for the aggregation server.
Aggregation daily at [hh:mm]
                    Select the time of the day when the aggregation client uploads the logs
                    to the aggregation server.
Aggregation Now     Select to start a log aggregation operation.
                    Depending on the amount of new logs since the previous
                    synchronization, the aggregation operation can take some time. It is
                    recommended to perform the aggregation during off-peak hours.
Caution: The aggregation server needs to have device quotas at least as large as the
aggregation client. If the device quotas are not correctly configured, log data will be
lost.
Configuring an aggregation server
An aggregation server is a FortiAnalyzer unit that receives the logs sent from an
aggregation client. FortiAnalyzer-800/800B and higher can be configured as
aggregation servers.
By default, log aggregation is disabled on the FortiAnalyzer unit.
To configure the aggregation server, go to System > Config > Log Aggregation, select
Enable log aggregation TO this FortiAnalyzer, enter the password and confirm it, and
then select Apply.
Figure 66: Log Aggregation server configuration
Enable log aggregation TO this FortiAnalyzer
                    Select to enable log aggregation to this FortiAnalyzer unit.
Password            Enter a password for access to this FortiAnalyzer unit.
Confirm Password    Enter the password again to confirm it.
Configuring log forwarding
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
Log forwarding sends duplicates of log messages received by the FortiAnalyzer unit to
a separate syslog server. This can be useful for additional log storage or processing.
The log forwarding destination (remote device IP) may receive either a full duplicate or
a subset of those log messages that are received by the FortiAnalyzer unit. Log
messages are forwarded only if they meet or exceed the Minimum Severity threshold.
Log forwarding is similar to log uploading or log aggregation, but log-forwards are sent
as individual syslog messages, not whole log files over FTP, SFTP, or SCP, and not as
batches of log files.
By default, log forwarding is disabled on the FortiAnalyzer unit.
To forward logs
1 Go to System > Config > Log Forwarding.
2 Select Enable log forwarding to remote log server.
3 Enter the appropriate information, and click Apply.
Figure 67: Log forwarding
Enable log forwarding to remote log server
                    Select to enable log forwarding to a syslog server.
Remote device IP    Enter the IP address of the external syslog server.
Forward all incoming logs
                    Select to forward all incoming logs.
Forward only authorized logs
                    Select to forward only authorized logs (authorized according to a
                    device's permissions).
Minimum Severity    Select the minimum severity threshold. All log events of equal or
                    greater severity will be transmitted. For example, if the selected
                    minimum severity is Critical, all Emergency, Alert and Critical log
                    events will be forwarded; other log events will not be forwarded.
Configuring IP aliases
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
Use IP Alias to assign meaningful names to IP addresses. When configuring reports, or
viewing logs and DLP archives, select Resolve Host Name to view the alias rather than
the IP address.
IP aliases can make logs and reports easier to read and interpret. For example, you
could create an IP alias to display the label mailserver1 instead of its IP address,
10.10.1.54.
When adding an IP alias, you can also include an IP address range. For example:
10.10.10.1 - 10.10.10.50
10.10.10.1 - 10.10.20.100
To view the IP Alias list, go to System > Config > IP Alias.
Figure 68: List of IP aliases
Import              If you have a text file with IP addresses and aliases mapping, you can
                    import the file instead of mapping them one by one on the FortiAnalyzer
                    unit. See Importing IP aliases on page 128.
Alias               The name of the IP alias.
Host                The IP address or range for the IP alias.
To add an IP alias
1 Go to System > Config > IP Alias.
2 Select Create New.
3 Enter a nickname for the IP address in Alias.
4 Enter the IP address or range in Host (Subnet / IP Range).
5 Select OK.
Importing IP aliases
If you have a text file with IP addresses and aliases mapping, you can import the file
instead of mapping them one by one on the FortiAnalyzer unit. This is a quick way to
add the mappings to the FortiAnalyzer unit.
The contents of the text file should be in the following format:
<alias_ipv4> <alias_name>
For example:
10.10.10.1 User_1
There can be only one IP address and user name entry per line.
To import the alias file
1 Go to System > Config > IP Alias.
2 Click Import.
3 Enter the path and file name, or select Browse to locate the file.
4 Click OK.
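The Minimum Severity rule from the log forwarding section and the alias lookup from this IP alias section, together as an added Python example that is not FortiAnalyzer code: it reads the severity from each syslog line's PRI field, keeps only lines at or above the configured threshold, and then resolves the source address of each kept line through an alias list written in the import-file format (single addresses) or the Host-field range form. The sample alias lines, the log lines, the srcip= field and the facility value are all constructed for the example.

```python
"""Added example, not FortiAnalyzer code: the Minimum Severity rule from the
log forwarding section applied to syslog lines, with source addresses then
resolved through IP aliases in the import-file format of the IP alias section.
All sample data below is constructed."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Syslog severity codes (BSD syslog / RFC 5424): lower number = more severe.
SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
            "Warning": 4, "Notice": 5, "Informational": 6, "Debug": 7}
_PRI_RE = re.compile(r"^<(\d{1,3})>")
_SRCIP_RE = re.compile(r"\bsrcip=(\d+\.\d+\.\d+\.\d+)")
AliasEntry = Tuple[int, int, str]  # first address, last address, alias


def syslog_severity(line: str) -> Optional[int]:
    """Severity from the <PRI> prefix, where PRI = facility * 8 + severity.
    Returns None for lines without a valid PRI (max 191 = local7.debug)."""
    m = _PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    return int(m.group(1)) % 8


def forward_filter(lines: List[str], minimum_severity: str) -> List[str]:
    """Keep lines of equal or greater severity than the threshold, i.e. with a
    code numerically <= it: Critical keeps Emergency, Alert and Critical.
    Lines whose PRI cannot be parsed are dropped rather than guessed at."""
    limit = SEVERITY[minimum_severity]
    return [ln for ln in lines
            if (sev := syslog_severity(ln)) is not None and sev <= limit]


def parse_alias_entries(text: str) -> List[AliasEntry]:
    """Parse '<alias_ipv4> <alias_name>' lines (the import format) and the
    range form '10.10.10.1 - 10.10.10.50 name' used by the Host field.
    Malformed lines raise ValueError naming the line number."""
    entries: List[AliasEntry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        try:
            if len(parts) == 2:
                first = last = int(ipaddress.IPv4Address(parts[0]))
                alias = parts[1]
            elif len(parts) == 4 and parts[1] == "-":
                first = int(ipaddress.IPv4Address(parts[0]))
                last = int(ipaddress.IPv4Address(parts[2]))
                alias = parts[3]
            else:
                raise ValueError("expected '<ip> <alias>' or '<ip> - <ip> <alias>'")
        except ValueError as err:  # AddressValueError is a ValueError subclass
            raise ValueError(f"line {n}: {err}") from None
        if last < first:
            raise ValueError(f"line {n}: range end precedes its start")
        entries.append((first, last, alias))
    return entries


def resolve_alias(ip: str, entries: List[AliasEntry]) -> str:
    """Alias for ip (first matching entry wins), else the address itself,
    which is what Resolve Host Name shows for an unaliased address."""
    addr = int(ipaddress.IPv4Address(ip))
    for first, last, alias in entries:
        if first <= addr <= last:
            return alias
    return ip


def annotate_sources(lines: List[str],
                     entries: List[AliasEntry]) -> List[Tuple[str, Optional[str]]]:
    """Pair each line with the alias of its srcip= field (None if absent)."""
    out = []
    for line in lines:
        m = _SRCIP_RE.search(line)
        out.append((line, resolve_alias(m.group(1), entries) if m else None))
    return out


# Constructed samples: facility local0 (16), so PRI = 128 + severity.
SAMPLE_ALIASES = "10.10.1.54 mailserver1\n10.10.10.1 - 10.10.10.50 lab-clients\n"
SAMPLE_LOGS = [
    "<130>devname=FGT-branch1 srcip=10.10.1.54 action=deny",    # Critical
    "<132>devname=FGT-branch1 srcip=10.10.10.7 action=accept",  # Warning
    "<129>devname=FGT-branch1 srcip=192.0.2.9 action=deny",     # Alert
    "devname=FGT-branch1 srcip=10.10.10.60 action=deny",        # no PRI
]


def run(minimum_severity: str = "Critical") -> List[Tuple[str, Optional[str]]]:
    entries = parse_alias_entries(SAMPLE_ALIASES)
    return annotate_sources(forward_filter(SAMPLE_LOGS, minimum_severity), entries)


if __name__ == "__main__":
    for line, alias in run():
        print(alias, line)
```

With the threshold at Critical only the Critical and Alert lines survive; lowering it to Warning also passes the lab-clients line, and the line without a PRI is never forwarded. The range entries are kept in file order and the first match wins, so an overlapping single-address entry should be listed before the range that contains it.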
Configuring RAID
RAID (Redundant Array of Independent Disks) helps to divide data storage over
multiple disks, which provides increased data reliability. FortiAnalyzer units that contain
multiple hard disks can configure the RAID array for capacity, performance and
availability.
From System > Dashboard > Status, you can view the status of the RAID array from the
Disk Monitor widget. The Disk Monitor widget displays the status of each disk in the
RAID array, including the disks' RAID level. This widget also displays how much disk
space is being used. For more information, see Disk Monitor widget on page 71.
The Alert Message Console widget, located in System > Dashboard > Status, provides
detailed information about RAID array failures. For more information, see Alert
Message Console widget on page 75.
If you need to remove a disk from the FortiAnalyzer unit, you can hot swap it. Hot
swapping means that you can remove a failed hard disk and replace it with a new one
even while the FortiAnalyzer unit is still in operation. Hot swapping is a quick and
efficient way to replace hard disks. For more information about hot swapping, see
Swapping hard disks on page 73.
System > Config > RAID allows you to change the RAID level of the RAID array.
Changing the RAID level will remove all log data from the disks, and the device disk
quota may be reduced to accommodate the available disk space in the new RAID
array.
Figure 69: RAID Settings
RAID Level          Select a RAID level and click Apply.
                    The FortiAnalyzer unit will reboot, destroy the existing RAID array, create
                    a new RAID array with the specified level, and then create a new file
                    system on the array. All existing data is lost.
Total Disk Space    The amount of disk space available within the RAID array.
Free Disk Space     The amount of free disk space.
Disk #              The number identifying the disk. These numbers reflect what disks are
                    available on the FortiAnalyzer unit. For example, on a
                    FortiAnalyzer-4000A, there would be 1-12, whereas on a
                    FortiAnalyzer-2000A there would be 1-6.
Size (GB)           The size of the individual hard disk.
Status              The current status of the hard disk. For example, OK indicates that the
                    hard disk is okay and working normally; Not Present indicates that the
                    hard disk is not being detected by the FortiAnalyzer unit or has been
                    removed and no disk is available; Failed indicates that the hard disk is not
                    working properly.
To change the RAID levels
1 Go to System > Config > RAID.
2 From RAID Level, select a RAID level.
3 Click Apply to begin the process of changing the RAID level.
The following message appears:
4 Click OK to continue with the process.
Tip: Alternatively, go to System > Dashboard > Status and, on the Disk Monitor widget, click
RAID Settings in the title bar.
Supported RAID levels
RAID levels vary between FortiAnalyzer units. The following table explains the
recommended RAID levels for each unit, the supported RAID levels, and any additional
information.
Table 10: RAID levels
FortiAnalyzer Platform          Supported Levels                  Recommended Level   Note
FortiAnalyzer-100B/100C         RAID is not supported.
FortiAnalyzer-400B              0, 1                              1                   RAID 0 is supported for only
                                                                                      two-disk configuration.
FortiAnalyzer-800/800B          Linear, 0, 1, 5, 10               10                  RAID 5 can be configured in the
                                                                                      CLI; however, using RAID 5
                                                                                      may decrease performance.
FortiAnalyzer-1000B             0, 1                              1                   RAID 0 is supported for only
                                                                                      two-disk configuration.
FortiAnalyzer-1000C             Linear, 0, 1, 10                  10
FortiAnalyzer-2000/2000A/2000B  0, 5, 5 plus spare, 10, 50        50                  RAID 5 is supported on 2000B
                                                                                      with more than three disks.
FortiAnalyzer-4000A             0, 5, 5 plus spare, 10, 50        50
FortiAnalyzer-4000B             0, 5, 5 plus spare, 10, 50, 6,    50
                                6 plus spare, 60
Note: Fortinet recommends having an uninterruptible power supply (UPS) to reduce the
possibility of data inconsistencies when power failures occur.
When changing the RAID level, the available levels depend on the number of working
disks that are actually present in the unit. For example, RAID 5 is not available on
FortiAnalyzer units with fewer than three disks. With a full complement of working
disks, the default level is the recommended level in the above table. The following
sections assume a full complement except where noted.
You can find out information about RAID from the get system status or diag
raid info commands in the CLI.
Linear
A linear RAID level combines all hard disks into one large virtual disk. It is also known
as concatenation or JBOD (Just a Bunch of Disks). The total space available in this
option is the capacity of all disks used. There is very little performance change when
using this RAID format. If any of the drives fails, the entire set of drives is unusable until
the faulty drive is replaced. All data will be lost.
RAID 0
A RAID 0 array is also referred to as striping. The FortiAnalyzer unit writes information
evenly across all hard disks. The total space available is that of all the disks in the RAID
array. There is no redundancy available. If any of the drives fails, the data cannot be
recovered. This RAID level is beneficial because it provides better performance, since
the FortiAnalyzer unit can distribute disk writing across multiple disks.
RAID 1
A RAID 1 array is also referred to as mirroring. The FortiAnalyzer unit writes information
to one hard disk, and writes a copy (a mirror image) of all information to all other hard
disks. The total disk space available is that of only one hard disk, as the others are
solely used for mirroring. This provides redundant data storage with no single point of
failure. Should any of the hard disks fail, there are several backup hard disks available.
With a FortiAnalyzer-800 for example, if one disk fails, there are still three other hard
disks the FortiAnalyzer unit can access and continue functioning.
RAID 5
A RAID 5 array employs striping with a parity check. The FortiAnalyzer unit writes
information evenly across all drives. Additional parity blocks are written on the same
stripes. The parity block is staggered for each stripe. The total disk space is the total
number of disks in the array, minus one disk for parity storage. For example, on a
FortiAnalyzer-800 with four hard disks, the total capacity available is actually the total
for three hard disks. RAID 5 performance is typically better with reading than writing,
although performance is degraded when one disk has failed or is missing. With RAID 5,
one disk can fail without the loss of data. If a drive fails, it can be replaced and the
FortiAnalyzer unit will restore the data on the new disk using reference information from
the parity volume.
Note: RAID 5 appears in the Web-based Manager only for FortiAnalyzer units with hardware
RAID.
Note: Fortinet recommends using RAID 10 for redundancy instead of RAID 5 on FortiAnalyzer
units with software RAID. RAID 5 can cause decreased performance.
RAID 10
RAID 10 (or 1+0) includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors
(RAID 1). The total disk space available is the total number of disks in the array (a
minimum of 4) divided by 2. One drive from a RAID 1 array can fail without loss of data;
however, should the other drive in the RAID 1 array fail, all data will be lost. In this
situation, it is important to replace a failed drive as quickly as possible.
On the following FortiAnalyzer units, RAID 10 consists of:
two RAID 1 arrays of two disks each (FortiAnalyzer-800/800B)
three RAID 1 arrays of two disks each (FortiAnalyzer-2000/2000A/2000B)
six RAID 1 arrays of two disks each (FortiAnalyzer-4000A)
twelve RAID 1 arrays of two disks each (FortiAnalyzer-4000B)
RAID 50
RAID 50 (or 5+0) includes nested RAID levels 5 and 0, or a stripe (RAID 0) and stripe
with parity (RAID 5). The total disk space available is the total number of disks minus
the number of RAID 5 sub-arrays. RAID 50 provides increased performance and also
ensures no data loss for the same reasons as RAID 5. One drive in each RAID 5 array
can fail without the loss of data. For the following FortiAnalyzer units, data is
recoverable when:
two RAID 5 arrays of three disks each (FortiAnalyzer-2000/2000A/2000B)
three RAID 5 arrays of four disks each (FortiAnalyzer-4000A)
two RAID 5 arrays of twelve disks each (FortiAnalyzer-4000B)
RAID 5 with hot spare
FortiAnalyzer-2000/2000A/2000B and FortiAnalyzer-4000A/4000B units can use one
of their hard disks as a hot spare (a stand-by disk for the RAID), should any of the other
RAID hard disks fail. If a hard disk fails, within a minute of the failure, the FortiAnalyzer
unit begins to automatically substitute the hot spare for the failed drive, integrating it
into the RAID array, and rebuilding the RAID's data.
When you replace the failed hard disk, the FortiAnalyzer unit uses the new hard disk as
the new hot spare. The total disk space available is the total number of disks minus
two.
RAID 6
RAID 6 provides fault tolerance from two drive failures; the array continues to operate
with up to two failed drives. This makes larger RAID groups more practical, especially
for high-availability systems. This becomes increasingly important as large-capacity
drives lengthen the time needed to recover from the failure of a single drive. Single-parity
RAID levels are as vulnerable to data loss as a RAID 0 array until the failed drive is
replaced and its data rebuilt; the larger the drive, the longer the rebuild will take.
Double parity gives time to rebuild the array without the data being at risk if a single
additional drive fails before the rebuild is complete.
RAID 60
RAID 60 (or 6+0) includes nested RAID levels 6 and 0, or a stripe (RAID 0) and stripe
with parity (RAID 6). The total disk space available is the total number of disks minus
the number of RAID 6 sub-arrays. RAID 60 provides increased performance and also
ensures no data loss for the same reasons as RAID 6. One drive in each RAID 6 array
can fail without the loss of data. For the following FortiAnalyzer unit, data is
recoverable when:
two RAID 6 arrays of twelve disks each (FortiAnalyzer-4000B)
RAID 6 with hot spare
A FortiAnalyzer-4000B unit can use one of its hard disks as a hot spare (a stand-by disk
for the RAID), should any of the other RAID hard disks fail. If a hard disk fails, within a
minute of the failure, the FortiAnalyzer unit begins to automatically substitute the hot
spare for the failed drive, integrating it into the RAID array, and rebuilding the RAID's
data.
When you replace the failed hard disk, the FortiAnalyzer unit uses the new hard disk as
the new hot spare. The total disk space available is the total number of disks minus
two.
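The capacity rules stated in the RAID level descriptions above, as an added Python example that is not Fortinet code, so that a planned disk count and RAID level can be turned into usable space before an array is rebuilt (rebuilding destroys all log data). The function follows the page's rules for linear, 0, 1, 5, 5 plus spare, 10, 50 and 60; the RAID 6 and RAID 6 plus spare figures are standard double-parity arithmetic, which the page does not state and is assumed here. decimal_to_binary_gb and the 1 % tolerance in matches_table are also assumptions, chosen because the per-disk sizes in Table 11 are vendor (10^9-byte) GB while the array sizes are reported in 2^30-byte units.

```python
"""Added example, not Fortinet code: usable capacity per RAID level, using the
rules given in the RAID level descriptions, checked against rows of Table 11.
RAID 6 / RAID 6 + spare use standard double-parity arithmetic (assumed; the
page states only the fault tolerance for those levels)."""
from typing import Optional


def decimal_to_binary_gb(marketed_gb: float) -> float:
    """Vendors rate disks in 10^9-byte GB; Table 11 reports usable space in
    2^30-byte units, so a '500 GB' disk contributes about 465 GB (assumption)."""
    return marketed_gb * 1e9 / 2 ** 30


def supported(level: str, disks: int, sub_arrays: int = 1) -> bool:
    """Minimum disk counts implied by each level's description."""
    if level in ("linear", "0"):
        return disks >= 1
    if level == "1":
        return disks >= 2
    if level == "5":
        return disks >= 3
    if level == "5+spare":
        return disks >= 4
    if level == "10":
        return disks >= 4 and disks % 2 == 0
    if level == "50":
        return sub_arrays >= 2 and disks % sub_arrays == 0 and disks // sub_arrays >= 3
    if level == "6":
        return disks >= 4
    if level == "6+spare":
        return disks >= 5
    if level == "60":
        return sub_arrays >= 2 and disks % sub_arrays == 0 and disks // sub_arrays >= 4
    return False


def usable_capacity(level: str, disks: int, per_disk_gb: float,
                    sub_arrays: int = 1, fs_limit_gb: Optional[float] = None) -> float:
    """Usable space of an array of identical disks.
    linear, 0: every disk   1: one disk   5: n-1   5+spare: n-2
    10: n/2   50: n minus one parity disk per RAID 5 sub-array
    6: n-2 (assumed)   6+spare: n-3 (assumed)   60: n minus two per sub-array
    fs_limit_gb caps the result the way the 16 TB ext3 limit caps the 4000B."""
    if not supported(level, disks, sub_arrays):
        raise ValueError(f"RAID {level} is not possible with {disks} disks")
    data_disks = {
        "linear": disks, "0": disks, "1": 1, "5": disks - 1, "5+spare": disks - 2,
        "10": disks // 2, "50": disks - sub_arrays, "6": disks - 2,
        "6+spare": disks - 3, "60": disks - 2 * sub_arrays,
    }[level]
    total = data_disks * per_disk_gb
    if fs_limit_gb is not None:
        total = min(total, fs_limit_gb)
    return total


def matches_table(level: str, disks: int, marketed_gb: float, table_gb: float,
                  sub_arrays: int = 1, tolerance: float = 0.01) -> bool:
    """True when the computed value agrees with a Table 11 entry to within
    the table's rounding (1 % covers every row checked below)."""
    computed = usable_capacity(level, disks, decimal_to_binary_gb(marketed_gb), sub_arrays)
    return abs(computed - table_gb) <= tolerance * table_gb


if __name__ == "__main__":
    # FortiAnalyzer-2000A with six 250 GB disks; Table 11 lists 1390 / 1160 / 930 / 695 / 930
    for lvl, subs in (("0", 1), ("5", 1), ("5+spare", 1), ("10", 1), ("50", 2)):
        usable = usable_capacity(lvl, 6, decimal_to_binary_gb(250), subs)
        print(f"RAID {lvl:8s} {round(usable)} GB")
```

Two observations from running this against Table 11: the 4000A RAID 50 rows (for example 3720 GB for twelve 400 GB disks) correspond to ten data disks, i.e. two RAID 5 sub-arrays, not the three sub-arrays of four disks described under RAID 50; and the 932 GB rows (1000C, 2000B, 4000B) do not follow the decimal-to-binary conversion, so for them pass the table's own 917 GB per-disk figure directly, as the test does for the 4000B rows where only the ext3 ceiling is being checked.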
RAID array capacity
Based on the hard disk numbers and sizes, the following table lists the RAID array
capacity for selected FortiAnalyzer platforms. You can use the table as a reference for
choosing RAID levels.
Table 11: RAID array capacity for selected FortiAnalyzer platforms (all values are rounded)
Total Usable Disk Space (in GB)
Platform  Disks  Size per   RAID 0   RAID 1   RAID 5   RAID 5   RAID 10  RAID 50  RAID 6   RAID 6   RAID 60
                 Disk (GB)                             + Spare                              + Spare
400B      2      500        930      460
800B      4      500        1860     465      1390              930
1000B     2      1000       1860     930
1000C     4      932        3668     917                        1834
2000A     6      250        1390              1160     930      695      930
2000A     6      400        2230              1863     1490     1110     1490
2000A     6      500        2790              2320     1860     1390     1860
2000B     6      932        5500              4582     3666     2750     3666
4000A     12     250        2790              2560     2320     1396     2320
4000A     12     400        4470              4090     3720     2330     3720
4000A     12     500        5580              5120     4650     2790     4650
4000B     24     932        15380             15380    15380    10990    14653    15380    15380    10990
Note: FortiAnalyzer-4000B supports up to 24 disks. Each disk size is 932 GB. In theory,
FortiAnalyzer-4000B can support a maximum disk space of 24 x 932 GB (close to 24 TB)
when the RAID level is 0. However, the FortiAnalyzer unit uses the ext3 filesystem, which has
a 16 TB limitation of disk space. Therefore, even if FortiAnalyzer-4000B has 24 TB RAID array
capacity, the total disk space is limited to 16 TB. This is why the maximum disk space for
FortiAnalyzer-4000B is 15380 GB.
Configuring LDAP queries for reports
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
A directory is a set of objects with similar attributes organized in a logical and
hierarchical way. Generally, an LDAP directory tree reflects geographic or
organizational boundaries, with the Domain Name System (DNS) names at the top level
of the hierarchy. The common name identifier for most LDAP servers is cn; however,
some servers use other common name identifiers such as uid.
For example, you could use the following base distinguished name:
ou=marketing,dc=fortinet,dc=com
where ou is organization unit and dc is a domain component.
You can also specify multiple instances of the same field in the distinguished name, for
example, to specify multiple organization units:
ou=accounts,ou=marketing,dc=fortinet,dc=com
Binding occurs when the LDAP server successfully authenticates the user and allows
the user access to the LDAP server based on the user's permissions.
You can configure the FortiAnalyzer unit to use one of two types of binding:
anonymous - bind using anonymous user search
regular - bind using user name/password and then search
If your LDAP server requires authentication to perform searches, use the regular type
and provide values for user name and password.
In System > Config > LDAP, you can define a query to retrieve a list of LDAP users from
a remote LDAP server. LDAP queries are used in FortiAnalyzer reports as an additional
filter for the user field, providing a convenient way of filtering log data without having
to list the user names manually. For example, you might need to create a scope in a
report that is restricted to include only log messages whose user= field matches user
names retrieved from the network's main LDAP server.
For more information about LDAP queries in FortiAnalyzer reports, see Indexer based
reports on page 219.
Caution: By default, the LDAP query occurs over a standard LDAP connection. The
FortiAnalyzer unit does not support secure query (TLS or LDAPS) protocols.
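The distinguished name and filter syntax described above, as an added Python example that is not FortiAnalyzer code: domain_to_base_dn derives dc= components from a DNS domain and prefixes the organization units most specific first, parse_dn and build_dn split and rejoin a DN while honouring backslash escapes, and user_filter builds the (cn=...) or (uid=...) filter for whichever common name identifier the server uses, escaping the characters that LDAP filters treat as syntax so a user name is always matched literally. The function names and the Sales\, EMEA unit are this example's own. Because the query runs over an unencrypted LDAP connection, the Bind DN and Bind Password of a Regular bind cross the network in clear, so that account needs no more than search rights on the base DN.

```python
"""Added example, not FortiAnalyzer code: the DN and filter syntax described
in the LDAP query section. parse_dn/build_dn handle RFC 4514 escaping;
user_filter applies RFC 4515 escaping so a user name is matched literally."""
from typing import List, Tuple

RDN = Tuple[str, str]
_DN_SPECIAL = ',+"\\<>;'
_FILTER_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\0": "\\00"}


def escape_rdn_value(value: str) -> str:
    """Escape the characters that would otherwise end or split an RDN value,
    plus a leading space or '#' and a trailing space (RFC 4514)."""
    out = "".join("\\" + c if c in _DN_SPECIAL else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def domain_to_base_dn(domain: str, *ous: str) -> str:
    """'fortinet.com' -> 'dc=fortinet,dc=com'. Organization units are listed
    most specific first, giving ou=accounts,ou=marketing,dc=fortinet,dc=com."""
    rdns = [f"ou={escape_rdn_value(ou)}" for ou in ous]
    rdns += [f"dc={escape_rdn_value(label)}" for label in domain.split(".") if label]
    return ",".join(rdns)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into ordered (attribute, value) pairs. A backslash-escaped
    comma stays inside its value, so ou=Sales\\, EMEA is one RDN, not two."""
    pairs: List[RDN] = []
    buf: List[str] = []
    escaped = False

    def flush() -> None:
        attr, sep, value = "".join(buf).partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {''.join(buf)!r}")
        pairs.append((attr.strip().lower(), value))
        buf.clear()

    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            flush()
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape")
    flush()
    return pairs


def build_dn(pairs: List[RDN]) -> str:
    """Inverse of parse_dn: re-escape each value and join with commas."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in pairs)


def user_filter(cn_identifier: str, user_name: str) -> str:
    """Search filter for one user, e.g. (cn=j.doe) or (uid=j.doe) depending on
    the server's common name identifier."""
    escaped = "".join(_FILTER_ESCAPES.get(c, c) for c in user_name)
    return f"({cn_identifier}={escaped})"


if __name__ == "__main__":
    base = domain_to_base_dn("fortinet.com", "accounts", "marketing")
    print(base)
    print(parse_dn(base))
    print(user_filter("cn", "j.doe"))
```

parse_dn returns the components in the order they appear, which is the order from the leaf toward the DNS root, so two ou entries in one DN are preserved as two pairs rather than merged.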
To view the LDAP server list, go to System > Config > LDAP.
Figure 70: LDAP server list
To define an LDAP server query
1 Go to System > Config > LDAP.
2 Select Create New, enter the appropriate information for the LDAP server, and
select OK.
Name The name of the LDAP server.
Server Name/IP The server name or IP address of the LDAP server.
Port The port with which the server is exchanging information. The default port is 389.
Common Name Identifier The name of the common name identifier.
Distinguished Name The name of the attribute identifier that is used in the LDAP query filter.
Name Enter the name for the LDAP server query.
Server Name/IP Enter the LDAP server domain name or IP address.
Server Port Enter the port number. By default, the port is 389.
Querying for the base DN
The LDAP Distinguished Name Query list displays the LDAP Server IP address, and all
the distinguished names associated with the Common Name Identifier for the LDAP
server. The tree helps you to determine the appropriate entry for the Base DN field.
In the Base DN field, enter the DN you choose from the list and click OK. The DN
appears in the Base DN field of the LDAP server configuration.
Server Type Select whether to use anonymous or authenticated (regular) queries.
If selecting Anonymous, your LDAP server must be configured to
allow unauthenticated anonymous queries.
If selecting Regular, you must also enter the Bind DN and Bind
Password.
Bind DN Enter an LDAP user name in DN format to authenticate as a specific
LDAP user, and bind the query to a DN.
This option appears only when the Server Type is Regular.
Bind Password Enter the LDAP users password.
This option appears only when the Server Type is Regular.
Common Name Identifier Enter the attribute identifier used in the LDAP query filter. By
default, the identifier is cn.
For example, if the Base DN contains several objects, and you want
to include only objects whose cn=Admins, enter the Common Name
Identifier cn and enter the Group(s) value Admins when configuring
report profiles. For more information, see Indexer based reports on
page 219.
Report scopes using this query require Common Name Identifier. If
this option is blank, the LDAP query for reports will fail.
Base DN Enter the Distinguished Name of the location in the LDAP directory
which will be searched during the query.
To improve query speed, enter a more specific DN to constrain your
search to the relevant subset of the LDAP tree.
For example, instead of entering dc=example,dc=com you might
enter the more specific DN ou=Finance,dc=example,dc=com.
This restricts the query to the Finance organizational unit within the
tree.
Report scopes using this query require Base DN. If this option is
blank, the LDAP query for reports will fail.
LDAP Distinguished Name Query View the LDAP server Distinguished Name Query tree for the
LDAP server that you are configuring so that you can cross-reference to the
Distinguished Name.
Leave the Base DN field empty for this option to work.
For more information, see Querying for the base DN on page 136.
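The following added example (not Fortinet code) models, offline, what the LDAP report scope described above does: it validates the form fields, searches below Base DN for entries whose Common Name Identifier attribute equals the report's Group(s) value, and keeps only log lines whose user= field matches the names found. The directory contents, the memberUid attribute used to derive user names from a matched group, and the log lines are all constructed for the example.

```python
"""Offline model of a FortiAnalyzer-style LDAP report scope (constructed example).

Pieces taken from the guide: Server Type (anonymous or regular bind), Base DN
(where the search starts), Common Name Identifier (the attribute compared with
the report profile's Group(s) value, default cn), and a report scope that keeps
only log messages whose user= field matches the user names the query returned.
DIRECTORY stands in for the LDAP server so nothing touches the network.
"""
import re
from dataclasses import dataclass

# Constructed directory: DN -> attributes. Attribute values are lists, as in LDAP.
# memberUid is an assumption for how user names hang off a matched group entry.
DIRECTORY = {
    "cn=Admins,ou=Finance,dc=example,dc=com": {"cn": ["Admins"], "memberUid": ["alice", "bob"]},
    "cn=Admins,ou=Eng,dc=example,dc=com": {"cn": ["Admins"], "memberUid": ["carol"]},
    "cn=Staff,ou=Finance,dc=example,dc=com": {"cn": ["Staff"], "memberUid": ["dave"]},
}

# Constructed FortiGate-style log lines; the last one has no user= field at all.
LOGS = [
    'date=2012-02-29 time=10:01:02 devname=FGT400A type=traffic user="alice" srcip=10.1.1.5 action=accept',
    'date=2012-02-29 time=10:01:05 devname=FGT400A type=traffic user="carol" srcip=10.1.1.9 action=accept',
    'date=2012-02-29 time=10:02:11 devname=FGT400A type=traffic user="dave" srcip=10.1.1.7 action=deny',
    'date=2012-02-29 time=10:03:00 devname=FGT400A type=traffic srcip=10.1.1.8 action=accept',
]


@dataclass
class LdapQuery:
    """The System > Config > LDAP fields the search depends on."""
    server_type: str              # "anonymous" or "regular"
    base_dn: str
    cn_identifier: str = "cn"     # attribute compared with the Group(s) value
    bind_dn: str = ""             # regular bind only; the guide notes the connection
    bind_password: str = ""       # is plain LDAP, so these travel unencrypted

    def validate(self) -> None:
        # The guide: a blank Base DN or Common Name Identifier makes the report query fail.
        if not self.base_dn.strip():
            raise ValueError("Base DN is required for report scopes")
        if not self.cn_identifier.strip():
            raise ValueError("Common Name Identifier is required for report scopes")
        if self.server_type not in ("anonymous", "regular"):
            raise ValueError(f"unknown Server Type {self.server_type!r}")
        if self.server_type == "regular" and not (self.bind_dn and self.bind_password):
            raise ValueError("Server Type Regular needs Bind DN and Bind Password")


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip spaces around commas so formatting differences
    do not matter. Escaped commas inside attribute values are not handled here."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn: str, base_dn: str) -> bool:
    """True when dn is the Base DN entry itself or lies anywhere below it."""
    dn, base_dn = normalize_dn(dn), normalize_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)


def ldap_users(query: LdapQuery, group: str, directory=DIRECTORY) -> list:
    """Sorted user names from entries under Base DN whose cn_identifier equals group.

    This is the effect of a subtree search with filter (<cn_identifier>=<group>)
    followed by reading each match's memberUid values."""
    query.validate()
    users = set()
    for dn, attrs in directory.items():
        if in_subtree(dn, query.base_dn) and group in attrs.get(query.cn_identifier, []):
            users.update(attrs.get("memberUid", []))
    return sorted(users)


def parse_log(line: str) -> dict:
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def scope_logs(lines, users) -> list:
    """Keep only lines whose user= field is one of the LDAP-derived names.
    Lines with no user field never match, so they drop out of the report scope."""
    allowed = set(users)
    return [ln for ln in lines if parse_log(ln).get("user") in allowed]


if __name__ == "__main__":
    # A narrower Base DN (the guide's ou=Finance example) returns fewer users
    # and therefore scopes the report more tightly than the whole tree does.
    narrow = LdapQuery("anonymous", "ou=Finance,dc=example,dc=com")
    broad = LdapQuery("regular", "dc=example,dc=com",
                      bind_dn="cn=reports,dc=example,dc=com", bind_password="constructed")
    for q in (narrow, broad):
        names = ldap_users(q, "Admins")
        print(f"{q.base_dn}: users={names}, matching log lines={len(scope_logs(LOGS, names))}")
```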
Figure 71: LDAP Distinguished Name Query
Backing up the configuration & installing firmware
Backup & Restore displays the date and time of the last configuration backup and the
last firmware upload. It also enables you to:
download and back up a FortiAnalyzer unit's configuration
upload and restore a FortiAnalyzer unit's configuration
upload a firmware update
Backed-up copies of the FortiAnalyzer unit configuration file can be encrypted with a
password. When restoring encrypted configuration files, the password must be
entered to decrypt the file.
For additional information about backing up and restoring configuration, see
Maintaining Firmware on page 271.
To back up the configuration and install firmware, go to System > Maintenance >
Backup & Restore.
Figure 72: Backup & Restore
Caution: Do not forget the password to the backed up configuration file. A password-encrypted
backup configuration file cannot be restored without the password.
Scheduling & uploading vulnerability management updates
You can update the engine and vulnerability scan modules in one of the following
ways:
manually upload update packages to the FortiAnalyzer unit from your management
computer
System Configuration
Last Backup The date and time of the last backup to local PC
Backup configuration to: Currently, the only option on the Web-based Manager is to back
up to your local PC. However, you can use the execute backup config command to back
up the system configuration to a file on an FTP, SFTP, SCP, or TFTP server. For more
information, see the FortiAnalyzer CLI Reference.
Encrypt configuration file Select to encrypt the backup file. Enter a password in the
Password field and enter it again in the Confirm field. You will need this password to
restore the file.
You must encrypt the backup file if you are using a secure connection to a FortiGate or
FortiManager device.
Password Enter a password to encrypt the configuration file. This password is
required when restoring the configuration file.
Confirm Enter the password again to confirm.
Backup Select to back up the configuration.
Restore configuration from: Currently the only option is to restore from a PC.
Filename Enter the configuration file name or use the Browse button if you are
restoring the configuration from a file on the management computer.
Password Enter the password if the backup file is encrypted.
Restore Select to restore the configuration from the selected file.
Firmware
Partition A partition can contain one version of the firmware and the system
configuration.
Active A green check mark indicates which partition contains the firmware
and configuration currently in use.
Last Upgrade The date and time of the last update to this partition.
Firmware Version The version and build number of the FortiAnalyzer firmware. If your
FortiAnalyzer model has a backup partition, you can:
Select Upload to replace with firmware from the management
computer.
Select Upload and Reboot to replace the existing firmware and
make this the active partition.
configure the FortiAnalyzer unit to periodically request updates from the FortiGuard
Distribution Network (FDN).
You must register and license the FortiAnalyzer unit and purchase and register a
vulnerability management service with the Customer Service & Support web site,
https://support.fortinet.com/, to receive vulnerability management updates from the
FDN. See (Vulnerability Management) Subscribe on page 140. The FortiAnalyzer unit
must also have a valid support contract, which includes VM update subscriptions, and
can connect to the FDN or the IP address that you have configured to override the
default FDN addresses. For port numbers required for license validation and update
connections, see the Knowledge Base article FDN Services and Ports.
For more information about configuring vulnerability scan jobs and viewing
vulnerability scan reports, see Network Vulnerability Scan on page 242.
To manually upload vulnerability management updates or to configure scheduled
vulnerability management updates, go to System > Maintenance > FortiGuard.
Figure 73: FortiGuard Distribution Network
FortiGuard Subscription Services Displays the VCM registration status, engine and
module version number, date of last update, and status of the connection to the
FortiGuard Distribution Network (FDN).
A green indicator means that the FortiAnalyzer unit can connect
to the FDN or override server.
An orange indicator means that the FortiAnalyzer unit cannot
connect to the FDN or override server. Check the configuration
of the FortiAnalyzer unit and any NAT or firewall devices that
exist between the FortiAnalyzer unit and the FDN or override
server. For example, you may need to add routes to the
FortiAnalyzer unit's routing table.
(Vulnerability Management) Subscribe Select to open the Customer Service & Support
web site to register the FortiAnalyzer unit and Vulnerability Management Service to
receive vulnerability management updates from the FDN.
(VCM Plugin) Update Select to upload a VCM upgrade file from your management
computer. To obtain a VCM upgrade file, contact Customer
Service & Support.
You might upload a VCM file if you want to provide an immediate
update, or use a VCM version other than the one currently
provided by the FDN. If you want to use a VCM file other than
the one currently provided by the FDN, also disable scheduled
updates.
Note: Manual updates are not a substitute for a connection to
the FDN. As with scheduled updates, manual updates require
that the FortiAnalyzer unit can connect to the FDN to validate its
VCM license.
Service Configuration Options
FortiGuard Server Select the Expand arrow to display this FortiAnalyzer unit's
FortiGuard server options for the subscription services.
Use override server address Enable Use override server address and enter the IP
address and port number of an FDS in the format <IP>:<port>, such as
10.10.1.10:8889.
If you want to connect to a specific FDN server other than the
one to which the FortiAnalyzer unit would normally connect, you
can override the default IP addresses by configuring an override
server.
If, after applying the override server address, the FDN status
icon changes to indicate availability (a green check mark), the
FortiAnalyzer unit has successfully connected to the override
server. If the icon still indicates that the FDN is not available, the
FortiAnalyzer unit cannot connect to the override server. Check
the FortiAnalyzer configuration and the network configuration to
make sure you can connect to the FDN override server from the
FortiAnalyzer unit.
Migrating data from one FortiAnalyzer unit to another
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
You can migrate configuration settings and log data from one FortiAnalyzer unit to
another from System > Maintenance > Migration. This is referred to as migrating data,
and provides an easy way to have the same information on multiple FortiAnalyzer units
without having to manually configure each one.
Use Web Proxy Select to enable the FortiAnalyzer unit to connect to the FDN
through a web proxy, then enter the IP, Port, and (if required)
Name and Password.
IP: Enter the IP address of the web proxy.
Port: Enter the port number of the web proxy.
This is usually 8080.
Name: If your web proxy requires a login, enter the user name
that your FortiAnalyzer unit should use when connecting to the
FDN through the web proxy.
Password: If your web proxy requires a login, enter the
password that your FortiAnalyzer unit should use when
connecting to the FDN through the web proxy.
Vulnerability Management Select the Expand arrow to display this FortiAnalyzer unit's
VCM options for the subscription services.
Scheduled Update [Request Update Now] Enable scheduled updates, then select the
frequency of the update (Every, Daily or Weekly).
Select Request Update Now if you want to immediately request an update.
Every Select to update once every n hours, then select the number of
hours in the interval.
Daily Select to update once every day, then select the hour. The
update attempt occurs at a randomly determined time within the
selected hour.
Weekly Select to update once a week, then select the day of the week
and the hour of the day. The update attempt occurs at a
randomly determined time within the selected hour.
Caution: When migrating configuration settings and log data from one FortiAnalyzer unit to
another, the source FortiAnalyzer unit stops receiving logs from the managed devices
as soon as it enters migration mode. If you want to keep the logs from the
devices during the migration process, make sure that the managed devices send logs
to the destination FortiAnalyzer unit or another compatible log storage location. To
send logs to the destination FortiAnalyzer unit, simply swap the IP addresses of the
source and destination units by going to System > Network > Interface on each unit.
You also need to perform step 5 on the destination unit. You can swap the IP
addresses back after the migration completes.
The destination FortiAnalyzer unit will lose all of the data received before the migration
process starts. Back up the important data on the destination unit if necessary.
You can also test the connection between two FortiAnalyzer units before migrating the
configuration settings to verify that the connection is working properly.
Before you begin the migration process, you need to verify that each FortiAnalyzer unit
is upgraded to FortiAnalyzer v4.0 MR1 or higher. The migration feature is available only
in FortiAnalyzer v4.0 MR1 or higher. You also need to decide which FortiAnalyzer unit
will be the one used for migrating data to the other before proceeding. Migrating data
should be done during a low traffic time period, for example at night, because,
depending on the amount of data being transferred, it could take more than an hour to
transfer.
You need to configure both the FortiAnalyzer unit that will be sending data (source
FortiAnalyzer unit) and the FortiAnalyzer unit that will be receiving data (destination
FortiAnalyzer unit) for migrating configuration settings.
To configure the source FortiAnalyzer unit
1 On the source FortiAnalyzer unit, log in to the Web-based Manager.
Remember the login password. You will need it for configuring the destination
FortiAnalyzer unit. See To configure the destination FortiAnalyzer unit for migrating
configuration settings on page 143.
2 Go to System > Maintenance > Migration.
3 Select Source to enable the FortiAnalyzer unit to send the configuration settings to
the other FortiAnalyzer unit.
Figure 74: Migration
4 In Peer IP, enter the IP address of the FortiAnalyzer unit that will be receiving the
data.
5 Select Apply, then select Enter Migration Mode.
A message similar to the following will be displayed:
Caution: To migrate data, the firmware release number and build number on the source and
destination FortiAnalyzer units must match. Otherwise the migration will fail.
6 Select OK to reboot the FortiAnalyzer unit in migration mode.
This may take a few minutes. You may need to refresh the page so that the login
page appears. You can then log back in to the Web-based Manager to verify that
the FortiAnalyzer unit is in migration mode. Only the admin user can log in to the
FortiAnalyzer unit in migration mode.
Only System > Admin > Settings (Read + Write) and System > Maintenance >
Migration (Read + Write) menu items appear under migration mode for a source
FortiAnalyzer unit. You can modify these settings and they will be migrated to the
destination unit.
The migration will not start before the destination FortiAnalyzer unit is configured
and starts to query the source unit.
7 If you need to modify the Peer IP in migration mode, enter a new one and select
Apply.
To configure the destination FortiAnalyzer unit for migrating configuration
settings
1 On the destination FortiAnalyzer unit, log in to the Web-based Manager and go to
System > Maintenance > Migration.
2 Select Destination to enable the FortiAnalyzer unit to receive the configuration
settings.
Figure 75: Migrating configuration settings
3 Enter the IP address of the source FortiAnalyzer unit.
4 Enter the same password you used when logging in to the source FortiAnalyzer
unit.
The destination FortiAnalyzer unit will use this password to log in to the source
FortiAnalyzer unit to get the configuration. The migration will fail if the passwords
do not match.
5 If you want this FortiAnalyzer unit to receive logs and data from the registered
devices during the migration process, select Accept Logs & Reports.
The logs and data received from the managed devices during the migration process
will not be overridden by the migrated data.
You can also enable or disable this option during the migration process. For more
information, see Actions during the migration process on page 145.
6 To receive certain logs and files, expand All Categories and then select what you
want to receive. To receive all the categories, select the check box beside All
Categories.
7 Click Apply, and then click Test Migration Mode.
This FortiAnalyzer unit contacts the source FortiAnalyzer unit to validate the
migration. The validation focuses on the following:
If the source unit and destination unit have different versions of firmware, the
destination unit aborts the migration.
If the destination unit has data, a warning appears. You may choose to proceed
or not.
If the source unit is not in migration mode, the destination unit aborts the
migration.
If the source units IP is wrong or there is a network problem, Migration
source is not reachable appears.
8 If the migration mode test is successful, select Enter Migration Mode.
Only the following menu items appear:
System > Dashboard > Dashboard (Read-Only)
System > Network > Interface/DNS/Routing (Read + Write)
System > Admin > Settings (Read + Write)
System > Admin > Maintenance > Migration (Read + Write)
Device > All > Device (Read-Only)
Log > Log Viewer > Real-time (Read + Write)
Tools > File Explorer (Read-Only)
You can modify the settings with Read + Write privileges and they will not be
overridden by the migrated data.
9 If you modify the configurations in migration mode, select Apply.
10 Select Start Migration.
This may take a few minutes or several hours, depending on the amount of data
that is being transferred. For example, if there is 500 GB of data that is being
transferred, it will take several hours to send.
See Actions during the migration process on page 145 for actions that can be
taken during the migration process.
11 When the migration process is complete, go to the source and destination
FortiAnalyzer units.
12 Log in to the Web-based Manager and go to System > Maintenance > Migration.
13 Select Exit Migration Mode.
Actions during the migration process
During the migration process, the destination FortiAnalyzer unit displays and
automatically updates phase descriptions, results, and a progress bar with size (such
as 123 of 480 GB) and time (such as 18 mins. of estimated 4h14m) indicators. You can
check the migration status from both the Web-based Manager and the CLI in real time.
You can also:
Choose Start/Stop Accepting New Data.
This action allows the destination unit to accept or deny data from the registered
devices. For example, if you want to speed up the data migration process and can
afford to lose some logs from the devices, you can select to stop accepting new
data. When the destination unit receives new logs and data, messages will appear
in the migration status display.
Choose to pause the ongoing migration process from the destination unit. You can
subsequently start again or cancel the migration by selecting the respective button.
If the destination unit is interrupted unexpectedly, for example, by a power or
network failure:
the message The migration destination became silent. Please
verify its status. appears on the source unit. Click OK.
when the destination unit is back in migration mode, resume or cancel the
migration by selecting the respective button.
Importing a local server certificate
You can change the FortiAnalyzer unit's default HTTPS certificate to a new certificate
(PKCS #12 format) signed by a certificate authority (CA) other than Fortinet.
This feature is not available on the Web-based Manager. However, you can do it with
the following CLI command:
execute admin-cert import {ftp|sftp|scp|tftp} <server_ipv4>
<argument1_str> <argument2_str> <argument3_str>
where:
<argument1_str> For FTP, SFTP or SCP, enter a user name. For TFTP, enter a
directory or file name.
<argument2_str> For FTP, SFTP or SCP, enter a password or -. For TFTP,
enter a file name or PKCS #12 file password or -.
<argument3_str> For FTP, SFTP or SCP, enter a directory or file name. For
TFTP, enter a PKCS #12 file password or -.
Web services are automatically encrypted with SSL (HTTPS). The FortiAnalyzer unit
automatically generates a self-signed public certificate. To view the public certificate,
in the CLI, enter the command:
get system ws-cert
You can use this auto-generated certificate, or you can replace it with your own
certificate using the associated set command. FortiManager units with which the
FortiAnalyzer unit is registered will automatically accept the new certificate.
For more information on HTTPS access to the Web-based Manager and web services,
see Configuring the network interfaces on page 87.
8. Devices
The Devices menu controls connection attempt handling, permissions, disk space
quota, and other aspects of devices that are connected to the FortiAnalyzer unit for
remote logging, DLP archiving, quarantining, and/or remote management.
For information on traffic types, ports and protocols that FortiAnalyzer units use to
communicate with other devices and services, see the Knowledge Base article Traffic
Types and TCP/UDP Ports used by Fortinet Products.
This section contains the following topics:
Configuring connections with devices & their disk space quota
Configuring device groups
Classifying FortiGate network interfaces
Configuring connections with devices & their disk space quota
The device list displays devices that are allowed to connect to the FortiAnalyzer unit
including their connection permissions. The list may also display unregistered devices
attempting to connect.
Connection attempts occur when a device sends traffic to the FortiAnalyzer unit before
you have added the device to the FortiAnalyzer unit. The FortiAnalyzer unit either ignores
the connection attempt, or automatically adds the device to its device list as either a
registered or unregistered device. This connection attempt handling depends on:
the type of the device that is attempting to connect;
your selections in Unregistered Options; and
whether the maximum number of devices has been reached on the FortiAnalyzer
unit.
For more information on:
connection attempt handling, see Configuring unregistered device options on
page 157.
the device number maximum, see Maximum number of devices on page 150.
manually adding a device to the device list, see Manually configuring a device or
HA cluster on page 152.
Adding a device to the device list configures connections from the device but does not
automatically establish a connection. You need to configure the device to send traffic
to the FortiAnalyzer unit to establish a connection. For more information, see the
FortiOS Handbook, FortiMail Administration Guide, FortiManager Administration
Guide, FortiClient Administrator's Guide, FortiWeb Administration Guide, or your syslog
server's documentation.
Note: Connection attempts not handled by the device list include log aggregation, log
forwarding, and SNMP traps. For more information about configuring connection handling
for those types, see Configuring log aggregation on page 123, Configuring log
forwarding on page 126, and Configuring the SNMP agent on page 118.
Due to the nature of connectivity for certain high availability (HA) modes, FortiGate
units in an HA cluster may not be able to send full DLP archives and quarantine data.
For more information, see the FortiOS Handbook.
You may want to block connection attempts from devices that you do not want to add
to the device list, since connection attempts must be reconsidered with each attempt.
For more information, see Blocking unregistered device connection attempts on
page 158.
Devices may automatically appear on the device list when the FortiAnalyzer unit
receives a connection attempt, according to your configuration of Unregistered
Options, but devices may also automatically appear as a result of importing log files.
For more information, see Importing a log file on page 180.
To view the device list, go to Devices > All Devices > Allowed.
Figure 76: Device list
Note: Hover your cursor over an item to display more information.
Depending on your column display settings, the columns appearing may vary.
Create New Select to manually add a new device to the device list.
For information about how to manually add devices, see Manually
configuring a device or HA cluster on page 152.
Edit Reconfigure the selected device connection and retrieve the device's
logs if required. For more information, see To edit a device and retrieve
the device's logs on page 155.
Delete Remove the selected devices from the list. You cannot delete a device
that is referenced elsewhere in the configuration, such as by being
assigned to a device group. To delete the device, first remove all
configuration references to that device.
If you use the default proprietary indexed file storage system for log
storage, once a device is removed from the device list, the associated
logs and other data, such as DLP archives and the default report profile
for the device (that is, the device summary report
Default_<device_name>) are deleted. Reports that may have been
already generated from the device's log data, however, are not deleted.
If you use the local SQL file storage system for log storage, once a
device is removed from the device list, the associated logs are not
deleted. To delete the logs, use the command execute sql-local
remove-device. This command does not remove reports that may
have been already generated from the device's log data.
If the device is still configured to attempt to connect to the
FortiAnalyzer unit and you have configured Unregistered Device
Options to display connection attempts from unregistered devices, the
device may reappear in the device list.
Register This option only appears if you select an unregistered device.
Change a selected unregistered device into a registered one.
When the Register Device page appears, enter a name for the device,
and modify other settings if required. Click OK. The device appears in
the Allowed device list.
For more information on registering a device, see Manually configuring
a device or HA cluster on page 152.
Block Stop further connection attempts. This option appears if the selected
device is an unregistered device. For more information about
blocking a device, see Blocking unregistered device connection
attempts on page 158.
Column Display Settings Select to change the columns to view and the order they
appear on the page. For more information, see Displaying and arranging log
columns on page 168.
Search Enter the partial or the full name of a device and select the one you
want from the list to view or edit.
Name The name of the device in the device list. This can be any descriptive
name that you want assigned to it, and does not need to be its host
name.
Select the arrow beside Name to list the devices in either ascending or
descending order.
An orange exclamation point (!) icon before a device name indicates
that the device is connecting to the FortiAnalyzer unit and the device's
time zone is not synchronized with the FortiAnalyzer unit's time zone.
Model The model of the device. For example, the device list displays a
FortiGate-400A model as FGT400A.
Unregistered vs. registered devices
Devices > All Devices > Allowed displays devices, both registered and unregistered,
that have attempted to connect to the FortiAnalyzer unit.
A registered device can use all features of the FortiAnalyzer unit, while an unregistered
device cannot use most of the FortiAnalyzer units features unless you add/register it.
IP Address The IP address of the device. If the device has not recently established
a connection, 0.0.0.0 appears.
Log, DLP, Quar, IPS Mouse over an icon to view when the FortiAnalyzer unit last
received logs or data from the device. The icon indicates whether:
there are any logs or data the FortiAnalyzer unit received from the
device
logs are disabled on the device
it is an unregistered device
Only FortiGate units can send DLP archives, quarantine files, and IPS
files to the FortiAnalyzer unit.
Secure Indicates whether IPSec VPN tunnelling has been enabled for secure
transmission of logs, content and quarantined files.
Caution: A locked icon indicates that secure connection is enabled, but
not necessarily fully configured, and the tunnel may not be up. For more
information, see Configuring IPSec secure connections on page 151.
Quota Usage The amount of the FortiAnalyzer disk space allocated for the device and
how much of that space is used. For information on configuring disk
space usage by quarantined files, see the FortiAnalyzer CLI Reference.
Virtual Domains The number of VDOMs on the device.
Type The type of the device: FortiGate unit, FortiManager unit, FortiMail unit,
FortiWeb unit, FortiClient installation, or syslog server.
ADOM The ADOMs to which the device is assigned.
This column does not appear:
on FortiAnalyzer-100 models
when ADOM is disabled on the FortiAnalyzer unit.
For more information about ADOM, see Administrative Domains
(ADOMs) on page 48.
Mode Indicates whether the device is a standalone unit or part of a cluster.
Show Select the type of devices to display in the list. You can select devices
by type, or select Unregistered to display devices that are attempting to
connect but that have not yet been registered or added.
Current Page By default, the first page of the list of items is displayed. The total
number of pages displays after the current page number. For example,
if 2/10 appears, you are currently viewing page 2 of 10 pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
Note: Generic syslog devices cannot be used for features such as reports or DLP archives, and
therefore cannot be registered.
By default, all supported Fortinet devices are discovered and listed as registered devices, and all generic syslog devices are discovered and listed as unregistered devices. You can change this behaviour. For more information, see Configuring unregistered device options on page 157.
You can also manually add or register a device. For more information, see Manually configuring a device or HA cluster on page 152.
Maximum number of devices
Each FortiAnalyzer model is designed to support and provide effective logging and reporting capabilities for up to a maximum number of devices (registered and unregistered combined). Table 12 details these maximums.
To view the number of devices currently attempting to connect, see License Information widget on page 63.
For networks with more demanding logging scenarios, an appropriate device ratio may be less than the allowed maximum. Performance will vary according to your network size, device types, logging thresholds, and many other factors. When choosing a FortiAnalyzer model, consider your network's log frequency, and not only your number of devices.
A VDOM or HA cluster counts as a single device towards the maximum number of allowed devices. Multiple FortiClient installations (which can number up to the limit of allowed FortiClient installations) also count as a single device.
For example, a FortiAnalyzer-100B could register up to any one of the following:
100 devices
99 devices and 100 FortiClient installations
99 devices and one HA pair
91 devices and 9 VDOMs
Table 12: FortiAnalyzer device limits

FortiAnalyzer model        Max. devices and/or   Max. FortiClient        FortiGate   FortiManager   FortiMail   FortiWeb
                           VDOMs allowed         installations allowed   models      models         models      models
FortiAnalyzer-100B/100C    100                   100                     All         All            All         All
FortiAnalyzer-400B         200                   2000                    All         All            All         All
FortiAnalyzer-800/800B     500                   5000                    All         All            All         All
FortiAnalyzer-1000B        2000                  No restrictions         All         All            All         All
FortiAnalyzer-1000C        2000                  No restrictions         All         All            All         All
FortiAnalyzer-2000/2000A   2000                  No restrictions         All         All            All         All
FortiAnalyzer-2000B        2000                  No restrictions         All         All            All         All
FortiAnalyzer-4000A/4000B  2000                  No restrictions         All         All            All         All
When devices attempt to connect to a FortiAnalyzer unit that has reached its maximum number of allowed devices, the FortiAnalyzer unit will reject connection attempts by excess devices, and automatically add those excess devices to the list of blocked devices. For more information about blocked devices, see Blocking unregistered device connection attempts on page 158.
When the FortiAnalyzer unit has reached its maximum number of allowed devices, you will not be able to add devices to the device list. To resume adding devices, you must first block a device that is currently on your device list, then unblock the device you want to add and add it to the device list.
Configuring IPSec secure connections
For secure transmission of logs, content archives, and quarantined files, you can
configure an IPSec VPN tunnel between the FortiAnalyzer unit and FortiGate devices or
HA clusters, and FortiManager devices.
For more information on the CLI commands used for secure connection, see the
FortiAnalyzer CLI Reference, FortiGate CLI Reference, and FortiManager CLI
Reference.
To configure a secure connection on a FortiAnalyzer unit
On the FortiAnalyzer CLI, enter the following commands:
config log device
    edit <device_name>
        set secure psk
        set psk <preshared-key_str>
        set id <fortigates_device_name_on_the_fortianalyzer | fortimanager-serial-number_str>
    end
To configure a secure connection on a FortiGate unit
On the FortiGate CLI, enter the following commands:
config log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
    set encrypt enable
    set psksecret <preshared-key_str>
    set localid <fortigates_device_name_on_the_fortianalyzer>
end
The pre-shared key must be identical on both ends, and the localid set on the FortiGate unit must match the id configured for that device on the FortiAnalyzer unit. If either differs, the tunnel does not come up, even though the Secure column already shows a locked icon once the setting is enabled.
Note: You must configure the secure tunnel on both ends of the tunnel, the FortiAnalyzer unit and the device.
Note: Changing a device's FortiAnalyzer settings clears sessions to that IP address. If the FortiAnalyzer unit is behind a NAT device, such as a FortiGate unit, this also resets sessions to other hosts behind that same NAT. To prevent disruption of other devices' traffic, on the NAT device, create a separate virtual IP for the FortiAnalyzer unit.
Note: To enable and configure secure connection on a FortiGate HA cluster, configure the primary device in the cluster. The primary device will synchronize the configuration with its members.
To configure a secure connection on a FortiManager system
On the FortiManager CLI, enter the following commands:
config fmsystem log fortianalyzer
    set secure_connection enable
    set psk <preshared-key_str>
    set localid <fortianalyzer_serial_number_str>
end
Manually configuring a device or HA cluster
You can add devices to the FortiAnalyzer unit's device list either manually or automatically. If you have configured Unregistered Options to automatically add known device types, you may only need to manually add unknown device types such as a generic syslog server. If you have configured Unregistered Options to list all devices as unregistered, you may be required to add all devices manually. For more information, see Configuring unregistered device options on page 157.
If the device has already been automatically added, it was added to the device list using default settings. You can reconfigure the device connection by manually editing the device in the device list.
All FortiClient installations are added as a single device, rather than as one device configuration per FortiClient installation, and their log messages are stored together. Use the FortiAnalyzer reporting features to obtain network histories for individual FortiClient installations.
You must add the FortiManager system to the FortiAnalyzer device list for the FortiAnalyzer unit to be remotely administered by the FortiManager system. Additionally, you must also:
enable web services on the FortiAnalyzer network interface that will be connected to the FortiManager system. See Configuring and using FortiAnalyzer web services on page 91;
register the FortiAnalyzer unit with the FortiManager system. See the FortiManager Administration Guide;
be able to connect from your computer to the Web-based Manager of both the FortiManager system and the FortiAnalyzer unit.
To manually add a device or HA cluster
1 Go to Devices > All Devices > Allowed.
2 Do one of the following:
To add unregistered devices, at the bottom of the page, select Unregistered from
Show. Select an unregistered device and select Register.
To add other devices, select Create New.
Figure 77: Add a device to an HA cluster
3 Enter the appropriate information.
Device Type: Select the device type. The type is automatically pre-selected if you are adding an unregistered device from the device list, or if you are editing an existing device. Other device options vary by the device type.
Device Name: Enter a name to represent the device, such as FG-1000-1. This can be any descriptive name that you want to assign to it, and does not need to be its host name. The device name is automatically pre-entered if you are adding a FortiClient installation.
IP Address: Enter the IP address of the device. This option appears only if Device Type is Syslog.
Device ID: Enter the device ID. Device IDs are usually the serial number of the device, and usually appear on the dashboard of the device's web-based manager. The device ID is automatically pre-entered if you are adding an unregistered device from the device list, or if you are editing an existing device. This option does not appear if Device Type is Syslog or FortiClient.
Cluster ID (primary member): Enter the ID of the primary member in an HA cluster. This option appears only if Mode is HA.
Disk Allocation (MB): Enter the amount of hard disk space allocated to the device's log and content messages, including quarantined files. The allocated space should be at least 10 times the log rolling size for the Log and DLP archive. For example, if you set the log and DLP archive log file roll size to 50 MB, allocate at least 500 MB of disk space for the device. Amounts following the disk space allocation field indicate the amount of disk space currently being used by the device, and the total amount of disk space currently available on the FortiAnalyzer unit.
When Allocated Disk Space is All Used: Select either Overwrite Oldest Files or Stop Logging to indicate what the FortiAnalyzer unit should do when the allocated disk space has been used. Either choice loses data once the quota is full (new logs with Stop Logging, the oldest logs with Overwrite Oldest Files), so monitor Quota Usage in the device list. For more information about disk space allocation, see System Resources widget on page 65.
Device Privileges: Select the connection privileges of the device, such as for sending and viewing log files, DLP archives and quarantined files. Available permissions vary by device type.
    Note: Remotely accessing logs, DLP archive logs and quarantined files is available on FortiGate units running firmware v4.0 or later.
Description: Enter any additional information on the device. Description information appears when you move the mouse over a device name in the device list.
Mode: If you are adding a single unit, select Standalone.
    If you are adding an HA cluster, select HA, then select the devices other than the primary member of the cluster from Available Devices (devices on the FortiAnalyzer unit's device list) and move them to Membership using the right pointing arrow. The devices are added to the HA cluster. You can also manually enter a device ID in the field under Available Devices and select Add to put it into the HA cluster. Although the manually entered devices will not appear in the device list, since they are not added to the FortiAnalyzer unit, they can communicate with the FortiAnalyzer unit through the primary device of the cluster because the primary device synchronizes the configuration with its members.
    All device models in an HA cluster must be the same. The FortiAnalyzer unit checks the first six digits of each device ID to ensure consistency.
    This option appears only if Device Type is FortiGate or FortiManager.
4 Select OK.
The device appears in the device list. After registration, some device types can be configured for secure connection. For more information, see Secure on page 149.
To edit a device and retrieve the device's logs
1 Go to Devices > All Devices > Allowed.
2 Select a device and click Edit.
3 Modify the device configuration as required. For more information, see To manually
add a device or HA cluster on page 152.
4 If you want to manually retrieve logs from this device, click Retrieve Logs.
5 Click OK.
Manually adding a FortiGate unit using the Fortinet Discovery Protocol
If you configure the FortiAnalyzer unit to respond to Fortinet Discovery Protocol (FDP)
packets, FortiGate units running FortiOS v4.0 MR1 or higher can use FDP to locate a
FortiAnalyzer unit. Both units must be on the same subnet to use FDP, and they also
must be able to connect using UDP. For more information, see About Fortinet
Discovery Protocol on page 91.
When a FortiGate administrator selects Automatic Discovery, the FortiGate unit sends
FDP packets to locate FortiAnalyzer units on the same subnet. If FDP has been
enabled for its interface to that subnet, the FortiAnalyzer unit will respond. Upon
receiving an FDP response, the FortiGate unit knows the IP address of the
FortiAnalyzer unit, and the administrator can configure the FortiGate unit to begin
sending log, DLP archive, and/or quarantine data to that IP address. When the
FortiGate unit attempts to send data to the FortiAnalyzer unit, the FortiAnalyzer unit
detects the connection attempt.
Connection attempts from devices not registered in the FortiAnalyzer unit's device list may not be automatically accepted. In this case, you may need to manually add the device to the device list. For more information, see Configuring unregistered device options on page 157.
For a diagram of traffic types, ports and protocols that FortiAnalyzer units use to
communicate with other devices and services, see the Knowledge Base article Traffic
Types and TCP/UDP Ports used by Fortinet Products.
To enable the FortiAnalyzer unit to reply to FDP packets
1 Go to System > Network > Interface.
2 Select Edit for the network interface that should reply to FDP packets.
Figure 78: Enable FDP packets on an interface
3 Enable Fortinet Discovery Protocol.
4 Select OK.
The FortiAnalyzer unit is now configured to respond to FDP packets on that network interface, including those from the FortiGate units' Automatic Discovery feature. For more information about connecting the FortiGate unit using FDP, see To connect a FortiGate unit to a FortiAnalyzer unit using FDP on page 157.
To connect a FortiGate unit to a FortiAnalyzer unit using FDP
This procedure is based on the FortiOS v4.0 MR2 release and may change in future
releases.
On the FortiGate unit CLI, enter
config log fortianalyzer setting
    set address-mode auto-discovery
end
The FortiGate unit sends FDP packets to other hosts on the FortiGate unit's subnet. If a FortiAnalyzer unit exists on the subnet and is configured to reply to FDP packets, it sends a reply.
If your FortiGate unit is connecting to a FortiAnalyzer unit from another network, such as through the Internet or through other firewalls, this may fail to locate the FortiAnalyzer unit, and you may need to configure an IPSec VPN tunnel to facilitate the connection. For more information and examples, see the Knowledge Base article Sending remote FortiGate logs to a FortiAnalyzer unit behind a local FortiGate unit.
For more information about configuring FortiGate unit quarantining, DLP archiving,
and/or remote logging, see the FortiGate Administration Guide.
Configuring unregistered device options
You can configure the FortiAnalyzer unit to accept and handle connection attempts
from Fortinet devices (known devices) or generic syslog devices (unknown devices)
automatically.
To configure device connection attempt handling, go to
Devices > All Devices > Unregistered Options.
Figure 79: Unregistered Device Options
Note: Due to the nature of connectivity for certain high availability (HA) modes, full DLP archiving
and quarantining may not be available for FortiGate units in an HA cluster. For more
information, see the FortiGate HA Overview.
Unregistered Device Options apply to all device types attempting to connect, not just
FortiGate units.
Blocking unregistered device connection attempts
FortiAnalyzer units support a maximum number of devices, including registered and
unregistered devices combined. For more information, see FortiAnalyzer device
limits on page 150. Blocking unregistered devices prevents them from being able to
connect to the FortiAnalyzer unit and therefore can free up spots on the unit.
Devices may automatically appear on your list of blocked devices. This can occur
when devices attempt to connect after the maximum number of allowed devices has
been reached.
To view, delete, or unblock blocked devices, go to Devices > All Devices > Blocked.
Known Device Types (FortiGate, FortiManager, FortiClient, FortiMail, FortiWeb)
Ignore connection and log data: Select to deny any connection attempts and log-sending to the FortiAnalyzer unit from Fortinet devices. This option does not apply to manually added devices. For more information on adding a device manually, see Manually configuring a device or HA cluster on page 152.
Allow connection, add to unregistered table, but ignore log data: Select to allow the devices to connect but list them as unregistered devices. The FortiAnalyzer unit will ignore any logs sent from the devices until you manually register them.
Allow connection, register automatically, and store up to: Select to allow the connection and automatically register the devices. The FortiAnalyzer unit will store a specified amount of log data from the devices.
Unknown Device Type (Generic Syslog Devices)
Ignore all unknown unregistered devices: Select to deny any connection attempts from all unknown syslog devices. This option does not apply to manually added devices. For more information on adding a device manually, see Manually configuring a device or HA cluster on page 152.
Add unknown unregistered devices to unregistered table, but ignore data: Select to list unknown syslog devices as unregistered devices and ignore any logs sent from these devices.
Add unknown unregistered devices to unregistered table, and store up to: Select to list unknown devices as unregistered, and allow the FortiAnalyzer unit to store a specified amount of log data from these devices. The default amount of storage space is 1000 MB. The available MB of data is determined by how much is currently available on your FortiAnalyzer unit, which fluctuates and is never a fixed number.
Note: Many FortiAnalyzer features are not available for unregistered devices of unknown types.
For more information about the differences between unregistered and registered devices,
see Unregistered vs. registered devices on page 149.
Both registered and unregistered devices count towards the maximum number of devices
available for a FortiAnalyzer unit. Too many unregistered devices will prevent you from
adding a device. For more information, see Manually configuring a device or HA cluster
on page 152.
When devices attempt to connect to a FortiAnalyzer unit that has reached its maximum
number of allowed devices, the FortiAnalyzer unit will reject connection attempts by
excess devices, and automatically add those excess devices to the list of blocked
devices. For more information about blocked devices, see Blocking unregistered device
connection attempts on page 158.
Figure 80: Blocked devices
Unblock: Register a selected device to the FortiAnalyzer unit's device list. When the Register Device page appears, enter a name for the device, and modify other settings if required. Select OK. The device appears in the Allowed device list. For more information on registering a device, see Manually configuring a device or HA cluster on page 152.
Delete: Remove a selected device from the list of blocked devices. If the device attempts to connect to the FortiAnalyzer unit, it may appear in the device list as an unregistered device, according to your configuration of Unregistered Device Options. For more information, see Configuring unregistered device options on page 157.
Device ID: The unique ID or serial number of the blocked device.
Hardware Model: The type of device, such as FortiGate, FortiManager, FortiMail, FortiClient, FortiWeb, or syslog server.
IP Address: The IP address of the blocked device.
To block a device
1 Go to Devices > All Devices > Allowed.
2 At the bottom of the page, from Show, select Unregistered.
Figure 81: Block a device
3 Mark the check box of the unregistered device that you want to block, then click
Block.
The device appears in the blocked devices list (Devices > All Devices > Blocked).
Configuring device groups
When you have multiple devices belonging to a department or section of your
organization, you may want to create device groups to simplify log browsing or report
configuration.
A device can belong to multiple groups; however, the device cannot be deleted from
the device list until it is removed from all groups.
To view device groups, go to Devices > Group > Device Group.
Figure 82: Device groups
Show: Select the device group type to display, such as FortiGate, FortiManager, FortiMail or syslog groups.
Group Name: The name of the device group.
Members: The names of devices that belong to the device group.
To configure a device group
1 Go to Devices > Group > Device Group.
2 Select Create New to configure a new device group, or select the Edit icon to reconfigure an existing device group.
Group Name: Enter a name for the device group.
Group Type: Select the device group type that you want to create. You can choose FortiGate Group, FortiMail Group, FortiManager Group, FortiWeb Group, or Syslog Group. When you select a group type, the devices that are available to that group appear in the Available Devices field. FortiClient installations are treated as a single device, and so cannot be configured as a device group.
Available Devices: The available devices for the group type you select in Group Type. Select a device and then use the right arrow to move it to the Members field.
Members: The devices that belong to the group you are creating. If you want to remove a device from the Members field, select the device and then select the left arrow to remove it.
3 Select OK.
Classifying FortiGate network interfaces
After a FortiGate unit is added to the FortiAnalyzer unit, you need to assign each FortiGate network interface to a network interface class (None, LAN, WAN, or DMZ) based on your FortiGate network interface usage. Traffic between classes determines traffic flow directionality for reports.
Through the FortiAnalyzer CLI command config log device, you can classify network interfaces and VLAN subinterfaces according to their connections in your network topology. Functionally classifying the device's network interfaces and VLAN subinterfaces as None, LAN, WAN or DMZ indirectly defines the directionality of traffic flowing between those network interfaces. For example, FortiAnalyzer units consider log messages of traffic flowing from a WAN class interface to a LAN or DMZ class interface to represent incoming traffic.
Some report types for FortiGate devices include traffic direction, inbound or outbound traffic flow. When the FortiAnalyzer unit generates reports involving traffic direction, the FortiAnalyzer unit compares values located in the source and destination interface
fields of the log messages with your defined network interface classifications to
determine the traffic directionality.
The table below illustrates the traffic directionality derived from each possible combination of source and destination interface class.
Table 13: Traffic directionality by class of the source and destination interface

Source interface class   Destination interface class   Traffic direction
None                     All types                     Unclassified
All types                None                          Unclassified
WAN                      LAN, DMZ                      Incoming
WAN                      WAN                           External
LAN, DMZ                 LAN, DMZ                      Internal
LAN, DMZ                 WAN                           Outgoing

For more information on classifying FortiGate network interfaces, see the FortiAnalyzer CLI Reference.
Example:
Your FortiGate unit has four interfaces, port1 to port4. Port1 is connected to the WAN; port2 and port3 are connected to the LAN; and port4 is connected to the DMZ.
In this case, traffic from port1 (WAN) to port2 (LAN) is considered incoming, while traffic from port2 to port1 is considered outgoing. Traffic between port2 and port3, or between port3 and port4, is internal, and traffic through any interface left as class None is unclassified in direction-based reports.
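The mapping in Table 13, applied to raw key=value traffic log lines, as an added example. This is Python written for this page, not code from the FortiAnalyzer product or from the guide. The interface-to-class map mirrors the four-port example above; the log lines, the device name and all field names other than src_int and dst_int (which the guide shows in its raw-log examples) are constructed for illustration, and port5 is deliberately left out of the map to show what an interface of class None yields.

```python
"""Traffic direction from FortiGate interface classes (Table 13).

Added example for this page, not FortiAnalyzer code. The class map and the
log lines are constructed; only the src_int/dst_int field names come from
the guide's own raw-log examples.
"""
import re

# Interface classes assigned with the FortiAnalyzer CLI command `config log device`.
CLASSES = ("None", "LAN", "WAN", "DMZ")


def classify_direction(src_class: str, dst_class: str) -> str:
    """Return the direction for a (source class, destination class) pair.

    Implements Table 13 row by row: None on either side is Unclassified,
    WAN->LAN/DMZ is Incoming, WAN->WAN is External, LAN/DMZ->LAN/DMZ is
    Internal, LAN/DMZ->WAN is Outgoing. Unknown class names are rejected
    rather than silently mapped, so a typo in a class map cannot skew reports.
    """
    for cls in (src_class, dst_class):
        if cls not in CLASSES:
            raise ValueError(f"unknown interface class: {cls!r}")
    if src_class == "None" or dst_class == "None":
        return "Unclassified"
    if src_class == "WAN":
        return "External" if dst_class == "WAN" else "Incoming"
    # src_class is LAN or DMZ
    return "Outgoing" if dst_class == "WAN" else "Internal"


# key=value pairs; values may be double-quoted and contain spaces or escaped quotes.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line: str) -> dict:
    """Parse one raw FortiGate-style log line into a dict of field -> value."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def direction_for_log(line: str, iface_classes: dict) -> str:
    """Classify a raw traffic log line using a per-interface class map.

    An interface missing from the map, or a log line without src_int/dst_int,
    is treated as class None, which is exactly what an unclassified FortiGate
    interface produces: Unclassified, never a guess.
    """
    fields = parse_log_line(line)
    src = iface_classes.get(fields.get("src_int", ""), "None")
    dst = iface_classes.get(fields.get("dst_int", ""), "None")
    return classify_direction(src, dst)


def summarize(lines, iface_classes) -> dict:
    """Count lines per direction: a quick sanity check of a class map before
    trusting direction-based reports (a large Unclassified share means some
    interface was never classified)."""
    counts = {}
    for line in lines:
        direction = direction_for_log(line, iface_classes)
        counts[direction] = counts.get(direction, 0) + 1
    return counts


# Constructed class map for the four-port topology in the text; port5 is
# intentionally unclassified.
IFACE_CLASSES = {"port1": "WAN", "port2": "LAN", "port3": "LAN", "port4": "DMZ"}

# Constructed sample lines (not real device output).
SAMPLE_LOGS = [
    'date=2012-02-29 time=10:00:01 devname=FG-1000-1 type=traffic src_int=port1 dst_int=port2 srcip=203.0.113.5 dstip=192.168.30.2 service=HTTP msg="accept"',
    'date=2012-02-29 time=10:00:02 devname=FG-1000-1 type=traffic src_int=port2 dst_int=port1 srcip=192.168.30.2 dstip=203.0.113.5 service=HTTPS msg="accept"',
    'date=2012-02-29 time=10:00:03 devname=FG-1000-1 type=traffic src_int=port2 dst_int=port3 srcip=192.168.30.2 dstip=192.168.31.7 service=SMB msg="accept"',
    'date=2012-02-29 time=10:00:04 devname=FG-1000-1 type=traffic src_int=port4 dst_int=port1 srcip=10.10.0.25 dstip=198.51.100.9 service=DNS msg="accept"',
    'date=2012-02-29 time=10:00:05 devname=FG-1000-1 type=traffic src_int=port1 dst_int=port5 srcip=203.0.113.77 dstip=172.16.0.3 service=SSH msg="deny: no policy"',
    'date=2012-02-29 time=10:00:06 devname=FG-1000-1 type=traffic src_int=port1 dst_int=port1 srcip=203.0.113.5 dstip=198.51.100.9 service=HTTP msg="accept"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"{direction_for_log(line, IFACE_CLASSES):12s} {line}")
    print(summarize(SAMPLE_LOGS, IFACE_CLASSES))
```

Run it against an export of your own raw traffic logs with the class map you intend to configure: any line that lands in Unclassified names an interface or VLAN subinterface that still needs a class before direction-based reports can be trusted.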
9. Log & Archive
The Log & Archive menu displays log messages and DLP archives from both other devices and the FortiAnalyzer unit itself.
This section includes the following topics:
Viewing log messages
Browsing log files
Backing up logs and archived files
Configuring rolling and uploading of devices logs
Using eDiscovery
Viewing log messages
Log & Archive > Log Access displays logs for devices that were added to the device
list, as well as the FortiAnalyzer unit itself.
You can view log messages from all devices or a particular device in realtime or within
a specified time frame.
For more information about log messages from FortiGate units, see the FortiGate Log
Message Reference.
To view all log messages, go to Log & Archive > Log Access > All Logs.
Note: FortiAnalyzer units cannot display logs from unregistered devices of unknown types. Add
the device first to view the logs of an unknown type device. For more information about
adding a device to the device list, see Configuring connections with devices & their disk
space quota on page 146.
You may need to reschedule the time when logs are rolled because log file size is now
reduced. For example, log files that are rolled every two months now need to be rolled
every four months. Fortinet recommends upgrading both the FortiGate and FortiAnalyzer
units to v4.0 MR1 firmware and later to take full advantage of this feature.
Note: FortiGate units send log messages to the FortiAnalyzer unit only after a session is closed.
All real-time log messages you view on the FortiAnalyzer unit therefore do not reflect the
real-time activities on the FortiGate units.
Note: The columns that appear reflect the content found in the log file. You can select an item in
a column to display more information.
Depending on your column display settings, the columns appearing may vary.
Figure 83: All device logs.
Show: Select the device or type of device that you want to view logs from. You can select multiple devices.
Timeframe: Select the time frame during which you want to display the logs.
Realtime Log: Click to view the real-time device log messages. After selecting Realtime Log, the Historical Log icon appears. Select it to go back to viewing logs within a specified time frame.
Column Settings: Click to change the columns to view and the order they appear on the page. For more information, see Displaying and arranging log columns on page 168.
Printable Version: Click to download an HTML file containing all log messages that match the current filters. The HTML file is formatted to be printable. Time required to generate and download large reports varies by the total amount of log messages, the complexity of any search criteria, the specificity of your column filters, and the speed of your network connection.
Download Current View: Click to download log files in text (.txt), comma-separated value (.csv), or standard .log (Native) file format. You can also choose to compress the log files in gzipped format before downloading. The downloaded version will match the current log view, containing only log messages that match your current filter settings.
Search: If you use the proprietary indexed file storage system (Disabled selected under System > Config > SQL Database), enter a keyword to perform a simple search on the available log information, then press the Enter key to begin the search.
    If you use the SQL database (Local Database or Remote Database enabled under System > Config > SQL Database), you need to enter <field_name>=value, such as device_id=FG600B3909601460, to perform a simple search on the available log information, then press the Enter key to begin the search. Log field names and values can be found in logs of raw format (see Change Display Options on page 165), such as device_id=FG600B3909601460, src_int=port1, or dstname=192.168.30.2.
Advanced Search: Select to search the device logs for matching text using two search types: Quick Search and Full Search. For more information, see Searching the logs on page 170.
Last Activity: The date and time the log was received by the FortiAnalyzer unit.
Device ID: The ID of the device that sent the log.
Type: The log type.
Level: The severity level of the log.
Device Time: The date and time when events occurred on the devices that sent the logs.
Timestamp: The date and time when logs were received by the FortiAnalyzer unit. Comparing Timestamp with Device Time reveals clock skew on a device; unsynchronized clocks make timelines built across several devices unreliable.
Details: The detailed information of the log.
Other Columns: There are over 100 other columns that can be selected, depending on the log type selected.
View n per page: Select the number of rows of log entries to display per page. You can choose up to 1000 entries.
Current Page: Enter a page number, then press Enter to go to the page.
Change Display Options: Select a view of the log file. Selecting Formatted (the default) displays the log files in columnar format. Selecting Raw displays the log information as it actually appears in the log file.
Note: Log messages received from a log aggregation device are scheduled transfers, not real-time messages, so log aggregation devices do not appear in the Real-time log page. Individual high availability (HA) cluster members also do not appear in the Real-time log page because HA members are treated as a single device. For more information about log aggregation, see Configuring log aggregation on page 123.
To view a type of log, go to Log & Archive > Log Access and select a log type:
Event Log: records all event activities such as an administrator adding a firewall policy on a FortiGate unit.
UTM Log: unified threat management log includes IPS (Attack), Application Control, Web Filter, AntiVirus, Data Leak (DLP), and Email Filter. By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.
IPS (Attack): records all attacks that occur against your network. These log
messages also contain links to the Fortinet Vulnerability Encyclopedia where you
can better assess the attack.
This option does not appear if you enable Show Consolidated UTM Log in System
> Admin > Settings.
Application Control: records the application traffic generated by the applications on
the device.
This option does not appear if you enable Show Consolidated UTM Log in System
> Admin > Settings.
Web Filter: records HTTP device log rating errors, including web content blocking
actions that the device performs.
This option does not appear if you enable Show Consolidated UTM Log in System
> Admin > Settings.
AntiVirus: records virus incidents in Web, FTP, and email traffic.
This option does not appear if you enable Show Consolidated UTM Log in System
> Admin > Settings.
Data Leak (DLP): provides information concerning files, such as email messages
and web pages, that are archived on the FortiAnalyzer unit by the device.
This option does not appear if you enable Show Consolidated UTM Log in System
> Admin > Settings.
Email Filter: records IMAPS, POP3S, and SMTPS email traffic.
This option does not appear if you enable Show Consolidated UTM Log in System
> Admin > Settings.
Traffic log: records all traffic to and through the interfaces on a device.
Vulnerability Scan Log: records the vulnerability scan activities on the device.
VoIP: provides information on VoIP traffic on the device.
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
History: records all mail traffic going through the FortiMail unit.
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
IM: records instant message text, audio communications, and file transfers
attempted by users.
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
Generic Syslog: provides syslog information for the device.
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
All Logs: records all logs received by the FortiAnalyzer unit.
Note: The columns that appear reflect the content found in the log file. You can select an item in
a column to display more information.
Viewing Log Details
Log details can be viewed for any of the collected logs.
To view log details, left-click on any log in the log list. A details window for the selected
log will open.
Customizing the log view
Log messages can be displayed in either Raw or Formatted view.
Raw view displays log messages exactly as they appear in the log file.
Formatted view displays log messages in a columnar format. Each log field in a log
message appears in its own column, aligned with the same field in other log
messages, for rapid visual comparison. When displaying log messages in
Formatted view, you can customize the log view by hiding, displaying and arranging
columns and/or by filtering columns, refining your view to include only those log
messages and fields that you want to see.
To display logs in Raw or Formatted view, go to a page that displays log messages,
such as Log & Archive > Log Access > All Logs, and select Change Display Options >
Raw/Formatted at the bottom of the page. By default, log messages appear in
Formatted view.
Note: The details provided in the details window will vary depending on the type of log
selected.
Note: When selecting Change Display Options for some log types, Resolve Host Name, Resolve
Services, or both may appear in addition to Formatted and Raw.
Resolve Host Name: Select to display recognizable device names rather than IP
addresses. For more information about configuring IP address host names, see
Configuring IP aliases on page 127.
Resolve Services: Select to display the network service names rather than the port
numbers, such as HTTP rather than port 80.
Figure 84: Change display options
If you select Formatted, options appear that enable you to display and arrange log
columns and/or filter log columns. For more information, see Displaying and arranging
log columns and Filtering logs on page 169.
Displaying and arranging log columns
When viewing logs in Formatted view, you can display, hide and re-order columns to
display only relevant categories of information in your preferred order.
For most columns, you can also filter data within the columns to include or exclude log
messages which contain your specified text in that column. For more information, see
Filtering logs on page 169.
To display or hide columns
1 Go to a page which displays log messages, such as Log & Archive > Log Access >
All Logs.
2 Select the Column Settings icon.
Lists of available and displayed columns for the log type appear.
3 Select which columns to hide or display.
In the Available Fields area, select the names of individual columns you want to
display, then select the single right arrow to move them to the Display Fields
area.
Alternatively, to display all columns, select the double right arrow.
In the Display Fields area, select the names of individual columns you want to
hide, then select the single left arrow to move them to the Available Fields area.
Alternatively, to hide all columns, select the double left arrow.
To return all columns to their default displayed/hidden status, select Default.
4 Select OK.
To change the order of the columns
1 Go to a page which displays log messages, such as Log & Archive > Log Access >
All Logs.
2 Select Column Settings.
Lists of available and displayed columns for the log type appear.
3 In the Display Fields area, select a column name whose order of appearance you
want to change.
4 Select the up or down arrow to move the column in the ordered list.
Placing a column name towards the top of the Display Fields list will move the
column to the left side of the Formatted log view.
5 Select OK.
Filtering logs
When viewing log messages in Formatted view, you can filter columns to display only
those log messages that do or do not contain your specified content in that column. By
default, most column headings contain a gray filter icon, which becomes green when a
filter is configured and enabled.
Filters do not appear when viewing logs in Raw view, or for unindexed log fields in
Formatted view. When you are viewing real-time logs, filtering by time is not supported;
by definition of the real-time aspect, only current logs are displayed.
Figure 85: Filter icons
To filter log messages by column contents
1 In the heading of the column that you want to filter, select the Filter icon to open the
log filtering window.
2 If you want to exclude log messages with matching content in this column, select
NOT.
If you want to include log messages with matching content in this column, deselect
NOT.
3 Enter the text that matching log messages must contain.
Matching log messages will be excluded or included in your view based upon
whether you have selected or deselected NOT.
4 Select OK.
A column's Filter icon is green when the filter is currently enabled. You can select
Download Current View to download only log messages which meet the current
filter criteria.
Filtering tips
When filtering by source or destination IP, you can use the following in the filtering
criteria:
a single address (2.2.2.2)
an address range using a wild card (1.2.2.*)
an address range (1.2.2.1-1.2.2.100)
You can also use the Boolean operator (or) to indicate mutually exclusive choices:
1.1.1.1 or 2.2.2.2
1.1.1.1 or 2.2.2.*
1.1.1.1 or 2.2.2.1-2.2.2.10
Most column filters require that you enter the column's entire contents to successfully
match and filter contents; partial entries do not match the entire contents, and so will
not create the intended column filter.
For example, if the column contains a source or destination IP address (such as
192.168.2.5), to create a column filter, enter the entire IP address to be matched. If
you enter only one octet of the IP address, (such as 192) the filter will not completely
match any of the full IP addresses, and so the resulting filter would omit all logs, rather
than including those logs whose IP address contains that octet.
Exceptions to this rule include columns that contain multiple words or long strings of
text, such as messages or URLs. In those cases, you may be able to filter the column
using a substring of the text contained by the column, rather than the entire text
contained by the column.
Searching the logs
When viewing device logs and archived files, you may find that some have a button
called Advanced Search. You can use the button to search the device's log files for
matching text using two search types: Quick Search and Full Search. For more
information, see Viewing log messages on page 163 and Viewing DLP archives on
page 173.
You can use Quick Search to find results more quickly if your search terms are
relatively simple and you only need to search indexed log fields. Indexed log fields are
those that appear with a filter icon when browsing the logs in column view; unindexed
log fields do not contain a filter icon for the column or do not appear in column view,
but do appear in the raw log view. Quick Search keywords cannot contain:
special characters such as single or double quotes (' or ") or question marks (?)
wild card characters (*), except as the last character of a keyword (logi*)
You can use Full Search if your search terms are more complex, and require the use of
special characters or log fields not supported by Quick Search. Full Search performs
an exhaustive search of all log fields, both indexed and unindexed, but is often slower
than Quick Search.
You can stop any search before the search is complete by selecting the Stop Search
button next to the Search button.
Figure 86: Log search.
Device/Group Select to search logs from the FortiAnalyzer unit (Local Logs), a device, or a
device group.
Time Period Select to search logs from a time frame, or select Specify and define a custom
time frame by selecting the From and To date times.
From Enter the date (or use the calendar icon) and time of the beginning of the
custom time range.
This option appears only when you select Specify.
To Enter the date (or use the calendar icon) and time of the end of the custom
time range.
This option appears only when you select Specify.
Keyword(s) Enter search terms which will match to yield log message search results. To
specify that results must include all, any, or none of the keywords, select
these options in Match.
Search Select to perform a full search. Keywords for a full search may contain special
characters. Full Search examines all log message fields.
Stop Search Select to stop the search before it is completed. This option is grayed out
unless there is a search in progress.
More Options Select the Expand Arrow to hide or expand additional search options.
Match Select how keywords are used to match log messages which comprise
search results.
All Words: Select to require that matching log messages must contain
all search keywords. If a log message does not contain one or more
keywords, it will not be included in the search results.
Any Words: Select to require that matching log messages must contain
at least one of the search keywords. Any log message containing one
or more keyword matches will be included in the search results.
Does Not Contain the Words: Select to require that matching log
messages must not contain the search keywords. If a log message
contains any of the search keywords, it will be excluded from the
search results.
Other Filters Specify additional criteria, if any, that further restrict the search.
Log Type: Select to include only log messages of the specified type. For
example, selecting Traffic would cause search results to include only
log messages containing type=traffic.
Log Level: Select to include only log messages of the specified severity
level. For example, selecting Notice would cause search results to
include only log messages containing pri=notice.
Src IP: Enter an IP address to include only log messages containing a
matching source IP address. For example, entering 192.168.2.1
would cause search results to include only log messages containing
src=192.168.2.1 and/or content log messages containing a client IP
address of 192.168.2.1.
Dst IP: Enter an IP address to include only log messages containing a
matching destination IP address. For example, entering 192.168.2.1
would cause search results to include only log messages containing
dst=192.168.2.1 and/or content log messages containing a server
IP address of 192.168.2.1.
User Name: Enter a user name to include only log messages containing
a matching authenticated firewall user name. For example, entering
userA would cause search results to include only log messages
containing user=userA.
Group Name: Enter a group name to include only log messages
containing a matching authenticated firewall group name. For example,
entering groupA would cause search results to include only log
messages containing group=groupA.
Search tips
If your search does not return the results you expect, but log messages exist that
should contain matching text, examine your keywords and filter criteria using the
following search characteristics and recommendations.
Separate multiple keywords with a space (type=webfilter subtype=activexfilter).
Keywords cannot contain unsupported special characters. Supported characters
vary by selection of Quick Search or Full Search.
Keywords must literally match log message text, with the exception of case
insensitivity and wild cards; resolved names and IP aliases will not match.
Some keywords will not match unless you include both the log field name and its
value (type=webfilter).
Remove unnecessary keywords and search filters which can exclude results. In
More Options, if All Words is selected, for a log message to be included in the
search results, all keywords must match; if any of your keywords do not exist in the
message, the match will fail and the message will not appear in search results. If
you cannot remove some keywords, select Any Words.
You can use the asterisk (*) character as a wild card (192.168.2.*). For example,
you could enter any partial term or IP address, then enter * to match all terms that
have identical beginning characters or numbers.
If you have disabled the SQL database for log storage in System > Config >
SQL Database, you can search for IP ranges, including subnets. For example:
172.16.1.1/24 or 172.16.1.1/255.255.255.0 matches all IP addresses
in the subnet 172.16.1.1/255.255.255.0
172.16.1.1-140.255 matches all IP addresses from 172.16.1.1 to
172.16.140.255
If you have disabled the SQL database for log storage in System > Config >
SQL Database, you can search for URLs in multiple ways, using part or all of the
URL. SQL-based search does not support searching for part of the URL; use
"*/part1/*/part2*/*" instead.
Searching for the full URL may not return enough results if the URL contains
random substrings, such as session IDs. If your search keywords do not return
enough results, try one of the following:
using Full Search
shortening your keyword to the smallest necessary substring of the URL
shortening your keyword to a substring of the URL delimited by slash (/)
characters
The search returns results that match all, any, or none of the search terms, according to
the option you select in Match.
For example, if you enter into Keyword(s):
srcaddr=192.168.* action=login
and from Match you select All Words, log messages for attacks on 192.168.* by
W32/Stration.DU@mm do not appear in the search results. This is because
although the first keyword (the IP address) appears in attack log messages, the
second keyword (the name of the attack) does not appear, and so the match fails. If
the match fails, the log message is not included in the search results.
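The IP matching rules described in the filtering tips above (a single address, an octet wildcard, an address range, terms joined by "or") and in these search tips (CIDR or dotted-netmask subnets, the abbreviated 172.16.1.1-140.255 range form) are also useful when triaging raw logs that have been downloaded from the unit. The following Python is an added example, not FortiAnalyzer code: it parses raw key=value log lines (the sample lines are constructed, not captured from a device) and evaluates a column filter against them. The function names are hypothetical, and the way an abbreviated range end is completed against the start address is my reading of the example on this page, not a documented rule.

```python
"""Evaluate FortiAnalyzer-style IP column filters over raw key=value log lines.

Added example, not FortiAnalyzer code.  Sample log lines are constructed and
the helper names are hypothetical.
"""
import ipaddress
import re
import shlex

# Constructed sample lines in raw key=value form (not captured from a device).
RAW_LOGS = [
    'date=2012-02-29 time=10:15:01 device_id=FG600B3909601460 log_id=32776 type=traffic '
    'pri=information src=192.168.2.5 dst=10.0.0.8 dstport=80 src_int=port1 action=accept',
    'date=2012-02-29 time=10:15:02 device_id=FG600B3909601460 log_id=32777 type=traffic '
    'pri=notice src=192.168.2.77 dst=10.0.0.9 dstport=443 src_int=port1 action=deny',
    'date=2012-02-29 time=10:15:03 device_id=FG600B3909601460 log_id=0419 type=ips '
    'pri=alert src=172.16.5.20 dst=192.168.30.2 dstport=22 action=dropped msg="signature match"',
]


def parse_raw_log(line):
    """Split one raw log line into a dict; quoted values (msg="...") may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def _expand_range_end(start, end):
    """Complete an abbreviated range end: 172.16.1.1-140.255 is read as up to 172.16.140.255.
    Assumption: the page shows this form but does not spell out the rule."""
    start_octets = start.split(".")
    end_octets = end.split(".")
    if len(end_octets) < 4:
        end_octets = start_octets[: 4 - len(end_octets)] + end_octets
    return ".".join(end_octets)


def ip_term_matches(term, addr):
    """Match one filter term against an IP address column value."""
    term = term.strip()
    ip = ipaddress.ip_address(addr)
    if "/" in term:
        # CIDR prefix (172.16.1.1/24) or dotted netmask (172.16.1.1/255.255.255.0)
        return ip in ipaddress.ip_network(term, strict=False)
    if "-" in term:
        start, end = (part.strip() for part in term.split("-", 1))
        end = _expand_range_end(start, end)
        return ipaddress.ip_address(start) <= ip <= ipaddress.ip_address(end)
    if "*" in term:
        # Wildcard octets such as 192.168.2.*
        term_octets = term.split(".")
        return len(term_octets) == 4 and all(
            t == "*" or t == a for t, a in zip(term_octets, addr.split("."))
        )
    try:
        return ip == ipaddress.ip_address(term)
    except ValueError:
        # A partial entry such as "192" is not a complete address and matches nothing,
        # which is the behaviour the filtering tips describe for most column filters.
        return False


def ip_filter_matches(expression, addr, negate=False):
    """Evaluate a whole column filter: terms joined by 'or', optionally inverted with NOT."""
    terms = re.split(r"\s+or\s+", expression.strip(), flags=re.IGNORECASE)
    matched = any(ip_term_matches(term, addr) for term in terms)
    return not matched if negate else matched


def filter_logs(lines, column, expression, negate=False):
    """Return the parsed records whose IP `column` satisfies the filter expression."""
    hits = []
    for line in lines:
        fields = parse_raw_log(line)
        if column in fields and ip_filter_matches(expression, fields[column], negate):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for record in filter_logs(RAW_LOGS, "src", "192.168.2.* or 172.16.1.1-140.255"):
        print(record["log_id"], record["src"], "->", record["dst"])
```

The exact-match branch deliberately treats a bare octet such as 192 as matching nothing rather than as a prefix, mirroring the behaviour the filtering tips describe; use the wildcard form if a prefix match is intended.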
Viewing DLP archives
DLP archiving provides a method of simultaneously logging and archiving copies of
content transmitted over your network, such as email messages and web pages.
FortiGate units can log metadata for common user content-oriented protocols. DLP
logs include information such as the senders, recipients, and the content of email
messages and files. If full DLP archiving is enabled, FortiGate units can also archive a
copy of the associated file or message with the DLP log message. Both FortiGate DLP
archive logs and their associated copies of files or messages can be stored and
viewed remotely on a FortiAnalyzer unit, leveraging its large storage capacity for large
media files that can be common with multimedia content. When DLP archives are
received by the FortiAnalyzer unit, you can use data filtering similar to other log files to
track and locate specific email or instant messages, or to examine the contents of
archived files.
For more information about how to configure the FortiGate unit to send DLP archives
to the FortiAnalyzer unit, see the FortiGate Administration Guide.
You can view DLP archives of these types:
IPS Packet
Quarantine
Web
Email
FTP
IM
VoIP Log
MMS (By default, this option is not available. To make it appear, you need to enable
it in System > Admin > Settings.)
You can view full and/or summary DLP archives. Summary DLP archives are those
which contain only a log message consisting of summary metadata. Full DLP archives
are those which contain both the summary and a hyperlink to the associated archived
file or message. For example, if the FortiAnalyzer unit has a full DLP archive for an
email message, the subject log field of email DLP archives contains a link that enables
you to view that email message. If the FortiAnalyzer unit has only a DLP archive
summary, the subject field does not contain a link.
A full or summary DLP archive varies by:
whether the device is configured to send full DLP archives
whether the content satisfies DLP archiving requirements
whether the FortiAnalyzer unit has the file or message associated with the summary
log message (that is, full DLP archives do not appear if you have deleted the
associated file or message)
For more information about requirements and configuration of DLP archiving, see the
FortiGate Administration Guide.
To view DLP archives, go to Log & Archive > Archive Access. Select a DLP archive
type. Each type has similar controls.
Figure 87: DLP log archive
Note: The columns that appear reflect the content found in the archive file. You can select an
item in a column to display more information.
Show To view the archives from a single FortiGate unit, select the FortiGate
unit from the list. Select All FortiGates to view a combined list of
archives from all the configured FortiGate units.
Timeframe Select a time frame to display only the archived files from the
specified period. Select Any time to display all the archived files.
Column Settings Select to change the columns to view and the order they appear on
the page. For more information, see Displaying and arranging log
columns on page 168.
Note: This option is not available for the Quarantine type.
Printable Version Select to download an HTML file containing all DLP archive
summaries that match the current filters. The HTML file is formatted
to be printable.
Time required to generate and download large reports varies by the
total number of log messages, the complexity of any search criteria,
the specificity of your column filters, and the speed of your network
connection.
Note: This option is not available for the Quarantine type.
Download Current View Select to download a copy of the archived file with the current filters
applied. For example, if you have a filter applied to display only the
entries with a particular URL, selecting Download Current View will
allow you to download a log file with only the entries related to the
URL configured in the filter.
Note: This option is not available for the Quarantine type.
Delete associated DLP archive files Select to delete the links of all DLP archive files to the currently
selected device, not the file records.
Note: This option is not available for IPS Packet, Quarantine, and
VoIP archive.
Search If you choose to use the proprietary indexed file storage system by
selecting Disabled under System > Config > SQL Database, enter a
keyword to perform a simple search on the available log information,
then press Enter to begin the search.
If you choose to use SQL database by enabling Local Database or
Remote Database under System > Config > SQL Database, you need
to enter <field_name>=value, such as
device_id=FG600B3909601460 to perform a simple search on
the available log information, then press the Enter key to begin the
search. Log field names and values can be found in logs of raw
format (see Change Display Options on page 176), such as
device_id=FG600B3909601460, log_id=32776, or
pri=information.
Note: This option is not available for the Quarantine type.
View n per page Select the number of log entries to display per page.
Current Page Enter a page number, then press Enter to go to the page.
Change Display Options Select a view of the archive file. This option is not available for the
Quarantine type.
Resolve Host Name: Select to view the IP alias instead of the client's
IP address. You must configure the IP aliases on the FortiAnalyzer
unit for this setting to take effect. For more information, see
Configuring IP aliases on page 127. This option is not available for
the Email type.
Resolve Service: Select to display the network service names rather
than the port numbers, such as HTTP rather than port 80. This option
is only available for the IPS Packet type.
Formatted (the default): Select to display the log files in columnar
format.
Raw: Select to display the log information as it actually appears in
the log file.
Note: DLP Archives allow you to both view logged details and to download the archived files. If
you want to display only the DLP archive log file, instead go to Log & Archive > Log
Browse > Log Browse and select the device's dlog.log file. For more information, see
Browsing log files on page 178.
Viewing quarantined files
FortiAnalyzer units can act as a central repository for files that are suspicious or known
to be infected by a virus, and have therefore been quarantined by your FortiGate units.
This section describes how to view quarantined files.
If a secure connection has been established between the FortiGate and FortiAnalyzer units,
the communication between them uses the same IPSec tunnel that the FortiGate unit
uses when sending log files.
For more information about configuring the FortiGate unit to send quarantined files to
the FortiAnalyzer unit, see the FortiGate Administration Guide.
Note: Sending quarantine files to a FortiAnalyzer unit is available only on FortiGate units running
FortiOS v4.0 or later.
FortiAnalyzer units do not accept quarantine files from devices that are not registered
in the FortiAnalyzer unit's device list. For more information about adding devices, see
Manually configuring a device or HA cluster on page 152.
To view the quarantine summary, go to Log & Archive > Archive Access > Quarantine.
Figure 88: Quarantine summary.
Delete Select to remove the selected quarantined file summary of this device and
all quarantined files under it from the hard disk.
Details Select to view the quarantined files for this device. For more information,
see To view the details of a quarantined file on page 177.
To view the details of a quarantined file
1 Go to Log & Archive > Archive Access > Quarantine.
2 Select a file and click on Details.
Show Select a device from the list of available devices to display the list of
quarantined files for a specific device.
Timeframe Select a span of time when quarantined files were sent to the FortiAnalyzer
unit.
From Device The FortiGate unit from which the file originated. Select the expand arrow
next to a FortiGate unit to view the files sent from that unit.
Type The type of quarantined file. For example, an infected file is quarantined
because a virus is detected. A blocked file is quarantined because the file
matches a defined file pattern. The Reason field offers additional detail.
Reason The reason a file is quarantined. This elaborates on the information in the
Type field. For example, if the Type is listed as Infected, the virus name
appears in the Reason field.
First Detection Time The date and time the FortiGate unit quarantined the first instance of this
file, in the format yyyy/mm/dd hh:mm:ss.
Last Detection Time The date and time the FortiGate unit quarantined the last instance of this
file, in the format yyyy/mm/dd hh:mm:ss, if multiple copies of this file
are quarantined.
Unique The number of quarantined files from this device.
Count The number of duplicates of the same file that are quarantined. A rapidly
increasing number can indicate a virus outbreak.
Delete Select to remove files whose check boxes are selected.
To delete one or more files, select the check box next to their file
name, then select Delete.
To delete all files, select the column heading check box, which selects
every file's check box, and then select Delete.
Download Select to save the file to another location when it is deemed safe for
the recipient to collect. You can enter a password to protect the file.
Caution: Quarantined files are suspected or known to contain a virus
or other network threat. Inspecting quarantine files involves a
significant security risk. Use caution when downloading quarantined
files.
Details Select to view the log for this quarantined file. For information on
viewing logs, see Viewing log messages on page 163.
Analyze Select to analyze a .sis file using the SIS Analyzer.
This option is only available if there is a quarantined .sis file.
Refresh Select to update the current page.
From Device The FortiGate unit from which the file originated.
File Name The processed file name of the quarantined file.
First Detection Time The date and time the FortiGate unit quarantined the first instance of
this file, in the format yyyy/mm/dd hh:mm:ss.
Last Detection Time The date and time the FortiGate unit quarantined the last instance of
this file, in the format yyyy/mm/dd hh:mm:ss, if multiple copies of
this file are quarantined.
Service The service by which the quarantined file was being transmitted, such
as SMTP.
Checksum A 32-bit checksum the FortiGate unit created from the file.
Type The type of quarantined file. For example, an infected file is
quarantined because a virus is detected. A blocked file is
quarantined because the file matches a defined file pattern. The
Reason field offers additional detail.
Reason The reason a file is quarantined. This elaborates on the information in
the Type field. For example, if the Type is listed as Infected, the virus
name appears in the Reason field.
DC Duplicate count. A count of how many duplicates of the same file
were quarantined. A rapidly increasing number can indicate a virus
outbreak.
View n per page Select the number of quarantine files to display per page.
Current Page By default, the first page of the list of items is displayed. The total
number of pages displays after the current page number. For
example, if 2/10 appears, you are currently viewing page 2 of 10
pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
Browsing log files
Log & Archive > Log Browse > Log Browse displays log files stored for both devices
and the FortiAnalyzer itself.
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
When a log file reaches its maximum size, or reaches the scheduled time, the
FortiAnalyzer rolls the active log file by renaming the file. The file name will be in the
form of xlog.N.log, where x is a letter indicating the log type and N is a unique
number corresponding to the time the first log entry was received.
For information about setting the maximum file size and log rolling options, see
Configuring rolling and uploading of device logs on page 182.
If you display the log messages in Formatted view, you can display and arrange
columns and/or filter log messages by column contents. For more information, see
Customizing the log view on page 167.
For more information about log messages, see the FortiGate Log Message Reference
and Viewing log messages on page 163.
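The rolled-file naming rule (xlog.N.log) described in this section, together with the device_id requirement that the import procedure states later on this page (a file imported with Take From Imported File must carry device_id in its messages, and a mismatch with the selected device fails the import), lends itself to a small pre-import check run on a workstation. The following Python is an added example, not FortiAnalyzer code: it splits a native log file name into its type letter and roll time, and verifies that every message in a file carries one consistent device_id. It assumes, based only on the vlog.1267852112.log example on this page, that N is a Unix timestamp; the function names and the sample lines are constructed.

```python
"""Pre-import checks for native FortiAnalyzer log files.

Added example, not FortiAnalyzer code.  The xlog.N.log naming rule and the
device_id requirement come from the page; the checks and sample lines are
constructed.
"""
import re
from datetime import datetime, timezone

# xlog.N.log: one log-type letter, an optional roll number, and the .log suffix.
# The active file has no number (for example dlog.log, mentioned on this page).
NATIVE_NAME = re.compile(r"^(?P<type>[a-z])log(?:\.(?P<epoch>\d+))?\.log$")
DEVICE_ID = re.compile(r"\bdevice_id=(\S+)")


def parse_log_filename(name):
    """Return (log type letter, roll time as an aware UTC datetime, or None for the active file)."""
    match = NATIVE_NAME.match(name)
    if not match:
        raise ValueError(f"not a native log file name: {name}")
    epoch = match.group("epoch")
    # Assumption: N is read as a Unix timestamp.  The page says only that it
    # corresponds to the time the first entry in the file was received.
    rolled_at = datetime.fromtimestamp(int(epoch), tz=timezone.utc) if epoch else None
    return match.group("type"), rolled_at


def check_import_file(lines, expected_device_id=None):
    """Verify that every message carries device_id and that it matches the selected device.

    Returns (ok, problems).  The two failure cases mirror the import procedure:
    a message without a device_id field, and a device_id that does not match.
    """
    problems = []
    seen = set()
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue  # skip blank lines
        match = DEVICE_ID.search(line)
        if match is None:
            problems.append(f"line {number}: no device_id field")
            continue
        seen.add(match.group(1))
    if len(seen) > 1:
        problems.append(f"mixed device IDs in one file: {sorted(seen)}")
    if expected_device_id is not None and seen and seen != {expected_device_id}:
        problems.append(
            f"device_id {sorted(seen)} does not match selected device {expected_device_id}"
        )
    return not problems, problems


# Constructed sample file contents (not captured from a device); line 3 lacks device_id.
SAMPLE_LINES = [
    "date=2010-03-06 time=05:08:32 device_id=FG600B3909601460 log_id=32776 type=traffic src=192.168.2.5 dst=10.0.0.8",
    "date=2010-03-06 time=05:08:33 device_id=FG600B3909601460 log_id=32777 type=traffic src=192.168.2.6 dst=10.0.0.8",
    "date=2010-03-06 time=05:08:34 log_id=32778 type=traffic src=192.168.2.7 dst=10.0.0.8",
]

if __name__ == "__main__":
    kind, rolled = parse_log_filename("vlog.1267852112.log")
    print(kind, rolled.isoformat())
    ok, problems = check_import_file(SAMPLE_LINES, "FG600B3909601460")
    print("ok" if ok else "\n".join(problems))
```

Run the check against a backed-up rolled file before selecting Import; a file that mixes messages from several devices, or one with messages lacking device_id, is the case the import procedure describes as failing.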
Figure 89: Log file list.
Delete Mark the check box of the file whose log messages you want to delete, then
click this button.
Display Mark the check box of the file whose log messages you want to view, then
click this button. For more information, see Viewing log messages on
page 163.
Import Click to import log files. You can only import log files in native format. For
more information about importing log files, see Importing a log file on
page 180.
Download Mark the check box of the log file that you want to download, click this
button, then select a format for saving the log files: text (.txt),
comma-separated value (.csv), or standard .log (native).
You can also select to compress the log files before saving them.
For more information, see Downloading a log file on page 180.
Device Type Select the type of devices whose logs you want to view.
Show Log File Names Enable to display the file names of log files in the Log Files column when their
log type is expanded.
Log Files A list of available log files for each device or device group. Click the group
name to expand the list of devices within the group, and to view their log files.
The current, or active, log file appears as well as rolled log files. Rolled log
files include a number in the file name, such as vlog.1267852112.log.
If you configure the FortiAnalyzer unit to delete the original log files after
uploading rolled logs to an FTP server, only the current log will exist.
# The number of devices in a group, and the number of log files for a device.
From The start time when the log file was generated.
To The end time when the log file was generated.
Size (bytes) The size of the log file.
Importing a log file
You can import devices' log files. This can be useful when restoring data or loading log
data for temporary use.
For example, if you have older log files from a device, you can import these logs to the
FortiAnalyzer unit so that you can generate reports containing older data. Importing log
files is also useful when changing your RAID configuration. Changing your RAID
configuration reformats the hard disk, erasing log files. If you back up the log files, after
changing the RAID configuration, you can import logs to restore them to the
FortiAnalyzer unit.
You can only import log files in native format.
To import a log file
1 Go to Log & Archive > Log Browse > Log Browse.
2 Select the Device Type.
3 Expand the group name or device name to view the list of available log files under
each log type.
4 Select a log file in native format and then select Import.
5 Select from Device to which device in the device list the imported log file belongs,
or select Take From Imported File to read the device ID from the log file.
If you select Take From Imported File, your log file must contain a device_id field
in its log messages.
6 In Filename, enter the path and file name of the log file, or select Browse.
7 Select OK.
A message appears, stating that the upload is beginning, but will be cancelled if
you leave the page.
8 Select OK.
Upload time varies by the size of the file and the speed of the connection.
After the log file successfully uploads, the FortiAnalyzer unit inspects the log file.
If the device_id field in the uploaded log file does not match the device, the
import will fail. Select Return to attempt another import.
If you selected Take From Imported File, and the FortiAnalyzer unit's device list
does not currently contain that device, a message appears after the upload.
Select OK to import the log file and automatically add the device to the device
list, or select Cancel.
Downloading a log file
You can download a log file to save it as a backup or for use outside the FortiAnalyzer
unit. The download consists of either the entire log file, or a partial log file, as selected
by your current log view filter settings.
To download a whole log file
1 Go to Log & Archive > Log Browse > Log Browse.
2 Select the Device Type.
3 Expand the group name or device name to view the list of available log files under
each log type.
4 Select the specific log file (wlog.log, elog.log, etc.) that you want to download.
5 Select Download.
6 Select from the following download options:
7 Select OK.
8 If prompted by your web browser, select a location to save the file, or open it
without saving.
To download a partial log file
1 Go to Log & Archive > Log Browse > Log Browse.
2 Select the Device Type.
3 Expand the group name or device name to view the list of available log files under
each log type.
4 Select the specific log file (wlog.log, elog.log, etc.) that you want to download.
5 Select Display.
6 Select a filter icon to restrict the current view to only items which match your
criteria, then select OK.
Filtered columns have a green filter icon, and Download Current View appears next
to Printable Version. For more information about filtering log views, see Filtering
logs on page 169.
7 Select Download Current View. The Download Log File window opens.
8 Select from the following download options:
9 Select OK.
Log File format Downloads the log in text (.txt), comma-separated value (.csv), or
standard .log (native) format. Each log element is separated by a
comma. CSV files can be viewed in spreadsheet applications.
Compress with gzip Compress the .txt, .log, or .csv file with gzip compression. For
example, downloading a log-formatted file with gzip compression
would result in a download with the file extension .log.gz.
10 If prompted by your web browser, select a location to save the file, or open it
without saving.
Backing up logs and archived files
To back up both logs and associated DLP archive files, enter the CLI command
execute backup logs. To back up logs only, enter execute backup logs-only.
For more information, see the FortiAnalyzer CLI Reference.
Configuring rolling and uploading of devices' logs
You can control devices' log file size and consumption of the FortiAnalyzer disk space
by configuring log rolling and/or scheduled uploads to a server.
As the FortiAnalyzer unit receives new log items, it performs the following tasks:
verifies whether the log file has exceeded its file size limit
checks to see if it is time to roll the log file if the file size is not exceeded.
Configure the time to be either a daily or weekly occurrence, and when the roll
occurs.
When a current log file (tlog.log) reaches its maximum size, or reaches the
scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The
file name will be in the form of xlog.N.log (for example, tlog.1252929496.log),
where x is a letter indicating the log type and N is a unique number corresponding to
the time the first log entry was received. The file modification time will match the time
when the last log was received in the log file.
Once the current log file is rolled into a numbered log file, it will not be changed. New
logs will be stored in the new current log called tlog.log.
If log uploading is enabled, once logs are uploaded to the remote server or
downloaded via the Web-based Manager, they are in the following format:
FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz
If you have enabled log uploading, you can choose to automatically delete the rolled
log file after uploading, thereby freeing the amount of disk space used by rolled log
files. If the log upload fails, such as when the FTP server is unavailable, the logs are
uploaded during the next scheduled upload.
To enable and configure log rolling or uploading, go to Log & Archive > Options > Log
File Options.
Tip: You can also configure rolling and uploading settings for the FortiAnalyzer unit's own log
files. For details, see the FortiAnalyzer CLI Reference.
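The rolling rules and the upload file name described above, as an added example that is not Fortinet's code: it models the size and schedule checks the unit performs on each new log item and parses the uploaded name format shown above. It assumes that N in xlog.N.log is a Unix timestamp in seconds and that .txt/.csv uploads or uncompressed uploads follow the same layout (the guide shows only the .log.gz case).

```python
"""Rolling and upload naming of device logs (added example, not Fortinet code).

Models the two checks described above (size limit, then the daily or weekly
roll time) and parses the file name an uploaded rolled log carries, e.g.
    FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz
"""
import re
from datetime import datetime, time, timedelta, timezone

# Assumption: N in xlog.N.log is a Unix timestamp (seconds) of the first entry,
# and .txt/.csv or uncompressed uploads use the same layout as the .log.gz case.
UPLOAD_NAME_RE = re.compile(
    r"^(?P<serial>[A-Z0-9]+)-"
    r"(?P<log_type>[a-z])log\.(?P<roll_id>\d+)\.(?P<fmt>log|txt|csv)-"
    r"(?P<uploaded>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})"
    r"(?P<gz>\.gz)?$"
)


def rolled_name(log_type, first_entry_epoch):
    """Name the active xlog.log receives when rolled: xlog.N.log."""
    return f"{log_type}log.{first_entry_epoch}.log"


def parse_upload_name(name):
    """Split an uploaded rolled-log file name into its fields."""
    m = UPLOAD_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a FortiAnalyzer upload name: {name!r}")
    roll_id = int(m["roll_id"])
    return {
        "serial": m["serial"],          # device serial number
        "log_type": m["log_type"],      # the x in xlog (t, e, w, v, ...)
        "rolled_name": rolled_name(m["log_type"], roll_id),
        "first_entry": datetime.fromtimestamp(roll_id, tz=timezone.utc),
        "format": m["fmt"],
        "uploaded": datetime.strptime(m["uploaded"], "%Y-%m-%d-%H-%M-%S"),
        "compressed": m["gz"] is not None,
    }


def next_scheduled_roll(last_roll, policy, roll_time, weekday=None):
    """Next scheduled roll after last_roll, or None for the size-only policy.

    policy: 'optional' (size only), 'daily' or 'weekly'.
    weekday: 0=Monday .. 6=Sunday, required for 'weekly'.
    """
    if policy == "optional":
        return None
    if policy not in ("daily", "weekly"):
        raise ValueError(f"unknown roll policy {policy!r}")
    candidate = last_roll.replace(hour=roll_time.hour, minute=roll_time.minute,
                                  second=0, microsecond=0)
    if candidate <= last_roll:           # today's roll time already passed
        candidate += timedelta(days=1)
    if policy == "weekly":
        if weekday is None:
            raise ValueError("weekly policy needs a weekday")
        while candidate.weekday() != weekday:
            candidate += timedelta(days=1)
    return candidate


def should_roll(size_bytes, max_bytes, last_roll, now, policy, roll_time, weekday=None):
    """The two checks run for each new log item: size first, then schedule."""
    if size_bytes >= max_bytes:
        return True
    scheduled = next_scheduled_roll(last_roll, policy, roll_time, weekday)
    return scheduled is not None and now >= scheduled


def example_decisions():
    """Constructed scenario around the file name quoted in the guide."""
    info = parse_upload_name(
        "FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz")
    # The rolled file's first entry marks when the previous roll happened.
    last_roll = info["first_entry"].replace(tzinfo=None)   # 2009-09-14 11:58:16
    now = info["uploaded"]                                 # 2009-09-14 14:00:14
    at_14 = time(14, 0)
    mb = 1024 * 1024
    return {
        # 50 MB of a 100 MB limit under the size-only policy: keep writing
        "optional_small": should_roll(50 * mb, 100 * mb, last_roll, now, "optional", at_14),
        # same file, but the daily 14:00 roll time has passed: roll
        "daily_due": should_roll(50 * mb, 100 * mb, last_roll, now, "daily", at_14),
        # weekly on Sunday: next roll is 2009-09-20 14:00, not due on Monday
        "weekly_not_due": should_roll(50 * mb, 100 * mb, last_roll, now, "weekly", at_14, 6),
        # at the size limit, the file rolls regardless of the schedule
        "weekly_oversize": should_roll(100 * mb, 100 * mb, last_roll, now, "weekly", at_14, 6),
        "next_weekly_roll": next_scheduled_roll(last_roll, "weekly", at_14, 6).isoformat(),
    }


if __name__ == "__main__":
    for key, value in example_decisions().items():
        print(f"{key}: {value}")
```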
Figure 90: Device log settings
Log file should not exceed Enter the maximum size of each device log file.
Log file should be rolled Set the time of day when the FortiAnalyzer unit renames the current log
file and starts a new active log file.
Optional: Roll log files only when the log file reaches the maximum
file size, regardless of time interval.
Daily: Roll log files daily, even if the log file has not yet reached
maximum file size.
Weekly: Roll log files weekly, even if the log file has not yet reached
maximum file size.
Enable log uploading Select to upload log files to a server when a log file rolls.
Server type Select the protocol to use when uploading to a server:
File Transfer Protocol (FTP)
Secure File Transfer Protocol (SFTP)
Secure Copy Protocol (SCP)
Server IP address Enter the IP address of the log upload server.
Username Enter the user name required to connect to the upload server.
Password Enter the password required to connect to the upload server.
Confirm Password Re-enter the password to verify correct entry.
Directory Enter a location on the upload server where the log file should be
saved.
Upload Files Select when the FortiAnalyzer unit should upload files to the server.
When rolled: Uploads logs whenever the log file is rolled, based on
Log file should be rolled.
Daily at: Uploads logs at the configured time, regardless of when or
what size it rolls at according to Log file should be rolled.
Uploaded log format Select a format for uploading the log files. The format is in text (.txt),
comma-separated value (.csv), or standard .log (Native) file.
Compress uploaded log files Select to compress the log files before uploading to the server.
Delete files after uploading Select to remove the log file from the FortiAnalyzer hard disk after the
FortiAnalyzer unit completes the upload.
Using eDiscovery
eDiscovery allows you to search through the bulk of stored email from the FortiGate
units, extract and download the search results, and share them with a third party if
required in situations such as a lawsuit or regulatory violation action.
To prove that shared data is an exact copy of the original, the FortiAnalyzer unit
produces local logs indicating when each search was executed, when the search
results were downloaded, and when they were deleted. In addition, the FortiAnalyzer
unit generates SHA1 and MD5 digests for every search result. When a search result is
downloaded to an external device, the SHA1 or MD5 digest calculated on the
downloaded file must match the same digest generated by the FortiAnalyzer unit in
order to prove that the search result has not been tampered with since leaving the
FortiAnalyzer unit.
Log & Archive > eDiscovery > Folders displays the list of eDiscovery folders containing
search results.
Figure 91: eDiscovery folders list
To use eDiscovery, follow the general steps below:
Set the disk quota for eDiscovery results out of the current disk space reserved for
the system (that is, space not allocated to the devices), since the search results
may take considerable amount of disk space. See To set the eDiscovery disk
quota on page 185.
Create folders to store search results. Typically, you store search results that are
part of a single investigation under one folder. See To create eDiscovery folders
on page 186.
Search email based on the search criteria and save the results to a folder where you
will view, download, delete, or clone the results. See To search email on
page 186.
Download Click to save the selected folder and the contained search results.
The saved information can be shared with a third party.
Run Now Click to refresh the search tasks in a selected folder. This will update the email
lists in the search tasks.
Clone Click to duplicate a folder to use as a basis for creating a new one.
Folder Name The names of the eDiscovery folders that you create. For more information, see
To create eDiscovery folders on page 186.
Select the arrow beside a folder name to display the task names of the search
results saved in the folder. For more information, see Task Name on page 187.
Select a task name to view the email list. See To view a search task on
page 187.
Creation Date The date and time when the folder and search tasks were created.
Search Results Each eDiscovery folder displays the number of search results contained in it.
Each search task displays the number of email extracted based on the search
criteria. See To search email on page 186.
Size (bytes) The size of the folders and search tasks.
This column also displays the status of search results:
Completed: Search is completed and results are available for viewing.
Incomplete: Search was interrupted by a system shutdown.
Running: Search is in progress.
Pending: Search is queued and will run once other searches are completed.
Quota Exceeded: Search was stopped because the disk quota has been
exceeded.
To set the eDiscovery disk quota
1 Go to Log & Archive > eDiscovery > Config.
2 Enter the maximum size of disk space for storing eDiscovery search results.
The used and available disk spaces also display. The size of the reserved space for
eDiscovery varies by the total disk space. You cannot adjust the disk quota below
the size of the existing eDiscovery results. eDiscovery results will not be saved if
they exceed the disk quota.
3 Click Apply.
To create eDiscovery folders
1 Go to Log & Archive > eDiscovery > Folders.
2 Click Create New.
3 Enter a folder name.
4 Click OK.
To search email
1 Go to Log & Archive > eDiscovery > Search.
2 Complete the following search criteria:
Device Select the FortiGate unit of which you want to search the archived email.
Timeframe Select the time period for the email that you want to search. If you click
Specify, enter the start and end time.
From Enter the sender's email address that you want to search. This can be a full
or partial email address.
To Enter all or part of the recipient's email address. For multiple recipients, enter
any one of the recipients, or enter multiple recipient addresses in the order
that they appear in the email address field, separated by a comma (,) and a
space, such as:
user1@example.com, user2@example.com
Subject Enter all or part of the subject line of the email message.
Message Contains Enter all or part of a word or phrase in the email message.
Save to Folder If you want to save the search results, select a folder.
If you do not want to save the search results, select Don't Save.
If you want to create a new folder for the search results, select Create New,
enter a folder name and select OK.
Task Name Enter a unique name for this search task. Such a name will help you identify a
particular search result in a folder. For more information, see Folder Name
on page 185.
This field appears only if you selected a folder in the Save to Folder field.
Description Enter a note to describe the task name. For more information, see
Description on page 187.
This field appears only if you selected a folder in the Save to Folder field.
3 Do one of the following:
If you selected Don't Save in the Save to Folder field, select Search.
The search results appear.
If you selected a folder in the Save to Folder field, select Search & Save.
The search results are saved to the selected folder.
To view a search task
1 Go to Log & Archive > eDiscovery > Folders.
2 Select the arrow beside a folder that contains the task you want to view.
3 Left-click on the task name you want to view.
The task's email list displays. Selecting an item displays its detailed information.
Task name The name of this search task. For more information, see Task Name on
page 187.
Description The note for this task. For more information, see Description on page 187.
Device The serial number(s) of the FortiGate unit(s) of which you have searched the
archived email. For more information, see Device on page 186.
Timeframe The date and time when the search task was created.
SHA1 The SHA1 digest for this search task.
When a search result is downloaded to an external device, the SHA1 digest
calculated on the downloaded file must match this digest in order to prove
that the search result was not tampered with since leaving the FortiAnalyzer
unit.
MD5 The MD5 digest for this search task.
When a search result is downloaded to an external device, the MD5 digest
calculated on the downloaded file must match this digest in order to prove
that the search result was not tampered with since leaving the FortiAnalyzer
unit.
Last Activity The date and time that the FortiAnalyzer unit received the email from the
FortiGate unit.
From The sender's email address that was searched. This can be a full or partial
email address.
To The recipient's email address that was searched. This can be a full or partial
email address.
Subject The subject line of an email.
The email list can display full and/or summary email archives. Summary email
archives contain only email messages with summary metadata. Full email
archives contain both the summary and a hyperlink to the associated
archived message.
For example, if the FortiAnalyzer unit has a full email archive for an email
message, the subject column of the email contains a link that enables you to
view the email message. If the FortiAnalyzer unit has only an email archive
summary, the subject column does not contain a link.
A full or summary email archive varies by:
whether the FortiGate unit is configured to send full email archives
whether the content satisfies email archiving requirements
whether the FortiAnalyzer unit has the file or message associated with the
summary email message (that is, full email archives do not appear if you
have deleted the associated message)
For more information about requirements and configuration of DLP archiving,
see the FortiGate Administration Guide.
Size The size of the email message.
Attachment icon If an email has an attachment, this icon appears.
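The digest check described in the eDiscovery introduction and in the SHA1 and MD5 fields above, as an added example that is not Fortinet's code: it recomputes both digests over a downloaded search result, compares them with the values the search task displays, and writes a verification record to keep beside the unit's own download logs. The task name, file name and verifier identity in it are constructed placeholders.

```python
"""Verify a downloaded eDiscovery search result (added example, not Fortinet code).

The FortiAnalyzer unit shows a SHA1 and an MD5 digest per search task; both
are recomputed over the downloaded file and must match before the result is
handed to a third party.
"""
import hashlib
import hmac
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so large result archives need not fit in memory
HEX_LENGTH = {"sha1": 40, "md5": 32}


def compute_digests(stream):
    """Return {'sha1': hex, 'md5': hex} for a binary stream, read in chunks."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        sha1.update(chunk)
        md5.update(chunk)
    return {"sha1": sha1.hexdigest(), "md5": md5.hexdigest()}


def normalize_digest(value, algorithm):
    """Accept the digest as copied from the web UI (any case, stray spaces)."""
    value = value.strip().lower()
    if len(value) != HEX_LENGTH[algorithm] or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"malformed {algorithm} digest: {value!r}")
    return value


def verify_result(stream, expected_sha1, expected_md5):
    """Compare recomputed digests with the values shown in the search task.

    Both must match; compare_digest keeps the comparison time independent of
    how many leading characters agree.
    """
    actual = compute_digests(stream)
    sha1_ok = hmac.compare_digest(actual["sha1"], normalize_digest(expected_sha1, "sha1"))
    md5_ok = hmac.compare_digest(actual["md5"], normalize_digest(expected_md5, "md5"))
    return {"sha1": actual["sha1"], "md5": actual["md5"],
            "sha1_ok": sha1_ok, "md5_ok": md5_ok, "intact": sha1_ok and md5_ok}


def verify_bytes(data, expected_sha1, expected_md5):
    """Verify an in-memory copy (used for the constructed sample below)."""
    return verify_result(io.BytesIO(data), expected_sha1, expected_md5)


def verify_file(path, expected_sha1, expected_md5):
    """Verify a downloaded result on disk without loading it whole."""
    with open(path, "rb") as fh:
        return verify_result(fh, expected_sha1, expected_md5)


def custody_record(task_name, filename, result, verified_by):
    """One JSON line recording who verified which download and the outcome."""
    return json.dumps({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "task": task_name, "file": filename,
        "sha1": result["sha1"], "md5": result["md5"],
        "intact": result["intact"], "verified_by": verified_by,
    }, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample: the content b"abc" and its well-known digests stand in
    # for a downloaded result and the digests shown in the search task.
    outcome = verify_bytes(b"abc",
                           "A9993E364706816ABA3E25717850C26C9CD0D89D",
                           "900150983cd24fb0d6963f7d28e17f72")
    print(custody_record("case-placeholder-task", "result-placeholder.zip",
                         outcome, "analyst-placeholder"))
```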
10. Reports
FortiAnalyzer units can analyze information collected from the log files of connected
FortiGate, FortiMail, and FortiWeb devices, FortiClient End Point agents, and syslog
compatible devices. It then presents the information in tabular and graphical reports.
These reports provide a quick and detailed analysis of activity on your networks.
You can create reports based on logs from Structured Query Language (SQL)
databases or from the proprietary indexer file system.
By using reports, you can:
minimize the effort required to identify attack patterns when customizing policies
monitor Internet surfing patterns for compliance with company policies
identify your web site visitors for potential customers.
FortiAnalyzer reports are also flexible, offering system administrators the choice to
compile a report layout based on pre-defined variables or specific information.
This chapter includes the following topics:
SQL based reports
Indexer based reports
SQL based reports
If you have selected the SQL database for log storage in System > Config >
SQL Database, you will configure reports based on logs from a SQL database.
Logs are the basis of all FortiAnalyzer reports and must be collected or uploaded
before you can generate a report. After logs are collected or uploaded, you can then
configure reports based on the default or customized chart templates. For more
information on logs, see Log & Archive on page 163.
In most cases, the default chart templates are sufficient for report configuration.
However, you can create customized chart templates by configuring the datasets to
get the exact chart data you want, see Advanced report settings on page 205.
Reports are generated based on SQL queries of log files.
A report generated from an SQL query has the following components:
report chart template
report filters
graphics and language
report schedule.
Note: FortiWeb reports are only available when logging to SQL databases.
Note: SQL Database based reports support FortiGate, FortiClient, FortiMail, FortiWeb and
syslog compatible devices.
This section includes the following topics:
Enable/disable SQL database
Enable/disable remote SQL database
Left & right click menu tree
Default device reports
Email/upload remote output
Predefined Reports
Custom Reports
Advanced report settings
View report layout
Enable/disable SQL database
Go to System > Config > SQL Database and select Local Database to enable the SQL
database for logging. You can configure the FortiAnalyzer to use the indexer based
database, a local SQL database, or a remote SQL database. From this menu you can
also specify the logging start date and time, and configure the types of logs that you
want the device to collect (see Figure 92 and Figure 93). Configure the following
variables and select Apply.
Figure 92: Enable the SQL local database
Note: FortiGate, when referenced in the Web-based Manager and supporting documentation,
includes FortiGate, FortiWifi, FortiGate-VM, FortiGate-One and FortiCarrier devices.
Figure 93: Start time options
Location
Disabled Select Disabled when logging to the proprietary indexer based
database.
Local Database Select Local Database when logging to a local SQL database.
Remote Database Select Remote Database when logging to a remote SQL database.
When selecting this option, a drop-down menu appears to allow you
to configure the database type, database name, username and
password.
Start Time Left-click on the calendar icon to set the log start date and time.
Log Type Select the required log types from the list.
Enable/disable remote SQL database
Go to System > Config > SQL Database and select Remote Database to enable the
SQL database for logging (see Figure 94). Configure the following variables and select
Apply.
Figure 94: Enable the SQL remote database
Location
Disabled Select Disabled when logging to the proprietary indexer based
database.
Local Database Select Local Database when logging to a local SQL database.
Remote Database Select Remote Database when logging to a remote SQL database.
When selecting this option, a drop-down menu appears to allow you
to configure the database type, database name, username and
password.
Start Time Left-click on the calendar icon to set the log start date and time.
Type Enter the server type. The default server type is MySQL.
Server Enter the server name.
Database Name Enter the database name.
User Name Enter the server user name.
Password Enter the server password.
Log Type Select the required log types from the list.
Left & right click menu tree
Figure 95 summarizes the menu functions available when left-clicking and
right-clicking within each level of the menu tree.
Figure 95: Left-click and right-click menu options
No. 1
Left-click: Show the device list in the left pane. You can expand/collapse and click
to jump to devices.
Right-click: N/A
No. 2
Left-click: Show the cover page, including a hyperlink ToC, for the device report.
Show the available report sections.
Right-click:
- Edit the report options
- Create a new report section
- Copy the report
No. 3
Left-click: Show the selected report section.
Right-click:
- Rename the report section
- Delete the report section
- Create a new report section
- Move the report section up or down in the report
No. 4
Left-click: Show the predefined report list in the left pane. You can expand/collapse
the report categories.
Right-click: N/A
No. 5
Left-click: Show the unclassified reports list in the left pane.
Right-click: Rename, Delete, Cut, Copy, Paste, or Clone the report
No. 6
Left-click: Show the indexer based reports list in the left pane.
Right-click: N/A
No. 7
Left-click: Show the selected indexer based report in the right pane.
Right-click: N/A
No. 8
Left-click: Show the custom report types list in the left pane.
Right-click: N/A
Default device reports
Each device that is connected to the FortiAnalyzer has a default device report
associated with it. Go to Report > Default Device Reports and select a hostname of a
connected device to view its default report. The default report consists of the following,
pre-defined sections:
Bandwidth and Application Usage
Web Usage
Emails
Threats
VPN Usage
Caution: Once a default device report is edited, you cannot restore the report layout to the
default settings. Fortinet recommends using the right-click menu options to Copy the
default device report layout and Paste it to Custom Reports > Unclassified Reports.
You can then use the right-click menu to edit and customize the report copy.
Figure 96: Default device reports
Edit Select to edit the report layout.
Run Select to generate a report immediately based on the current report
layout.
Historical Reports Select to display all the reports generated based on the current
report layout. You can select a report to view the detailed
information.
Right-click menu
New Select New > Section to add a new section to the predefined report
layout. See Add a report section on page 197 for information on
configuring a new report section.
Edit Select to edit the Report Settings. See Report settings on
page 196 for information on configuring report settings.
Copy Select to copy a predefined report layout. You can paste this report
layout under the Custom Reports > Unclassified Reports folder.
Add a section to the default device report
To add a new section to the default device report, go to
Report > Default Device Report, and select the serial number of the device from the
list. Right-click on the serial number and select New > Section from the drop-down list.
See Add a report section on page 197 for more information.
Figure 97: Add section to default device report
Report settings
Go to Report > Default Device Reports, right-click on the device serial number and
select Edit to display the Report Settings window. Report settings allow you to
configure the Report Schedule, Report Filters, and Advanced Settings options for the
device report (see Figure 98). Configure the below variables and select OK to save the
report layout changes.
Figure 98: Report options
Title The default title is Default Report for the serial number selected. This
field can be customized.
Description Optional description field.
Report Schedule Specify the frequency of report generation including the start and
send date and time.
Email/Upload Mark the check box if you want to apply a report output template
from the drop-down menu.
Print Table of Contents Select if you want a table of contents for the report.
Print Device List Select the way to display the devices in a report. The result can only
be seen in PDF reports.
Compact: Display a compact comma-separated list of device names
included in the report.
Count: Display only the number of devices included in the report.
Detailed: Display a table of device information for each device
included in the report.
Report Filters
Device The default value is the serial number of the device.
Time Period The default value is Last 7 days. Use the drop-down menu to select a
pre-configured time period or select Specify some other date and
time range to select a specific time period.
More Filters Additional options to specify VDOM, User, Group, Hostname, Source
Interface and Destination Interface.
Advanced Settings
Other Format Select MHT, MS Word, Text or XML.
Language The default language is English. Use the drop-down menu to select:
French;
Japanese;
Korean;
Portuguese;
Simplified Chinese;
Spanish;
Traditional Chinese.
Per-Device Reports Enable to have a separate report generated for each connected
device.
Add a report section
To add a new report section to a Default Device Report, go to Report > Default Device
Reports, select a serial number of a connected device. Right-click on the serial number
and select New > Section.
Enter a name for the new section and press Enter. Select Edit to configure the new
report section (see Figure 99). Configure the following variables, and select OK to save
the new section.
Figure 99: Edit new report section
Text
Heading 1 Left-click the Heading 1 (H1) icon and drag and drop into the body of
the report to add a new heading to the section.
Enter the heading that you would like for the section.
Heading 2 Left-click the Heading 2 (H2) icon and drag and drop into the body of
the report to add a new heading to the section.
Enter the heading that you would like for the section.
Text Left-click the Text (T) icon and drag and drop into the header or body
of the report to add a new text to the section.
Enter the text that you would like for the section.
Chart
Bar Chart Drag and drop the bar chart icon into the body of the report to add a
new bar chart to the section. Configure the bar chart variables in the
pop-up window.
Select the chart type and one or more variables, then fill out the
required information and select OK.
Pie Chart Drag and drop the pie chart icon into the body of the report to add a
new pie chart to the section. Configure the pie chart variables in the
pop-up window.
Select the chart type and one or more variables, then fill out the
required information and select OK.
Table Chart Drag and drop the table chart icon into the body of the report to add
a new table chart to the section. Configure the table chart variables
in the pop-up window.
Select the chart type and one or more variables, then fill out the
required information and select OK.
Other
Image Drag and drop the image icon into the body of the report section to
add a new image to the section.
Select an image from the database or select Upload and browse
your local hard drive to upload a custom image to the section. Select
OK to import the image into the report section.
Page Break Drag and drop the page break icon into the body of the report
section to insert a page break.
Email/upload remote output
Before you can enable this feature in report settings, you need to configure a new
report output. Go to System > Config > Remote Output, configure the following
variables, and select OK.
Name Enter a name for the new remote output.
Description Enter a description for the remote output. This field is optional.
Output Format Select the output format for the report. You can select more than one
output format. These options include the following:
HTML
PDF
MS Word
Text
MIME HTML (MHT)
Extensible Markup Language (XML)
Connectwise
Send Report by Mail Select Send Report by Mail and/or Upload Report to Server and
configure the variables in the drop down menus.
Compress Report Files Select to compress the report before sending.
From Specify an email address that will be used in the From field in the
email.
Server Select a server from the drop down list or select Create New to
configure a new mail server.
SMTP Server Enter the name of the SMTP server.
Enable
Authentication
Select to enable authentication for the new server configuration.
Email Account Enter the email account for the mail server.
Password Enter a password for the mail server.
Recipient Specify an email address that will be used in the To field in the email
and select Add. You can specify multiple recipient emails.
Add Add the recipient to the To list.
Delete Select an email defined under recipient and click Delete to remove
the email from the recipient list.
To The recipients who will be receiving the report.
Attachment Name Optionally enter a name for the attachment.
Use Default Select to use the default report name.
Subject Optionally enter a subject for the email containing the report.
Body   Optionally enter body text for the email containing the report.
Upload Report to Server   Select Send Report by Mail and/or Upload Report to Server and configure the variables in the drop down menus.
Server type   Select the server type. The options include the following:
File Transfer Protocol (FTP)
Secure File Transfer Protocol (SFTP)
Secure Copy (SCP)
FTP sends the username, the password and the report itself unencrypted. Reports contain user names, host names and browsing data taken from your logs, so use SFTP or SCP unless the whole path to the server is under your control.
IP address   Enter the IP address of the server.
Username   Enter the server username.
Password   Enter the server password.
Directory   Specify the directory to which you want to upload the file.
Delete file(s) after uploading   Enable to delete the report file from the FortiAnalyzer upon successful upload to the server.
After configuring the remote output to email the report and/or upload it to a server, you can enable this feature in report settings. See Report settings on page 196 for more information.
Predefined Reports
The Predefined Reports section includes a set of report layouts. Go to Report > Predefined Reports to view, edit, and run these reports. Predefined reports can be edited, but not deleted. To add a new section to a report layout, see Add a section to the default device report on page 195. The predefined report layout includes the following reports:
Overview
Firewall_and_Bandwidth_Usage_Report
Threat_and_Malware_Report
Web_Filtering_and_Usage_Report
Application_Usage_Report
Virtual_Private_Networking_Usage_Report
Email_Filtering_and_Usage_Report
Wireless_PCI_Report
Vulnerability_PCI_Report
User_Activity_Summary
Figure 100: Report filters
Custom Report Filters
FortiAnalyzer v4.0 MR3 Patch Release 2 supports custom report filters in report settings. Custom filter variables are configured from the CLI; once configured, each variable is listed under Report Settings > Report Filters. You can use this custom filter feature to create a filter for any log field. The following example filters a layout on the web filter action field; the text in braces describes each setting and is not typed:
    config sql report layout
        edit samplelayout
            config filter
                edit action    {the filter name is the log field to be filtered}
                    set description "webfilter action"    {description of the filter; any string}
                    set value block    {the value the log field is compared with}
                    set status enable    {enable | disable}
                    set opcode equal    {equal | not_equal}
                end
        end
Note: For the User_Activity_Summary predefined report, the User filter must be configured under Report Options.
Caution: Once a predefined report is edited or changed, you cannot restore the report layout to the default settings. Fortinet recommends using the right-click menu options to Copy the predefined report layout and Paste it to Custom Reports > Unclassified Reports. You can then edit and customize the report copy.
Figure 101: Predefined reports
Edit   Select to edit the report layout.
Run   Select to generate a report immediately based on the current report layout.
Historical Reports   Select to display all the reports generated based on the current report layout. You can select a report to view the detailed information.
Right-click menu
New   Select New > Section to add a new section to the predefined report layout. See Add a report section on page 197 for information on configuring a new report section.
Edit   Select to edit the Report Settings. See Report settings on page 196 for information on configuring report settings.
Copy   Select to copy a predefined report layout. You can paste this report layout under the Custom Reports > Unclassified Reports folder.
Custom Reports
The custom reports section includes unclassified and indexer based report classifications. Go to Report > Custom Reports to view, edit, and run these reports.
Figure 102: Custom reports
Indexer based reports
If you used the proprietary indexer file system for log storage in v4.0 MR2 and have upgraded to v4.0 MR3 and enabled the SQL database, you can still view the indexer based reports. Go to Report > Custom Reports > Indexer Based Reports > Indexer Based Reports to view the indexer based reports that have been configured.
For more information on indexer based reports, see Indexer based reports on page 219.
Figure 103: Indexer based reports view options
Edit   Select to edit the report layout.
Run   Select to generate a report immediately based on the current report layout.
Historical Reports   Select to display all the reports generated based on the current report layout. You can select a report to view the detailed information.
Create a new folder
To create a new folder, go to Report > Custom Reports, and right-click anywhere in the
drop-down menu. Select New > Folder, and enter the new folder name at the prompt.
You can then right-click on this new folder and select New > Report, to configure
specific reports that you would like listed within this folder.
Figure 104: Create a new folder
Advanced report settings
Go to Report > Advanced to configure charts, datasets, calendar, and report language.
This section includes the following topics:
Configuring report chart templates
Report datasets
View report schedule with Calendar
Configuring report language
Configuring report chart templates
The FortiAnalyzer unit provides predefined report chart templates for each report
category. You can create customized report chart templates using your own dataset
configuration.
Pre-defined Charts
Go to Report > Advanced > Chart to view the list of both pre-defined and customized
report chart templates.
The FortiAnalyzer unit provides pre-defined chart templates for each supported device:
FortiClient, FortiGate, FortiMail, and FortiWeb.
Figure 105: Pre-defined charts
Pre-defined charts
FortiClient AntiVirus, EmailFilter, Traffic, WebFilter.
FortiGate AntiVirus, Application Control, Attack, DLP, DLP Archive, EmailFilter,
Event, Network Scan, Traffic, WebFilter.
FortiMail History
FortiWeb Attack, Event, Traffic.
Create New   Select to create a new chart template.
Edit   Select to edit a custom chart. Pre-defined charts cannot be edited.
Delete   Select to delete a custom chart. Pre-defined charts cannot be deleted.
Clone   Create a duplicate of a report chart template to use as a basis for creating a new one. The cloned template shares the same name with Copy_<sequential-number> appended to the end.
Favorite   Click Add to Favorite to add one or more selected report chart templates to your favorite list. The star icon (Toggle Favorite State) turns orange. Click Remove from Favorite to remove one or more selected report chart templates from your favorite list. The star icon (Toggle Favorite State) turns gray. The favorite templates can be used to generate reports for quick and easy access.
Search   Enter a keyword and press Enter to search for charts.
Create a new chart template
To create a new chart template, go to Report > Advanced > Chart and select
Create New to create a new chart template (see Figure 106). Configure the following
and select OK to save. Select Edit from the menu to edit variables on a custom chart
template.
Figure 106: Create new chart template
Name Enter the name for the chart template.
Description Enter any comments or notes about the chart template.
Category   Select the log category for the chart template from the drop-down list.
The following log types are available:
AntiVirus
Application Control
Data Leak (DLP)
Email Filter
Event
FortiMail
FortiWeb
IPS (Attack)
Network Monitor
Network Scan
Traffic
VPN
VoIP
Web Filter
Dataset   Select the dataset for the selected category. FortiAnalyzer datasets are a collection of the log files from the devices monitored by the FortiAnalyzer unit. Reports are generated based on the datasets. Depending on the dataset selection, the values in the Field Output and Data Bindings fields may vary.
Field Output   Depending on the dataset selection, the values of this option may vary. These values are used for marking the report graphs, such as the X or Y axes in a bar graph, or column or row title in a table.
Graph Type   Select the graph type from the drop-down menu. The available graph types are bar, pie, and table.
Resolve Host Name   Enable this option to display the device's host name from an IP alias or reverse DNS lookup, rather than an IP address.
Favorite   Enable to add this chart template to the favorite list.
Data Bindings, Bar   Depending on your selection in the Graph Type field, the values in this section may vary.
X-axis Data Binding   Data Binding: Select a value for the X-axis of the bar graph. The values in this field change depending on your dataset selection.
Only Show First n Items: Select the check box and enter a number to show the top ranked log information, such as the top number of viruses, in the report chart. The default number is six. The rest of the log information will be marked as Others in the chart.
Overwrite Label: Mark the check box to modify the default value for the X-axis, if required.
Y-axis Data Binding   Data Binding: Select a value for the Y-axis of the bar graph. The values in this field change depending on your dataset selection.
Overwrite Label: Mark the check box to modify the default value for the Y-axis, if required.
Group By: Mark the check box to group the log information according to the dataset field output. This option appears only when a dataset's output contains more than three fields.
Only Show First n Items: Select the check box and enter a number to show the top ranked log information, such as the top number of viruses, in the report chart. The default number is three. The rest of the log information will be marked as Others in the chart. This option appears only when a dataset's output contains more than three fields.
Data Binding, Pie   Depending on your selection in the Graph Type field, the values in this section may vary.
Data Binding   Select a value to show the size of each segment of log information in the pie chart. The values in this field change depending on your dataset selection. For example, in a pie chart called Top Services by Volume, one of the top services is SMTP, and its percentage in the pie is 8.81. This percentage is generated by the selection in this field.
Enable Only Show First n Items (Bundle rest into Others) and enter a number to show the top ranked log information, such as the top number of viruses, in the report chart. The default number is six. The rest of the log information will be marked as Others in the chart.
Label Binding   Select a value to label each segment of log information in the pie chart. The values in this field change depending on your dataset selection. For example, in a pie chart called Top Services by Volume, one of the top services is labeled as SMTP. This label is generated by the selection in this field.
Data Binding, Table   Depending on your selection in the Graph Type field, the values in this section may vary.
Display Data In   Select Ranked to show the log information in ranked format, such as top x, or top y of top x, in the table. Select Raw to show the log information as an audit report which displays the results only, such as all blocked sites and all sites visited.
Add Column   Select to add a column to the table. This option only appears after you select the Remove the column icon. The data display in the table will be in raw format after selecting the Remove the column icon.
Field Output   Select a value to show the column title for the log information in the table. The values in these fields change depending on your dataset selection.
Overwrite Header   Mark the check box to modify the Field Output value, if required.
Only Show First n Items   Mark the check box and enter a number to show the top ranked log information, such as the top number of viruses, in the table. The default number is three. The rest of the log information will be marked as Others in the table. This option is only available if you select to display data in ranked format.
View custom chart templates
To view custom chart templates, go to Report > Advanced > Chart, and select Custom Charts from the drop-down menu.
Figure 107: Custom chart template
Report datasets
FortiAnalyzer datasets are the collection of log files from the devices monitored by the
FortiAnalyzer unit. Reports are generated based on the datasets. The FortiAnalyzer unit
provides pre-defined datasets for each supported device type. You can also create
new datasets by writing your own SQL queries.
Pre-defined datasets
Go to Report > Advanced > Dataset to view the pre-defined datasets for each
supported device type: FortiClient, FortiGate, FortiMail, and FortiWeb.
Figure 108: Pre-defined datasets
Pre-defined datasets
FortiClient AntiVirus, EmailFilter, Traffic, WebFilter.
FortiGate AntiVirus, Application Control, Attack, DLP, DLP Archive, EmailFilter,
Event, Network Scan, Traffic, WebFilter.
FortiMail History
FortiWeb Attack, Event, Traffic.
Custom datasets
Go to Report > Advanced > Dataset and select Create New to create a custom dataset
for the supported device type or local logs (see Figure 109 and Figure 110). Configure
the below variables and select OK to save the new dataset.
Figure 109: Custom datasets
Figure 110: Enable variables for the dataset option
Name   Enter the name for the custom dataset.
Device Type   Select FortiGate, FortiClient, FortiMail, FortiWeb, or Local Logs from the drop-down list.
Log Type ($log)   Select the type of logs to be used for the dataset. $log is used in the SQL query to represent the log type you select. The log type options include the following:
Attack
DLP Archive
DLP
Event
Generic
History
Network Scan
Application Control
Email Filter
Traffic
AntiVirus
Web Filter
Enable Variables for Dataset   Enable or disable to include in $filter. Select to add variables for the customized data used in a selected chart. If you add a variable for a dataset and choose a chart that contains this dataset, the name of the variable will appear. You can select the variable name and enter a value to filter the dataset. For example, if a variable named username appears and you enter John as the value, your report chart will show John's information based on the filtered information in the dataset.
Variable   Select a variable in the list. The variables are the same as log field names.
Variable Name   Enter a name for the variable selected.
Add   Select to add the variable to the dataset.
SQL Query   Enter the SQL query syntax to retrieve the log data you want from the SQL database.
Test   Click to test whether the SQL query is successful.
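The following added example (written for this edit, not Fortinet's code) models how a custom dataset's $log and $filter macros, the values an operator enters for Enable Variables for Dataset, the VDOM entered in the SQL query console, and a custom report filter's opcode/value pair combine into one query, and runs the result against a constructed sample of web-filter rows in SQLite. The table name, column layout, sample rows and the way $filter is composed are all assumptions made here; the page does not document the appliance's schema or its expansion rules. The point a practitioner should take from it is that operator-supplied values are bound as parameters and never spliced into the SQL text, so they cannot change the query.

```python
import re
import sqlite3

# Constructed sample rows standing in for the SQL log table behind a dataset's
# $log macro. The column names are common FortiGate web-filter log fields; the
# table name and layout are assumptions for this example, not the appliance's.
SAMPLE_WEBFILTER_LOGS = [
    # (vd, user, hostname, action, sentbyte, rcvdbyte)
    ("root", "John",  "news.example",    "passthrough", 1200, 48000),
    ("root", "John",  "malware.example", "block",        300,     0),
    ("root", "Alice", "news.example",    "passthrough",  900, 32000),
    ("root", "Alice", "casino.example",  "block",        500,     0),
    ("lab",  "John",  "lab.example",     "passthrough",  100,  2000),
]

# Assumed mapping from the Log Type chosen in the dataset editor to a table.
# $log is only ever replaced through this table, so a dataset cannot name an
# arbitrary table.
LOG_TABLES = {"webfilter": "log_webfilter"}

# A dataset query as typed into the SQL Query field: $log stands for the
# selected log type, $filter for the device/VDOM/variable filter supplied at
# report run time.
DATASET_QUERY = (
    "SELECT hostname, SUM(sentbyte + rcvdbyte) AS bandwidth "
    "FROM $log WHERE $filter GROUP BY hostname ORDER BY bandwidth DESC"
)

_FIELD_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_OPCODES = {"equal": "=", "not_equal": "<>"}


def _field(name):
    """Accept only plain identifiers as log field names, so a field name can
    never carry SQL even if it did not come from the GUI's fixed list."""
    if not _FIELD_NAME.match(name):
        raise ValueError(f"not a log field name: {name!r}")
    return name


def build_filter(vdom=None, variables=None, filters=None):
    """Compose the $filter fragment as a parameterised WHERE clause.

    vdom      -- VDOM entered in the SQL query console (None for all).
    variables -- dataset variables filled in by the operator, e.g. {"user": "John"}.
    filters   -- custom report filters as (field, opcode, value) triples, with
                 opcode 'equal' or 'not_equal' as in 'config sql report layout'.

    Values are returned as bind parameters, never pasted into the SQL text, so
    an operator-supplied value such as "x' OR '1'='1" stays a literal string.
    How the appliance itself expands $filter is not documented on this page;
    this composition is an assumption made for the example.
    """
    clauses, params = [], []
    if vdom is not None:
        clauses.append("vd = ?")
        params.append(vdom)
    for field, value in (variables or {}).items():
        clauses.append(f"{_field(field)} = ?")
        params.append(value)
    for field, opcode, value in filters or []:
        clauses.append(f"{_field(field)} {_OPCODES[opcode]} ?")
        params.append(value)
    return (" AND ".join(clauses) if clauses else "1 = 1"), params


def expand_dataset(query, log_type, vdom=None, variables=None, filters=None):
    """Replace $log and $filter; returns (sql, params) ready to execute."""
    where, params = build_filter(vdom, variables, filters)
    sql = query.replace("$log", LOG_TABLES[log_type]).replace("$filter", where)
    return sql, params


def run_dataset(query, log_type, **filter_kwargs):
    """Load the constructed sample into an in-memory SQLite database and run
    the expanded dataset query against it, returning the result rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE log_webfilter (vd TEXT, user TEXT, hostname TEXT, "
        "action TEXT, sentbyte INTEGER, rcvdbyte INTEGER)"
    )
    conn.executemany("INSERT INTO log_webfilter VALUES (?, ?, ?, ?, ?, ?)",
                     SAMPLE_WEBFILTER_LOGS)
    sql, params = expand_dataset(query, log_type, **filter_kwargs)
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    # Top hosts by volume for user John in VDOM root, web-filter logs only.
    for hostname, bandwidth in run_dataset(
        DATASET_QUERY, "webfilter", vdom="root", variables={"user": "John"}
    ):
        print(f"{hostname:20} {bandwidth}")
```

Running the file prints John's top hosts in VDOM root. Because field names are validated as identifiers and values are bound, a value like x' OR '1'='1 returns no rows instead of every row; that separation between query text and operator input is what to look for when you write your own dataset query that references $filter.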
Figure 111: SQL Query console option
Device   Select a FortiGate unit, FortiMail unit, FortiWeb unit, or FortiClient installation to apply the SQL query to.
VDOM   If you want to apply the SQL query to a FortiGate VDOM, enter the name of the VDOM. Then use $filter in the WHERE clause of the SQL query to limit the results to the FortiGate VDOM you specify.
Time Period   Select the time period from the drop-down menu.
SQL Query   If necessary, modify the SQL query to retrieve the log data you want from the SQL database.
Run   Click to execute the SQL query. If the query is not successful, check the SQL query you entered and make sure that the SQL database is working properly on the FortiAnalyzer unit.
Clear   Select to remove the displayed query results.
Save Options   Select to save the SQL query console configuration to the dataset configuration. The Device and VDOM configurations are not used by the dataset configuration.
Close   Click to return to the dataset configuration page.
View report schedule with Calendar
The Calendar provides an overview of report schedules. You can select a past day to view the generated reports or an upcoming day to preview the scheduled reports.
Calendar is useful for managing report generation. For example, you can avoid generating reports in the peak hours to free up your system resources for network usage.
When you select a day, the report schedules for that day are listed under Tasks, together with their status. You can open a finished report.
To view the calendar, go to Report > Advanced > Calendar.
Figure 112: View calendar and task list
Configuring report language
When creating a report layout, you can specify the report language. If your preferred
language requires modification, you can edit any of the pre-configured languages or
create a new report language. Go to Report > Advanced > Language to view the
default report language options.
Report language components include:
a string file, also known as a language resource file, containing report text;
a format file specifying the language encoding, as well as file format specific
settings;
a font file whose glyphs support your encodings character set.
See Configuring report language on page 236 for more information about configuring
the report language.
Go to Report > Advanced > Language to view, and edit report language. You can also
download the language format file and string file.
Note: Both format and string files use Unix-style line endings (LF characters, not CR-LF).
Figure 113: Configure language options
Pre-configured languages
The pre-configured languages include the following:
English (default report language);
French;
Japanese;
Korean;
Portuguese;
Simplified Chinese;
Spanish;
Traditional Chinese.
Edit report language
To edit the report language entry, go to Report > Advanced > Language and select a language entry from the list (Figure 114). Select the Edit icon, configure the following variables, and select OK to save the language entry.
Figure 114: Edit Report Language
Language   The language field displays the language entry that you have selected.
Description   Enter a description for the report language entry.
Format File   If you changed the encoding of the string file, go to Download > Download Format File and open the format file using a plain text editor that supports Unix-style line endings, such as jEdit, and edit the encoding and character set values for each file format. If you have switched between a single-byte and a double-byte encoding, also set the doublebytes value to true (1) or false (0). For specifications on how to indicate encoding and character set, refer to each file format's specification:
W3C HTML 4.01 Specification
Adobe PDF Reference
Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8
Save the format file.
String File   Open the string file using a plain text editor that supports Unix-style line endings and the string file's encoding, such as jEdit. Verify that the correct encoding has been detected or selected. Locate and edit the text that you want to customize. Do not change or remove keys. Modifiable text is located to the right of the equal symbol (=) in each line. Save the string file.
Font File (Optional)   If you want to customize the font of report graph titles and Y-axis labels, for Font File, click Browse and locate your font. If your font is located in the system font folder, you may need to first copy the font from the system font folder to another location, such as a temporary folder or your desktop, to be able to select the font for upload.
Note: Some font licenses prohibit copying or simultaneous use on multiple hosts or by multiple users. Verify your font's license.
Add a report language
To add a report language go to Report > Advanced > Language and select Create New
(see Figure 115). Configure the below variables and select OK to save the language
entry.
Figure 115: The Add Report Language window
Table 14 lists error messages that can result when adding a report language.
Language Enter the language name.
Description Enter a description for the language entry.
Format File For the Format File, select Browse and locate your customized
format file.
String File For the String File, select Browse and locate your customized string
file.
Font File (Optional) If you want to customize the font of report graph titles and Y-axis
labels, for Font File, click Browse and locate your font.
If your font is located in the system font folder, you may need to first
copy the font from the system font folder to another location, such as
a temporary folder or your desktop, to be able to select the font for
upload.
Note: The time required to upload the language customization files varies by the size of the files
and the speed of your connection. If there are any errors with your files, correct the errors,
then repeat this procedure.
Table 14: Language file error messages
Error message   Description
Specified format file contains invalid syntax.   Your format or string file contains syntax errors. To locate the errors, compare your customized file with a default language's file. Refer to the file format specifications or view the default files for valid syntax.
Specified language string file is missing one or more strings.   Your string file is missing strings for one or more keys. To locate missing strings, compare your customized string file with a default language's string file.
Specified font file is not a standard TrueType font (*.ttf).   Your font file is not a TrueType font. Only TrueType fonts are supported.
View report layout
To view a report layout, go to Report > Custom Reports > Unclassified Reports and select a report layout.
Figure 116: Report layout
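The following added checker (this edit's example, not part of the FortiAnalyzer product) performs, before you upload, the validations behind the Table 14 messages: LF-only line endings, key=value syntax with keys left intact, the key set compared against the default language's string file, and a TrueType header check for the font. The two string files embedded in it are constructed, and UTF-8 is only the example's default encoding; pass the encoding declared in your format file.

```python
# Constructed default and customised string files (key=value per line). Real
# FortiAnalyzer string files carry the appliance's own keys; these three keys
# are invented for the example.
DEFAULT_STRING_FILE = (
    b"report.title=Report\n"
    b"chart.top_users=Top Users\n"
    b"chart.bandwidth=Bandwidth\n"
)
# The customised copy was saved by a Windows editor (CR-LF endings) and has
# lost one key, the two defects the upload rejects.
CUSTOM_STRING_FILE = (
    b"report.title=Rapport\r\n"
    b"chart.top_users=Principaux utilisateurs\r\n"
)


def parse_string_file(data, encoding="utf-8"):
    """Return (entries, errors) for a string file.

    Enforces Unix-style LF line endings and a key=value layout; only the text
    right of the first '=' is customisable. `encoding` must match the encoding
    declared in the format file (UTF-8 is just this example's default).
    """
    errors = []
    if b"\r" in data:
        errors.append("CR character found: string file must use LF line endings")
    entries = {}
    for lineno, raw in enumerate(data.replace(b"\r\n", b"\n").split(b"\n"), 1):
        try:
            line = raw.decode(encoding)
        except UnicodeDecodeError:
            errors.append(f"line {lineno}: not valid {encoding}")
            continue
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            errors.append(f"line {lineno}: expected key=value, got {line!r}")
            continue
        entries[key.strip()] = value
    return entries, errors


def check_string_file(custom, default, encoding="utf-8"):
    """Compare a customised string file with the default language's file and
    report what the upload would reject: missing keys, keys the default does
    not have (a renamed key shows up here), and syntax or line-ending errors."""
    default_entries, default_errors = parse_string_file(default, encoding)
    custom_entries, custom_errors = parse_string_file(custom, encoding)
    return {
        "missing_keys": sorted(k for k in default_entries if k not in custom_entries),
        "unknown_keys": sorted(k for k in custom_entries if k not in default_entries),
        "errors": default_errors + custom_errors,
    }


def is_truetype(font_bytes):
    """True if the file starts with a TrueType sfnt header: version 0x00010000
    or the Apple 'true' tag. 'OTTO' marks an OpenType/CFF font, which is not a
    *.ttf and is rejected by the upload."""
    return font_bytes[:4] in (b"\x00\x01\x00\x00", b"true")


if __name__ == "__main__":
    result = check_string_file(CUSTOM_STRING_FILE, DEFAULT_STRING_FILE)
    for problem in result["errors"]:
        print("error:", problem)
    for key in result["missing_keys"]:
        print("missing key:", key)
    for key in result["unknown_keys"]:
        print("unknown key:", key)
```

Run it against your own files by reading them in binary mode (the CR check depends on seeing the raw bytes) and passing the default language's downloaded string file as the reference; an empty `errors` list and empty `missing_keys` means the file will not trip the first two Table 14 messages.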
Indexer based reports
If you have disabled the SQL database for log storage in
System > Config > SQL Database, you will configure reports based on logs from the
proprietary indexer file system. See Enable/disable SQL database on page 190 for
more information.
Logs are the basis of all FortiAnalyzer reports and must be collected or uploaded
before you can generate a report, see Log & Archive on page 163 for more
information about logs. After logs are collected or uploaded, you can then define the
three basic components that make up a report based on logs from the proprietary
indexed file system:
report layout (the report template and the contents)
output and data filter templates, language (optional components)
report schedule (log data parameters and time range).
This section includes the following topics:
Viewing Scheduled Reports
Configuring report schedules
Configuring reports
Viewing Scheduled Reports
To view reports that are generated by the FortiAnalyzer unit using log data from the proprietary indexer file storage system, go to Report > Access > Scheduled Report. This page displays all generated reports, including scheduled reports. See Figure 117.
Figure 117: Browse indexer based reports
Note: Indexer based reports support FortiGate, FortiClient, and FortiMail. FortiWeb is only
supported with SQL Database.
Delete   Select to remove selected reports.
Refresh   Select to refresh the list. If the FortiAnalyzer unit is in the process of generating a report, use Refresh to update the status of the report generation.
Report Files   Select the report name to view the entire report in HTML format. Select the Expand Arrow to view the individual reports in HTML format.
Device Type   The type of device whose logs were used for generating the report.
Started   The date and time when the FortiAnalyzer unit started generating the report.
Finished   The date and time when the FortiAnalyzer unit completed the report. If the FortiAnalyzer unit is in the process of generating a report, a progress bar will appear in this column. If the FortiAnalyzer unit has not yet started generating the report, which can occur when another report is not yet finished, Pending appears in this column.
Size (bytes)   The file size of the report's HTML format output, if any. The size does not reflect other output formats that may be present, such as PDF.
Other Formats   Select a file format, if any, to view the generated report in that format. In addition to HTML, if any, the generated reports may also be available in PDF, RTF, XML/XSL, and ASCII text formats, depending on the output configuration.
Current Page   By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 2/10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.
Configuring report schedules
You configure report schedules after you configure report layouts. If you do not have a report layout, you cannot configure a report schedule.
Report schedules provide a way to schedule a daily, monthly, or weekly report so that the report will be generated at a specific time. You can configure multiple report schedules.
Note: When configuring a report schedule that contains both an output template and selected
file formats in Output Types, the file formats sent by email are determined by the
configuration settings. Only those file formats that are enabled in both output template
and schedule output types are sent by email. For example, if PDF and Text formats are
selected in the output template, and PDF and MHT are selected in the report schedule, the
reports file format in the email attachment will be PDF.
View the report schedule
To view the report schedule list, go to Report > Schedule > Schedule.
Figure 118: View report schedule list
Create New   Select to create a new report schedule.
Edit   Edit an existing report schedule.
Delete   Delete a report schedule.
Run   Run a report schedule immediately (on demand), instead of waiting for the scheduled time.
Create a new report schedule
To create a new report schedule, go to Report > Schedule > Schedule, and select
Create New (Figure 119). Configure the following variables and select OK to save.
Figure 119: New Report Schedule
Name   Enter a name for the schedule.
Description   Enter a description for the schedule. This field is optional.
Layout   Select a configured report layout from the drop-down list. You must apply a report layout to a report schedule.
Language   Select a language from the drop-down list or choose Default to use the default language.
Schedule   Select one of the following to have the report generated on demand, once, daily, weekly, or monthly at a specified date and time.
Daily   Select to generate the report every day at the same time. Enter the start time and select a start and end date for the report.
Weekly   Select to generate the report on specified days of the week. Select the days of the week, enter the start time, and select a start and end date for the report.
Monthly Select to generate the report on a specific day or days of the month.
Enter the days with a comma to separate the days. For example, you
want to generate the report on the first day, the 21st day and 30th
day: 1, 21, 30, then enter the start time and select a start and end
date for the report.
Once Select to have the report generated only once on the specified date.
On Demand Select to have the report generated on demand.
Log Data Filtering You can specify the variables that were selected in the charts when
configuring the report layout.
If you did not specify any variables in the charts added to the report
layout, proceed to Data Filter.
Device/Group Select a device or device group from the list.
If a layout is not selected, no FortiGate units or groups will appear in
the list.
Virtual Domain Select to create a report based on virtual domains. Enter a specific
virtual domain to include in the report.
User Select to create a report based on a network user. Enter the user or
users in the field.
Group Select to create a report based on a group of network users, defined
locally. Enter the name of the group or groups in the field.
LDAP Query Select an LDAP directory from the drop-down list or select Create
New to create a new LDAP server entry. See Configuring LDAP
queries for reports on page 134 for more information.
LDAP Group Enter an LDAP group. This option appears only when LDAP Query is
selected. See Configuring LDAP queries for reports on page 134
for more information.
Data Filter Select a data filter template from the drop-down list to apply to the
report schedule. Select Create New Data Filter to create a new data
filter entry.
Time Period Local Time for: Select whether to base the time period on the local time
of the FortiAnalyzer unit or of the selected devices.
Log time stamps reflect when the FortiAnalyzer unit received the
message, not when the device generated the log message. If you
have devices located in different time zones, and are creating a
report layout based on a span of time, ensure that the time span is
relative to the device, not the FortiAnalyzer unit.
For example, if you have a device and a FortiAnalyzer unit located
three time zones apart, a report for the time frame from 9 AM to 11
AM will yield different results depending on whether the report time
frame is relative to the device's local time or to the FortiAnalyzer
unit's local time.
From: Select the beginning date and time of the log time range.
To: Select the ending date and time of the log time range.
Output Select the output file formats for the report and, optionally, an output
template to apply.
Output Type Select the file formats for the generated report. You can choose from
PDF, XML, HTML (default), MS Word, Text, and MHT.
Note: Only those file formats that are enabled in both the output
template and the schedule output types are sent by email. For example,
if PDF and Text are selected in the output template, and PDF and MHT
are selected in the report schedule, the report attached to the email
is in PDF format only.
Email/Upload Select the check box to apply a report output template, then choose
the template from the drop-down list.
Configuring reports
This section includes the following topics:
To configure a report layout
Edit an existing report layout
Create a new report layout
Run a report
To configure a report layout
Go to Report > Config > Layout to view the predefined report layouts. You can Edit,
Delete, Clone, or Run a default or custom report layout from this page.
You can configure and define multiple report layouts, which can then be applied to
report schedules or generated immediately. When configuring a report layout, you
choose which charts to include in the report.
Figure 120: Predefined report layouts
Default Layout
Bandwidth_Analysis An overview of bandwidth-consuming applications and users.
Forensic_Analysis An overview of detailed network activity information, such as instant
messaging programs and email.
Threat_Analysis An overview of user AntiVirus, Intrusion Protection and AntiSpam
threats for the time period.
Web_Filtering-Group_Activity An overview of user web site activity for a group of users, with
summary and analysis information on usage and behavior.
Web_Filtering-User_Activity An overview of user web site activity plus a detailed audit of all
blocked sites and all sites visited.
Create New Create a new report layout.
Edit Edit an existing report layout.
Delete Delete a report layout. The predefined report layouts cannot be
deleted.
Clone Create a duplicate of a report layout to use as a basis for creating a
new report layout.
Run Run a report layout immediately (on demand) instead of waiting for
the report layout's scheduled time.
Edit an existing report layout
To edit an existing report layout, go to Report > Config > Layout, select one of the
report layouts and select Edit (Figure 121). Configure the following variables and
select OK to save.
After adding charts, sections, and text, you can edit the charts in a report layout at any
time and rearrange them from within the Chart List. You can also edit Text and
Section entries.
You cannot edit the charts of predefined report layouts.
Figure 121: The Edit Report Layout window
Name Enter a name for the report.
Description Enter a description, for example, what the report is about.
Company Name Enter the name of your company or organization.
Report Title Enter a title for the report, for example, Report_1.
Header Enter a header for the report.
Title Page Logo Select the Browse logo files icon to choose a logo that will appear on
the title page of the report. You need to select a logo file format that
is compatible with your selected output file formats. The logo will not
appear if it is incompatible with the chosen file format.
You can choose JPG, PNG, and GIF logo formats for PDF and
HTML; WMF is also supported for RTF.
Header Logo Select the Browse logo files icon to choose a logo that will appear
only in the header of the report. Logo formats for headers also need
to be compatible with the chosen file format. The same logo formats
as for the title page apply to headers.
Chart List Select to add default or user-defined charts to your report.
Device Type Select a device type from the drop-down list. The available types are
FortiGate, FortiClient and FortiMail. The report's log information
comes from the selected device type. For example, if you select
FortiMail, only FortiMail logs are used.
Category Select a category, or all categories, of charts from the drop-down list.
Note: Customized charts (Custom Charts) are under the Others
category.
Chart Name The names of the charts in each category. The category name is in
bold, and the charts associated with that category and data source are
displayed beneath it.
Action Select the plus (+) symbol in the row containing the category name
to add all charts of the category to the report.
Select the plus (+) symbol in an individual row to add that chart.
When the plus (+) symbol is selected, a minus (-) symbol appears.
Select the minus (-) symbol in a row to remove the selected chart
or charts.
Create a new report layout
You can add default or user-defined charts to your report. You can also add a section
to a report that keeps charts separate from each other, or add a note or comment
about a section or to include additional information about the charts that are in the
report.
To create a new report layout, go to Report > Config > Layout and select Create New
(see Figure 122, Figure 123, Figure 124, and Figure 125). Configure the following
variables and select OK to save the layout.
Figure 122: Create new report layout
Figure 123: Add chart to the new report layout
Figure 124: Add section to new report layout
Figure 125: Add text to new report layout
Name Enter a name for the report.
Description Enter a description of the report.
Company Name Enter the name of your company or organization.
Report Title Enter a title name for the report.
Header Enter a header name for the report.
Title Page Logo Select the Browse logo files icon to choose a logo that will appear on
the title page of the report. You need to select a logo file format that
is compatible with your selected file format outputs. The logo will not
appear if it is incompatible with the chosen file format.
You can choose JPG, PNG, and GIF logo formats for PDFs and
HTML; WMF is also supported for RTF.
Header Logo Select the Browse logo files icon to choose a logo that will appear
only in the header of the report. Logo formats for headers also need
to be compatible with the chosen file format. The same logo formats
for the title page also apply to headers.
Chart List
Add Chart(s) Select to add default or user-defined charts to your report.
Add Section Select to add a section to a report that keeps charts separate from
each other.
Title: Enter a name to describe the charts and information.
Description: Enter a description, if applicable, to describe the
charts.
Add Text Select to add a note or comment about a section or to include
additional information about the charts that are in the report.
Note: Report layouts cannot be deleted while they are associated with a report schedule; to
delete such a report layout, first remove it from the schedule it is associated with, and then
delete it.
Run a report
To run a report with a default or custom layout, go to Report > Config > Layout, select
the layout from the list and select Run (see Figure 126). Configure the following
variables and select OK to run the report.
Figure 126: Run a report based on a default or custom layout
Name Name of the report. For example, Bandwidth_Analysis.
Layout This field is greyed out, but displays the report layout selected.
Language The default language is English. Select an alternate language from
the drop-down menu.
Log Data Filtering You can specify the variables that were selected in the charts when
configuring the report layout.
If you did not specify any variables in the charts added to the report
layout, proceed to Data Filter.
Device/Group Select a device or device group from the list. If a layout is not
selected, no FortiGate units or groups will appear in the list.
Virtual Domain Select to create a report based on virtual domains. Enter a specific
virtual domain to include in the report.
User Select to create a report based on a network user. Enter the user or
users in the field.
Group Select to create a report based on a group of network users, defined
locally. Enter the name of the group or groups in the field.
LDAP Query Select an LDAP directory from the drop-down menu, or select Create
New to configure a new LDAP server.
Data Filter Select a data filter from the drop-down menu, or select Create New
Data Filter to configure a new data filter.
Time Period Select local time for either the FortiAnalyzer unit or the selected
devices. Specify the time period from the drop-down menu.
Output Specify the report output types. These include the following:
HTML (enabled by default);
PDF;
MS Word;
Text;
MHT; and
XML.
Email/Upload Enable and select a report output template, or select Create New
Report Output from the drop-down list.
Configuring data filter templates
Data filters sort through log information, enabling you to include or exclude log
messages so that the report focuses on the log messages that match your criteria.
You can configure multiple data filter templates for reports.
For example, to include only a specific range of source IP addresses, enter the range
in the Sources field as 172.16.110.0-172.16.110.255, which matches every address in
the 172.16.110.0/24 (172.16.110.0/255.255.255.0) subnet; the subnet notation itself is
also accepted. To exclude that range instead, enter it and mark the not check box.
Data filter options operate on specific log message fields. For information about log
message fields, see the FortiGate Log Message Reference.
To view and configure the data filter templates, go to Report > Config > Data Filter.
Figure 127: Data Filter template menu
Create New Select to create a new data filter template.
Edit Select to edit an existing data filter template.
Delete Select to delete an existing data filter template.
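The matching rules behind a data filter template (comma-separated values, the not check box, the all/any filter logic, and the IP range and subnet forms accepted in the Source(s) and Destination(s) fields, all described under Create new data filter below) can be modeled offline to check which log lines a template would keep before a report is scheduled. The following Python is an added example written for this page, not FortiAnalyzer code. It assumes FortiGate key=value log fields (srcip, dstip, srcintf, policyid, service), and the sample log lines are constructed.

```python
"""Model of the FortiAnalyzer report data-filter matching rules.

Added example, not Fortinet code. Field names (srcip, dstip, srcintf,
policyid, service) follow the FortiGate key=value log format; the sample
logs are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line: str) -> dict:
    """Split a key=value log line into a dict (quoted values unquoted)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def parse_ip_spec(spec: str):
    """Accept a single IP, an 'a-b' range, or 'net/mask' / 'net/cidr'.

    The shorthand '172.20.110.0-255' is rejected, as the guide states:
    both ends of a range must be complete addresses.
    """
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if int(lo) > int(hi):
            raise ValueError(f"range start after end: {spec}")
        return ("range", int(lo), int(hi))
    if "/" in spec:
        return ("net", ipaddress.ip_network(spec, strict=False))
    return ("ip", ipaddress.ip_address(spec))


def ip_in_spec(ip: str, parsed) -> bool:
    """True if the address from a log field falls inside the parsed spec."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a non-address field value never matches
    if parsed[0] == "range":
        return parsed[1] <= int(addr) <= parsed[2]
    if parsed[0] == "net":
        return addr in parsed[1]
    return addr == parsed[1]


@dataclass
class Criterion:
    """One row of a template: log field, comma-separated values, 'not' box."""
    log_field: str
    values: str
    negate: bool = False
    is_ip: bool = False
    _parsed: list = field(init=False, default_factory=list)

    def __post_init__(self):
        items = [v.strip() for v in self.values.split(",") if v.strip()]
        self._parsed = [parse_ip_spec(v) if self.is_ip else v.lower() for v in items]

    def matches(self, log: dict) -> bool:
        value = log.get(self.log_field)
        if value is None:
            hit = False
        elif self.is_ip:
            hit = any(ip_in_spec(value, p) for p in self._parsed)
        else:
            hit = value.lower() in self._parsed
        return not hit if self.negate else hit


@dataclass
class DataFilter:
    logic: str      # "all" or "any", as in the Filter Logic setting
    criteria: list

    def includes(self, log: dict) -> bool:
        results = [c.matches(log) for c in self.criteria]
        return all(results) if self.logic == "all" else any(results)


def apply_filter(filt: DataFilter, lines: list) -> list:
    """Return the log lines a report built on this filter would include."""
    return [ln for ln in lines if filt.includes(parse_log_line(ln))]


# Constructed sample traffic logs (not real data).
SAMPLE_LOGS = [
    'date=2012-02-29 time=09:01:10 srcip=172.16.110.5 dstip=10.0.0.8 srcintf=port1 policyid=7 service=HTTP',
    'date=2012-02-29 time=09:02:31 srcip=172.16.110.200 dstip=10.0.0.8 srcintf=port1 policyid=7 service=SSH',
    'date=2012-02-29 time=09:03:07 srcip=172.16.120.9 dstip=10.0.0.8 srcintf=port2 policyid=12 service=HTTP',
    'date=2012-02-29 time=09:04:44 srcip=192.168.1.20 dstip=10.0.0.9 srcintf=wan1 policyid=3 service=HTTPS',
]

# Template: sources in 172.16.110.0/24 AND service not HTTP/HTTPS (logic: all).
EXAMPLE_FILTER = DataFilter("all", [
    Criterion("srcip", "172.16.110.0/255.255.255.0", is_ip=True),
    Criterion("service", "HTTP, HTTPS", negate=True),
])

if __name__ == "__main__":
    for ln in apply_filter(EXAMPLE_FILTER, SAMPLE_LOGS):
        print(ln)
```

Switching the same two criteria from all to any keeps every line that matches either criterion, which is the difference between the two Filter Logic settings; the shorthand range form raises an error at template construction rather than silently matching nothing.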
Create new data filter
To create a new Data Filter, go to Report > Config > Data Filter, and select Create New
(Figure 128). Configure the following variables and select OK to save.
Figure 128: New data filter
Name Enter a name for the new data filter.
Description Enter a description for the data filter. This is optional.
Filter Logic Select all to include in the report only the logs that match all of the data
filter criteria. If a log does not match every criterion, the FortiAnalyzer
unit excludes it from the report.
Select any to include in the report the logs that match any of the data
filter criteria. If a log matches at least one criterion, the FortiAnalyzer
unit includes it in the report.
Source(s) Enter the source IP address or a range of source IP addresses to include
matching logs. You can also select from the alias list. Separate
multiple sources with a comma.
You can filter on IP ranges or subnets. The following formats are
supported:
IP Range: xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx;
Subnet: xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/cidr.
Note: you cannot use the shorthand format 172.20.110.0-255; write the
full address at both ends of the range, or use subnet notation.
Alias Select the appropriate alias from the drop-down list.
not Select to include only the log messages that do not match this criterion.
For example, you might include all logs except those matching a
specific source IP address.
Destination(s) Enter the destination IP address or a range of destination IP addresses
to include matching logs. You can also select from the alias list.
Separate multiple destinations with a comma.
You can filter on IP ranges or subnets. The following formats are
supported:
IP Range: xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx;
Subnet: xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/cidr.
Note: you cannot use the shorthand format 172.20.110.0-255.
Alias Select the appropriate alias from the drop-down list.
not Select to include only the log messages that do not match this criterion.
For example, you might include all logs except those matching a
specific destination IP address.
Interface(s) Enter the network interface or interfaces to include matching logs.
Separate multiple interface names with a comma.
not Select to instead include only log messages that do not match this
criterion. For example, you might include all logs except those
matching a specific network interface.
Policy ID(s) Enter the device policy ID numbers to include matching logs. The
report includes logs from all device log types that contain policy ID
numbers, which excludes event and DLP archive logs. Separate
multiple policy IDs with a comma.
not Select to instead include only log messages that do not match this
criterion. For example, you might include all logs except those
matching a specific policy ID.
Service(s) Enter specific services to include matching logs. Separate multiple
services with a comma.
not Select to instead include only log messages that do not match this
criterion. For example, you might include all logs except those
matching a specific service.
Email Domain(s) Enter the email domain or domains that you want included in the
filter.
An email domain is a set of email accounts that reside on a particular
email server. The email domain is the portion of the user's email
address following the @ symbol. For more information about email
domains, see the FortiMail Administration Guide.
This field is used only when creating FortiMail reports.
not Select to instead include only log messages that do not match this
criterion. For example, you might include all logs except those
matching a specific email domain.
Email Direction(s) Enter one of the following email directions:
IN: incoming email traffic;
OUT: outgoing email traffic;
UNKNOWN: email traffic of unknown direction.
This field is used only when creating FortiMail reports.
not Select to instead include only log messages that do not match this
criterion. For example, you might include all logs except those
matching a specific email direction.
Email Sender(s) Enter one or more senders of the email.
This field is used only when creating FortiMail reports.
not Select to instead include only log messages that do not match this
criterion. For example, you might include all logs except those
matching a specific email sender.
Email Recipient(s) Enter one or more recipients of the email.
This field is used only when creating FortiMail reports.
not Select to instead include only log messages that do not match this
criterion. For example, you might include all logs except those
matching a specific email recipient.
Day of Week Select specific days of the week to include matching logs.
Web Category Select the web filtering categories to filter by, so that only web
filtering logs matching the selected categories are included, by
selecting one or more category check boxes.
You can select a whole category by selecting the check box beside
the Expand Arrow of the category. You can also select individual
subcategories within the category by selecting the Expand Arrow to
display the subcategories. For example, you might include all web
filtering logs in the Potentially Bandwidth Consuming category, or
only the Internet Radio and TV subcategory within that category.
not Select to instead include only logs that do not match the criterion.
For example, you might include all logs except those matching a
specific web category.
Priority Select a severity level from the Available Levels column and then use
the -> arrow to move the level to the Selected Levels column.
To remove a severity level from the Selected Levels column, select
the level and then use the <- arrow to move it back to the Available
Levels column.
Generic Filter(s) Enter a generic filter for the data filter template.
Key Enter a keyword in this field.
Value Enter a number for the value.
not Select to instead include only log messages that do not match this
criterion. For example, you might include all logs except those
matching a specific generic filter.
Add Select Add to add the keyword and value to the generic filter list. The
generic filter list displays all configured generic filters in the field
beside Add and Delete.
Delete Select to delete a generic filter. Select the generic filter first, and
then select Delete.
Configuring report language
When creating a report layout, you can specify the report language. If your preferred
language requires modification, you can edit any of the preconfigured languages or
create a new report language. Go to Report > Config > Language to view the default
report language options.
Report language components include:
a string file, also known as a language resource file, containing the report text
a format file specifying the language encoding, as well as file-format-specific
settings
a font file whose glyphs support your encoding's character set.
The font file is used to render graph titles and Y-axis labels in a font of your choice.
Some fonts, particularly for double-byte languages, do not support character rotation,
which is required by the Y-axis label. Compatible fonts must be TrueType (.ttf) fonts
that support character rotation. Examples of known compatible fonts include
Arial, AR PL Mingti2L Big5, AR PL SungtiL GB, DFPHSGothic-W5, and Verdana.
The string file specifies pieces of text that may be used in various places throughout
the report. Each string line consists of a key followed by an equal symbol (=) and its
value. You can add comments to the string file by preceding them with a number
symbol (#).
For example, in these lines:
# Printed in place of report when zero log messages matched report filter.
no_match=No matching log data for this report
the comment is:
# Printed in place of report when zero log messages matched report filter.
the key is no_match, and the string value for that key is No matching log data for
this report.
Keys are required and must not be removed or changed. Keys map a string to a
location in the report, and are the same in each language file. If you change or remove
keys, the FortiAnalyzer unit cannot associate your string with a location in the report,
string file validation will fail, and the string file upload will not succeed.
String values may be changed to customize report text. If your custom string values
use a different encoding or character set than the default language file, customize your
format file to reflect your new character set and/or encoding.
Comment lines are optional; you can add them throughout the file to provide notes on
your work.
The format file contains settings for the file format renderers, including encodings. The
format file contains sections that are preceded by an output type label, consisting of
the file format name followed by a colon (:). Within each output type's section, one or
more settings exist, each consisting of a variable name followed by an equal symbol (=)
and its value enclosed in double quotes ("). You can add comments to the format file by
preceding them with a number symbol (#).
For example, in these lines:
# Localization uses a Latin character set.
html:
html_charset="iso-8859-1"
The comment is:
# Localization uses a Latin character set.
The output type label is html:, the variable name is html_charset, and the
variable's value is iso-8859-1.
Variables are required and must not be removed or renamed. If you change or remove
variables, the FortiAnalyzer unit may not be able to properly format your reports.
If your custom string values use a different encoding or character set than the default
language file, you must customize your format file to reflect your new character set
and/or encoding. If your string file requires double-byte encoding, set
doublebytes="1"; otherwise, set doublebytes="0". The variable's value must be in a
pattern acceptable to the output type. If the variable value syntax is not correct, format
file validation will fail, and the format file upload will not succeed.
Supported encodings used by the string file and referenced in the format file include
those specified by the PDF, RTF, and HTML standards. For character set, encoding
syntax, and other specifications, see the following documents:
W3C HTML 4.01 Specification;
Adobe PDF Reference;
Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8.
Comment lines are optional; you can add them throughout the file to provide notes on
your work.
If you require further format file customization, including adjustments to PDF objects,
contact Customer Service & Support.
Go to Report > Config > Language to view the default report language options.
Note: Both format and string files use Unix-style line endings (LF characters, not CR-LF).
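The rules above for the string file (key=value lines, # comments, every default key present and unchanged, LF line endings), the format file (output-type labels ending in a colon, name="value" settings, doublebytes set to "0" or "1") and the font file (TrueType only) can be checked locally before an upload, so that the validation failures listed in Table 15 are found in an editor rather than on the unit. The Python below is an added example, not Fortinet's validator. It assumes that a TrueType file starts with the sfnt version bytes 00 01 00 00 (or the ASCII tag true used by older Macintosh fonts), and the default string file, the customized files and the font bytes it uses are constructed for the example; real files contain many more keys and settings.

```python
"""Offline validator for FortiAnalyzer report-language files.

Added example, not Fortinet's own validator. It applies the rules the
guide states for the string file, the format file and the font file; the
sample files below are constructed, not the shipped defaults.
"""
import re

_STRING_LINE = re.compile(r'^([A-Za-z0-9_]+)=(.*)$')
_SECTION = re.compile(r'^([A-Za-z0-9_]+):$')
_SETTING = re.compile(r'^\s*([A-Za-z0-9_]+)="([^"]*)"$')


def _lines(text: str, name: str, errors: list):
    """Yield (line number, content), flagging CR-LF and skipping blanks/comments."""
    if "\r" in text:
        errors.append(f"{name}: CR-LF line endings found; use Unix-style LF")
    for n, raw in enumerate(text.replace("\r\n", "\n").split("\n"), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, line


def parse_string_file(text: str, errors: list, name: str = "string file") -> dict:
    """Return {key: value}; syntax errors are appended to `errors`."""
    strings = {}
    for n, line in _lines(text, name, errors):
        m = _STRING_LINE.match(line)
        if not m:
            errors.append(f"{name} line {n}: invalid syntax: {line!r}")
            continue
        strings[m.group(1)] = m.group(2)
    return strings


def parse_format_file(text: str, errors: list, name: str = "format file") -> dict:
    """Return {output_type: {setting: value}}; syntax errors go to `errors`."""
    sections = {}
    current = sections.setdefault("global", {})  # settings before any label (assumption)
    for n, line in _lines(text, name, errors):
        m = _SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = _SETTING.match(line)
        if not m:
            errors.append(f"{name} line {n}: invalid syntax: {line!r}")
            continue
        current[m.group(1)] = m.group(2)
    return sections


def validate_language(default_strings: str, custom_strings: str, custom_format: str,
                      font: bytes = None) -> list:
    """Apply the documented rules; an empty list means the files would upload."""
    errors = []
    default = parse_string_file(default_strings, errors, "default string file")
    custom = parse_string_file(custom_strings, errors)
    missing = sorted(set(default) - set(custom))
    if missing:
        errors.append("string file is missing one or more strings: " + ", ".join(missing))
    extra = sorted(set(custom) - set(default))
    if extra:
        errors.append("string file has keys not in the default file (renamed?): " + ", ".join(extra))
    fmt = parse_format_file(custom_format, errors)
    for out_type, settings in fmt.items():
        if settings.get("doublebytes") not in (None, "0", "1"):
            errors.append(f'format file [{out_type}]: doublebytes must be "0" or "1"')
    # TrueType files begin with sfnt version 0x00010000 (or b"true" on older Mac fonts).
    if font is not None and font[:4] not in (b"\x00\x01\x00\x00", b"true"):
        errors.append("font file is not a standard TrueType font (*.ttf)")
    return errors


# Constructed sample files (not Fortinet's shipped defaults).
DEFAULT_STRINGS = "# default\nno_match=No matching log data for this report\nreport_title=Report\n"
GOOD_STRINGS = "# Spanish\nno_match=No hay datos de registro para este informe\nreport_title=Informe\n"
BAD_STRINGS = "no match=oops\nreport_title=Informe\n"      # key broken: no_match is now missing
GOOD_FORMAT = "# Latin character set\nhtml:\nhtml_charset=\"iso-8859-1\"\ndoublebytes=\"0\"\n"
BAD_FORMAT = "html:\nhtml_charset=iso-8859-1\ndoublebytes=\"yes\"\r\n"

if __name__ == "__main__":
    for e in validate_language(DEFAULT_STRINGS, BAD_STRINGS, BAD_FORMAT, b"OTTO"):
        print(e)
```

Run against the bad files it reports the broken key line, the missing no_match string, the CR-LF ending, the unquoted setting, the bad doublebytes value and the non-TrueType font; against the good files it reports nothing. Settings that appear before any output-type label are collected under a global section, which is this example's assumption about file layout rather than something the guide specifies.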
Figure 129: Configure report language
Create New Select to create a new report language entry.
Edit Select to edit a language entry.
Delete Select to delete a customized language entry. The option to delete is
not available for the preconfigured language entries.
Delete Font File Remove the font file from the selected report language.
Download Select Download Format File to download the file format settings.
Select Download String File to download the language resource file.
Select Download Font File to download the custom font file. This
option is disabled for default languages and for report language
customizations that use a default font.
Note: The string file contains many keys, and each report type uses a subset of those keys. If
your language modification does not appear in your report, verify that you have modified
the string of a key used by that report type.
To edit the report language
To edit the report language, go to Report > Config > Language, choose the language
entry from the list and select Edit (Figure 130). Configure the variables below and
select OK to save.
Figure 130: Edit report language
Language The language field displays the language entry that you have
selected.
Description Enter a description for the report language entry.
Format File If you changed the encoding of the string file, go to Download >
Download Format File and open the format file using a plain text
editor that supports Unix-style line endings, such as jEdit, and edit
the encoding and character set values for each file format. If you
have switched between a single-byte and a double-byte encoding,
also set the doublebytes value to true (1) or false (0).
For specifications on how to indicate encoding and character set,
refer to each file format's specification:
W3C HTML 4.01 Specification
Adobe PDF Reference
Microsoft Word 2003 Rich Text Format (RTF) Specification, version
1.8
Save the format file.
String File Open the string file using a plain text editor that supports Unix-style
line endings and the string file's encoding, such as jEdit. Verify that
the correct encoding has been detected or selected.
Locate and edit the text that you want to customize.
Do not change or remove keys. Modifiable text is located to the right
of the equal symbol (=) in each line.
Save the string file.
Font File (Optional) If you want to customize the font of report graph titles and Y-axis
labels, for Font File, click Browse and locate your font.
If your font is located in the system font folder, you may need to first
copy the font from the system font folder to another location, such as
a temporary folder or your desktop, to be able to select the font for
upload.
Note: Some font licenses prohibit copying or simultaneous use on multiple hosts or by multiple
users. Verify your font's license.
To add a report language
To add a report language, go to Report > Config > Language and select Create New to
create a new language entry (Figure 131). Configure the below variables and select OK
to save.
Figure 131: Add Report Language
Language Enter the language name.
Description Enter a description for the language entry.
Format File For the Format File, select Browse and locate your customized
format file.
String File For the String File, select Browse and locate your customized string
file.
Font File (Optional) If you want to customize the font of report graph titles and Y-axis
labels, for Font File, click Browse and locate your font.
If your font is located in the system font folder, you may need to first
copy the font from the system font folder to another location, such as
a temporary folder or your desktop, to be able to select the font for
upload.
Note: Time required to upload the language customization files varies by the size of the files and
the speed of your connection. If there are any errors with your files, correct the errors, then
repeat this procedure.
Table 15 lists error messages that can result when adding a report language.
Table 15: Language file error messages
Error message Description
Specified format file contains
invalid syntax.
Your format or string file contains syntax errors. To locate
the errors, compare your customized file with the default
language's file. Refer to the file format specifications or view
the default files for valid syntax.
Specified language string file is
missing one or more strings.
Your string file is missing strings for one or more keys. To
locate missing strings, compare your customized string
file with the default language's string file.
Specified font file is not a standard
TrueType font (*.ttf).
Your font file is not a TrueType font. Only TrueType fonts are
supported.
11. Network Vulnerability Scan
The Network Vulnerability Scan menu configures vulnerability scans and displays the
scan results.
New vulnerabilities appear in any organization's network due to problems such as
flaws in software or faulty application configuration. The vulnerability management
feature can determine whether your organization's computers are vulnerable to
attack. With this feature, you can define your host assets or discover hosts in the
network, configure vulnerability management scans, generate reports, and interpret
the results.
FortiAnalyzer units come with a default database of more than 2 500 vulnerabilities. For
FortiGuard Vulnerability Management Service subscribers, this database can be
periodically updated via the FortiGuard Distribution Network (FDN) to receive
definitions of the most recently discovered vulnerabilities. For details, see Scheduling
& uploading vulnerability management updates on page 138.
The vulnerability scan is suitable for scanning many types of hosts, including those
running Microsoft Windows or Unix variants such as Linux and Apple Mac OS X, as
well as a variety of applications and services/daemons.
The workflow of a vulnerability scan is as follows: parsing scan settings, detecting live
hosts, scanning ports (if required), scanning the OS (if required), performing the
service scan, and then performing the vulnerability scan with the specified FIDs.
This section includes the following topics:
How to use Network Vulnerability Scan
Configuring host assets
Discovering network host assets
Preparing for authenticated scanning
Configuring vulnerability scans
Viewing scan results
Note: SQL database storage must be enabled to perform network vulnerability scans. See
Configuring SQL database storage on page 111 for more information.
Network Vulnerability Scan Platform Support
FortiAnalyzer v4.0 MR3 Patch Release 2 Administration Guide
05-432-164257-20120229 243
http://docs.fortinet.com/ Feedback
Platform Support
FortiAForti
How to use Network Vulnerability Scan
To configure vulnerability scan, follow these general steps:
1 Define which host assets that you want to scan. You can do this either manually or
automatically, by performing a discovery scan. For details, see Configuring host
assets on page 243 or Discovering network host assets on page 245.
2 Prepare for network vulnerability scan. For more information, see Preparing for
authenticated scanning on page 246.
3 Schedule network vulnerability scans. For more information, see Configuring
vulnerability scans on page 248.
4 View scan results. For more information, see Viewing scan results on page 252.
Configuring host assets
Network Vulnerability Scan > Asset Definition > Asset Definition displays the list of
known host assets. An asset is a server or workstation computer on your network.
Before the FortiAnalyzer unit can scan your hosts for vulnerabilities, you must define
your host assets. You can either add hosts to this list manually, or, alternatively,
discover them through a network map scan. For details, see Discovering network host
assets on page 245.
Table 16: Platform support
Platform Supported Max. Hosts to Scan No. Concurrent Scans
FortiAnalyzer-100B Yes 200 4
FortiAnalyzer-100C Yes 200 4
FortiAnalyzer-400 No N/A N/A
FortiAnalyzer-400B Yes 500 8
FortiAnalyzer-800 Yes 1000 8
FortiAnalyzer-800B Yes 1000 8
FortiAnalyzer-1000B Yes 2000 16
FortiAnalyzer-1000C Yes 2000 16
FortiAnalyzer-2000 Yes Unlimited (65535) 20
FortiAnalyzer-2000A Yes Unlimited (65535) 20
FortiAnalyzer-2000B Yes Unlimited (65535) 20
FortiAnalyzer-4000A Yes Unlimited (65535) 32
FortiAnalyzer-4000B Yes Unlimited (65535) 32
FortiAnalyzer-VM Yes Unlimited (65535) 32
FortiAnalyzer-VM64 Yes Unlimited (65535) 32
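Before scheduling scans it is worth checking that the asset definitions fit the platform limit in Table 16 and that each asset is well formed (names without spaces, valid addresses, ranges in the right order). The following Python is an added example, not code from the guide or from Fortinet; the limit table is copied from Table 16, a Range is assumed to count both end addresses inclusively, and the sample assets are constructed from RFC 5737 documentation addresses.

```python
import ipaddress

# Max. Hosts to Scan per platform, copied from Table 16 above.
# "Unlimited (65535)" is stored as 65535; None marks a platform on which the
# vulnerability scan is not supported (FortiAnalyzer-400).
MAX_HOSTS_TO_SCAN = {
    "FortiAnalyzer-100B": 200, "FortiAnalyzer-100C": 200,
    "FortiAnalyzer-400": None, "FortiAnalyzer-400B": 500,
    "FortiAnalyzer-800": 1000, "FortiAnalyzer-800B": 1000,
    "FortiAnalyzer-1000B": 2000, "FortiAnalyzer-1000C": 2000,
    "FortiAnalyzer-2000": 65535, "FortiAnalyzer-2000A": 65535,
    "FortiAnalyzer-2000B": 65535, "FortiAnalyzer-4000A": 65535,
    "FortiAnalyzer-4000B": 65535, "FortiAnalyzer-VM": 65535,
    "FortiAnalyzer-VM64": 65535,
}


def validate_asset_name(name):
    """Asset names cannot contain spaces (Name field of the host asset dialog)."""
    return bool(name) and " " not in name


def asset_host_count(asset):
    """Number of IPv4 addresses an asset covers.

    `asset` is a dict mirroring the host asset dialog: type "Host" with a
    "host" address, or type "Range" with "first" and "last" addresses.
    A Range is counted inclusively of both ends (assumption, not stated in
    the guide). Raises ValueError for malformed or reversed input.
    """
    if asset["type"] == "Host":
        ipaddress.IPv4Address(asset["host"])  # raises ValueError if malformed
        return 1
    if asset["type"] == "Range":
        first = ipaddress.IPv4Address(asset["first"])
        last = ipaddress.IPv4Address(asset["last"])
        if last < first:
            raise ValueError("range end %s precedes range start %s" % (last, first))
        return int(last) - int(first) + 1
    raise ValueError("unknown asset type %r" % asset["type"])


def check_scan_capacity(platform, assets):
    """Check a list of host assets against the platform's Max. Hosts to Scan.

    Returns the total host count, the platform limit, a list of per-asset
    errors (bad names, malformed or reversed addresses) and an overall 'ok'
    flag that is True only when the platform supports the scan, every asset
    is valid and the total is within the limit.
    """
    if platform not in MAX_HOSTS_TO_SCAN:
        raise ValueError("unknown platform %r" % platform)
    limit = MAX_HOSTS_TO_SCAN[platform]
    errors = []
    total = 0
    for asset in assets:
        name = asset.get("name", "")
        if not validate_asset_name(name):
            errors.append("asset %r: name is empty or contains spaces" % name)
        try:
            total += asset_host_count(asset)
        except (KeyError, ValueError) as exc:
            errors.append("asset %r: %s" % (name, exc))
    supported = limit is not None
    return {
        "platform": platform,
        "supported": supported,
        "limit": limit,
        "total_hosts": total,
        "errors": errors,
        "ok": supported and not errors and total <= limit,
    }


if __name__ == "__main__":
    # Constructed sample assets (RFC 5737 documentation addresses).
    sample = [
        {"name": "dmz-web", "type": "Range", "first": "192.0.2.0", "last": "192.0.2.255"},
        {"name": "jump host", "type": "Host", "host": "198.51.100.7"},
    ]
    print(check_scan_capacity("FortiAnalyzer-100B", sample))
```

The check deliberately collects errors instead of stopping at the first one, so an administrator can fix every asset definition in one pass before creating the schedule.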
Figure 132: Host asset list
Create New: Select to add a host asset. See To add a host asset on page 244.
View: Select an asset and click View to display the scan result of this asset,
including the host IP address and host discovery method.
Discover Assets: Select one or more assets and click Discover Assets to discover these
assets. See Discovering network host assets on page 245.
Start Scan: Select one or more assets and click Start Scan to scan these assets in one of
three modes:
• Quick: check only the most commonly used ports
• Standard: check the ports used by most known applications
• Full: check all TCP and UDP ports
For a detailed list of the TCP and UDP ports examined by each scan mode, see Table 17
on page 249.
Name: The host name.
Type: The type of the host: IP address or IP address range.
IP Address/Range: The IP address of the host, or the IP address range of the hosts.
Right-click Menu: Right-click a row to show a context menu for performing some actions.
To add a host asset
1 Go to Network Vulnerability Scan > Asset Definition > Asset Definition.
2 Click Create New.
3 Enter the appropriate information and click OK.
Discovering network host assets
The simplest way to build the asset list is to perform a discovery scan on the range of
IP addresses where your network assets are installed. A discovered host can then be
scanned for vulnerabilities.
Asset discovery scans the following ports:
TCP: 21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445
UDP: 53, 111, 135, 137, 161, 500
To discover assets
1 Go to Network Vulnerability Scan > Asset Definition > Asset Definition and select
one or more of the assets you added. See To add a host asset on page 244.
2 Click Discover Assets.
Three discovery options appear:
• Quick: Uses ARP and PING to quickly discover hosts on a local network, or through
a gateway (PING only).
• Standard: The default option. A more thorough scan that also finds hosts with other
standard ports open. In addition to ARP and PING, other standard ports are tested to
determine whether a host is present.
• Full: Tests the full port range from 1 to 65535, attempting to identify hosts with any
open port.
3 Select an option and click Start Scan.
Depending on the number of computers to be discovered, the scan can take several
minutes, until the Web-based Manager reports Discover Is Completed. You can select
Scan Results to view the discovered host IP address and the discovery method used.
The following settings are available when you add a host asset:
Name: The name of the host. Names cannot contain spaces.
Type: Select Host for a single host, or Range for multiple hosts in a contiguous IP
address range.
Host: If you set Type to Host, enter the host IP address.
IP Address: If you set Type to Range, enter the first and last IP addresses of the range.
All the hosts within the range will be included in the host asset.
Windows Authentication: Select to use authentication on a Windows operating system.
Enter the username and password in the fields provided. For more information, see
Preparing for authenticated scanning on page 246.
UNIX Authentication: Select to use authentication on a Unix operating system. Enter the
username and password in the fields provided. For more information, see Preparing for
authenticated scanning on page 246.
Customize Discovery Method
• Basic: ARP and ping are used to quickly find hosts on a local network or through a
gateway (ping only).
• Extended: More advanced scanning to discover hosts with standard ports open. In
addition to ARP and ping, other standard ports are tested to determine whether a host
is present.
Preparing for authenticated scanning
You can configure the FortiAnalyzer unit to perform an authenticated network scan, which
provides authenticated host-level configuration and security data.
Authenticated scanning is optional but recommended. With an authenticated scan, the
FortiAnalyzer unit can log in to a target host and obtain system information that would
otherwise not be available. For example, the FortiAnalyzer unit can detect installed
service packs, hot fixes, security upgrades, and package versions and patches. It can
more accurately detect the operating system, such as the Windows version, and the
particular distribution and product on each host, such as the various Linux distributions.
With the information gathered, the FortiAnalyzer unit can perform a more in-depth
vulnerability analysis, since many vulnerabilities can only be detected by an authenticated
scan.
Depending on your configuration, a regular (unauthenticated) network scan may not be
thorough, as it may be limited to a port scan or unable to accurately complete certain
probes.
The effectiveness of an authenticated scan is determined by the level of access the
FortiAnalyzer unit obtains to the host operating system. Rather than using the system
administrator's account, it might be more convenient to set up a separate account for
the exclusive use of the vulnerability scanner with a password that does not change.
This section describes the requirements for Microsoft Windows hosts and Unix hosts
for authenticated scanning.
Microsoft Windows hosts, domain scanning
The user account provided for authentication must:
• have administrator rights
• be a Security type of account
• have global scope
• belong to the Domain Administrators group
• meet the Group Policy requirements listed below.
Group Policy - Security Options
In the Group Policy Management Editor, go to Computer Configuration > Windows
Settings > Security Settings > Local Policies > Security Options.
Setting | Value
Network access: Sharing and security model for local accounts | Classic
Accounts: Guest account status | Disabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Group Policy - System Services
In the Group Policy Management Editor, go to Computer Configuration > Windows
Settings > Security Settings > System Services.
Setting | Value
Remote registry | Automatic
Server | Automatic
Windows Firewall | Automatic
Group Policy - Administrative Templates
In the Group Policy Management Editor, go to Computer Configuration >
Administrative Templates > Network > Network Connections > Windows Firewall >
Domain Profile.
Setting | Value
Windows Firewall: Protect all network connections | Disabled
or
Setting | Value
Windows Firewall: Protect all network connections | Enabled
Windows Firewall: Allow remote administration exception | Enabled
  Allow unsolicited messages from: * (1)
Windows Firewall: Allow file and printer sharing exception | Enabled
  Allow unsolicited messages from: * (1)
Windows Firewall: Allow ICMP exceptions | Enabled
  Allow unsolicited messages from: * (1)
(1) Windows prompts you for a range of IP addresses. Enter either * or the IP address of
the FortiAnalyzer unit that is performing the vulnerability scan.
Microsoft Windows hosts, local (non-domain) scanning
The user account provided for authentication must:
• be a local account
• belong to the Administrators group
The host must also meet the following requirements:
• Server service must be enabled. (Windows 2000, 2003, XP)
• Remote Registry Service must be enabled.
• File Sharing must be enabled.
• Public folder sharing must be disabled. (Windows 7)
• Simple File Sharing (SFS) must be disabled. (Windows XP)
Windows firewall settings
• Enable the Remote Administration Exception in Windows Firewall. (Windows 2003,
Windows XP)
• Allow File and Print sharing and Remote Administration traffic to pass through the
firewall. Specify the IP address or subnet of the FortiAnalyzer unit that is performing
the vulnerability scan. (Windows Vista, 2008)
• For each of the active Inbound Rules in the File and Printer Sharing group, set the
Remote IP address under Scope to either Any IP address or to the IP address or
subnet of the FortiAnalyzer unit that is performing the vulnerability scan.
(Windows 7)
Unix hosts
The user account provided for authentication must, at a minimum, be able to execute
these commands:
• The account must be able to execute uname in order to detect the platform for
packages.
• If the target is running Red Hat, the account must be able to read
/etc/redhat-release and execute rpm.
• If the target is running Debian, the account must be able to read
/etc/debian-version and execute dpkg.
Configuring vulnerability scans
You can configure regular network scans on a daily, weekly, or monthly basis. There are
three scan modes. Full scan checks every TCP and UDP port and takes the most time.
Standard scan checks the ports used by most known applications. Quick scan checks
only the most commonly used ports. For a detailed list of the TCP and UDP ports
examined by each scan mode, see Table 17 on page 249.
You can also initiate the configured scan manually.
Table 17: Ports scanned in each scan mode
Standard Scan
TCP: 1-3, 5, 7, 9, 11, 13, 15, 17-25, 27, 29, 31, 33, 35, 37-39, 41-223, 242-246, 256-265,
280-282, 309, 311, 318, 322-325, 344-351, 363, 369-581, 587, 592-593, 598, 600, 606-620,
624, 627, 631, 633-637, 666-674, 700, 704-705, 707, 709-711, 729-731, 740-742, 744,
747-754, 758-765, 767, 769-777, 780-783, 786, 799-801, 860, 873, 886-888, 900-901, 911,
950, 954-955, 990-993, 995-1001, 1008, 1010-1011, 1015, 1023-1100, 1109-1112, 1114, 1123,
1155, 1167, 1170, 1207, 1212, 1214, 1220-1222, 1234-1236, 1241, 1243, 1245, 1248, 1269,
1313-1314, 1337, 1344-1625, 1636-1774, 1776-1815, 1818-1824, 1901-1909, 1911-1920,
1944-1951, 1973, 1981, 1985-2028, 2030, 2032-2036, 2038, 2040-2049, 2053, 2065, 2067,
2080, 2097, 2100, 2102-2107, 2109, 2111, 2115, 2120, 2140, 2160-2161, 2201-2202, 2213,
2221-2223, 2232-2239, 2241, 2260, 2279-2288, 2297, 2301, 2307, 2334, 2339, 2345, 2381,
2389, 2391, 2393-2394, 2399, 2401, 2433, 2447, 2500-2501, 2532, 2544, 2564-2565, 2583,
2592, 2600-2605, 2626-2627, 2638-2639, 2690, 2700, 2716, 2766, 2784-2789, 2801,
2908-2912, 2953-2954, 2998, 3000-3002, 3006-3007, 3010-3011, 3020, 3047-3049, 3080,
3127-3128, 3141-3145, 3180-3181, 3205, 3232, 3260, 3264, 3267-3269, 3279, 3306,
3322-3325, 3333, 3340, 3351-3352, 3355, 3372, 3389, 3421, 3454-3457, 3689-3690, 3700,
3791, 3900, 3984-3986, 4000-4002, 4008-4009, 4080, 4092, 4100, 4103, 4105, 4107,
4132-4134, 4144, 4242, 4321, 4333, 4343, 4443-4454, 4500-4501, 4567, 4590, 4626, 4651,
4660-4663, 4672, 4899, 4903, 4950, 5000-5005, 5009-5011, 5020-5021, 5031, 5050, 5053,
5080, 5100-5101, 5145, 5150, 5190-5193, 5222, 5236, 5300-5305, 5321, 5400-5402, 5432,
5510, 5520-5521, 5530, 5540, 5550, 5554-5558, 5569, 5599-5601, 5631-5632, 5634,
5678-5679, 5713-5717, 5729, 5742, 5745, 5755, 5757, 5766-5767, 5800-5802, 5900-5902,
5977-5979, 5997-6053, 6080, 6103, 6110-6112, 6123, 6129, 6141-6149, 6253, 6346, 6387,
6389, 6400, 6455-6456, 6499-6500, 6515, 6558, 6588, 6660-6670, 6672-6673, 6699, 6767,
6771, 6776, 6831, 6883, 6912, 6939, 6969-6970, 7000-7021, 7070, 7080, 7099-7100, 7121,
7161, 7174, 7200-7201, 7300-7301, 7306-7308, 7395, 7426-7431, 7491, 7511, 7777-7778,
7781, 7789, 7895, 7938, 7999-8020, 8023, 8032, 8039, 8080-8082, 8090, 8100, 8181, 8192,
8200, 8383, 8403, 8443, 8450, 8484, 8732, 8765, 8886-8894, 8910, 9000-9001, 9005, 9043,
9080, 9090, 9098-9100, 9400, 9443, 9535, 9872-9876, 9878, 9889, 9989-10000, 10005, 10007,
10080-10082, 10101, 10520, 10607, 10666, 11000, 11004, 11223, 12076, 12223, 12345-12346,
12361-12362, 12456, 12468-12469, 12631, 12701, 12753, 13000, 13333, 14237-14238, 15858,
16384, 16660, 16959, 16969, 17007, 17300, 18000, 18181-18186, 18190-18192, 18194,
18209-18210, 18231-18232, 18264, 19541, 20000-20001, 20011, 20034, 20200, 20203, 20331,
21544, 21554, 21845-21849, 22222, 22273, 22289, 22305, 22321, 22555, 22800, 22951,
23456, 23476-23477, 25000-25009, 25252, 25793, 25867, 26000, 26208, 26274, 27000-27009,
27374, 27665, 29369, 29891, 30029, 30100-30102, 30129, 30303, 30999, 31336-31337, 31339,
31554, 31666, 31785, 31787-31788, 32000, 32768-32790, 33333, 33567-33568, 33911, 34324,
37651, 40412, 40421-40423, 42424, 44337, 47557, 47806, 47808, 49400, 50505, 50766,
51102, 51107, 51112, 53001, 54321, 57341, 60008, 61439, 61466, 65000, 65301, 65512
UDP: 7, 9, 13, 17, 19, 21, 37, 53, 67-69, 98, 111, 121, 123, 135, 137-138, 161, 177, 371, 389,
407, 445, 456, 464, 500, 512, 514, 517-518, 520, 555, 635, 666, 858, 1001, 1010-1011, 1015,
1024-1049, 1051-1055, 1170, 1243, 1245, 1434, 1492, 1600, 1604, 1645, 1701, 1807, 1812,
1900, 1978, 1981, 1999, 2001-2002, 2023, 2049, 2115, 2140, 2801, 3024, 3129, 3150, 3283,
3527, 3700, 3801, 4000, 4092, 4156, 4569, 4590, 4781, 5000-5001, 5036, 5060, 5321,
5400-5402, 5503, 5569, 5632, 5742, 6073, 6502, 6670, 6771, 6912, 6969, 7000, 7300-7301,
7306-7308, 7778, 7789, 7938, 9872-9875, 9989, 10067, 10167, 11000, 11223, 12223,
12345-12346, 12361-12362, 15253, 15345, 16969, 20001, 20034, 21544, 22222, 23456, 26274,
27444, 30029, 31335, 31337-31339, 31666, 31785, 31789, 31791-31792, 32771, 33333, 34324,
40412, 40421-40423, 40426, 47262, 50505, 50766, 51100-51101, 51109, 53001, 61466, 65000
Full Scan: All TCP and UDP ports (1-65535)
Quick Scan
TCP: 11, 13, 15, 17, 19-23, 25, 37, 42, 53, 66, 69-70, 79-81, 88, 98, 109-111, 113, 118-119,
123, 135, 139, 143, 220, 256-259, 264, 371, 389, 411, 443, 445, 464-465, 512-515, 523-524,
540, 548, 554, 563, 580, 593, 636, 749-751, 873, 900-901, 990, 992-993, 995, 1080, 1114,
1214, 1234, 1352, 1433, 1494, 1508, 1521, 1720, 1723, 1755, 1801, 2000-2001, 2003, 2049,
2301, 2401, 2447, 2690, 2766, 3128, 3268-3269, 3306, 3372, 3389, 4100, 4443-4444,
4661-4662, 5000, 5432, 5555-5556, 5631-5632, 5634, 5800-5802, 5900-5901, 6000, 6112,
6346, 6387, 6666-6667, 6699, 7007, 7100, 7161, 7777-7778, 8000-8001, 8010, 8080-8081,
8100, 8888, 8910, 9100, 10000, 12345-12346, 20034, 21554, 32000, 32768-32790
UDP: 7, 13, 17, 19, 37, 53, 67-69, 111, 123, 135, 137, 161, 177, 407, 464, 500, 517-518, 520,
1434, 1645, 1701, 1812, 2049, 3527, 4569, 4665, 5036, 5060, 5632, 6502, 7778, 15345
To view the scheduled scan list, go to Network Vulnerability Scan > Scan Schedule.
Figure 133: Scan schedule list.
Create New Select to add a scan schedule. See To schedule a scan on page 251.
Start Scan Select a schedule and click Start Scan to initiate an on-demand scan and
override the schedule.
Stop Select to stop an on-demand scan.
Pause Select to pause an on-demand scan.
Resume Select to resume an on-demand scan.
Name The name of the scheduled scan.
Target The assets selected for scanning.
Schedule The scheduled scan time.
Status The status of the scan process.
Progress The progress of the scan process.
To schedule a scan
1 Go to Network Vulnerability Scan > Scan Schedule.
2 Click Create New and enter the following information.
Name: Enter a name for this scan schedule.
Available Assets: The current host assets. See Configuring host assets on page 243.
Select an asset and click the right arrow to move it into the Member Assets field to
be scanned.
Member Assets: The host assets moved from the Available Assets field into this field
for scanning.
Vulnerability Scan Mode: Select a scan mode.
• Quick: check only the most commonly used ports
• Standard: check the ports used by most known applications
• Full: check all TCP and UDP ports
For a detailed list of the TCP and UDP ports examined by each scan mode, see Table 17
on page 249.
Schedule
Enable Schedule: Select to enable the scan schedule.
Recurrence: Select Daily, Weekly, or Monthly. If you select Weekly, the Day of Week
drop-down list appears. If you select Monthly, the Day of Month drop-down list
appears.
Suspend scan between: If you want to stop scanning for a certain time period, enter
the time.
Advanced: Select to enable the following scan options if required:
• TCP port scan
• UDP port scan
• OS detection
• Service detection
3 Click OK.
Viewing scan results
The results of network scanning are available as summary graphs and log entries.
To view the scan result list, go to Network Vulnerability Scan > Vulnerability Result >
Vulnerability Result.
Figure 134: Scan result list.
View: Select to display a selected scan result.
Name: The name of the scan result. The results include on-demand and scheduled
scans.
Start Time: The time when the scan started.
End Time: The time when the scan ended.
Status: The progress of the scan.
Total Hosts: The total number of hosts scanned.
To view a scan result
1 Go to Network Vulnerability Scan > Vulnerability Result > Vulnerability Result.
2 Select a scan result and click View.
The network vulnerability scan report appears in the right-hand pane. Select a host in
the Host Name pane to view its vulnerability information.
(Scan) Name: The name of the scan result.
Start Time: The time when the scan started.
End Time: The time when the scan ended.
Status: The progress of the scan.
Total Hosts: The total number of hosts scanned.
(Host) Name: The name of the scanned host. If the scanned host's type is Host, one
host name appears. If the scanned host's type is Range, the names of the hosts in the
IP range appear. For more information about host type, see Configuring host assets
on page 243.
IP Address: The IP address of the scanned host.
OS Version: The version of the operating system of the scanned host.
Vulnerability Level: The vulnerability rating of the scanned host.
Total Vulnerabilities: The total number of vulnerabilities found on the host.
Vulnerability: The name of the vulnerability detected.
ID: Select the ID to view the details of the vulnerability in the FortiGuard Center.
Category: The category that the vulnerability belongs to.
Severity: The severity level of the vulnerability.
Port: The port of the host that was scanned to detect the vulnerability.
12. Tools
The Tools menu provides the ability to view the files on your FortiAnalyzer unit using
the File Explorer, and to view packets on your network using the Network Analyzer.
By default, the Tools menu is hidden. To make it visible, go to System > Admin >
Settings and enable Show Network Analyzer, and enable Show File Explorer. For
details, see Configuring the Web-based Manager's global settings on page 109.
This section contains the following topics:
Network Analyzer
File Explorer
Network Analyzer
Network Analyzer can be used as an enhanced local network traffic sniffer to diagnose
areas of the network where firewall policies may require adjustment, or where traffic
anomalies occur.
Network Analyzer logs all traffic seen by the interface for which it is enabled. If that
network interface is connected to the span port of a switch, observed traffic will
include all traffic sent through the switch by other hosts. You can then locate traffic that
should be blocked, or that contains other anomalies.
All captured traffic information is saved to the FortiAnalyzer hard disk. You can then
display this traffic information directly, search it, or generate reports from it.
This section describes how to enable and view traffic captured by the Network
Analyzer. It also describes Network Analyzer log storage configuration options.
Network Analyzer is not visible under the Tools menu until it is enabled in System >
Admin > Settings.
Connecting the FortiAnalyzer unit to analyze network traffic
You usually first connect your FortiAnalyzer unit to a hub or the span (or mirroring) port
of an Ethernet switch to sniff traffic with your FortiAnalyzer unit. Both the management
and sniffing ports can be connected to the same switch.
Figure 135: Example network topology for Network Analyzer use
To connect the FortiAnalyzer unit for use with Network Analyzer
1 Connect an Ethernet cable to a port on the FortiAnalyzer unit other than the port
used to collect device logs.
For example, if you receive logs and quarantined files on port1, you might use
Network Analyzer on port2. Using a separate port for sniffing prevents log and
quarantine traffic from cluttering Network Analyzer messages, and enables you to
analyze networks without tampering with network settings related to normal logging
and quarantine activity.
2 Connect the other end of the Ethernet cable to the span or mirroring port of an
Ethernet switch.
If connected to the span or mirror port of a switch, Network Analyzer can observe
all traffic passing through the switch.
3 In the Web-based Manager, go to System > Admin > Settings > GUI Menu
Customization, enable Show Network Analyzer and select Apply.
Figure 136: Enable Network Analyzer in GUI Menu Customization.
4 In the Web-based Manager, go to System > Network > Interface.
5 If the interface you will use with Network Analyzer is currently down, select Bring Up
to enable it.
6 Select Edit for the interface you will use with Network Analyzer.
7 In the IP/Netmask field, enter the IP address and netmask for the interface, such as
100.20.10.110/255.255.255.0.
8 Select OK.
You can now configure Network Analyzer settings in Tools > Network Analyzer >
Config.
Figure 137: Configure Network Analyzer settings.
Viewing Network Analyzer log messages
After attaching a FortiAnalyzer unit interface to the network and enabling the Network
Analyzer for that interface, traffic information appears.
The Network Analyzer's log viewers display logs of traffic seen by the network interface
you have configured for use with Network Analyzer, focusing on specific time frames.
The Network Analyzer has two types of log viewing options:
Realtime displays the Network Analyzer log messages of traffic most recently
observed by the network interface for which Network Analyzer is enabled. The
display refreshes every few seconds, and contains only the most current activity.
Historical displays all Network Analyzer log messages whose time stamps are
within your specified time frame.
Viewing current Network Analyzer log messages
The realtime logs in Network Analyzer update continually, displaying the most recent
traffic observed by the Network Analyzer.
To view the most recent traffic, go to Tools > Network Analyzer > Historical and select
the Realtime Log icon.
You can view the details of a log message by double-clicking any of its columns.
Figure 138: Realtime Network Analyzer logs (toolbar: Historical Log, Pause/Resume,
Column Settings, Search)
Type The type of log you are viewing.
Historical Log Select to view the historical Network Analyzer log messages. For more
information, see Viewing historical Network Analyzer log messages on
page 258.
Pause Select to stop updating the realtime logs.
Column Settings Select to change the columns to view and the order they appear on the
page. For more information, see Displaying and arranging log columns
on page 262.
Search Enter a keyword to perform a simple search on the available log
information, then press the Enter key to begin the search.
Last Activity The date and time the traffic was transmitted.
Src The IP address of the sender of the traffic.
Dst The IP address of the recipient of the traffic.
Src Port The port a UDP or TCP packet was being sent from.
Dst Port The port a UDP or TCP packet was being sent to.
Protocol The protocol used when sending the traffic.
Message Information payload of the traffic sent through the switch.
View n per page Select the number of rows of log entries to display per page.
Change Display Options
Resolve Host Name: Select to display host names by a recognizable name rather than IP
addresses. For more information about configuring IP address host names, see
Configuring IP aliases on page 127.
Resolve Service Select to display the network service names rather than the port numbers,
such as HTTP rather than port 80.
Formatted Select to display the Network Analyzer log files in columnar format. This
is the default view. For more information, see Customizing the Network
Analyzer log view on page 261.
Raw Select to display the Network Analyzer log information as it actually
appears in the log file. For more information, see Customizing the
Network Analyzer log view on page 261.
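The point of the log columns above (Src, Dst, Src Port, Dst Port, Protocol, Message) is to find traffic on the monitored segment that the firewall policy should have blocked, or that looks anomalous. The following Python is an added example, not code from the guide or from Fortinet. It assumes a simple comma-separated line layout with one field per column (the real on-disk Network Analyzer format is not shown in the guide), a constructed sample capture using RFC 5737 documentation addresses, an assumed per-segment allow list of destination port/protocol pairs, and a small port-to-name table standing in for the Resolve Service display option.

```python
from collections import defaultdict

# Constructed sample capture: one field per Realtime log column (Last Activity,
# Src, Dst, Src Port, Dst Port, Protocol, Message). The last line is deliberately
# truncated to show how a malformed record is handled.
SAMPLE_LOG = """\
2012-02-29 10:15:01,192.0.2.10,198.51.100.5,51234,80,tcp,HTTP GET /index.html
2012-02-29 10:15:02,192.0.2.10,198.51.100.5,51235,443,tcp,TLS client hello
2012-02-29 10:15:05,192.0.2.44,198.51.100.5,40001,23,tcp,telnet login prompt
2012-02-29 10:15:06,192.0.2.44,198.51.100.5,40002,445,tcp,SMB negotiate
2012-02-29 10:15:06,192.0.2.44,198.51.100.5,40003,3389,tcp,RDP connection request
2012-02-29 10:15:07,192.0.2.44,198.51.100.5,40004,22,tcp,SSH banner
2012-02-29 10:15:09,192.0.2.10,198.51.100.53,51236,53,udp,DNS query www.example.com
2012-02-29 10:15:10,192.0.2.10
"""

# Assumed firewall policy for the monitored segment: only these destination
# port/protocol pairs are expected to reach the hosts behind the span port.
SEGMENT_POLICY = {(80, "tcp"), (443, "tcp"), (53, "udp")}

# Minimal port-to-name table, the same idea as the Resolve Service option.
SERVICE_NAMES = {22: "SSH", 23: "TELNET", 53: "DNS", 80: "HTTP",
                 443: "HTTPS", 445: "SMB", 3389: "RDP"}

FIELDS = ("last_activity", "src", "dst", "src_port", "dst_port", "protocol", "message")


def parse_log(text):
    """Parse raw lines into dicts keyed by column name; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(",", 6)  # the Message field may itself contain commas
        if len(parts) != len(FIELDS):
            continue  # truncated or malformed line: skip rather than abort
        rec = dict(zip(FIELDS, parts))
        try:
            rec["src_port"] = int(rec["src_port"])
            rec["dst_port"] = int(rec["dst_port"])
        except ValueError:
            continue
        rec["protocol"] = rec["protocol"].lower()
        records.append(rec)
    return records


def resolve_service(port):
    """Service name for a port, or the port number as text if unknown."""
    return SERVICE_NAMES.get(port, str(port))


def violations(records, policy):
    """Records whose destination port/protocol is outside the segment policy:
    traffic the firewall should have blocked."""
    return [r for r in records if (r["dst_port"], r["protocol"]) not in policy]


def port_sweeps(records, threshold=4):
    """(src, dst) pairs where one source touched at least `threshold` distinct
    destination ports on one host: a simple anomaly indicator."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["src"], r["dst"])].add(r["dst_port"])
    return {pair: sorted(ports) for pair, ports in seen.items()
            if len(ports) >= threshold}


def describe(rec):
    """One-line summary of a record with the service name resolved."""
    return "%s %s:%d -> %s:%s/%s %s" % (
        rec["last_activity"], rec["src"], rec["src_port"], rec["dst"],
        resolve_service(rec["dst_port"]), rec["protocol"], rec["message"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in violations(recs, SEGMENT_POLICY):
        print("POLICY:", describe(r))
    for (src, dst), ports in port_sweeps(recs).items():
        print("SWEEP: %s -> %s ports %s" % (src, dst, ports))
```

On the sample, the four records from 192.0.2.44 fall outside the segment policy and the same source also trips the port sweep indicator; the two web requests and the DNS query pass, and the truncated last line is dropped without stopping the run.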
Viewing historical Network Analyzer log messages
The Historical tab in Tools > Network Analyzer displays Network Analyzer logs for a
specific time range. When viewing log messages, you can filter the information to find
specific traffic information.
To view a historical Network Analyzer log, go to Tools > Network Analyzer > Historical
and then select the log you want to view. You can view the details of a log message by
double-clicking any of its columns.
Figure 139: Historical Network Analyzer logs
Type The type of log you are viewing.
Timeframe Select the time frame during which you want to view the logs.
Realtime Log Select to view the realtime Network Analyzer log messages. For more
information, see Viewing current Network Analyzer log messages on
page 256.
Column Settings Select to change the columns to view and the order they appear on the
page. For more information, see Displaying and arranging log columns
on page 262.
Printable Version Select to download an HTML file containing all log messages that match
the current filters. The HTML file is formatted to be printable.
Time required to generate and download large reports varies by the total
amount of log messages, the complexity of any search criteria, the
specificity of your column filters, and the speed of your network
connection.
Download Current
View
Select to download only those log messages which are currently visible,
according to enabled filters.
Search Enter a keyword to perform a simple search on the log information
available. Press Enter to begin the search.
Advanced Select to search the Network Analyzer log files for matching text using
two search types: Quick Search and Full Search. For more information,
see Searching the Network Analyzer logs on page 265.
Last Activity The date and time the traffic was transmitted.
Src The IP address of the sender of the traffic.
Dst The IP address of the recipient of the traffic.
Src Port The port a UDP or TCP packet was being sent from.
Dst port The destination port of the traffic.
Protocol The protocol used when sending the traffic.
Message: Information payload of the traffic sent through the switch.
View n per page: Select the number of rows of log entries to display per page.
Current page: By default, the first page of log messages is displayed. The total
number of pages appears after the current page number. For example, if 2 of 10
appears, you are currently viewing page 2 of 10 pages.
To view pages, select the left and right arrows to display the first, previous, next,
or last page.
To view a specific page, enter the page number in the field and then press Enter.
Change Display Options
Resolve Host Name: Select to display host names by a recognizable name rather than IP
addresses. For more information about configuring IP address host names, see
Configuring IP aliases on page 127.
Resolve Service: Select to display the network service names rather than the port
numbers, such as HTTP rather than port 80.
Formatted: Select to display the Network Analyzer log files in columnar format. This is
the default view. For more information, see Customizing the Network Analyzer log view
on page 261.
Raw: Select to display the Network Analyzer log information as it actually appears in
the log file. For more information, see Customizing the Network Analyzer log view on
page 261.
Browsing Network Analyzer log files
The Browse tab in Tools > Network Analyzer lets you see all stored Network Analyzer
log files, view the Network Analyzer logs, download log files to your hard disk or delete
unneeded files.
When a log file reaches its maximum size, or reaches the scheduled time, the
FortiAnalyzer rolls the active log file by renaming the file. The file name will be in the
form of xlog.N.log, where x is a letter indicating the log type and N is a unique
number corresponding to the time the first log entry was received.
For more information about setting the maximum file size and log rolling options, see
Rolling and uploading Network Analyzer logs on page 267.
To view the log file list, go to Tools > Network Analyzer > Browse.
Figure 140: Network analyzer log file list
Viewing Network Analyzer log file contents
The Browse tab enables you to view all log messages within Network Analyzer log files.
If you display the log messages in formatted view, you can display and arrange columns
and/or filter log messages by column contents. For more information, see Customizing
the Network Analyzer log view on page 261.
To view a log file
1 Go to Tools > Network Analyzer > Browse.
2 Select a log file and then select Display.
The log files contents appear. For more information on understanding the log file
contents, see Viewing Network Analyzer log messages on page 256.
Downloading a Network Analyzer log file
You can download a log file to save it as a backup or for use outside the FortiAnalyzer
unit. You can choose to download either the entire file or only log messages selected
by filtering.
To download a whole log file
1 Go to Tools > Network Analyzer > Browse.
2 Select a log file.
3 Click Download.
4 Select any of the following download options you want and click OK.
5 If prompted by your web browser, select a location to save the file, or open it
without saving.
Display Select to view the contents of the selected log file.
Download Select to save the selected log file to your local hard disk.
From The date and time when the FortiAnalyzer unit starts to generate the log file.
To The date and time when the FortiAnalyzer unit completes generating the log file
when the file reaches its maximum size or the scheduled time.
Size (bytes) The size of the log file.
Log file format Downloads the log in text (.txt), comma-separated value (.csv), or
standard .log (native) format. Each log element is separated by a
comma. CSV files can be viewed in spreadsheet applications.
Compress with
gzip
Compress the .log or .csv file with gzip compression. For example,
downloading a log-formatted file with gzip compression would result in a
download with the file extension .log.gz.
Tools Network Analyzer
FortiAnalyzer v4.0 MR3 Patch Release 2 Administration Guide
05-432-164257-20120229 261
http://docs.fortinet.com/ Feedback
To download a partial (filtered) log file
1 Go to Tools > Network Analyzer > Browse.
2 Select a log file.
3 Click Display.
Figure 141: Download a partial (filtered) log file
4 Select a filter icon to restrict the current view to only items which match your
criteria, then select OK. For more information about filtering information, see
Filtering logs on page 169.
5 Select Download Current View.
6 Select any of the download options you want and click OK.
Log file format Downloads the log in text (.txt), comma-separated value (.csv), or
standard .log (native) format. Each log element is separated by a
comma. CSV files can be viewed in spreadsheet applications.
Compress with gzip Compress the .log or .csv file with gzip compression. For example,
downloading a log-formatted file with gzip compression would result in a
download with the file extension .log.gz.
7 If prompted by your web browser, select a location to save the file, or open it
without saving.
Customizing the Network Analyzer log view
Log messages can be displayed in either raw or formatted view.
Raw view displays log messages exactly as they appear in the log file.
Formatted view displays log messages in a columnar format. Each log field in a log
message appears in its own column, aligned with the same field in other log
messages, for rapid visual comparison. When displaying log messages in formatted
view, you can customize the log view by hiding, displaying and arranging columns
and/or by filtering columns, refining your view to include only those log messages
and fields that you want to see.
To display logs in raw or formatted view
1 Go to a page which displays log messages, such as Tools > Network Analyzer >
Historical.
2 Select Change Display Options.
Figure 142: Change Display Options
3 Select Formatted or Raw.
If you select Formatted, options appear that enable you to display and arrange log
columns and/or filter log columns.
Displaying and arranging log columns
When viewing logs in formatted view, you can display, hide and re-order columns to
display only relevant categories of information in your preferred order.
For most columns, you can also filter data within the columns to include or exclude log
messages which contain your specified text in that column. For more information, see
Filtering logs on page 263.
To display or hide columns
1 Go to a page which displays log messages, such as Tools > Network Analyzer >
Historical.
2 Select Column Settings.
Lists of available and displayed columns for the log type appear.
3 Select which columns to hide or display.
In the Available Fields area, select the names of individual columns you want to
display, then select the single right arrow to move them to the Display Fields
area.
Alternatively, to display all columns, select the double right arrow.
In the Display Fields area, select the names of individual columns you want to
hide, then select the single left arrow to move them to the Available Fields area.
Alternatively, to hide all columns, select the double left arrow.
To return all columns to their default displayed/hidden status, select Default.
4 Select OK.
To change the order of the columns
1 Go to a page which displays log messages, such as Tools > Network Analyzer >
Historical.
2 Select Column Settings.
Lists of available and displayed columns for the log type appear.
3 In the Display Fields area, select a column name whose order of appearance you
want to change.
4 Select the up or down arrow to move the column in the ordered list.
Placing a column name towards the top of the Display Fields list will move the
column toward the left side of the formatted log view.
5 Select OK.
Filtering logs
When viewing log messages in formatted view, you can filter columns to display only
those log messages that do or do not contain your specified content in that column. By
default, most column headings contain a gray filter icon, which becomes green when a
filter is configured and enabled.
Figure 143: Filter icons in Network Analyzer
To filter log messages by column contents
1 In the heading of the column that you want to filter, select the filter icon.
Note: Filters do not appear in raw view, or for unindexed log fields in formatted view.
When viewing realtime logs, you cannot filter on the time column: by definition of the
realtime aspect, only current logs are displayed.
2 If you want to exclude log messages with matching content in this column, select
NOT.
If you want to include log messages with matching content in this column, deselect
NOT.
3 Enter the text that matching log messages must contain.
Matching log messages will be excluded or included in your view based upon
whether you have selected or deselected NOT.
4 Select OK.
A column's filter icon is green when the filter is currently enabled.
To disable a filter
1 In the heading of the column whose filter you want to disable, select the filter icon.
A column's filter icon is green when the filter is currently enabled.
2 To disable the filter on this column, click the Remove Filter icon (x).
Alternatively, to disable the filters on all columns, select Clear all filters. This
disables the filter; it does not delete any filter text you might have configured.
3 Select OK.
A column's filter icon is gray when the filter is currently disabled.
Filtering tips
When filtering by source or destination IP, you can use the following in the filtering
criteria:
a single address (2.2.2.2);
an address range using a wild card (1.2.2.*);
an address range (1.2.2.1-1.2.2.100).
You can also use a Boolean operator (or) to define mutually exclusive choices:
1.1.1.1 or 2.2.2.2;
1.1.1.1 or 2.2.2.*;
1.1.1.1 or 2.2.2.1-2.2.2.10.
Most column filters require that you enter the column's entire contents to successfully
match and filter contents; partial entries do not match the entire contents, and so will
not create the intended column filter.
For example, if the column contains a source or destination IP address (such as
192.168.2.5), to create a column filter, enter the entire IP address to be matched. If
you enter only one octet of the IP address, (such as 192) the filter will not completely
match any of the full IP addresses, and so the resulting filter would omit all logs, rather
than including those logs whose IP address contains that octet.
Exceptions to this rule include columns that contain multiple words or long strings of
text, such as messages or URLs. In those cases, you may be able to filter the column
using a substring of the text contained by the column, rather than the entire text
contained by the column.
Searching the Network Analyzer logs
You can search the Network Analyzer log files for matching text using two search
types: quick search and full search.
You can use quick search to find results more quickly if your search terms are relatively
simple and you only need to search indexed log fields. Indexed log fields are those that
appear with a filter icon when browsing the logs in column view; unindexed log fields
do not contain a filter icon for the column or do not appear in column view, but do
appear in the raw log view. Quick Search keywords cannot contain:
special characters such as single or double quotes (' or ") or question marks (?);
wild card characters (*), except as the last character of a keyword (logi*).
You can use Full Search if your search terms are more complex, and require the use of
special characters or log fields not supported by Quick Search. Full Search performs
an exhaustive search of all log fields, both indexed and unindexed, but is often slower
than Quick Search.
To search the logs, go to Tools > Network Analyzer > Historical. Select Advanced
Search.
Figure 144: Network Analyzer log search
Time Period Select to search logs from a time frame, or select Specify and define a
custom time frame by selecting the From and To date and times.
From Enter the date and select the time of the beginning of the custom time
range.
This option appears only when Date is Specify.
To Enter the date and select the time of the end of the custom time range.
This option appears only when Date is Specify.
Keyword(s) Enter search terms which will be matched to yield log message search
results. To specify that results must include all, any, or none of the
keywords, select from Match.
Quick Search Select to perform a Quick Search, whose keywords cannot contain special
characters and that searches only indexed fields.
Full Search Select to perform a Full Search, whose keywords may contain special
characters, and searches all log message fields. The time of the search
varies by the complexity of the search query and the amount of log
messages to be searched.
Stop Search Select to stop the search process.
Search tips
If your search does not return the results you expect, but log messages exist that
should contain matching text, examine your keywords and filter criteria using the
following search characteristics and recommendations.
Separate multiple keywords with a space (arp who-has 1.1.1.1).
Keywords cannot contain unsupported special characters. Supported characters
vary by selection of Quick Search or Full Search.
Keywords must literally match log message text, with the exception of case
insensitivity and wild cards; resolved names and IP aliases will not match.
Some keywords will not match unless you include both the log field name and its
value, surrounded by quotes (Ack=2959769124).
Remove unnecessary keywords and search filters which can exclude results. For a
log message to be included in the search results, all keywords must match; if any of
your keywords does not exist in the message, the match will fail and the message
will not appear in search results.
You can use the asterisk (*) character as a wild card (192.168.2.*). For example,
you could enter any partial term or IP address, and then enter * to match all terms
that have identical beginning characters or numbers.
You can search for IP ranges, including subnets. For example:
172.168.1.1/24 or 172.168.1.1/255.255.255.0 matches all IP
addresses in the subnet 172.168.1.1/255.255.255.0
172.168.1.1-140.255 matches all IP addresses from 172.168.1.1 to
172.168.140.255
The search returns results that match all of the search terms.
For example, consider two similar keyword entries: 172.20.120.127 tcp and
172.20.120.127 udp. If you enter the keywords 172.20.120.127 tcp, UDP
traffic would not be included in the search results, since although the first keyword
(the IP address) matches, the second keyword, tcp, does not match.
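As an added example (not from the guide or from FortiAnalyzer itself), the following Python reproduces the IP criterion syntax of Filtering tips above and the keyword and IP-range rules of Search tips, so you can check what a filter or search term will match before relying on it during an investigation; the function names and sample rows are this example's own, and treating a trailing * as whole octets is its assumption.

```python
import ipaddress
import re

# Constructed sample rows as they would appear in formatted (column) view; not real captures.
SAMPLE_ROWS = [
    {"src": "192.168.2.5", "dst": "1.2.2.50", "proto": "tcp"},
    {"src": "192.168.2.7", "dst": "2.2.2.2", "proto": "udp"},
    {"src": "172.168.140.9", "dst": "10.0.0.1", "proto": "tcp"},
    {"src": "172.168.141.1", "dst": "1.2.2.200", "proto": "tcp"},
]


def _ip(text):
    # Integer value of a complete dotted quad; raises ValueError for a partial entry such as '192'.
    return int(ipaddress.IPv4Address(text))


def parse_term(term):
    """Return (low, high) for one IP criterion, or None when it can match no log.

    Forms from the guide: 2.2.2.2, 1.2.2.*, 1.2.2.1-1.2.2.100, 172.168.1.1-140.255,
    172.168.1.1/24 and 172.168.1.1/255.255.255.0. A partial address such as '192'
    gives None: as the guide warns, that filter omits every log instead of matching
    logs whose address merely contains the octet.
    """
    term = term.strip()
    try:
        if "/" in term:  # CIDR prefix length or dotted netmask
            net = ipaddress.IPv4Network(term, strict=False)
            return int(net.network_address), int(net.broadcast_address)
        if "-" in term:  # explicit range, or short range whose end gives only trailing octets
            start, end = term.split("-", 1)
            start_octets, end_octets = start.split("."), end.split(".")
            if len(start_octets) != 4 or len(end_octets) > 4:
                return None
            # 172.168.1.1-140.255 means 172.168.1.1 to 172.168.140.255
            end_octets = start_octets[: 4 - len(end_octets)] + end_octets
            low, high = _ip(start), _ip(".".join(end_octets))
            return (low, high) if low <= high else None
        if term.endswith("*"):  # trailing wildcard; whole octets only (this example's assumption)
            if term != "*" and not term.endswith(".*"):
                return None
            fixed = [octet for octet in term[:-1].split(".") if octet]
            if len(fixed) > 3:
                return None
            pad = 4 - len(fixed)
            return _ip(".".join(fixed + ["0"] * pad)), _ip(".".join(fixed + ["255"] * pad))
        value = _ip(term)  # a single, complete address
        return value, value
    except ValueError:
        return None


def parse_criteria(text):
    """Split on the Boolean 'or' the guide allows (1.1.1.1 or 2.2.2.*) and parse each term."""
    return [parse_term(t) for t in re.split(r"\s+or\s+", text.strip(), flags=re.IGNORECASE)]


def address_matches(criteria_text, address):
    """True when the address falls inside any term of the criterion (OR semantics)."""
    try:
        value = _ip(address)
    except ValueError:
        return False
    return any(r is not None and r[0] <= value <= r[1] for r in parse_criteria(criteria_text))


def filter_rows(rows, column, criteria_text, exclude=False):
    """Column filter as in the guide; exclude=True corresponds to selecting NOT."""
    return [row for row in rows if address_matches(criteria_text, row[column]) != exclude]


def _addresses_in(text):
    # Every complete IPv4 address found in a raw log message, as integers.
    found = []
    for candidate in re.findall(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])", text):
        try:
            found.append(_ip(candidate))
        except ValueError:
            pass
    return found


def search_matches(raw_message, keywords):
    """Search rule from the guide: every space-separated keyword must match, case-insensitively.
    A keyword written as an IP criterion is matched as a range against the addresses in the
    message; any other keyword must occur literally, a trailing * matching any continuation."""
    addresses = _addresses_in(raw_message)
    for keyword in keywords.split():
        ip_range = parse_term(keyword) if re.fullmatch(r"[\d.*/-]+", keyword) else None
        if ip_range is not None:
            if not any(ip_range[0] <= a <= ip_range[1] for a in addresses):
                return False
            continue
        pattern = re.escape(keyword).replace(r"\*", r"\S*")
        if re.search(pattern, raw_message, re.IGNORECASE) is None:
            return False
    return True
```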
Printing and downloading the search results
After completing a search, a Printable Version and a Download Current View button
appears. You can use the Printable Version button to download and print an HTML
copy of the search results. You can also use the Download Current View button to
download the search results in text (.txt), comma-separated value (.csv), or standard
log (.log) format (native format).
More Options Select the blue arrow to hide or expand additional search options.
Other Filters Specify additional criteria, if any, that can be used to further restrict the
search criteria.
Src IP: Enter an IP address to include only log messages containing a
matching source IP address. For example, entering 192.168.2.1
would cause search results to include only log messages containing
src=192.168.2.1.
Dst IP: Enter an IP address to include only log messages containing a
matching destination IP address. For example, entering 192.168.2.1
would cause search results to include only log messages containing
dst=192.168.2.1.
To download and print search results, select the Printable Version button to download
the results. You can print this file immediately, save it to your computer for later use, or
email it.
To download log search results
1 Go to Tools > Network Analyzer > Historical.
2 Perform a search using either simple or advanced search.
If your search finds one or more matching log events, a Download Current View
button appears next to the Printable Version button.
3 Select Download Current View.
Options appear for the download's file format and compression.
4 Select the download options that you want, then select OK.
5 If prompted by your web browser, select a location to save the file, or open it
without saving.
Rolling and uploading Network Analyzer logs
You can control log file size and manage log file consumption of the hard disk space
with log rolling and uploading.
The Network Analyzer captures very detailed network traffic information, and its log
volume can consume the FortiAnalyzer unit's hard disk space more rapidly than
standard logs. Rolling and uploading logs frees hard disk space to collect further data.
As the FortiAnalyzer unit receives new log items, it performs the following tasks:
verifying whether the log file has exceeded its file size limit
checking if it is time to roll the log file if the file size is not exceeded.
You configure the time to be either a daily or weekly occurrence, and when the roll
occurs.
When a current log file (tlog.log) reaches its maximum size, or reaches the
scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The
file name will be in the form of xlog.N.log (for example, tlog.1252929496.log),
where x is a letter indicating the log type and N is a unique number corresponding to
the time the first log entry was received. The file modification time will match the time
when the last log was received in the log file.
Once the current log file is rolled into a numbered log file, it will not be changed. New
logs will be stored in the new current log called tlog.log.
If log uploading is enabled, once logs are uploaded to the remote server or downloaded
via the Web-based Manager, they are in the following format:
FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz
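An added example, not FortiAnalyzer code: it parses the rolled and uploaded file names described above, reproduces the two roll triggers (size limit, daily or weekly schedule) and checks one device's uploads for gaps that suggest a missing file; the function names, the constructed upload listing and the gap threshold are this example's assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Name after upload or download: <serial>-<x>log.<N>.log-<YYYY-MM-DD-hh-mm-ss>[.gz],
# where x is the log type letter and N is the time the first entry was received.
UPLOADED_RE = re.compile(
    r"^(?P<serial>[A-Z0-9]+)-(?P<logtype>[a-z])log\.(?P<first_entry>\d+)\.log"
    r"-(?P<uploaded>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})(?P<gz>\.gz)?$"
)

# Constructed upload listing for one device; the first name is the guide's own example.
SAMPLE_UPLOADS = [
    "FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz",
    "FG3K6A3406600001-tlog.1253015896.log-2009-09-15-14-00-09.gz",
    "FG3K6A3406600001-tlog.1253361496.log-2009-09-19-14-00-21.gz",
]


def parse_uploaded_name(name):
    """Split an uploaded or downloaded log name into its parts; ValueError otherwise."""
    m = UPLOADED_RE.match(name)
    if m is None:
        raise ValueError(f"not an uploaded FortiAnalyzer log name: {name}")
    first_entry = int(m["first_entry"])
    return {
        "serial": m["serial"],
        "log_type": m["logtype"],  # 't' for the Network Analyzer traffic log
        "first_entry": first_entry,
        "first_entry_utc": datetime.fromtimestamp(first_entry, tz=timezone.utc),
        "uploaded": datetime.strptime(m["uploaded"], "%Y-%m-%d-%H-%M-%S"),
        "compressed": m["gz"] is not None,
    }


def rolled_name(current_name, first_entry):
    """Name the active file receives when rolled: tlog.log -> tlog.1252929496.log."""
    stem, ext = current_name.rsplit(".", 1)
    return f"{stem}.{first_entry}.{ext}"


def should_roll(size_bytes, max_bytes, schedule, roll_time, last_roll, now):
    """The guide's two triggers: the size limit, or the scheduled time even if the size
    is not exceeded. schedule is 'daily' with roll_time (hour, minute), 'weekly' with
    roll_time (weekday, hour, minute) where Monday is 0, or 'optional' (size only)."""
    if size_bytes >= max_bytes:
        return True
    if schedule == "optional":
        return False
    if schedule == "daily":
        hour, minute = roll_time
        due = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
        if due > now:
            due -= timedelta(days=1)
    elif schedule == "weekly":
        weekday, hour, minute = roll_time
        due = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
        due -= timedelta(days=(now.weekday() - weekday) % 7)
        if due > now:
            due -= timedelta(days=7)
    else:
        raise ValueError(f"unknown schedule: {schedule}")
    # The most recent scheduled instant is outstanding if no roll has happened since it.
    return due > last_roll


def upload_gaps(names, max_gap=timedelta(days=1, hours=1)):
    """Sort one device's uploads by first-entry time and report consecutive files whose
    first entries lie further apart than max_gap. With daily rolling and continuous
    traffic (this example's assumption) a larger gap suggests a missing upload."""
    parsed = sorted((parse_uploaded_name(n) for n in names), key=lambda p: p["first_entry"])
    gaps = []
    for earlier, later in zip(parsed, parsed[1:]):
        if earlier["serial"] != later["serial"]:
            raise ValueError("upload_gaps expects files from a single device")
        delta = later["first_entry_utc"] - earlier["first_entry_utc"]
        if delta > max_gap:
            gaps.append((earlier["first_entry"], later["first_entry"], delta))
    return gaps
```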
Note: Large logs require more time to download. Download times can be improved by selecting
Compress with gzip.
Log file format Downloads the log file in text (.txt), comma-separated value (.csv), or
standard .log (Native) file format.
Compress with gzip Compress the downloaded log file with gzip compression. For example,
downloading a log-formatted file with gzip compression would result in a
download with the file extension .log.gz.
If you have enabled log uploading, you can choose to automatically delete the rolled
log file after uploading, thereby limiting the amount of disk space used by rolled log
files.
To enable log rolling, or to disable Network Analyzer, go to Tools > Network Analyzer >
Config.
Figure 145: Traffic Log Settings
Enable Network Analyzer on Enable and select the port on which Network Analyzer observes
traffic.
If you disable this option and log out, Network Analyzer will be
hidden in the web-based manager menu. For more information about
re-enabling Network Analyzer and making it visible again, see
Connecting the FortiAnalyzer unit to analyze network traffic on
page 254.
Allocated Disk Space (MB) Enter the amount of disk space reserved for Network Analyzer logs.
The dialog also displays the amount used of the allocated space.
When Allocated Disk Space is All Used Select what the FortiAnalyzer unit does when the allocated disk space
is filled up. Select to either overwrite the older log file or stop logging
until you can clear some room.
To avoid completely filling the hard disk space, use the log rolling and
uploading options.
Reuse settings from standard logs Select to use the same log rolling and uploading settings that you set
for standard logs files in Logs > Config.
This option is selected by default.
Log rolling settings Define when the FortiAnalyzer unit should roll its Network Analyzer
log files. This option becomes active only if you deselect Reuse
Settings from Standard Logs.
Log file should not exceed Enter the maximum size of each Network Analyzer log file.
When the log file reaches the specified maximum size, the
FortiAnalyzer unit saves the current log file with an incremental number
and starts a new active log file. For example, if the maximum size is
reached, the current xlog.log is renamed to xlog.n.log, then a
new xlog.log is created to receive new log messages.
Log file should be rolled... even if size is not exceeded Set the time of day when the
FortiAnalyzer unit renames the current log file and starts a new active log file.
Daily: Roll log files daily, even if the log file has not yet reached
maximum file size.
Weekly: Roll log files weekly, even if the log file has not yet reached
maximum file size.
Optional: Roll log files only when the log file reaches the maximum
file size, regardless of time interval.
Enable log uploading Select to upload log files to a server when a log file rolls.
Server type Select the protocol to use when uploading to the server:
File Transfer Protocol (FTP)
Secure File Transfer Protocol (SFTP)
Secure Copy Protocol (SCP)
Server IP address Enter the IP address of the log upload server.
Username Enter the user name required to connect to the upload server. By
default, the user name is anonymous; select the field to enter a
different user name.
Password Enter the password required to connect to the upload server.
Confirm Password Re-enter the password to verify correct entry.
Directory Enter a location on the upload server where the log file should be
saved.
Upload Files Select when the FortiAnalyzer unit should upload files to the server.
When rolled: Uploads logs whenever the log file is rolled, based on
Log file should be rolled.
Daily at: Uploads logs at the configured time, regardless of when or
what size it rolls at according to Log file should be rolled.
Uploaded log format Select to upload the log file in text (.txt), comma-separated value
(.csv), or standard .log (native) file format.
Compress uploaded log files Select to compress the log files in gzip format before uploading to the
server.
Delete files after uploading Select to remove the log file from the FortiAnalyzer hard disk once the
FortiAnalyzer unit completes the upload.
File Explorer
File Explorer is not enabled by default. To enable File Explorer, go to System > Admin >
Settings and enable Show File Explorer under GUI Menu Customization. File Explorer
displays the FortiAnalyzer unit's directories and files.
There are two main directories:
Archive: Contains files associated with eDiscovery, full DLP archiving, and the
quarantine.
Storage: Contains information unlikely to change once written, like logs and reports.
To expand or hide the two main directories or their subdirectories, click the plus or
minus icon located beside each directory name.
For details, see Configuring the Web-based Manager's global settings on page 109.
Figure 146: File Explorer
Note: The file explorer lists log files stored using the Proprietary Index file system only. If you
have enabled SQL database storage, logs stored using that method will not appear in the
file explorer.
13. Maintaining Firmware
Fortinet recommends reviewing this section before upgrading or downgrading the
FortiAnalyzer firmware because it contains important information about how to
properly back up your current configuration settings and log data, including what to do
if the upgrade or downgrade is unsuccessful.
In addition to firmware images, Fortinet releases patch releases: maintenance release
builds that resolve important issues. Fortinet strongly recommends reviewing the
release notes for the patch release before upgrading the firmware. Installing a patch
release without reviewing release notes or testing the firmware may result in changes
to settings or unexpected issues.
This section includes the following topics:
Firmware upgrade path and general firmware upgrade steps
Backing up your configuration
Testing firmware before upgrading/downgrading
Installing firmware from the BIOS menu in the CLI
Upgrading your FortiAnalyzer unit
Firmware upgrade path and general firmware upgrade steps
Follow the path below to upgrade your FortiAnalyzer firmware. Failing to do so may
cause unexpected problems.
For more information about your specific firmware release, see the Release Notes for
the release.
Figure 147: Firmware upgrade path
Note: Fortinet recommends upgrading the FortiAnalyzer unit during a low traffic period, for
example at night, to re-index log data. During the upgrade process, the FortiAnalyzer unit
re-indexes log data, which takes time to complete if there is a large amount of log data.
You can verify that the indexing of log data is complete by viewing the Alert Message
console on the Dashboard.
Downgrading from FortiAnalyzer v4.0 to FortiAnalyzer v3.0 MR7 is not supported.
Note: FortiAnalyzer v3.0 MR7 was End of Life on July 18, 2011.
FortiAnalyzer v4.0 GA was End of Life on February 24, 2012.
Upgrade path shown in Figure 147: V3.0 MR6 > V3.0 MR7 > V4.0 > V4.0 MR1 > V4.0 MR2 > V4.0 MR3
Follow the general upgrade steps below:
Download and review the release notes for the firmware release.
Download the firmware release.
Back up the current configuration. See Backing up your configuration on page 272.
Test the firmware. See Testing firmware before upgrading/downgrading on page 273 and
Installing firmware from the BIOS menu in the CLI on page 275.
Upgrade the firmware. See Upgrading your FortiAnalyzer unit on page 275.
Backing up your configuration
Fortinet recommends backing up all configuration settings from your FortiAnalyzer unit
before upgrading. This ensures all configuration settings are retained if you later want
to downgrade and want to restore those configuration settings.
Backing up your configuration through the Web-based Manager
The following procedures describe how to back up your current configuration through
the Web-based Manager.
To back up your configuration file through the Web-based Manager
1 Go to System > Maintenance > Backup & Restore.
Figure 148: Backup & Restore menu
2 Select Local PC from the Backup Configuration to list.
3 If you want to encrypt your configuration file, select Encrypt configuration file, enter
a password, and enter the password again to confirm.
4 Select Backup.
Caution: Always back up your configuration and log data before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.
Backing up your configuration through the CLI
The following procedure describes how to back up your current configuration through
the CLI. You can enter a password for added security.
Enter the following to back up the configuration:
execute backup config <filename_str> <address_ipv4> <password_str>
This may take a few minutes.
Backing up your log files
Backing up your log files uses the same procedure as downloading log files. You can
back up log files through either the Web-based Manager or CLI. Fortinet recommends
backing up all log files before upgrading/downgrading, resetting to factory defaults, or
when testing a new firmware image.
To back up FortiAnalyzer v4.0 MR1 or v4.0 MR2 log files through the Web-based Manager
1 Go to Log & Archive > Log Browse > Log Browse.
2 Select the device type from the Device Type list.
3 In the Log Files column, locate a device and log type. Click the Expand arrows to
reveal the specific log file (wlog.log, elog.log, etc.) that you want to back up.
4 Select a log and click Download.
5 Select one of the following:
Log file format Select to download log files in text (.txt), comma-separated value (.csv),
or standard .log (native) file format. Each log element is separated by a
comma. CSV files can be viewed in spreadsheet applications.
Compress with gzip Compress the .log or .csv file with gzip compression. For example,
downloading a log-formatted file with gzip compression would result in a
download with the file extension .log.gz.
6 Select OK.
7 Select a location when prompted by your web browser to save the file.
To back up log files through the CLI
Enter the following to back up all log files:
execute backup logs all {ftp | sftp | scp} <server_ipv4> <username_str> <password_str> <directory_str>
After successfully backing up your configuration file, either from the CLI or the Web-based
Manager, proceed with upgrading.
Testing firmware before upgrading/downgrading
You may want to test the firmware you want to install before upgrading to a new
firmware version, maintenance or patch release. By testing the firmware image, you
can familiarize yourself with the new features and changes to existing features, as well
as understand how your configuration works with the firmware. You can test a firmware
image by installing it from a system reboot and saving it to system memory. After the
firmware is saved to system memory, the FortiAnalyzer unit operates using the
firmware with the current configuration.
The procedure does not permanently install the firmware; the next time the
FortiAnalyzer unit restarts, it operates using the firmware originally installed on the
FortiAnalyzer unit. You can install the firmware permanently using the procedures in
Upgrading your FortiAnalyzer unit on page 275.
You can use the following procedure for either a regular firmware image or a patch
release. The following procedure assumes that you have already downloaded the
firmware image to your management computer.
To test the firmware image before upgrading/downgrading
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiAnalyzer unit
and TFTP server are successfully connected.
5 Enter the following to restart the FortiAnalyzer unit.
execute reboot
6 As the FortiAnalyzer unit reboots, a series of system startup messages appears.
When the following message appears,
Press any key to display configuration menu
7 Immediately press any key to interrupt the system startup.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[C]: Configuration and information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
8 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
Note: After you test the firmware, and reboot the FortiAnalyzer unit, the original configuration is
cleared. You need to restore the configuration after testing the firmware.
Note: You have only three seconds to press any key. If you do not press a key soon enough, the
FortiAnalyzer unit reboots and you must log in and repeat steps 3 to 7 again.
10 Type the internal IP address of the FortiAnalyzer unit.
This IP address connects the FortiAnalyzer unit to the TFTP server. This IP address
must be on the same network as the TFTP server, but make sure you do not use an
IP address of another device on the network.
The following message appears:
Enter firmware image file name [image.out]:
11 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiAnalyzer unit and the
following appears:
Save as Default firmware/Backup firmware/Run image without
saving: [D/B/R]
12 Type R.
The FortiAnalyzer firmware image installs and saves to system memory. The
FortiAnalyzer unit starts running the new firmware image with the current
configuration.
When you are done testing the firmware, you can reboot the FortiAnalyzer unit and
resume using the original firmware. You will need to restore the original configuration
file after the testing.
Installing firmware from the BIOS menu in the CLI
If you encounter access problems to the Web-based Manager after upgrading the
firmware, you can re-install the previous firmware image from the BIOS menu in the
CLI. During some upgrades, the firmware image may not successfully install on the
FortiAnalyzer unit, which may be caused by the corrupted firmware image.
To install firmware from the BIOS menu, use the procedure in Testing firmware before
upgrading/downgrading on page 273. At step 12 in the procedure, enter D instead of
R. The option D installs the firmware permanently on the FortiAnalyzer unit, as the
default firmware.
Upgrading your FortiAnalyzer unit
After backing up your current configuration, you can now upgrade the firmware on your
FortiAnalyzer unit. The following procedures are used every time you upgrade the
firmware, whether it is a maintenance release or patch release.
You can also use the following procedure when installing a patch release. A patch
release is a maintenance release build that resolves important issues. You can install a
patch release whether the FortiAnalyzer unit was upgraded to the current firmware
version or not.
Caution: You must back up your current configuration before using the following procedure. The
following procedure resets all settings to their default state, which includes interface IP
addresses, HTTP, HTTPS, SSH, and Telnet access.
Note: The FortiAnalyzer upgrade path is as follows: v3.0 MR6 > v3.0 MR7 > v4.0 > v4.0 MR1 >
v4.0 MR2 > v4.0 MR3. However, the RVS configuration will not be carried forward and the
FortiGuard configuration will be reset to its defaults.
Upgrading/downgrading through the Web-based Manager
The following procedure uses the Web-based Manager for upgrading the FortiAnalyzer
unit from v4.0 MR2 to v4.0 MR3. The following procedure assumes that you have
already downloaded the firmware image to your management computer.
To upgrade through the Web-based Manager
1 Copy the firmware image file to your management computer.
2 Log in to the Web-based Manager as the administrative user.
3 Go to System > Dashboard > Status.
4 In the System Information area, select Update for Firmware Version.
Figure 149: Firmware Version [Update]
5 Enter the path of the firmware image file, or select Browse and locate the file.
6 Select OK.
7 The FortiAnalyzer unit uploads the firmware image file, upgrades to the new
firmware version, restarts, and displays the FortiAnalyzer login. This process may
take a few minutes.
When the upgrade is successfully installed:
Ping to your FortiAnalyzer unit to verify there is still a connection;
Clear the browser's cache and log in to the Web-based Manager.
After logging back in to the Web-based Manager, you should save the configuration
settings that are carried forward. Go to System > Maintenance > Backup & Restore to
save the configuration settings that are carried forward.
Upgrade notice
If you use the proprietary indexed file system for log storage in v4.0 MR2, after
upgrading to v4.0 MR3, an upgrade notice appears when you log in to the Web-based
Manager, asking if you want to switch to the SQL database and migrate all logs to the
SQL database.
Caution: Always back up your configuration and log data before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.
Figure 150: Database upgrade notice
If you want to switch to the SQL database, click Upgrade Now and select local or
remote SQL database, then click OK. For more information about SQL database
configuration, see Configuring SQL database storage on page 111.
Your logs stored in the proprietary indexed file system will still be kept after the switch.
Database switch affects report configuration. For more information, see Reports on
page 189.
Upgrading/downgrading through the CLI
The following procedure uses the CLI and a TFTP server to upgrade the FortiAnalyzer
unit. The CLI upgrade procedure reverts all current firewall configurations to factory
default settings.
The following procedure assumes that you have already downloaded the firmware
image to your management computer.
The procedures may vary depending on the firmware versions you use for the upgrade.
To upgrade the FortiAnalyzer unit through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiAnalyzer unit
and TFTP server are successfully connected.
Caution: Always back up your configuration and log data before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.
5 Enter the following command to copy the firmware image from the TFTP server to
the FortiAnalyzer unit:
execute restore image tftp <name_str> <tftp_ip4>
Where <name_str> is the name of the firmware image file and <tftp_ip4> is the
IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiAnalyzer unit responds with a message similar to the following:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
The FortiAnalyzer unit uploads the firmware image file, upgrades to the new
firmware version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command syntax to confirm the firmware image installed
successfully:
get system status
Verifying the upgrade
After upgrading, you should verify that the configuration settings have been carried
forward. Verifying your configuration settings also enables you to familiarize yourself with
the new features and changes in the new firmware.
You can verify your configuration settings by:
going through each menu and tab in the Web-based Manager;
using the show command in the CLI.
14. Troubleshooting
This chapter provides troubleshooting techniques for some frequently encountered
problems. It includes general troubleshooting methods and specific troubleshooting
tips using both the command line interface (CLI) and the Web-based Manager.
Some CLI commands provide troubleshooting information not available through the
Web-based Manager. The Web-based Manager is better suited for viewing large
amounts of information on screen, reading logs and archives, and viewing status
through the dashboard.
For more information on troubleshooting, see the Knowledge Base.
This section contains the following topics:
Troubleshooting Process
Troubleshooting FortiAnalyzer issues
Troubleshooting Process
Before you begin troubleshooting, you need to prepare. Doing so will shorten the time
to solve your issue.
This topic includes:
Establish a baseline
Define the problem
Gathering facts
Search for a solution
Create a troubleshooting plan
Gather system information
Check port assignments
Troubleshoot connectivity issues
Obtain any required additional equipment
Ensure you have administrator access to required equipment
Contact Customer Service & Support
Establish a baseline
Note that many of these questions compare the current situation to normal operation.
For this reason Fortinet recommends that you know what your normal operating status
is. This can easily be accomplished through logs, or regularly running information
gathering commands and saving the output. Then when there is a problem, this regular
operation data will enable you to determine what is different.
It is a good idea to back up the FortiAnalyzer configuration for your unit on a regular
basis. Apart from troubleshooting, if you accidentally change something the backup can
help you restore normal operation efficiently.
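One way to put the baseline idea into practice, as an added example that is not part of this guide: save the output of the information-gathering commands (get system status, get system performance, diagnose network route list) to a file on a schedule, then compare a fresh capture against the saved one. The capture format and the command output shown are constructed for the example, not real FortiAnalyzer output, so adapt the parser to what your unit prints.

```python
import re

# Constructed sample captures for this example: each "# <command>" line
# names the CLI command whose output follows. These are NOT real
# FortiAnalyzer output; adapt the parser to what your unit prints.
BASELINE = """\
# get system status
Version: v4.0 MR3 Patch 2
Serial-Number: SERIAL-PLACEHOLDER
Hostname: faz-lab
# get system performance
CPU: 12%
Memory: 40%
# diagnose network route list
0.0.0.0/0 via 192.168.1.1 dev port1
192.168.1.0/24 dev port1
"""

CURRENT = """\
# get system status
Version: v4.0 MR3 Patch 2
Serial-Number: SERIAL-PLACEHOLDER
Hostname: faz-lab
# get system performance
CPU: 97%
Memory: 41%
# diagnose network route list
192.168.1.0/24 dev port1
10.0.0.0/8 via 192.168.1.254 dev port2
"""

_PERCENT = re.compile(r"^(\d+)%$")


def parse_capture(text):
    """Split a capture into {command: {key: value}}.

    'key: value' lines become pairs. Any other non-empty line (for example
    a route entry) is stored as its own key with an empty value so that its
    presence or absence can be compared between captures.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# "):
            current = sections.setdefault(line[2:], {})
            continue
        if current is None:
            raise ValueError("output line before any '# command' header: %r" % line)
        key, sep, value = line.partition(": ")
        if sep:
            current[key] = value.strip()
        else:
            current[line] = ""
    return sections


def _percent(value):
    """Return the integer in a value like '12%', or None if it is not one."""
    m = _PERCENT.match(value)
    return int(m.group(1)) if m else None


def diff_captures(baseline, current, percent_tolerance=20):
    """Return a list of findings describing how current differs from baseline.

    Percentage values (CPU, memory) are only reported when they move by more
    than percent_tolerance points, so ordinary load variation does not drown
    out real changes. Every other difference is reported.
    """
    findings = []
    for cmd in sorted(set(baseline) | set(current)):
        base = baseline.get(cmd, {})
        cur = current.get(cmd, {})
        for key in sorted(set(base) | set(cur)):
            if key not in cur:
                findings.append("%s: removed %r" % (cmd, key))
            elif key not in base:
                findings.append("%s: added %r" % (cmd, key))
            elif base[key] != cur[key]:
                b, c = _percent(base[key]), _percent(cur[key])
                if b is not None and c is not None and abs(c - b) <= percent_tolerance:
                    continue
                findings.append("%s: %s changed %s -> %s" % (cmd, key, base[key], cur[key]))
    return findings


def main():
    # Constructed run: the CPU spike and the changed default route are reported,
    # the one-point memory change is not.
    for finding in diff_captures(parse_capture(BASELINE), parse_capture(CURRENT)):
        print(finding)


if __name__ == "__main__":
    main()
```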
Define the problem
Before starting to troubleshoot a problem, answer the following questions:
What is the problem?
Do not assume that the problem being experienced is the actual problem. First
determine that the problem does not lie elsewhere on the network before starting to
troubleshoot the FortiAnalyzer unit.
Has it worked before?
If the device never worked from the first day, you may not want to spend time
troubleshooting something that could be defective.
Can the problem be reproduced at will or is it intermittent?
If the problem is intermittent, it may be dependent on system load. Also an
intermittent problem can be very difficult to troubleshoot due to the difficulty
reproducing the issue.
What has changed?
Do not assume that nothing has changed in the network. Use the FortiAnalyzer
event log to see if any configuration changes were made.
If something has changed, see what the effect is if the change is rolled back.
After you have isolated the problem, what applications, users, devices, and
operating systems does it affect?
Before you can solve a problem, you need to understand it. Often this step can be
the longest in this process.
Answer questions such as:
What is not working? Be specific.
Is there more than one thing not working?
Is it partly working? If so, what parts are working?
Is it a connectivity issue for the whole device, or is there an application that is
not able to connect to the Internet?
Be as specific as possible with your answers, even if it takes awhile to find the
answers.
These questions will help you define the problem. Once the problem is defined, you
can search for a solution and then create a plan on how to solve it.
Gathering facts Fact gathering is an important part of defining the problem.
Consider the following:
Where did the problem occur?
When did the problem occur and to whom?
What components are involved?
What is the affected application?
Can the problem be traced using a packet sniffer?
Can the problem be traced in the session table?
Can log files be obtained that indicate that a failure has occurred?
Answers to these questions will help you narrow down the problem, and what you have
to check during your troubleshooting. The more things you can eliminate, the fewer
things you need to check during troubleshooting.
Search for a solution
An administrator can save time and effort during the troubleshooting process by first
checking if the issue has been experienced before. Several resources are available to
provide valuable information about FortiAnalyzer technical issues, including:
Technical documentation;
Release notes;
Knowledge Base;
Technical discussion forums;
Training services online campus.
Create a troubleshooting plan
Once you define the problem, and search for a solution, you can create a plan to solve
that problem. Even if your search did not find a solution to your problem you may have
found some additional things to check to further define your problem.
The plan should list all the possible causes of the problem, and how to test for each
possible cause.
The plan will act as a checklist so that you know what you have tried and what is left to
check. This is important to have if more than one person will be troubleshooting.
Without a written plan, people will become easily confused and steps will be skipped.
Also if you have to hand over the problem to someone else, providing them with a
detailed list of what data you gathered and what solutions you tried, demonstrates a
good level of professionalism.
Be ready to add to your plan as needed. After you are part way through, you may
discover that you forgot some tests or a test you performed discovered new
information. This is normal.
Also if you contact support, they will require information about your problem as well as
what you have already tried to fix the problem. This should all be part of your plan.
Providing supporting elements
If Customer Service & Support needs to be contacted to help you with your issue, be
prepared to provide the following information:
the firmware build version (use the get system status command);
a recent configuration file;
a recent debug log;
a network topology diagram;
what troubleshooting steps you have performed and the results.
Gather system information
Your FortiAnalyzer unit provides many features to aid in troubleshooting and
performance monitoring.
Use the Web-based Manager's dashboard and the CLI commands to define the scope
and details of your problem. Keep track of the information you gather, because Customer
Service & Support may request it if you contact them for assistance.
Table 18: Web-based Manager information gathering features
System > Dashboard > Status: Displays a dashboard with widgets that each indicate a performance level or other status. By default, widgets display the serial number and current system status of the FortiAnalyzer unit, including uptime, system resource usage, host name, firmware version, system time, and log throughput. The dashboard also contains a CLI widget that enables you to use the command line through the Web-based Manager. These widgets appear on a single dashboard.
System > Network > Interface: Displays details about each configured system interface (port).
System > Network > Routing: Displays a list of configured static routes including their IPs, masks, and gateways.
Table 19: CLI information gathering features
diagnose debug crashlog list: Displays details on application proxies that have backtraces, traps, and registration dumps.
diagnose debug report: Displays the FortiAnalyzer configuration.
diagnose fortiguard status: Displays the running status of the FortiGuard daemon.
diagnose netlink: Displays the netlink information, including the FortiAnalyzer unit's interface statistics, interface status and parameters, the physical and virtual IP addresses associated with the network interfaces of the FortiAnalyzer unit, routing table contents, routing cache information, TCP socket information, and UDP socket information.
diagnose sniffer packet: Performs a packet trace on a specified network interface.
diagnose sys: Displays the system information.
diagnose test: Tests the connectivity of the remote LDAP authentication server.
execute ping: Tests connectivity to other devices on your network or elsewhere.
execute traceroute: Traces the route of packets between the FortiAnalyzer unit and a specified server.
get system performance: Displays CPU usage, memory usage, and uptime.
get system status: Provides the firmware version, serial number, BIOS, and host name.
The above CLI commands explain how to display data. Many of these commands also
have options for modifying data. For CLI command syntax details for these and other
commands, see the FortiAnalyzer CLI Reference.
Check port assignments
There are 65 535 ports available for each of the TCP and UDP stacks that applications
can use when communicating with each other. If someone recently changed a
FortiAnalyzer or network port, that may be part of your problem.
For information on FortiAnalyzer port assignment, see Appendix D on page 352.
In addition, some ports may be assigned to other Fortinet appliances on your network.
See the Knowledge Base article, Traffic Types and TCP/UDP Ports used by Fortinet
Products at:
http://kb.fortinet.com
Many UDP and TCP port numbers have internationally recognized IANA port
assignments and are commonly associated with specific applications or protocols.
Troubleshoot connectivity issues
This section includes troubleshooting questions related to connectivity issues.
Are all cables and interfaces connected properly?
See Check hardware connections on page 283.
Are you experiencing packet loss or device connectivity problems?
See Run ping and traceroute on page 284.
Are there routes in the routing table for default and static routes? Do all connected
subnets have a route in the routing table?
See Verify the contents of the routing table on page 287.
Are the ARP table entries correct for the next-hop destination?
See Verify the contents of the ARP table on page 287.
Is traffic entering the FortiAnalyzer unit and, if so, does it arrive on the expected
interface? Is the traffic exiting the FortiAnalyzer unit to the expected destination? Is
the traffic being sent back to the originator?
Perform a sniffer trace. See What can sniffing packets tell you on page 287.
Check hardware connections
If there is no traffic flowing from the FortiAnalyzer unit, it may be a hardware problem.
To check hardware connections
Ensure the network cables are properly plugged in to the interfaces on the
FortiAnalyzer unit.
Ensure there are connection lights for the network cables on the unit.
Change the cable if the cable or its connector is damaged or you are unsure about
the cable's type or quality.
Connect the FortiAnalyzer unit to different hardware to see if that makes a
difference.
In the Web-based Manager, select System > Network > Interface and ensure the
link status is up (up arrow on green circle) for the interface.
If the status is down (down arrow on red circle), click Bring Up next to it in the
Status column.
You can also enable an interface in CLI, for example:
config system interface
edit port2
set status up
end
If any of these checks solve the problem, it was a hardware connection issue. You
should still perform some basic software tests to ensure complete connectivity.
If the hardware connections are correct and the unit is powered on but you cannot
connect using the CLI or Web-based Manager, you may be experiencing bootup
problems. See Bootup issues on page 297.
Run ping and traceroute
Ping and traceroute are useful tools in network troubleshooting. Both tools accept
either IP addresses or fully-qualified domain names as parameters. This can help you
determine why particular services, such as email or web browsing, are not working
properly.
Both ping and traceroute require particular ports to be open on firewalls to function.
Since you typically use these tools to troubleshoot, you can allow them in the firewall
policies and on interfaces only when you need them, and otherwise keep the ports
disabled for added security.
Check connections with ping
The ping command sends a small data packet to the destination and waits for a
response. The response has a timer that may expire, indicating the destination is
unreachable.
Ping is part of Layer-3 on the Open Systems Interconnection (OSI) Networking Model.
Ping sends Internet Control Message Protocol (ICMP) echo request packets to the
destination, and listens for echo response packets in reply. However, many public
networks block ICMP packets because ping can be used in a denial of service (DoS)
attack, or by an attacker to find active locations on the network. By default,
FortiAnalyzer units have ping enabled.
If ping does not work from your FortiAnalyzer unit, make sure it was not disabled. Go to
System > Network > Interface. Examine the list of allowed protocols in the Access
column for the port used by the Web-based Manager (usually port1). If ping is not in
the list, enable it.
To enable ping
1 Go to System > Network > Interface.
2 Click the Edit icon in the applicable row. A dialog window appears.
3 Select PING on the Edit Interface dialog window.
Note: If ping does not work, you likely have it disabled on at least one of the interface settings,
and firewall policies for that interface.
4 Click OK.
Figure 151: Enable administrative access on the interface
What ping can tell you
Beyond the basic connectivity information, ping tells you the amount of packet loss (if
any), how long it takes the packet to make the round trip, and the variation in that time
from packet to packet.
If ping shows any packet loss, you should investigate:
possible ECMP, split horizon, or network loops;
cabling to ensure no loose connections.
If ping shows total packet loss, you should investigate:
hardware to ensure cabling is correct;
all equipment between the two locations to determine they are properly connected;
addresses and routes to ensure all IP addresses and routing information along the
route is configured as expected;
firewalls to ensure they are set to allow ping to pass through.
How to use ping
You can ping from the FortiAnalyzer unit in the CLI Console widget of the Web-based
Manager or through CLI. For example:
execute ping 172.20.120.169
See the execute ping command in the FortiAnalyzer CLI Reference for an
explanation of the command output and see execute ping-options for a
description of the many options to tailor the ping response to your needs.
If the FortiAnalyzer Web-based Manager and CLI are not available, you can run ping on
a Windows or Linux PC.
To ping a device from a Windows PC
1 Open a command window.
In Windows XP, select Start > Run, enter cmd, and select OK.
In Windows 7, select the Start icon, enter cmd in the search box, and select
cmd.exe from the list.
2 In the command window, enter the ping command and an IP address, for example:
ping 172.20.120.169
Ping options include:
-t, to send packets until you press Control-C
-a, to resolve addresses to domain names where possible
-n x, where x is an integer stating the number of packets to send
To ping a device from a Linux PC
1 Go to a command line prompt.
2 Enter:
ping 172.20.120.169
Check routes with traceroute
Traceroute sends ICMP packets to test each hop along the route. It sends three
packets, and then increases the time to live (TTL) setting by one each time. This
effectively allows the packets to go one hop farther along the route. This explains why
most traceroute commands display their maximum hop count before they start tracing
the route; that is the maximum number of steps it will take before declaring the
destination unreachable. The TTL setting may result in steps along the route timing out
due to slow responses. There are many possible reasons for this to occur.
Traceroute by default uses UDP with destination ports numbered from 33434 to 33534.
The traceroute utility usually has an option to specify use of ICMP echo request (type
8) instead, as used by the Windows tracert utility. If you have a firewall and you want
traceroute to work from both machines (Unix-like systems and Windows) you will need
to allow both protocols inbound through your firewall (UDP with ports from 33434 to
33534 and ICMP type 8).
What traceroute can tell you
Where ping only tells you if the signal reached its destination and came back
successfully, traceroute shows each step of its journey to its destination and how long
each step takes. If ping finds an outage between two points, use traceroute to locate
exactly where the problem is. The traceroute output can identify other problems, such
as an inability to connect to a DNS server.
How to use traceroute
You can run a route trace from the FortiAnalyzer unit in the CLI Console widget of the
Web-based Manager or through CLI, for example:
execute traceroute docs.fortinet.com
See the execute traceroute command in the FortiAnalyzer CLI Reference for an
explanation of the command output.
If the FortiAnalyzer Web-based Manager and CLI are not available, you can trace a
route on a Windows or Linux PC.
To use traceroute on a Windows PC
1 Open a command window.
In Windows XP, select Start > Run, enter cmd, and select OK.
In Windows 7, select the Start icon, enter cmd in the search box, and select
cmd.exe from the list.
2 Enter the tracert command to trace the route from the host PC to the destination
web site, for example:
tracert fortinet.com
In the tracert output, the first, or left column, is the hop count, which cannot go over 30
hops. The second, third, and fourth columns are how long each of the three packets
takes to reach this stage of the route. These values are in milliseconds and normally
vary quite a bit. Typically a value of <1ms indicates a local connection.
The fifth, or far right column, is the domain name of that device and its IP address or
possibly just the IP address.
To use traceroute on a Linux PC
1 Go to a command line prompt.
2 Enter:
traceroute fortinet.com
The Linux traceroute output is very similar to the MS Windows tracert output.
Verify the contents of the routing table
When you have little connectivity, a good place to look for information is the routing
table.
The routing table is where the FortiAnalyzer unit stores currently used static routes. If a
route is in the routing table, it saves the time and resources of a lookup. If a route was
not used for a while and a new route needs to be added, the oldest, least-used route is
bumped if the routing table is full. This ensures the most recently used routes stay in
the table.
To check the routing table in the CLI, enter:
diagnose network route list
Verify the contents of the ARP table
When you have poor connectivity, another good place to look for information is the
address resolution protocol (ARP) table. A functioning ARP is especially important in
high-availability configurations.
To check the ARP table in the CLI, enter:
diagnose system arp
What can sniffing packets tell you
Packet sniffing can tell you if the traffic is reaching its destination, what the port of
entry is on the FortiAnalyzer unit, if the ARP resolution is correct, and if the traffic is
being sent back to the source as expected. Packet sniffing can also tell you if the
FortiAnalyzer unit is silently dropping packets.
Perform a sniffer trace
When troubleshooting networks and routing in particular, it helps to look inside the
headers of packets to determine if they are traveling along the route you expect.
Packet sniffing is also called a network tap, packet capture, or logic analyzing.
Note: If you configure virtual IP addresses on your FortiAnalyzer unit, it will use those addresses
in preference to the physical IP addresses. You will notice this when you are sniffing
packets because all traffic will use the virtual IP addresses. This is due to the ARP update
that is sent out when the virtual IP address is configured.
To sniff packets
The CLI syntax of the internal FortiAnalyzer packet sniffer command is:
diagnose sniffer packet <interface_name> <filter_str>
<verbose-level> <count_int>
This example checks network traffic on port1, with no filter, and captures 10 packets:
diagnose sniffer packet port1 none 1 10
See the FortiAnalyzer CLI Reference for an explanation of the command and its
parameters.
Obtain any required additional equipment
You may require additional networking equipment, computers, or other equipment to
test your solution.
Normally network administrators have additional networking equipment available
either to loan you, or a lab where you can bring the FortiAnalyzer unit to test.
If you do not have access to equipment, check for shareware applications that can
perform the same task. Often there are software solutions when hardware is too
expensive.
Ensure you have administrator access to required equipment
Before troubleshooting your FortiAnalyzer unit, you will need administrator access to
the equipment.
Also, you may need access to other networking equipment such as switches, routers,
and servers to help you test. If you do not normally have access to this equipment,
contact your network administrator for assistance.
Contact Customer Service & Support
After you have defined your problem, researched a solution, created a plan, and executed
that plan, if you have not solved the problem, it is time to contact Customer
Service & Support for assistance.
To receive technical support and service updates, your Fortinet product must be
registered and reflect a valid support contract. Registration, support programs,
assistance, and regional phone contacts are available at the following URL:
https://support.fortinet.com
When you are registered and ready to contact support:
1 Prepare the following information first:
your contact information;
the firmware version;
a recent server policy configuration;
access to recent event, traffic and attack logs;
a network topology diagram and IP addresses;
a list of troubleshooting steps performed so far and the results.
For bootup problems:
provide all console messages and output;
if you suspect a hard disk issue, provide your evidence.
2 Document the problem and the steps you took to define the problem.
3 Open a support ticket.
For details on using the Fortinet support portal and providing the best information, see
the Knowledge Base article, Customer Service & Support Portal for Product
Registration, Contract Registration, Ticket Management, and Account Management at:
http://kb.fortinet.com
Troubleshooting FortiAnalyzer issues
This section lists the common issues you may encounter in using the FortiAnalyzer unit
and the solutions.
File system issue
Report issue
Binary files issue
CPU usage issue
HA log issue
NFS server connection issue
Vulnerability management issues
Upgrade issue
Web-based Manager issue
Disk usage issue
Device IP issue
Running an HQIP for hardware integrity control
Packet capture (CLI sniffer) best practice
No logs received with encryption enabled between a FortiGate unit and a
FortiAnalyzer unit
Bootup issues
File system issue You see Read Only on top of the Web-based Manager or Maintenance Mode during
the FortiAnalyzer system bootup.
Solution
If the FortiAnalyzer unit loses its file system at run time, you will see Read Only on top
of the Web-based Manager. If the unit cannot mount its file system as Read + Write
during bootup, the unit will boot in maintenance mode.
Both the read-only mode and maintenance mode are either caused by a hard disk
failure for FortiAnalyzer units without RAID or complete RAID failure for FortiAnalyzer
units with RAID.
If this happens, you must contact Customer Service & Support.
Report issue
FortiAnalyzer reports show the same user twice (name in uppercase and lowercase).
Solution
When a FortiGate unit is set to require authentication, it may use two methods to authenticate: Lightweight Directory Access Protocol (LDAP) and Fortinet Single Sign On (FSSO).
The behavior differs depending on the method used, and this causes the FortiAnalyzer unit to have two different log entries for the same user: one with the name in upper case and one with the name in lower case.
The FortiAnalyzer reports will therefore show the same user twice, because the FortiAnalyzer filter is case-sensitive.
This issue was resolved in FortiOS 4.0 MR1 with the addition of a new CLI command that forces all logged user names to upper case. This is useful when the same servers are shared by LDAP and FSSO.
Binary files issue
The Alert Message Console on the Dashboard may display a message similar to the following:
2 of 70 binary files need to be regenerated.
Solution
The binary files indicated in the message are used by the FortiAnalyzer report engine to generate reports. During a firmware upgrade, the binary files may have changed because of new features. In such a case, the affected binary files are regenerated. This message means that some of the binary files have not yet been regenerated.
The speed of regeneration (how long it takes to complete) depends on the activity of the FortiAnalyzer unit, such as the logging rate and the number of reports running.
The number displayed in the message will steadily decrease. It may briefly increase when log files are manually imported, or in some cases during log rolling on a non-processed file.
This is a normal process, and it will resolve itself once the regeneration is complete.
CPU usage issue
The FortiAnalyzer unit's CPU usage can appear to be continually high.
Solution
There are three key CPU-intensive operations on a FortiAnalyzer unit:
• Log indexing.
A FortiAnalyzer unit deployed in a network can receive hundreds of log messages per second throughout the day. The FortiAnalyzer unit indexes nearly all fields in a log message to include it in the database. This process can be very CPU intensive, as the indexing component is continually running to keep up with the incoming log messages.
• Report generation and other enhanced features.
Due to the many reporting functions, various report generations can be running at any time during the day, including:
  • security event reports;
  • traffic summary reports;
  • regular reports whose complexity can vary depending on the requirements;
  • quota checking with log rolling;
  • network sniffing;
  • vulnerability scans.
• Summary reports daemon.
The summary reports daemon (sumreportsd) is responsible for computing data for the drill down widgets configured on the dashboard. The widgets are:
  • Top Web Traffic;
  • Intrusion Activity;
  • Virus Activity;
  • Top FTP Traffic;
  • Top Email Traffic;
  • Top IM/P2P Traffic;
  • Top Traffic.
By default, none of these drilldown widgets are enabled.
Depending on the hardware platform or the amount of logs present on the FortiAnalyzer unit, sumreportsd may consume a considerable amount of CPU when running and may run for a considerable amount of time (from a few minutes to hours, or even longer if it has to compute new data while still processing old data). The resulting effect is that drilldown widgets may be empty or not up to date.
All these tasks can be CPU intensive, especially when a combination of them is occurring at the same time. This can often cause the CPU usage to stay at 90% or more. It is important to set the indexing operation to the lowest priority so that critical processes, such as receiving log messages, are not affected.
On smaller devices, such as the FortiAnalyzer-100C, where the CPU and disk speeds are not as fast as on the higher-end models, the CPU usage can appear more pronounced.
In case of high CPU usage, and depending on the current environment of the FortiAnalyzer unit, it is suggested to:
• reduce the devices being monitored to only the ones needed;
• reduce the Time Scope of a widget to a lower value (Hour or Day);
• disable all drill down widgets from all admin accounts.
HA log issue
When sending FortiGate logs to the FortiAnalyzer unit with a secure connection, only the primary unit's logs are successfully received by the FortiAnalyzer unit.
Solution
When configuring a secure connection to send log information, you need to set the secure connection for all units in an HA cluster on the FortiAnalyzer unit. For more information, see Secure on page 149.
If the FortiAnalyzer unit still does not accept log information from the FortiGate unit for which you have enabled the secure connection, check that you entered the preshared key and the device information correctly.
NFS server connection issue
When attempting to connect to the FortiAnalyzer unit as an NFS server, the connection times out or does not connect.
Solution
The FortiAnalyzer unit uses the DNS settings to enable connections for network file
sharing. If the DNS settings are not configured correctly, or have incorrect DNS entries,
the FortiAnalyzer unit cannot perform reverse lookups for users attempting to connect.
If the FortiAnalyzer unit cannot perform this check, the operation times out, appearing
to the user as being unable to connect.
To verify your DNS configuration, go to System > Network > DNS. For more
information, see Configuring DNS on page 93.
The FortiAnalyzer unit uses the DNS settings for a number of network functions. The
DNS settings must be valid to ensure the system functions correctly.
Vulnerability management issues
On the Dashboard, Vulnerability Management (VM) under License Information shows as Not Registered.
Solution
Vulnerability Management is an additional service which, similar to FortiGuard
Services, must be purchased and registered.
Even if the FortiAnalyzer unit is registered and licensed, Vulnerability Management
Service will show as Not Registered if not purchased and registered.
Vulnerability management updates are not working.
Solution
1 Make sure you have a valid license.
Vulnerability management is a separate subscription that must be purchased. Make
sure that there is a valid VM subscription before starting to troubleshoot. For more
information, see Scheduling & uploading vulnerability management updates on
page 138.
2 Check the default gateway.
The FortiAnalyzer unit needs a default gateway to be able to access the Internet
and download updates. Go to System > Network > Routing and make sure the
default gateway is configured correctly.
If the default gateway is configured correctly, it should be possible to ping IP
addresses on the Internet (assuming that nothing is blocking the pings). This can be
tested by using the command:
execute ping <IP address on the Internet>
3 Make sure nothing is blocking port 443 from the FortiAnalyzer unit.
The FortiAnalyzer unit will contact the update servers on port 443. If something
(usually a firewall) is blocking port 443 from the FortiAnalyzer unit, it will not be able
to receive updates. Check if something is blocking port 443 by sniffing the traffic
using the command:
diagnose sniff packet any 'port 443' 4
If something is blocking port 443, TCP SYNs will be seen going out but with no TCP
SYN/ACKs coming back in.
4 Enable Debug.
There are a number of other issues that may be causing a problem with VM
updates. The easiest way to check all of them is to enable debugging and check
the output for errors. Run the commands below:
diagnose debug output enable
diagnose debug application fortiguard 8
execute update-vm
The output will show any errors that are happening with the update process. Once
the update is complete, it is important to disable debug using the commands:
diagnose debug application fortiguard 0
diagnose debug output disable
Upgrade issue
The message Upload file is too big or invalid may appear when upgrading a FortiAnalyzer unit from the Web-based Manager.
Solution
Assuming that the correct firmware image has been downloaded from
support.fortinet.com, a possible cause of this problem is related to the free memory on
a FortiAnalyzer unit that has had a long uptime. In order to load the required firmware
image, it is necessary to reboot the FortiAnalyzer unit so that more system resources
become available. Once the device has been rebooted, the upgrade will proceed as
required.
Web-based Manager issue
After logging in to the Web-based Manager, the following occurs:
• the console access window opens blank;
• the menu, tabs and button bar do not work;
• log view settings are not saved.
Solution
Enable cookies and JavaScript in your browser. Make sure that cookies are not erased
when you close your browser.
Cookies store preferences for the browser you use to access the Web-based Manager.
If the cookies are erased when you close the browser (session cookies), the
preferences are not saved, and will not be available the next time you open the
browser.
JavaScript is used for navigation of the menus and tabs in the Web-based Manager.
The following procedures describe how to enable cookies and JavaScript in Internet
Explorer and Firefox.
In Internet Explorer 7 and 8:
1 Go to Tools > Internet Options.
2 Select the Privacy Tab.
3 Select a level of Medium or lower for the Privacy level.
4 Select OK.
5 Select the Security Tab.
6 Select Custom Level.
7 In Settings, under Scripting, enable Active Scripting and Scripting of Java Applets.
8 Select OK.
In Firefox:
1 Go to Tools > Options.
2 Select Privacy.
3 Select Use custom settings for history.
4 Select Accept cookies from sites.
5 Select Accept third-party cookies and Keep until: they expire.
6 Select Content.
7 Select Enable JavaScript.
8 Select OK.
Disk usage issue
Disk usage on a FortiAnalyzer unit shows different values than on a monitored FortiGate unit.
Solution
The disk usage shown on a FortiGate unit is the usage of the space allocated to that particular FortiGate unit on the FortiAnalyzer unit, while the disk usage shown on the FortiAnalyzer unit represents the total disk usage of the FortiAnalyzer unit as a whole.
For information about configuring allocated space for a device, see Manually configuring a device or HA cluster on page 152.
Device IP issue
The device IP address displays as 0.0.0.0 in the FortiAnalyzer unit device list (Devices > All Devices > Allowed) even if the FortiGate unit is already registered on the FortiAnalyzer unit.
Solution
The FortiAnalyzer unit will update the IP address once it receives logs from the FortiGate unit. The IP address of the FortiGate unit is 0.0.0.0 if the FortiAnalyzer unit has not received logs from the FortiGate unit.
The FortiAnalyzer unit may not be receiving logs even if the Test Connectivity test on the FortiGate unit shows that the FortiGate unit is connected to the FortiAnalyzer unit (on the FortiGate unit: Log&Report > Log Config > Log Settings > FortiAnalyzer > Test Connectivity). This can be because the FortiGate unit is configured to send logs to the FortiAnalyzer unit but is not generating any logs yet, or because of a connectivity problem between the FortiGate unit and the FortiAnalyzer unit on port 514 UDP (Test Connectivity runs on port 514 TCP).
Non-encrypted connection
You can use sniffer commands to check if the FortiGate unit is generating logs and if the FortiAnalyzer unit is receiving them. Note that the commands below are for non-encrypted traffic.
On the FortiGate unit:
diagnose sniffer packet any 'host <IP address of FortiAnalyzer> and port 514' 4
On the FortiAnalyzer unit:
diagnose sniffer packet any 'host <IP address of the FortiGate> and port 514'
This shows whether the FortiGate unit is sending traffic and whether the FortiAnalyzer unit is receiving it. The TCP sessions in the sniffer output are for content archive logs, while the UDP sessions are for normal logs, which is just about everything else.
Common cases:
1 The FortiGate unit is generating logs but the FortiAnalyzer unit is not receiving them. This is usually due to something dropping (filtering) port 514 (UDP or TCP) between the FortiGate and the FortiAnalyzer units.
2 The FortiGate unit is not generating logs. Check the logging options on the firewall policies and the protection profiles. Make sure they are set to send logs to the FortiAnalyzer unit. Also check the logging level on the FortiGate unit and make sure it is not set too high (Log&Report > Log Config > Log Settings > FortiAnalyzer > Minimum log level). If these are set correctly, you can check the filters on the FortiGate unit by running the CLI command:
show full log fortianalyzer filters
Encrypted connections
You can sniff the connection between the FortiGate unit and the FortiAnalyzer unit using the following commands:
On the FortiGate unit:
diagnose sniffer packet any 'host <IP address of FortiAnalyzer>' 4
On the FortiAnalyzer unit:
diagnose sniffer packet any 'host <IP address of FortiGate>'
UDP port 500 is for IKE trying to create the VPN tunnel between the FortiGate unit and
the FortiAnalyzer unit. If this is the only thing you see between the two devices, then
the encryption settings between the FortiGate unit and FortiAnalyzer unit are not
correct and the tunnel cannot be established.
IP protocol 50 is for ESP which carries the encrypted traffic. If you see IP protocol 50
leaving the FortiGate unit but not reaching the FortiAnalyzer unit, then something is
dropping the packets in the middle, although seeing IP protocol 50 means that the
connection settings are correct between the two devices.
Running an HQIP for hardware integrity control
The Hardware Quick Inspection Package (HQIP) test image can be used to check the FortiAnalyzer unit's system function and its interfaces. HQIP will check almost all components, including CPU, memory, Compact Flash, hard disk and PCI devices (NIC/ASIC). It will also check the critical benchmarks and system configurations.
HQIP cannot detect all hardware malfunctions. If the FortiAnalyzer unit is rebooting or unstable, HQIP cannot detect the issues.
If an HQIP test is required, follow the instructions in the Knowledge Base.
Packet capture (CLI sniffer) best practice
Fortinet devices include a built-in sniffer that you can use for debugging purposes. Details on its usage are explained in the Knowledge Base.
The following are suggestions to improve the usability of this tool:
• Always include ICMP in the sniffer filter. You may capture an ICMP error message that can help identify the cause of the problem. For example:
diagnose sniff packet interface wan1 'tcp port 3389 or icmp' 3
• Use the any interface if you want to confirm that a specific packet is received or sent by the Fortinet device, without specifically knowing on which interface this may be. This will essentially enable the sniffer for all interfaces. For example:
diagnose sniff packet interface any 'tcp port 3389' 3
• The Fortinet device may not display all packets if too much information is requested to be displayed, or the traffic being sniffed is significant. When this occurs, the unit will log the following message once the trace is terminated:
12151 packets received by filter
3264 packets dropped by kernel
When this occurs, it is possible that what you were attempting to capture was not actually captured. To avoid this, you may try to tighten the display filters, reduce the verbose level, or perform the trace during a lower traffic period.
• The packet timestamps as displayed by the sniffer may become skewed or delayed under high-load conditions. This may occur even if no packets were dropped (as mentioned above). Therefore, it is not recommended that you rely on these values to troubleshoot or measure performance issues that require absolutely precise timing.
• Enabling the sniffer will consume additional CPU resources. This can be as high as an additional 25% of CPU usage on low-end models. Therefore, enabling it on a unit that is experiencing excessively high CPU usage can only make the situation worse. If you must perform a sniff, keep the sniffing sessions short.
• The Ethernet source and/or destination MAC addresses may be incorrect when using the any interface. They may be displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01.
No logs received with encryption enabled between a FortiGate unit and a FortiAnalyzer unit
Logs are sent correctly from the FortiGate unit to the FortiAnalyzer unit when encryption is disabled, but no logs are received once encryption is enabled.
Sniffing the traffic between the FortiGate unit and the FortiAnalyzer unit only shows UDP port 500 (IKE) but does not show IP protocol 50 (ESP):
On the FortiGate unit, run the command:
diagnose sniff packet any 'host <IP address of FortiAnalyzer> and port 514' 4
On the FortiAnalyzer unit, run the command:
diagnose sniff packet any 'host <IP address of the FortiGate> and port 514' 4
The VPN monitor on the FortiGate unit (VPN > IPSec > Monitor) also shows the tunnel as down.
The most common cause of this problem is that the Local ID on the FortiGate unit is not configured correctly.
Use the following commands to enable encryption between the FortiGate unit and the FortiAnalyzer unit:
On the FortiGate unit:
config log fortianalyzer setting
set encrypt enable
set psksecret <presharedkey_str>
set localid <devname_str>
end
On the FortiAnalyzer unit:
config log device
edit <devname_str>
set secure psk
set psk <presharedkey_str>
set id <devid_str>
end
The local ID on the FortiGate unit (line 4) needs to match the device name on the FortiAnalyzer unit (line 2). If these values do not match, the IPSec tunnel will not be established.
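The decision rules from the Device IP issue and from this section (UDP 514 seen on both ends, UDP 514 leaving only, IKE only, ESP leaving only, and the Local ID versus device name match) as an added Python example; this is not code from the guide or from Fortinet, and the sniffer line format, the addresses and the captures it uses are constructed simplifications rather than real FortiOS output.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Simplified sniffer line format assumed for this example (constructed, not
# exact FortiOS output):
#   "<time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>"
#   "<time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: syn <seq> [ack <n>]"
#   "<time> <iface> <in|out> <src> -> <dst>: ip-proto 50"          (ESP)
LINE_RE = re.compile(
    r"^(?P<time>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)
TCP_FLAGS = ("syn", "ack", "psh", "fin", "rst")


@dataclass(frozen=True)
class Flow:
    proto: str            # "udp", "tcp" or "esp"
    src: str
    dst: str
    dport: Optional[int]  # destination port; None for ESP


def parse_sniffer(lines: Iterable[str]) -> Set[Flow]:
    """Reduce sniffer output to the set of (proto, src, dst, dport) flows seen."""
    flows: Set[Flow] = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # ignore anything not in the assumed format
        rest = m["rest"]
        if rest.startswith("ip-proto 50"):
            flows.add(Flow("esp", m["src"], m["dst"], None))
        elif m["dport"] is not None and rest.startswith("udp"):
            flows.add(Flow("udp", m["src"], m["dst"], int(m["dport"])))
        elif m["dport"] is not None and rest.split()[0] in TCP_FLAGS:
            flows.add(Flow("tcp", m["src"], m["dst"], int(m["dport"])))
    return flows


def _seen(flows: Set[Flow], proto: str, src: str, dst: str,
          dport: Optional[int] = None) -> bool:
    return any(f.proto == proto and f.src == src and f.dst == dst
               and (dport is None or f.dport == dport) for f in flows)


def diagnose_logging(fgt_lines: List[str], faz_lines: List[str],
                     fgt_ip: str, faz_ip: str, encrypted: bool) -> str:
    """Return a verdict code for the FortiGate -> FortiAnalyzer log path,
    from a capture taken on each unit with the sniffer commands above."""
    fgt = parse_sniffer(fgt_lines)        # capture taken on the FortiGate
    faz = parse_sniffer(faz_lines)        # capture taken on the FortiAnalyzer
    if not encrypted:
        leaves = _seen(fgt, "udp", fgt_ip, faz_ip, 514)
        arrives = _seen(faz, "udp", fgt_ip, faz_ip, 514)
        if leaves and arrives:
            return "ok"                   # normal (UDP 514) logs leave and arrive
        if leaves:
            return "filtered-514"         # logs leave but never arrive: port 514 dropped in the path
        if _seen(fgt, "tcp", fgt_ip, faz_ip, 514):
            return "no-logs-generated"    # only TCP 514 (content archive / Test Connectivity)
        return "no-traffic"
    if _seen(fgt, "esp", fgt_ip, faz_ip) and _seen(faz, "esp", fgt_ip, faz_ip):
        return "ok"                       # IP protocol 50 on both ends: settings are correct
    if _seen(fgt, "esp", fgt_ip, faz_ip):
        return "esp-dropped"              # ESP leaves the FortiGate but never reaches the FortiAnalyzer
    if _seen(fgt, "udp", fgt_ip, faz_ip, 500):
        return "ike-only"                 # IKE only: PSK or Local ID / device name mismatch
    return "no-traffic"


def local_id_matches(fgt_config: str, faz_config: str) -> bool:
    """True if 'set localid' in the FortiGate config equals the 'edit <name>'
    entry under 'config log device' in the FortiAnalyzer config."""
    localid = re.search(r"^\s*set localid\s+(\S+)", fgt_config, re.M)
    devname = re.search(r"config log device\s+edit\s+(\S+)", faz_config)
    return bool(localid and devname and localid.group(1) == devname.group(1))


FGT_IP, FAZ_IP = "10.1.1.1", "10.2.2.2"   # constructed addresses

# Constructed captures: UDP 514 leaves the FortiGate, but only the TCP 514
# Test Connectivity session shows up on the FortiAnalyzer.
FGT_CLEAR = [
    "1.001 port1 out 10.1.1.1.1025 -> 10.2.2.2.514: udp 312",
    "1.002 port1 out 10.1.1.1.1025 -> 10.2.2.2.514: udp 298",
]
FAZ_CLEAR = [
    "1.500 port1 in 10.1.1.1.2048 -> 10.2.2.2.514: syn 1234",
    "1.501 port1 out 10.2.2.2.514 -> 10.1.1.1.2048: syn 5678 ack 1235",
]
# Constructed captures with encryption enabled: IKE on UDP 500 only, no ESP.
FGT_IKE = ["2.000 port1 out 10.1.1.1.500 -> 10.2.2.2.500: udp 304",
           "2.100 port1 in 10.2.2.2.500 -> 10.1.1.1.500: udp 92"]
FAZ_IKE = ["2.010 port1 in 10.1.1.1.500 -> 10.2.2.2.500: udp 304",
           "2.090 port1 out 10.2.2.2.500 -> 10.1.1.1.500: udp 92"]

if __name__ == "__main__":
    print(diagnose_logging(FGT_CLEAR, FAZ_CLEAR, FGT_IP, FAZ_IP, encrypted=False))
    print(diagnose_logging(FGT_IKE, FAZ_IKE, FGT_IP, FAZ_IP, encrypted=True))
```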
Bootup issues
When powering on your FortiAnalyzer unit, you may experience problems. Bootup issues, while rare, can be very difficult to troubleshoot due to the lack of information about the issue. When the unit is not running, you do not have access to your typical tools such as diagnose CLI commands. This section walks you through some possible issues to give you direction in these situations.
To troubleshoot a bootup problem with your unit, go to the section that lists your problem. If you have multiple problems, go to the problem closest to the top of the list first, and work your way down the list.
The issues covered in this section all refer to various potential bootup issues, including:
• You have text on the screen, but you have problems.
• You do not see the boot options menu.
• You have problems with the console text.
• You have visible power problems.
• You have a suspected defective FortiAnalyzer unit.
• Examples: Error message "EXT3-fs error (device...)"
You have text on the screen, but you have problems.
Solution
1 If the text on the screen is garbled, ensure your console communication parameters are correct. Check your QuickStart Guide for settings specific to your model.
2 If that fixes your problem, you are done.
3 If not, go to You do not see the boot options menu.
You do not see the boot options menu.
Solution
1 Ensure your serial communication parameters are set to no flow control and the proper baud rate, and reboot the FortiAnalyzer unit by powering it off and on.
2 If that fixes your problem, you are done.
3 If it doesn't fix your problem, go to You have a suspected defective FortiAnalyzer unit.
You have problems with the console text.
1 Do you have any console message?
If Yes, go to You have visible power problems.
If No, continue.
2 Is there garbage text on the screen?
If Yes, ensure the console communication parameters are OK. If that fixes the problem, you are done.
3 If No, does the unit stop before the Press Any Key to Download Boot Image prompt?
If Yes, go to You have a suspected defective FortiAnalyzer unit.
If No, go to Step 4.
4 Console Message Press any key to Download Boot Image
5 When pressing a key, do you see one of the following messages?
[G] Get Firmware image from TFTP server
[F] Format boot device
[B] Boot with backup firmware and act as default
[Q] Quit menu and continue to boot with default firmware
[H] Display this list of options
If Yes, go to You have a suspected defective FortiAnalyzer unit.
6 If No, ensure your serial communication parameters are set to no flow control and the proper baud rate, and reboot the FortiAnalyzer unit by powering it off and on.
7 Did the reboot fix the problem?
If it fixed your problem, you are done.
If it didn't fix your problem, go to You have a suspected defective FortiAnalyzer unit.
Note: It is rare that units experience any of the symptoms listed here. Fortinet hardware is reliable with a long expected operation life.
Note: FortiAnalyzer units ship with a baud rate of 9600 by default. If you have access, verify this with the CLI command config system console followed by get, or parse an archived configuration file for the term baudrate.
You have visible power problems.
1 Is there any LED activity?
If No, ensure power is on. If that fixes the problem, you are done.
If Yes, continue.
2 Do you have an external power adapter?
If No, go to You have a suspected defective FortiAnalyzer unit.
If Yes, try replacing the power adapter.
3 Is the power supply defective, or can you not determine one way or the other?
If No, go to You have a suspected defective FortiAnalyzer unit.
If Yes, go to You have text on the screen, but you have problems.
You have a suspected defective FortiAnalyzer unit.
If you have followed these steps and determined there is a good chance your unit is defective, follow these steps.
1 Open a support ticket through Customer Service & Support at https://support.fortinet.com.
2 In the ticket, document the problem or problems, and the steps that you have taken.
3 Provide all console messages and output.
4 Indicate if you have a suspected hard disk issue, and provide your evidence.
Customer Service & Support will contact you to help you with your ticket and issue.
Examples: Error message "EXT3-fs error (device...)"
The FortiAnalyzer unit does not boot properly and/or some errors are displayed on the console during the boot.
Note: FortiAnalyzer units ship with a baud rate of 9600 by default. If you have access, parse an
archived configuration file for the term baudrate or verify this setting with the CLI
command:
config system console
get
Example 1:
Reading boot image 1463602 bytes.
Initializing firewall...
System is started.
EXT3-fs error (device md(9,0)): ext3_readdir: bad entry in directory #1474561: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
EXT3-fs error (device md(9,0)): ext3_readdir: bad entry in directory #1474561: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
Example 2:
Reading boot image 1463602 bytes.
Initializing firewall...
System is started.
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=130817, block=262146
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
Some error details may vary from one device to another, but the EXT3-fs error indicates there is an issue with the local file system.
Solution
This issue appears to be due to some corruption in the file system that affects the boot
device and/or firmware loading.
In most cases the issue may be resolved by reformatting the boot device and then
reinstalling the firmware via TFTP.
Make sure to reload the same firmware version as the one used to save the
configuration backup file. In case there is no configuration backup file, the unit needs
to be reconfigured from scratch.
To reload the firmware
1 Connect to the FortiAnalyzer unit on the serial console.
2 Reboot the unit and press any key to enter the Boot Menu.
3 Select format boot device.
4 Select Reload Firmware via TFTP.
5 When the unit is up, open the Web-based Manager and go to System >
Maintenance > Backup & Restore and restore the latest configuration from backup.
APPENDIX A
SNMP MIB support
The FortiAnalyzer SNMP agent supports the management information bases (MIBs) listed in Table 20.
You can obtain these MIB files from the Customer Service & Support web site, https://support.fortinet.com.
To be able to communicate with your FortiAnalyzer unit's SNMP agent, you must first compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do not have to compile them again.
To view a trap's or query's name, object identifier (OID), and description, open its MIB file in a plain text editor.
All traps sent include the message, the FortiAnalyzer unit's serial number, and the host name.
For instructions on how to configure traps and queries, see Configuring the SNMP
agent on page 118.
Table 20: FortiAnalyzer MIBs
MIB or RFC | Description
FORTINET-CORE-MIB | This Fortinet-proprietary MIB enables your SNMP manager to query for system information and to receive traps that are common to multiple Fortinet devices.
FORTINET-FORTIANALYZER-MIB | This Fortinet-proprietary MIB enables your SNMP manager to query for FortiAnalyzer-specific information and to receive FortiAnalyzer-specific traps.
RFC-1213 (MIB II) | The FortiAnalyzer SNMP agent supports MIB II groups, except: there is no support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10); protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, etc.) do not accurately capture all FortiAnalyzer traffic activity, and more accurate information can be obtained from the information reported by the FortiAnalyzer MIB.
RFC-2665 (Ethernet-like MIB) | The FortiAnalyzer SNMP agent supports Ethernet-like MIB information except the dot3Tests and dot3Errors groups.
APPENDIX B
Maximum values matrix
Table 21: Maximum values of FortiAnalyzer models
Feature | FortiAnalyzer-100B, 100C | FortiAnalyzer-400B | FortiAnalyzer-800, 800B | FortiAnalyzer-1000, 1000C | FortiAnalyzer-2000, 2000A, 2000B | FortiAnalyzer-4000A, 4000B
Administrative domains (ADOMs) | 1 (a) | 10 | 50 | 50 | 100 | 250
Devices per ADOM | 100 | 200 | 500 | 2000 | 2000 | 2000
Administrators | 10 | 20 | 100 | 100 | 200 | 500
Administrator access profiles | 10 | 20 | 100 | 100 | 200 | 500
RADIUS servers | 6 | 6 | 6 | 6 | 6 | 6
RADIUS authentication groups | 6 | 6 | 6 | 6 | 6 | 6
RADIUS servers per authentication group | 6 | 6 | 6 | 6 | 6 | 6
Static routes | 32 | 32 | 32 | 32 | 32 | 32
SMB shares | 16 | 32 | 64 | 64 | 64 | 64
SMB users | 16 | 32 | 64 | 64 | 64 | 64
SMB groups | 16 | 32 | 64 | 64 | 64 | 64
SMB users per group | 16 | 32 | 64 | 64 | 64 | 64
SMB read-only users & groups per share | 16 | 32 | 64 | 64 | 64 | 64
SMB read-write users & groups per share | 16 | 32 | 64 | 64 | 64 | 64
NFS exports | 16 | 32 | 64 | 64 | 64 | 64
NFS RO clients per export | 16 | 32 | 64 | 64 | 64 | 64
NFS RW clients per export | 16 | 32 | 64 | 64 | 64 | 64
Registered log devices (FGT/FMG/FML/SL+FC) | 100 | 200 | 500 | 2000 | 2000 | 2000
HA members per log device | 5 | 5 | 5 | 5 | 5 | 5
Log device groups | 50 | 100 | 250 | 1000 | 1000 | 1000
Log devices per device group | 100 | 200 | 500 | 2000 | 2000 | 2000
Unregistered log devices | 100 | 200 | 500 | 2000 | 2000 | 2000
Blocked log devices | 100 | 200 | 500 | 2000 | 2000 | 2000
Report LDAP servers | 6 | 6 | 6 | 6 | 6 | 6
Report IP aliases | 256 | 256 | 512 | 512 | 512 | 512
Report schedules | 250 | 250 | 500 | 500 | 750 | 1000
Report layouts | 250 | 250 | 500 | 500 | 750 | 1000
Objects/queries per report layout | 500 | 500 | 500 | 500 | 500 | 500
Report outputs | 250 | 250 | 500 | 500 | 750 | 1000
Report filters | 250 | 250 | 500 | 500 | 750 | 1000
Report datasets | 250 | 250 | 500 | 500 | 750 | 1000
Outputs per report dataset | 3 | 3 | 3 | 3 | 3 | 3
Report custom charts | 250 | 250 | 500 | 500 | 750 | 1000
SQL report layouts | 1000 | 1000 | 1000 | 1000 | 1000 | 1000
SQL report chart templates | 1000 | 1000 | 1000 | 1000 | 1000 | 1000
SQL report datasets | 1000 | 1000 | 1000 | 1000 | 1000 | 1000
SQL report components per layout | 500 | 500 | 500 | 500 | 500 | 500
Alerts/SNMP managers (CmdGens/NotRcvrs) | 31 | 31 | 31 | 31 | 31 | 31
Alerts/SNMP managers per community | 10 | 10 | 10 | 10 | 10 | 10
Alerts email servers | 1 | 8 | 16 | 16 | 32 | 32
Alerts syslog servers | 1 | 8 | 16 | 16 | 32 | 32
Alerts events | 10 | 100 | 100 | 100 | 256 | 256
Alerts destinations per event | 16 | 16 | 32 | 32 | 64 | 64
Network vulnerability scan assets | 200 | 500 | 1000 | 2000 | 65535 | 65535
Network vulnerability scans | 80 | 160 | 160 | 320 | 400 | 640
Administrator sessions | 300 | 300 | 300 | 300 | 300 | 300
NTP servers | 20 | 20 | 20 | 20 | 20 | 20
External SQL database size limit | 1000 | 2000 | 4000 | 4000 | 8000 | 24000
a. The FortiAnalyzer 100B and 100C do not support Administrative Domains (ADOMs).
APPENDIX C
Querying FortiAnalyzer SQL log databases
The FortiAnalyzer unit supports local PostgreSQL and remote MySQL databases for
storage of log tables.
To create a report based on the FortiGate log messages in a local or remote database,
you can use either the predefined datasets, or create your own custom datasets by
querying the log messages in the SQL database on the FortiAnalyzer unit.
This document describes the procedure for creating datasets, and describes the fields
in each type of log table to assist in writing SQL queries.
The supported SQL commands depend on your SQL database. If you use a local
PostgreSQL database, refer to the PostgreSQL user documentation for the command
syntax. If you use a remote MySQL database, refer to the MySQL user documentation
for the command syntax.
This section contains the following topics:
Creating datasets
SQL tables
Examples
Creating datasets
The following procedure describes how to create datasets in the Web-based Manager. You can also use the CLI command config sql-report dataset to create datasets. For details, see the FortiAnalyzer CLI Reference and the Examples section.
To create a custom dataset in the Web-based Manager
1 Enable the SQL database for log storage in System > Config > SQL Database. For
information on selecting the storage method, see Configuring SQL database
storage on page 111.
2 Go to Report > Advanced > Data Set.
3 Click Create New.
4 Configure the following, then click OK.
Figure 152: Create a new DataSet
Name: Enter the name for the dataset.
Log Type ($log): Enter the type of logs to be used for the dataset. $log is used in the SQL query to represent the log type you select, and the query is run against all tables of this type.
SQL Query: Enter the SQL query syntax to retrieve the log data you want from the SQL database.
Different SQL systems use different query syntaxes for date/time formats. The FortiAnalyzer unit uses PostgreSQL as the local database and supports MySQL as the remote database. So that one query works on both MySQL and PostgreSQL, use the following date/time macros, matched to the Time Period you choose:
Hour_of_day ($hour_of_day): for example, select Yesterday for the Time Period and enter
"select $hour_of_day as hourstamp, count(*) from $log where $filter group by hourstamp order by hourstamp"
Day_of_week ($day_of_week): for example, select This Week for the Time Period and enter
"select $day_of_week as datestamp, count(*) from $log where $filter group by datestamp order by datestamp"
Day_of_month ($day_of_month): for example, select This Month for the Time Period and enter
"select $day_of_month as datestamp, count(*) from $log where $filter group by datestamp order by datestamp"
Week_of_year ($week_of_year): for example, select This Year for the Time Period and enter
"select $week_of_year as weekstamp, count(*) from $log where $filter group by weekstamp order by weekstamp"
Month_of_year ($month_of_year): for example, select This Year for the Time Period and enter
"select $month_of_year as monthstamp, count(*) from $log where $filter group by monthstamp order by monthstamp"
The results of running these queries display the date and time first, followed by the log data.
Test: Click to test whether or not the SQL query is successful. See "To test a SQL query" on page 307.
To test a SQL query
1 Follow the procedures in To create a custom dataset in the Web-based Manager
on page 305.
2 After entering the SQL query, click Test.
3 Configure the following, then click Run to view the query results.
Figure 153: SQL Query test results
Device: Select a specific FortiGate unit, FortiMail unit, or FortiClient installation, or select all devices, to apply the SQL query to.
VDom: If you want to apply the SQL query to a FortiGate VDOM, enter the name of the VDOM. Then use $filter in the where clause of the SQL query to limit the results to the FortiGate VDOM you specify.
Time Period ($filter): Select to query the logs from a time frame, or select Specified and define a custom time frame by selecting the Begin Time and End Time. Then use $filter in the where clause of the SQL query to limit the results to the period you select.
Past N Hours/Days/Weeks: If you selected Past N Hours/Days/Weeks for Time Period, enter the number.
Begin Time: Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
End Time: Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
SQL Query: Enter the SQL query to retrieve the log data you want from the SQL database.
Run: Click to execute the SQL query. The results display. If the query is not successful, see "Troubleshooting" on page 308.
Clear: Select to remove the displayed query results.
Save Options: Select to save the SQL query console configuration to the dataset configuration. The Device and VDOM configurations are not used by the dataset configuration.
Close: Click to return to the dataset configuration page.

Troubleshooting
If the query is unsuccessful, an error message appears in the results window indicating
the cause of the problem.

SQL statement syntax errors
Here are some example error messages and possible causes:
"You have an error in your SQL syntax" (remote/MySQL) or "ERROR: syntax error at or near..." (local/PostgreSQL)
Check that SQL keywords are spelled correctly, and that the query is well formed.
In MySQL, table and column names are quoted with grave accent (`) characters; single (') or
double (") quotation marks around a name cause an error. PostgreSQL quotes identifiers with
double quotation marks (") instead and does not accept the grave accent, so a query written
for one database does not necessarily run on the other. In both databases, single quotation
marks delimit string literals.
"No data is covered."
The query is correctly formed, but no data has been logged for the log type. Check
that you have configured the FortiAnalyzer unit to save that log type. Under System
> Config > SQL Database, make sure that the log type is checked.

Connection problems
If well-formed queries do not produce results, and logging is turned on for the log type,
there may be a database configuration problem with the remote database.
Ensure that:
MySQL is running and listening on the default port, 3306.
You have created an empty database and a user with create permissions for the
database.
Here is an example of creating a new MySQL database named fazlogs, and adding
a user for the database (MySQL uses '%' as the any-host wildcard in account names):
# mysql -u root -p
mysql> CREATE DATABASE fazlogs;
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'%' IDENTIFIED BY 'fazpassword';
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'localhost' IDENTIFIED BY 'fazpassword';
The '%' host part allows this account to log in from any host. Where your network allows it,
replace '%' with the IP address of the FortiAnalyzer unit so that only it can use the
account, and choose a stronger password than the placeholder shown here.
SQL tables
The FortiAnalyzer unit creates a database table for each managed device and each log
type when there is log data. If the FortiAnalyzer unit is not receiving data from a
device, or logging is not enabled under System > Config > SQL Database, it does not
create log tables for that device.
SQL tables follow the naming convention [Device Name]-[SQL table type]-[timestamp],
where the SQL table type is one of the types listed in Table 22 on page 309.
To view all the named tables created in a database, you can use:
local (PostgreSQL) database: SELECT * FROM pg_tables
remote (MySQL): SHOW TABLES
The names of all created tables and their types are stored in a master table named
table_ref.
Note: The timestamp portion of the log name depends on the FortiAnalyzer unit firmware
release. It is either the creation time of the table (in releases before 4.2.1), or the timestamp
of the log on disk (in releases 4.2.1 and later).
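The following is an added example, not code from the FortiAnalyzer product or this guide. It ties together the two points above: a dataset query written with the $log, $filter and $hour_of_day macros from the Create New DataSet dialog (the Hour_of_day example under "Creating datasets"), and the [Device Name]-[SQL table type]-[timestamp] naming convention from "SQL tables", which is what lets $log stand for every table of one type. Everything it assumes is its own: SQLite is used so that it runs without a PostgreSQL or MySQL server, the macro expansions are SQLite-dialect stand-ins for whatever FortiAnalyzer generates internally (PostgreSQL and MySQL need their own date/time functions), and the device serial, table timestamps and log rows are constructed sample data.

```python
"""Added example, not FortiAnalyzer code: a dataset-style query written with the
$log, $filter and $hour_of_day macros, run against an offline stand-in for the
FortiAnalyzer SQL log store.

Assumptions (this example's own, not from the guide):
- SQLite is used so the example runs without a PostgreSQL/MySQL server.
- The macro expansions are SQLite-dialect stand-ins for what FortiAnalyzer
  generates internally; PostgreSQL and MySQL need their own date/time syntax.
- Device serial, table timestamps and log rows are constructed sample data.
"""
import re
import sqlite3
from datetime import datetime, timedelta

# Naming convention from the guide: [Device Name]-[SQL table type]-[timestamp].
TABLE_NAME_RE = re.compile(r"^(?P<device>[^-]+)-(?P<type>[a-z]log)-(?P<ts>\d+)$")

SAMPLE_DEVICE = "FGT60C3G10000001"      # constructed serial number
SAMPLE_DAY = datetime(2012, 2, 28)      # constructed "Yesterday"

HOUR_OF_DAY_QUERY = ("select $hour_of_day as hourstamp, count(*) from $log "
                     "where $filter group by hourstamp order by hourstamp")


def list_log_tables(conn, table_type):
    """Names of every table of one type (tlog, elog, ...), found by parsing the
    naming convention. Stand-in for SELECT * FROM pg_tables / SHOW TABLES or the
    table_ref master table on a real FortiAnalyzer database."""
    names = []
    for (name,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        m = TABLE_NAME_RE.match(name)
        if m and m.group("type") == table_type:
            names.append(name)
    return sorted(names)


def expand_macros(sql, conn, log_type, begin, end):
    """Turn a dataset query into plain SQL.
    $log    -> UNION ALL of every table of the selected type (the guide says the
               query "is run against all tables of this type")
    $filter -> the Time Period predicate on dtime (time generated on the device)
    $hour_of_day and friends -> SQLite strftime() stand-ins
    """
    tables = list_log_tables(conn, log_type)
    if not tables:
        # The same situation as the guide's "No data is covered" message.
        raise LookupError(f"no {log_type} tables: is logging for that type enabled?")
    # Hyphenated table names must be quoted as identifiers.
    union = " UNION ALL ".join(f'SELECT * FROM "{name}"' for name in tables)
    window = (f"dtime >= '{begin:%Y-%m-%d %H:%M:%S}' "
              f"AND dtime < '{end:%Y-%m-%d %H:%M:%S}'")
    macros = {
        "$log": f"({union}) AS logs",
        "$filter": f"({window})",
        "$hour_of_day": "CAST(strftime('%H', dtime) AS INTEGER)",
        "$day_of_week": "CAST(strftime('%w', dtime) AS INTEGER)",
        "$day_of_month": "CAST(strftime('%d', dtime) AS INTEGER)",
        "$week_of_year": "CAST(strftime('%W', dtime) AS INTEGER)",
        "$month_of_year": "CAST(strftime('%m', dtime) AS INTEGER)",
    }
    for name in sorted(macros, key=len, reverse=True):  # longest names first
        sql = sql.replace(name, macros[name])
    return sql


def build_sample_db():
    """In-memory database with two tlog tables and one elog table for one device,
    using a subset of the common fields from Table 25. Rows are constructed."""
    conn = sqlite3.connect(":memory:")
    columns = ("id INTEGER PRIMARY KEY, itime TEXT, dtime TEXT, device_id TEXT, "
               "type TEXT, subtype TEXT, src TEXT, dst TEXT, dst_port INTEGER")
    # (table timestamp suffix, hours after SAMPLE_DAY at which each log was generated)
    for suffix, hours in (("1330387200", (1, 1, 9, 13)), ("1330473600", (26, 33, 33, 33))):
        name = f"{SAMPLE_DEVICE}-tlog-{suffix}"
        conn.execute(f'CREATE TABLE "{name}" ({columns})')
        for h in hours:
            when = (SAMPLE_DAY + timedelta(hours=h)).strftime("%Y-%m-%d %H:%M:%S")
            conn.execute(
                f'INSERT INTO "{name}" (itime, dtime, device_id, type, subtype, src, dst, dst_port) '
                "VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                (when, when, SAMPLE_DEVICE, "traffic", "allowed", "10.0.0.5", "192.0.2.10", 443))
    elog = f"{SAMPLE_DEVICE}-elog-1330387200"
    conn.execute(f'CREATE TABLE "{elog}" ({columns})')
    conn.execute(f'INSERT INTO "{elog}" (dtime, type, subtype) VALUES (?, ?, ?)',
                 (SAMPLE_DAY.strftime("%Y-%m-%d %H:%M:%S"), "event", "admin"))
    conn.commit()
    return conn


def hourly_counts(conn, day=SAMPLE_DAY, days=1):
    """The guide's Hour_of_day example over a Time Period of `days` days starting
    at `day`: {hour: number of traffic logs generated in that hour}."""
    rows = conn.execute(expand_macros(HOUR_OF_DAY_QUERY, conn, "tlog",
                                      day, day + timedelta(days=days)))
    return dict(rows.fetchall())


if __name__ == "__main__":
    db = build_sample_db()
    print(expand_macros(HOUR_OF_DAY_QUERY, db, "tlog", SAMPLE_DAY, SAMPLE_DAY + timedelta(days=1)))
    print(hourly_counts(db))           # {1: 2, 9: 1, 13: 1}
    print(hourly_counts(db, days=2))   # {1: 2, 2: 1, 9: 4, 13: 1}
```

Two details are worth keeping in mind when you move from this stand-in to the real database: $log covers every table of the type, so a device with several tlog tables (one per timestamp) contributes all of them to the count, and the filter is applied to dtime, the time the device generated the log, not itime, the time the FortiAnalyzer unit received it, which can differ when a device buffers and uploads logs later.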
Table 22: Log types and table types
Log Type | SQL table type | Description
Traffic log | tlog | The traffic log records all traffic to and through the FortiGate interface.
Event log | elog | The event log records management and activity events, for example when an administrator logs in to or out of the web-based manager.
Antivirus log | vlog | The antivirus log records virus incidents in Web, FTP, and email traffic.
Webfilter log | wlog | The web filter log records web filtering activity, including FortiGuard rating errors and the web content blocking actions that the FortiGate unit performs.
Attack log | alog | The attack log records attacks that are detected and prevented by the FortiGate unit.
Spamfilter log | slog | The spam filter log records blocking of email address patterns and content in SMTP, IMAP, and POP3 traffic.
Data Leak Prevention log | dlog | The data leak prevention log records log data that is considered sensitive and that should not be made public. This log also records data that a company does not want entering its network.
Application Control log | rlog | The application control log records traffic detected by the FortiGate unit and the action taken against it, depending on the application that is generating the traffic, for example instant messaging software such as MSN Messenger.
DLP archive log | clog | The DLP archive log, or clog.log, records all log messages, including most IM log messages as well as the following session control protocol (VoIP protocol) log messages: SIP start and end call; SCCP phone registration; SCCP call info (end of call); SIMPLE log message.
Vulnerability Management log | nlog | The vulnerability management log, or netscan log, contains logging events generated by a network scan.

FortiAnalyzer logs also include log subtypes, which are types of log messages within
the main log type. For example, the event log type has the admin subtype. FortiAnalyzer
log types and subtypes are numbered, and these numbers appear within the log
identification field (log_id) of the log message.

Table 23: Log Sub-types
Log Type | Sub-Type | Description
traffic (Traffic Log) | allowed | Policy allowed traffic
traffic (Traffic Log) | violation | Policy violation traffic
traffic (Traffic Log) | other | Other traffic
event (Event Log), for FortiGate devices | system | System activity event
event (Event Log), for FortiGate devices | ipsec | IPSec negotiation event
event (Event Log), for FortiGate devices | dhcp | DHCP service event
event (Event Log), for FortiGate devices | ppp | L2TP/PPTP/PPPoE service event
event (Event Log), for FortiGate devices | admin | Admin event
event (Event Log), for FortiGate devices | ha | HA activity event
event (Event Log), for FortiGate devices | auth | Firewall authentication event
event (Event Log), for FortiGate devices | pattern | Pattern update event
event (Event Log), for FortiGate devices | alertemail | Alert email notifications
event (Event Log), for FortiGate devices | chassis | FortiGate-5000 series chassis event
event (Event Log), for FortiGate devices | sslvpn-user | SSL VPN user event
event (Event Log), for FortiGate devices | sslvpn-admin | SSL VPN administration event
event (Event Log), for FortiGate devices | sslvpn-session | SSL VPN session event
event (Event Log), for FortiGate devices | his-performance | Performance statistics
event (Event Log), for FortiGate devices | vipssl | VIP SSL events
event (Event Log), for FortiGate devices | ldb-monitor | LDB monitor events
dlp (Data Leak Prevention Log) | dlp | Data Leak Prevention
app-ctrl (Application Control Log) | app-ctrl-all | All application control
DLP archive (DLP Archive Log) | HTTP | HTTP content metadata
DLP archive (DLP Archive Log) | FTP | FTP content metadata
DLP archive (DLP Archive Log) | SMTP | SMTP content metadata
DLP archive (DLP Archive Log) | POP3 | POP3 content metadata
DLP archive (DLP Archive Log) | IMAP | IMAP content metadata
virus (Antivirus Log) | infected | Virus infected
virus (Antivirus Log) | filename | Filename blocked
virus (Antivirus Log) | oversize | File oversized
webfilter (Web Filter Log) | content | Content block
webfilter (Web Filter Log) | urlfilter | URL filter
webfilter (Web Filter Log) |  | FortiGuard block
webfilter (Web Filter Log) |  | FortiGuard allowed
webfilter (Web Filter Log) |  | FortiGuard error
webfilter (Web Filter Log) |  | ActiveX script filter
webfilter (Web Filter Log) |  | Cookie script filter
webfilter (Web Filter Log) |  | Applet script filter
ips (Attack Log) | signature | Attack signature
ips (Attack Log) | anomaly | Attack anomaly
emailfilter (Spam Filter Log) | SMTP |
emailfilter (Spam Filter Log) | POP3 |
emailfilter (Spam Filter Log) | IMAP |

Log severity levels
You can define the severity level at which the FortiGate unit records logs when configuring
the logging location. The FortiGate unit logs all messages at and above the logging
severity level you select. For example, if you select Error, the unit logs Error, Critical,
Alert, and Emergency level messages.
The Debug severity level, not shown in Table 24, is rarely used. It is the lowest log
severity level and usually contains some firmware status information that is useful
when the FortiGate unit is not functioning properly. Debug log messages are only
generated if the log severity level is set to Debug. Debug log messages are generated by
all types of FortiGate features.

Table 24: Log Severity Levels
Level | Description | Generated by
0 - Emergency | The system has become unstable. | Event logs, specifically administrative events, can generate an Emergency severity level.
1 - Alert | Immediate action is required. | Attack logs are the only logs that generate an Alert severity level.
2 - Critical | Functionality is affected. | Event, Antivirus, and Spam filter logs.
3 - Error | An error condition exists and functionality could be affected. | Event and Spam filter logs.
4 - Warning | Functionality could be affected. | Event and Antivirus logs.
5 - Notification | Information about normal events. | Traffic and Web Filter logs.
6 - Information | General information about system operations. | Content Archive, Event, and Spam filter logs.
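The numbered type and subtype mentioned above live in the log_id column that every log table carries (see the common fields in Table 25 below: the first two digits are the log type, the next two the subtype, the rest the message ID). The following is an added example, not code from the FortiAnalyzer product or this guide, that decodes a log_id into those components and builds the numeric range that selects one type/subtype pair in a query. The log_id values in it are constructed samples; the meaning of any particular type or subtype code is documented in the FortiGate Log Message Reference, not here.

```python
"""Added example, not FortiAnalyzer code: split a log_id into its log type, log
subtype and message ID components as the guide describes them, and build the
numeric range that selects one type/subtype in SQL.

The sample log_id values are constructed. They are written as they come back
from the numeric column: an integer type does not keep the leading zero of a
ten-digit ID, so 0100032001 reads back as 100032001.
"""

SAMPLE_LOG_IDS = [100032001, 100032002, 100045007, 21000001, 21000001]


def decode_log_id(log_id):
    """Return (type_code, subtype_code, message_id) for a log_id.

    Layout from the guide: ten digits, first two = log type, next two = log
    subtype, remaining digits = message ID. The value is zero-padded back to
    ten digits first, which is what restores the type code of an ID whose
    leading zero was dropped by the integer column.
    """
    digits = str(log_id).strip()
    if not digits.isdigit():
        raise ValueError(f"log_id is not numeric: {log_id!r}")
    if len(digits) > 10:
        raise ValueError(f"log_id has more than ten digits: {digits}")
    digits = digits.zfill(10)
    return digits[0:2], digits[2:4], int(digits[4:])


def log_id_range(type_code, subtype_code):
    """Inclusive (low, high) bounds of every log_id with this type and subtype.
    Using them in a numeric predicate keeps the comparison on the integer
    column instead of converting every row to text and slicing it."""
    for code in (type_code, subtype_code):
        if len(code) != 2 or not code.isdigit():
            raise ValueError(f"type and subtype codes are two digits: {code!r}")
    prefix = type_code + subtype_code
    return int(prefix + "000000"), int(prefix + "999999")


def between_clause(type_code, subtype_code):
    """SQL predicate text for log_id_range(), for use in a dataset's where clause."""
    low, high = log_id_range(type_code, subtype_code)
    return f"log_id BETWEEN {low} AND {high}"


def tally_by_type_subtype(log_ids):
    """Count log_id values per (type, subtype) pair, the way a GROUP BY on the
    decoded components would."""
    counts = {}
    for log_id in log_ids:
        type_code, subtype_code, _ = decode_log_id(log_id)
        key = (type_code, subtype_code)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(decode_log_id(100032001))               # ('01', '00', 32001)
    print(between_clause("01", "00"))             # log_id BETWEEN 100000000 AND 100999999
    print(tally_by_type_subtype(SAMPLE_LOG_IDS))  # {('01', '00'): 3, ('00', '21'): 2}
```

The zero-padding is the part that matters in practice: a log_id read from the database as an integer and sliced as text without padding would attribute the log to the wrong type. Combine between_clause() with $filter in a dataset query (for example, "... from $log where $filter and log_id BETWEEN 100000000 AND 100999999") to count one subtype per hour or day using the macros described under "Creating datasets".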
Log fields in each table
This section describes the fields of each log table stored in an SQL database. Because
of differences in SQL dialects, some fields have different types depending on whether
they are stored locally or remotely.
The tables described in this section are:
Common log fields, on page 312
Application control log fields on page 314
Attack log fields on page 316
DLP archive / content log fields on page 317
Data Leak Prevention log fields on page 322
Email filter log fields on page 323
Event log fields on page 325
Traffic log fields on page 338
Antivirus log fields on page 340
Web filter log fields on page 343
Netscan log fields on page 345
Common log fields
All log tables share some common fields, described in Table 25.
Table 25: Common fields
Field | PostgreSQL type | MySQL type | Description | Tables
id | int not null primary key | int unsigned not null primary key | ID / primary key for the record. | all
itime | timestamp | datetime | The time the log event was received by the FortiAnalyzer unit. | all
dtime | timestamp | datetime | The time the log event was generated on the device. | all
cluster_id | varchar(24) | varchar(24) | The HA cluster ID if the FortiGate unit runs in HA mode. | all
device_id | varchar(16) | varchar(16) | The serial number of the device. | all
log_id | int default 0 | smallint unsigned default 0 | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype; the remaining digits (one to five significant digits) are the message ID. For what a combination of type, subtype and message ID means, see the FortiGate Log Message Reference. Note that a ten-digit value does not fit in a MySQL smallint (maximum 65535); check the actual column definition on your remote database before writing predicates on this field. | all
subtype | varchar(255) | varchar(255) | The subtype of the log message. The possible values depend on the log type; see Table 23 for the subtypes associated with each log type. | all
type | varchar(255) | varchar(255) | The log type. | all
timestamp | int default 0 | int unsigned default 0 | Timestamp for the event. | all
pri | varchar(255) | varchar(255) | The log priority level. See Table 24 for the priority levels and the log types that generate them. | all
vd | varchar(255) | varchar(255) | The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the default virtual domain, root. | all
user | varchar(255) | varchar(255) | The name of the user creating the traffic. | all except nlog
group | varchar(255) | varchar(255) | The name of the group creating the traffic. | all except nlog
src | varchar(40) (255 for alog) | varchar(40) (255 for alog) | The source IP address. | all except nlog
dst | varchar(40) (255 for alog) | varchar(40) (255 for alog) | The destination IP address. | all except nlog
src_port | int default 0 | smallint unsigned default 0 | The source port of the TCP or UDP traffic. The source port is zero for other types of traffic. | all except nlog
dst_port | int default 0 | smallint unsigned default 0 | The destination port of the TCP or UDP traffic. The destination port is zero for other types of traffic. | all except nlog
src_int | varchar(255) | varchar(255) | The interface on which through traffic comes in. For outgoing traffic originating from the firewall, it is unknown. | all except clog and nlog
dst_int | varchar(255) | varchar(255) | The interface through which traffic goes out to the public network or Internet. For incoming traffic to the firewall, it is unknown. | all except clog and nlog
policyid | bigint default 0 | int unsigned default 0 | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate unit has an index number of zero. For more information, see the Knowledge Base article "Firewall policy=0". | all except nlog
service | varchar(255) | varchar(255) | The service where the activity or event occurred, for example a web page accessed over HTTP or HTTPS. This field is an enum with one of the following values: http, https, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, nntp, im, smtps, pop3s, imaps | all except clog
identidx | bigint default 0 | int unsigned default 0 | The identity index number. | all except nlog
profile | varchar(255) | varchar(255) | The protection profile associated with the firewall policy that the traffic used when the log message was recorded. | all except dlog, tlog, and nlog
profiletype | varchar(255) | varchar(255) | The type of profile associated with the firewall policy that the traffic used when the log message was recorded. | all except dlog, tlog, and nlog
profilegroup | varchar(255) | varchar(255) | The profile group associated with the firewall policy that the traffic used when the log message was recorded. | all except dlog, tlog, and nlog

Application control log fields
The table below lists the fields defined in application control log tables (type rlog).
Table 26: Application control log fields
Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For application control logs, this field can be: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded, failed, authentication-required, pass, block
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification, for example the MSISDN of the phone that sent the MMS message. This field always displays N/A in FortiOS.
kind | varchar(255) | varchar(255) | This field is an enum, and can be one of the following values: login, chat, file, photo, audio, call, regist, unregister, call-block, request, response
dir | varchar(255) | varchar(255) | The direction of the traffic. This field is an enum, and can be one of: incoming, outgoing, N/A
src_name | varchar(255) | varchar(255) | The name of the source or the source IP address.
dst_name | varchar(255) | varchar(255) | The destination name or destination IP address.
proto | int default 0 | smallint unsigned default 0 | The protocol number that applies to the session or packet: the number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
serial | bigint default 0 | int unsigned default 0 | Serial number of the log message.
app_list | varchar(255) | varchar(255) | The application control list (under UTM > Application Control > Application Control List on the FortiGate unit) that contains the policy that triggered this log item.
app_type | varchar(255) | varchar(255) | The application category.
app | varchar(255) | varchar(255) | The application name. You can look the application up under UTM > Application Control > Application List on the FortiGate unit, then select the name shown in this field to go to more detailed information in the FortiGuard Encyclopedia.
action | varchar(255) | varchar(255) | The action the FortiGate unit took for this session or packet. This field is an enum, and can be one of: pass, block, monitor, kickout, encrypt-kickout, reject
count | bigint default 0 | int unsigned default 0 | Total number of blocked applications.
filename | varchar(255) | varchar(255) | The file name associated with the blocked application.
filesize | bigint default 0 | int unsigned default 0 | The size of the file.
message | varchar(255) | varchar(255) | The blocked message of chat applications.
content | varchar(255) | varchar(255) | Content of the blocked applications.
reason | varchar(255) | varchar(255) | The reason why the log was recorded. This field is an enum, and can be one of: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, exceed-rate
req | varchar(255) | varchar(255) | Request.
phone | varchar(255) | varchar(255) | Phone number of the blocked application.
msg | varchar(255) | varchar(255) | Explains why the log was recorded.
attack_id | bigint default 0 | int unsigned default 0 | Attack ID.
Attack log fields
The table below lists the fields defined in attack log tables (type alog).
Table 27: Attack log fields
Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For attack logs, this field can be: detected, dropped, reset, reset_client, reset_server, drop_session, pass_session, clear_session
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
attack_id | bigint default 0 | int unsigned default 0 | The identification number of the attack log message.
severity | varchar(255) | varchar(255) | The specified severity level of the attack. This field is an enum, and can have one of the following values: info, low, medium, high, critical
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification, for example the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
sensor | varchar(255) | varchar(255) | The DLP sensor that was used.
icmp_id | varchar(255) | varchar(255) | The Internet Control Message Protocol (ICMP) message ID (returned for ECHO REPLY).
icmp_type | varchar(255) | varchar(255) | The ICMP message type.
icmp_code | varchar(255) | varchar(255) | The ICMP message code.
proto | smallint default 0 | tinyint unsigned default 0 | The protocol of the event.
ref | varchar(255) | varchar(255) | A reference URL to the FortiGuard IPS database for more information about the attack.
count | bigint default 0 | int unsigned default 0 | The number of times the attack was detected within a short period of time. This is useful when the attacks are DoS attacks.
incident_serialno | bigint default 0 | int unsigned default 0 | The unique ID for this attack, used to cross-reference IPS packet logs.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded, for example that an attack occurred that could have caused a system crash.
DLP archive / content log fields
The table below lists the fields defined in DLP archive / content log tables (type clog).
Table 28: DLP archive/content log fields
Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred.
clogver | smallint default 0 | tinyint unsigned default 0 | The version of the content log.
epoch | bigint default 0 | int unsigned default 0 | The unique number for each archive. It is used for cross-reference purposes.
eventid | bigint default 0 | int unsigned default 0 | The ID of the archive event.
SN | bigint default 0 | int unsigned default 0 | The session number.
endpoint | varchar(255) | varchar(255) | The ID of the endpoint, such as MSISDN or account ID.
client | varchar(40) | varchar(40) | The IP address of the client.
server | varchar(40) | varchar(40) | The IP address of the server.
laddr | varchar(40) | varchar(40) | The local IP address.
raddr | varchar(40) | varchar(40) | The remote IP address.
cstatus | varchar(255) | varchar(255) | The cstatus field can be any one of the following: clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter (FortiOS Carrier only), mass_mms (FortiOS Carrier only), dlp, fragmented, spam, im_summary, im-message, im_file_request (a file transfer was requested), im_file_accept (a file was accepted), im_file_cancel, im_voice (an IM voice chat), im_photo_share_request (a photo was shared), im_photo_share_cancel, im_photo_share_stop, im_photo_xfer (a photo was transferred during the chat), voip, error
infection | varchar(255) | varchar(255) | The infection type. This field is an enum, and can be one of the following: bblock, fileexempt, file intercept, mms block, carrier end point filter, mms flood, mms duplicate, virus, virusrm, heuristic, html script, script filter, banned word, exempt word, oversize, worm, mime block, fragmented, exempt, ip blacklist, dnsbl, FortiGuard - AntiSpam ip blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard - AntiSpam ase block, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, dlpban, pass, mms content checksum
virus | varchar(255) | varchar(255) | The virus name.
rcvd | bigint default 0 | int unsigned default 0 | The number of bytes that were received from the client.
sent | bigint default 0 | int unsigned default 0 | The number of bytes that were received from the server.
method | varchar(255) | varchar(255) | The type of HTTP command used, for example GET.
url | varchar(255) | varchar(255) | The URL of the web site that was accessed.
cat | varchar(255) | varchar(255) | The http/https category.
cat_desc | varchar(255) | varchar(255) | The http/https category description.
to | varchar(255) | varchar(255) | To.
from | varchar(255) | varchar(255) | From.
subject | varchar(255) | varchar(255) | Subject.
direction | varchar(255) | varchar(255) | Incoming or outgoing.
attachment | smallint default 0 | tinyint unsigned default 0 | Mail attachment present.
ftpcmd | varchar(255) | varchar(255) | The FTP command. This field is an enum and can be one of: NONE, USER, PASS, ACCT, STOR, RETR, QUIT
file | varchar(255) | varchar(255) | The archive file name.
local | varchar(255) | varchar(255) | The local user.
remote | varchar(255) | varchar(255) | The remote user.
proto | varchar(255) | varchar(255) | The protocol.
kind | varchar(255) | varchar(255) | The kind field can be any one of the following: summary, chat, file (a file was transferred), photo (photo sharing), photo-xref (a photo was transferred), audio (a voice chat), oversize (an oversized file), fileblock (a file was blocked), fileexempt, virus, dlp, call-block (SIP call blocked), call-info (SIP call information), call (SIP call), register (SIP register), unregister (SIP unregister)
action | varchar(255) | varchar(255) | The action.
dir | varchar(255) | varchar(255) | The direction, either "inbound" or "outbound".
messages | bigint default 0 | int unsigned default 0 | The message number.
start-date | varchar(255) | varchar(255) | The local start date.
end-date | varchar(255) | varchar(255) | The local end date.
content | varchar(255) | varchar(255) | IM chat content.
filename | varchar(255) | varchar(255) | File name.
filesize | bigint default 0 | int unsigned default 0 | File size.
message | varchar(255) | varchar(255) | Message.
conn-mode | varchar(255) | varchar(255) | Connection mode.
heuristic | varchar(255) | varchar(255) | Heuristic.
duration | bigint default 0 | int unsigned default 0 | The duration of the session.
reason | varchar(255) | varchar(255) | The reason.
phone | varchar(255) | varchar(255) | Phone number.
dlp_sensor | varchar(255) | varchar(255) | DLP sensor.
message_type | varchar(255) | varchar(255) | The message type. This field is an enum, and can be one of: request, response
request_name | varchar(255) | varchar(255) | Request name.
malform_desc | varchar(255) | varchar(255) | Malformed content description. This field is an enum, and can be one of the values listed in Table 29 on page 320.
malform_data | bigint default 0 | int unsigned default 0 | Malformed data.
line | varchar(255) | varchar(255) | Line.
column | bigint default 0 | int unsigned default 0 | Column.
Table 29: Values for malform_desc
<att-field>-expected
<att-value>-expected
<bandwidth>-expected
<bwtype>-expected
<callid>-expected
<CSeq-num>-expected
<delta-seconds>-expected
<encoding-name>-expected-in-rtpmap
<fmt>-expected
<gen-value>-expected
<generic-param>-with-invalid-<gen-value>
<integer>-expected
<m-attribute>-expected-after-SEMI
<m-subtype>-expected
<m-type>-expected
<media>-expected
<method>-does-not-match-the-request-line
<method>-expected
<Method>-expected-after-<CSeq-num>
<payload-type>-expected-in-rtpmap
<proto>-expected
<repeat-interval>-expected
<response-num>-expected
<seq>-number-expected
<sess-id>-expected
<sess-version>-expected
<text>-expected
<time>-expected
<token>-expected-in-<proto>-after-slash
<typed-time>-expected
<username>-expected
<word>-expected
boundary-parameter-appears-more-than-once
colon-expected
digits-expected
domain-label-oversize
domain-name-invalid
domain-name-oversize
duplicated-sip-header
empty-quoted-string
end-of-line-error
EQUAL-expected-after-<m-attribute>
expires-header-repeated
header-line-oversize
header-parameter-expected
IN-expected
invalid-<clock-rate>-in-rtpmap
invalid-<encoding-parameters>-in-rtpmap
invalid-<gen-value>
invalid-<m-value>
invalid-<protocol-name>
invalid-<protocol-version>
invalid-<quoted-string>-in-<gen-value>
invalid-<quoted-string>-in-<m-value>
invalid-<SIP-Version>-on-request-line
invalid-<start-time>
invalid-<stop-time>
invalid-<transport>
invalid-<userinfo>
invalid-branch-parameter
invalid-candidate-line
invalid-escape-encoding-in-<reason-phrase>
invalid-escape-encoding-in-<userinfo>
invalid-escape-encoding-in-uri-header
invalid-escape-encoding-in-uri-parameter
invalid-expires-parameter
invalid-fqdn
invalid-ipv4-address
invalid-ipv6-address
invalid-maddr-parameter
invalid-max-forwards
invalid-method-uri-parameter
invalid-port
invalid-port-after-ip-address-in-alt-line
invalid-port-after-ip-address-in-candidate-line
invalid-port-in-rtcp-line
invalid-q-parameter
invalid-quoted-string-in-display-name
invalid-quoting-character
invalid-received-parameter
invalid-rport-parameter
invalid-status-code
invalid-tag-parameter
invalid-transport-uri-parameter
invalid-ttl-parameter
invalid-ttl-uri-parameter
invalid-uri-header-name
invalid-uri-header-name-value-pair
invalid-uri-header-value
invalid-uri-parameter-pname
invalid-uri-parameter-value
invalid-user-uri-parameter
IP-expected
IP4-or-IP6-expected
ipv4-address-expected
IPv4-or-IPv6-address-expected
ipv6-address-expected
left-angle-bracket-is-mandatory
line-order-error
LWS-expected
missing-mandatory-field
msg-body-oversize
multipart-Content-Type-has-no-boundary
no-matching-double-quote
no-METHOD-on-request-line
no-SLASH-after-<protocol-name>
no-SLASH-after-<protocol-version>
no-tag-parameter
o-line-not-allowed-on-media-level
port-expected
port-not-allowed
r-line-not-allowed-on-media-level
right-angle-bracket-not-found
s-line-not-allowed-on-media-level
sdp-alt-line-before-m-line
sdp-candidate-line-before-m-line
sdp-invalid-alt-line
sdp-rtcp-line-before-m-line
sdp-v-o-s-t-lines-are-mandatory
sip-udp-message-truncated
sip-Yahoo-candidate-invalid-protocol
slash-expected-after-<encoding-name>-in-rtpmap
SLASH-expected-after-<m-type>
space-violation
syntax-malformed
t-line-not-allowed-on-media-level
token-expected
too-many-c-lines
too-many-candidate-lines
too-many-i-lines
too-many-m-lines
too-many-o-lines
too-many-rtcp-lines
too-many-s-lines
too-many-v-line
trailing-bytes
unexpected-character
unknown-header
unknown-scheme
uri-expected
uri-parameter-repeat
uri-parameters-not-allowed-by-RFC
v-line-not-allowed-on-media-level
via-parameter-repeat
whitespace-expected
z-line-not-allowed-on-media-level
Querying FortiAnalyzer SQL log databases Appendix C
FortiAnalyzer v4.0 MR3 Patch Release 2 Administration Guide
322 05-432-164257-20120229
http://docs.fortinet.com/ Feedback
Data Leak Prevention log fields
The table below lists the fields defined in data leak prevention log tables (type dlog).
Table 30: DLP log fields
Field | Type (PostgreSQL) | Type (MySQL) | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For DLP logs, this field can be: detected, blocked.
service | varchar(255) | varchar(255) | The service where the activity or event occurred. For DLP logs, this field is an enum and can have one of the following values: http, https, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, nntp, im, smtps, pop3s, imaps.
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
sport | int default 0 | smallint unsigned default 0 | The source port.
dport | int default 0 | smallint unsigned default 0 | The destination port.
hostname | varchar(255) | varchar(255) | The host name or IP address.
url | varchar(255) | varchar(255) | The URL of the web site that was visited.
from | varchar(255) | varchar(255) | The sender's email address.
to | varchar(255) | varchar(255) | The receiver's email address.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded.
rulename | varchar(255) | varchar(255) | The name of the rule within the DLP sensor.
compoundname | varchar(255) | varchar(255) | The compound name.
action | varchar(255) | varchar(255) | The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only. This field is an enum and can have one of the following values: log-only, block, exempt, ban, ban sender, quarantine ip, quarantine interface.
severity | smallint default 0 | tinyint unsigned default 0 | The level of severity for the specified rule.

Email filter log fields
The table below lists the fields defined in email filter log tables (type slog).
Table 31: Email filter log fields
Field | Type (PostgreSQL) | Type (MySQL) | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For email filter logs, this field can be: exempted, blocked, detected.
service | varchar(255) | varchar(255) | The service where the activity or event occurred. For DLP logs, this field is an enum and can have one of the following values: http, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, im, nntp, https, smtps, imaps, pop3s.
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
sport | int default 0 | smallint unsigned default 0 | The source port.
dport | int default 0 | smallint unsigned default 0 | The destination port.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
from | varchar(255) | varchar(255) | The sender's email address.
to | varchar(255) | varchar(255) | The receiver's email address.
banword | varchar(255) | varchar(255) | The name of the Banned Word policy.
tracker | varchar(255) | varchar(255) | Tracker.
dir | varchar(255) | varchar(255) | The email direction. This field is an enum and can have one of the following values: tx, rx.
agent | varchar(255) | varchar(255) | This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. In this example, the sender's email address is in the blacklist and matches the fourth email address in that list.

Event log fields
The table below lists the fields defined in event log tables (type elog).
Table 32: Event log fields
Field | Type (PostgreSQL) | Type (MySQL) | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For event logs, the possible values of this field depend on the subcategory. Subcategory ipsec: success, failure, negotiate_error, esp_error, dpd_failure. Subcategory voip: start, end, timeout, blocked, succeeded, failed, authentication-required. Subcategory gtp: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded.
ssid | varchar(255) | varchar(255) | The service set identifier.
action | varchar(255) | varchar(255) | The action the FortiGate unit should take for this firewall policy. For event logs, the possible values of this field depend on the subcategory of the event. Subcategory ipsec: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down. Subcategory nac-quarantine: ban-ip, ban-interface, ban-src-dst-ip. Subcategory sslvpn-user: tunnel-up, tunnel-down, ssl-login-fail. Subcategory sslvpn-admin: info. Subcategory sslvpn-session: tunnel-stats, ssl-web-deny, ssl-web-pass, ssl-web-timeout, ssl-web-close, ssl-sys-busy, ssl-cert, ssl-new-con, ssl-alert, ssl-exit-fail, ssl-exit-error, tunnel-up, tunnel-down, tunnel-stats, ssl-tunnel-unknown-tag, ssl-tunnel-error. Subcategory voip: permit, block, monitor, kickout, encrypt-kickout, cm-reject, exempt, ban, ban-user, log-only. Subcategory his-performance: perf-stats.
session_id | bigint default 0 | int unsigned default 0 | The session ID.
count | bigint default 0 | int unsigned default 0 | The number of dropped SIP packets.
proto | varchar(255) | varchar(255) | The protocol.
cpu | smallint default 0 | tinyint unsigned default 0 | The CPU usage, for performance.
epoch | bigint default 0 | int unsigned default 0 | The unique number for each archive. It is used for cross-reference purposes.
mem | smallint default 0 | tinyint unsigned default 0 | The memory usage, for performance.
duration | bigint default 0 | int unsigned default 0 | The duration of the interval for item counts (such as infected, scanned, etc.) in this log entry.
infected | bigint default 0 | int unsigned default 0 | The number of infected messages.
from | varchar(255) | varchar(255) | Source IP address.
ha_group | smallint default 0 | tinyint unsigned default 0 | High availability group.
tunnel_id | bigint default 0 | int unsigned default 0 | Tunnel ID.
bssid | varchar(255) | varchar(255) | The basic service set identifier.
tunnel_type | varchar(255) | varchar(255) | Tunnel type.
event_id | bigint default 0 | int unsigned default 0 | Event ID.
ip | varchar(40) | varchar(40) | IP address.
ha_role | varchar(255) | varchar(255) | High availability role.
rem_ip | varchar(40) | varchar(40) | Remote IP (used in ipsec subcategory logs).
suspicious | bigint default 0 | int unsigned default 0 | The number of suspicious messages.
sn | varchar(255) | varchar(255) | Serial number of the event.
to | varchar(255) | varchar(255) | Destination IP address.
total_session | bigint default 0 | int unsigned default 0 | Total IP sessions.
ap | varchar(255) | varchar(255) | The physical AP name.
scanned | bigint default 0 | int unsigned default 0 | The number of scanned messages.
vcluster | bigint default 0 | int unsigned default 0 | Virtual cluster.
remote_ip | varchar(40) | varchar(40) | Remote IP (used in sslvpn-* subcategory logs).
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
imsi | varchar(255) | varchar(255) | An International Mobile Subscriber Identity or IMSI is a unique number associated with all GSM and UMTS network mobile phone users.
loc_ip | varchar(40) | varchar(40) | Local IP.
from_vcluster | bigint default 0 | int unsigned default 0 | From virtual cluster.
rem_port | int default 0 | smallint unsigned default 0 | Remote port.
msisdn | varchar(255) | varchar(255) | The MSISDN of the carrier endpoint.
tunnel_ip | varchar(40) | varchar(40) | Tunnel IP.
intercepted | bigint default 0 | int unsigned default 0 | The number of intercepted messages.
vap | varchar(255) | varchar(255) | The virtual AP name.
apn | varchar(255) | varchar(255) | The access point name.
out_intf | varchar(255) | varchar(255) | The out interface.
blocked | bigint default 0 | int unsigned default 0 | The number of blocked messages.
mac | varchar(255) | varchar(255) | MAC address.
to_vcluster | bigint default 0 | int unsigned default 0 | To virtual cluster.
acct_stat | varchar(255) | varchar(255) | The accounting state. This field is an enum and can have one of the following values: Start, Stop, Interim-Update, Accounting-On, Accounting-Off.
selection | varchar(255) | varchar(255) | The selection. This field is an enum and can have one of the following values: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf.
reason | varchar(255) | varchar(255) | The reason this log was generated.
rate | smallint default 0 | tinyint unsigned default 0 | Traffic rate.
loc_port | int default 0 | smallint unsigned default 0 | Local port.
vcluster_member | bigint default 0 | int unsigned default 0 | Virtual cluster member.
vcluster_state | varchar(255) | varchar(255) | Virtual cluster state.
app-type | varchar(255) | varchar(255) | Application type.
nsapi | smallint default 0 | tinyint unsigned default 0 | Network Service Access Point Identifier, an identifier used in cellular data networks.
dport | int default 0 | smallint unsigned default 0 | Destination port.
channel | smallint default 0 | tinyint unsigned default 0 | Channel.
cookies | varchar(255) | varchar(255) | Cookies.
checksum | bigint default 0 | int unsigned default 0 | The number of content checksum blocked messages.
dst_host | varchar(255) | varchar(255) | Destination host name or IP.
nf_type | varchar(255) | varchar(255) | The notification type. This field is an enum and can have one of the following values: bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus.
vdname | varchar(255) | varchar(255) | The VDOM name.
linked-nsapi | smallint default 0 | tinyint unsigned default 0 | Linked Network Service Access Point Identifier.
next_stats | bigint default 0 | int unsigned default 0 | Next statistics.
virus | varchar(255) | varchar(255) | Virus name.
imei-sv | varchar(255) | varchar(255) | International Mobile Equipment Identity or IMEI is a number, usually unique, that identifies GSM, WCDMA, and iDEN mobile phones, as well as some satellite phones.
devintfname | varchar(255) | varchar(255) | The device interface name.
security | varchar(255) | varchar(255) | The wireless security. This field is an enum and can have one of the following values: open, wep64, wep128, wpa-psk, wpa-radius, wpa, wpa2, wpa2-auto.
policy_id | bigint default 0 | int unsigned default 0 | The policy ID that triggered this log.
rai | varchar(255) | varchar(255) | Routing Area Identification.
hostname | varchar(255) | varchar(255) | The host name or IP.
xauth_user | varchar(255) | varchar(255) | Authenticated user name.
uli | varchar(255) | varchar(255) | User Location Information.
xauth_group | varchar(255) | varchar(255) | Authenticated user group.
sent | numeric(20) default 0 | bigint unsigned default 0 | Number of bytes sent.
rcvd | numeric(20) default 0 | bigint unsigned default 0 | Number of bytes received.
sess_duration | bigint default 0 | int unsigned default 0 | The duration of the session.
hbdn_reason | varchar(255) | varchar(255) | Heartbeat down reason. This field is an enum and can have one of the following values: linkfail, neighbor-info-lost.
banned_src | varchar(255) | varchar(255) | Banned source. This field is an enum and can have one of the following values: ips, dos, dlp-rule, dlp-compound, av.
end-usr-address | varchar(40) | varchar(40) | End user address.
msg-type | smallint default 0 | tinyint unsigned default 0 | Message type.
sync_type | varchar(255) | varchar(255) | Synchronization type. This field is an enum and can have one of the following values: configurations, external-files.
banned_rule | varchar(255) | varchar(255) | Banned rule / reason.
vpn_tunnel | varchar(255) | varchar(255) | VPN tunnel.
sync_status | varchar(255) | varchar(255) | Synchronization status. This field is an enum and can have one of the following values: out-of-sync, in-sync.
alert | varchar(255) | varchar(255) | Alert.
sensor | varchar(255) | varchar(255) | Sensor name.
endpoint | varchar(255) | varchar(255) | The endpoint.
stage | smallint default 0 | tinyint unsigned default 0 | Stage.
voip_proto | varchar(255) | varchar(255) | This field is an enum and can have one of the following values: sip, sccp.
deny_cause | varchar(255) | varchar(255) | This field is an enum and can have one of the following values: packet-sanity, invalid-reserved-field, reserved-msg, out-state-msg, reserved-ie, out-state-ie, invalid-msg-length, invalid-ie-length, miss-mandatory-ie, ip-policy, non-ip-policy, sgsn-not-authorized, sgsn-no-handover, ggsn-not-authorized, invalid-seq-num, msg-filter, apn-filter, imsi-filter, adv-policy-filter.
desc | varchar(255) | varchar(255) | Description.
dir | varchar(255) | varchar(255) | Direction (inbound or outbound).
kind | varchar(255) | varchar(255) | This field is an enum and can have one of the following values: register, unregister, call, call-info, call-block.
init | varchar(255) | varchar(255) | This field is an enum and can have one of the following values: local, remote.
mode | varchar(255) | varchar(255) | This field is an enum and can have one of the following values: aggressive, main, quick, xauth, xauth_client.
cert-type | varchar(255) | varchar(255) | Certificate type. This field is an enum and can have one of the following values: CA, CRL, Local, Remote.
ui | varchar(255) | varchar(255) | User interface.
exch | varchar(255) | varchar(255) | This field is an enum and can have one of the following values: NSA_INIT, AUTH, CREATE_CHILD.
rat-type | varchar(255) | varchar(255) | This field is an enum and can have one of the following values: utran, geran, wlan, gan, hspa.
error_num | varchar(255) | varchar(255) | This field is an enum and can have one of the following values: Invalid ESP packet detected.; Invalid ESP packet detected (HMAC validation failed).; Invalid ESP packet detected (invalid padding).; Invalid ESP packet detected (invalid padding length).; Invalid ESP packet detected (replayed packet).; Received ESP packet with unknown SPI.
method | varchar(255) | varchar(255) | The method.
phase2_name | varchar(255) | varchar(255) | IPSec VPN Phase 2 name.
spi | varchar(255) | varchar(255) | IPSec VPN SPI.
c-sgsn | varchar(40) | varchar(40) | SGSN IP address for GTP signalling.
request_name | varchar(255) | varchar(255) | Request name.
seq | varchar(255) | varchar(255) | Sequence number.
c-ggsn | varchar(40) | varchar(40) | GGSN IP address for GTP signalling.
in_spi | varchar(255) | varchar(255) | Remote SPI in IPSec VPN configuration.
u-sgsn | varchar(40) | varchar(40) | SGSN IP address for GTP user traffic.
out_spi | varchar(255) | varchar(255) | Local SPI in IPSec VPN configuration.
u-ggsn | varchar(40) | varchar(40) | GGSN IP address for GTP user traffic.
c-sgsn-teid | bigint default 0 | int unsigned default 0 | SGSN TEID (Tunnel endpoint identifier) for signalling.
enc_spi | varchar(255) | varchar(255) | Encryption SPI in IPSec VPN.
c-ggsn-teid | bigint default 0 | int unsigned default 0 | GGSN TEID for signalling.
dec_spi | varchar(255) | varchar(255) | Decryption SPI in IPSec VPN.
message_type | varchar(255) | varchar(255) | Message type. This field is an enum and can have one of the following values: request, response.
malform_desc | varchar(255) | varchar(255) | Malformed description. This field is an enum. See Malform Description Values on page 335 for possible values.
tunnel | varchar(255) | varchar(255) | Tunnel name.
u-sgsn-teid | bigint default 0 | int unsigned default 0 | SGSN TEID for user traffic.
u-ggsn-teid | bigint default 0 | int unsigned default 0 | GGSN TEID for user traffic.
malform_data | bigint default 0 | int unsigned default 0 | Malformed data.
tunnel-idx | bigint default 0 | int unsigned default 0 | VPN tunnel index.
line | varchar(255) | varchar(255) | The content of the malformed SIP line.
column | bigint default 0 | int unsigned default 0 | The syntax error point in the SIP line.
c-pkts | numeric(20) default 0 | bigint unsigned default 0 | Number of packets for signalling.
phone | varchar(255) | varchar(255) | SCCP phone device name.
profile_group | varchar(255) | varchar(255) | Profile group name.
c-bytes | numeric(20) default 0 | bigint unsigned default 0 | Number of bytes for signalling.
u-pkts | numeric(20) default 0 | bigint unsigned default 0 | Number of packets used for traffic.
profile_type | varchar(255) | varchar(255) | Profile type.
u-bytes | numeric(20) default 0 | bigint unsigned default 0 | Number of bytes used for traffic.
next_stat | bigint default 0 | int unsigned default 0 | Next stat.
user_data | varchar(255) | varchar(255) | User data.
role | varchar(255) | varchar(255) | This field is an enum and can have one of the following values: responder, initiator.
result | varchar(255) | varchar(255) | This field is an enum and can have one of the following values: ERROR, OK, DONE, PENDING.
xauth_result | varchar(255) | varchar(255) | Authorization result. This field is an enum and can have one of the following values: XAUTH authentication successful; XAUTH authentication failed.
esp_transform | varchar(255) | varchar(255) | ESP Transform. This field is an enum and can have one of the following values: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES.
esp_auth | varchar(255) | varchar(255) | ESP Authorization. This field is an enum and can have one of the following values: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256.
error_reason | varchar(255) | varchar(255) | Text explanation for the error. This field is an enum and can have one of the following values: invalid certificate; invalid SA payload; probable pre-shared key mismatch; peer SA proposal not match local policy; peer notification; not enough key material for tunnel; encapsulation mode mismatch; no matching gateway for new request; aggressive vs main mode mismatch for new request.
peer_notif | varchar(255) | varchar(255) | Peer Notification. This field is an enum and can have one of the following values: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT, RETRY-LIMIT-REACHED.
Malform Description Values
unexpected-character
invalid-quoting-character
trailing-bytes
header-line-oversize
msg-body-oversize
domain-name-oversize
domain-label-oversize
syntax-malformed
duplicated-sip-header
space-violation
invalid-ipv4-address
invalid-ipv6-address
invalid-port
invalid-fqdn
no-matching-double-quote
empty-quoted-string
invalid-<userinfo>
invalid-escape-encoding-in-<userinfo>
invalid-escape-encoding-in-uri-parameter
invalid-escape-encoding-in-uri-header
invalid-escape-encoding-in-<reason-phrase>
port-expected
port-not-allowed
domain-name-invalid
<gen-value>-expected
invalid-<gen-value>
invalid-<quoted-string>-in-<gen-value>
ipv4-address-expected
ipv6-address-expected
uri-expected
invalid-transport-uri-parameter
invalid-user-uri-parameter
invalid-method-uri-parameter
invalid-ttl-uri-parameter
invalid-uri-parameter-pname
invalid-uri-parameter-value
uri-parameter-repeat
invalid-uri-header-name
invalid-uri-header-value
invalid-uri-header-name-value-pair
invalid-quoted-string-in-display-name
left-angle-bracket-is-mandatory
right-angle-bracket-not-found
invalid-status-code
no-METHOD-on-request-line
uri-parameters-not-allowed-by-RFC
unknown-scheme
whitespace-expected
LWS-expected
invalid-<SIP-Version>-on-request-line
invalid-<protocol-name>
invalid-<protocol-version>
invalid-<transport>
no-SLASH-after-<protocol-name>
no-SLASH-after-<protocol-version>
header-parameter-expected
invalid-ttl-parameter
invalid-maddr-parameter
invalid-received-parameter
invalid-branch-parameter
invalid-rport-parameter
via-parameter-repeat
<seq>-number-expected
<method>-expected
<method>-does-not-match-the-request-line
<response-num>-expected
<CSeq-num>-expected
<Method>-expected-after-<CSeq-num>
expires-header-repeated
<delta-seconds>-expected
invalid-max-forwards
token-expected
invalid-expires-parameter
invalid-q-parameter
<generic-param>-with-invalid-<gen-value>
<m-type>-expected
SLASH-expected-after-<m-type>
<m-subtype>-expected
<m-attribute>-expected-after-SEMI
boundary-parameter-appears-more-than-once
EQUAL-expected-after-<m-attribute>
invalid-<quoted-string>-in-<m-value>
invalid-<m-value>
multipart-Content-Type-has-no-boundary
digits-expected
IN-expected
IP-expected
IP4-or-IP6-expected
IPv4-or-IPv6-address-expected
line-order-error
z-line-not-allowed-on-media-level
<time>-expected
<typed-time>-expected
r-line-not-allowed-on-media-level
<repeat-interval>-expected
<bwtype>-execpted
colon-expected
<bandwidth>-expected
t-line-not-allowed-on-media-level
invalid-<start-time>
invalid-<stop-time>
too-many-i-lines
<text>-expected
too-many-c-lines
too-many-v-line
v-line-not-allowed-on-media-level
too-many-o-lines
o-line-not-allowed-on-media-level
<username>-expected
<sess-id>-expected
<sess-version>-expected
too-many-s-lines
s-line-not-allowed-on-media-level
too-many-m-lines
<media>-expected
<integer>-expected
<proto>-expected
<token>-expected-in-<proto>-after-slash
<fmt>-expected
<att-field>-expected
<att-value>-expected
<payload-type>-expected-in-rtpmap
<encoding-name>-expected-in-rtpmap
slash-expected-after-<encoding-name>-in-rtpmap
invalid-<clock-rate>-in-rtpmap
invalid-<encoding-parameters>-in-rtpmap
invalid-candidate-line
sdp-candidate-line-before-m-line
sip-Yahoo-candidate-invalid-protocol
invalid-port-after-ip-address-in-candidate-line
too-many-candidate-lines
sdp-invalid-alt-line
sdp-alt-line-before-m-line
invalid-port-after-ip-address-in-alt-line
sdp-rtcp-line-before-m-line
invalid-port-in-rtcp-line
too-many-rtcp-lines
<callid>-expected
<word>-expected
invalid-tag-parameter
no-tag-parameter
sdp-v-o-s-t-lines-are-mandatory
unknown-header
end-of-line-error
sip-udp-message-truncated
missing-mandatory-field
Traffic log fields
The table below lists the fields defined in traffic log tables (type tlog).
Table 33: Traffic log fields
Field | Type (PostgreSQL) | Type (MySQL) | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For traffic logs, this field can be: accept, deny, start.
dir_disp | varchar(255) | varchar(255) | The direction of the session. Org displays if a session is not a child session or the child session originated in the same direction as the master session. Reply displays if a different direction is taken from the master session.
tran_disp | varchar(255) | varchar(255) | Whether the packet is source NAT translated or destination NAT translated. This field is an enum and can have one of the following values: noop, snat, dnat.
srcname | varchar(255) | varchar(255) | The source name or IP address.
dstname | varchar(255) | varchar(255) | The destination name or IP address.
tran_ip | varchar(40) | varchar(40) | The translated IP in NAT mode. For transparent mode, it is 0.0.0.0.
tran_port | int default 0 | smallint unsigned default 0 | The translated port number in NAT mode. For transparent mode, it is zero (0).
proto | int default 0 | smallint unsigned default 0 | The protocol that applies to the session or packet: the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type | varchar(255) | varchar(255) | The application or program used. This field is an enum and can have one of the following values: N/A, BitTorrent, eDonkey, Gnutella, KaZaa, Skype, WinNY, AIM, ICQ, MSN, YAHOO.
duration | bigint default 0 | int unsigned default 0 | The duration, in seconds.
rule | bigint default 0 | int unsigned default 0 | The rule number.
sent | bigint default 0 | int unsigned default 0 | The total number of bytes sent.
rcvd | bigint default 0 | int unsigned default 0 | The total number of bytes received.
sent_pkt | bigint default 0 | int unsigned default 0 | The total number of packets sent during the session.
rcvd_pkt | bigint default 0 | int unsigned default 0 | The total number of packets received during the session.
vpn | varchar(255) | varchar(255) | The name of the VPN tunnel used by the traffic.
SN | bigint default 0 | int unsigned default 0 | The serial number of the log message.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
wanopt_app_type | varchar(255) | varchar(255) | The type of WAN optimization that was used. This field is an enum and can have one of the following values: web-cache, cifs, tcp, ftp, mapi, http.
wan_in | bigint default 0 | int unsigned default 0 | This field always displays WAN in.
wan_out | bigint default 0 | int unsigned default 0 | This field always displays WAN out.
lan_in | bigint default 0 | int unsigned default 0 | This field always displays LAN in.
lan_out | bigint default 0 | int unsigned default 0 | This field always displays LAN out.
app | varchar(255) | varchar(255) | The type of application. On the FortiGate unit, you can look the application type up in UTM > Application Control > Application List, and then select the name that is in the field to go to more detailed information on the FortiGuard Encyclopedia.
app_cat | varchar(255) | varchar(255) | The application category that the application is associated with.
shaper_drop_sent | bigint default 0 | int unsigned default 0 | The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd | bigint default 0 | int unsigned default 0 | The number of received traffic shaper bytes that were dropped.
perip_drop | bigint default 0 | int unsigned default 0 | The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name | varchar(255) | varchar(255) | The name of the traffic shaper sending the bytes.
shaper_rcvd_name | varchar(255) | varchar(255) | The name of the traffic shaper receiving the bytes.
perip_name | varchar(255) | varchar(255) | The name of the per-IP traffic shaper.

Antivirus log fields
The table below lists the fields defined in antivirus log tables (type vlog).
Table 34: Antivirus log fields
Field | Type (PostgreSQL) | Type (MySQL) | Description
status varchar(255) varchar(255) The status of the action the FortiGate unit took when the event occurred.
For antivirus logs, this field can be:
blocked
passthrough
monitored
msg varchar(255) varchar(255) Explains the activity or event that the FortiGate unit recorded. For
example, the file that was downloaded from the web site exceeded the
specified size limit.
Appendix C Querying FortiAnalyzer SQL log databases
FortiAnalyzer v4.0 MR3 Patch Release 2 Administration Guide
05-432-164257-20120229 341
http://docs.fortinet.com/ Feedback
sport int default 0 smallint
unsigned
default 0
The source port of where the traffic is originating from.
dport int default 0 smallint
unsigned
default 0
The destination port of where the traffic is going to.
serial bigint default 0 int unsigned
default 0
The serial number of the log message.
dir varchar(255) varchar(255) Direction
filefilter varchar(255) varchar(255) The file filter. This field is an enum, and can have one of the following
values:
none
file pattern
file type
Table 34. Antivirus log fields (Continued)
Querying FortiAnalyzer SQL log databases Appendix C
FortiAnalyzer v4.0 MR3 Patch Release 2 Administration Guide
342 05-432-164257-20120229
http://docs.fortinet.com/ Feedback
filetype | varchar(255) | varchar(255) | The file type. This field is an enum, and can have one of the following values: arj, cab, lzh, rar, tar, zip, bzip, gzip, bzip2, bat, msc, uue, mime, base64, binhex, com, elf, exe, hta, html, jad, class, cod, javascript, msoffice, fsg, upx, petite, aspack, prc, sis, hlp, activemime, jpeg, gif, tiff, png, bmp, ignored, unknown.
file | varchar(255) | varchar(255) | The file name.
checksum | varchar(255) | varchar(255) | The file checksum.
quarskip | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: No skip; No quarantine for HTTP GET file pattern block; No quarantine for oversized files; File was not quarantined.
virus | varchar(255) | varchar(255) | The virus name.
ref | varchar(255) | varchar(255) | The URL reference that gives more information about the virus. Entering the URL in your web browser's address bar takes you to the page that contains information about the virus.
url | varchar(255) | varchar(255) | The URL from which the file was acquired.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it displays the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
agent | varchar(255) | varchar(255) | This field is for FortiGate units running FortiOS Carrier. If FortiOS Carrier is not running on your FortiGate unit, this field always displays N/A.
from | varchar(255) | varchar(255) | The from email address.
to | varchar(255) | varchar(255) | The to email address.
command | varchar(255) | varchar(255) | Protocol-specific command, such as POST and GET for HTTP, or MODE and REST for FTP.
dtype | varchar(255) | varchar(255) | Detection type. Possible values: virus, grayware.
Web filter log fields
The table below lists the fields defined in web filter log tables (type wlog).
Table 35: Web filter log fields
Field | Type (PostgreSQL) | Type (MySQL) | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For web filter logs, this field can be: blocked, exempted, allowed, passthrough, filtered, DLP.
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
sport | int default 0 | smallint unsigned default 0 | The source port.
dport | int default 0 | smallint unsigned default 0 | The destination port.
hostname | varchar(255) | varchar(255) | The host name or IP.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it displays the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
req_type | varchar(255) | varchar(255) | The request type. This field is an enum, and can have one of the following values: direct, referral.
url | varchar(255) | varchar(255) | The URL.
msg | varchar(255) | varchar(255) | A text message explaining the log entry. For example, 'Message was blocked because it contained a banned word.'
dir | varchar(255) | varchar(255) | The direction.
agent | varchar(255) | varchar(255) | This field is for FortiGate units running FortiOS Carrier. If FortiOS Carrier is not running on your FortiGate unit, this field always displays N/A.
from | varchar(255) | varchar(255) | From.
to | varchar(255) | varchar(255) | To.
banword | varchar(255) | varchar(255) | The name of the banned word policy that triggered the log event.
error | varchar(255) | varchar(255) | The Web Filter error.
method | varchar(255) | varchar(255) | The HTTP method. This field is an enum, and can have one of the following values: ip, domain.
class | smallint default 0 | tinyint unsigned default 0 | Class.
class_desc | varchar(255) | varchar(255) | Class description.
cat | smallint default 0 | tinyint unsigned default 0 | Category.
cat_desc | varchar(255) | varchar(255) | Category description.
mode | varchar(255) | varchar(255) | The mode. Can be 'rule' or 'off-site'.
rule_type | varchar(255) | varchar(255) | Rule type. This field is an enum, and can have one of the following values: directory, domain, rating.
rule_data | varchar(255) | varchar(255) | Rule data.
ovrd_tbl | varchar(255) | varchar(255) | Override table.
ovrd_id | bigint default 0 | int unsigned default 0 | Override ID.
count | bigint default 0 | int unsigned default 0 | The number of scripts blocked by the script filter within the page.
url_type | varchar(255) | varchar(255) | URL type. This field is an enum, and can have one of the following values: http, https, ftp, telnet, mail.
urlfilter_idx | bigint default 0 | int unsigned default 0 | URL filter index.
urlfilter_list | varchar(255) | varchar(255) | URL filter list.
quota_exceeded | varchar(255) | varchar(255) | Quota exceeded. Can be 'yes' or 'no'.
quota_used | bigint default 0 | int unsigned default 0 | Quota time used (in seconds).
quota_max | bigint default 0 | int unsigned default 0 | Maximum quota time allowed (in seconds).
Netscan log fields
The table below lists the fields defined in vulnerability / netscan log tables (type nlog).
Table 36: Netscan log fields
Field | Type (PostgreSQL) | Type (MySQL) | Description
action | varchar(255) | varchar(255) | The nature of the event. This field is an enum, and can have one of the following values: scan, vuln-detection, host-detection, service-detection.
start | bigint default 0 | int unsigned default 0 | GMT epoch time the scan was started.
end | bigint default 0 | int unsigned default 0 | GMT epoch time the scan was ended.
engine | varchar(255) | varchar(255) | The netscan engine version.
plugin | varchar(255) | varchar(255) | The version of the netscan plugins.
ip | varchar(40) | varchar(40) | The IP of the scanned asset.
proto | varchar(255) | varchar(255) | The protocol. Can be: tcp, udp.
port | int default 0 | smallint unsigned default 0 | The port scanned.
vuln | varchar(255) | varchar(255) | The name of the vulnerability found.
vuln_cat | varchar(255) | varchar(255) | The category of the vulnerability found.
vuln_id | bigint default 0 | int unsigned default 0 | The ID of the vulnerability found.
vuln_ref | varchar(255) | varchar(255) | A link to the detected vulnerability in FortiGuard.
severity | varchar(255) | varchar(255) | The severity of the vulnerability. This field is an enum, and can have one of the following values: critical, high, medium, low, info.
os | varchar(255) | varchar(255) | The operating system of the scanned asset.
os_family | varchar(255) | varchar(255) | The family of the operating system on the scanned asset.
os_gen | varchar(255) | varchar(255) | The generation of the operating system on the scanned asset.
os_vendor | varchar(255) | varchar(255) | The vendor of the operating system on the scanned asset.
message | varchar(255) | varchar(255) | Informational message.
Examples
The following examples illustrate how to write custom datasets.
After you create the datasets, you can use them when you configure chart templates under Report > Advanced > Chart.
Figure 154: Adding a dataset to a chart template
Then you can add the chart template to a report when you create the new report under Report > Unclassified Reports. For more information, see Configuring report chart templates on page 205.
Figure 155: Adding a chart to a report
Note: On the FortiAnalyzer unit, datasets can be created via the CLI or the Web-based Manager.
Example 1: Distribution of applications by type
Figure 156: Creating a dataset
Web-based Manager procedure
1 Go to Report > Advanced > Dataset.
2 Click Create New to create a new dataset and enter a name (such as "apps_type").
3 Under Log Type($log), select Application Control.
4 Enter the query:
SELECT app_type, COUNT( * ) AS totalnum
FROM $log
AND app_type IS NOT NULL
GROUP BY app_type
ORDER BY totalnum DESC
CLI procedure
To perform the same task using the CLI, use these commands:
config sql-report dataset
  edit apps_type
    set device-type FortiGate
    set log-type app-ctrl
    set query "SELECT app_type, COUNT( * ) AS totalnum FROM $log AND app_type IS NOT NULL GROUP BY app_type ORDER BY totalnum DESC"
  end
Notes:
$log queries all application control logs.
The application control module classifies each firewall session in app_type. One firewall session may be classified into multiple app_types. For example, an HTTP session can be classified as HTTP, Facebook, and so on.
Some applications or app_types cannot be detected; the app_type field is then null or N/A. Such records are ignored by this query.
The result is ordered by the total number of sessions with the same app_type. The most frequent app_types appear first.
Example 2: Top 100 applications by bandwidth
Web-based Manager procedure
1 Go to Report > Advanced > Dataset.
2 Click Create New to create a new dataset and enter a name (such as "top_100_apps").
3 Under Log Type($log), select Traffic.
4 Enter the query:
SELECT app, service, SUM( sent + rcvd ) AS volume
FROM $log
AND app IS NOT NULL
GROUP BY app, service
ORDER BY volume DESC
LIMIT 100
CLI procedure
To perform the same task using the CLI, use these commands:
config sql-report dataset
  edit top_100_apps
    set device-type FortiGate
    set log-type traffic
    set query "SELECT app, service, SUM( sent + rcvd ) AS volume FROM $log AND app IS NOT NULL GROUP BY app, service ORDER BY volume DESC LIMIT 100"
  end
Notes:
SUM(sent + rcvd) AS volume - this calculates the total sent and received bytes.
GROUP BY app, service - every selected column that is not aggregated must appear in GROUP BY; PostgreSQL rejects the query otherwise.
ORDER BY volume DESC - this orders the results by descending volume (largest volume first).
LIMIT 100 - this lists only the top 100 applications.
Example 3: Top 10 attacks
Web-based Manager procedure
1 Go to Report > Advanced > Dataset.
2 Click Create New to create a new dataset and enter a name (such as "top_attacks").
3 Under Log Type($log), select Attack.
4 Enter the query:
SELECT attack_id, COUNT( * ) AS totalnum
FROM $log
AND attack_id IS NOT NULL
GROUP BY attack_id
ORDER BY totalnum DESC
LIMIT 10
CLI procedure
To perform the same task using the CLI, use these commands:
config sql-report dataset
  edit top_attacks
    set device-type FortiGate
    set log-type attack
    set query "SELECT attack_id, COUNT( * ) AS totalnum FROM $log AND attack_id IS NOT NULL GROUP BY attack_id ORDER BY totalnum DESC LIMIT 10"
  end
Notes:
The result is ordered by the total number of attacks with the same attack_id. The most frequent attack_ids appear first.
Example 4: Top WAN optimization applications
Web-based Manager procedure
1 Go to Report > Advanced > Dataset.
2 Click Create New to create a new dataset and enter a dataset name (such as "WAN_OPT").
3 Under Log Type($log), select Traffic.
4 Enter the query:
SELECT wanopt_app_type, SUM( wan_in + wan_out ) AS bandwidth
FROM $log
AND subtype = 'wanopt-traffic'
GROUP BY wanopt_app_type
ORDER BY SUM( wan_in + wan_out ) DESC
LIMIT 5
CLI procedure
To perform the same task using the CLI, use these commands:
config sql-report dataset
  edit WAN_OPT
    set device-type FortiGate
    set log-type traffic
    set query "SELECT wanopt_app_type, SUM( wan_in + wan_out ) AS bandwidth FROM $log AND subtype = 'wanopt-traffic' GROUP BY wanopt_app_type ORDER BY SUM( wan_in + wan_out ) DESC LIMIT 5"
  end
Notes:
The WAN optimization module logs the bandwidth of each application. All bandwidth data is logged in traffic logs; WAN optimization data has the subtype wanopt-traffic.
SUM(wan_in + wan_out) AS bandwidth - this calculates the total inbound and outbound traffic.
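The four dataset queries from Examples 1 to 4, run as an added example (not code from the guide) against a constructed SQLite copy of the log tables, so the aggregation can be checked before the dataset goes into a chart template. The expansion of $log into a table name plus a WHERE clause is an assumption about how FortiAnalyzer substitutes the macro (it is what lets the guide's queries continue with AND), the column set and all rows are constructed, and Example 2 appears in its corrected form with every selected column in GROUP BY.

```python
"""Run the custom-dataset queries against a constructed SQLite copy of the
FortiAnalyzer log tables (added example, not from the Administration Guide)."""
import sqlite3
from typing import List, Tuple

# Assumption (not stated on the page): FortiAnalyzer replaces $log with the log
# table plus a WHERE clause carrying its own device/time filter, which is why
# the dataset queries continue with AND rather than WHERE.  The filter text
# used here is an illustrative stand-in for that injected condition.
def expand_log(query: str, table: str, where: str = "1 = 1") -> str:
    return query.replace("$log", f"{table} WHERE {where}")

# The appendix's dataset queries, keyed by dataset name, with the log table
# each is written against.  top_100_apps lists every non-aggregated selected
# column in GROUP BY, so it is valid under PostgreSQL as well as MySQL.
DATASETS = {
    "apps_type": ("app_ctrl",
        "SELECT app_type, COUNT( * ) AS totalnum FROM $log "
        "AND app_type IS NOT NULL GROUP BY app_type ORDER BY totalnum DESC"),
    "top_100_apps": ("traffic",
        "SELECT app, service, SUM( sent + rcvd ) AS volume FROM $log "
        "AND app IS NOT NULL GROUP BY app, service ORDER BY volume DESC LIMIT 100"),
    "top_attacks": ("attack",
        "SELECT attack_id, COUNT( * ) AS totalnum FROM $log "
        "AND attack_id IS NOT NULL GROUP BY attack_id ORDER BY totalnum DESC LIMIT 10"),
    "WAN_OPT": ("traffic",
        "SELECT wanopt_app_type, SUM( wan_in + wan_out ) AS bandwidth FROM $log "
        "AND subtype = 'wanopt-traffic' GROUP BY wanopt_app_type "
        "ORDER BY SUM( wan_in + wan_out ) DESC LIMIT 5"),
}

# Minimal schemas holding only the columns the queries touch; the guide's field
# tables define many more.  'timestamp' stands in for the time column that the
# injected filter would use.
SCHEMA = """
CREATE TABLE app_ctrl (timestamp INTEGER, app_type TEXT);
CREATE TABLE traffic  (timestamp INTEGER, app TEXT, service TEXT, sent INTEGER,
                       rcvd INTEGER, subtype TEXT, wan_in INTEGER,
                       wan_out INTEGER, wanopt_app_type TEXT);
CREATE TABLE attack   (timestamp INTEGER, attack_id INTEGER);
"""

# Constructed sample rows (not real log data).  NULL app_type / app / attack_id
# rows model undetected sessions, which the IS NOT NULL clauses drop.
APP_CTRL_ROWS = [
    (1330200000, "HTTP"),      # older than the time filter used in main()
    (1330300800, "HTTP"), (1330300860, "Facebook"), (1330300920, "HTTP"),
    (1330300980, None), (1330301040, "P2P"), (1330301100, "HTTP"),
    (1330301160, "Facebook"),
]
TRAFFIC_ROWS = [
    # timestamp, app, service, sent, rcvd, subtype, wan_in, wan_out, wanopt_app_type
    (1330300800, "HTTP",  "tcp/80",  1000, 5000, "traffic",            0,    0, None),
    (1330300860, "HTTPS", "tcp/443", 2000, 9000, "traffic",            0,    0, None),
    (1330300920, "HTTP",  "tcp/80",   500, 1500, "traffic",            0,    0, None),
    (1330300980, None,    "udp/53",   100,  200, "traffic",            0,    0, None),
    (1330301040, "CIFS",  "tcp/445", 3000, 6000, "wanopt-traffic", 30000, 4000, "cifs"),
    (1330301100, "HTTP",  "tcp/80",   700,  800, "wanopt-traffic", 12000, 1500, "http"),
    (1330301160, "CIFS",  "tcp/445",  100,  100, "wanopt-traffic",  8000, 2000, "cifs"),
]
ATTACK_ROWS = [
    (1330300800, 101), (1330300860, 202), (1330300920, 101), (1330300980, None),
    (1330301040, 101), (1330301100, 202), (1330301160, 303),
]

def build_db() -> sqlite3.Connection:
    """Create the in-memory tables and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO app_ctrl VALUES (?, ?)", APP_CTRL_ROWS)
    con.executemany("INSERT INTO traffic VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
                    TRAFFIC_ROWS)
    con.executemany("INSERT INTO attack VALUES (?, ?)", ATTACK_ROWS)
    return con

def run_dataset(con: sqlite3.Connection, name: str,
                where: str = "1 = 1") -> List[Tuple]:
    """Expand $log for the dataset's log table and return the result rows."""
    table, query = DATASETS[name]
    return con.execute(expand_log(query, table, where)).fetchall()

if __name__ == "__main__":
    db = build_db()
    for dataset in DATASETS:
        print(dataset, run_dataset(db, dataset))
    # The same dataset with the kind of time filter FortiAnalyzer would inject.
    print("apps_type (filtered)",
          run_dataset(db, "apps_type", "timestamp >= 1330300800"))
```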
APPENDIX D
Port Numbers
The following tables describe the port numbers that the FortiAnalyzer unit uses:
ports for traffic originating from units (outbound ports)
ports for traffic receivable by units (listening ports)
ports used to connect to the FortiGuard Distribution Network (FDN ports)
Traffic varies by enabled options and configured ports. Only default ports are listed.
Table 37: FortiAnalyzer outbound ports
Functionality | Port(s)
DNS lookup | UDP 53
NTP synchronization | UDP 123
Windows share | UDP 137-138
SNMP traps | UDP 162
Syslog, log forwarding | UDP 514. Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, syslog traffic is sent through an IPsec tunnel, and data is exchanged over UDP 500/4500 and IP protocol 50.
Log and report upload | TCP 21 or TCP 22
SMTP alert email | TCP 25
User name LDAP queries for reports | TCP 389 or TCP 636
Vulnerability Management updates | TCP 443
RADIUS authentication | TCP 1812
TACACS+ authentication | TCP 49
Log aggregation client | TCP 3000
Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval) (OFTP) | TCP 514
Table 38: FortiAnalyzer listening ports
Functionality | Port(s)
Windows share | UDP 137-139 and TCP 445
Syslog, log forwarding | UDP 514. Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, syslog traffic is sent through an IPsec tunnel, and data is exchanged over UDP 500/4500 and IP protocol 50.
SSH administrative access to the CLI | TCP 22
Telnet administrative access to the CLI | TCP 23
HTTP administrative access to the Web-based Manager | TCP 80
HTTPS administrative access to the Web-based Manager; remote management from a FortiManager unit | TCP 443
Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval) (OFTP) | TCP 514
NFS share | TCP 2049
HTTP or HTTPS administrative access to the Web-based Manager's CLI dashboard widget. The protocol used matches the protocol used by the administrator when logging in to the Web-based Manager. | TCP 2032
Log aggregation server. Log aggregation server support requires model FortiAnalyzer-800 or greater. | TCP 3000
Remote management from a FortiManager unit (configuration installation) | TCP 8080
Remote MySQL database connection | TCP 3306
Table 39: FortiAnalyzer FDN ports
Functionality | Port(s)
Vulnerability Management updates | TCP 443
APPENDIX E
FortiAnalyzer Compatibility with ConnectWise
The FortiAnalyzer unit integrates with the ConnectWise Management Services Platform (MSP) by providing statistics from FortiGate logs and reports for the MSP's Executive Summary report. The statistics include:
Top 10 web sites
Top 10 intrusions prevented
Top 10 web filter categories
Total bandwidth usage
Total number of events
The Executive Summary provides important metrics from different solutions to generate informative reports for the end users. By connecting to the ConnectWise MSP, the FortiAnalyzer unit uploads reporting data each time it runs.
ConnectWise support is controlled through the CLI only. For more information, see the config connectwise report command in the FortiAnalyzer CLI Reference.
This section describes how to configure the ConnectWise server and the FortiAnalyzer unit to generate executive reports.
This process assumes that you have installed the ConnectWise server properly.
To set the integrator login and add a new Management IT
1 Log in to ConnectWise.
2 From the navigation pane, click Setup > Setup Tables.
Figure 157: ConnectWise setup tables
3 Search for and select Integrator Login.
Note: This configuration uses ConnectWise 2010. It might be different from your version.
Figure 158: ConnectWise Integrator login
4 In Enable Available APIs, select Managed Services API.
5 Click Save.
6 Search for and select Management IT and click Add New.
Figure 159: ConnectWise Management IT
Username | Enter the user name, such as UserName1.
Password | Enter the password, such as PassW1.
Name | Enter the name of the Management IT, such as FortiAnalyzer Central Office.
7 Click Save.
To configure the Management IT in the company record
1 Log in to ConnectWise.
2 From the navigation pane, click Contacts > Company.
3 Search for your company name.
Your company information must already have been set up before you log in to the ConnectWise server.
Figure 160: ConnectWise company information
4 Go to the Management tab.
5 Under Management Solutions, create a new management solution.
Management IT Solution | Select Custom.
Custom Solution Name | Enter the same name as the Management IT.
Company | Select your company name.
Solution | Select the name of the Management IT created in step 6 of the previous procedure, FortiAnalyzer Central Office/FortiAnalyzer Central Office.
Management ID | Enter a management ID, such as FAZCentralOfficeManagementID.
6 Click Save.
To add configurations for FortiGate units
1 Log in to ConnectWise.
2 From the navigation pane, click Contacts > Company.
3 Search for your company name.
Your company information must already have been set up before you log in to the ConnectWise server.
4 Click the Configuration tab to create a new configuration for the FortiGate units.
Figure 161: ConnectWise configuration menu
5 For Configuration Type, select Network Security Appliance.
6 For Name, enter the same name used by these FortiGate units on the FortiAnalyzer unit, such as FG100A.
7 Enter the other information as required.
8 Click Save.
9 Repeat this procedure for all the FortiGate units that report their usage to ConnectWise through the FortiAnalyzer unit.
To configure the FortiAnalyzer unit
1 In the FortiAnalyzer CLI, type the following commands to enable ConnectWise reporting:
config connectwise report
  set status enable
  set integration-login-id <user_name_used_in_ConnectWise_Management_IT_config>
  set integration-password <password_used_in_ConnectWise_Management_IT_config>
  set company-name <company_ID_used_at_ConnectWise_login>
  set management-solution-name <ConnectWise_Management_ID_name>
  set connectwise-server <ConnectWise_server_address>
end
2 Create a device group if you only want certain FortiGate units to report to ConnectWise.
For more information, see Configuring device groups on page 160.
3 Create a report for the FortiGate units to report to ConnectWise.
For more information, see Reports on page 189.
4 Create a report output template for the FortiGate units to report to ConnectWise.
5 Create a report schedule (for the proprietary indexed file system) or configure report settings (for the SQL database).
For more information, see Configuring report schedules on page 220 and Report settings on page 196.
When configuring the report schedule or settings:
Use the report layout you configured.
Select the device group you created if you only want certain FortiGate units to report to ConnectWise, or select All FortiGates.
Use the report output template you configured.
Index
Symbols
_email, 11
_fqdn, 11
_index, 11
_int, 11
_ipv4, 11
_ipv4/mask, 11
_ipv4mask, 11
_ipv6, 11
_ipv6mask, 11
_name, 11
_pattern, 11
_str, 11
_url, 11
_v4mask, 11
_v6mask, 11
A
access profile, 48
adding configuring defining
log severity levels, 311
administrative access
interface settings, 89
restricting, 88, 89, 101
administrative domains. See ADOMs
administrator
"admin" account, 24, 25, 31
admin, accessing ADOMs, 53
assigning to ADOM, 54
password, 31
permissions, 31
ADOMs, 49
access privileges, 48
accessing as admin administrator, 53
admin account privileges, 48
assigning administrators, 54
disabling, 52
enabling, 49
Global, 48
maximum number, 303
permissions, 48
root, 52
aggregation client, 124
alerts, 114, 120, 122
testing, 118
alias, 127
ARP, 287
authenticated network scan
preparing, 246
authentication, 24
B
backing up log files, 273
backing up the configuration
using the CLI, 273
using web-based manager, 272
backup & restore, 137
baseline, 47
baud rate, 299
best practices, 14
blocking device connection attempts, 158
Boolean operator, 264
Bootup issues, 297
browse
network analyzer, 259
sniffer, 259
browser, 23, 24
warnings, 24
C
cable
null modem, 25
certificate
default, 24
mismatch, 24
self-signed, 24
warning, 24
certificate authority (CA), 24
charts, 225
create a template, 207
pre-defined, 205
view custom templates, 209
CIDR, 11
classifying FortiGate network interfaces, 161
CLI
commands, 282
connecting to, 25
clock, 60, 61
column view
network analyzer logs, 262
command line interface (CLI), 9, 11, 23, 56, 76, 101
Console widget, 76
prompt, 61
command prompt, 61
common name (CN) field, 24
communications (COM) port, 25
connecting
web UI, 24
connection attempt handling, 157
ConnectWise, 19
contract, 63
conventions, 9
count, 177
CPU usage, 65, 66
D
dashboard, 56
data filter, 232
create new, 233
data sets, 210
custom, 211
pre-defined, 210
database
SQL, 17
DC (duplicate count), 178
default
administrator account, 24, 25, 31
certificate, 24
IP address, 32
password, 9, 24, 25, 26, 27, 31
settings, 24, 25
URL, 24
delete after upload
network analyzer log, 269
device
adding or deleting, 154
groups, 160
list, 146
maximum number, 150
registration and reports, 176
reports, 193
unregistered vs. registered, 149
device communication, 19
disk space
allocated to Network Analyzer, 268
DLP archive, 173
backing up, 182
DNS server, 32, 93
test connection, 286
documentation
conventions, 9
domain name
certificate, 24
DOS, 23
dotted decimal, 11
down, 88
download
logs, 180, 266
network analyzer logs, 260
search results, 266
E
eDiscovery, 184
error
log level, 42
Ethernet, 24, 25
event
log, 42
expected input, 11
F
factory default settings, 24, 25
Federal Information Processing Standards (FIPS), 8
file
extension, 70, 260, 267
filter
criteria, 264
icon, 261, 263, 265
logs, 169
network analyzer, 263
tip, 264
tips, 170
firmware
install, 59
version, 60
formatted view
network analyzer logs, 262
FortiClient, 18
FortiGate
adding, 38
registering, 38
FortiGate unit
registering, 37
FortiGuard
scheduling updates, 35
Vulnerability Management, 33
FortiMail, 18
Fortinet
Forums, 14
Technical Documentation, 15
conventions, 9
Technical Support, 33
Training Services, 15
Fortinet Discovery Protocol (FDP), 88, 89, 91
Fortinet Distribution Network (FDN), 33
Fortinet Distribution Server (FDS), 33
FortiWeb, 18
FTP, 269
fully qualified domain name (FQDN), 11
further reading, 40
G
gateway, 32
gzip, 70, 260, 261, 267, 269
H
HA cluster, 39, 151, 154
hard disk, 73
historical viewer
network analyzer, 258
host name, 24, 61
HTTP, 89

HTTPS, 24, 88, 89
HyperTerminal, 25
I
ICMP, 89
importing log files, 180
index number, 11
indexed log fields, 265
input constraints, 11
installation, 9
interface
configuring, 32
IP address, 24, 25, 32
IP alias, 127
resolve host names, 176
IPsec VPN tunnel, 39, 151
J
JavaScript, 76
K
kernel upgrade, 20
L
license information, widget, 63
license validation, 33
lightweight directory access protocol (LDAP), 134, 136
Linux, 287
local console access, 76
log
event, 42
log forwarding, 126
logs, 60
backing up, 182
configuring, 39
content. See DLP archive
CSV format, 267
DNS, 19
download, 266
enhancements, 18
FortiClient, 18
FortiMail, 18
FortiWeb, 18
gzip, 70, 260, 261, 267
indexed fields, 265
integrity validation, 18
raw view, 263, 265
search, 265
search tips, 172
unindexed fields, 263, 265
UTM, 18
M
mail server, 118
maximum transmission unit (MTU), 90
Maximum Values Matrix, 303
media access control (MAC) address, 89
memory usage, 65
menu layout, 17
Microsoft
Internet Explorer, 24
migrating data, 141
mode
operation, 28
Mozilla Firefox, 24
MS Windows, 286
N
netmask, 32
network
interface, 24, 25
sniffer, 259
network analyzer
browse, 259
column view, 257
delete after download, 269
download logs, 260
enable, 268
filter, 263
gzip, 269
historical viewer, 258
real-time viewer, 256
resolve host names, 257, 259
roll settings, 267
upload to, 269
network analyzer logs
column view, 262
formatted view, 262
network file share (NFS), 8
network interface
administrative access, 89
status, 88
network interfaces, classifying (FortiGate), 161
network share, 8, 95
Network Time Protocol (NTP), 32, 60
new disk
adding for 2000B and 4000B, 73
null modem cable, 25
O
operation mode, 17, 28
P
password, 24, 25, 26, 27, 31, 103
administrator, 9
log upload, 269
patch releases, 271
pattern, 11
performance, 56
permissions, 31
access profile, 104
ADOMs, 48
ping, 41, 89
port
destination, 257
numbers, 283
scan, 8
source, 257
port number, 33
port1, 24, 25
ports
UDP ports 33434-33534, 286
powering on, 297
prompt, 76
protocol
FTP, 269
SCP, 269
SFTP, 269
Q
quarantine, 176
count, 177
duplicate count, 178
ticket number, 178
query, 134, 136
DNS, 93
R
raid monitor, widget, 71
random access memory (RAM), 65
real-time viewer
network analyzer, 256
Register a FortiGate unit, 37
regular expression, 11
remote authentication dial in user service (RADIUS),
106
report
add a language, 217, 240
add a section, 195, 197
browsing, 219
calendar, 213
chart template, 205
charts, 225
custom, 204
data filter, 233
data filters, 232
data sets, 210
default device, 193
edit a language, 238
edit a layout, 225
edit a section, 197
email filters, 19
enhancements, 16
index based, 204
language, 214, 215, 236
layout, 218, 220, 224, 225, 227
new folder, 205
profiles, 225
redefined, 201
remote output, 199
run, 231
schedule, 213
settings, 196
SQL based, 189
report engine, widget, 71
resolve host names, 176
network analyzer, 257, 259
RJ-45, 24, 25
roll settings
network analyzer, 267
root
administrator account, 31
root (Management Administrative Domain), 52
root ADOM, 49, 52
router, 32
S
scheduled reports
configuring, 220
scheduling, 60
scheduling updates, 35
SCP, 269
search
DLP archive, 173
download results, 266
Network Analyzer logs, 254, 265
tips, 172, 266
user data, 173
secure connection, 176
Secure Shell (SSH), 23, 76, 88, 89
security certificate, 24
self-signed, 24
serial number, 59

serial port parameters, 298
severity levels (logs), 311
SFTP, 269
share, 8
simple network management protocol (SNMP)
system name, 61
SMP support, 20
sniffer, 254, 259
See also network analyzer
SNMP
community, 120
event, 122
manager, 121
queries, 122
span port, 254
special characters, 62
SQL
database, 190
remote database, 192
reports, 189
SQL database, 17
SSL, 60
statistics widget, 68
string, 11
subnet, 266
supported RFCs
1213, 119
1918, 9
2665, 119, 302
sync interval, 61
syntax, 11
Syslog server, 122
system information, widget, 59
system operation, widget, 64
system resources, widget, 65
system time, 32, 282
T
TACACS+ server, 19
Telnet, 23, 76, 90
terminal, 23, 25
Terminal Access Controller Access-Control System
(TACACS+), 107
test
configuration, 40
ticket number, 178
time, 32, 60
time to live (TTL), 286
time zone, 33, 35
traceroute, 41, 286
tracert, 286
troubleshooting, 41, 279
packet sniffing, 287
routing table, 287
trust certificate, 24
U
unindexed log fields, 263, 265
UNIX, 23
unknown, 157
unregistered, 149, 176
up, 88
upgrade
FortiGuard Vulnerability Management, 33
upgrading, 276
uptime, 282
URL, 24
US-ASCII, 43, 62
V
value parse error, 11
verify
configuration, 40
virus
See quarantine
vulnerability management, 242
assets, 243
database, 242
signatures, 242
vulnerability scan, 19
viewing results, 252
W
web browser, 23, 24
warnings, 24
web filtering, 172
web services, 91
web UI, 24
widget, 56
intrusion activity, 86
license information, 63
log receive monitor, 74
logs/data received, 67
raid monitor, 71
report engine, 71
statistics, 68
system information, 59
system operation, 64
system resources, 65
top email traffic, 81
top ftp traffic, 82
top im/p2p traffic, 83
top traffic, 78
top web traffic, 79
virus activity, 85
wild cards, 11
WSDL file
obtaining, 92
