FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide
April 12, 2013

05-437-164257-20130412

Copyright © 2013 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.

Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard fortiguard.com

Document Feedback [email protected]


Table of Figures

Logging, analyzing, and reporting workflow ................................................................ 22

Topology of the FortiAnalyzer unit in standalone mode .............................................. 28

Change operation mode .............................................................................................. 29

Change operation mode .............................................................................................. 30

Topology of the FortiAnalyzer units in analyzer/collector mode .................................. 31

License information widget .......................................................................................... 34

FortiGuard Distribution Network window .................................................................... 34

Allowed devices window ............................................................................................. 37

Edit device window ...................................................................................................... 38

Putty console window .................................................................................................. 44

Packet capture in Notepad .......................................................................................... 44

Converting sniffer output to .pcap format ................................................................... 45

Viewing sniffer output in Wireshark ............................................................................. 46

Backup and restore window ........................................................................................ 47

Enabling ADOM configuration ..................................................................................... 50

FortiAnalyzer system menu ......................................................................................... 51

Create new ADOM ....................................................................................................... 51

New Administrative Domain window ........................................................................... 51

Switching to the global ADOM .................................................................................... 52

Administrative Domain name ....................................................................................... 53

Administrative settings window ................................................................................... 54

FortiAnalyzer system window ...................................................................................... 55

FortiAnalyzer system menu ......................................................................................... 56

FortiAnalyzer system dashboard ................................................................................. 58

Adding a widget ........................................................................................................... 59

Widget title bar ............................................................................................................ 59

System information widget .......................................................................................... 61

Time settings ............................................................................................................... 62

System information widget .......................................................................................... 63

Change operation mode .............................................................................................. 64

License information widget .......................................................................................... 65

Unit operation widget .................................................................................................. 66

System resources widget ............................................................................................ 67

Edit system resources settings window ...................................................................... 68

Logs/data received widget .......................................................................................... 69

Edit logs/data received settings window ..................................................................... 69

Statistics widget .......................................................................................................... 70

Statistics widget .......................................................................................................... 70

Logs window ................................................................................................................ 71

Log details window ...................................................................................................... 72

Report engine widget ................................................................................................... 73

Disk monitor widget ..................................................................................................... 74

Status of a failed hard disk on a FAZ-800 unit as shown in the Disk Monitor widget 75

Log receive monitor widget ........................................................................................ 77

Editing log receive monitor settings ............................................................................ 77

Alert message console widget ..................................................................................... 78

List of all alert messages ............................................................................................. 79


CLI console widget ...................................................................................................... 80

CLI console widget settings ........................................................................................ 80

Top traffic widget ......................................................................................................... 81

Top traffic widget settings ........................................................................................... 82

Top web traffic widget ................................................................................................. 83

Top web traffic widget settings ................................................................................... 83

Top email traffic widget ............................................................................................... 84

Top email traffic widget settings .................................................................................. 85

Top FTP traffic widget ................................................................................................. 86

Top FTP traffic widget settings .................................................................................... 86

Top IM/P2P traffic widget ............................................................................................ 87

Top IM/P2P traffic widget settings .............................................................................. 87

Virus activity widget ..................................................................................................... 88

Virus activity widget settings ....................................................................................... 89

Intrusion activity widget ............................................................................................... 90

Intrusion activity widget settings ................................................................................. 90

Interface list window .................................................................................................... 91

Network interfaces ....................................................................................................... 92

Edit interface window .................................................................................................. 93

Edit interface window .................................................................................................. 96

Allowed devices window ............................................................................................. 96

DNS configuration ....................................................................................................... 98

Route list ...................................................................................................................... 98

New routing entry window ........................................................................................... 99

Network share user list .............................................................................................. 100

User configuration window ........................................................................................ 101

User group list ........................................................................................................... 102

Group configuration window ..................................................................................... 103

Windows network share user list ............................................................................... 103

Windows share configuration window ....................................................................... 104

List of users with NFS share access .......................................................................... 105

NFS export configuration window ............................................................................. 106

Administrator account list .......................................................................................... 108

New administrator window ........................................................................................ 109

Access profile list ....................................................................................................... 111

New access profile window ....................................................................................... 111

Authentication group list ............................................................................................ 112

New Auth Group window ........................................................................... 113

RADIUS server list ..................................................................................................... 113

New RADIUS server window ..................................................................................... 114

TACACS+ server list .................................................................................................. 115

New TACACS+ Server window ................................................................................. 115

Administrators’ settings ............................................................................................. 116

Monitoring administrators .......................................................................................... 117

SQL database ............................................................................................................ 119

Database upgrade notice .......................................................................................... 120

Alert events list .......................................................................................................... 121

Add alert event window ............................................................................................. 122

Mail server list ............................................................................................................ 124

Mail server settings window ...................................................................................... 125

Test mail server window ............................................................................................ 126

SNMP access list ....................................................................................................... 127

Table of Figures Page 4 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide


New SNMP community window ................................................................................ 129

Syslog server list ........................................................................................................ 130

New syslog server window ........................................................................................ 131

Test syslog server window ........................................................................................ 131

Log aggregation client configuration ........................................................................ 133

Log aggregation server configuration ........................................................................ 134

Log forwarding ........................................................................................................... 135

List of IP aliases ......................................................................................................... 136

RAID settings ............................................................................................................. 137

LDAP server list ......................................................................................................... 143

New LDAP Server window ......................................................................................... 144

LDAP distinguished name query ............................................................................... 145

Backup & Restore page ............................................................................................. 146

FortiGuard Distribution Network window .................................................................. 148

Migration source ........................................................................................................ 151

Migrating configuration settings ................................................................................ 152

Device list .................................................................................................................. 156

Add a device to an HA cluster ................................................................................... 161

Add device ................................................................................................................. 162

Edit device window .................................................................................................... 165

Enable FDP packets on an interface ......................................................................... 166

Edit Interface .............................................................................................................. 166

Unregistered device options window ........................................................................ 167

Blocked devices ........................................................................................................ 168

Block a device ........................................................................................................... 169

Blocked devices ........................................................................................................ 170

Device groups ............................................................................................................ 170

Create new group ...................................................................................................... 171

All device logs ............................................................................................................ 174

Log details window .................................................................................................... 177

Change display options ............................................................................................. 178

Column display settings ............................................................................................ 178

Filter icons ................................................................................................................. 179

Filters window ............................................................................................................ 179

Log search ................................................................................................................. 181

DLP log archive window ............................................................................................ 184

Quarantine summary ................................................................................................. 186

Quarantine window .................................................................................................... 188

Log file list .................................................................................................................. 189

Import log file window ............................................................................................... 191

Download log file window .......................................................................................... 192

Device log settings .................................................................................................... 194

eDiscovery folders list page ....................................................................................... 195

eDiscovery Config ...................................................................................................... 197

New eDiscovery folder window ................................................................................. 197

eDiscovery search window ........................................................................................ 198

View eDiscovery search window ............................................................................... 199

Enable the SQL local database ................................................................................. 203

Start time options ...................................................................................................... 203

SQL database window ............................................................................................... 204

Left-click and right-click menu options ..................................................................... 205

Default device reports ................................................................................................ 206


Add section to default device report ......................................................................... 207

Report options window .............................................................................................. 208

Edit new report section .............................................................................................. 210

New report output ...................................................................................................... 212

Mail server settings window ...................................................................................... 212

Report settings .......................................................................................................... 214

Report filters .............................................................................................................. 215

Predefined reports page ............................................................................................ 216

Custom reports window ............................................................................................ 217

Indexer based reports view options .......................................................................... 218

Create a new folder ................................................................................................... 218

Pre-defined charts window ........................................................................................ 219

Create new chart template ........................................................................................ 220

Custom chart template .............................................................................................. 223

Pre-defined datasets ................................................................................................. 223

New data set window ................................................................................................ 224

SQL query console window ....................................................................................... 225

View calendar and task list ........................................................................................ 226

Language options window ......................................................................................... 227

Edit report language window ..................................................................................... 228

Add report language window ..................................................................................... 229

Report layout ............................................................................................................. 231

Indexer based reports page ....................................................................................... 232

View report schedule list window .............................................................................. 233

New report schedule window .................................................................................... 234

Predefined report layouts window ............................................................................. 237

Edit report layout window .......................................................................................... 238

Create new report layout ........................................................................................... 240

Add chart to the new report layout ............................................................................ 240

Add section to new report layout .............................................................................. 241

Add text to new report layout dialog box .................................................................. 241

Run report now window ............................................................................................. 243

Data filter template menu .......................................................................................... 244

New data filter ............................................................................................................ 245

Configure report language .......................................................................... 250

Edit report language window ..................................................................................... 251

Add report language window ..................................................................................... 252

Host asset list page ................................................................................................... 256

Create asset window ................................................................................................. 257

Scan schedule list page ............................................................................................. 263

New scan schedule window ...................................................................................... 264

Scan result list page .................................................................................................. 265

Vulnerability scan results page .................................................................................. 266

Example network topology for Network Analyzer use ............................................... 269

Enable Network Analyzer in GUI Menu Customization ............................................. 269

Configure Network Analyzer settings ........................................................................ 270

Real time Network Analyzer logs page ...................................................................... 271

Historical network analyzer logs page ....................................................................... 272

Network analyzer log file list page ............................................................................. 274

Download log file window .......................................................................................... 275

Download a partial (filtered) log file ........................................................................... 275

Change display options ............................................................................................. 276


Column display settings window ............................................................................... 277

Filter icons in Network Analyzer ................................................................................ 278

Filters window ............................................................................................................ 278

Network Analyzer log search window ........................................................................ 279

Traffic log settings page ............................................................................................ 282

File explorer window .................................................................................................. 285

Firmware upgrade path ............................................................................................. 287

Backup & Restore menu ............................................................................................ 288

Firmware version [Update] page ................................................................................ 292

Database upgrade notice .......................................................................................... 292

Enable administrative access on the interface .......................................................... 300

Create a new data set window .................................................................................. 322

SQL query console window ....................................................................................... 323

Adding a dataset to a chart template ........................................................................ 361

Adding a chart to a report .......................................................................................... 362

New dataset window ................................................................................................. 363

ConnectWise setup tables ......................................................................................... 370

ConnectWise Integrator login .................................................................................... 370

ConnectWise management IT ................................................................................... 371

ConnectWise company information .......................................................................... 372

ConnectWise configuration menu ............................................................................. 373


Table of Contents

Table of Figures ................................................................................................ 3

Change Log..................................................................................................... 12

Introduction..................................................................................... 13

Scope..................................................................................................... 14

Entering FortiAnalyzer configuration data.............................................................. 14

What’s New in FortiAnalyzer v4.0 MR3......................................................... 16

Stackable license model for FortiAnalyzer VM ...................................................... 16

Report enhancements ........................................................................................... 16

Web-based Manager changes .............................................................................. 17

Structured Query Language database................................................................... 17

FortiWeb support ................................................................................................... 18

FortiAnalyzer Virtual Machine support................................................................... 18

Logging enhancements ......................................................................................... 18

Additional enhancements ...................................................................................... 19

Key Concepts and Workflow......................................................................... 21

Administrative Domains ......................................................................... 21

Operation mode..................................................................................................... 21

Log storage............................................................................................................ 22

Workflow................................................................................................................ 22

Setting up the FortiAnalyzer...................................................................... 23

Connecting to the Web-based Manager or CLI..................................................... 23

Updating the firmware ........................................................................................... 27

The operation mode............................................................................................... 28

Changing the administrator password................................................................... 31

Configuring the system time and date................................................................... 32

Configuring basic network settings ....................................................................... 32

Configuring global settings .................................................................................... 32

Configuring administrative domains ...................................................................... 33

Connecting to FortiGuard services........................................................................ 33

Collecting device logs............................................................................................ 37

Testing the setup ................................................................................................... 40

Backing up the configuration................................................................................. 46

Administrative Domains................................................................................. 48Configuring ADOMs............................................................................................... 49

Accessing ADOMs as the admin administrator ..................................................... 55

Page 8

Page 9: Fortianalyzer Admin 40 Mr3

Assigning administrators to an ADOM................................................................... 55

System............................................................................................................. 57Viewing the dashboard .......................................................................................... 57

Configuring network settings................................................................................. 91

Configuring network shares................................................................................... 99

Configuring administrator related settings........................................................... 107

Configuring the Web-based Manager’s global settings ...................................... 116

Monitoring administrators.................................................................................... 117

Configuring log storage & query features ............................................................ 118

Backing up the configuration and installing firmware.......................................... 145

Scheduling & uploading vulnerability management updates............................... 147

Migrating data from one FortiAnalyzer unit to another ........................................ 150

Importing a local server certificate....................................................................... 154

Devices .......................................................................................................... 155Configuring connections with devices & their disk space quota......................... 155

Unregistered vs. registered devices .............................................................. 159

Maximum number of devices......................................................................... 159

Manually configuring a device or HA cluster ................................................. 160

Manually adding a FortiGate unit using the Fortinet Discovery Protocol ...... 165

Configuring unregistered device options....................................................... 167

Blocking unregistered device connection attempts ...................................... 168

Configuring device groups................................................................................... 170

Classifying FortiGate network interfaces ............................................................. 172

Log & Archive................................................................................................ 173Viewing log messages ......................................................................................... 173

Viewing Log Details........................................................................................ 177

Customizing the log view............................................................................... 177

Searching the logs ......................................................................................... 180

Viewing DLP archives .................................................................................... 183

Viewing quarantined files ............................................................................... 186

Browsing log files................................................................................................. 189

Importing a log file ......................................................................................... 190

Downloading a log file.................................................................................... 191

Backing up logs and archived files ...................................................................... 193

Configuring rolling and uploading of devices’ logs.............................................. 193

Using eDiscovery ................................................................................................. 195

Page 9

Page 10: Fortianalyzer Admin 40 Mr3

Reports .......................................................................................................... 201SQL based reports............................................................................................... 201

Enable/disable SQL database ....................................................................... 202

Enable/disable remote SQL database ........................................................... 204

Left and right click menu tree ........................................................................ 205

Default device reports.................................................................................... 205

Email/upload remote output .......................................................................... 211

Predefined reports ......................................................................................... 214

Custom report filters ...................................................................................... 216

Custom reports .............................................................................................. 217

Advanced report settings............................................................................... 218

View report layout .......................................................................................... 230

Indexer based reports.......................................................................................... 231

Viewing scheduled reports............................................................................. 232

Configuring report schedules......................................................................... 233

Configuring reports ........................................................................................ 236

Configuring data filter templates.................................................................... 244

Configuring report language .......................................................................... 248

Network Vulnerability Scan ......................................................................... 254Model support...................................................................................................... 255

How to use the network vulnerability scan feature.............................................. 255

Configuring host assets ....................................................................................... 256

Discovering network host assets......................................................................... 258

Preparing for authenticated scanning.................................................................. 258

Microsoft Windows hosts domain scanning.................................................. 259

Microsoft Windows hosts local (non-domain) scanning ................................ 260

Unix hosts ...................................................................................................... 261

Configuring vulnerability scans............................................................................ 261

Viewing scan results ............................................................................................ 265

Tools .............................................................................................................. 268Network analyzer ................................................................................................. 268

Connecting the FortiAnalyzer unit to analyze network traffic ........................ 268

Viewing network analyzer log messages ....................................................... 270

Browsing network analyzer log files .............................................................. 273

Customizing the network analyzer log view................................................... 276

Searching the network analyzer logs ............................................................. 279

Rolling and uploading network analyzer logs ................................................ 282

File explorer ......................................................................................................... 284

Maintaining Firmware .................................................................................. 286Firmware upgrade path and general firmware upgrade steps............................. 286

Backing up your configuration............................................................................. 287

Testing firmware before upgrading/downgrading ............................................... 289

Installing firmware from the BIOS menu in the CLI ............................................. 291

Page 10

Page 11: Fortianalyzer Admin 40 Mr3

Upgrading your FortiAnalyzer unit ....................................................................... 291

Troubleshooting ........................................................................................... 294Troubleshooting process ..................................................................................... 294

Run ping and traceroute ...................................................................................... 299

What can sniffing packets tell you ....................................................................... 302

Contact customer service & support ................................................................... 303

Troubleshooting FortiAnalyzer issues.................................................................. 304

Appendix A: SNMP MIB Support................................................................. 317SNMP MIB support.............................................................................................. 317

Appendix B: Maximum Value Matrix........................................................... 318Maximum values matrix ....................................................................................... 318

Appendix C: SQL Log Databases................................................................ 321Querying FortiAnalyzer SQL log databases......................................................... 321

Appendix D: Port Numbers.......................................................................... 367Port numbers ....................................................................................................... 367

Appendix E: ConnectWise ........................................................................... 369FortiAnalyzer compatibility with ConnectWise .................................................... 369

Index .............................................................................................................. 375

Page 11

Page 12: Fortianalyzer Admin 40 Mr3

Change Log

Date Change Description

2012-02-29 Initial release.

2012-03-28 Reports chapter updated.

2012-04-03 Added custom report filter details.

2012-09-13 Updated document template.

2013-03-01 Minor document updates.

2013-04-12 Updated for FortiAnalyzer v4.0 MR3 Patch Release 7.


Introduction

Welcome and thank you for selecting Fortinet products for your network protection.

FortiAnalyzer units are network appliances that provide integrated log collection and reporting

tools. Reports analyze logs for email, FTP, web browsing, security events, and other network

activity to help identify and mitigate security issues throughout your network.

In addition to logging and reporting, FortiAnalyzer units also have several major features that

augment or enable certain FortiGate unit functionalities, such as DLP archiving and

quarantining, and improve your ability to stay informed about the state of your network.

• Logging and reporting: A FortiAnalyzer unit can aggregate and analyze log data from

Fortinet and other syslog-compatible devices. Using a comprehensive suite of

easily-customized reports, you can filter and review records, including traffic, event, virus,

attack, web content, and email data, mining the data to determine your security stance and

ensure regulatory compliance. For information about the FortiAnalyzer logging, analyzing,

and reporting workflow, see Figure 1 on page 22.

• DLP archive / Data mining: Both FortiGate DLP (Data Leak Prevention) archive logs and

their associated copies of files or messages can be stored on and viewed from a

FortiAnalyzer unit, leveraging its storage capacity for large media files that can be common

with multimedia content. When DLP archives are received by the FortiAnalyzer unit, you can

use data filtering similar to other log files to track and locate specific email or instant

messages, or to examine the contents of archived files.

• Quarantine repository: A FortiAnalyzer unit can act as a central repository for files that are

suspicious or known to be infected by a virus, and have therefore been quarantined by your

FortiGate units.

• Network vulnerability scan: A FortiAnalyzer unit can scan your designated target hosts for

known vulnerabilities and open TCP and/or UDP ports. When the vulnerability scan is

complete, the FortiAnalyzer unit generates a report that describes the discovered security

issues and their known solutions.

FortiAnalyzer units can utilize the FortiGuard subscription service to update their

vulnerability databases with new entries added as they are discovered.

• Packet capture: FortiAnalyzer units can log observed packets to diagnose areas of the

network where firewall policies may require adjustment, or where traffic anomalies occur.

• File explorer: You can browse through the list of content archive/DLP, quarantine, log, and

report files on the FortiAnalyzer unit.

• Network sharing: FortiAnalyzer units can use their hard disks as an NFS or Windows-style

network share for FortiAnalyzer reports and logs, as well as users’ files.

• FIPS support: Federal Information Processing Standards (FIPS) are supported in some

special releases of FortiAnalyzer firmware. Contact Customer Service & Support for more

information.

Introduction Page 13 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide


Scope

This document describes how to use the Web-based Manager to set up and configure the

FortiAnalyzer unit. It assumes you have already successfully installed the FortiAnalyzer unit by

following the instructions in the FortiAnalyzer Install Guide.

At this stage:

• You have administrative access to the Web-based Manager and/or CLI.

• You can connect to the FortiAnalyzer unit through the Web-based Manager and CLI.

This document explains how to use the Web-based Manager to:

• maintain the FortiAnalyzer unit, including backups

• configure basic settings, such as system time, DNS settings, administrator password, and network interfaces

• configure advanced features, such as adding devices, DLP archiving, vulnerability

management, logging, and reporting

This document does not cover commands for the command line interface (CLI). For information

on the CLI, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.

Entering FortiAnalyzer configuration data

The configuration of a FortiAnalyzer unit is stored as a series of configuration settings in the

FortiAnalyzer configuration database. To change the configuration you can use the Web-based

Manager or CLI to add, delete or change configuration settings. These configuration changes are

stored in the configuration database as they are made.

Individual settings in the configuration database can be text strings, numeric values, selections

from a list of allowed options, or on/off (enable/disable).

Entering text strings (names)

Text strings are used to name entities in the configuration. For example, the name of a report

chart, administrative user, and so on. You can enter any character in a FortiAnalyzer

configuration text string except, to prevent Cross-Site Scripting (XSS) vulnerabilities, text

strings in FortiAnalyzer configuration names cannot include the following characters:

" (double quote), & (ampersand), ' (single quote), < (less than), and > (greater than)

You can determine the limit to the number of characters that are allowed in a text string by

determining how many characters the Web-based Manager or CLI allows for a given name field.

From the CLI, you can also use the tree command to view the number of characters that are

allowed. For example, report chart names can contain up to 64 characters. When you add a

report chart name to the Web-based Manager, you are limited to entering 64 characters in the

report chart name field.


From the CLI you can do the following to confirm that the report chart name field allows 64

characters:

    config report chart
        edit <chart_name>
            tree
    --- [chart] --*name (64)
                  |- type
                  |- title (128 xss)
                  |- comment (1024)
                  |- dataset (64)
                  +- graph-type

Note that the tree command output also shows the number of characters allowed for other

report chart name settings. For example, the comment field can contain up to 1024 characters.
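The name rules above (no " & ' < > in configuration names, and a per-field length limit that the tree command reports) are easy to check before a name is pushed by a script or a provisioning tool. The following is an added example, not Fortinet code: it parses a constructed sample of the tree output shown above into a field-to-limit map and validates candidate values against it. Applying the forbidden-character rule to every field, not only to the name field, is an assumption of this example; the guide states the rule for configuration names.

```python
"""Validate FortiAnalyzer-style configuration names against the limits
shown by the CLI `tree` command.  Added example; not Fortinet code."""
import re

# Constructed sample of `tree` output for `config report chart`, as shown
# in the guide: field name, maximum length, and an optional "xss" flag.
SAMPLE_TREE = """\
--- [chart] --*name (64)
              |- type
              |- title (128 xss)
              |- comment (1024)
              |- dataset (64)
              +- graph-type
"""

# Characters the guide says are rejected in configuration names to prevent
# cross-site scripting when the name is rendered by the Web-based Manager.
FORBIDDEN_CHARS = frozenset('"&\'<>')

# One tree line: a "*" or "-" marker, the field name, then an optional
# "(<max length> [xss])" annotation.
_FIELD_RE = re.compile(r"[*\-]\s*([a-z][a-z0-9-]*)(?:\s*\((\d+)(\s+xss)?\))?")


def parse_tree(text):
    """Return {field: (max_len or None, xss_flag)} from tree output."""
    limits = {}
    for line in text.splitlines():
        m = _FIELD_RE.search(line)
        if not m:
            continue
        name, length, xss = m.groups()
        limits[name] = (int(length) if length else None, bool(xss))
    return limits


LIMITS = parse_tree(SAMPLE_TREE)


def validate_name(field, value, limits=LIMITS):
    """Return a list of problems with `value` for `field`; empty means OK.

    Assumption of this example: the forbidden-character rule is applied to
    every text field, not only to the entity name."""
    problems = []
    bad = sorted(FORBIDDEN_CHARS.intersection(value))
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    max_len, _xss_filtered = limits.get(field, (None, False))
    if max_len is not None and len(value) > max_len:
        problems.append(f"length {len(value)} exceeds limit {max_len}")
    return problems


if __name__ == "__main__":
    for field, value in [("name", "weekly-traffic"),
                         ("name", "<script>alert(1)</script>"),
                         ("comment", "x" * 1025)]:
        print(field, repr(value[:20]), validate_name(field, value) or "ok")
```

Fields without a number in the tree output (type, graph-type) are selections from a list, which the guide covers under "Selecting options from a list"; the parser records them with no length limit so the caller can treat them separately.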

Selecting options from a list

If a configuration field can only contain one of a number of selected options, the Web-based

Manager and CLI present you a list of acceptable options and you can select one from the list.

No other input is allowed. From the CLI, you must spell the selection name correctly.

Enabling or disabling options

If a configuration field can only be on or off (enabled or disabled), the Web-based Manager

shows a check box or other control that can only be enabled or disabled. From the CLI, you can

set the option to enable or disable.


What’s New in FortiAnalyzer v4.0 MR3

This chapter lists and describes some of the key changes and new features added to the

FortiAnalyzer system. For upgrade information, see the Release Notes available at

https://support.fortinet.com, and “Maintaining Firmware” on page 286.

Stackable license model for FortiAnalyzer VM

Customers who purchase a version 5.0 FortiAnalyzer VM license can now apply this license to

their existing version 4.0 MR3 FortiAnalyzer VM environment. When applying the v5.0 license to

v4.0 MR3 you are required to use FortiAnalyzer v4.0 MR3 Patch Release 7. See the

FortiAnalyzer v4.0 MR3 Patch Release 7 Release Notes for more information.

Report enhancements

The FortiAnalyzer system in v4.0 MR3 includes a number of changes and improvements to the

report settings, report sections, and reports contents. These improve the user experience when

generating and working with reports at both the device and group levels. See “Reports” on

page 201 for more information.

Default device reports

The FortiAnalyzer includes predefined report layouts at the device level. These report layouts

contain a selection of the most commonly used charts and datasets. Each device report can

be customized on a device-by-device basis. You can automatically generate reports at a per

device level, for all devices assigned to a device group, or for multiple individual devices. See

“Default device reports” on page 205 for more information.

Per device report generation

Reports can now be generated per device.

Email report option at the device level

The email report option is now available at the device level. A report template created for one

device can be pushed to other connected devices. Reports will be emailed per device, device

group, or for multiple individual devices. See “Email/upload remote output” on page 211 for

more information.

The following list is current as of FortiAnalyzer v4.0 MR3 Patch Release 7.


Report and chart variables support

The following variables are now supported at both the report and chart levels:

• Device

• Time Period

• VDOM

• User (or Source IP)

• Group (LDAP User Group).

You can define these variables from the Web-based Manager, or from the CLI at the report

layout level. The variables defined at the chart level will override the report level values. If the

same variable is defined at both levels, the chart level value will have a higher priority. See

“Report settings” on page 207 for more information.

PDF report improvements

The FortiAnalyzer PDF report has been redesigned with layout and design improvements. The

reports have an updated text style and size, headers and footers, introduction pages, tables of

contents, and appendix pages.

Web-based Manager changes

Menu layout enhancements

The reports section has been updated to improve the user experience. The report menu

includes the following sections:

• Default Device Reports

• Predefined Reports

• Custom Reports

• Advanced (chart, dataset, calendar, language).

Operation mode changes

You can now select the FortiAnalyzer operation mode - Standalone, Analyzer, and Collector -

based on your requirements. For more information, see “System information widget” on

page 60.

Structured Query Language database

SQL database compatibility

FortiAnalyzer units now save received logs both to the default proprietary indexed file storage

system and to the Structured Query Language (SQL) database used for generating reports. In this

release, the SQL database is the default database for log storage.

Performance improvements on SQL report generation

The speed to read log files and insert them into the SQL database has been increased to 10 000

logs per second on high end FortiAnalyzer units.


Local event logs in SQL database

The FortiAnalyzer local event logs are now supported by the SQL database.

Custom fields support in SQL database

In each FortiGate log type, you can define a maximum of five customized fields by using any

keyword as the field name. These custom fields can now be transferred into the SQL database

and are included in the reports created with them.
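To make the SQL path concrete, the following added example (not FortiAnalyzer code) parses FortiGate-style key=value log lines, including administrator-defined custom fields, into an SQL table and runs a report query over them. The log lines, the custom field names "site" and "ticket", and the sqlite3 in-memory database are all constructed for the example; the five-field cap is the limit stated above.

```python
"""Load FortiGate-style key=value log lines, including custom fields, into
an SQL table and run a report query.  Added example, not FortiAnalyzer code."""
import re
import sqlite3

# Constructed sample log lines in FortiGate key=value style.  "site" and
# "ticket" stand in for custom fields an administrator may define per log
# type; "msg" shows a quoted value containing spaces.
SAMPLE_LOGS = [
    'date=2013-04-12 time=10:01:02 type=traffic srcip=10.0.0.5 dstip=203.0.113.10 '
    'action=accept sentbyte=1200 site="branch-a" ticket=INC-1',
    'date=2013-04-12 time=10:01:05 type=traffic srcip=10.0.0.6 dstip=203.0.113.11 '
    'action=deny sentbyte=0 site="branch-b"',
    'date=2013-04-12 time=10:02:00 type=traffic srcip=10.0.0.5 dstip=198.51.100.7 '
    'action=accept sentbyte=4800 site="branch-a" ticket=INC-2',
    'date=2013-04-12 time=10:03:30 type=traffic srcip=10.0.0.7 dstip=198.51.100.7 '
    'action=deny sentbyte=0 site="branch-c" msg="blocked by policy 3"',
]

STANDARD_FIELDS = ("date", "time", "type", "srcip", "dstip", "action", "sentbyte")
MAX_CUSTOM_FIELDS = 5  # per log type, as stated in the guide

# key=value pairs; a value is either a double-quoted string (backslash
# escapes allowed) or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def custom_fields(record):
    """Return the non-standard keys of a record, capped at the five-field limit."""
    extra = [k for k in record if k not in STANDARD_FIELDS]
    return extra[:MAX_CUSTOM_FIELDS]


def load_logs(lines, custom=("site", "ticket")):
    """Create an in-memory table and insert each log line as one row.

    Column names come from configuration (trusted constants), never from the
    log content; the values themselves are bound as parameters so that log
    text cannot alter the SQL statement."""
    conn = sqlite3.connect(":memory:")
    columns = list(STANDARD_FIELDS) + list(custom)
    conn.execute("CREATE TABLE tlog (%s)" % ", ".join(columns))
    placeholders = ", ".join("?" for _ in columns)
    for line in lines:
        rec = parse_line(line)
        row = [rec.get(col) for col in columns]
        conn.execute("INSERT INTO tlog VALUES (%s)" % placeholders, row)
    conn.commit()
    return conn


def bytes_per_site(conn):
    """Report: bytes sent on accepted sessions per custom 'site' field."""
    cur = conn.execute(
        "SELECT site, SUM(CAST(sentbyte AS INTEGER)) AS total FROM tlog "
        "WHERE action = 'accept' GROUP BY site ORDER BY total DESC")
    return cur.fetchall()


if __name__ == "__main__":
    db = load_logs(SAMPLE_LOGS)
    for site, total in bytes_per_site(db):
        print(site, total)
```

The report query groups by a custom field exactly as the text describes: once the custom field is a column, any chart dataset can filter or aggregate on it.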

FortiWeb support

FortiWeb integration

You can add FortiWeb units to FortiAnalyzer units and view the FortiWeb logs on the

FortiAnalyzer units. You can also generate reports using the collected FortiWeb logs.

FortiMail, FortiWeb, and FortiClient logs in SQL database

In this release, similar to FortiGate logs, FortiMail, FortiWeb, and FortiClient logs can be inserted

into the SQL database and are supported by SQL-based reports.

FortiAnalyzer Virtual Machine support

VMware ESX/ESXi 5.0 Support

FortiAnalyzer VM now supports VMware ESX/ESXi versions 4.0, 4.1 and 5.0.

Logging enhancements

Log file integrity validation

You can use the execute log-integrity command to query a log file's MD5 checksum

and timestamp to ensure that the log file has not been modified. This command only applies for:

• rolled log files with MD5 hash recorded

• a local log containing the MD5 hash of the log files downloaded from the FortiAnalyzer

Web-based Manager.

You cannot apply this command on an active log file.

For more information, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.
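The principle behind execute log-integrity, a checksum and timestamp recorded when a log file is rolled and compared later, can be reproduced for log files exported off the unit. The following is an added example and not the FortiAnalyzer implementation: it records MD5 and modification time for a constructed rolled log in a manifest, then shows that a content change is detected even when the tamperer restores the original timestamp. MD5 is used here because it is the hash the guide documents; the manifest must be stored where whoever can write the logs cannot rewrite it, since the hash alone does not prove where the file came from.

```python
"""Record and verify checksums of rolled log files, modelled on the
execute log-integrity check described in the guide.  Added example; not
the FortiAnalyzer implementation."""
import hashlib
import json
import os
import shutil
import tempfile


def file_md5(path):
    """MD5 of a file, read in chunks so large log files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_rolled_log(path, manifest):
    """Store the checksum and mtime of a log file that has just been rolled."""
    manifest[os.path.basename(path)] = {
        "md5": file_md5(path),
        "mtime": int(os.stat(path).st_mtime),
    }


def verify_log(path, manifest):
    """Return (ok, reason).  Unknown files, hash changes and timestamp
    changes all fail; as in the guide, only rolled (closed) files qualify."""
    name = os.path.basename(path)
    entry = manifest.get(name)
    if entry is None:
        return False, "no integrity record for " + name
    if file_md5(path) != entry["md5"]:
        return False, "checksum mismatch"
    if int(os.stat(path).st_mtime) != entry["mtime"]:
        return False, "timestamp changed"
    return True, "intact"


def save_manifest(manifest, path):
    """Persist the manifest as JSON; keep this copy off the logging host."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: roll a log, verify, tamper, verify again."""
    workdir = tempfile.mkdtemp()
    try:
        log_path = os.path.join(workdir, "tlog.20130412.log")
        with open(log_path, "w") as f:
            f.write("date=2013-04-12 time=10:01:02 action=accept srcip=10.0.0.5\n")
        manifest = {}
        record_rolled_log(log_path, manifest)
        manifest_path = os.path.join(workdir, "manifest.json")
        save_manifest(manifest, manifest_path)
        before = verify_log(log_path, load_manifest(manifest_path))

        # Tamper: change the recorded verdict, then put the original
        # modification time back so the timestamp check alone would pass.
        st = os.stat(log_path)
        with open(log_path, "w") as f:
            f.write("date=2013-04-12 time=10:01:02 action=deny srcip=10.0.0.5\n")
        os.utime(log_path, (st.st_atime, st.st_mtime))
        after = verify_log(log_path, load_manifest(manifest_path))
        return before, after
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The timestamp check catches careless edits cheaply, but the example deliberately shows why the checksum is the control that matters: a modification time is trivially reset, a matching digest is not.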

Retrieve FortiGate logs on demand

In addition to receiving logs sent from the devices, you can manually retrieve logs stored on a

FortiGate. For more information, see “To edit a device and retrieve the device’s logs:” on

page 164.


Log forwarding IP spoofing

You can select to retain a device's IP in the log packets when configuring log forwarding in the

CLI. For more information, see the config log forwarding command in the FortiAnalyzer

v4.0 MR3 Patch Release 7 CLI Reference.

UTM logs consolidation

IPS (Attack), Application Control, Web Filter, Antivirus, Data Leak (DLP), and Email Filter logs are

merged into a Unified Threat Management log when you enable the option in System > Admin >

Settings. For more information, see “Log & Archive” on page 173.

Additional enhancements

Secure communication between devices

SSL FTP secure communications can be established between a FortiAnalyzer unit and a

FortiGate or FortiManager unit. In the FortiAnalyzer CLI, you can choose the encryption

algorithm for secure communications.

Network vulnerability scan

Network Vulnerability Scan replaces Vulnerability Management to configure vulnerability scans

and view the scan results. For more information, see “Network Vulnerability Scan” on page 254.

SNMP v3 support

The FortiAnalyzer SNMP v3 implementation includes support for queries, traps, authentication,

and privacy. This is configured only with the CLI. For more information, see config system snmp in the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.

TACACS+ server

You can configure the FortiAnalyzer unit to have a TACACS+ server perform the user

authentication. For more information, see “Configuring TACACS+ servers” on page 114.

DNS log consolidation

The logs can be consolidated under a single domain instead of the specific uniform resource

identifier (URI) of the server when users visit websites that use multiple DNS servers, such as

google.com and yahoo.com. This leads to better report consolidation.

Email filters for reports

Email filters for senders and recipients are added to the report data filters. These new filters

behave similarly to the existing filters. Each new filter can support a list of email addresses.


Compatibility with ConnectWise

The FortiAnalyzer unit integrates with the ConnectWise Management Services Platform (MSP)

by providing statistics from FortiGate logs and reports for the MSP’s Executive Summary report.

The statistics include:

• Top 10 web sites

• Top 10 intrusions prevented

• Top 10 web filter categories

• Total bandwidth usage

• Total number of events

For more information, see “FortiAnalyzer compatibility with ConnectWise” on page 369.

SMP support and large storage

The FortiAnalyzer unit’s filesystem and kernel have been upgraded to support:

• 64-bit kernel.

• ext4, enabling the FortiAnalyzer unit to utilize storage beyond the current limit of 16TB. For

information on enabling or disabling ext4, see the execute formatlogdisk-ext4 command in the

FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference. Back up log and quarantine files

before running this command, as this operation erases all data on the hard disk, including

quarantine and log files. Formatting with ext4 takes longer than formatting with ext3.

• SMP in kernel/build environment, enabling the FortiAnalyzer processing to scale up when

using multi-core CPUs.

Federal Information Processing Standard

A FIPS compliant firmware image is now available for FortiAnalyzer v4.0 MR3.


Key Concepts and Workflow

This chapter defines basic FortiAnalyzer concepts and terms.

If you are new to FortiAnalyzer, this chapter can help you to quickly understand this document

and your FortiAnalyzer platform.

This topic includes:

• Administrative Domains

• Operation mode

• Log storage

• Workflow

Administrative Domains

FortiAnalyzer Administrative Domains (ADOMs) enable the admin administrator to constrain

other FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device

list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to

only data from a specific device’s VDOM.

For more information, see “Administrative Domains” on page 21.

Operation mode

The FortiAnalyzer unit has three operation modes:

• Standalone: The default mode that supports all FortiAnalyzer features.

• Analyzer: The mode used for aggregating logs from one or more log collectors. In this mode,

the log aggregation configuration function is disabled.

• Collector: The mode used for saving and uploading logs. For example, instead of writing

logs into the database, the collector can retain the logs in original (binary) format for

uploading. In this mode, the report function and some functions under System and Tools are

disabled.

The analyzer and collector modes are used together to increase the analyzer’s performance.

The collector provides a buffer to the analyzer by off-loading the log receiving task from the

analyzer. Since log collection from the connected devices is the dedicated task of the collector,

its log receiving rate and speed are maximized.

The mode of operation that you choose will depend on your network topology and individual

requirements.

The FortiAnalyzer 100 and 400 series do not support the analyzer mode.


Log storage

The FortiAnalyzer unit saves logs received to the default proprietary indexed file storage system

which is always ready to accept log data. It can also insert the log data into the Structured

Query Language (SQL) database for generating reports. Both local and remote SQL database

options are supported.

For more information, see “Reports” on page 201.

Workflow

Once you have successfully deployed the FortiAnalyzer device on your network, using and

maintaining your FortiAnalyzer unit involves the following:

• Configuration of optional features, and reconfiguration of required features when changes to

your network call for it

• Backups

• Updates

• Monitoring reports, logs, and alerts

Figure 1 illustrates the process of data logging, data analyzing, and report generation by the

FortiAnalyzer unit in standalone or analyzer mode.

Figure 1: Logging, analyzing, and reporting workflow

[Figure: devices monitored by the FortiAnalyzer unit in standalone mode, or a FortiAnalyzer unit in collector mode monitored by the FortiAnalyzer unit in analyzer mode, send logs to the FortiAnalyzer data receiving server. The logs pass through indexing & file storage/database and the log file index/database to the report engine, which produces reports for the administrator. The steps shown in the figure are:]

• The FortiAnalyzer unit collects logs from the devices or collectors that it monitors.

• The FortiAnalyzer unit buffers, reorganizes, and stores the logs to generate temporary log files.

• The FortiAnalyzer unit indexes the log files for easy search and report generation.

• The administrator configures and requests reports.

• The FortiAnalyzer unit generates reports based on user configurations and requests.

• The administrator views reports and log files.


Setting up the FortiAnalyzer

After physically installing your FortiAnalyzer unit, you need to set up the unit by performing

some basic configuration so that the FortiAnalyzer unit can receive logs from Fortinet devices,

analyze the logs, and generate reports.

You can set up your FortiAnalyzer unit in standalone, analyzer, or collector mode, depending on

your network topology and requirements. For more information, see “The operation mode” on

page 28.

This setup serves as a road map for getting the FortiAnalyzer unit up and running. Detailed
configuration is described in the other chapters of this guide.

Only the configuration procedures through the Web-based Manager are provided. For

configuration procedures through the CLI, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI

Reference.

This chapter includes:

• Connecting to the Web-based Manager or CLI

• Updating the firmware

• The operation mode

• Changing the administrator password

• Configuring the system time and date

• Configuring basic network settings

• Configuring global settings

• Configuring administrative domains

• Connecting to FortiGuard services

• Collecting device logs

• Testing the setup

• Backing up the configuration

Connecting to the Web-based Manager or CLI

To configure, maintain, and administer your FortiAnalyzer unit, you need to connect to it. There

are two methods that you can use:

• the Web-based Manager from within a web browser

• the command line interface (CLI), an interface similar to DOS or UNIX commands, from a

Secure Shell (SSH) or Telnet terminal.

Access to the CLI and/or Web-based Manager will not yet be configured if:

• you are connecting for the first time

• you have just reset the configuration to its default state

• you have just restored the firmware.


In these cases, you must access either interface using the default settings.

If the above conditions do not apply, access the Web-based Manager using the IP address,
administrative access protocol, administrator account, and password already configured,
instead of the default settings.

After you connect, you can use the Web-based Manager or CLI to configure basic network
settings and access the CLI and/or Web-based Manager through your network. However, if you
want to update the firmware, you may want to do so before continuing. See “Updating the
firmware” on page 27.

Connect to the Web-based Manager

To connect to the Web-based Manager using its default settings, you must have:

• a computer with an RJ-45 Ethernet network port

• a web browser such as Microsoft Internet Explorer or Mozilla Firefox

• a crossover network cable

Until the FortiAnalyzer unit is configured with an IP address and connected to your network, you
may prefer to connect the FortiAnalyzer unit directly to your management computer, or through
a switch, in a peer network that is isolated from your overall network. However, isolation is not
required.

Table 1: Default settings for connecting to the Web-based Manager

Network Interface port1

URL https://192.168.1.99/

Administrator Account admin

Password (none)

To connect to the Web-based Manager:

1. On your management computer, configure the Ethernet port with the static IP address
192.168.1.2 with a netmask of 255.255.255.0.

2. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiAnalyzer unit’s
port1.

3. Start your browser and enter the URL https://192.168.1.99.

To support HTTPS authentication, the FortiAnalyzer unit ships with a self-signed security
certificate, which it presents to clients whenever they initiate an HTTPS connection to the
FortiAnalyzer unit. When you connect, depending on your web browser and prior access of
the FortiAnalyzer unit, your browser might display two security warnings related to this
certificate:

• The certificate is not automatically trusted because it is self-signed, rather than being
signed by a valid certificate authority (CA). Self-signed certificates cannot be verified with
a proper CA, and therefore might be fraudulent. You must manually indicate whether or
not to trust the certificate.

• The certificate might belong to another web site. The common name (CN) field in the
certificate, which usually contains the host name of the web site, does not exactly match
the URL you requested. This could indicate server identity theft, but could also simply
indicate that the certificate contains a domain name while you have entered an IP
address. You must manually indicate whether this mismatch is normal or not.

Both warnings are normal for the default certificate.

4. Verify and accept the certificate, either permanently (the web browser will not display the

self-signing warning again) or temporarily. You cannot log in until you accept the certificate.

For details on accepting the certificate, see the documentation for your web browser.

5. In the Name field, type admin, then select Login. (In its default state, there is no password

for this account.)

Login credentials entered are encrypted before they are sent to the FortiAnalyzer unit. If your

login is successful, the Web-based Manager appears.

To continue by updating the firmware, see “Updating the firmware” on page 27. Otherwise,

to continue by configuring the basic settings, see “The operation mode” on page 28.

Connect to the CLI

Using its default settings, you can access the CLI from your management computer in two

ways:

• a local serial console connection

• an SSH connection, either local or through the network

To connect to the CLI using a local serial console connection, you must have:

• a computer with a serial communications (COM) port

• the RJ-45-to-DB-9 serial or null modem cable included in your FortiAnalyzer package

• terminal emulation software, such as HyperTerminal for Microsoft Windows

To connect to the CLI using an SSH connection, you must have:

• a computer with an RJ-45 Ethernet port

• a crossover Ethernet cable

• an SSH client, such as PuTTY

For more information on available CLI commands, see the FortiAnalyzer v4.0 MR3 Patch

Release 7 CLI Reference.

Table 2: Default settings for connecting to the CLI by SSH

Network Interface port1

IP Address 192.168.1.99

SSH Port Number 22

Administrator Account admin

Password (none)

If you are not connecting for the first time, or have not just reset the configuration to its default

state or restored the firmware, administrative access settings may have already been

configured. In this case, access the CLI using the IP address, administrative access protocol,

administrator account and password already configured instead of the default settings.


The following procedure uses Microsoft HyperTerminal. Steps may vary with other terminal
emulators.

To connect to the CLI using a local serial console connection:

1. Using the RJ-45-to-DB-9 or null modem cable, connect your computer’s COM port to the
FortiAnalyzer unit’s console port.

2. Verify that the FortiAnalyzer unit is powered on.

3. On your management computer, start HyperTerminal.

4. On Connection Description, enter a Name for the connection and select OK.

5. On Connect To, from Connect using, select the COM port to which you connected the
FortiAnalyzer unit.

6. Select OK.

7. Select the following Port settings and select OK.

Bits per second 9600

Data bits 8

Parity None

Stop bits 1

Flow control None

8. Press Enter.

The terminal emulator connects to the CLI and the CLI displays a login prompt.

9. Type admin and press Enter twice. (In its default state, there is no password for this
account.)

The CLI displays a prompt, such as:

FortiAnalyzer #

You can now enter commands.

To continue by updating the firmware, see “Updating the firmware” on page 27. Otherwise, to
continue by configuring the basic settings, see “The operation mode” on page 28. For
information about how to use the CLI, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI
Reference.

The following procedure uses PuTTY. Steps may vary with other SSH clients.

To connect to the CLI using an SSH connection:

1. On your management computer, configure the Ethernet port with the static IP address
192.168.1.2 with a netmask of 255.255.255.0.

2. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiAnalyzer unit’s
port1.


3. Verify that the FortiAnalyzer unit is powered on.

4. On your management computer, start your SSH client.

5. In Host Name (or IP Address), type 192.168.1.99.

6. In Port, type 22.

7. From Connection type, select SSH.

8. Select Open.

The SSH client connects to the FortiAnalyzer unit.

The SSH client may display a warning if this is the first time you are connecting to the

FortiAnalyzer unit and its SSH key is not yet recognized by your SSH client, or if you have

previously connected to the FortiAnalyzer unit but it used a different IP address or SSH key.

If your management computer is directly connected to the FortiAnalyzer unit with no network

hosts between them, this is normal.

9. Select Yes to verify the fingerprint and accept the FortiAnalyzer unit’s SSH key. You cannot

log in until you accept the key.

The CLI displays a login prompt.

10. Type admin and press Enter. (In its default state, there is no password for this account.)

The CLI displays a prompt, such as:

FortiAnalyzer #

You can now enter commands.
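The warning in step 8 and the fingerprint check in step 9 are the point at which a client decides whether the unit it reached is the one it expects. The following Python script is an added example, not part of this guide or of any Fortinet software: it computes the fingerprints an SSH client displays for a public key (the SHA256 form that OpenSSH prints, and the colon-separated MD5 form that `ssh-keygen -l -E md5` prints and older clients showed), and keeps a small table of pinned fingerprints so that a later connection can be classified as first contact, a matching key, or a changed key. The key bytes, the `fortianalyzer-sample` comment and the pinned-fingerprint dictionary are constructed for the example; only the 192.168.1.99 address comes from Table 2.

```python
import base64
import hashlib

# Constructed sample data (not real FortiAnalyzer host keys): public-key lines in the
# format an SSH client records in its known_hosts store, built from dummy 32-byte keys.
# The host address is the guide's default management IP (Table 2).
DEFAULT_HOST = "192.168.1.99"


def make_key_line(key_bytes: bytes, comment: str) -> str:
    """Build an OpenSSH-format public-key line for a (dummy) ed25519 key blob."""
    key_type = b"ssh-ed25519"
    blob = (len(key_type).to_bytes(4, "big") + key_type
            + len(key_bytes).to_bytes(4, "big") + key_bytes)
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}"


SHIPPED_KEY_LINE = make_key_line(bytes(range(32)), "fortianalyzer-sample")
# A second constructed key, standing in for "the unit now presents a different key".
REPLACED_KEY_LINE = make_key_line(bytes(range(32, 64)), "fortianalyzer-sample")


def sha256_fingerprint(key_line: str) -> str:
    """OpenSSH-style fingerprint: base64 of SHA-256 over the key blob, padding removed."""
    blob = base64.b64decode(key_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(key_line: str) -> str:
    """Legacy colon-separated MD5 fingerprint, as `ssh-keygen -l -E md5` prints it."""
    blob = base64.b64decode(key_line.split()[1])
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_host_key(known_hosts: dict, host: str, presented_key_line: str) -> str:
    """Interpret the client's warning for this host.

    "first-contact": nothing pinned yet; confirm the fingerprint out of band before
                     selecting Yes (step 9)
    "ok":            the presented key matches the pinned fingerprint
    "changed":       the key differs from the pinned one; find out why (a re-imaged
                     unit, or something on the path between you and it) before accepting
    """
    presented = sha256_fingerprint(presented_key_line)
    recorded = known_hosts.get(host)
    if recorded is None:
        return "first-contact"
    return "ok" if recorded == presented else "changed"


def record_host_key(known_hosts: dict, host: str, key_line: str) -> None:
    """Pin the fingerprint once it has been verified out of band."""
    known_hosts[host] = sha256_fingerprint(key_line)


if __name__ == "__main__":
    pinned = {}
    print(check_host_key(pinned, DEFAULT_HOST, SHIPPED_KEY_LINE))   # first-contact
    print("compare with the client's fingerprint:", sha256_fingerprint(SHIPPED_KEY_LINE))
    record_host_key(pinned, DEFAULT_HOST, SHIPPED_KEY_LINE)
    print(check_host_key(pinned, DEFAULT_HOST, SHIPPED_KEY_LINE))   # ok
    print(check_host_key(pinned, DEFAULT_HOST, REPLACED_KEY_LINE))  # changed
```

The fingerprint to pin should come from a source other than the network session being verified, for example from the administrator who commissioned the unit over the serial console. A "changed" result on a unit that was already pinned is the case the guide describes as a different IP address or SSH key, and it should be explained before the key is accepted.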

If three incorrect login attempts occur in a row, you will be disconnected. Wait for one minute,
then reconnect to attempt the login again.

To continue by updating the firmware, see “Updating the firmware” on page 27. Otherwise, to
continue by configuring the basic settings, see “The operation mode” on page 28. For
information about how to use the CLI, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI
Reference.

Updating the firmware

Your new FortiAnalyzer appliance comes with the latest firmware when shipped. However, if a
new version has been released since your appliance was shipped, you should install it before
you continue the installation.

Fortinet periodically releases FortiAnalyzer firmware updates that include enhancements and
address issues. After you register your FortiAnalyzer unit, FortiAnalyzer firmware is available for
download at https://support.fortinet.com.

Before you can download firmware updates for your FortiAnalyzer unit, you must first register
your FortiAnalyzer unit with Customer Service & Support. For details, go to
https://support.fortinet.com/ or contact Customer Service & Support.

New firmware can also introduce new features which you must configure for the first time.

For information specific to the firmware release version, see the Release Notes available with
that release.


For more information, see “Maintaining Firmware” on page 286.

The operation mode

Once the FortiAnalyzer unit is installed, powered on, physically connected to your network, and

you have connected to either the FortiAnalyzer unit’s Web-based Manager or CLI, you must

configure the operation mode.

The FortiAnalyzer unit has three operation modes: standalone, analyzer, and collector. The
analyzer and collector modes are used together to increase the analyzer’s performance. For
more information, see “Standalone mode” and “Analyzer and collector mode” on page 28.

Standalone mode

The standalone mode is the default mode that supports all FortiAnalyzer features. If your

network log volume is reasonable and does not compromise the performance of your

FortiAnalyzer unit, you can choose this mode.

Figure 2 illustrates the network topology of the FortiAnalyzer unit in standalone mode.

Figure 2: Topology of the FortiAnalyzer unit in standalone mode

(Figure 2 labels: LAN; monitored devices that send logs to the FortiAnalyzer unit for analyzing
and reporting; FortiAnalyzer unit; external SQL database for log storage (optional).)

Analyzer and collector mode

The analyzer and collector modes are used together to increase the analyzer’s performance.
The collector provides a buffer to the analyzer by off-loading the log receiving task from the
analyzer. Since log collection from the connected devices is the dedicated task of the collector,
its log receiving rate and speed are maximized.


In most cases, the volume of logs fluctuates dramatically during a day or week. You can deploy

a collector to receive and store logs during the high traffic periods and transfer them to the

analyzer during the low traffic periods. As a result, the performance of the analyzer is

guaranteed as it will only deal with log insertion and reporting when the log transfer process is

over.

As illustrated in Figure 5: company A has two remote branch networks protected by multiple

FortiGate units. The networks generate large volumes of logs which fluctuate significantly

during a day. It used to have a FAZ-4000A in standalone mode to collect logs from the FortiGate

units and generate reports. To further boost the performance of the FAZ-4000A, the company

deploys a FAZ-400B in collector mode in each branch to receive logs from the FortiGate units

during the high traffic period and transfer bulk logs to the analyzer during the low traffic period.

To set up the analyzer/collector configuration:

1. On the FortiAnalyzer unit, go to System > Dashboard > Status.

2. In the System Information widget, in the Operation Mode row, select Change.

3. Select Analyzer and enter the password for the analyzer server and confirm it.

The FAZ-100 and FAZ-400 series do not support the analyzer mode.

Figure 3: Change operation mode

Accept Real-time Log Forwarding from Collectors

Select to allow collectors to forward logs in real time to the analyzer. Normally, logs are
collected and uploaded on schedule, but you may want some critical logs to be sent
immediately.

Automatically Delete (Reconcile) Real-time Logs During Collector Upload

After the logs are uploaded on schedule, those that were forwarded in real time become
duplicates. Select this option to automatically delete the duplicate logs.

4. Select OK.

5. On the first collector unit, go to System > Dashboard > Status.

6. In the System Information widget, in the Operation Mode row, select Change.

7. Select Collector.

Figure 4: Change operation mode

Remote IP

Enter the IP address of the analyzer unit to which this log collector uploads logs. For example,
100.10.1.2.

Password

Enter the password of the analyzer unit.

Upload Daily at

Select 00:00 to upload logs on a daily basis because network traffic starts to drop from this
time on. During the uploading, if the connection with the analyzer fails, the collector will keep
trying to reconnect until the connection is restored. The collector archives all logs that are
uploaded.

Enable Real-time Forwarding of Priority Logs

Select to upload priority logs in real time, then set the priority level to Critical in Minimum
Severity. This action will upload critical level logs and the logs of the levels before Critical in the
list.

8. Select OK.

9. On the second collector unit, repeat steps 5 to 8.
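To make the interaction between the collector and analyzer options above concrete, here is an added Python model of one collector day (example code, not part of this guide or of the FortiAnalyzer software): every record is archived, records at Minimum Severity or at the levels listed before it are forwarded immediately, the Upload Daily at job sends the whole archive, and the analyzer's reconcile option removes the duplicate copies that real-time forwarding created. The severity ranking, the LogRecord fields and the five sample records are constructed for the example; the guide itself only states that Critical also carries the levels listed before it.

```python
from dataclasses import dataclass, field

# Severity ranking assumed for this example, highest first, following the order in
# which FortiOS lists log levels. The guide only says that choosing Critical also
# uploads "the levels before Critical in the list".
SEVERITY_ORDER = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "information", "debug"]


@dataclass(frozen=True)
class LogRecord:
    logid: str      # identifier assumed unique per record on the originating device
    level: str
    message: str


# Constructed sample records for one day on a collector (not real device output).
SAMPLE_DAY = [
    LogRecord("0001", "information", "traffic allowed"),
    LogRecord("0002", "critical", "IPS signature matched"),
    LogRecord("0003", "warning", "interface flapped"),
    LogRecord("0004", "alert", "admin login from unexpected source"),
    LogRecord("0005", "notice", "configuration saved"),
]


def is_priority(rec: LogRecord, minimum_severity: str) -> bool:
    """True for the minimum severity and every level listed before it."""
    return SEVERITY_ORDER.index(rec.level) <= SEVERITY_ORDER.index(minimum_severity)


@dataclass
class Analyzer:
    reconcile_realtime: bool = True   # Automatically Delete (Reconcile) Real-time Logs
    stored: list = field(default_factory=list)

    def accept(self, rec: LogRecord) -> None:
        self.stored.append(rec)

    def reconcile(self) -> int:
        """Drop the duplicate copies left by real-time forwarding; return how many."""
        if not self.reconcile_realtime:
            return 0
        seen, unique = set(), []
        for rec in self.stored:
            if rec.logid not in seen:
                seen.add(rec.logid)
                unique.append(rec)
        removed = len(self.stored) - len(unique)
        self.stored = unique
        return removed


@dataclass
class Collector:
    minimum_severity: str = "critical"     # Minimum Severity for priority forwarding
    archive: list = field(default_factory=list)

    def receive(self, rec: LogRecord, analyzer: Analyzer) -> bool:
        """Archive every record; forward priority records to the analyzer at once."""
        self.archive.append(rec)
        if is_priority(rec, self.minimum_severity):
            analyzer.accept(rec)
            return True
        return False

    def scheduled_upload(self, analyzer: Analyzer) -> int:
        """The Upload Daily at job: push the whole archive, real-time copies included."""
        for rec in self.archive:
            analyzer.accept(rec)
        return analyzer.reconcile()


def run_day(reconcile: bool, records=SAMPLE_DAY) -> tuple:
    """Return (forwarded in real time, records on the analyzer after upload, duplicates removed)."""
    analyzer = Analyzer(reconcile_realtime=reconcile)
    collector = Collector()
    forwarded = sum(collector.receive(r, analyzer) for r in records)
    removed = collector.scheduled_upload(analyzer)
    return forwarded, len(analyzer.stored), removed


if __name__ == "__main__":
    print("with reconcile:   ", run_day(True))    # (2, 5, 2)
    print("without reconcile:", run_day(False))   # (2, 7, 0)
```

With the reconcile option off, every record that was forwarded in real time appears twice on the analyzer after the nightly upload, which inflates counts in reports; with it on, the analyzer holds exactly one copy of each record while still having seen the critical and alert entries as they arrived.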


Figure 5: Topology of the FortiAnalyzer units in analyzer/collector mode

(Figure 5 labels: two LANs of monitored devices that send logs to collectors; in each LAN, a
FortiAnalyzer unit in collector mode (optimized for storing & forwarding logs); a high-end
FortiAnalyzer unit in analyzer mode; an external SQL database for log storage (optional).)

Changing the administrator password

The default administrator account, named admin, initially has no password.

Unlike other administrator accounts, the admin administrator account exists by default and
cannot be deleted. The admin administrator account is similar to a root administrator account.
This administrator account always has full permission to view and change all FortiAnalyzer
configuration options, including viewing and changing all other administrator accounts. Its
name and permissions cannot be changed.

Before you connect the FortiAnalyzer unit to your overall network, you should configure the
admin account with a password to prevent others from logging in to the FortiAnalyzer and
changing its configuration.

Set a strong password for the admin administrator account, and change the password
regularly. Failure to maintain the password of the admin administrator account could
compromise the security of your FortiAnalyzer unit.


To change the admin administrator password:

1. Go to System > Admin > Administrator.

2. Select the admin administrator account.

3. Select Change Password.

4. In the Old Password field, do not enter anything. (In its default state, there is no password for

the admin account.)

5. In the New Password field, enter a password with sufficient complexity and number of

characters to deter brute force and other attacks.

6. In the Confirm Password field, enter the new password again to confirm its spelling.

7. Select OK.

8. Select Logout.

The FortiAnalyzer appliance logs you out. To continue using the Web-based Manager, you

must log in again. The new password takes effect the next time that administrator account

logs in.

Configuring the system time and date

You can either manually set the FortiAnalyzer system time, or configure the FortiAnalyzer unit to

automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP)

server.

For more information, see “Configuring the system time and date” on page 32.

Configuring basic network settings

When shipped, each network interface associated with a physical network port of the

FortiAnalyzer unit has a default IP address and netmask.

These IP addresses and netmasks may not be compatible with the design of your unique

network. In addition, you must configure the FortiAnalyzer unit with the IP address of your DNS

servers and gateway router.

You can configure these basic network settings to ensure that your FortiAnalyzer unit is

connected to your network:

• Network interfaces: See “Configuring the network interfaces” on page 91.

• DNS settings: See “Configuring DNS” on page 98.

• Default route: See “Configuring static routes” on page 98.

Configuring global settings

System > Config enables you to configure log storage databases and the mail server for alerts

and reports.

This option is available for standalone and analyzer mode only.

For more information, see “Configuring SQL database storage” on page 118 and “Configuring

an email server for alerts & reports” on page 124.


Configuring administrative domains

Administrative Domains (ADOMs) enable the admin administrator to constrain other

FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For

Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data

from a specific device’s VDOM.

For more information, see “Administrative Domains” on page 48.

Connecting to FortiGuard services

After the FortiAnalyzer unit is physically installed and configured to operate on your network, if

you have subscribed to FortiGuard services, connect the FortiAnalyzer unit to the FortiGuard

Distribution Network (FDN).

Connecting your FortiAnalyzer unit to the FDN or override server ensures that your FortiAnalyzer

unit can:

• verify its FortiGuard Vulnerability Management license

• download the latest FortiGuard Vulnerability Compliance Management definition and engine

packages in order to scan hosts and block attacks using the most up-to-date protection

The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). When a

FortiAnalyzer unit connects to the FDN to download FortiGuard engine and definition updates,

by default, it connects to the nearest FDS based on the current time zone setting. You can also

override the FDS to which the FortiAnalyzer unit connects.

Your FortiAnalyzer unit may be able to connect using the default settings. However, you should

confirm this by verifying connectivity.

You must first register the FortiAnalyzer unit with the Customer Service & Support web site,
https://support.fortinet.com/, to receive service from the FDN. The FortiAnalyzer unit must also
have a valid support contract which includes service subscriptions, and be able to connect to
the FDN or the FDS that you will configure to override the default FDS addresses.

Your FortiAnalyzer unit cannot detect the latest vulnerabilities and compliance violations unless
it is licensed and has network connectivity to download current definitions from the FortiGuard
service.

To determine your FortiGuard license status:

1. Go to System > Dashboard > Status.

2. In the License Information widget (Figure 6), look at the status icon to determine the unit’s
license status:

• Expired or Not Registered (orange X icon): At the last attempt, the FortiAnalyzer unit
was able to contact the FDN. However, its FortiGuard license was not valid. To purchase
a license, select Subscribe.

• Licensed (green check mark icon): At the last attempt, the FortiAnalyzer unit was able
to successfully contact the FDN and validate its FortiGuard license.

• Unreachable (grey X icon): Unable to determine license status due to network
connection errors. Check the configuration of the FortiAnalyzer unit and any NAT or
firewall devices that exist between the FortiAnalyzer appliance and the FDN or override
server. For example, you may need to add static routes.

Figure 6: License information widget

To verify FortiGuard update connectivity:

Before performing this procedure, if your FortiAnalyzer appliance connects to the Internet

using a proxy, configure the FortiAnalyzer appliance to connect to the FDN through the proxy

(go to System > Maintenance > FortiGuard).

1. Go to System > Maintenance > FortiGuard.

Figure 7: FortiGuard Distribution Network window


2. If you want your FortiAnalyzer appliance to connect to a specific FDS other than the default

for its time zone, enable Use override server address, and enter the fully qualified domain

name (FQDN) or IP address of the FDS.

3. Select Apply.

4. Select Request Update Now.

The FortiAnalyzer appliance tests the connection to the FDN and, if applicable, the server

you specified to override the default FDN server. The amount of time required varies based

on the speed of the FortiAnalyzer unit’s network connection, and the number of timeouts

that occur before the connection attempt is successful or the FortiAnalyzer appliance

determines that it cannot connect. Test results are indicated in the local logs in

Log & Archive > Log Access > Event, such as this log message:

VCM upgrade: no new update available

which indicates that the connection succeeded.

If the connection test did not succeed due to license issues, you would instead see this log

message:

VCM upgrade: Invalid VM license.

If the connection test did not succeed due to failed connectivity with the proxy, you would

instead see this log message:

VCM upgrade: failed connecting to 192.168.1.10:443

For more troubleshooting information, see the command diagnose debug application fortiguard in the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.
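The three event-log messages quoted above are what an operator looks for after Request Update Now. The following Python snippet is an added example, not from this guide or from the product, that classifies those messages (plus the VM upgrade variant that the guide shows for scheduled updates) and reports the outcome of the newest attempt, so the check can be run against an exported event log instead of read by eye. The sample lines and their timestamps are constructed for the example; the message texts and the proxy address 192.168.1.10:443 are the ones quoted in the guide.

```python
import re
from datetime import datetime

# Constructed event-log lines for this example (not captured from a real unit).
# The message texts are the three the guide quotes; the timestamps are made up.
SAMPLE_EVENT_LOG = [
    "2013-04-12 01:58:02 VCM upgrade: failed connecting to 192.168.1.10:443",
    "2013-04-12 02:00:05 VCM upgrade: Invalid VM license.",
    "2013-04-12 02:10:41 VCM upgrade: no new update available",
]

# Order matters: the first matching pattern wins. "VM upgrade" is the variant the
# guide shows for scheduled updates; both mean the connection succeeded.
PATTERNS = [
    ("ok", re.compile(r"^V(?:C)?M upgrade: no new update available$")),
    ("license", re.compile(r"^VCM upgrade: Invalid VM license\.?$")),
    ("connectivity", re.compile(r"^VCM upgrade: failed connecting to (?P<endpoint>\S+)$")),
]


def classify(message: str):
    """Map one FortiGuard update message to (status, endpoint-or-None)."""
    for status, pattern in PATTERNS:
        match = pattern.match(message)
        if match:
            return status, match.groupdict().get("endpoint")
    return "unknown", None


def parse_event_line(line: str):
    """Split 'YYYY-MM-DD HH:MM:SS message' into (datetime, message)."""
    stamp, message = line[:19], line[20:]
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), message


def latest_update_status(lines) -> dict:
    """Report the newest attempt, which is the one the operator has to act on."""
    latest = None
    for line in lines:
        when, message = parse_event_line(line)
        if latest is None or when > latest["when"]:
            status, endpoint = classify(message)
            latest = {"when": when, "status": status, "endpoint": endpoint}
    return latest or {"when": None, "status": "no-attempts", "endpoint": None}


def status_counts(lines) -> dict:
    """Tally outcomes over a whole export, useful for spotting a flapping proxy."""
    counts = {}
    for line in lines:
        status, _ = classify(parse_event_line(line)[1])
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    print(latest_update_status(SAMPLE_EVENT_LOG))   # status "ok" at 02:10:41
    print(status_counts(SAMPLE_EVENT_LOG))          # {'connectivity': 1, 'license': 1, 'ok': 1}
```

A "connectivity" result carries the host:port the unit could not reach, which is the proxy or override server to check first; a "license" result points at registration and the support contract rather than at the network.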

Configuring scheduled updates

You can configure the FortiAnalyzer unit to periodically request FortiGuard Vulnerability

Compliance Management (VCM) engine and definition updates from the FDN or override server.

You can manually initiate updates as alternatives or in conjunction with scheduled updates. For

additional/alternative update methods, see “Manually requesting updates” on page 36.

For example, you might schedule updates every night at 2 AM, or weekly on Sunday, when

traffic volume is light.

To configure scheduled updates:

Before scheduling updates, verify that the FortiAnalyzer unit has a valid license and can connect

to the FDN or override server. For details, see “To determine your FortiGuard license status:” on

page 33 and “To verify FortiGuard update connectivity:” on page 34.

1. Go to System > Maintenance > FortiGuard (Figure 7 on page 34).

2. Under Vulnerability Management, enable Scheduled Update.

3. Select one of the following:

Every Select to request updates once per interval, in hours.

Daily Select to request updates once a day, then configure the time of day.

Weekly Select to request updates once a week, then configure the day of the

week and the time of day.


4. Select Apply.

The FortiAnalyzer unit next requests an update according to the schedule. If you have

enabled logging, when the FortiAnalyzer unit requests an update, the event is recorded in

the local logs in Log & Archive > Log Access > Event, such as this log message:

VM upgrade: no new update available

Manually requesting updates

You can manually trigger the FortiAnalyzer unit to connect to the FDN or override server to

request available updates for its FortiGuard packages.

You can manually initiate updates as an alternative or in addition to other update methods. For

details, see “Configuring scheduled updates” on page 35.

To manually request updates:

Before manually initiating an update, first verify that the FortiAnalyzer appliance has a valid

license and can connect to the FDN or override server. For details, see “To determine your

FortiGuard license status:” on page 33 and “To verify FortiGuard update connectivity:” on

page 34.

1. Go to System > Maintenance > FortiGuard (Figure 7 on page 34).

2. Under Vulnerability Management, select Request Update Now.

The Web-based Manager displays the following message:

3. Select OK.

The page refreshes.

4. After a few minutes, select the FortiGuard submenu to refresh the page, or go to System >

Dashboard > Status and look at the License Information widget.

If an update was available, the packages that were updated have new version numbers. If

you have enabled logging, when the FortiAnalyzer unit requests an update, the event is

recorded in the local logs in Log & Archive > Log Access > Event Log, such as this log

message:

VCM upgrade: no new update available


Collecting device logs

The power of the FortiAnalyzer unit centers on reporting and network analysis capability

collated from log data. The FortiAnalyzer unit can collect log messages from multiple FortiGate,

FortiManager, FortiClient, FortiMail, and FortiWeb devices and syslog servers, to enable you to

generate many different report types from the log data.

If you have an analyzer/collector setup, your analyzer will collect logs from the collector, which in

turn collects logs from the devices and transfers them to the analyzer. In this case, you need to

configure the collector and the devices for log collection. For more information on

analyzer/collector setup, see “Analyzer and collector mode” on page 28.

This section describes a simple example you can use to test the installation by configuring the

FortiAnalyzer unit and a FortiGate unit for log collection. For information on collecting log data

from other Fortinet products, see “Devices” on page 155.

To collect logs from a FortiGate unit, you must do the following:

• Configuring FortiAnalyzer connection attempt handling

• Configuring disk quota and device privileges

• Configuring a FortiGate unit to send logs to the FortiAnalyzer unit

Configuring FortiAnalyzer connection attempt handling

On the FortiAnalyzer unit, you can control how to deal with other devices’ connection attempts.

For more information, see “Configuring unregistered device options” on page 167.

Configuring disk quota and device privileges

If you choose to allow and automatically register known devices when you configure the

FortiAnalyzer’s device connection attempt handling settings, once a FortiGate unit begins

sending log data to the FortiAnalyzer unit, the FortiGate unit will be automatically added to the

allowed device list. You can then configure the following settings for the FortiGate unit.

To configure disk quota and privileges for a FortiGate unit:

1. On the FortiAnalyzer unit, go to Devices > All Devices > Allowed.

Figure 8: Allowed devices window

2. Select the FortiGate device from the device list and select the Edit icon.


Figure 9: Edit device window

3. Configure the Disk Allocation quota to be used by the FortiGate device.

4. Configure the Device Privileges settings to allow the FortiGate unit to send and view its log

files, archived content, and quarantined files.

5. Select OK.

For more information, see “Configuring connections with devices & their disk space quota” on

page 155.

Configuring a FortiGate unit to send logs to the FortiAnalyzer unit

A FortiGate unit must be configured to send log messages to a FortiAnalyzer unit. This

configuration can occur before or after the FortiAnalyzer unit’s configuration to receive those

logs.

The following procedure uses the default options and configures a FortiGate unit running

FortiOS v4.0.

Remotely accessing logs, content logs, and quarantined files is available on FortiGate units

running firmware v4.0 or later.

Due to the nature of connectivity for certain HA modes, full content archiving and quarantining

may not be available for FortiGate units in an HA cluster. For details, see the FortiOS 4.0

Handbook.


To send FortiGate logs to a FortiAnalyzer unit:

1. On the FortiGate unit, go to Log & Report > Log Config > Log Setting.

2. Select the Expand Arrow for Remote Logging and Archiving to expand the options.

3. Select FortiAnalyzer and enter the IP Address of the FortiAnalyzer unit.

4. Select a security level to log.

5. Select Apply.

For more information on the logging options, see the Log & Report chapter in the FortiGate v4.0

MR3 Administration Guide.

Configuring log types

You must also configure the FortiGate unit for the type of data that you want the FortiGate unit

to log and send to the FortiAnalyzer unit. There are two main locations for configuring log types:

• configure the event logs by going to Log & Report > Log Config > Event Log.

• enable feature logs by going to Firewall > Protection Profile, and editing a profile.

Further reading

The FortiGate unit and FortiAnalyzer unit are now configured to send and receive log

information. Using this log collection, you can view traffic and vulnerability statistics, and run

reports from a selection of over 200 reports in 15 categories.

To help you in further configuration and data analysis, see these other Fortinet documents,

available from the Technical Documentation web site, http://docs.fortinet.com.

• This guide includes further configuration and technical information on your FortiAnalyzer

unit.

• FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference describes all the CLI commands you

can use to configure the FortiAnalyzer unit.

• FortiAnalyzer v4.0 MR3 Log Reference describes the FortiAnalyzer local log messages,

which can be used for analysis and troubleshooting purposes.

• FortiOS v4.0 MR3 Handbook includes steps for enabling the various logging options and

details on the logging levels.

• FortiOS v4.0 MR3 Log Message Reference describes what each log message means and its components.


Testing the setup

When the setup is complete, test it by forming connections between your FortiAnalyzer unit and network hosts at various points within your network topology, such as:

• Devices in the device list such as FortiGate, FortiCarrier, FortiMail, or FortiWeb units;

• FDN servers for FortiGuard services;

• DNS server;

• NTP server, if any;

• Authentication servers, if any;

• SMTP email server for alerts, if any;

• LDAP servers for report queries, if any;

• SNMP manager for traps and queries, if any;

• Remote SQL database server, if any;

• Syslog servers for alerts or log forwarding, if any;

• FortiAnalyzer units acting as aggregators or collectors, if any.

To test connections with devices, you must configure each device to send logs, and then cause

some kind of event that will trigger a log.

If the FortiAnalyzer unit is operating as a log aggregator, your test should include receiving logs

from other FortiAnalyzer units.
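The hosts listed above are normally checked one at a time with ping from the FortiAnalyzer CLI. The following script is an added example, not part of this guide or of the FortiAnalyzer product: run from a management host on the same network, it opens a TCP connection to each service port instead of relying on ICMP, so a network that drops ping does not produce a false "unreachable", and it separates a refused connection (host up, service not listening) from a timeout (filtered or no route). The host names in INVENTORY and the service ports are assumptions standing in for a real deployment; the FortiGate-to-FortiAnalyzer port is given as TCP 514 (OFTP), the usual default. UDP services such as NTP, SNMP and UDP syslog cannot be verified this way.

```python
"""TCP reachability check for the hosts a FortiAnalyzer unit must talk to.

Added example, not code from the FortiAnalyzer guide. Host names and ports
in INVENTORY are assumptions; replace them with the real deployment's values.
"""
import socket
from dataclasses import dataclass

# Constructed inventory: role -> (host, tcp_port). Ports are common defaults
# and are assumptions; UDP-only services (NTP, SNMP, UDP syslog) are omitted.
INVENTORY = {
    "FortiGate log source (OFTP)": ("fortigate.example.net", 514),
    "DNS server (TCP fallback)": ("dns.example.net", 53),
    "LDAP server for report queries": ("ldap.example.net", 389),
    "SMTP server for alerts": ("smtp.example.net", 25),
    "Remote SQL database": ("db.example.net", 3306),
}


@dataclass
class CheckResult:
    host: str
    port: int
    reachable: bool
    detail: str


def check_tcp(host: str, port: int, timeout: float = 3.0) -> CheckResult:
    """Try a TCP connect to host:port and classify the outcome.

    Unlike ping this exercises the port the service really listens on, so a
    network that filters ICMP cannot make a working host look dead. A refused
    connection means the host answered but nothing listens there; a timeout
    usually means a filter or routing problem somewhere on the path.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return CheckResult(host, port, True, "connected")
    except socket.timeout:
        return CheckResult(host, port, False, "timeout (filtered or no route)")
    except ConnectionRefusedError:
        return CheckResult(host, port, False, "refused (host up, port closed)")
    except OSError as exc:  # name resolution failure, network unreachable, ...
        return CheckResult(host, port, False, f"error: {exc.strerror or exc}")


def check_inventory(inventory=INVENTORY, timeout: float = 3.0):
    """Run check_tcp over every entry; returns {role: CheckResult}."""
    return {role: check_tcp(h, p, timeout) for role, (h, p) in inventory.items()}


# Helpers so the check can be exercised offline on the loopback interface.

def start_local_listener():
    """Listen on an ephemeral loopback port; returns (port, close_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv.getsockname()[1], srv.close


def unused_local_port() -> int:
    """Bind and release a port so that (almost certainly) nothing listens on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for role, result in check_inventory().items():
        status = "OK  " if result.reachable else "FAIL"
        print(f"{status} {role}: {result.host}:{result.port} ({result.detail})")
```

Run it once right after the initial setup and keep the output with the "clean" configuration backup described later in this chapter; a later failure can then be compared against a known-good baseline of which services answered.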

Troubleshooting tools

To locate network errors and other issues that may prevent logs from passing to or through the

FortiAnalyzer unit, FortiAnalyzer units feature several troubleshooting tools. You may also be

able to perform additional tests from your management computer or the computers of SMTP

clients and servers.

This section includes the following topics:

• Ping and traceroute

• Log messages

• Packet capture

Ping and traceroute

If your FortiAnalyzer unit cannot connect to other hosts, you may be able to use ICMP (ping and

traceroute) to determine if the host is reachable or locate the node of your network at which

connectivity fails, such as when static routes are incorrectly configured. You can do this from

the FortiAnalyzer unit using CLI commands.

For example, you might use ICMP ping to determine that 172.16.1.10 is reachable. (The command you type appears after the FortiAnalyzer # prompt; the lines that follow are the FortiAnalyzer unit’s response.)

FortiAnalyzer # execute ping 172.16.1.10
PING 172.16.1.10 (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=64 time=2.4 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=64 time=0.8 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=64 time=1.4 ms

--- 172.16.1.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/1.4/2.4 ms

or that 192.168.1.10 is not reachable:

FortiAnalyzer # execute ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
Timeout ...
Timeout ...
Timeout ...
Timeout ...
Timeout ...

--- 192.168.1.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

If the host is not reachable, you can use traceroute to determine the router hop or host at which the connection fails:

FortiAnalyzer # execute traceroute 192.168.1.10
traceroute to 192.168.1.10 (192.168.1.10), 32 hops max, 72 byte packets
 1 192.168.1.2 2 ms 0 ms 1 ms
 2 * * *

Both ping and traceroute require that network nodes respond to ICMP. If you have disabled responses to ICMP on your network, hosts may appear to be unreachable to ping and traceroute even if connections using other protocols can succeed.

When you test log delivery from a device, keep in mind that if the device keeps a local log buffer for performance reasons, and only sends logs periodically or when the buffer is full, you may need to generate multiple logs and/or wait for the FortiAnalyzer unit to receive the log message from the remote device. For information on periodic log uploads or buffering behavior, consult the documentation for each device.

For more information on CLI commands, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.

Log messages

Log messages often contain clues that can aid you in determining the cause of a problem. FortiAnalyzer units can record log messages when errors occur that cause failures, upon significant changes, and upon processing events.

Depending on the type, log messages may appear in one of several log files. For example:

• To determine when and why a FortiGuard update connection failed, you might examine the Message field in the event log.

• To determine why an email was blocked by a firewall, you might examine logs whose Type field is dlp in the UTM log.


During troubleshooting, you may find it useful to reduce the logging severity threshold for more

verbose logs to include more information on less severe events.

For example, when the FortiAnalyzer unit cannot reach the FDN or override server for

FortiGuard updates, the associated log message in the event log has a severity level of Error. If

your severity threshold is currently greater than Error (such as Critical or Alert), the Alert

Message Console widget in the Web-based Manager will not record that log message, and you

will not be notified of the error. Often this error might occur due to temporary connectivity

problems and is not critical. However, if you are frequently encountering this issue, you may

want to lower the severity threshold to determine how often the issue is occurring and whether

the cause of the problem is persistent.

Packet capture

Packet capture, also known as sniffing, records some or all of the packets seen by a network

interface. By recording packets, you can trace connection states to the exact point at which

they fail, which may help you to diagnose some types of problems that are otherwise difficult to

detect.

FortiAnalyzer units have a built-in sniffer. Packet capture on FortiAnalyzer units is similar to that

of FortiGate units. To use the built-in sniffer, connect to the CLI and enter the following

command:

diagnose sniffer packet [<interface_name>] [{none | '<filter_str>'}] [{1 | 2 | 3}] [<count_int>]

where:

• <interface_name> is the name of a network interface, such as port1, or any for all interfaces.

• '<filter_str>' is the sniffer filter that specifies the protocols and port numbers that you do or do not want to capture, such as 'tcp port 25', or none for no filters.

• {1 | 2 | 3} is an integer indicating the depth of packet headers and payloads to display.

• <count_int> is the number of packets the sniffer reads before stopping. Packet capture

output is printed to your CLI display until you stop it by pressing Ctrl + C, or until it reaches

the number of packets that you have specified to capture.

For example, you might capture all TCP port 443 (typically HTTPS) traffic occurring through port1, regardless of its source or destination IP address. The capture uses a high level of verbosity (indicated by 3).

A specific number of packets to capture is not specified. As a result, the packet capture continues until the administrator presses Ctrl + C. The sniffer then confirms that five packets were seen by that network interface.

(Verbose output can be very long. As a result, the output shown below is truncated after only one packet. The command you type appears after the FortiAnalyzer # prompt; the lines that follow are the FortiAnalyzer unit’s response.)

FortiAnalyzer # diagnose sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000   0009 0f09 0001 0009 0f89 2914 0800 4500   ..........)...E.
0x0010   003c 73d1 4000 4006 3bc6 d157 fede ac16   .<s.@.@.;..W....
0x0020   0ed8 c442 01bb 2d66 d8d2 0000 0000 a002   ...B..-f........
0x0030   16d0 4f72 0000 0204 05b4 0402 080a 03ab   ..Or............
0x0040   86bb 0000 0000 0103 0303                  ..........

Packet capture can be very resource intensive. To minimize the performance impact on your FortiAnalyzer unit, use packet capture only during periods of minimal traffic, with a serial console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.

Instead of reading packet capture output directly in your CLI display, you should usually save the output to a plain text file using your CLI client. Saving the output provides several advantages: packets can arrive more rapidly than you may be able to read them in the buffer of your CLI display, and many protocols transfer data using encodings other than US-ASCII. It is usually preferable to analyze the output by loading it into a network protocol analyzer application such as Wireshark (http://www.wireshark.org/).

For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer output.

Methods may vary. See the documentation for your CLI client.

Requirements:

• terminal emulation software such as PuTTY

• a plain text editor such as Notepad

• a Perl interpreter

• network protocol analyzer software such as Wireshark

To view packet capture output using PuTTY and Wireshark:

1. On your management computer, start PuTTY.

2. Use PuTTY to connect to the FortiAnalyzer appliance using either a local serial console,

SSH, or Telnet connection. For details, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI

Reference.

3. Type the packet capture command, such as:

diagnose sniffer packet port1 'tcp port 25' 3

but do not press Enter yet.

4. In the upper left corner of the window, select the PuTTY icon to open its drop-down menu,

then select Change Settings.

Figure 10: PuTTY console window

A dialog appears where you can configure PuTTY to save output to a plain text file.

5. In the Category tree on the left, go to Session > Logging.

6. In Session logging, select Printable output.

7. In Log file name, select the Browse button, then choose a directory path and file name such

as C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain

text file. (You do not need to save it with the .log file extension.)

8. Select Apply.

9. Press Enter to send the CLI command to the FortiAnalyzer unit, beginning packet capture.

10. If you have not specified a number of packets to capture, when you have captured all packets that you want to analyze, press Ctrl + C to stop the capture.

11. Close the PuTTY window.

12. Open the packet capture file using a plain text editor such as Notepad.

Figure 11: Packet capture in Notepad

13. Delete the first and last lines, which look like this:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=

FortiAnalyzer-2000 #

These lines are a PuTTY timestamp and a command prompt, which are not part of the

packet capture. If you do not delete them, they could interfere with the script in the next

step.

14. Convert the plain text file to a format recognizable by your network protocol analyzer application.

You can convert the plain text file to a format (.pcap) recognizable by Wireshark using the

fgt2eth.pl Perl script. To download fgt2eth.pl, see the Knowledge Base article Using the

FortiOS built-in packet sniffer.

To use fgt2eth.pl, open a command prompt, then enter a command such as the following:

fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap

where:

• fgt2eth.pl is the name of the conversion script; include the path relative to the current

directory, which is indicated by the command prompt

• packet_capture.txt is the name of the packet capture’s output file; include the

directory path relative to your current directory

• packet_capture.pcap is the name of the conversion script’s output file; include the

directory path relative to your current directory where you want the converted output to

be saved.

Figure 12: Converting sniffer output to .pcap format

The fgt2eth.pl script is provided as-is, without any implied warranty or technical support, and requires that you first install a Perl interpreter for your operating system.

Methods to open a command prompt vary by operating system.

On Windows XP, go to Start > Run and enter cmd.

On Windows 7, select the Start (Windows logo) menu to open it, then enter cmd.

15. Open the converted file in your network protocol analyzer application. For further instructions, see the documentation for that application.

Figure 13: Viewing sniffer output in Wireshark

For additional information on packet capture, see the Knowledge Base article Using the FortiOS

built-in packet sniffer.

For more information on CLI commands, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI

Reference.
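Steps 13 and 14 above hand the PuTTY session log to fgt2eth.pl. The Python below is an added example that performs the same conversion without Perl; it is not the fgt2eth.pl script and not code from this guide. It reads the verbosity-3 sniffer text (a summary line followed by hex-dump lines), rebuilds each frame’s bytes, ignores lines that are not part of the capture (the PuTTY timestamp line and the CLI prompt, so the manual deletion in step 13 becomes unnecessary), and writes a classic libpcap file that Wireshark opens directly. A small decoder then cross-checks the rebuilt frame against its Ethernet, IPv4 and TCP headers. SAMPLE_CAPTURE is constructed: its hex dump is the frame shown earlier in this section, wrapped in the PuTTY log lines from step 13, with the summary line rewritten so that its addresses match those actually encoded in the bytes.

```python
"""Convert 'diagnose sniffer packet ... 3' text to pcap.

Added example; not the Fortinet fgt2eth.pl script and not code from the
FortiAnalyzer guide. SAMPLE_CAPTURE is a constructed PuTTY session log.
"""
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample: one frame from a verbosity-3 capture on port1, wrapped
# in the PuTTY log banner and CLI prompt that step 13 would otherwise delete.
SAMPLE_CAPTURE = (
    "=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=\n"
    "FortiAnalyzer # diagnose sniffer packet port1 'tcp port 443' 3\n"
    "interfaces=[port1]\n"
    "filters=[tcp port 443]\n"
    "10.651905 209.87.254.222.50242 -> 172.22.14.216.443: syn 761714898\n"
    "0x0000\t 0009 0f09 0001 0009 0f89 2914 0800 4500\t..........)...E.\n"
    "0x0010\t 003c 73d1 4000 4006 3bc6 d157 fede ac16\t.<s.@.@.;..W....\n"
    "0x0020\t 0ed8 c442 01bb 2d66 d8d2 0000 0000 a002\t...B..-f........\n"
    "0x0030\t 16d0 4f72 0000 0204 05b4 0402 080a 03ab\t..Or............\n"
    "0x0040\t 86bb 0000 0000 0103 0303\t..........\n"
    "FortiAnalyzer # \n"
)

# Summary line: "<seconds since capture start> <src> -> <dst>: <info>"
HEADER_RE = re.compile(r"^(\d+\.\d+)\s+\S+\s+->\s+\S+:\s*(.*)$")
# Hex-dump line: "0x0010<tab> 003c 73d1 ...<tab>ASCII". Only space-separated
# 4-digit words are taken (at most 8, i.e. 16 bytes per line), so the ASCII
# column is not mistaken for data; the offset check in the parser catches the
# rare case where it would be.
HEX_RE = re.compile(r"^0x([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{4} ?){1,8})")

Packet = Tuple[float, str, bytes]  # (relative timestamp, summary, frame bytes)


def parse_sniffer_text(text: str) -> List[Packet]:
    """Rebuild frames from sniffer output; prompts and banners are ignored."""
    packets: List[Packet] = []
    ts, summary, chunks = None, "", []

    def flush():
        if ts is not None and chunks:
            packets.append((ts, summary, b"".join(chunks)))

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flush()
            ts, summary, chunks = float(m.group(1)), m.group(2).strip(), []
            continue
        m = HEX_RE.match(line)
        if m and ts is not None:
            # each line's offset must equal the bytes collected so far
            if int(m.group(1), 16) != sum(len(c) for c in chunks):
                raise ValueError(f"hex dump offset out of sequence: {line!r}")
            chunks.append(bytes.fromhex(m.group(2).replace(" ", "")))
    flush()
    return packets


PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def to_pcap(packets: List[Packet]) -> bytes:
    """Serialise frames as a classic little-endian libpcap file.

    The sniffer's timestamps count from the start of the capture, so Wireshark
    shows them as seconds after 1970-01-01; ordering and deltas are preserved.
    """
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, _summary, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def convert(text: str) -> bytes:
    return to_pcap(parse_sniffer_text(text))


def summarize_tcp(frame: bytes) -> Dict[str, object]:
    """Decode just enough Ethernet/IPv4/TCP to check a frame against its summary line."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    flags = tcp[13]
    return {
        "src": ".".join(map(str, ip[12:16])) + f":{sport}",
        "dst": ".".join(map(str, ip[16:20])) + f":{dport}",
        "seq": seq,
        "syn": bool(flags & 0x02),
        "ack": bool(flags & 0x10),
        "ip_total_length": struct.unpack("!H", ip[2:4])[0],
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    dest = sys.argv[2] if len(sys.argv) > 2 else "packet_capture.pcap"
    pkts = parse_sniffer_text(text)
    with open(dest, "wb") as fh:
        fh.write(to_pcap(pkts))
    for ts, summary, frame in pkts:
        print(f"{ts:.6f} {summary:<16} {len(frame):3d} bytes {summarize_tcp(frame)}")
```

Usage: python sniffer2pcap.py packet_capture.txt packet_capture.pcap, then open the .pcap in Wireshark. Verbosity 3 is required because only that level prints the hex dump; levels 1 and 2 print the summary line alone, from which no frame can be rebuilt.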

Backing up the configuration

Once you have tested your basic setup and verified that it functions correctly, create a backup.

This “clean” backup can be used to:

• troubleshoot a non-functional configuration by comparing it with this functional baseline

• rapidly restore your installation to a simple yet functional point.

Your deployment’s configuration is comprised of a few separate components. To make a

complete configuration backup, you must include all of the following:

• core configuration file (see “To back up the configuration file:” on page 47)

• configuration files of the web servers on each virtual or physical host (for a suitable backup

method, see the documentation for the host’s operating system or your preferred third-party

backup software).

Configuration backups do not include data such as logs and reports.


To back up the configuration file:

1. Log in to the Web-based Manager as the admin administrator.

Other administrator accounts do not have the required permissions.

2. Go to System > Maintenance > Backup & Restore.

Figure 14: Backup and restore window

3. In the Backup area, select Backup.

Your browser downloads the configuration file and saves it to your local PC. Time required

varies by the size of the configuration and the specifications of the appliance’s hardware as

well as the speed of your network connection, but could take several minutes.

For more information, see “Backing up your configuration” on page 287.


Administrative Domains

Administrative domains (ADOMs) enable the admin administrator to constrain other

FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For

FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict access to only data

from a specific FortiGate VDOM.

Enabling ADOMs alters the structure and available functionality of the Web-based Manager and

CLI according to whether or not you are logging in as the admin administrator, and, if you are

not logging in as the admin administrator, the administrator account’s assigned access profile.

• If ADOMs are enabled and you log in as admin, you first access the Global ADOM where

you have full access to the menus, except the Report menu, and can configure other

ADOMs in System > ADOM > ADOM. At the end of the menu list, the Current ADOM menu

appears, enabling you to enter into another ADOM or return to the Global ADOM.

The Global ADOM contains settings used by the FortiAnalyzer unit itself, as well as settings

shared by ADOMs, such as the device list, RAID, and administrator accounts. It does not

include ADOM-specific settings or data, such as logs and reports. When configuring other

administrator accounts, an additional option appears allowing you to restrict other

administrators to an ADOM. For more information, see “Assigning administrators to an

ADOM” on page 55. The admin administrator can further restrict other administrators’

access to specific configuration areas within their ADOM by using access profiles. For more

information, see “Configuring access profiles” on page 110.

ADOMs are not supported on FAZ-100B and FAZ-100C models.

Table 3: Characteristics of the CLI and Web-based Manager when ADOMs are enabled

                                                      admin administrator account   Other administrators
Access to Global Configuration                        Yes                           No
Access to Administrative Domain Configuration
(can create ADOMs)                                    Yes                           No
Can create administrator accounts                     Yes                           No
Can enter all ADOMs                                   Yes                           No

By default, some menus are hidden. To make them visible, you can enable the menus in System

> Admin > Settings. See “To enable ADOMs:” on page 49 for more information.


• If ADOMs are enabled and you log in as any other administrator, you enter the ADOM

assigned to your account. You can only access the menu items assigned to you in your

access profile. You cannot access the Global ADOM or enter other ADOMs.

By default, administrator accounts other than the admin account are assigned to the root

ADOM, which includes all devices in the device list. By creating ADOMs that contain a

subset of devices in the device list, and assigning them to administrator accounts, you can

restrict other administrator accounts to a subset of the FortiAnalyzer unit’s total devices or

VDOMs.

The maximum number of ADOMs varies by FortiAnalyzer model. For details, see “Maximum

Value Matrix” on page 318.

This chapter includes the following:

• Configuring ADOMs

• Accessing ADOMs as the admin administrator

• Assigning administrators to an ADOM

Configuring ADOMs

ADOMs are disabled by default.

To use ADOMs:

1. Log in as admin.

Other administrators cannot enable, disable, or configure ADOMs.

2. Enable the feature by going to System > Admin > Settings. See “To enable ADOMs:” on

page 49.

3. Create ADOMs by going to System > ADOM > ADOM. See “Add or edit an ADOM:” on

page 51.

4. Assign other FortiAnalyzer administrators to an ADOM by going to System > Admin >

Administrator. See “To assign an administrator to an ADOM:” on page 56.

To enable ADOMs:

1. Log in as admin.

Other administrators cannot enable, disable, or configure ADOMs.

2. Go to System > Admin > Settings.

3. Enable (select) Admin Domain Configuration.

ADOMs are not supported on FAZ-100B and FAZ-100C models.

Enabling ADOMs moves non-global configuration items to the root ADOM. Back up the

configuration before beginning the following procedure. For more information about backing up

your configuration, see “Maintaining Firmware” on page 286.

Figure 15: Enabling ADOM configuration

4. Select Apply.

A confirmation dialog box appears.

5. Select OK.

The FortiAnalyzer unit logs you out.

6. To confirm that ADOMs are enabled, log in again as admin.

System > ADOM should now be available. At the end of the menu list, the Current ADOM

menu also appears, enabling you to enter into an ADOM or return to the Global ADOM.

Continue with “Add or edit an ADOM:” on page 51 to create ADOMs.

If other administrators are also logged in at the same time, they will not be automatically logged

out. Notify them that ADOMs have been enabled, and that they may need to log out and log in

again for display changes to take effect.

Figure 16: FortiAnalyzer system menu

Add or edit an ADOM:

Before you can add an ADOM, you must first enable the feature. For details, see “To enable

ADOMs:” on page 49.

1. From Current ADOM in the left-hand navigation menu, select Global.

2. Go to System > ADOM > ADOM.

Figure 17: Create new ADOM

3. Select Create New, or, to modify an existing ADOM, mark its check box, then select Edit.

Figure 18: New Administrative Domain window


4. In the Name field, type a name for the ADOM.

This field cannot be modified if you are editing an existing entry. To modify the name, delete

the entry, then recreate it using the new name.

5. From Available Devices, select which devices to associate with the ADOM, then select the

right arrow to move them to Selected Devices.

You can move multiple devices at once. To select multiple devices, select the first device,

then hold the Shift key while selecting the last device in a continuous range, or hold the Ctrl

key while selecting each additional device.

To remove a device from Selected Devices, select one or more devices, then select the left

arrow to move them to Available Devices.

6. If the ADOM includes a FortiGate unit, and you want to include only a specific VDOM, enable

Restrict to Virtual Domain(s), then enter the VDOM name. If the ADOM includes a FortiMail

unit and you want to include only a specific email domain, enable and configure Restrict to

Email Domain(s).

7. Select OK.

Continue with “Assigning administrators to an ADOM” on page 55.

To disable ADOMs:

1. From Current ADOM in the left-hand navigation menu, select Global.

Figure 19: Switching to the global ADOM

2. Go to System > ADOM > ADOM.

3. Mark the check boxes next to each ADOM except root (Management Administrative

Domain), then select Delete.

Back up the configuration before beginning this procedure. Deleting ADOMs, which can occur

when disabling the ADOM feature, removes administrator accounts assigned to ADOMs other

than the root ADOM. For more information, see “Maintaining Firmware” on page 286.

If you do not wish to delete these administrator accounts, assign them to the root ADOM

before disabling ADOMs.

Figure 20: Administrative Domain name

If any other ADOMs except the root ADOM remain, the option to disable ADOMs will not

appear.

4. Go to System > Admin > Settings.

5. Disable (deselect) Admin Domain Configuration.

You cannot delete an ADOM if an administrator is currently assigned to it. You must first

reassign the administrator to the root ADOM (see “Assigning administrators to an ADOM” on

page 55).

Figure 21: Administrative settings window

6. Select Apply.

A confirmation dialog box appears.

7. Select OK.

The FortiAnalyzer unit logs you out.


Accessing ADOMs as the admin administrator

When ADOMs are enabled, additional ADOM items become available to the admin

administrator and the structure of the web-based manager menu changes. After logging in,

other administrators implicitly access the subset of the Web-based Manager that pertains only

to their ADOM, while the admin administrator accesses the root of the Web-based Manager

and can use all menus. The admin administrator must explicitly enter the part of the Web-based

Manager that contains an ADOM’s settings and data to configure items specific to an ADOM.

To access an ADOM:

1. Log in as admin.

Other administrators can access only the ADOM assigned to their account.

2. From Current ADOM in the left-hand navigation menu, select the name of the ADOM that

you want to enter.

Figure 22: FortiAnalyzer system window

The ADOM-specific menu subset appears. While in this menu subset, any changes you

make affect this ADOM only, and do not affect devices in other ADOMs or global

FortiAnalyzer unit settings.

You can return to global settings by selecting Global from Current ADOM.

Assigning administrators to an ADOM

The admin administrator can create other administrators and assign an ADOM to their account,

constraining them to configurations and data that apply only to devices in their ADOM.

By default, when ADOMs are enabled, existing administrator accounts other than admin are

assigned to the root ADOM, which contains all devices in the device list. For more information

about creating other ADOMs, see “Configuring ADOMs” on page 49.

The admin administrator account cannot be restricted to an ADOM.


To assign an administrator to an ADOM:

1. Log in as admin.

Other administrators cannot configure administrator accounts when ADOMs are enabled.

2. From Current ADOM in the left-hand navigation menu, select Global (see Figure 19 on

page 52).

3. Go to System > Admin > Administrator.

Figure 23: FortiAnalyzer system menu

4. Configure the administrator account as described in “Configuring administrator accounts”

on page 107. In Admin Domain, select which ADOM the administrator will be allowed to

access.


System

The System menu displays a dashboard with widgets that indicate statuses and perform basic

functions, such as rebooting the FortiAnalyzer unit.

This menu also contains submenus that enable you to make configuration backups, and

configure administrator accounts, system time, network and FortiGuard connectivity, and other

system-wide features such as RAID and log forwarding.

This topic includes:

• Viewing the dashboard

• Configuring network settings

• Configuring network shares

• Configuring administrator related settings

• Configuring the Web-based Manager’s global settings

• Monitoring administrators

• Configuring log storage & query features

• Backing up the configuration and installing firmware

• Scheduling & uploading vulnerability management updates

• Migrating data from one FortiAnalyzer unit to another

• Importing a local server certificate

Viewing the dashboard

When you log in to the FortiAnalyzer Web-based Manager, it automatically opens at the System

> Dashboard > Status page; see Figure 24.

The Dashboard page displays widgets that provide performance and status information, and

enable you to configure basic system settings. The dashboard also contains a CLI widget that

enables you to use the command line through the Web-based Manager. These widgets appear

on a single dashboard.

Figure 24: FortiAnalyzer system dashboard

Customizing the dashboard

The dashboard is customizable. You can select which widgets to display, where they are

located on the page, and whether they are minimized or maximized. You can also create

additional dashboards.

To add a dashboard

To add a dashboard, select Dashboard, then select Add Dashboard and type its name. The

dashboard is added to the left-hand navigation menu. (For example, for a dashboard named

“Summary Reports”, System > Dashboard > Summary Reports would be added to the menu.)

The new dashboard is empty until you add the widgets that you want to show on that new

dashboard.

To move a widget

To move a widget, position your mouse cursor on the widget’s title bar, then select and drag the

widget to its new location.

To show or hide a widget

To show a widget, in the upper left hand corner, select Widget, then select the names of the widgets that you want to show. To hide a widget, in its title bar, select Close.

Figure 25: Adding a widget

To see the available options for a widget, position your mouse cursor over the icons in the

widget’s title bar. Options vary slightly from widget to widget, but always include options to

close or show/hide the widget.

Figure 26: Widget title bar

Table 4: Widget values

When the SQL database is enabled, Top Traffic, Top Web Traffic, Top Email Traffic, Top FTP Traffic, Top IM/P2P Traffic, Virus Activity, and Intrusion Activity will not appear in the widget list. For information on enabling the SQL database, see “Configuring SQL database storage” on page 118.

Web-based Manager item    Description

Widget title              The name of the widget.

Show/Hide arrow           Select to show or hide the widget.

More alerts               Show the Alert Messages dialog box.
                          This option appears only on the Alert Message Console widget.

Reset                     Reset the collected statistics. See “Statistics widget” on page 70.
                          This option appears only on the Statistics widget.

Detach                    Detach the CLI Console widget from the dashboard and open it in
                          a separate window. See “CLI console widget” on page 79.
                          This option appears only on the CLI Console widget.

Console Preferences       Show the Console Preferences window, which allows you to
                          customize the look of the CLI Console widget. See “CLI console
                          widget” on page 79.
                          This option appears only on the CLI Console widget.

RAID settings             Show the RAID Settings dialog box, which displays the current
                          RAID settings and allows for configuration of the RAID level if
                          available. See “Disk monitor widget” on page 73.
                          This option appears only on the RAID Monitor widget.

Edit                      Select to change settings for the widget.

Refresh                   Select to update the displayed information.

Close                     Select to hide the widget on the dashboard. You will be prompted
                          to confirm the action. To show the widget again, select Widget
                          near the top of the dashboard.

The available dashboard widgets are:

• System information widget

• License Information widget

• Unit operation widget

• System resources widget

• Logs/data received widget

• Statistics widget

• Report engine widget

• Disk monitor widget

• Log Receive Monitor widget

• Alert message console widget

• CLI console widget

• Top traffic widget

• Top web traffic widget

• Top email traffic widget

• Top FTP traffic widget

• Top IM/P2P traffic widget

• Virus activity widget

• Intrusion activity widget

System information widget

The System Information widget (System > Dashboard > Status) displays the serial number and basic system statuses, such as the firmware version, system time, host name, and up time.

In addition to displaying basic system information, the System Information widget enables you to configure the system time, host name, operation mode, and to update the firmware.

Figure 27: System information widget

The widget displays the following information:

Serial Number: The serial number of the FortiAnalyzer unit. The serial number is specific to the FortiAnalyzer unit’s hardware and does not change with firmware upgrades. Use this number when registering the hardware with Customer Service & Support.

Uptime: The time in days, hours, and minutes since the FortiAnalyzer unit was started.

System Time: The current date and time according to the FortiAnalyzer unit’s internal clock. Select Change to change the time or configure the FortiAnalyzer unit to get the time from an NTP server. See “Configuring the time & date” on page 61.

Host Name: The host name of the FortiAnalyzer unit. Select Change to change the host name. See “Configuring the FortiAnalyzer unit’s host name” on page 63.

Firmware Version: The version of the firmware currently installed on the FortiAnalyzer unit. Select Update to install firmware. See “Maintaining Firmware” on page 286.

Operation Mode: The current operation mode of the FortiAnalyzer unit. Select Change to switch to another operation mode. See “Selecting the operation mode” on page 63. This option is not available on FortiAnalyzer-100B, -100C models.

Configuring the time & date

You can either manually set the FortiAnalyzer system time, or configure the FortiAnalyzer unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.

For many features to work, including scheduling, logging, and SSL-dependent features, the FortiAnalyzer system time must be accurate.

To configure the date and time:

1. Go to System > Dashboard > Status. In the System Information widget, in the System Time row, select Change.

2. From Time Zone, select the time zone in which the FortiAnalyzer unit is located.

3. Configure the following to either manually configure the system time, or automatically synchronize the FortiAnalyzer unit’s clock with an NTP server:

Figure 28: Time settings

4. Configure the following settings:

System Time: The date and time according to the FortiAnalyzer unit’s clock at the time that this tab was loaded, or when you last selected the Refresh button.

Refresh: Select to update the System Time field with the current time according to the FortiAnalyzer unit’s clock.

Time Zone: Select the time zone in which the FortiAnalyzer unit is located.

Set Time: Select this option to manually set the date and time of the FortiAnalyzer unit’s clock, then select the Hour, Minute, Second, Year, Month and Day fields before you select OK.

Synchronize with NTP Server: Select this option to automatically synchronize the date and time of the FortiAnalyzer unit’s clock with an NTP server, then configure the Server and Sync Interval fields before you select OK.

Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org.

Sync Interval: Enter how often in minutes the FortiAnalyzer unit should synchronize its time with the NTP server. For example, entering 1440 causes the FortiAnalyzer unit to synchronize its time once a day.

5. Select OK.

Configuring the FortiAnalyzer unit’s host name

The host name of the FortiAnalyzer unit is used in several places.

• It appears in the System Information widget on the Status tab. For more information about the System Information widget, see “System information widget” on page 60.
• It is used in the command prompt of the CLI.
• It is used as the SNMP system name. For information about SNMP, see “Configuring the SNMP agent” on page 126.

The System Information widget and the get system status CLI command will display the full host name. However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated form ending with a tilde (~) to indicate that additional characters exist, but are not displayed.

For example, if the host name is FortiAnalyzer1234567890, the CLI prompt would be FortiAnalyzer123456~#.

To change the host name:

1. Go to System > Dashboard > Status.

2. In the System Information widget, in the Host Name row, select Change.

Figure 29: System information widget

3. In the Host Name field, type a new host name. The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.

4. Select OK.
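To check a proposed host name against the rules above before a change window, and to preview how the CLI prompt will render it, here is an added Python example (not from the guide or from Fortinet). The 19-character prefix it keeps before the tilde is taken from the guide’s own example prompt and is an assumption; the guide’s prose gives the threshold as 16 characters, and the sample names are constructed.

```python
import re

# Host name rules stated in the guide: up to 35 characters; US-ASCII letters,
# numbers, hyphens and underscores only; no spaces or other special characters.
HOST_NAME_MAX_LEN = 35
HOST_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# ASSUMPTION: characters kept before the tilde in a truncated CLI prompt.
# Derived from the guide's example (FortiAnalyzer1234567890 -> FortiAnalyzer123456~#),
# which keeps 19 characters; the guide's prose states the threshold as 16.
PROMPT_KEEP = 19


def validate_host_name(name: str) -> list:
    """Return a list of rule violations for a proposed host name (empty if acceptable)."""
    problems = []
    if not name:
        problems.append("host name is empty")
    if len(name) > HOST_NAME_MAX_LEN:
        problems.append(f"longer than {HOST_NAME_MAX_LEN} characters ({len(name)})")
    if not name.isascii():
        problems.append("contains non-ASCII characters")
    elif name and not HOST_NAME_RE.match(name):
        # Report every offending character once so the operator can fix the input
        bad = sorted({c for c in name if not re.fullmatch(r"[A-Za-z0-9_-]", c)})
        problems.append("contains disallowed characters: " + ", ".join(repr(c) for c in bad))
    return problems


def cli_prompt(name: str, keep: int = PROMPT_KEEP) -> str:
    """Render the CLI prompt for a host name the way the guide describes it.

    Names longer than `keep` characters are cut to `keep` characters and end with a
    tilde so the operator knows characters were dropped; shorter names are shown whole.
    """
    if len(name) > keep:
        return name[:keep] + "~#"
    return name + " #"


def review_host_name(name: str) -> dict:
    """Combine both checks for a change-control review of a proposed host name."""
    problems = validate_host_name(name)
    return {
        "name": name,
        "valid": not problems,
        "problems": problems,
        "prompt": cli_prompt(name) if not problems else None,
        # A truncated prompt is easy to misread during an incident; flag it explicitly
        "truncated_in_cli": not problems and len(name) > PROMPT_KEEP,
    }


if __name__ == "__main__":
    # Constructed sample inputs, including the guide's own example name
    for candidate in ("FortiAnalyzer1234567890", "FortiAnalyzer-800B", "faz 01", "x" * 36):
        print(review_host_name(candidate))
```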

Selecting the operation mode

The FortiAnalyzer unit has three operation modes:

• Standalone: The default mode that supports all FortiAnalyzer features.
• Analyzer: The mode used for aggregating logs from one or more log collectors.
• Collector: The mode used for saving and uploading logs. For example, instead of writing logs into the database, the collector can retain the logs in original (binary) format for uploading.

The analyzer and collector modes are used together to increase the analyzer’s performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

Which mode you choose depends on your network topology and other requirements.

For more information, see “The operation mode” on page 28.

To select the operation mode:

1. Go to System > Dashboard > Status.

2. In the System Information widget, in the Operation Mode row, select Change.

Figure 30: Change operation mode

The FortiAnalyzer 100 series and 400 series models do not have the analyzer mode.

Table 5: Unavailable features in each operation mode

Mode: Unavailable feature in Web-based Manager

Standalone: N/A

Analyzer: System > Config > Log aggregation

Collector: System > Config; Report; Tools > Network Analyzer

3. Configure the following settings:

Standalone: The default operation mode.

Analyzer: If you choose this mode, enter the password for the analyzer server and confirm it. Select Accept Real-time Log Forwarding from Collectors to allow collectors to forward logs in real-time to the analyzer. Normally, logs are collected and uploaded on schedule, but users may want some critical logs to be sent immediately. After the logs are uploaded on schedule, those that were forwarded in real-time become duplicates. You can select Automatically Delete (Reconcile) Real-time Logs During Collector Upload to automatically delete the duplicate logs.

Collector: If you choose this mode, configure the following:
• Remote IP - Enter the IP address of the FortiAnalyzer unit to which this log collector uploads logs.
• Password - Enter the password of the FortiAnalyzer unit to which this log collector uploads logs.
• Upload Daily at - Select the time to upload logs on a daily basis.
• Enable Real-time Forwarding of Priority Logs - Select to upload priority logs in real time, then set the priority level in Minimum Severity.

4. Select OK.

License Information widget

The License Information widget displays information on features that vary by a purchased license or contract, such as FortiGuard subscription services. It also displays how many devices are connected or attempting to connect to the FortiAnalyzer unit.

Figure 31: License information widget

The widget displays the following information:

Vulnerability Management: Indicates whether or not this FortiAnalyzer unit is licensed for FortiGuard Vulnerability Management Service. If it is not, you can select Subscribe to register for the service.

VCM Plugins: The version of the vulnerability compliance management plug-in, and the date of its last update. Select Update to upload a new version of the plug-in. For more information on vulnerability management, see “Scheduling & uploading vulnerability management updates” on page 147.

Device Registration Summary: A total of the number of each device type connecting or attempting to connect to the FortiAnalyzer unit. For more information about the maximum numbers of devices of each type and/or VDOMs that are permitted to connect to the FortiAnalyzer unit, see “Maximum number of devices” on page 159 and “Maximum Value Matrix” on page 318. The Registered column is the number of devices that you have added to the FortiAnalyzer unit’s device list, either manually or automatically. The Unregistered column is the number of devices attempting to connect to the FortiAnalyzer unit that are not yet registered. To configure the FortiAnalyzer unit to accept data from a device, see “To manually add a device or HA cluster:” on page 161. For more information about registered and unregistered devices, see “Unregistered vs. registered devices” on page 159.

Unit operation widget

The Unit Operation widget indicates the connectivity status for each physical network port. It also enables administrators to perform basic system operations such as rebooting the FortiAnalyzer unit.

Color indicates whether or not a port has detected a physical connection. If a port’s color is gray, there is no connectivity, but if a port’s color is green, it is connected.

Additional system-wide operations, such as formatting the log disk or resetting the configuration to the firmware’s default values, are available from the CLI. For details, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.

These operations are available only to users with the read and write access profile.

Figure 32: Unit operation widget

The widget displays the following information:

Reboot: Select to halt and restart the operating system of the FortiAnalyzer unit.

ShutDown: Select to halt the operating system of the FortiAnalyzer unit, preparing its hardware to be powered off.

System resources widget

The System Resources widget displays the CPU and memory usage levels over time.

Figure 33: System resources widget

The widget displays the following information:

CPU Usage: The current CPU usage displayed as a dial gauge or graph. The Web-based Manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

The FortiAnalyzer CPU utilization can appear to be continually high due to the amount of work the FortiAnalyzer is tasked to perform. There are two key CPU-intensive operations on a FortiAnalyzer unit:
• indexing log messages
• report generation and other enhanced features

Log indexing: A FortiAnalyzer unit deployed in a network can receive hundreds of log messages per second throughout the day. The FortiAnalyzer unit indexes nearly all fields in a log message to include in the database. This process can be very CPU intensive, as the indexing component is continually running to keep up with the incoming log messages.

Report generation and other enhanced features: The FortiAnalyzer unit has many reporting functions. Various report generations can be running at any time during the day, including:
• security event reports
• traffic summary reports
• regular reports whose complexity can vary depending on the requirements
• quota checking with log rolling
• network sniffing
• vulnerability scan.

All these tasks can be CPU intensive, especially when several occur at the same time. This can cause the CPU to stay at 90% or more a lot of the time. It is important to note that the indexing operation is set to the lowest priority, so as to not affect the critical processes, such as receiving log messages. Because these operations will take all the available CPU cycles, it is normal to expect high CPU utilization at times.

On smaller devices, such as the FortiAnalyzer-100C, where the CPU and disk speed are not as fast as the higher-end models, the CPU usage can appear more pronounced.

Memory Usage: The current memory (RAM) usage displayed as a dial gauge or graph. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

Session: The number of sessions over the specified historical time period. Sessions are the current communications sessions on the FortiAnalyzer unit, which include devices that connect to send logs or quarantine files. This item does not appear when viewing current (Real Time) system resources.

Network Utilization: The network utilization over the specified historical time period. This item does not appear when viewing current (Real Time) system resources.

To configure settings for the widget, in its title bar, select Edit to open the Edit System Resources Settings window.

Figure 34: Edit system resources settings window

• To view only the most current information about system resources, from View Type, select Real Time.
• To view historical information about system resources, from View Type, select History.
• To change the time range, from Time Period, select one of the following: Last 10 Minutes, Last Hour, or Last Day.
• To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0.

Logs/data received widget

The Logs/Data Received widget displays the rate over time of the logs and data, such as DLP archives and quarantined files, received by the FortiAnalyzer unit. This widget display varies on different models.

Figure 35: Logs/data received widget

The widget displays the following information:

Logs Received: Number of logs received per second.

Data Received: Volume of data received.

To configure settings for the widget, in its title bar, select Edit to open the Edit Logs/Data Received Settings window.

Figure 36: Edit logs/data received settings window

• To view only the most current information about system resources, from View Type, select Real Time.
• To view historical information about system resources, from View Type, select History.
• To change the time range, from Time Period, select one of the following: Last 10 Minutes, Last Hour, or Last Day.
• To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0.

For information on how much disk space is currently consumed, see “Disk monitor widget” on page 73.

Statistics widget

The Statistics widget displays the numbers of sessions, volume of log files, and number of reports handled by the FortiAnalyzer unit.

Figure 37: Statistics widget

The widget displays the following information:

(Since yyyy-mm-dd hh:mm:ss): The date and time when the statistics were last reset. To reset the date and time, hover your mouse cursor over the widget’s title bar area, then select Reset.

Sessions: The number of communication sessions occurring on the FortiAnalyzer unit, including those with devices that connect to send logs or quarantine files. Select Details for more information on the connections. For more information, see “To view session details:” on page 70.

Logs & Reports

Logs: The number of new log files received from a number of devices since the statistics were last reset. For more information, see “To view log details:” on page 71.

Log Volume: The average log file volume received per day over the past seven days. Select Details to view the log file volume received per day. For information on total disk space consumption, see “Disk monitor widget” on page 73.

Reports: The number of reports generated for a number of devices. Select Details for more information on the reports.

To view session details:

1. Go to System > Dashboard > Status.

2. In the Statistics widget, next to Sessions, select Details.

Figure 38: Statistics widget

When viewing sessions, you can search or filter to find specific content. For more information about filtering information, see “Filtering logs” on page 179.

The window displays the following information:

Refresh: Select to refresh the page with current, updated session information.

Search: Enter a word or words to find specific information. Press Enter to initiate the search process.

Protocol: The protocol used during that session.

Source: The session’s source IP address.

Source Port: The session’s source port number.

Destination: The session’s destination IP address.

Destination Port: The session’s destination port number.

Expires(secs): The number of seconds before the session expires.

To view log details:

1. Go to System > Dashboard > Status.

2. In the Statistics widget, next to Logs, select Details.

Figure 39: Logs window

Figure 40: Log details window

The window displays the following information:

Display: Mark the check box of a log file whose messages you want to view, then select this button. Only one log file can be selected each time. For more information about viewing log details, see “Viewing log messages” on page 173.

Download: Mark the check box of a log file that you want to download, select this button, then select one of the following.
• Log file format: Downloads the log file in text (.txt), comma-separated value (.csv), or standard .log (native) file format.
• Compress with gzip: Compress the downloaded log file with GZIP compression. Downloading a log-formatted file with GZIP compression results in a download with the file extension .log.gz.

Import: Select to import a device’s log files. This can be useful when restoring data or loading log data for temporary use. From the Device field, select the device to which the imported log file belongs, or select Take From Imported File to read the device ID from the log file. If you select Take From Imported File, your log file must contain a device_id field in its log messages. In Filename, select Browse to find the log file. For more information, see “Importing a log file” on page 190.

Device Type: Select the type of devices whose log files you want to view.

Show Log File Names: Enable to show the log file names under each log type.

Log Files: A list of available log files for each device or device group. Select the group name to expand the list of devices within the group, and to view their log files. The current, or active, log file appears as well as rolled log files. Rolled log files include a number in the file name, such as vlog.1267852112.log. If you configure the FortiAnalyzer unit to delete the original log files after uploading rolled logs to an FTP server, only the current log will exist.

#: Number of log files for each type.

From: The date and time when the FortiAnalyzer unit starts to generate the log file.

To: The date and time when the FortiAnalyzer unit completes generating the log file, when the file reaches its maximum size or the scheduled time. For more information, see “Configuring rolling and uploading of devices’ logs” on page 193.

Size (bytes): The size of the log file.

Report engine widget

You can only add a Report Engine widget when you select the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 118.

This widget indicates report generation activity. Report engine activities include whether the report engine is active or inactive, what reports are running when active, and the percentage completed.

When a report is being generated as scheduled, the report engine status changes from inactive to active.

To generate a report, select the Generate report icon in the title bar, and then configure a new report schedule. For more information, see “Configuring report schedules” on page 233.

Figure 41: Report engine widget

Disk monitor widget

The Disk Monitor widget displays information about the status of RAID disks as well as what RAID level has been selected. It also displays how much disk space is currently consumed.

To configure settings for the widget, in its title bar, select RAID Settings. For more information, see “Configuring RAID” on page 137.

The RAID Settings icon does not appear on FAZ-100B and FAZ-100C units, because RAID is not supported on these models. Only disk space usage information is displayed on these models.

Figure 42: Disk monitor widget

The widget displays the following information:

RAID Status: Icons and text indicate one of the following RAID disk statuses:
• (OK): Indicates that the RAID disk has no problems.
• (Warning): Indicates that there is a problem with the RAID disk, such as a failure, and it needs replacing. The RAID disk is also in reduced reliability mode when this status is indicated in the widget.
• (Rebuilding): Indicates that a drive has been replaced and the RAID array is being rebuilt; it is also in reduced reliability mode.
• (Failure): Indicates that one or more drives have failed, the RAID array is corrupted, and the drive must be re-initialized. This is displayed by both a failure symbol and text. The text appears when you hover your mouse over the warning symbol; the text also indicates the amount of space in GB.

Rebuild Status: A percentage bar indicating the progress of the rebuilding of a RAID array. The bar appears only when a RAID array is being rebuilt.

Estimated rebuild time [start and end time]: The time remaining to rebuild the RAID array, and the date and time the rebuild is expected to end. This time period appears only when an array is being rebuilt. This time period will not display in hardware RAID, such as FAZ-2000, FAZ-2000A, FAZ-2000B, and FAZ-4000A, FAZ-4000B.

Rebuild Warning: Text reminding you that the system has no redundancy protection until the rebuilding process is complete. This text appears only when an array is being rebuilt.

Disk space usage: The amount of disk used, displayed as a percentage and a percentage bar. The FortiAnalyzer unit reserves some disk space for compression files, upload files, and temporary report files. The total reserved space is:
• 25% of total disk space if total < 500G, with MAX at 100G
• 20% of total disk space if 500G < total < 1000G, with MAX at 150G
• 15% of total disk space if 1000G < total < 3000G, with MAX at 300G
• 10% of total disk space if total > 3000G
This is therefore to be deducted from the total capacity.

FortiAnalyzer units allocate most of their total disk space for the FortiAnalyzer units’ own logs, as well as logs and quarantined files from connecting devices. Disk space quota is assigned to each device and the FortiAnalyzer unit itself. If the quota is consumed, the FortiAnalyzer unit will either overwrite the oldest files saved or stop collecting new logs, depending on your settings. For devices’ disk space quota settings, see “Manually adding a FortiGate unit using the Fortinet Discovery Protocol” on page 165. For the FortiAnalyzer unit’s local log disk space quota settings, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.

Remaining disk space is reserved for devices, FortiAnalyzer reports, and any temporary files, such as configuration backups and log files that are currently queued for upload to a server. The size of the reserved space varies by the total RAID/hard disk capacity. For more information, see “Disk space usage” on page 75.

For more information about RAID, see “Configuring RAID” on page 137. For more information on the volume of logs being received, see “Logs/data received widget” on page 69.

Swapping hard disks

If a hard disk on a FortiAnalyzer unit fails, it must be replaced.

Figure 43: Status of a failed hard disk on a FAZ-800 unit as shown in the Disk Monitor widget

To replace a hard disk:

1. Go to System > Dashboard > Status.

2. In the Unit Operation widget, select Shutdown.

3. Select OK.

4. Remove the faulty hard disk and replace it with a new one.

5. Restart the FortiAnalyzer unit. The FortiAnalyzer unit will automatically add the new disk to the current RAID array. The status appears on the console. After the FortiAnalyzer unit boots, the widget will display a green check mark icon for all disks and the RAID Status area will display the progress of the RAID re-synchronization/rebuild.

Electrostatic discharge (ESD) can damage FortiAnalyzer equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist or ankle strap and attaching it to an ESD connector or to a metal part of a FortiAnalyzer chassis.

When replacing a hard disk, you need to first verify that the new disk has the same size as those supplied by Fortinet and has at least the same capacity as the old one in the FortiAnalyzer unit. Installing a smaller hard disk will affect the RAID setup and may cause data loss. Due to possible differences in sector layout between disks, the only way to guarantee that two disks have the same size is to use the same brand and model.

The size provided by the hard drive manufacturer for a given disk model is only an approximation. The exact size is determined by the number of sectors present on the disk.

Once a RAID array is built, adding another disk with the same capacity will not affect the array size until you rebuild the array by restarting the FortiAnalyzer unit.

Fortinet recommends that you use the same disks as those supplied by Fortinet. Disks of other brands will not be supported by Fortinet. For information on purchasing extra hard disks, contact your Fortinet reseller.

Adding new disks for FAZ-2000B and FAZ-4000B

The FAZ-2000B unit is shipped with two hard disks. You can add up to four more disks to increase the storage capacity. The FAZ-4000B unit is shipped with six hard disks. You can add up to 18 more disks to increase the storage capacity.

To add more hard disks:

1. Obtain the same disks as those supplied by Fortinet.

2. Back up the log data on the FortiAnalyzer 2000B/4000B unit. You can also migrate the data to another FortiAnalyzer unit if you have one. Data migration reduces system down time and risk of data loss. For information on data backup, see “Backing up the configuration and installing firmware” on page 145. For information on data migration, see “Migrating data from one FortiAnalyzer unit to another” on page 150.

3. Install the disks in the FortiAnalyzer unit. You can do so while the FortiAnalyzer unit is running.

4. Configure the RAID level. See “Configuring RAID” on page 137.

5. If you have backed up the log data, restore the data. For more information, see “Backing up the configuration and installing firmware” on page 145.
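The reserved-space tiers listed under Disk space usage in the Disk Monitor widget table above, worked through as a capacity-planning helper in Python (an added example, not the guide’s or Fortinet’s own code). It assumes that a capacity exactly on a tier boundary, which the guide does not specify, falls into the next larger tier, and the per-device quotas it checks are constructed sample values.

```python
# Reserved-space tiers as stated in the guide (capacity in GB):
#   (upper bound, percent reserved, cap in GB or None when the guide states no cap)
# ASSUMPTION: the guide does not say which tier a capacity of exactly 500G, 1000G
# or 3000G belongs to; here a boundary value falls into the next (larger) tier.
RESERVED_TIERS = (
    (500, 25, 100),
    (1000, 20, 150),
    (3000, 15, 300),
    (None, 10, None),
)


def reserved_space_gb(total_gb):
    """Disk space the unit sets aside for compression, upload and temporary report files."""
    if total_gb <= 0:
        raise ValueError("total capacity must be positive")
    for upper, percent, cap in RESERVED_TIERS:
        if upper is None or total_gb < upper:
            # Integer product first, so tier values like 20% of 600G come out exact
            reserved = total_gb * percent / 100
            return reserved if cap is None else min(reserved, cap)
    raise AssertionError("unreachable: the last tier has no upper bound")


def usable_space_gb(total_gb):
    """Capacity left for the unit's own logs plus device logs, quarantined files and reports."""
    return total_gb - reserved_space_gb(total_gb)


def plan_quotas(total_gb, device_quotas_gb):
    """Check whether per-device quotas fit in the non-reserved capacity.

    The guide says each device (and the unit itself) gets a quota and that, once a
    quota is consumed, the unit either overwrites the oldest files or stops collecting.
    Quotas that add up to more than the usable capacity can never all be honoured,
    so this flags the over-commitment before logs start being dropped or rolled.
    """
    reserved = reserved_space_gb(total_gb)
    usable = total_gb - reserved
    allocated = sum(device_quotas_gb.values())
    return {
        "total_gb": total_gb,
        "reserved_gb": reserved,
        "usable_gb": usable,
        "allocated_gb": allocated,
        "headroom_gb": usable - allocated,
        "over_committed": allocated > usable,
    }


if __name__ == "__main__":
    # Constructed sample capacities: one per tier plus a value on a boundary
    for capacity in (300, 500, 800, 2000, 4000):
        print(f"{capacity}G total -> {reserved_space_gb(capacity)}G reserved, "
              f"{usable_space_gb(capacity)}G usable")
    # Constructed device quotas for an 800G unit: 150G reserved leaves 650G,
    # so 700G of quotas is over-committed by 50G
    print(plan_quotas(800, {"fgt-branch-a": 300, "fgt-branch-b": 400}))
```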

Log Receive Monitor widget

The Log Receive Monitor widget displays the rate at which logs are received over time.

Figure 44: Log receive monitor widget

To configure settings for the widget, in its title bar, select Edit.

Figure 45: Editing log receive monitor settings

Configure the following settings:

Widget Name: The current widget name.

Type: Select either:
• Log Type: Display the type of logs that are received from all registered devices and separate them into categories, such as top 5 traffic logs or antivirus logs.
• Device: Display the logs received from each registered device and separate the devices into the top number of devices.

No. Entries: Select the number of either log types or devices in the widget’s graph, depending on your selection in the Type field.

Time Period: Select one of the following time ranges over which to monitor the rate at which log messages are received:
• Hour
• Day
• Week

Refresh Interval: To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0.

Alert message console widget

The Alert Message Console widget displays log-based alert messages for both the FortiAnalyzer unit itself and connected devices.

Alert messages help you track system events on your FortiAnalyzer unit, such as firmware changes, and network events, such as detected attacks. Each message shows the date and time that the event occurred.

Figure 46: Alert message console widget

The widget displays only the most current alerts. For a complete list of unacknowledged alert messages, in the widget’s title bar, select More alerts. To sort the columns by either ascending or descending order, select the column headings.

Alert messages can also be delivered by email, syslog or SNMP. For more information, see “Configuring alerts” on page 121.

Page 79: Fortianalyzer Admin 40 Mr3

Figure 47:List of all alert messages

The following information is displayed:

CLI console widget

The CLI Console widget enables you to enter command lines through the Web-based Manager,

without making a separate Telnet, SSH, or local console connection to access the CLI.

To use the console, first select within the console area. Doing so will automatically log you in

using the same administrator account you used to access the Web-based Manager. You can

Acknowledge Mark the check boxes of alert messages that you want to remove

from the list of alerts, then select Acknowledge.

Include...and higher Select a severity threshold. Log messages equal to or greater than

that severity will appear in the list of alerts.

Remove unacknowledged alerts older than [n days]

Select a number of days to remove the alert messages older than that

number.

formatted | raw Select either:

• formatted: Display the alert messages in columnar format.

• raw: Display the information without formatting, as it actually

appears in the log messages.

Device The device where the log message originated.

Event The Message (msg=) field of the log message, which usually contains

a description of the event.

Level The severity level of the log message.

Time The date and time when the log message was generated. To sort in

ascending or descending order, select the arrow in the column

heading.

Counter The number of occurrences of the event.

The CLI Console widget requires that your web browser support JavaScript.

System Page 79 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 80: Fortianalyzer Admin 40 Mr3

then enter commands by typing them. Alternatively, you can copy and paste commands from or

into the CLI Console.

For information on available commands, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI

Reference.

Figure 48:CLI console widget

To configure settings for the widget, in its title bar, select Console Preferences.

Figure 49:CLI console widget settings

The prompt, by default the model number such as FortiAnalyzer-800B #, contains the

host name of the FortiAnalyzer unit. To change the host name, see “Configuring the

FortiAnalyzer unit’s host name” on page 63.

System Page 80 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 81: Fortianalyzer Admin 40 Mr3

Configure the following settings:

Preview: A preview of your changes to the CLI Console widget’s appearance.

Text: Select the current color swatch to the left of this label, then select a color from the color palette to the right to change the color of the text in the CLI Console.

Background: Select the current color swatch to the left of this label, then select a color from the color palette to the right to change the color of the background in the CLI Console.

Use external command input box: Enable to display a command input field below the normal console emulation area. When this option is enabled, you can enter commands by typing them into either the console emulation area or the external command input field.

Console buffer length: Enter the number of lines the console buffer keeps in memory. The valid range is from 20 to 9999.

Font: Select a font type from the list. There are only three font types to choose from: Lucida Console, Courier New, and the default font.

Size: Select a font size from the list to change the size, in points, of the CLI Console display font. The default size is 10 points.

Reset Defaults: Select to restore the default console preferences.

Top traffic widget

You can only add a Top Traffic widget when you select the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 118.

This widget displays a bar chart of the total volume of traffic handled by FortiGate units, based on their traffic logs.

Figure 50: Top traffic widget

To expand details for one of the widget’s items, select its + button, then select which log field you want to use to categorize its results.

For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then select its + button and select Service. The resulting widget display would reflect traffic volume for each service on that one device, from that source IP address.

To collapse details and return to higher-level items, select a parent item’s X button.

To configure settings for the widget, in its title bar, select Edit.

Figure 51: Top traffic widget settings

Configure the following settings:

Widget Name: Type a name for the widget. It will appear in the widget’s title bar.

Device: Select the name of either a device or device group for which you want to display traffic volumes.

Display by: Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each source IP address.
• Top Destinations (from any): Rank results according to the total volume for each destination IP address.

Filter Port: Select whether to include TCP or UDP protocols, then type the port number. The valid range is from 1 to 65,535.

Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.

No. Entries: Select the number of entries to display.

Top web traffic widget

You can only add a Top Web Traffic widget when you select the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 118.

This widget displays a bar chart of the total volume of web traffic handled by FortiGate units, based on either their traffic logs (if you select By Volume in the widget’s settings) or web filtering logs (if you select By Request in the widget’s settings).

Figure 52: Top web traffic widget

To expand details for one of the widget’s items, select its + button, then select which log field you want to use to categorize its results.

For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then select its + button, then select Service. The resulting widget display would reflect web traffic volume for each service on that one device, from that source IP address.

To collapse details and return to higher-level items, select a parent item’s X button.

To configure settings for the widget, in its title bar, select Edit.

Figure 53: Top web traffic widget settings

Configure the following settings:

Widget Name: Type a name for the widget. It will appear in the widget’s title bar.

Device: Select the name of either a device or device group for which you want to display traffic volumes.

Display by: Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each source IP address.
• Top Destinations (from any): Rank results according to the total volume for each destination IP address.

Filter Source IP Address or User: Type the traffic’s source IP address or user name.

Filter Destination IP Address: Type the traffic’s destination IP address.

By Volume: Select to gather the information for this widget from the traffic logs.

By Requests: Select to gather the information for this widget from the Web Filter logs.

Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.

No. Entries: Select the number of entries to display.

Top email traffic widget

You can only add a Top Email Traffic widget when you select the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 118.

This widget displays a bar chart of the total volume of email traffic handled by FortiGate units, based on either their traffic logs (if you select By Volume in the widget’s settings) or content logs (if you select By Request in the widget’s settings).

Figure 54: Top email traffic widget

To expand details for one of the widget’s items, select its + button, then select which log field you want to use to categorize its results.

For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then select its + button, then select Service. The resulting widget display would reflect email traffic volume for each service on that one device, from that source IP address.

To collapse details and return to higher-level items, select a parent item’s X button.

To configure settings for the widget, in its title bar, select Edit.

Figure 55: Top email traffic widget settings

Configure the following settings:

Widget Name: Type a name for the widget. It will appear in the widget’s title bar.

Device: Select the name of either a device or device group for which you want to display traffic volumes.

Display by: Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each source IP address.
• Top Destinations (from any): Rank results according to the total volume for each destination IP address.

Filter Protocol: Select an email protocol to filter by.

Filter Address: Enter the email server IP address for filtering the information.

By Volume: Select to gather the total amount of email traffic for this widget from the traffic logs.

By Requests: Select to gather the total amount of email traffic for this widget from the content logs.

Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.

No. Entries: Select the number of entries to display.

Top FTP traffic widget

You can only add a Top FTP Traffic widget when you select the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 118.

This widget displays a bar chart of the total volume of FTP traffic handled by FortiGate units, based on their traffic logs.

Figure 56: Top FTP traffic widget

To expand details for one of the widget’s items, select its + button, then select which log field you want to use to categorize its results.

For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then select its + button, then select Service. The resulting widget display would reflect FTP traffic volume for each service on that one device, from that source IP address.

To collapse details and return to higher-level items, select a parent item’s X button.

To configure settings for the widget, in its title bar, select Edit.

Figure 57: Top FTP traffic widget settings

Configure the following settings:

Widget Name: Type a name for the widget. It will appear in the widget’s title bar.

Device: Select the name of either a device or device group for which you want to display traffic volumes.

Display by: Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each source IP address.
• Top Destinations (from any): Rank results according to the total volume for each destination IP address.

Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.

No. Entries: Select the number of entries to display.

Top IM/P2P traffic widget

You can only add a Top IM/P2P Traffic widget when you select the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 118.

This widget displays a bar chart of, depending on your selection in the widget’s settings, either the total number of instant message (IM) or peer-to-peer (P2P) sessions handled by FortiGate units, based on their DLP logs.

Figure 58: Top IM/P2P traffic widget

To expand details for one of the widget’s items, select its + button, then select which log field you want to use to categorize its results.

For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then select its + button, then select Service. The resulting widget display would reflect IM/P2P traffic volume for each service on that one device, from that source IP address.

To collapse details and return to higher-level items, select a parent item’s X button.

To configure settings for the widget, in its title bar, select Edit.

Figure 59: Top IM/P2P traffic widget settings

Configure the following settings:

Widget Name: Type a name for the widget. It will appear in the widget’s title bar.

Type: Select either instant messaging (IM) or peer-to-peer (P2P) traffic.

Device: Select the name of either a device or device group for which you want to display traffic volumes.

Display by: Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each source IP address.
• Top Destinations (from any): Rank results according to the total volume for each destination IP address.

Protocol: Select a protocol for filtering the traffic. If you select All, all of the protocols will be included.

Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.

No. Entries: Select the number of entries to display.

Virus activity widget

You can only add a Virus Activity widget when you select the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 118.

This widget displays a bar chart of the total number of virus detections in traffic handled by FortiGate units, based on their antivirus logs.

Figure 60: Virus activity widget

To expand details for one of the widget’s items, select its + button, then select which log field you want to use to categorize its results.

For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then select its + button, then select Service. The resulting widget display would reflect detected viruses for each service on that one device, from that source IP address.

To collapse details and return to higher-level items, select a parent item’s X button.

To configure settings for the widget, in its title bar, select Edit.

Figure 61: Virus activity widget settings

Configure the following settings:

Widget Name: Type a name for the widget. It will appear in the widget’s title bar.

Device: Select the name of either a device or device group for which you want to display traffic volumes.

Display by: Select which attribute to use in order to rank the top results:
• Time Period: Rank results according to the total number of incidents for each 24-hour time period, from 00:00:00 to 23:59:59.
• Top Viruses: Rank results according to the total number of incidents for each virus.
• Top Sources (to any): Rank results according to the total number of incidents for each source IP address.
• Top Destinations (from any): Rank results according to the total number of incidents for each destination IP address.
• Protocol break down for virus incidents: Rank results according to the total number of incidents for each protocol.

Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.

No. Entries: Select the number of entries to display.

Intrusion activity widget

You can only add an Intrusion Activity widget when you select the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 118.

This widget displays a bar chart of the total number of attack attempts in traffic handled by FortiGate units, based on their attack logs.

Figure 62: Intrusion activity widget

To expand details for one of the widget’s items, select its + button, then select which log field you want to use to categorize its results.

For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then select its + button, then select Service. The resulting widget display would reflect detected intrusion attempts for each service on that one device, from that source IP address.

To collapse details and return to higher-level items, select a parent item’s X button.

To configure settings for the widget, in its title bar, select Edit.

Figure 63: Intrusion activity widget settings

Configure the following settings:

Widget Name: Type a name for the widget. It will appear in the widget’s title bar.

Device: Select the name of either a device or device group for which you want to display traffic volumes.

Display by: Select which attribute to use in order to rank the top results:
• Time Period: Rank results according to the total number of incidents for each 24-hour time period, from 00:00:00 to 23:59:59.
• Top Intrusions: Rank results according to the total number of incidents for each intrusion.
• Top Sources (to any): Rank results according to the total number of incidents for each source IP address.
• Top Destinations (from any): Rank results according to the total number of incidents for each destination IP address.

Time Scope: Select one of the following time ranges: Hour, Day, Week, or Month.

No. Entries: Select the number of entries to display.

Configuring network settings

The Network menu allows you to configure the FortiAnalyzer unit to operate on your network. You can configure basic network settings, including configuring interfaces, DNS settings, and static routes.

Configuring the network interfaces

To view a list of the FortiAnalyzer unit’s network interfaces, go to System > Network > Interface. See Figure 64.

You must configure at least one of the FortiAnalyzer unit’s network interfaces for you to connect to the CLI and Web-based Manager, which require an IP address.

Depending on your network topology and other considerations, to enable the FortiAnalyzer unit to connect to your network and to the devices whose logs it receives, you may need to configure one or more of the FortiAnalyzer unit’s other network interfaces. You can configure each network interface separately, with its own IP address, netmask, and accepted administrative access protocols.

Unlike other administrative protocols, SNMP access is not configured individually for each network interface. Instead, see “Configuring the SNMP agent” on page 126.

You can restrict which IP addresses are permitted to log in as a FortiAnalyzer administrator through the network interfaces. For details, see “Configuring administrator accounts” on page 107.

Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiAnalyzer unit.

Figure 64: Interface list window

This window displays the following information:

Bring Up: Mark the check box of the network interface that you want to enable, then select Bring Up. The new status appears in Status.

Bring Down: Mark the check box of the network interface that you want to disable, then select Bring Down. The new status appears in Status.

Name: The name of the network interface, usually directly associated with one physical link as indicated by its name, such as port1.

IP/Netmask: The IP address and netmask of the network interface, separated by a slash ( / ).

Access: The administrative access services that are enabled on the network interface, such as HTTPS for the Web-based Manager.

FDP: Indicates whether Fortinet Discovery Protocol (FDP) is enabled. When FDP is enabled for an interface, a green check appears. For more information about FDP, see “About Fortinet Discovery Protocol” on page 95 and “Manually adding a FortiGate unit using the Fortinet Discovery Protocol” on page 165.

Status: Indicates the “up” (available) or “down” (unavailable) administrative status of the network interface.
• Green up arrow: The network interface is up and permitted to receive or transmit traffic.
• Red down arrow: The network interface is down and not permitted to receive or transmit traffic.

To edit a network interface:

1. Go to System > Network > Interface.

2. Mark the check box next to the interface whose settings you want to modify, then select Edit.

Figure 65: Network interfaces

The edit interface window opens.

Figure 66: Edit interface window

3. Configure the following settings:

Interface Name: The name (such as port2) and media access control (MAC) address of this network interface.

Fortinet Discovery Protocol: Select Enabled to respond to Fortinet Discovery Protocol (FDP) on this interface, allowing FortiGate devices to find the FortiAnalyzer unit automatically. For more information about FDP, see “About Fortinet Discovery Protocol” on page 95 and “Manually adding a FortiGate unit using the Fortinet Discovery Protocol” on page 165.

IP/Netmask: Enter the IP address/subnet mask. The IP address must be on the same subnet as the network to which the interface connects.

Administrative Access: Enable the types of administrative access that you want to permit on this interface.

HTTPS: Enable to allow secure HTTPS connections to the web-based manager through this network interface. For information on configuring the port number on which the FortiAnalyzer listens for these connections, see “Configuring the Web-based Manager’s global settings” on page 116.

PING: Enable to allow ICMP ping responses from this network interface.

HTTP: Enable to allow HTTP connections to the web-based manager through this network interface. For information on configuring the port number on which the FortiAnalyzer listens for these connections, see “Configuring the Web-based Manager’s global settings” on page 116.
Caution: HTTP connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiAnalyzer unit.

SSH: Enable to allow SSH connections to the CLI through this network interface.

TELNET: Enable to allow Telnet connections to the CLI through this network interface.
Caution: Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiAnalyzer unit.

AGGREGATOR: Enable to allow sending and receiving log aggregation transmissions. For more information about aggregation, see “Configuring log aggregation” on page 131.

WEBSERVICES: Enable to allow web service (SOAP) connections. FortiManager units require web service connections for remote management of FortiAnalyzer units. If this option is not enabled, the FortiManager unit cannot install a configuration on the FortiAnalyzer unit. For more information, see “Configuring and using FortiAnalyzer web services” on page 95. Web services can also be used by third-party tools to access logs and reports stored on the FortiAnalyzer unit. For more information about web services, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.

MTU: Enable Override default MTU value (1500) to change the maximum transmission unit (MTU) value, then enter the maximum packet size in bytes. To improve network performance, adjust the MTU so that it equals the smallest MTU of all devices between this interface and the traffic’s final destinations. If the MTU is larger than other devices’ MTU, other devices through which the traffic travels must spend time and processing resources to break apart large packets to meet their smaller MTU. This process slows down transmission. The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes.

4. Select OK.

If you were connected to the Web-based Manager through this network interface, you are now disconnected from it.

5. To access the Web-based Manager again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 172.16.1.20, you would browse to https://172.16.1.20.

If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiAnalyzer unit, you may also need to modify the IP address and subnet of your computer to match the FortiAnalyzer unit’s new IP address.
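One way to check an interface list against the administrative-access advice in this section, as an added example that is not Fortinet code or from this guide: the interface records, the administrator's Trusted Host entries and the trusted management network below are constructed to mirror the Interface list columns (Name, IP/Netmask, Access) and the Trusted Host recommendation in the web-services procedure, and the protocol names are the ones listed under Administrative Access.

```python
"""Audit FortiAnalyzer administrative access against the guide's advice.

Added example, not Fortinet code. SAMPLE_INTERFACES, SAMPLE_ADMINS and
TRUSTED_MGMT are constructed to mirror the Interface list columns (Name,
IP/Netmask, Access) and an administrator's Trusted Host entries; nothing is
read from a real unit.
"""
import ipaddress
from dataclasses import dataclass

# Protocol names as listed under Administrative Access in the edit interface window.
CLEARTEXT = {"HTTP", "TELNET"}                                       # interceptable by a third party
ADMIN_PROTOCOLS = {"HTTPS", "HTTP", "SSH", "TELNET", "WEBSERVICES"}  # give management access


@dataclass
class Interface:
    name: str
    ip_netmask: str   # "ip/netmask" exactly as the Interface list shows it
    access: set       # enabled Administrative Access protocols


@dataclass
class Admin:
    name: str
    trusted_hosts: list   # Trusted Host entries, "ip/netmask"


def network_of(ip_netmask):
    """Turn the list's 'ip/netmask' text into the subnet it belongs to."""
    return ipaddress.ip_interface(ip_netmask).network


def audit_interfaces(interfaces, trusted_networks):
    """Return (interface name, issue) pairs for the two things the guide warns
    about: cleartext admin protocols, and admin access on a subnet that is not
    a trusted management network."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for iface in interfaces:
        admin = iface.access & ADMIN_PROTOCOLS
        if not admin:
            continue  # only log traffic (e.g. AGGREGATOR) or PING: not management access
        for proto in sorted(iface.access & CLEARTEXT):
            findings.append((iface.name, f"{proto} enabled: cleartext, use HTTPS/SSH instead"))
        net = network_of(iface.ip_netmask)
        if not any(net.subnet_of(t) for t in trusted):
            findings.append((iface.name, f"admin access {sorted(admin)} on untrusted subnet {net}"))
    return findings


def audit_trusted_hosts(admins):
    """Flag administrators whose Trusted Host entries are wider than one address
    (the guide recommends a 255.255.255.255 mask per permitted host)."""
    findings = []
    for admin in admins:
        if not admin.trusted_hosts:
            findings.append((admin.name, "no Trusted Host restriction"))
        for entry in admin.trusted_hosts:
            net = network_of(entry)
            if net.prefixlen < net.max_prefixlen:
                findings.append((admin.name, f"Trusted Host {entry} allows {net.num_addresses} addresses"))
    return findings


# Constructed sample: port1 is the management interface, port2 faces a public
# range with cleartext protocols left on, port3 only receives aggregated logs.
SAMPLE_INTERFACES = [
    Interface("port1", "172.16.1.20/255.255.255.0", {"HTTPS", "SSH", "PING"}),
    Interface("port2", "203.0.113.5/255.255.255.0", {"HTTPS", "HTTP", "TELNET", "AGGREGATOR"}),
    Interface("port3", "10.10.5.2/255.255.255.0", {"AGGREGATOR"}),
]
SAMPLE_ADMINS = [Admin("admin", ["172.16.1.50/255.255.255.255", "0.0.0.0/0.0.0.0"])]
TRUSTED_MGMT = ["172.16.1.0/24"]   # assumption: the management network in this example


if __name__ == "__main__":
    for name, issue in audit_interfaces(SAMPLE_INTERFACES, TRUSTED_MGMT):
        print(f"{name}: {issue}")
    for name, issue in audit_trusted_hosts(SAMPLE_ADMINS):
        print(f"{name}: {issue}")
```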

About Fortinet Discovery Protocol

FortiGate units running FortiOS v4.0 or greater can use Fortinet Discovery Protocol (FDP), a UDP protocol, to locate a FortiAnalyzer unit.

When a FortiGate administrator selects Automatic Discovery, the FortiGate unit attempts to locate FortiAnalyzer units on the network within the same subnet. If FDP has been enabled for the FortiAnalyzer unit’s network interface to that subnet, the FortiAnalyzer unit will respond.

After discovering the FortiAnalyzer unit, the FortiGate unit automatically enables logging to the FortiAnalyzer and begins sending log data.

Depending on its configuration, the FortiAnalyzer unit may then automatically register the device and save its data, add the device but ignore its data, or ignore the device entirely. For more information, see “Configuring unregistered device options” on page 167.

Configuring and using FortiAnalyzer web services

To manage FortiAnalyzer v4.0 MR1 or later, FortiManager v4.0 or later requires that you enable web services on the FortiAnalyzer unit and obtain the Web Services Description Language (WSDL) file that defines the XML requests you can make and the responses that the FortiAnalyzer unit can provide. If web services are not enabled, the FortiManager unit cannot send a configuration to the FortiAnalyzer unit.

Due to design changes, FortiManager v4.0 MR3 or later cannot manage FortiAnalyzer units.

In addition to enabling web services, you must also register the devices with each other. When registering the FortiAnalyzer with the FortiManager unit, to guarantee full access to the FortiAnalyzer unit’s entire configuration, you must provide the login for the FortiAnalyzer unit’s admin administrator account. When registering the FortiManager with the FortiAnalyzer unit’s device list, you must set connection permissions to allow remote management.

Web services can also be used by third-party tools to access logs and reports stored on the FortiAnalyzer unit. For more information, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.

Web services are automatically encrypted with SSL (HTTPS). For information on the certificate used to do so, see “Importing a local server certificate” on page 154.

To configure web services:

1. On the FortiAnalyzer unit, log in as admin.

2. Go to System > Network > Interface.

3. Mark the check box of the network interface which will accept web services connections, then select Edit.

4. In the Administrative Access area, enable WEBSERVICES.

Figure 67: Edit interface window

If it is not already enabled, also enable HTTPS.

5. Select OK.

6. Go to System > Admin > Administrator.

7. Mark the check box of the admin administrator account, then select Edit.

8. In Trusted Host, include the FortiManager unit's IP address. For additional security, restrict the Trusted Host entry to include only the FortiManager unit's IP address (that is, a subnet mask of 255.255.255.255) and your computer's IP address.

9. Select OK.

10. Go to Devices > All Devices > Allowed.

Figure 68: Allowed devices window

11. If the FortiManager unit appears as an unregistered device, mark its check box, then select Register to complete the device registration. If the FortiManager unit does not appear in the device list, select Create New to add the device registration.

12. Select OK.

13. Register the FortiAnalyzer unit with the FortiManager unit’s device list. For details, see the FortiManager v4.0 MR3 Patch Release 7 Administration Guide.

To obtain the WSDL file:

Download the WSDL file directly from the following URL:

https://<FortiAnalyzer_ip_address>:8080/FortiAnalyzerWS?wsdl

The following is a section of the WSDL file:

<definitions name="FortiAnalyzerWS" targetNamespace="http://localhost:8080/FortiAnalyzerWS.wsdl">
<types><schema targetNamespace="urn:FortiAnalyzerWS" elementFormDefault="qualified" attributeFormDefault="qualified">
<import namespace="http://schemas.xmlsoap.org/soap/encoding/"/>
<element name="FortiRequestEl" type="ns:FortiRequest"/>
<element name="FortiResponseEl" type="ns:FortiResponse"/>
<!-- enumerations -->
<simpleType name="SearchContent">
<restriction base="xsd:string"><enumeration value="Logs"/><enumeration value="ContentLogs"/><enumeration value="LocalLogs"/></restriction>
</simpleType>
<simpleType name="ReportType">
<restriction base="xsd:string"><enumeration value="FortiGate"/><enumeration value="FortiClient"/><enumeration value="FortiMail"/></restriction>
</simpleType>
…
<service name="FortiAnalyzerWS"><documentation>gSOAP 2.7.7 generated service definition</documentation>
<port name="FortiAnalyzerWS" binding="tns:FortiAnalyzerWS">
<SOAP:address location="https://localhost:8080/FortiAnalyzerWS"/>
</port></service>
</definitions>
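A small inspector for the WSDL described above, as an added example that is not Fortinet code or from this guide: it lists the enumerated types and the advertised SOAP endpoint, confirms the endpoint is HTTPS as the guide states web services always are, and substitutes the unit's real address for the localhost that the generated file advertises. WSDL_SAMPLE is a constructed, well-formed reduction of the fragment quoted above, and the unit address 172.16.1.20 is the one used earlier in this chapter.

```python
"""Inspect the FortiAnalyzer web-services WSDL before pointing a client at it.

Added example, not Fortinet code. WSDL_SAMPLE is a constructed, well-formed
reduction of the fragment quoted in the guide: the elided parts are simply
closed and the SOAP prefix the fragment uses is declared. The same functions
can be given the text downloaded from
https://<FortiAnalyzer_ip_address>:8080/FortiAnalyzerWS?wsdl; if that source is
not trusted, parse it with defusedxml rather than the standard parser.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

WSDL_SAMPLE = """<definitions name="FortiAnalyzerWS"
    targetNamespace="http://localhost:8080/FortiAnalyzerWS.wsdl"
    xmlns:SOAP="http://schemas.xmlsoap.org/wsdl/soap/">
  <types>
    <schema targetNamespace="urn:FortiAnalyzerWS"
        elementFormDefault="qualified" attributeFormDefault="qualified">
      <element name="FortiRequestEl" type="ns:FortiRequest"/>
      <element name="FortiResponseEl" type="ns:FortiResponse"/>
      <!-- enumerations -->
      <simpleType name="SearchContent">
        <restriction base="xsd:string">
          <enumeration value="Logs"/><enumeration value="ContentLogs"/>
          <enumeration value="LocalLogs"/>
        </restriction>
      </simpleType>
      <simpleType name="ReportType">
        <restriction base="xsd:string">
          <enumeration value="FortiGate"/><enumeration value="FortiClient"/>
          <enumeration value="FortiMail"/>
        </restriction>
      </simpleType>
    </schema>
  </types>
  <service name="FortiAnalyzerWS">
    <documentation>gSOAP 2.7.7 generated service definition</documentation>
    <port name="FortiAnalyzerWS" binding="tns:FortiAnalyzerWS">
      <SOAP:address location="https://localhost:8080/FortiAnalyzerWS"/>
    </port>
  </service>
</definitions>"""


def _local(tag):
    """Drop any '{namespace}' prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def enumerations(wsdl_text):
    """Map each simpleType name to the values its enumeration restriction allows."""
    root = ET.fromstring(wsdl_text)
    result = {}
    for node in root.iter():
        if _local(node.tag) == "simpleType":
            result[node.get("name")] = [e.get("value") for e in node.iter()
                                        if _local(e.tag) == "enumeration"]
    return result


def endpoints(wsdl_text):
    """Return (port name, address location) pairs from the service section."""
    root = ET.fromstring(wsdl_text)
    found = []
    for port in root.iter():
        if _local(port.tag) != "port":
            continue
        for child in port:
            if _local(child.tag) == "address":
                found.append((port.get("name"), child.get("location")))
    return found


def insecure_endpoints(wsdl_text):
    """The guide states web services are always SSL: report any port whose
    advertised location is not https."""
    return [(name, loc) for name, loc in endpoints(wsdl_text)
            if urlsplit(loc).scheme != "https"]


def endpoint_for(location, unit_address):
    """gSOAP advertises 'localhost' in the location; substitute the unit's real
    address (or host name) while keeping scheme, port and path."""
    parts = urlsplit(location)
    port = f":{parts.port}" if parts.port else ""
    return urlunsplit(parts._replace(netloc=f"{unit_address}{port}"))


if __name__ == "__main__":
    for type_name, values in enumerations(WSDL_SAMPLE).items():
        print(f"{type_name}: {', '.join(values)}")
    for name, loc in endpoints(WSDL_SAMPLE):
        print(f"{name}: {endpoint_for(loc, '172.16.1.20')}")
    print("insecure:", insecure_endpoints(WSDL_SAMPLE))
```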

Configuring DNS

System > Network > DNS enables you to configure the FortiAnalyzer unit with the IP addresses of the domain name system (DNS) servers that the FortiAnalyzer unit will query to resolve domain names such as www.example.com into IP addresses.

Figure 69: DNS configuration

FortiAnalyzer units require connectivity to DNS servers for DNS lookups. Your Internet service provider (ISP) may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.

For improved performance, use DNS servers on your local network. Features such as NFS shares can be impacted by poor DNS connectivity.

Configuring static routes

The route list displays the static routes on the FortiAnalyzer unit. Static routes provide the FortiAnalyzer unit with the information it needs to forward a packet to a particular destination other than the default gateway.

To view the routing list, go to System > Network > Routing.

Figure 70: Route list

This window displays the following information:

Move: Select to change the route’s order in the route list.

Insert: Select to add a route before the selected one in the list.

Destination IP/Netmask: Displays the destination IP address and netmask of the packets to which this route applies.

To add a static route:

1. Go to System > Network > Routing.

2. Select Create New.

The new routing entry window opens.

Figure 71:New routing entry window

3. Configure the following settings:

4. Select OK to save the setting.

Configuring network shares

The FortiAnalyzer hard disk can be used as an NFS or Windows network share to store users’

files and/or FortiAnalyzer reports and logs.

By default, this option is not available. To make it appear, select Show Network Sharing in

System > Admin > Settings.

When selecting a network share style, consider the access methods available to your users:

• Microsoft Windows users could connect to a FortiAnalyzer Windows network share by

mapping a drive letter to a network folder

• Apple Mac OS X, Unix or Linux users:

• could mount a FortiAnalyzer Windows network share using SMBFS

• could mount a FortiAnalyzer NFS network share

Gateway Displays the IP address of the router where the FortiAnalyzer unit

forwards packets.

Interface Displays the names of the FortiAnalyzer interfaces through which

intercepted packets are received and sent.

Destination IP/Mask Enter the destination IP address network mask of packets that the

FortiAnalyzer unit has to intercept.

Enter a netmask to associate with the IP address.

Gateway Enter the IP address of the gateway where the FortiAnalyzer unit

will forward intercepted packets.

Interface Select a port through which intercepted packets are received and

sent.


Before a user can access files on the FortiAnalyzer network share:

• network share user accounts and groups must be created (for Windows share only)

• network sharing (Windows or NFS) must be enabled

• the share folder and its file permissions (user access) must be set

Configuring share users

You can create Windows network share user accounts to provide non-administrative access to the logs, reports and hard disk storage of the FortiAnalyzer unit.

Users that are added will not have administrative access to the FortiAnalyzer hard disk or FortiAnalyzer unit. For information about how to add administrative users, see “Configuring administrator related settings” on page 107.

To view the network user list, go to System > Network Sharing > User.

Figure 72: Network share user list

This window displays the following information:

Create New: Select to create a Windows network share user. See “To add a user account:” on page 100.

Edit: Change a selected user’s current settings.

Delete: Remove a selected user’s current settings.

Username: The name of the user.

UID: The user’s identification. This is useful for NFS shares only.

Description: A comment about the user account.

To add a user account:

1. Go to System > Network Sharing > User.

2. Select Create New.

3. Enter the appropriate information for the network share user account and select OK.

Figure 73: User configuration window

4. Configure the following settings:

Username: Enter a user name. The name cannot include spaces.

UID (NFS only): Leave this field empty. This field is for NFS shares only. The NFS protocol uses the UID to determine the permissions on files and folders.

Password: Enter a password for the user.

Description: Enter a description of the user. For example, you might enter the user’s name or a position such as IT Manager.

5. Select OK to save the setting.


Configuring share user groups

You can create Windows network share user groups to maintain access privileges for a large number of users at once. You need to add users before you can create groups.

To view the user group list, go to System > Network Sharing > Group.

Figure 74: User group list

This window displays the following information:

Group: The name of the group. For example, Finance. The name cannot include spaces.

GID: The group ID. This is useful for NFS shares only.

Members: The users that are members of that group.

To add a user group:

1. Go to System > Network Sharing > Group.

2. Select Create New.

The group configuration window opens.

Figure 75: Group configuration window

3. Configure the following settings:

Group: Enter the name of the group.

GID (NFS only): Leave this field empty. This field is for NFS shares only. The GID is the unique numerical identification for a group. The NFS protocol uses the GID to determine the permissions on files and folders.

Available Users: The available users that you can add to the group. Select a user and then select the right arrow to move that user to the Members area.

Members: The users that are included in the group. If you do not want a user included as a member, select a user and then select the left arrow to move that user back to the Available Users area.

4. Select OK to save the setting.

Configuring Windows shares

You can configure the FortiAnalyzer unit to provide folder and file sharing using Windows sharing.

To view users with Windows share access to the FortiAnalyzer unit, go to System > Network Sharing > Windows Share.

Figure 76: Windows network share user list


This window displays the following information:

Enable Windows Network Sharing: Select the check box to enable Windows network sharing.

Workgroup: Enter the name of the work group and then select Apply.

Local Path: The shared file or folder path.

Share as: The share name.

Read Only User: A list of users or groups that have read-only access to the folder or files.

Read Write User: A list of users or groups that have read-write access to the folder or files.

To configure a Windows share:

1. Go to System > Network Sharing > Windows Share.

2. Select Create New.

The Windows share configuration window opens.

Figure 77: Windows share configuration window

3. Configure the following settings:

Local Path: Type a folder directory, such as /Storage/Mail, or select the local path icon to choose a folder to share on the FortiAnalyzer hard disk. If you type a directory, you must start with /Storage. The default permission for files and folders is read and execute privileges. The owner of the document also has write privileges. You must select the write permission for the folder, user and the group to enable write permissions. For more information, see “Default file permissions on NFS shares” on page 107.

Share Name: The name of the share configuration.

Available Users & Group: The list of users and groups that are available for Windows network shares. For information on adding users and groups, see “Configuring share users” on page 100. Select a user and then select the right arrow that points to the permission list that you want that user or group to be under, either Read-Only Access or Read-Write Access.

Read-Only Access: Users or groups that do not have permission to edit or change settings. To remove a user or group from either access list, select the user or group and then select the left arrow to move it back to the Available Users & Groups list.

Read-Write Access: Users or groups that have permission to edit or change settings. To remove a user or group from either access list, select the user or group and then select the left arrow to move it back to the Available Users & Groups list.

4. Select OK to save the setting.

Configuring NFS shares

You can configure the FortiAnalyzer unit to provide folder and file sharing using NFS sharing.

To view a list of users with NFS share access to the FortiAnalyzer unit, including access privileges, go to System > Network Sharing > NFS Export.

Figure 78: List of users with NFS share access

This window displays the following information:

Enable NFS Exports: Select the check box beside Enable NFS Exports and then select Apply to enable NFS shares.

Local Path: The path the user has permission to connect to.

Remote Clients: A list of users that have access to the folder or files.

Read Only User: A list of users or groups that have read-only access to the folder or files.

Read Write User: A list of users or groups that have read-write access to the folder or files.

To add a new NFS share configuration:

1. Configure DNS and a default route. For information, see “Configuring network settings” on page 91.

NFS exports are file system-level mounts. Bad DNS or routing connectivity can cause very slow access or 'hangs' when trying to write a file using NFS.

2. Go to System > Network Sharing > NFS Export.

3. Select Enable NFS Exports and select Apply.

4. Select Create New.

Figure 79: NFS export configuration window

5. Configure the following settings:

Local Path: Type a folder directory, such as /Storage/Mail, or select the local path icon to choose a folder to share on the FortiAnalyzer hard disk. If you type a directory, you must start with /Storage. The default permissions for files and folders are read and execute privileges. The owner of the document also has write privileges. You must select the write permission for the folder and for the user and the group to enable write access for users and groups. For more information, see “Default file permissions on NFS shares” on page 107.

Remote Client (Host, subnet, FQDN): Enter the IP address or domain name of an NFS client, such as a FortiMail unit configured for NFS storage. This client can access the NFS share folder.

Permissions: Select the type of permissions. The type of permission selected determines which list the NFS client will be put in.

• Read Only – users connecting to the share can list and read files.

• Read Write – users connecting to the share can list, read, create, modify, and delete files.

Add: Select to add the NFS client to either the Read-Only Access list or the Read-Write Access list, depending on the permission selected.

Delete: Select the check box beside the NFS client in either the Read-Only Access list or the Read-Write Access list, and then select Delete to remove it.

Read-Only Access: The list of remote clients that have read-only access.

Read-Write Access: The list of remote clients that have both read and write access.

6. Select OK.

7. Configure the NFS client to connect to the FortiAnalyzer unit and mount the share.

Default file permissions on NFS shares

By default, when a user adds a new file or folder, the permissions are:

• read, write, and execute for the owner (user)

• read and execute for the Admin group and Others group.

You can set file permissions in the CLI. For more information, see the config nas share command in the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.

Configuring administrator related settings

The Admin menu manages administrator accounts, access profiles, and RADIUS authentication. It also controls settings for the Web-based Manager that apply to all administrator accounts, and enables you to monitor which administrator accounts are currently logged in.

Configuring administrator accounts

System > Admin > Administrator displays the list of FortiAnalyzer administrator accounts.

In its factory default configuration, a FortiAnalyzer unit has one administrator account, named admin. The admin administrator has permissions that grant full access to the FortiAnalyzer configuration and firmware. After connecting to the Web-based Manager or the CLI using the admin administrator account, you can configure additional administrator accounts with various levels of access to different parts of the FortiAnalyzer configuration.

Administrators may be able to access the Web-based Manager and/or the CLI through the network, depending on the administrator account’s trusted hosts and the administrative access protocols enabled for each of the FortiAnalyzer unit’s network interfaces. For details, see “Configuring the network interfaces” on page 91 and “Trusted Host” on page 110.

To determine which administrators are currently logged in, see “Monitoring administrators” on page 117.


Figure 80: Administrator account list

The following information is available:

Change Password: Change the account password. For more information, see “Changing an administrator’s password” on page 110.

Update Column Settings: Define log columns for an administrator account. You can revert the column settings to the system default if they have been customized, or copy the settings from another administrator account. For information about configuring column settings, see “Displaying and arranging log columns” on page 178.

Name: The assigned name for the administrator.

Trusted Hosts: The IP address and netmask of acceptable locations for the administrator to log in to the FortiAnalyzer unit. If you want the administrator to have access to the FortiAnalyzer unit from any address, use the IP address and netmask 0.0.0.0/0.0.0.0. To limit the administrator to only access the FortiAnalyzer unit from a specific network or host, enter that network’s IP and netmask.

Profile: The access profile assigned to the administrator. For more information, see “Configuring access profiles” on page 110.

Type: Type can be either Local, as a configured administrator on the FortiAnalyzer unit, or Remote Auth if you are using a RADIUS or TACACS+ server on your network.

To add an administrator account:

1. Go to System > Admin > Administrator.

2. Select Create New.

The new administrator window opens.

Figure 81: New administrator window

3. Configure the following settings:

Administrator: Enter the administrator name. You can add the ‘@’ symbol in the name. For example, admin_1@headquarters could identify an administrator that will access the FortiAnalyzer unit from the headquarters office of their organization. The ‘@’ symbol is also useful to those administrators who require RADIUS authentication. You can also configure an administrator account for remote authentication and associate an authentication group as well.

Remote Auth: Select if you are authenticating a specific account on a RADIUS or TACACS+ server.

Wild Card: This option appears only if Remote Auth is enabled. Select if you do not want to set a password for the account on a RADIUS or TACACS+ server.

Auth Group: This option appears only if Remote Auth is enabled. You also need to create an authentication group so that you can select it from the list. For more information about creating an authentication group, see “Configuring authentication groups” on page 112. Select which RADIUS server group to use when authenticating this administrator account.

Backup Password: This option appears only if Remote Auth is enabled and Wildcard is not selected. Optionally, enter a password for the account on a RADIUS or TACACS+ server.

Password: Enter a password for the administrator account. For security reasons, a password should be a mixture of letters and numbers and longer than six characters. If a user attempts to log in and mis-types the password three times, the user is locked out of the system from that IP address for a short period of time. This option does not appear if you select Wildcard, nor when editing the account.


4. Select OK to save the setting.

Changing an administrator’s password

The admin administrator and administrators with read and write permissions can change their own account passwords. Administrator passwords should be at least six characters long, use both numbers and letters, and be changed regularly.

Administrators with read-only permissions cannot change their own password. Instead, the admin administrator must change the password for them.

To change the administrator account password:

1. Go to System > Admin > Administrator.

2. Select an administrator account.

3. Select Change Password.

4. Enter the old password for confirmation.

5. Enter the new password and confirm the spelling by entering it again.

6. Select OK.
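The following is an added example, not part of the guide or Fortinet's code, that checks administrator account definitions against the two settings described above: a Trusted Host of 0.0.0.0/0.0.0.0 permits logins from any address, and a password should mix letters and numbers and be longer than six characters. The account records are constructed; the real values are what you entered in System > Admin > Administrator.

```python
"""Audit FortiAnalyzer administrator account settings (added example).

Checks the two items the guide calls out: a Trusted Host of 0.0.0.0/0.0.0.0
lets the administrator log in from any address, and a password should mix
letters and digits and be longer than six characters. Account records are
constructed here; the real ones come from System > Admin > Administrator.
"""
import ipaddress

ANY_HOST = "0.0.0.0/0.0.0.0"  # the any-address value named in the guide


def parse_trusted_host(trusted_host):
    """Turn 'ip/netmask' (dotted netmask, as typed in the Trusted Host field)
    into an ip_network. strict=False tolerates host bits set in the IP."""
    ip, _, mask = trusted_host.partition("/")
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def is_trusted(source_ip, trusted_hosts):
    """True if source_ip falls inside at least one trusted host entry."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in parse_trusted_host(th) for th in trusted_hosts)


def password_meets_guidance(password):
    """Letters and numbers mixed, and longer than six characters."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return len(password) > 6 and has_alpha and has_digit


def audit_account(account):
    """Return findings for one account dict with keys 'name', 'type'
    ('Local' or 'Remote Auth'), 'trusted_hosts' (list of 'ip/netmask') and,
    for local accounts, 'password'."""
    findings = []
    for th in account["trusted_hosts"]:
        if parse_trusted_host(th).prefixlen == 0:  # 0.0.0.0/0.0.0.0
            findings.append(f"{account['name']}: trusted host {th} allows "
                            "login from any address")
    if account["type"] == "Local" and not password_meets_guidance(
            account.get("password", "")):
        findings.append(f"{account['name']}: password does not meet the "
                        "letters-and-numbers, longer-than-six guidance")
    return findings


# Constructed sample accounts; the passwords are placeholders, not real ones.
SAMPLE_ACCOUNTS = [
    {"name": "admin", "type": "Local", "password": "fa2013x7",
     "trusted_hosts": ["10.10.5.0/255.255.255.0"]},
    {"name": "helpdesk", "type": "Local", "password": "letmein",
     "trusted_hosts": [ANY_HOST]},
    {"name": "noc_1@headquarters", "type": "Remote Auth",
     "trusted_hosts": ["192.0.2.25/255.255.255.255"]},
]


def audit_all(accounts=SAMPLE_ACCOUNTS):
    """Audit every account and return the combined findings."""
    findings = []
    for acct in accounts:
        findings.extend(audit_account(acct))
    return findings


if __name__ == "__main__":
    for line in audit_all():
        print(line)
    # Would a login from 10.10.5.77 be allowed by admin's trusted host?
    print(is_trusted("10.10.5.77", ["10.10.5.0/255.255.255.0"]))
```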

New administrator window settings (continued):

Confirm Password: Re-enter the password for the administrator account to confirm its spelling. This option does not appear if you select Wildcard, nor when editing the account.

Trusted Host: Enter the IP address and netmask of acceptable locations for the administrator to log in to the FortiAnalyzer unit. If you want the administrator to have access to the FortiAnalyzer unit from any address, use the IP address and netmask 0.0.0.0/0.0.0.0. To limit the administrator to only access the FortiAnalyzer unit from a specific network, enter that network’s IP and netmask.

Access Profile: Select an access profile from the list. Access profiles define administrative access permissions to areas of the configuration by menu item. For more information, see “Configuring access profiles” on page 110. This option does not appear for the admin administrator.

Admin Domain: Select an administrative domain (ADOM) from the list. ADOMs define administrative access permissions to areas of the configuration and device data by device or VDOM. For more information, see “Administrative Domains” on page 48. This option does not appear when ADOMs are disabled, nor for the admin administrator.

Configuring access profiles

Access profiles define administrator privileges to parts of the FortiAnalyzer configuration. For example, you can have a profile where the administrator only has read and write access to the reports, or assign read-only access to the DLP archive logs.

Only the admin administrator has access to all configuration areas of a FortiAnalyzer unit by default. Every other administrator must be assigned an access profile.


You can create any number of access profiles. For each profile, you can define what access privileges are granted. Administrator accounts can only use one access profile at a time.

To view the list of access profiles, go to System > Admin > Access Profile.

Figure 82: Access profile list

The following information is displayed:

Profile Name: The name of the access profile.

To create an access profile:

1. Go to System > Admin > Access Profile.

2. Select Create New.

3. The new access profile window opens.

Figure 83: New access profile window

4. Configure the following settings:

Profile Name: Enter a name for the new access profile.

Access Control: Lists the FortiAnalyzer configuration components to which you can set administrator access.

None: The administrator has no access to the function.

Read Only: The administrator can view pages, menus and information, but cannot modify any settings.

Read-Write: The administrator can view pages, menus and information as well as change configurations.


5. Select OK to save the setting.

Administrator accounts can also be restricted to specific devices or FortiGate units with VDOMs in the FortiAnalyzer device list. For more information, see “Administrative Domains” on page 48.

Configuring authentication groups

Auth Group enables you to group RADIUS servers into logical arrangements for administrator authentication.

You must first configure at least one RADIUS server before you can create an authentication group. For information on creating RADIUS servers, see “Configuring RADIUS servers” on page 113.

To view the list of auth groups, go to System > Admin > Auth Group.

Figure 84: Authentication group list

Group Name: The name of the authentication group.

Members: RADIUS servers in the group.

To add a group:

1. Go to System > Admin > Auth Group.

2. Select Create New.


Figure 85: New Auth Group window

3. Enter a name for the group.

4. Select the servers from Available Auth Servers to add to the group and select the right arrow.

5. Select OK.

Configuring RADIUS servers

If you already have a RADIUS server for authentication, you can configure the FortiAnalyzer unit to have it perform the authentication. RADIUS servers authenticate administrators.

To view the RADIUS server list, go to System > Admin > RADIUS Server.

Figure 86: RADIUS server list

Name: The name that identifies the server.

Server Name/IP: The server name or IP address of that server.

To add a RADIUS server:

1. Go to System > Admin > RADIUS Server, select Create New.

The new RADIUS server window opens.


Figure 87: New RADIUS server window

2. Configure the following settings:

Name: Enter a name to identify the server.

Primary Server Name/IP: Enter the primary IP address for the server.

Primary Server Secret: Enter the password for the primary server.

Secondary Server Name/IP: Enter the secondary IP address for the server. This is in case the primary one goes out of service.

Secondary Server Secret: Enter the password for the secondary server.

Authentication Protocol: Select which protocol the FortiAnalyzer unit will use to communicate with the RADIUS server.

3. Select OK to save the setting.

Configuring TACACS+ servers

If you already have a TACACS+ server for authentication, you can configure the FortiAnalyzer unit to have it perform the user authentication. TACACS+ servers authenticate administrators.

Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a user name and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user.

There are several different authentication protocols that TACACS+ can use during the authentication process:

• ASCII

This is a machine-independent technique that uses representations of English characters. It requires the user to type a user name and password that are sent in clear text (unencrypted) and matched with an entry in the user database stored in ASCII format.

• PAP (password authentication protocol)

PAP is used to authenticate PPP connections. It transmits passwords and other user information in clear text.

• CHAP (challenge-handshake authentication protocol)


CHAP provides the same functionality as PAP, but is more secure as it does not send the password and other user information over the network to the security server.

• MS-CHAP (Microsoft challenge-handshake authentication protocol v1)

This is the Microsoft-specific version of CHAP.

The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.
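The following is an added example, not FortiAnalyzer's or any TACACS+/RADIUS server's code, that models the PAP and CHAP exchanges named above as defined in RFC 1334 and RFC 1994 (MD5) and reports what a passive observer of each exchange learns. The user name, shared secret and challenge are constructed.

```python
"""PAP versus CHAP on the wire (added example, generic protocol simulation).

Both sides of each exchange are modelled from RFC 1334 (PAP) and RFC 1994
(CHAP with MD5). The point is the difference in exposure: PAP carries the
password itself, CHAP carries only a hash bound to a fresh challenge. User
name and secret below are constructed placeholders.
"""
import hashlib
import secrets


def pap_request(user, password):
    """PAP Authenticate-Request: the credentials travel in clear text."""
    return {"code": "Authenticate-Request", "peer_id": user,
            "password": password}


def pap_verify(request, user_db):
    """Server side: compare the clear-text password with the stored one."""
    return user_db.get(request["peer_id"]) == request["password"]


def chap_response_value(identifier, secret, challenge):
    """RFC 1994 section 4.1: MD5(Identifier || secret || Challenge). MD5 is
    what the RFC specifies; CHAP's protection comes from the fresh challenge,
    not from the hash's collision resistance."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_challenge(identifier, length=16):
    """Server side: an unpredictable challenge that is not reused."""
    return {"code": "Challenge", "id": identifier,
            "value": secrets.token_bytes(length)}


def chap_response(challenge, user, secret):
    """Client side: prove knowledge of the secret without sending it."""
    return {"code": "Response", "id": challenge["id"], "name": user,
            "value": chap_response_value(challenge["id"], secret,
                                         challenge["value"])}


def chap_verify(challenge, response, user_db):
    """Server side: recompute the hash from its own copy of the secret. The
    identifier must match the outstanding challenge so a stale response
    cannot be replayed against a different challenge."""
    if response["id"] != challenge["id"]:
        return False
    secret = user_db.get(response["name"])
    if secret is None:
        return False
    expected = chap_response_value(challenge["id"], secret, challenge["value"])
    return secrets.compare_digest(expected, response["value"])


def secret_exposed(messages, secret):
    """True if the secret itself appears in any captured message field."""
    as_text = secret.decode(errors="replace")
    return any(v == secret or v == as_text
               for msg in messages for v in msg.values())


# Constructed sample: one administrator and a placeholder shared secret.
USER_DB = {"admin_1@headquarters": b"c0rrect-h0rse"}


def run_pap():
    """Return (authenticated, secret_visible_on_wire) for a PAP login."""
    req = pap_request("admin_1@headquarters", "c0rrect-h0rse")
    db = {u: s.decode() for u, s in USER_DB.items()}
    return pap_verify(req, db), secret_exposed([req], b"c0rrect-h0rse")


def run_chap(secret=b"c0rrect-h0rse"):
    """Return (authenticated, secret_visible_on_wire) for a CHAP login
    where the client holds `secret`."""
    chal = chap_challenge(identifier=1)
    resp = chap_response(chal, "admin_1@headquarters", secret)
    ok = chap_verify(chal, resp, USER_DB)
    return ok, secret_exposed([chal, resp], b"c0rrect-h0rse")


if __name__ == "__main__":
    print("PAP  authenticated=%s secret_on_wire=%s" % run_pap())
    print("CHAP authenticated=%s secret_on_wire=%s" % run_chap())
```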

To view the TACACS+ server list, go to System > Admin > TACACS+ Server.

Figure 88: TACACS+ server list

Name: The name that identifies the server.

Server: The IP address of that server.

Authentication Type: The authentication protocol that a TACACS+ server uses during the authentication process.

To add a TACACS+ server:

1. Go to System > Admin > TACACS+ Server, select Create New.

2. Enter the appropriate information for the server and select OK.

Figure 89: New TACACS+ Server window

Name: Enter a name to identify the server.

Server Name/IP: Enter the server domain name or IP address of the TACACS+ server.

Server Key: Enter the key to access the TACACS+ server.

Authentication Type: Select the authentication type to use for the TACACS+ server.


Configuring the Web-based Manager’s global settings

Administrator settings allow you to configure some common settings for all administrator accounts, including the idle timeout (how much time must pass without activity before the FortiAnalyzer unit logs out an administrator), the language for the Web-based Manager, and the Web-based Manager menu customization (showing or hiding the menu items). You can also enable or disable administrative domains (ADOMs).

To configure administrator settings, go to System > Admin > Settings.

Figure 90: Administrators’ settings

Only the admin administrator can change administrators’ settings.


Configure the following settings:

Idle Timeout: Set the idle timeout to control the amount of inactive time before the administrator must log in again. For better security, keep the idle timeout to a low value (for example, five minutes). When viewing real-time logs, a pop-up window appears 60 seconds before the set idle timeout value is reached, prompting you to keep or cancel the value. If you choose to cancel the set idle timeout value, you will not be logged out after the idle timeout value is reached.

Web Administration [Language]: Select the language for the Web-based Manager.

Web-based Manager Menu Customization: By default, these menu items are hidden. Select one to make it appear in the menu list.

Admin Domain Configuration: Enable or disable administrative domains (ADOMs). For more information on ADOMs, see “Administrative Domains” on page 48. This option does not appear if ADOMs are currently enabled and ADOMs other than the root ADOM exist. This option does not appear on FortiAnalyzer-100B/100C models.

Login Disclaimer: Select Enable to enter a login disclaimer message and select Apply. When you log in next time, you will be asked to accept or decline the disclaimer.

Monitoring administrators

The Monitor page enables the admin administrator to view a list of other administrators that are currently logged in to the FortiAnalyzer unit. The admin administrator can disconnect other administrators’ sessions, should the need arise.

To monitor current administrators, go to System > Admin > Monitor.

Figure 91: Monitoring administrators

To disconnect an administrator, mark the check box next to an administrator’s account name, then select Disconnect.


Configuring log storage & query features

System > Config allows you to configure features such as the SQL database, log-based alerts, log aggregation, log forwarding, remote syslog, SNMP, and RAID.

Configuring SQL database storage

The FortiAnalyzer unit saves received logs to the default proprietary indexed file storage system, which is always ready to accept log data. It can also insert the log data into the Structured Query Language (SQL) database for generating reports. Both local and remote SQL database options are supported. The advantages of using the SQL database are:

• Flexibility: Through the use of standard SQL queries, more flexible reporting capabilities can be offered.

• Scalability: Through the use of a remote SQL database, any upper limit on the amount of available log storage is removed. Furthermore, the hardware of an external SQL database server can be more easily upgraded to support growing performance needs.

The FortiAnalyzer unit inserts logs into a remote SQL database but is not responsible for deleting logs from that database nor for enforcing any type of size quotas. These tasks are the responsibility of the remote SQL database administrator.

The FortiAnalyzer unit stores the log data into the SQL database according to a pre-determined structure called the SQL schema. The schema contains all the possible log fields of every log type and allows the extraction of log data on a per-device and/or per-VDOM basis for any continuous time period.

For each FortiAnalyzer model, the storage limit of the remote SQL database is the same as the size of its local disk. When the log storage level reaches 75, 90, and 95% of the total database capacity, an event alert appears in the Alert Message Console on the dashboard at each of those thresholds. For more information, see “Alert message console widget” on page 78.

Table 6: Remote SQL database storage limit

FortiAnalyzer Model                  Remote SQL database storage limit
FAZ-100B, FAZ-100C                   1 TB
FAZ-200D                             2 TB
FAZ-400B                             2 TB
FAZ-400C                             2 TB
FAZ-800, FAZ-800B                    4 TB
FAZ-1000B, FAZ-1000C                 4 TB
FAZ-2000, FAZ-2000A, FAZ-2000B       6 TB
FAZ-4000A, FAZ-4000B                 24 TB


To configure the SQL database:

1. Go to System > Config > SQL Database.

Figure 92: SQL database

2. Configure the following settings:

Location: Select Disabled to save log data to the proprietary indexed file storage system instead of the SQL database, Local Database to save log data into the local SQL database, or Remote Database to save log data into the remote MySQL database. By default, the local SQL database is PostgreSQL. The selection of location affects the way to configure reports. For more information, see “Reports” on page 201.

Start Time: Select the time when the FortiAnalyzer unit can start to insert log data into the SQL database. This field activates when Local Database or Remote Database is selected.

Type: Select the remote SQL database from the supported list of databases. This field only appears when Remote Database is selected.

Server: Enter the IP address or FQDN of the server on which the remote SQL database is installed. This field only appears when Remote Database is selected.

Database Name: Enter the name for the database in which log tables will be stored. This database should already exist on the MySQL server. If it does not, the FortiAnalyzer unit cannot connect. This field only appears when Remote Database is selected.

User Name / Password: Enter the login information for a user on the database that has permissions to read and write data, and to create tables.

Log Type: Select the log type(s) that you want to save to the SQL database. This field activates when Local Database or Remote Database is selected.

3. Complete the fields and select Apply.

Upgrade notice

If you choose the proprietary indexed file system for log storage, an upgrade notice appears when you log in to the Web-based Manager, asking if you want to switch to the SQL database and migrate all logs to the SQL database.

Figure 93: Database upgrade notice

If you want to switch to the SQL database, select Upgrade Now and select local or remote SQL database, then select OK. For more information about SQL database configuration, see “To configure the SQL database:” on page 119.

Your logs stored in the proprietary indexed file system will still be kept after the switch.

Database switch affects report configuration. For more information, see “Reports” on page 201.

System Page 120 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 121: Fortianalyzer Admin 40 Mr3

Configuring alerts

Log-based alerts define log message types, severities, and sources which trigger administrator

notification. For example, you could configure a trigger on the attack logs with an SMTP server

output, if you want to receive an alert by email when your network detects an attack attempt.

You can notify administrators by email, SNMP, or syslog, as well as the Alert Message Console

widget. For information on viewing alerts through the Web-based Manager, see “Alert message

console widget” on page 78.

To view configured log-based alerts, go to System > Config > Log-based Alerts.

Figure 94: Alert events list

This page displays the following information:

Name - The name given to the log-based alert configuration.

Devices - The devices the FortiAnalyzer unit is monitoring for the log-based alert.

Triggers - The log message types the FortiAnalyzer unit is monitoring for the log-based alert.

Destination - The location where the FortiAnalyzer unit sends the alert message. This can be an email address, SNMP trap, or syslog server.

To add a log-based alert:

1. Go to System > Config > Log-based Alerts, select Create New, enter the appropriate information, then select OK.

Figure 95: Add alert event window

Configure the following settings:

Alert Name - Enter a name indicating the type of alert the FortiAnalyzer unit is monitoring for.

Device Selection - Select the devices the FortiAnalyzer unit monitors for the alert event. Select from the Available Devices list and select the right arrow to move the device name to the Selected Devices list. Hold the SHIFT or CTRL key while selecting to select multiple devices.

Trigger(s) - Select the triggers that the FortiAnalyzer unit uses to decide when to send an alert message. Select the following:

• a log type to monitor, such as Event Log or Attack Log

• the comparison to apply to the severity level of the log messages, such as >=

• the severity of the log message to match, such as Critical

For example, if you select Event Log >= Warning, the FortiAnalyzer unit sends alerts when an event log message has a level of Warning, Error, Critical, Alert, or Emergency.

These options are used in conjunction with Generic Text (located under Log Filters) and Device Selection to specify which log messages will trigger the FortiAnalyzer unit to send an alert message.

Log Filters (Generic Text) - Select Generic Text to enable log filters, and then enter log message filter text. This text is used in conjunction with Trigger(s) and Device Selection to specify which log messages will trigger the FortiAnalyzer unit to send an alert message.

Enter an entire word, delimited by spaces, exactly as it appears in the log messages that you want to match. Inexact or incomplete words or phrases may not match. For example, entering log_i or log_it may not match; entering log_id=0100000075 will match all log messages containing that whole word.

Do not use special characters, such as quotes (‘) or asterisks (*). If the log message that you want to match contains special characters, consider entering a substring of the log message that does not contain special characters. For example, instead of entering User 'admin' deleted report 'Report_1', you might enter admin.

Threshold - Set the threshold, or frequency of matching log messages, that the FortiAnalyzer unit monitors before sending an alert message. For example, set the FortiAnalyzer unit to send an alert only after it receives five emergency messages in an hour.

Destination(s) - Select where the FortiAnalyzer unit sends the alert message.

Send Alert To - Select an email address, SNMP trap, or syslog server from the list. You must configure the SNMP traps or syslog server before you can select them from the list.

For the FortiAnalyzer unit to send an email message, you must configure a DNS server and a mail server account. For information, see “Configuring an email server for alerts & reports” on page 124.

For information on configuring SNMP traps, see “Configuring the SNMP agent” on page 126.

For information on configuring syslog servers, see “Configuring syslog servers” on page 130.

From - When configuring the FortiAnalyzer unit to send an email alert message, enter the sender’s email address. This option only appears after you populate the Send Alert To field.

To - When configuring the FortiAnalyzer unit to send an email alert message, enter the recipient’s email address. This option only appears after you populate the Send Alert To field.

Add - Select to add the destination for the alert message. Add as many recipients as required.

Delete - Select a recipient from the Destination list and select Delete to remove it.

Include Alert Severity - Select the alert severity value to include in the outgoing alert message information.

Configuring an email server for alerts & reports

When the FortiAnalyzer unit receives a log message meeting the alert event conditions, it can send an alert message to an email address via SMTP, informing an administrator of the issue and where it is occurring.

You must first configure an SMTP server so that the FortiAnalyzer unit can send email alert messages.

If the mail server is defined by a domain name, the FortiAnalyzer unit will query the DNS server to resolve the IP address of that domain name. In this case, you must also define a DNS server. For details, see “Configuring DNS” on page 98.

If sending an email by SMTP fails, the FortiAnalyzer unit will re-attempt to send the message every 10 seconds, and will not stop until it succeeds in sending the message or the administrator reboots the FortiAnalyzer unit.

To view the mail server list, go to System > Config > Mail Server.

Figure 96: Mail server list

Test - Verify that the email server is correctly configured. For more information, see “To verify mail server connectivity:” on page 125.

SMTP Server - The name of the email server.

E-Mail Account - The email address used for accessing the account on the email server.

Password - The password used to authenticate to that server. The password appears as ******.

To add a mail server for alerts:

1. Go to System > Config > Mail Server and select Create New.

The mail server settings window opens.

Figure 97: Mail server settings window

2. Configure the following settings:

SMTP Server - The name or address of the SMTP email server.

Enable Authentication - Select to enable SMTP authentication. When set, you must enter an email user name and password for the FortiAnalyzer unit to send email with the account.

E-Mail Account - Enter the user name for logging in to the SMTP server to send alert mails. You only need to do this if you have enabled SMTP authentication. The account name must be in the form of an email address, such as [email protected].

Password - Enter the password for logging in to the SMTP server to send alert email. You only need to do this if you enabled SMTP authentication.

3. Select OK to save the setting.

Mail servers configured to send FortiAnalyzer alerts can also be selected when configuring report profiles and vulnerability scan jobs to email report output. For more information, see “Network Vulnerability Scan” on page 254 and “Indexer based reports” on page 231.

To verify mail server connectivity:

1. Go to System > Config > Mail Server.

2. Select the mail server that you want to verify, then select Test.

Figure 98: Test mail server window

3. Enter an email address in the Send test email to field.

To verify complete connectivity from the FortiAnalyzer unit to the administrator’s inbox, this should be the administrator’s email address.

4. Select Test.

A message appears, indicating the success or failure of sending email to the SMTP server. If the message was successfully sent, verify that it reached the email address.
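The following is an added worked example, not code from the FortiAnalyzer product or this guide. It models the log-based alert settings described above (Trigger(s) as log type plus a severity comparison, Generic Text as one whole space-delimited word, Device Selection, and Threshold as a count of matching messages within a time window) and runs them over a handful of constructed log lines, so you can see why Event Log >= Warning also catches Error, Critical, Alert and Emergency, why log_i does not match where log_id=0100000075 does, and how a threshold of three emergencies in an hour behaves. The field names in the sample lines (devname, log_id, type, pri, msg) and all log_id values other than 0100000075 are assumptions constructed for the example; how the unit resets its threshold counter after an alert is not stated on the page, so the example clears the window after each alert (assumption).

```python
"""Evaluate log-based alert rules, as described above, over sample log lines.

Added example, not Fortinet code. Field names and all log_id values except
0100000075 are constructed for this example, not a real device capture.
"""
import shlex
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Sequence, Tuple

# Lower number = more severe, the usual syslog ordering.
SEVERITY_RANK = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}


def severity_matches(level: str, comparison: str, reference: str) -> bool:
    """'>=' means 'at least as severe as', so Event Log >= Warning also
    covers Error, Critical, Alert and Emergency."""
    lhs = SEVERITY_RANK[level.lower()]
    rhs = SEVERITY_RANK[reference.lower()]
    return {">=": lhs <= rhs, "=": lhs == rhs, "<=": lhs >= rhs}[comparison]


def generic_text_matches(raw_line: str, text: str) -> bool:
    """Documented rule: the filter text must be an entire word delimited by
    spaces, so 'log_i' does not match a line containing 'log_id=0100000075'."""
    return text in raw_line.split(" ")


def parse_log(raw_line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split key=value fields (quoted values allowed) and build the timestamp."""
    fields: Dict[str, str] = {}
    for token in shlex.split(raw_line):
        key, _, value = token.partition("=")
        fields[key] = value
    ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return ts, fields


@dataclass
class AlertRule:
    name: str
    devices: Sequence[str]               # Device Selection
    log_type: str                        # Trigger: log type, e.g. "event" or "attack"
    comparison: str                      # Trigger: ">=", "=" or "<="
    severity: str                        # Trigger: severity to compare against
    generic_text: Optional[str] = None   # Log Filters > Generic Text
    threshold_count: int = 1             # Threshold: messages needed ...
    threshold_window: timedelta = timedelta(hours=1)   # ... within this window
    _recent: Deque[datetime] = field(default_factory=deque, init=False, repr=False)

    def matches(self, raw_line: str, fields: Dict[str, str]) -> bool:
        if fields.get("devname") not in self.devices:
            return False
        if fields.get("type") != self.log_type:
            return False
        if not severity_matches(fields.get("pri", "debug"), self.comparison, self.severity):
            return False
        if self.generic_text and not generic_text_matches(raw_line, self.generic_text):
            return False
        return True

    def record(self, ts: datetime) -> bool:
        """Sliding-window count; True when the threshold is reached. The window
        is cleared afterwards so one burst produces one alert (assumption)."""
        self._recent.append(ts)
        while ts - self._recent[0] > self.threshold_window:
            self._recent.popleft()
        if len(self._recent) >= self.threshold_count:
            self._recent.clear()
            return True
        return False


def evaluate(rules: List[AlertRule], lines: List[str]) -> List[Tuple[str, datetime]]:
    """Return (rule name, timestamp) for every alert the rules would raise."""
    fired = []
    for raw in lines:
        ts, fields = parse_log(raw)
        for rule in rules:
            if rule.matches(raw, fields) and rule.record(ts):
                fired.append((rule.name, ts))
    return fired


SAMPLE_LOGS = [  # constructed; only log_id=0100000075 comes from the guide
    'date=2013-04-12 time=10:00:01 devname=FGT-branch1 log_id=0100000075 type=event subtype=admin pri=warning user=admin msg="User admin logged in from GUI"',
    'date=2013-04-12 time=10:05:00 devname=FGT-branch1 log_id=0100000001 type=event subtype=system pri=information msg="Configuration saved"',
    'date=2013-04-12 time=10:10:00 devname=FGT-branch1 log_id=0420070000 type=attack subtype=ips pri=critical msg="IPS signature matched"',
    'date=2013-04-12 time=10:20:00 devname=FGT-hq log_id=0100000075 type=event subtype=admin pri=error user=admin msg="User admin logged in from GUI"',
    'date=2013-04-12 time=11:00:00 devname=FGT-hq log_id=0100020000 type=event subtype=system pri=emergency msg="Log disk full"',
    'date=2013-04-12 time=11:20:00 devname=FGT-hq log_id=0100020000 type=event subtype=system pri=emergency msg="Log disk full"',
    'date=2013-04-12 time=13:00:00 devname=FGT-hq log_id=0100020000 type=event subtype=system pri=emergency msg="Log disk full"',
    'date=2013-04-12 time=13:30:00 devname=FGT-hq log_id=0100020000 type=event subtype=system pri=emergency msg="Log disk full"',
    'date=2013-04-12 time=13:45:00 devname=FGT-hq log_id=0100020000 type=event subtype=system pri=emergency msg="Log disk full"',
]


def build_rules() -> List[AlertRule]:
    """Fresh rule objects each call, since each rule keeps its own window."""
    return [
        AlertRule("admin-login", ["FGT-branch1"], "event", ">=", "warning", generic_text="log_id=0100000075"),
        AlertRule("attack", ["FGT-branch1", "FGT-hq"], "attack", ">=", "critical"),
        AlertRule("emergency-burst", ["FGT-hq"], "event", "=", "emergency", threshold_count=3),
    ]


if __name__ == "__main__":
    for name, when in evaluate(build_rules(), SAMPLE_LOGS):
        print(f"{when:%H:%M:%S} alert '{name}'")
```

Note that the 11:00 and 11:20 emergencies never reach the threshold of three: by 13:00 they have aged out of the one-hour window, so the alert only fires at 13:45 when three emergencies fall within one hour. The same "more severe or equal" ordering is what Minimum Severity uses in log forwarding later in this chapter.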

Configuring the SNMP agent

Simple Network Management Protocol (SNMP) allows you to monitor hardware on your

network. You can configure the hardware, such as the FortiAnalyzer SNMP agent, to report

system information and send traps (alarms or event messages) to SNMP managers. An SNMP

manager, or host, is typically a computer running an application that can read the incoming trap

and event messages from the agent and send out SNMP queries to the SNMP agents. A

FortiManager unit can act as an SNMP manager, or host, to one or more FortiAnalyzer units.

By using an SNMP manager, you can access SNMP traps and data from any FortiAnalyzer

interface configured for SNMP management access. Part of configuring an SNMP manager is to

list it as a host in a community on the FortiAnalyzer unit it will be monitoring. Otherwise the SNMP manager will not receive any traps from that FortiAnalyzer unit and will not be able to query it.

You can configure the FortiAnalyzer unit to respond to traps and send alert messages to SNMP

managers that were added to SNMP communities. When you are configuring SNMP, you need

to first download and install both the FORTINET-CORE-MIB.mib and

FORTINET-FORTIANALYZER-MIB.mib files so that you can view these alerts in a readable

format. The Fortinet MIB contains support for all Fortinet devices, and includes some generic

SNMP traps; information responses and traps that FortiAnalyzer units send are a subset of the

total number supported by the Fortinet proprietary MIB.

Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use; however, you still need to download both the FORTINET-CORE-MIB.mib and FORTINET-FORTIANALYZER-MIB.mib files regardless.

FortiAnalyzer SNMP is read-only: SNMP v1 and v2 compliant SNMP managers have read-only

access to FortiAnalyzer system information and can receive FortiAnalyzer traps. RFC support

includes most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). FortiAnalyzer

units also use object identifiers from the Fortinet proprietary MIB.

For more information about the MIBs and traps that are available for the FortiAnalyzer unit, see

“SNMP MIB Support” on page 317.

SNMP traps alert you to events that happen, such as a log disk being full or a virus being detected.

SNMP fields contain information about your FortiAnalyzer unit, such as percent CPU usage or

the number of sessions. This information is useful to monitor the condition of the unit, both on

an ongoing basis and to provide more information when a trap occurs.

To configure the SNMP agent, go to System > Config > SNMP.


Figure 99: SNMP access list

Configure the following settings:

SNMP Agent - Select to enable the SNMP agent.

Description - Enter a descriptive name for this FortiAnalyzer unit.

Location - Enter the physical location of the FortiAnalyzer unit, such as a city or floor number.

Contact - Enter the contact information for the person responsible for this FortiAnalyzer unit.

Trap Type - The type of available SNMP trap.

Trigger - Enter a number (percent) for the trap type usage that will trigger a trap. The number can be between 1 and 100.

Threshold - Enter the number of times the trigger value must be reached before a trap is sent. The number can be between 1 and 100.

Sample Period(s) - Enter a time period, in seconds. The number can be between 1 and 28800. The default is 600 seconds, which is 10 minutes. During the configured period, the SNMP agent evaluates the trap type (for example, CPU) once every sample frequency interval. For example, during a period of 600 seconds (10 minutes) with a sample frequency of 60 seconds, the SNMP agent evaluates memory usage every 60 seconds (1 minute).

Sample Frequency(s) - Enter the frequency, in seconds, at which the trap type is sampled during the sample period. The number can be between 1 and 100.

Apply - Select to save the configured settings. Selecting Apply does not save the SNMP communities, because they are saved automatically when they are configured.
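The following is an added example, not Fortinet code, showing how the Trigger, Threshold, Sample Period and Sample Frequency settings above combine to decide when a trap is sent. It takes a constructed series of CPU usage readings, one per Sample Frequency interval, slices it into Sample Periods, counts readings at or above the Trigger percentage, and reports a trap for each period in which that count reaches Threshold. The guide does not describe the agent's exact counting algorithm, so the per-period, at-most-one-trap model and the CPU figures are assumptions; the accepted value ranges are the ones stated on the page.

```python
"""Model of the SNMP trap settings described above (Trigger, Threshold,
Sample Period, Sample Frequency). Added example, not Fortinet code.

Assumption: within each Sample Period the agent takes one reading of the
trap type (CPU or memory usage) every Sample Frequency seconds, counts the
readings at or above the Trigger percentage, and sends at most one trap per
period once that count reaches Threshold. The usage series is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class TrapSettings:
    trap_type: str              # for example "cpu" or "memory"
    trigger_percent: int        # usage at or above this counts as a hit (1-100)
    threshold: int              # hits per period needed to send a trap (1-100)
    sample_period: int = 600    # seconds, 1-28800; default 600 = 10 minutes
    sample_frequency: int = 60  # seconds between readings, 1-100

    def __post_init__(self) -> None:
        # Reject values outside the ranges the settings page accepts.
        checks = {
            "Trigger": (self.trigger_percent, 1, 100),
            "Threshold": (self.threshold, 1, 100),
            "Sample Period": (self.sample_period, 1, 28800),
            "Sample Frequency": (self.sample_frequency, 1, 100),
        }
        for name, (value, lo, hi) in checks.items():
            if not lo <= value <= hi:
                raise ValueError(f"{name} must be between {lo} and {hi}, got {value}")

    @property
    def readings_per_period(self) -> int:
        """600 s period / 60 s frequency = 10 readings per period."""
        return max(1, self.sample_period // self.sample_frequency)


def traps_for_series(settings: TrapSettings, usage: Sequence[int]) -> List[Dict[str, int]]:
    """Walk a usage series (one percentage per Sample Frequency interval) and
    return one record per period in which the trap would be sent."""
    traps: List[Dict[str, int]] = []
    n = settings.readings_per_period
    for period, start in enumerate(range(0, len(usage), n)):
        window = usage[start:start + n]
        hits = sum(1 for value in window if value >= settings.trigger_percent)
        if hits >= settings.threshold:
            traps.append({
                "period": period,
                "start_seconds": period * settings.sample_period,
                "hits": hits,
                "peak_percent": max(window),
            })
    return traps


# Constructed CPU usage: 30 readings = three 10-minute periods at 60 s frequency.
CPU_USAGE = [
    20, 35, 40, 85, 30, 25, 90, 22, 18, 30,   # two brief spikes: fewer than 3 hits
    30, 82, 88, 95, 91, 40, 35, 30, 28, 25,   # four readings at/above 80: sustained load
    15, 20, 18, 22, 80, 19, 17, 16, 21, 20,   # exactly one reading at the trigger value
]

DEFAULT_SETTINGS = TrapSettings("cpu", trigger_percent=80, threshold=3)

if __name__ == "__main__":
    for trap in traps_for_series(DEFAULT_SETTINGS, CPU_USAGE):
        print(trap)
```

With Trigger 80 and Threshold 3 only the second period produces a trap; the two isolated spikes in the first period and the single reading exactly at the trigger in the third do not. Lowering Threshold to 1 makes every period trap, which is the trade-off between catching a short spike and paging on noise.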


The Communities section of the SNMP page displays the following:

Communities - The list of SNMP communities added to the FortiAnalyzer configuration.

Create New - Select to add a new SNMP community. See “Configuring an SNMP community” on page 128.

Edit - Change the selected SNMP community configuration.

Delete - Remove the selected SNMP community configuration. You cannot delete a community if it is used in an alert event. For more information, see “Configuring alerts” on page 121.

Test - Verify the selected SNMP community configuration by sending a test SNMP trap to the SNMP manager. This option only shows whether the test SNMP trap was successfully sent by the FortiAnalyzer unit; you need to go to the SNMP manager to check whether the trap was received. If the test fails, reconfigure the SNMP community that you want to verify. This option is inactive if the SNMP agent configuration has not been saved. See “Apply” on page 127.

# - The sequential order of the communities.

Community Name - The name of the SNMP community.

Queries - The status of SNMP queries for each SNMP community. The query status can be enabled (green check mark) or disabled (gray cross).

Traps - The status of SNMP traps for each SNMP community. The trap status can be enabled (green check mark) or disabled (gray cross).

Enable - Select to enable the SNMP community. By default, an SNMP community is enabled when it is configured.

Configuring an SNMP community

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP community and a printer SNMP community.

You can add an SNMP community to define a destination IP address that can be selected as the recipient (SNMP manager) of FortiAnalyzer unit SNMP alerts. Defined SNMP communities are also granted permission to request FortiAnalyzer unit system information over SNMP.

Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiAnalyzer unit for a different set of events. You can also add the IP addresses of up to 10 SNMP managers to each community.

To add an SNMP community:

1. Go to System > Config > SNMP.

2. Under Communities, select Create New.

The new SNMP community window opens.

Figure 100: New SNMP community window

3. Configure the following settings:

Community Name - Enter a name to identify the SNMP community.

Hosts - Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiAnalyzer unit.

Host Name - The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiAnalyzer unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community.

Interface - Optionally select the name of the interface that this SNMP manager uses to connect to the FortiAnalyzer unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiAnalyzer unit. This can occur if the SNMP manager is on the Internet or behind a router.

Delete - Select a Delete icon to remove an SNMP manager.

Add - Add a blank line to the Hosts list. You can add up to 10 SNMP managers to a single community.

Queries - Enter the port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiAnalyzer unit. Select the Enable check box to activate queries for each SNMP version. Note: The SNMP client software and the FortiAnalyzer unit must use the same port for queries.

Traps - Enter the local and remote port numbers (port 162 for each by default) that the FortiAnalyzer unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select Enable to activate traps for each SNMP version. Note: The SNMP client software and the FortiAnalyzer unit must use the same port for traps.

SNMP Events - Enable each SNMP event for which the FortiAnalyzer unit should send traps to the SNMP managers in this community.

4. Select OK to save the setting.

Configuring syslog servers

By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

You can configure syslog servers to which the FortiAnalyzer unit can send alerts by the syslog protocol. You must add the syslog server before you can select it as a way for the FortiAnalyzer unit to communicate an alert.

To view the syslog servers, go to System > Config > Remote Syslog.

Figure 101: Syslog server list

Test - Verify the syslog server configuration by sending a test message to the server. See “To verify a syslog server configuration:” on page 131.

Name - The name of the syslog server.

IP or FQDN: Port - The IP address or fully qualified domain name (FQDN) of the syslog server, and its port number.

To add a syslog server:

1. Go to System > Config > Remote Syslog.

2. Select Create New, enter the appropriate information, then select OK.

Figure 102: New syslog server window

Name - Enter a name for the syslog server.

IP address (or FQDN) - Enter the IP address or fully qualified domain name of the syslog server.

Port - Enter the syslog server port number. The default syslog port is 514.

To verify a syslog server configuration:

1. Go to System > Config > Remote Syslog.

2. Select the syslog server configuration you want to verify.

3. Select Test.

Table 7: Test syslog server

4. In the Syslog Message field, enter a syslog message such as “This is a test”.

Figure 103: Test syslog server window

5. Select Test.

You need to go to the syslog server to check whether the message has been successfully received. If the test fails, reconfigure the syslog server.

Configuring log aggregation

By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

Log aggregation is a method of collecting log data from one or more FortiAnalyzer units to a central FortiAnalyzer unit.

Log aggregation involves one or more FortiAnalyzer units configured to act as aggregation clients, and a FortiAnalyzer unit configured to act as an aggregation server. The aggregation client sends all of its device logs, including quarantined or archived files, to the aggregation server. The transfer includes the active log up to the point of aggregation (for example, tlog.log) and all rolled logs stored on the aggregation client (tlog.1.log, tlog.2.log, tlog.3.log …). Subsequent log aggregations include only changes; the aggregation client does not re-send previously aggregated logs.

For example, a company may have a headquarters and a number of branch offices. Each branch office has a FortiGate unit and a FortiAnalyzer-100B to collect local log information. Those branch office FortiAnalyzer units are configured as log aggregation clients. The headquarters has a FortiAnalyzer-2000/2000A which is configured as a log aggregator. The log aggregator collects logs from each of the branch office log aggregation clients, enabling headquarters to run reports that reflect all offices.

All FortiAnalyzer models can be configured as a log aggregation client, but log aggregation server support varies by FortiAnalyzer model, due to storage and resource requirements.

Table 8: FortiAnalyzer models that support either an aggregation client or server, or both

FortiAnalyzer Model                  Aggregation Client    Aggregation Server
FAZ-100B, FAZ-100C                   Yes                   -
FAZ-200D                             Yes                   -
FAZ-400B                             Yes                   -
FAZ-400C                             Yes                   -
FAZ-800, FAZ-800B                    Yes                   Yes
FAZ-1000B, FAZ-1000C                 Yes                   Yes
FAZ-2000, FAZ-2000A, FAZ-2000B       Yes                   Yes
FAZ-4000A, FAZ-4000B                 Yes                   Yes

A device that logs to an aggregation client cannot also send its logs to the aggregation server, since the server will refuse them. Such a device still appears in the device list of the aggregation server; you can easily identify these devices because they do not have Rx and Tx permissions.

On the aggregation server, configure the device quotas to be equal to or greater than those on the aggregation client to avoid log data loss.

When using log aggregation, all the FortiAnalyzer units must be running the same firmware release and their system time must be synchronized.

For more information about log aggregation port numbers, see the Knowledge Base article Traffic Types and TCP/UDP Ports used by Fortinet Products.

Configuring an aggregation client:

An aggregation client is a FortiAnalyzer unit that sends logs to an aggregation server.

By default, log aggregation is disabled on the FortiAnalyzer unit.

To configure the aggregation client, go to System > Config > Log Aggregation, select Enable log aggregation TO remote FortiAnalyzer, and enter the appropriate information. Select Apply.

Figure 104: Log aggregation client configuration

Configure the following settings:

Enable log aggregation TO remote FortiAnalyzer - Select to enable log aggregation to a remote FortiAnalyzer unit.

Remote FortiAnalyzer IP - Enter the IP address of the FortiAnalyzer unit acting as the aggregation server.

Password - Enter the password for the aggregation server. This password is set when configuring the aggregation server. See “Password” on page 134.

Confirm Password - Enter the password for the aggregation server again.

Aggregation daily at [hh:mm] - Select the time of day when the aggregation client uploads its logs to the aggregation server.

Aggregation Now - Select to start a log aggregation operation immediately. Depending on the amount of new logs since the previous synchronization, the aggregation operation can take some time. It is recommended to perform the aggregation during off-peak hours.

Configuring an aggregation server:

An aggregation server is a FortiAnalyzer unit that receives the logs sent from an aggregation client. FortiAnalyzer-800/800B and higher can be configured as aggregation servers.

By default, log aggregation is disabled on the FortiAnalyzer unit.

The aggregation server needs to have device quotas at least as large as those of the aggregation client. If the device quotas are not correctly configured, log data will be lost.

To configure the aggregation server, go to System > Config > Log Aggregation, select Enable log aggregation TO this FortiAnalyzer, enter the password and confirm it, and then select Apply.

Figure 105: Log aggregation server configuration

Configure the following settings:

Enable log aggregation TO this FortiAnalyzer - Select to enable log aggregation to this FortiAnalyzer unit.

Password - Enter a password for access to this FortiAnalyzer unit.

Confirm Password - Enter the password again to confirm it.

Configuring log forwarding

By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

Log forwarding sends duplicates of log messages received by the FortiAnalyzer unit to a separate syslog server. This can be useful for additional log storage or processing.

The log forwarding destination (remote device IP) may receive either a full duplicate or a subset of the log messages that are received by the FortiAnalyzer unit. Log messages are forwarded only if they meet or exceed the Minimum Severity threshold.

Log forwarding is similar to log uploading or log aggregation, but forwarded logs are sent as individual syslog messages, not as whole log files over FTP, SFTP, or SCP, and not as batches of log files.

By default, log forwarding is disabled on the FortiAnalyzer unit.

To forward logs:

1. Go to System > Config > Log Forwarding.

2. Select Enable log forwarding to remote log server.

Figure 106: Log forwarding

3. Configure the following settings:

Enable log forwarding to remote log server - Select to enable log forwarding to a syslog server.

Remote device IP - Enter the IP address of the external syslog server.

Forward all incoming logs - Select to forward all incoming logs.

Forward only authorized logs - Select to forward only authorized logs (authorized according to a device’s permissions).

Minimum Severity - Select the minimum severity threshold. All log events of equal or greater severity will be transmitted. For example, if the selected minimum severity is Critical, all Emergency, Alert, and Critical log events will be forwarded; other log events will not.

4. Select Apply to save the setting.

Configuring IP aliases

By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

Use IP Alias to assign meaningful names to IP addresses. When configuring reports, or viewing logs and DLP archives, select Resolve Host Name to view the alias rather than the IP address.

IP aliases can make logs and reports easier to read and interpret. For example, you could create an IP alias to display the label mailserver1 instead of its IP address, 10.10.1.54.

When adding an IP alias, you can also include an IP address range. For example:

• 10.10.10.1 - 10.10.10.50

• 10.10.10.1 - 10.10.20.100

To view the IP Alias list, go to System > Config > IP Alias.

Figure 107: List of IP aliases

Import - If you have a text file mapping IP addresses to aliases, you can import the file instead of mapping them one by one on the FortiAnalyzer unit. See “Importing IP aliases” on page 136.

Alias - The name of the IP alias.

Host - The IP address or range for the IP alias.

To add an IP alias:

1. Go to System > Config > IP Alias.

2. Select Create New.

3. Enter a nickname for the IP address in Alias.

4. Enter the IP address or range in Host (Subnet / IP Range).

5. Select OK.

Importing IP aliases

If you have a text file mapping IP addresses to aliases, you can import the file instead of mapping them one by one on the FortiAnalyzer unit. This is a quick way to add the mappings to the FortiAnalyzer unit.

The contents of the text file should be in the following format:

<alias_ipv4> <alias_name>

For example:

10.10.10.1 User_1

There can be only one IP address and alias name entry per line.

To import the alias file:

1. Go to System > Config > IP Alias.

2. Select Import.

3. Enter the path and file name, or select Browse to locate the file.

4. Select OK.
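The following is an added example, not Fortinet code, showing what a resolver built from the IP alias definitions above has to handle: it parses the one-entry-per-line import file format (<alias_ipv4> <alias_name>), reporting rather than silently dropping malformed lines, accepts the range form shown above and, as an extension of the page's single-address format, a CIDR subnet for the Host (Subnet / IP Range) field, and then rewrites src= and dst= addresses in a log line the way Resolve Host Name displays them. The guide does not say how the unit chooses between overlapping entries, so this example prefers the most specific one (an assumption), and the field names src/dst, the addresses, and the log line are all constructed.

```python
"""Resolve IP aliases as the IP Alias list and Resolve Host Name option above
describe. Added example, not Fortinet code. Addresses, field names and the
log line are constructed; overlap handling (most specific entry wins) is an
assumption, and the CIDR form extends the page's single-address import format.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Alias:
    name: str
    first: int   # first address of the entry, as an integer
    last: int    # last address of the entry (inclusive)

    @property
    def size(self) -> int:
        return self.last - self.first + 1

    def contains(self, ip: int) -> bool:
        return self.first <= ip <= self.last


def parse_host(host: str) -> Tuple[int, int]:
    """Accept a single address, a CIDR subnet, or a 'first - last' range."""
    host = host.strip()
    if "-" in host:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in host.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after range end: {host}")
        return int(lo), int(hi)
    if "/" in host:
        net = ipaddress.IPv4Network(host, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    addr = int(ipaddress.IPv4Address(host))
    return addr, addr


def parse_alias_file(text: str) -> Tuple[List[Alias], List[str]]:
    """Parse import-file lines; malformed lines are reported, not silently dropped."""
    aliases: List[Alias] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:   # exactly one address and one name per line
            errors.append(f"line {lineno}: expected '<alias_ipv4> <alias_name>', got {raw!r}")
            continue
        try:
            first, last = parse_host(parts[0])
        except ValueError as exc:   # AddressValueError is a ValueError
            errors.append(f"line {lineno}: {exc}")
            continue
        aliases.append(Alias(parts[1], first, last))
    return aliases, errors


class AliasResolver:
    # Log fields that get rewritten; the key names are constructed for the example.
    _FIELD = re.compile(r"\b(srcip|dstip|src|dst)=(\d{1,3}(?:\.\d{1,3}){3})")

    def __init__(self, aliases: Sequence[Alias]) -> None:
        # Smallest entry first, so a host alias wins over a subnet alias.
        self._aliases = sorted(aliases, key=lambda a: a.size)

    def resolve(self, ip_text: str) -> Optional[str]:
        try:
            ip = int(ipaddress.IPv4Address(ip_text))
        except ValueError:
            return None
        for alias in self._aliases:
            if alias.contains(ip):
                return alias.name
        return None

    def resolve_line(self, line: str) -> str:
        """Replace src=/dst= addresses with their alias, like Resolve Host Name."""
        def swap(match: "re.Match[str]") -> str:
            name = self.resolve(match.group(2))
            return f"{match.group(1)}={name}" if name else match.group(0)
        return self._FIELD.sub(swap, line)


# Constructed import file: two good entries, then two malformed ones.
ALIAS_FILE = """\
10.10.1.54 mailserver1
10.10.10.0/24 branch1_lan
192.168.5.20 bad line here
10.10.300.1 broken_ip
"""

SAMPLE_LOG = "date=2013-04-12 time=10:00:01 type=traffic src=10.10.10.7 dst=10.10.1.54 dstport=25 action=accept"


def build_resolver() -> AliasResolver:
    aliases, _errors = parse_alias_file(ALIAS_FILE)
    # A range entered in the GUI's Host (Subnet / IP Range) field, inside branch1_lan.
    aliases.append(Alias("printer_pool", *parse_host("10.10.10.1 - 10.10.10.50")))
    return AliasResolver(aliases)


if __name__ == "__main__":
    print(build_resolver().resolve_line(SAMPLE_LOG))
```

Surfacing the parse errors matters when importing a file: a line with an extra word or an invalid octet should be corrected rather than quietly skipped, otherwise a host you expected to see by name keeps appearing as a bare address in reports.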

Configuring RAID

RAID (Redundant Array of Independent Disks) helps to divide data storage over multiple disks

which provides increased data reliability. FortiAnalyzer units that contain multiple hard disks can

configure the RAID array for capacity, performance and availability.

From System > Dashboard > Status, you can view the status of the RAID array from the Disk

Monitor widget. The Disk Monitor widget displays the status of each disk in the RAID array,

including the disk’s RAID level. This widget also displays how much disk space is being used.

For more information, see “Disk monitor widget” on page 73.

The Alert Message Console widget, located in System > Dashboard > Status provides detailed

information about RAID array failures. For more information see “Alert message console widget”

on page 78.

If you need to remove a disk from the FortiAnalyzer unit, you can hot swap it. Hot swapping

means that you can remove a failed hard disk and replace it with a new one even while the

FortiAnalyzer unit is still in operation. Hot swapping is a quick and efficient way to replace hard

disks. For more information about hot swapping, see “Swapping hard disks” on page 75.

System > Config > RAID allows you to change the RAID level of the RAID array. Changing the

RAID level will remove all log data from the disks, and the device disk quota may be reduced to

accommodate the available disk space in the new RAID array.

Figure 108: RAID settings


Configure the following settings:

RAID Level - Select a RAID level and select Apply. The FortiAnalyzer unit will reboot, destroy the existing RAID array, create a new RAID array with the specified level, and then create a new file system on the array. All existing data is lost.

Total Disk Space - The amount of disk space available within the RAID array.

Free Disk Space - The amount of free disk space.

Disk # - The number identifying the disk. These numbers reflect which disks are available on the FortiAnalyzer unit. For example, on a FortiAnalyzer-4000A there would be 1-12, whereas on a FortiAnalyzer-2000A there would be 1-6.

Size (GB) - The size of the individual hard disk.

Status - The current status of the hard disk. For example, OK indicates that the hard disk is working normally; Not Present indicates that the hard disk is not being detected by the FortiAnalyzer unit or has been removed and no disk is available; Failed indicates that the hard disk is not working properly.

To change the RAID level:

1. Go to System > Config > RAID.

Alternatively, go to System > Dashboard > Status and, on the Disk Monitor widget, select RAID Settings in the title bar.

2. From RAID Level, select a RAID level.

3. Select Apply to begin the process of changing the RAID level.

The following message appears:

4. Select OK to continue with the process.


Supported RAID levels

RAID levels vary between FortiAnalyzer units. The following table lists the supported RAID levels for each unit, the recommended RAID level, and any additional information.

Table 9: RAID levels

FortiAnalyzer Platform          Supported Levels                                Recommended Level  Note
FAZ-100B, FAZ-100C              RAID is not supported.
FAZ-400B, FAZ-400C              0, 1                                            1                  RAID 0 is supported for only two-disk configuration.
FAZ-800, FAZ-800B               Linear, 0, 1, 5, 10                             10                 RAID 5 can be configured in the CLI; however, using RAID 5 may decrease performance.
FAZ-1000B                       0, 1                                            1                  RAID 0 is supported for only two-disk configuration.
FAZ-1000C                       Linear, 0, 1, 10                                10
FAZ-2000, FAZ-2000A, FAZ-2000B  0, 5, 5 plus spare, 10, 50                      50                 RAID 5 is supported on 2000B with more than three disks.
FAZ-4000A                       0, 5, 5 plus spare, 10, 50                      50
FAZ-4000B                       0, 5, 5 plus spare, 10, 50, 6, 6 plus spare, 60 50

Fortinet recommends having an uninterruptible power supply (UPS) to reduce the possibility of data inconsistencies when power failures occur.

When changing the RAID level, the available levels depend on the number of working disks that are actually present in the unit. For example, RAID 5 is not available on FortiAnalyzer units with fewer than three disks. With a full complement of working disks, the default level is the recommended level in the above table. The following sections assume a full complement except where noted.

You can find out information about RAID from the get system status or diag raid info commands in the CLI.

Linear

A linear RAID level combines all hard disks into one large virtual disk. It is also known as concatenation or JBOD (Just a Bunch of Disks). The total space available in this option is the capacity of all disks used. There is very little performance change when using this RAID format. If any of the drives fails, the entire set of drives is unusable until the faulty drive is replaced. All data will be lost.

RAID 0

A RAID 0 array is also referred to as striping. The FortiAnalyzer unit writes information evenly across all hard disks. The total space available is that of all the disks in the RAID array. There is no redundancy available. If any of the drives fails, the data cannot be recovered. This RAID level is beneficial because it provides better performance, since the FortiAnalyzer unit can distribute disk writing across multiple disks.

RAID 1

A RAID 1 array is also referred to as mirroring. The FortiAnalyzer unit writes information to one hard disk, and writes a copy (a mirror image) of all information to all other hard disks. The total disk space available is that of only one hard disk, as the others are solely used for mirroring. This provides redundant data storage with no single point of failure. Should any of the hard disks fail, there are several backup hard disks available. With a FortiAnalyzer-800 for example, if one disk fails, there are still three other hard disks the FortiAnalyzer unit can access and continue functioning.

RAID 5

A RAID 5 array employs striping with a parity check. The FortiAnalyzer unit writes information evenly across all drives. Additional parity blocks are written on the same stripes. The parity block is staggered for each stripe. The total disk space is the total number of disks in the array, minus one disk for parity storage. For example, on a FortiAnalyzer-800 with four hard disks, the total capacity available is actually the total for three hard disks. RAID 5 performance is typically better with reading than writing, although performance is degraded when one disk has failed or is missing. With RAID 5, one disk can fail without the loss of data. If a drive fails, it can be replaced and the FortiAnalyzer unit will restore the data on the new disk using reference information from the parity volume.

RAID 5 appears in the Web-based Manager only for FortiAnalyzer units with hardware RAID. Fortinet recommends using RAID 10 for redundancy instead of RAID 5 on FortiAnalyzer units with software RAID. RAID 5 can cause decreased performance.

RAID 10

RAID 10 (or 1+0) includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors (RAID 1). The total disk space available is the total number of disks in the array (a minimum of 4) divided by 2. One drive from a RAID 1 array can fail without loss of data; however, should the other drive in the RAID 1 array fail, all data will be lost. In this situation, it is important to replace a failed drive as quickly as possible. The RAID 10 array on each unit is built from:

• two RAID 1 arrays of two disks each (FortiAnalyzer-800/800B)
• three RAID 1 arrays of two disks each (FortiAnalyzer-2000/2000A/2000B)
• six RAID 1 arrays of two disks each (FortiAnalyzer-4000A)
• twelve RAID 1 arrays of two disks each (FortiAnalyzer-4000B)

RAID 50

RAID 50 (or 5+0) includes nested RAID levels 5 and 0, or a stripe (RAID 0) of stripes with parity (RAID 5). The total disk space available is the total number of disks minus the number of RAID 5 sub-arrays. RAID 50 provides increased performance and also ensures no data loss for the same reasons as RAID 5. One drive in each RAID 5 array can fail without the loss of data. For the following FortiAnalyzer units, data is recoverable when:

• two RAID 5 arrays of three disks each (FortiAnalyzer-2000/2000A/2000B)

• three RAID 5 arrays of four disks each (FortiAnalyzer-4000A)

• two RAID 5 arrays of twelve disks each (FortiAnalyzer-4000B)

RAID 5 with hot spare

FortiAnalyzer-2000/2000A/2000B and FortiAnalyzer-4000A/4000B units can use one of their hard disks as a hot spare (a stand-by disk for the RAID), should any of the other RAID hard disks fail. If a hard disk fails, within a minute of the failure, the FortiAnalyzer unit begins to automatically substitute the hot spare for the failed drive, integrating it into the RAID array, and rebuilding the RAID’s data.

When you replace the failed hard disk, the FortiAnalyzer unit uses the new hard disk as the new hot spare. The total disk space available is the total number of disks minus two.

RAID 6

RAID 6 provides fault tolerance from two drive failures; the array continues to operate with up to two failed drives. This makes larger RAID groups more practical, especially for high-availability systems. This becomes increasingly important as large-capacity drives lengthen the time needed to recover from the failure of a single drive. Single-parity RAID levels are as vulnerable to data loss as a RAID 0 array until the failed drive is replaced and its data rebuilt; the larger the drive, the longer the rebuild will take. Double parity gives time to rebuild the array without the data being at risk if a single additional drive fails before the rebuild is complete.

RAID 60

RAID 60 (or 6+0) includes nested RAID levels 6 and 0, or a stripe (RAID 0) of stripes with double parity (RAID 6). The total disk space available is the total number of disks minus the number of RAID 6 sub-arrays. RAID 60 provides increased performance and also ensures no data loss for the same reasons as RAID 6. One drive in each RAID 6 array can fail without the loss of data. For the following FortiAnalyzer unit, data is recoverable when:

• two RAID 6 arrays of twelve disks each (FortiAnalyzer-4000B)

RAID 6 with hot spare

The FortiAnalyzer-4000B unit can use one of its hard disks as a hot spare (a stand-by disk for the RAID), should any of the other RAID hard disks fail. If a hard disk fails, within a minute of the failure, the FortiAnalyzer unit begins to automatically substitute the hot spare for the failed drive, integrating it into the RAID array, and rebuilding the RAID’s data.

When you replace the failed hard disk, the FortiAnalyzer unit uses the new hard disk as the new hot spare. The total disk space available is the total number of disks minus two.
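The capacity and failure rules stated for each RAID level above, turned into a small calculator. This is an added example, not code from the guide or from Fortinet; the `marketing_gb_to_gib` conversion is an assumption made so that results can be compared with Table 10 below, whose Size per Disk column is in decimal GB while the usable values are binary GB.

```python
"""Usable capacity and worst-case fault tolerance for the RAID levels described above.

Added example, not Fortinet code. Each branch applies the rule the guide states for
that level; the 15380 GB ceiling and the RAID 50 sub-array counts are the guide's own
figures. Levels whose usable space the guide does not spell out (RAID 60, RAID 6 with
hot spare) are deliberately left out.
"""
from dataclasses import dataclass
from typing import Optional

# The guide states that ext3 limits the FAZ-4000B to 15380 GB of usable space.
EXT3_LIMIT_GB = 15380

# Number of RAID 5 sub-arrays in a RAID 50 array per platform, as listed in the guide.
RAID50_SUB_ARRAYS = {"FAZ-2000": 2, "FAZ-2000A": 2, "FAZ-2000B": 2,
                     "FAZ-4000A": 3, "FAZ-4000B": 2}


@dataclass(frozen=True)
class RaidPlan:
    level: str
    data_disks: int          # disks' worth of capacity the array exposes
    tolerated_failures: int  # simultaneous disk failures survivable in the worst case


def plan(level: str, n_disks: int, sub_arrays: Optional[int] = None) -> RaidPlan:
    """Apply the guide's rule for a level; raise ValueError if it cannot be built."""
    lvl = level.upper().replace("RAID", "").replace(" ", "")
    if n_disks < 1:
        raise ValueError("at least one disk is required")
    if lvl in ("LINEAR", "0"):
        # Every disk holds data; a single failure makes the whole set unusable.
        return RaidPlan(lvl, n_disks, 0)
    if lvl == "1":
        if n_disks < 2:
            raise ValueError("RAID 1 needs at least two disks")
        # One disk of capacity; data survives until the last mirror copy fails.
        return RaidPlan(lvl, 1, n_disks - 1)
    if lvl == "5":
        if n_disks < 3:
            raise ValueError("RAID 5 needs at least three disks")
        return RaidPlan(lvl, n_disks - 1, 1)
    if lvl == "5+SPARE":
        if n_disks < 4:
            raise ValueError("RAID 5 with hot spare needs at least four disks")
        # One parity disk plus one stand-by disk; still one failure at a time.
        return RaidPlan(lvl, n_disks - 2, 1)
    if lvl == "10":
        if n_disks < 4 or n_disks % 2:
            raise ValueError("RAID 10 needs an even number of disks, at least four")
        # Worst case is both disks of the same mirror pair failing.
        return RaidPlan(lvl, n_disks // 2, 1)
    if lvl == "50":
        if sub_arrays is None or sub_arrays < 2:
            raise ValueError("RAID 50 needs the number of RAID 5 sub-arrays (>= 2)")
        if n_disks % sub_arrays or n_disks // sub_arrays < 3:
            raise ValueError("each RAID 5 sub-array needs at least three disks")
        # One parity disk per sub-array; worst case is two failures in one sub-array.
        return RaidPlan(lvl, n_disks - sub_arrays, 1)
    if lvl == "6":
        if n_disks < 4:
            raise ValueError("RAID 6 needs at least four disks")
        return RaidPlan(lvl, n_disks - 2, 2)  # double parity: any two disks may fail
    raise ValueError(f"level {level!r} is not modelled here")


def marketing_gb_to_gib(size_gb: float) -> float:
    """Assumption: Table 10 lists disks in decimal GB but usable space in binary GB."""
    return size_gb * 1e9 / 2 ** 30


def usable_gb(level: str, n_disks: int, disk_gib: float, sub_arrays: Optional[int] = None,
              fs_limit_gb: float = EXT3_LIMIT_GB) -> float:
    """Usable space of the array, capped by the file-system limit the guide describes."""
    raw = plan(level, n_disks, sub_arrays).data_disks * disk_gib
    return min(raw, fs_limit_gb)


def survives(level: str, n_disks: int, failed: int, sub_arrays: Optional[int] = None) -> bool:
    """True when the array still holds its data after `failed` simultaneous disk failures."""
    return failed <= plan(level, n_disks, sub_arrays).tolerated_failures


if __name__ == "__main__":
    # Constructed check against the FAZ-2000A, 6 x 250 GB row of Table 10.
    gib = marketing_gb_to_gib(250)
    for lvl in ("0", "5", "5+spare", "10", "50"):
        print(f"RAID {lvl:<8} {usable_gb(lvl, 6, gib, RAID50_SUB_ARRAYS['FAZ-2000A']):7.0f} GB")
    print("FAZ-4000B RAID 0:", usable_gb("0", 24, 932), "GB (file-system cap applied)")
```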

RAID array capacity

Based on the hard disk numbers and sizes, the following table lists the RAID array capacity for selected FortiAnalyzer platforms. You can use the table as a reference for choosing RAID levels.

Table 10: RAID array capacity for selected FortiAnalyzer platforms (All values are rounded)

Columns: Number of Disks, Size per Disk (GB), then Total Usable Disk Space (in GB) for each RAID level. A dash means the level is not offered on that platform.

Platform   Disks  Size (GB)  RAID 0  RAID 1  RAID 5  RAID 5+Spare  RAID 10  RAID 50  RAID 6  RAID 6+Spare  RAID 60
FAZ-400B   2      500        930     460     -       -             -        -        -       -             -
FAZ-400C   2      1000       1860    930     -       -             -        -        -       -             -
FAZ-800B   4      500        1860    465     1390    -             930      -        -       -             -
FAZ-1000B  2      1000       1860    930     -       -             -        -        -       -             -
FAZ-1000C  4      932        3668    917     -       -             1834     -        -       -             -
FAZ-2000A  6      250        1390    -       1160    930           695      930      -       -             -
FAZ-2000A  6      400        2230    -       1863    1490          1110     1490     -       -             -
FAZ-2000A  6      500        2790    -       2320    1860          1390     1860     -       -             -
FAZ-2000B  6      932        5500    -       4582    3666          2750     3666     -       -             -
FAZ-4000A  12     250        2790    -       2560    2320          1396     2320     -       -             -
FAZ-4000A  12     400        4470    -       4090    3720          2330     3720     -       -             -
FAZ-4000A  12     500        5580    -       5120    4650          2790     4650     -       -             -
FAZ-4000B  24     932        15380   -       15380   15380         10990    14653    15380   15380         10990

The FAZ-4000B supports up to 24 disks. Each disk size is 932 GB. In theory, the FAZ-4000B can support a maximum disk space of 24 x 932 GB (close to 24 TB) when the RAID level is 0. However, the FortiAnalyzer unit uses the ext3 file system, which has a 16 TB disk space limitation. Therefore, even if the FAZ-4000B has 24 TB RAID array capacity, the total disk space is limited to 16 TB. This is why the maximum disk space for the FAZ-4000B is 15380 GB.

Configuring LDAP queries for reports

By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

A directory is a set of objects with similar attributes organized in a logical and hierarchical way. Generally, an LDAP directory tree reflects geographic or organizational boundaries, with the Domain Name System (DNS) names at the top level of the hierarchy. The common name identifier for most LDAP servers is cn; however, some servers use other common name identifiers such as uid.

For example, you could use the following base distinguished name:

ou=marketing,dc=fortinet,dc=com

where ou is organization unit and dc is a domain component.

You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units:

ou=accounts,ou=marketing,dc=fortinet,dc=com


By default, the LDAP query occurs over a standard LDAP connection. The FortiAnalyzer unit does not support secure query (TLS or LDAPS) protocols.


Binding occurs when the LDAP server successfully authenticates the user and allows the user access to the LDAP server based on the user’s permissions.

You can configure the FortiAnalyzer unit to use one of two types of binding:

• anonymous: bind using anonymous user search
• regular: bind using user name/password and then search

If your LDAP server requires authentication to perform searches, use the regular type and provide values for user name and password.

In System > Config > LDAP, you can define a query to retrieve a list of LDAP users from a remote LDAP server. LDAP queries are used in FortiAnalyzer reports as an additional filter for the user field, providing a convenient way of filtering log data without having to list the user names manually. For example, you might need to create a scope in a report that is restricted to include only log messages whose user= field matches user names retrieved from the network’s main LDAP server.

For more information about LDAP queries in FortiAnalyzer reports, see “Indexer based reports” on page 231.
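The DN, base DN, common name identifier and bind-type concepts above, as an added example that is not part of the guide or of Fortinet's code: it assembles and validates the search a report scope would issue from the System > Config > LDAP settings, applying the failure rules the settings description states. The `root_dn` argument, the function names and the escaping helpers are this example's own.

```python
"""Build and check the LDAP query a FortiAnalyzer report scope would run.

Added example, not Fortinet code. It models the System > Config > LDAP settings and a
report profile's Group(s) value, and enforces the guide's failure rules: a blank Common
Name Identifier or Base DN fails the query; Server Type Regular needs Bind DN and Bind
Password. DN splitting and filter escaping (RFC 4514 / RFC 4515) are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_LDAP_PORT = 389  # the guide's default; TLS and LDAPS are not supported


@dataclass
class LdapServer:
    name: str
    host: str
    port: int = DEFAULT_LDAP_PORT
    server_type: str = "anonymous"  # "anonymous" or "regular"
    bind_dn: str = ""
    bind_password: str = ""
    cn_identifier: str = "cn"
    base_dn: str = ""


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'ou=accounts,ou=marketing,dc=fortinet,dc=com' into (attr, value) pairs,
    most specific first; a backslash escapes the next character (so an escaped
    comma stays inside the value instead of ending the RDN)."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def is_within(base_dn: str, root_dn: str) -> bool:
    """True when base_dn is root_dn itself or a location below it in the tree."""
    base = [(a, v.lower()) for a, v in split_dn(base_dn)]
    root = [(a, v.lower()) for a, v in split_dn(root_dn)]
    return len(base) >= len(root) and base[len(base) - len(root):] == root


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter so it cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


@dataclass
class SearchRequest:
    host: str
    port: int
    bind_dn: Optional[str]  # None for an anonymous bind
    base_dn: str
    search_filter: str
    cleartext_credentials: bool


def build_report_query(server: LdapServer, group: str, root_dn: str) -> SearchRequest:
    """Produce the search a report scope would run, or raise on the guide's failure cases.
    root_dn (this example's own input) is the directory top-level DN Base DN must lie within."""
    if not server.cn_identifier.strip():
        raise ValueError("Common Name Identifier is blank: the LDAP query for reports will fail")
    if not server.base_dn.strip():
        raise ValueError("Base DN is blank: the LDAP query for reports will fail")
    if not is_within(server.base_dn, root_dn):
        raise ValueError(f"Base DN {server.base_dn!r} is outside the directory {root_dn!r}")
    stype = server.server_type.lower()
    if stype == "regular":
        if not server.bind_dn or not server.bind_password:
            raise ValueError("Server Type Regular requires Bind DN and Bind Password")
        split_dn(server.bind_dn)  # Bind DN must itself be a well-formed DN
        bind_dn = server.bind_dn
    elif stype == "anonymous":
        bind_dn = None
    else:
        raise ValueError(f"unknown Server Type {server.server_type!r}")
    # The Group(s) value comes from the report profile; escape it before it enters the filter.
    search_filter = f"({server.cn_identifier}={escape_filter_value(group)})"
    # Without TLS/LDAPS a Regular bind sends its password unencrypted on port 389; the flag
    # lets an operator see that the bind account must be a read-only, low-privilege one.
    return SearchRequest(server.host, server.port, bind_dn, server.base_dn,
                         search_filter, cleartext_credentials=bind_dn is not None)
```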

To view the LDAP server list, go to System > Config > LDAP.

Figure 109: LDAP server list

Name
    The name of the LDAP server.

Server Name/IP
    The server name or IP address of the LDAP server.

Port
    The port on which the server exchanges information. The default port is 389.

Common Name Identifier
    The name of the common name identifier.

Distinguished Name
    The name of the attribute identifier that is used in the LDAP query filter.

To define an LDAP server query:

1. Go to System > Config > LDAP.
   The new LDAP server window opens.


Figure 110: New LDAP Server window

2. Configure the following settings:

Name
    Enter the name for the LDAP server query.

Server Name/IP
    Enter the LDAP server domain name or IP address.

Server Port
    Enter the port number. By default, the port is 389.

Server Type
    Select whether to use anonymous or authenticated (regular) queries. If selecting Anonymous, your LDAP server must be configured to allow unauthenticated anonymous queries. If selecting Regular, you must also enter the Bind DN and Bind Password.

Bind DN
    Enter an LDAP user name in DN format to authenticate as a specific LDAP user, and bind the query to a DN. This option appears only when the Server Type is Regular.

Bind Password
    Enter the LDAP user’s password. This option appears only when the Server Type is Regular.

Common Name Identifier
    Enter the attribute identifier used in the LDAP query filter. By default, the identifier is cn. For example, if the Base DN contains several objects, and you want to include only objects whose cn=Admins, enter the Common Name Identifier cn and enter the Group(s) value Admins when configuring report profiles. For more information, see “Indexer based reports” on page 231.
    Report scopes using this query require Common Name Identifier. If this option is blank, the LDAP query for reports will fail.


Base DN
    Enter the Distinguished Name of the location in the LDAP directory which will be searched during the query.
    To improve query speed, enter a more specific DN to constrain your search to the relevant subset of the LDAP tree. For example, instead of entering dc=example,dc=com you might enter the more specific DN ou=Finance,dc=example,dc=com. This restricts the query to the “Finance” organizational unit within the tree.
    Report scopes using this query require Base DN. If this option is blank, the LDAP query for reports will fail.

LDAP Distinguished Name Query
    View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. Leave the Base DN field empty for this option to work. For more information, see “Querying for the base DN” on page 145.

3. Select OK to save the setting.

Querying for the base DN

The LDAP Distinguished Name Query list displays the LDAP Server IP address and all the distinguished names associated with the Common Name Identifier for the LDAP server. The tree helps you to determine the appropriate entry for the Base DN field.

In the Base DN field, enter the DN you choose from the list and select OK. The DN appears in the Base DN field of the LDAP server configuration.

Figure 111: LDAP distinguished name query

Backing up the configuration and installing firmware

Backup & Restore displays the date and time of the last configuration backup and the last firmware upload. It also enables you to:

• download and back up a FortiAnalyzer unit’s configuration
• upload and restore a FortiAnalyzer unit’s configuration
• upload a firmware update


Backed up copies of the FortiAnalyzer unit configuration file can be encrypted with a password. When restoring encrypted configuration files, the password must be entered to decrypt the file. For additional information about backing up and restoring configuration, see “Maintaining Firmware” on page 286.

Do not forget the password to the backed up configuration file. A password-encrypted backup configuration file cannot be restored without the password.

To back up the configuration and install firmware, go to System > Maintenance > Backup & Restore.

Figure 112: Backup & Restore page

Configure the following settings:

System Configuration

Last Backup
    The date and time of the last backup to the local PC.

Backup configuration to:
    Currently, the only option on the Web-based Manager is to back up to your local PC. However, you can use the execute backup config command to back up the system configuration to a file on an FTP, SFTP, SCP, or TFTP server. For more information, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.

Encrypt configuration file
    Select to encrypt the backup file. Enter a password in the Password field and enter it again in the Confirm field. You will need this password to restore the file.
    You must encrypt the backup file if you are using a secure connection to a FortiGate or FortiManager device.

Password
    Enter a password to encrypt the configuration file. This password is required when restoring the configuration file.

Confirm
    Enter the password again to confirm.

Backup
    Select to back up the configuration.


Restore configuration from:
    Currently the only option is to restore from a PC.

Filename
    Enter the configuration file name or use the Browse button if you are restoring the configuration from a file on the management computer.

Password
    Enter the password if the backup file is encrypted.

Restore
    Select to restore the configuration from the selected file.

Firmware

Partition
    A partition can contain one version of the firmware and the system configuration.

Active
    A green check mark indicates which partition contains the firmware and configuration currently in use.

Last Upgrade
    The date and time of the last update to this partition.

Firmware Version
    The version and build number of the FortiAnalyzer firmware. If your FortiAnalyzer model has a backup partition, you can:
    • Select Upload to replace with firmware from the management computer.
    • Select Upload and Reboot to replace the existing firmware and make this the active partition.

Scheduling & uploading vulnerability management updates

You can update the engine and vulnerability scan modules in one of the following ways:

• manually upload update packages to the FortiAnalyzer unit from your management computer
• configure the FortiAnalyzer unit to periodically request updates from the FortiGuard Distribution Network (FDN).

You must register and license the FortiAnalyzer unit and purchase and register vulnerability management service with the Customer Service & Support web site, https://support.fortinet.com/, to receive vulnerability management updates from the FDN. See “(Vulnerability Management) Subscribe” on page 148. The FortiAnalyzer unit must also have a valid support contract, which includes VM update subscriptions, and can connect to the FDN or the IP address that you have configured to override the default FDN addresses. For port numbers required for license validation and update connections, see the Knowledge Base article FDN Services and Ports.

For more information about configuring vulnerability scan jobs and viewing vulnerability scan reports, see “Network Vulnerability Scan” on page 254.

To manually upload vulnerability management updates or to configure scheduled vulnerability management updates, go to System > Maintenance > FortiGuard.


Figure 113: FortiGuard Distribution Network window

The following information is displayed:

FortiGuard Subscription Services
    Displays the VCM registration status, engine and module version number, date of last update, and status of the connection to the FortiGuard Distribution Network (FDN).
    A green indicator means that the FortiAnalyzer unit can connect to the FDN or override server.
    An orange indicator means that the FortiAnalyzer unit cannot connect to the FDN or override server. Check the configuration of the FortiAnalyzer unit and any NAT or firewall devices that exist between the FortiAnalyzer unit and the FDN or override server. For example, you may need to add routes to the FortiAnalyzer unit’s routing table.

(Vulnerability Management) Subscribe
    Select to open the Customer Service & Support web site to register the FortiAnalyzer unit and Vulnerability Management Service to receive vulnerability management updates from the FDN.


(VCM Plugin) Update
    Select to upload a VCM upgrade file from your management computer. To obtain a VCM upgrade file, contact Customer Service & Support.
    You might upload a VCM file if you want to provide an immediate update, or use a VCM version other than the one currently provided by the FDN. If you want to use a VCM file other than the one currently provided by the FDN, also disable scheduled updates.
    Note: Manual updates are not a substitute for a connection to the FDN. As with scheduled updates, manual updates require that the FortiAnalyzer unit can connect to the FDN to validate its VCM license.

Service Configuration Options

FortiGuard Server
    Select the Expand arrow to display this FortiAnalyzer unit’s FortiGuard server options for the subscription services.

Use override server address
    Enable Use override server address and enter the IP address and port number of an FDS in the format <IP>:<port>, such as 10.10.1.10:8889.
    If you want to connect to a specific FDN server other than the one to which the FortiAnalyzer unit would normally connect, you can override the default IP addresses by configuring an override server.
    If, after applying the override server address, the FDN status icon changes to indicate availability (a green check mark), the FortiAnalyzer unit has successfully connected to the override server. If the icon still indicates that the FDN is not available, the FortiAnalyzer unit cannot connect to the override server. Check the FortiAnalyzer configuration and the network configuration to make sure you can connect to the FDN override server from the FortiAnalyzer unit.

Use Web Proxy
    Select to enable the FortiAnalyzer unit to connect to the FDN through a web proxy, then enter the IP, Port, and (if required) Name and Password.
    IP: Enter the IP address of the web proxy.
    Port: Enter the port number of the web proxy. This is usually 8080.
    Name: If your web proxy requires a login, enter the user name that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.
    Password: If your web proxy requires a login, enter the password that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.

Vulnerability Management
    Select the Expand arrow to display this FortiAnalyzer unit’s VCM options for the subscription services.


Scheduled Update [Request Update Now]
    Enable scheduled updates, then select the frequency of the update (Every, Daily or Weekly).
    Select Request Update Now if you want to immediately request an update.

Every
    Select to update once every n hours, then select the number of hours in the interval.

Daily
    Select to update once every day, then select the hour. The update attempt occurs at a randomly determined time within the selected hour.

Weekly
    Select to update once a week, then select the day of the week and the hour of the day. The update attempt occurs at a randomly determined time within the selected hour.

Migrating data from one FortiAnalyzer unit to another

By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

You can migrate configuration settings and log data from one FortiAnalyzer unit to another from System > Maintenance > Migration. This is referred to as migrating data, and provides an easy way to have the same information on multiple FortiAnalyzer units without having to manually configure each one.

You can also test the connection between two FortiAnalyzer units before migrating the configuration settings to verify that the connection is working properly.

Before you begin the migration process, you need to verify that each FortiAnalyzer unit is upgraded to FortiAnalyzer v4.0 MR1 or higher. The migration feature is available only in FortiAnalyzer v4.0 MR1 or higher. You also need to decide which FortiAnalyzer unit will be the one used for migrating data to the other before proceeding. Migrating data should be done during a low traffic time period, for example at night, because, depending on the amount of data being transferred, it could take more than an hour to transfer.

When migrating configuration settings and log data from one FortiAnalyzer unit to another, the source FortiAnalyzer unit stops receiving logs from the managed devices as soon as it enters migration mode. If you want to keep the logs from the devices during the migration process, make sure that the managed devices send logs to the destination FortiAnalyzer unit or another compatible log storage location. To send logs to the destination FortiAnalyzer unit, simply swap the IP addresses of the source and destination units by going to System > Network > Interface on each unit. You also need to perform step 5 on the destination unit. You can swap the IP addresses back after the migration completes.

The destination FortiAnalyzer unit will lose all of the data it received before the migration process starts. Back up the important data on the destination unit if necessary.

To migrate data, the firmware release number and build number on the source and destination FortiAnalyzer units must match. Otherwise the migration will fail.


You need to configure both the FortiAnalyzer unit that will be sending data (source FortiAnalyzer unit) and the FortiAnalyzer unit that will be receiving data (destination FortiAnalyzer unit) for migrating configuration settings.

To configure the source FortiAnalyzer unit:

1. On the source FortiAnalyzer unit, log in to the Web-based Manager.
   Remember the login password. You will need it for configuring the destination FortiAnalyzer unit. See “To configure the destination FortiAnalyzer unit for migrating configuration settings:” on page 151.
2. Go to System > Maintenance > Migration.
3. Select Source to enable the FortiAnalyzer unit to send the configuration settings to the other FortiAnalyzer unit.

Figure 114: Migration source

4. In Peer IP, enter the IP address of the FortiAnalyzer unit that will be receiving the data.
5. Select Apply, then select Enter Migration Mode.
   A confirmation message is displayed.
6. Select OK to reboot the FortiAnalyzer unit in migration mode.
   This may take a few minutes. You may need to refresh the page so that the login page appears. You can then log back in to the Web-based Manager to verify that the FortiAnalyzer unit is in migration mode. Only the admin user can log in to the FortiAnalyzer unit in migration mode.
   Only the System > Admin > Settings (Read + Write) and System > Maintenance > Migration (Read + Write) menu items appear in migration mode for a source FortiAnalyzer unit. You can modify these settings and they will be migrated to the destination unit.
   The migration will not start before the destination FortiAnalyzer unit is configured and starts to query the source unit.
7. If you need to modify the Peer IP in migration mode, enter a new one and select Apply.

To configure the destination FortiAnalyzer unit for migrating configuration settings:

1. On the destination FortiAnalyzer unit, log in to the Web-based Manager and go to System > Maintenance > Migration.
2. Select Destination to enable the FortiAnalyzer unit to receive the configuration settings.


Figure 115: Migrating configuration settings

3. Enter the IP address of the source FortiAnalyzer unit.
4. Enter the same password you used when logging in to the source FortiAnalyzer unit.
   The destination FortiAnalyzer unit will use this password to log in to the source FortiAnalyzer unit to get the configuration. The migration will fail if the passwords do not match.
5. If you want this FortiAnalyzer unit to receive logs and data from the registered devices during the migration process, select Accept Logs & Reports.
   The logs and data received from the managed devices during the migration process will not be overridden by the migrated data.
   You can also enable or disable this option during the migration process. For more information, see “Actions during the migration process” on page 153.
6. To receive certain logs and files, expand All Categories and then select what you want to receive. To receive all the categories, select the check box beside All Categories.
7. Select Apply, and then select Test Migration Mode.
   This FortiAnalyzer unit contacts the source FortiAnalyzer unit to validate the migration. The validation focuses on the following:
   • If the source unit and destination unit have different versions of firmware, the destination unit aborts the migration.
   • If the destination unit has data, a warning appears. You may choose to proceed or not.
   • If the source unit is not in migration mode, the destination unit aborts the migration.
   • If the source unit’s IP is wrong or there is a network problem, Migration source is not reachable appears.


8. If the migration mode test is successful, select Enter Migration Mode.
   Only the following menu items appear:
   • System > Dashboard > Dashboard (Read-Only)
   • System > Network > Interface/DNS/Routing (Read + Write)
   • System > Admin > Settings (Read + Write)
   • System > Admin > Maintenance > Migration (Read + Write)
   • Device > All > Device (Read-Only)
   • Log > Log Viewer > Real-time (Read + Write)
   • Tools > File Explorer (Read-Only)
   You can modify the settings with Read + Write privileges and they will not be overridden by the migrated data.
9. If you modify the configurations in migration mode, select Apply.
10. Select Start Migration.
    This may take a few minutes or several hours, depending on the amount of data that is being transferred. For example, if there is 500 GB of data that is being transferred, it will take several hours to send.
    See “Actions during the migration process” on page 153 for actions that can be taken during the migration process.
11. When the migration process is complete, go to the source and destination FortiAnalyzer units.
12. Log in to the Web-based Manager and go to System > Maintenance > Migration.
13. Select Exit Migration Mode.

Actions during the migration process

During the migration process, the destination FortiAnalyzer unit displays and automatically updates phase descriptions, results, and a progress bar with size (such as 123 of 480 GB) and time (such as 18 mins. of estimated 4h14m) indicators. You can check the migration status from both the Web-based Manager and the CLI in real time.

You can also:

• Choose Start/Stop Accepting New Data.
  This action allows the destination unit to accept or deny data from the registered devices. For example, if you want to speed up the data migration process and can afford to lose some logs from the devices, you can select to stop accepting new data. When the destination unit receives new logs and data, messages will appear in the migration status display.
• Choose to pause the ongoing migration process from the destination unit. You can subsequently start again or cancel the migration by selecting the respective button.
• If the destination unit is interrupted unexpectedly, for example, by a power or network failure:
  • the message The migration destination became silent. Please verify its status. appears on the source unit. Select OK.
  • when the destination unit is back in migration mode, resume or cancel the migration by selecting the respective button.


Importing a local server certificate

You can change the FortiAnalyzer unit’s default HTTPS certificate to a new certificate (PKCS #12 format) signed by a certificate authority (CA) other than Fortinet.

This feature is not available in the Web-based Manager. However, you can do it with the following CLI command:

execute admin-cert import {ftp|sftp|scp|tftp} <server_ipv4> <argument1_str> <argument2_str> <argument3_str>

where:

• <argument1_str> – For FTP, SFTP or SCP, enter a user name. For TFTP, enter a directory or file name.
• <argument2_str> – For FTP, SFTP or SCP, enter a password or “-”. For TFTP, enter a file name or PKCS #12 file password or “-”.
• <argument3_str> – For FTP, SFTP or SCP, enter a directory or file name. For TFTP, enter a PKCS #12 file password or “-”.

Web services are automatically encrypted with SSL (HTTPS). The FortiAnalyzer unit automatically generates a self-signed public certificate. To view the public certificate, in the CLI, enter the command:

get system ws-cert

You can use this auto-generated certificate, or you can replace it with your own certificate using the associated set command. FortiManager units with which the FortiAnalyzer unit is registered will automatically accept the new certificate.

For more information on HTTPS access to the Web-based Manager and web services, see “Configuring the network interfaces” on page 91.


Devices

The Devices menu controls connection attempt handling, permissions, disk space quota, and other aspects of devices that are connected to the FortiAnalyzer unit for remote logging, DLP archiving, quarantining, and/or remote management.

For information on traffic types, ports and protocols that FortiAnalyzer units use to communicate with other devices and services, see the Knowledge Base article Traffic Types and TCP/UDP Ports used by Fortinet Products.

This section contains the following topics:

• Configuring connections with devices & their disk space quota
• Configuring device groups
• Classifying FortiGate network interfaces

Configuring connections with devices & their disk space quota

The device list displays devices that are allowed to connect to the FortiAnalyzer unit, including their connection permissions. The list may also display unregistered devices attempting to connect.

Connection attempts occur when a device sends traffic to the FortiAnalyzer unit before you have added the device to the FortiAnalyzer unit. FortiAnalyzer units either ignore the connection attempt, or automatically add the device to the device list as either a registered or unregistered device. This connection attempt handling depends on:

• the type of the device that is attempting to connect;
• your selections in Unregistered Options; and
• whether the maximum number of devices has been reached on the FortiAnalyzer unit.

For more information on:

• connection attempt handling, see “Configuring unregistered device options” on page 167.
• the device number maximum, see “Maximum number of devices” on page 159.
• manually adding a device to the device list, see “Manually configuring a device or HA cluster” on page 160.

Adding a device to the device list configures connections from the device but does not automatically establish a connection. You need to configure the device to send traffic to the FortiAnalyzer unit to establish a connection. For more information, see the FortiOS Handbook, FortiMail Administration Guide, FortiManager Administration Guide, FortiClient Administrator’s Guide, FortiWeb Administration Guide, or your syslog server’s documentation.

Due to the nature of connectivity for certain high availability (HA) modes, FortiGate units in an HA cluster may not be able to send full DLP archives and quarantine data. For more information, see the FortiOS v4.0 MR3 Handbook.

Connection attempts not handled by the device list include log aggregation, log forwarding, and SNMP traps. For more information about configuring connection handling for those types, see “Configuring log aggregation” on page 131, “Configuring log forwarding” on page 134, and “Configuring the SNMP agent” on page 126.


You may want to block connection attempts from devices that you do not want to add to the device list, since connection attempts must be reconsidered with each attempt. For more information, see “Blocking unregistered device connection attempts” on page 168.

Devices may automatically appear on the device list when the FortiAnalyzer unit receives a connection attempt, according to your configuration of Unregistered Options, but devices may also automatically appear as a result of importing log files. For more information, see “Importing a log file” on page 190.

To view the device list, go to Devices > All Devices > Allowed.

Figure 116: Device list

Hover your cursor over an item to display more information. Depending on your column display settings, the columns appearing may vary.


Configure the following settings:

Create New
  Select to manually add a new device to the device list. For information about how to manually add devices, see “Manually configuring a device or HA cluster” on page 160.

Edit
  Reconfigure the selected device connection and retrieve the device’s logs if required. For more information, see “To edit a device and retrieve the device’s logs:” on page 164.

Delete
  Remove the selected devices from the list. You cannot delete a device that is referenced elsewhere in the configuration, such as by being assigned to a device group. To delete the device, first remove all configuration references to that device.
  If you use the default proprietary indexed file storage system for log storage, once a device is removed from the device list, the associated logs and other data, such as DLP archives and the default report profile for the device (that is, the device summary report Default_<device_name>), are deleted. Reports that may already have been generated from the device’s log data, however, are not deleted.
  If you use the local SQL file storage system for log storage, once a device is removed from the device list, the associated logs are not deleted. To delete the logs, use the command execute sql-local remove-device. This command does not remove reports that may already have been generated from the device’s log data.
  If the device is still configured to attempt to connect to the FortiAnalyzer unit and you have configured Unregistered Device Options to display connection attempts from unregistered devices, the device may reappear in the device list.

Register
  This option only appears if you select an unregistered device. Change a selected unregistered device into a registered one. When the Register Device page appears, enter a name for the device, and modify other settings if required. Select OK. The device appears in the Allowed device list. For more information on registering a device, see “Manually configuring a device or HA cluster” on page 160.

Block
  Stop further connection attempts. This option appears if the selected device is an unregistered device. For more information about blocking a device, see “Blocking unregistered device connection attempts” on page 168.

Column Display Settings
  Select to change the columns to view and the order they appear on the page. For more information, see “Displaying and arranging log columns” on page 178.

Search
  Enter the partial or the full name of a device and select the one you want from the list to view or edit.

Name
  The name of the device in the device list. This can be any descriptive name that you want assigned to it, and does not need to be its host name. Select the arrow beside Name to list the devices in either ascending or descending order.
  An orange exclamation point (!) icon before a device name indicates that the device is connecting to the FortiAnalyzer unit and the device’s time zone is not synchronized with the FortiAnalyzer unit’s time zone.

Model
  The model of the device. For example, the device list displays a FortiGate-400A model as FGT400A.

IP Address
  The IP address of the device. If the device has not recently established a connection, 0.0.0.0 appears.

Log, DLP, Quar, IPS
  Mouse over an icon to view when the FortiAnalyzer unit last received logs or data from the device, and whether:
  • the FortiAnalyzer unit has received any logs or data from the device
  • logs are disabled on the device
  • it is an unregistered device
  Only FortiGate units can send DLP archives, quarantine files, and IPS files to the FortiAnalyzer unit.

Secure
  Indicates whether IPsec VPN tunnelling has been enabled for secure transmission of logs, content and quarantined files.
  Caution: A locked icon indicates that secure connection is enabled, but not necessarily fully configured, and the tunnel may not be up. For more information, see “Manually configuring a device or HA cluster” on page 160.

Quota Usage
  The amount of the FortiAnalyzer disk space allocated for the device and how much of that space is used. For information on configuring disk space usage by quarantined files, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.

Virtual Domains
  The number of VDOMs on the device.

Type
  The type of the device: FortiGate unit, FortiManager unit, FortiMail unit, FortiWeb unit, FortiClient installation, or syslog server.

ADOM
  The ADOMs to which the device is assigned. This column does not appear:
  • on FortiAnalyzer-100 models
  • when ADOM is disabled on the FortiAnalyzer unit.
  For more information about ADOM, see “Administrative Domains” on page 48.

Mode
  Indicates whether the device is standalone or in a cluster.

Show
  Select the type of devices to display in the list. You can select devices by type, or select Unregistered to display devices that are attempting to connect but that have not yet been registered or added.

Current Page
  By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 2/10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

Unregistered vs. registered devices

Devices > All Devices > Allowed displays devices, both registered and unregistered, that have attempted to connect to the FortiAnalyzer unit.

A registered device can use all features of the FortiAnalyzer unit, while an unregistered device cannot use most of the FortiAnalyzer unit’s features unless you add/register it.

By default, all supported Fortinet devices are discovered and listed as registered devices. All generic syslog devices are discovered and automatically listed as unregistered devices. You can configure these settings. For more information, see “Configuring unregistered device options” on page 167.

Generic syslog devices cannot be used for features such as reports or DLP archives, and therefore cannot be registered.

You can also manually add/register a device. For more information, see “Manually configuring a device or HA cluster” on page 160.

Maximum number of devices

Each FortiAnalyzer model is designed to support and provide effective logging and reporting capabilities for up to a maximum number of devices (registered and unregistered combined). The following table details these maximums.

Table 11: FortiAnalyzer device limits

| FortiAnalyzer models | Maximum number of devices and/or VDOMs allowed | Maximum number of FortiClient installations allowed | FortiGate models supported | FortiManager models supported | FortiMail models supported | FortiWeb models supported |
|---|---|---|---|---|---|---|
| FAZ-100B, FAZ-100C | 100 | 100 | All | All | All | All |
| FAZ-200D | 200 | 2000 | All | All | All | All |
| FAZ-400B | 200 | 2000 | All | All | All | All |
| FAZ-400C | 200 | 2000 | All | All | All | All |
| FAZ-800, FAZ-800B | 500 | 5000 | All | All | All | All |
| FAZ-1000B | 2000 | No restrictions | All | All | All | All |
| FAZ-1000C | 2000 | No restrictions | All | All | All | All |
| FAZ-2000, FAZ-2000A | 2000 | No restrictions | All | All | All | All |
| FAZ-2000B | 2000 | No restrictions | All | All | All | All |
| FAZ-4000A, FAZ-4000B | 2000 | No restrictions | All | All | All | All |

To view the number of devices currently attempting to connect, see “License Information widget” on page 65.

For networks with more demanding logging scenarios, an appropriate device ratio may be less than the allowed maximum. Performance will vary according to your network size, device types, logging thresholds, and many other factors. When choosing a FortiAnalyzer model, consider your network’s log frequency, and not only your number of devices.

A VDOM or HA cluster counts as a single device towards the maximum number of allowed devices. Multiple FortiClient installations (which can number up to the limit of allowed FortiClient installations) also count as a single device.

For example, a FAZ-100B could register up to either:

• 100 devices
• 99 devices and 100 FortiClient installations
• 99 devices and one HA pair
• 91 devices and 9 VDOMs

When devices attempt to connect to a FortiAnalyzer unit that has reached its maximum number of allowed devices, the FortiAnalyzer unit will reject connection attempts by excess devices, and automatically add those excess devices to the list of blocked devices. For more information about blocked devices, see “Configuring device groups” on page 170.

When the FortiAnalyzer unit has exceeded its maximum number of allowed devices, you will not be able to add devices to the device list. To resume adding devices, you must first block a device that is currently on your device list, then unblock the device you want to add and add it to the device list.

Manually configuring a device or HA cluster

You can add devices to the FortiAnalyzer unit’s device list either manually or automatically. If you have configured Unregistered Options to automatically add known type devices, you may only need to manually add unknown type devices such as a generic syslog server. If you have configured Unregistered Options to list all devices as unregistered, you may be required to add all devices manually. For more information, see “Configuring unregistered device options” on page 167.

If the device has already been automatically added, the device was added to the device list using default settings. You can reconfigure the device connection by manually editing the device in the device list.


All FortiClient installations are added as a single device, rather than as one device configuration per FortiClient installation, and their log messages are stored together. Use the FortiAnalyzer reporting features to obtain network histories for individual FortiClient installations.

You must add the FortiManager system to the FortiAnalyzer device list for the FortiAnalyzer unit to be remotely administered by the FortiManager system. Additionally, you must also:

• enable web services on the FortiAnalyzer network interface that will be connected to the FortiManager system. See “Configuring and using FortiAnalyzer web services” on page 95;
• register the FortiAnalyzer unit with the FortiManager system. See the FortiManager v4.0 MR3 Patch Release 7 Administration Guide;
• be able to connect from your computer to the Web-based Manager of both the FortiManager system and the FortiAnalyzer unit.

To manually add a device or HA cluster:

1. Go to Devices > All Devices > Allowed.

2. Do one of the following:

• To add unregistered devices, at the bottom of the page, select Unregistered from Show. Select an unregistered device and select Register.
• To add other devices, select Create New.

Figure 117: Add a device to an HA cluster

3. Enter the appropriate information.

Figure 118: Add device

Configure the following settings:

Device Type
  Select the device type. The type is automatically pre-selected if you are adding an unregistered device from the device list, or if you are editing an existing device. Other device options vary by the device type.

Device Name
  Enter a name to represent the device, such as FG-1000-1. This can be any descriptive name that you want to assign to it, and does not need to be its host name. The device name is automatically pre-entered if you are adding a FortiClient installation.

IP Address
  Enter the IP address of the device. This option appears only if Device Type is Syslog.

Device ID
  Enter the device ID. Device IDs are usually the serial number of the device, and usually appear on the dashboard of the device’s web-based manager. The device ID is automatically pre-entered if you are adding an unregistered device from the device list, or if you are editing an existing device. This option does not appear if Device Type is Syslog or FortiClient.

Mode
  If you are adding a single unit, select Standalone.
  If you are adding an HA cluster, select HA, then select the devices other than the primary member of the cluster from Available Devices (devices on the FortiAnalyzer unit’s device list) and move them to Membership using the right pointing arrow. The devices are added to the HA cluster. You can also manually enter a device ID in the field under Available Devices and select Add to put it into the HA cluster. Although the manually entered devices will not appear in the device list since they are not added to the FortiAnalyzer unit, they can communicate with the FortiAnalyzer unit through the primary device of the cluster because the primary device synchronizes the configuration with its members.
  All device models in an HA cluster must be the same. The FortiAnalyzer unit will check the first six digits of each device ID to ensure consistency.
  This option appears only if Device Type is FortiGate or FortiManager.

Cluster ID (primary member)
  Enter the ID of the primary member in an HA cluster. This option appears only if Mode is HA.

Disk Allocation (MB)
  Enter the amount of hard disk space allocated to the device’s log and content messages, including quarantined files.
  The allocated space should be at least 10 times the log rolling size for the Log and DLP archive. For example, if you set the log and DLP archive log file roll size to 50 MB, allocate at least 500 MB of disk space for the device.
  Amounts following the disk space allocation field indicate the amount of disk space currently being used by the device, and the total amount of disk space currently available on the FortiAnalyzer unit.

When Allocated Disk Space is All Used
  Select either Overwrite Oldest Files or Stop Logging to indicate what the FortiAnalyzer unit should do when the allocated disk space has been used. For more information about disk space allocation, see “System resources widget” on page 67.

Device Privileges
  Select the connection privileges of the device, such as for sending and viewing log files, DLP archives and quarantined files. Available permissions vary by device type.
  Note: Remotely accessing logs, DLP archive logs and quarantined files is available on FortiGate units running firmware v4.0 or later.

Description
  Enter any additional information on the device. Description information appears when you move the mouse over a device name in the device list.

4. Select OK.

The device appears in the device list. After registration, some device types can be configured for secure connection. For more information, see “Secure” on page 158.

To edit a device and retrieve the device’s logs:

1. Go to Devices > All Devices > Allowed.

2. Select a device and select Edit.

Figure 119: Edit device window

3. Modify the device configuration as required. For more information, see “To manually add a device or HA cluster:” on page 161.

4. If you want to manually retrieve logs from this device, select Retrieve Logs.

5. Select OK.

Manually adding a FortiGate unit using the Fortinet Discovery Protocol

If you configure the FortiAnalyzer unit to respond to Fortinet Discovery Protocol (FDP) packets, FortiGate units running FortiOS v4.0 MR1 or higher can use FDP to locate a FortiAnalyzer unit. Both units must be on the same subnet to use FDP, and they also must be able to connect using UDP. For more information, see “About Fortinet Discovery Protocol” on page 95.

When a FortiGate administrator selects Automatic Discovery, the FortiGate unit sends FDP packets to locate FortiAnalyzer units on the same subnet. If FDP has been enabled for its interface to that subnet, the FortiAnalyzer unit will respond. Upon receiving an FDP response, the FortiGate unit knows the IP address of the FortiAnalyzer unit, and the administrator can configure the FortiGate unit to begin sending log, DLP archive, and/or quarantine data to that IP address. When the FortiGate unit attempts to send data to the FortiAnalyzer unit, the FortiAnalyzer unit detects the connection attempt.

Connection attempts from devices not registered with the FortiAnalyzer unit’s device list may not be automatically accepted. In this case, you may need to manually add the device to the device list. For more information, see “Configuring unregistered device options” on page 167.

For a diagram of traffic types, ports and protocols that FortiAnalyzer units use to communicate with other devices and services, see the Knowledge Base article Traffic Types and TCP/UDP Ports used by Fortinet Products.

To enable the FortiAnalyzer unit to reply to FDP packets:

1. Go to System > Network > Interface.

2. Select Edit for the network interface that should reply to FDP packets.

Figure 120: Enable FDP packets on an interface

3. Enable Fortinet Discovery Protocol.

Figure 121: Edit Interface

4. Select OK.

The FortiAnalyzer unit is now configured to respond to FDP packets on that network interface, including those from FortiGate units’ Automatic Discovery feature. For more information about connecting the FortiGate unit using FDP, see “To connect a FortiGate unit to a FortiAnalyzer unit using FDP:” on page 166.

To connect a FortiGate unit to a FortiAnalyzer unit using FDP:

This procedure is based on the FortiOS v4.0 MR2 release and may change in future releases.

On the FortiGate unit CLI, enter:

config log fortianalyzer setting
    set address-mode auto-discovery
end

The FortiGate unit sends FDP packets to other hosts on the FortiGate unit’s subnet. If a FortiAnalyzer unit exists on the subnet and is configured to reply to FDP packets, it sends a reply.

If your FortiGate unit is connecting to a FortiAnalyzer unit from another network, such as through the Internet or through other firewalls, this may fail to locate the FortiAnalyzer unit, and you may need to configure an IPsec VPN tunnel to facilitate the connection. For more information and examples, see the Knowledge Base article Sending remote FortiGate logs to a FortiAnalyzer unit behind a local FortiGate unit.

For more information about configuring FortiGate unit quarantining, DLP archiving, and/or remote logging, see the FortiGate v4.0 MR3 Administration Guide.

Configuring unregistered device options

You can configure the FortiAnalyzer unit to accept and handle connection attempts from Fortinet devices (known devices) or generic syslog devices (unknown devices) automatically.

Due to the nature of connectivity for certain high availability (HA) modes, full DLP archiving and quarantining may not be available for FortiGate units in an HA cluster. For more information, see the FortiGate HA Overview.

Unregistered Device Options apply to all device types attempting to connect, not just FortiGate units.

To configure device connection attempt handling, go to Devices > All Devices > Unregistered Options.

Figure 122: Unregistered device options window

Configure the following settings:

Known Device Types (FortiGate, FortiManager, FortiClient, FortiMail, FortiWeb, FortiCache)

Ignore connection and log data
  Select to deny any connection attempts and log-sending to the FortiAnalyzer unit from Fortinet devices. This option does not apply to manually added devices. For more information on adding a device manually, see “Manually configuring a device or HA cluster” on page 160.

Allow connection, add to unregistered table, but ignore log data
  Select to allow the devices to connect but list them as unregistered devices. The FortiAnalyzer unit will ignore any logs sent from the devices until you manually register them.

Allow connection, register automatically, and store up to
  Select to allow the connection and automatically register the devices. The FortiAnalyzer unit will store a specified amount of log data from the devices.

Unknown Device Type (Generic Syslog Devices)

Ignore all unknown unregistered devices
  Select to deny any connection attempts from all unknown syslog devices. This option does not apply to manually added devices. For more information on adding a device manually, see “Manually configuring a device or HA cluster” on page 160.

Add unknown unregistered devices to unregistered table, but ignore data
  Select to list unknown syslog devices as unregistered devices and ignore any logs sent from these devices.

Add unknown unregistered devices to unregistered table, and store up to
  Select to list unknown devices as unregistered, and allow the FortiAnalyzer unit to store a specified amount of log data from these devices. The default amount of storage space is 1 000 MB. The available MB of data is determined by how much is currently available on your FortiAnalyzer unit, which fluctuates and is never a fixed number.

Many FortiAnalyzer features are not available for unregistered devices of unknown types. For more information about the differences between unregistered and registered devices, see “Unregistered vs. registered devices” on page 159.

Both registered and unregistered devices count towards the maximum number of devices available for a FortiAnalyzer unit. Too many unregistered devices will prevent you from adding a device. For more information, see “Manually configuring a device or HA cluster” on page 160.

When devices attempt to connect to a FortiAnalyzer unit that has reached its maximum number of allowed devices, the FortiAnalyzer unit will reject connection attempts by excess devices, and automatically add those excess devices to the list of blocked devices. For more information about blocked devices, see “Blocking unregistered device connection attempts” on page 168.

Blocking unregistered device connection attempts

FortiAnalyzer units support a maximum number of devices, including registered and unregistered devices combined. For more information, see “FortiAnalyzer device limits” on page 159. Blocking unregistered devices prevents them from being able to connect to the FortiAnalyzer unit and therefore can free up spots on the unit.

Devices may automatically appear on your list of blocked devices. This can occur when devices attempt to connect after the maximum number of allowed devices has been reached.

To view, delete, or unblock blocked devices, go to Devices > All Devices > Blocked.

Figure 123: Blocked devices

The following information is displayed:

Unblock
  Register a selected device to the FortiAnalyzer unit’s device list. When the Register Device page appears, enter a name for the device, and modify other settings if required. Select OK. The device appears in the Allowed device list. For more information on registering a device, see “Manually configuring a device or HA cluster” on page 160.

Delete
  Remove a selected device from the list of blocked devices. If the device attempts to connect to the FortiAnalyzer unit, it may appear in the device list as an unregistered device, according to your configuration of Unregistered Device Options. For more information, see “Configuring unregistered device options” on page 167.

Device ID
  The unique ID or serial number of the blocked device.

Hardware Model
  The type of device, such as FortiGate, FortiManager, FortiMail, FortiClient, FortiWeb, or syslog server.

IP Address
  The IP address of the blocked device.

To block a device:

1. Go to Devices > All Devices > Allowed.

2. At the bottom of the page, from Show, select Unregistered.

Figure 124: Block a device

3. Mark the check box of the unregistered device that you want to block, then select Block.

The device appears in the blocked devices list (Devices > All Devices > Blocked).
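The admission rules described in “Maximum number of devices”, “Configuring unregistered device options” and “Blocking unregistered device connection attempts” (a per-model device limit from Table 11, known versus unknown device types, the three handling options for each, and automatic blocking of excess devices) can be followed more easily as a small model. The following Python program is an added example written for this guide, not FortiAnalyzer code: the class and function names, the constructed device IDs (FGT-EXAMPLE-…, FCT-EXAMPLE-…), the constructed syslog address 10.0.0.50, and the treatment of FortiClient installations beyond the per-model installation limit are assumptions. It counts how many device-list slots are in use, applies the selected options to each connection attempt, and walks a FAZ-100B up to its limit, where a new syslog device is blocked while further FortiClient installations are still accepted because all installations share one slot.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Table 11: model -> (max devices and/or VDOMs, max FortiClient installations);
# None stands for "No restrictions".
DEVICE_LIMITS: Dict[str, Tuple[int, Optional[int]]] = {
    "FAZ-100B": (100, 100), "FAZ-100C": (100, 100),
    "FAZ-200D": (200, 2000), "FAZ-400B": (200, 2000), "FAZ-400C": (200, 2000),
    "FAZ-800": (500, 5000), "FAZ-800B": (500, 5000),
    "FAZ-1000B": (2000, None), "FAZ-1000C": (2000, None),
    "FAZ-2000": (2000, None), "FAZ-2000A": (2000, None), "FAZ-2000B": (2000, None),
    "FAZ-4000A": (2000, None), "FAZ-4000B": (2000, None),
}

# Known Device Types from Unregistered Options; anything else is an unknown
# (generic syslog) device, which can never be registered.
KNOWN_TYPES = {"FortiGate", "FortiManager", "FortiClient", "FortiMail", "FortiWeb", "FortiCache"}


class KnownPolicy(Enum):
    IGNORE = "Ignore connection and log data"
    UNREGISTERED = "Allow connection, add to unregistered table, but ignore log data"
    AUTO_REGISTER = "Allow connection, register automatically, and store up to"


class UnknownPolicy(Enum):
    IGNORE = "Ignore all unknown unregistered devices"
    UNREGISTERED = "Add unknown unregistered devices to unregistered table, but ignore data"
    UNREGISTERED_STORE = "Add unknown unregistered devices to unregistered table, and store up to"


@dataclass
class Entry:
    device_id: str
    dev_type: str
    registered: bool
    installs: int = 0  # FortiClient installations sharing the single FortiClient entry


@dataclass
class DeviceList:
    model: str
    known_policy: KnownPolicy
    unknown_policy: UnknownPolicy
    allowed: List[Entry] = field(default_factory=list)  # registered + unregistered
    blocked: List[str] = field(default_factory=list)

    def slots_used(self) -> int:
        # A standalone unit, an HA cluster, a VDOM and the FortiClient aggregate are
        # each one entry, and every entry costs one slot towards the model maximum.
        return len(self.allowed)

    def is_full(self) -> bool:
        return self.slots_used() >= DEVICE_LIMITS[self.model][0]

    def add_manually(self, device_id: str, dev_type: str) -> Entry:
        """Create New / Register in the Web-based Manager: refused once the list is full."""
        if self.is_full():
            raise RuntimeError("device limit reached: block a device before adding another")
        entry = Entry(device_id, dev_type, registered=True)
        self.allowed.append(entry)
        return entry

    def handle_attempt(self, device_id: str, dev_type: str) -> str:
        """Apply Unregistered Options and the device limit to one connection attempt."""
        if device_id in self.blocked:
            return "rejected (blocked)"
        if dev_type == "FortiClient":
            fc = next((e for e in self.allowed if e.dev_type == "FortiClient"), None)
            if fc is not None:  # further installations join the existing entry
                fc_limit = DEVICE_LIMITS[self.model][1]
                if fc_limit is not None and fc.installs >= fc_limit:
                    return "rejected (FortiClient installation limit)"  # assumption
                fc.installs += 1
                return "accepted (FortiClient installation added)"
        if any(e.device_id == device_id for e in self.allowed):
            return "accepted (already listed)"
        known = dev_type in KNOWN_TYPES
        if (known and self.known_policy is KnownPolicy.IGNORE) or \
           (not known and self.unknown_policy is UnknownPolicy.IGNORE):
            return "ignored"
        if self.is_full():  # excess devices are rejected and blocked automatically
            self.blocked.append(device_id)
            return "rejected (limit reached, device blocked)"
        register = known and self.known_policy is KnownPolicy.AUTO_REGISTER
        store = register or (not known and self.unknown_policy is UnknownPolicy.UNREGISTERED_STORE)
        self.allowed.append(Entry(device_id, dev_type, register,
                                  installs=1 if dev_type == "FortiClient" else 0))
        if register:
            return "registered automatically (data stored)"
        return "listed as unregistered (%s)" % ("data stored" if store else "data ignored")


def demo() -> dict:
    """Constructed scenario: a FAZ-100B with 99 registered FortiGates already listed."""
    faz = DeviceList("FAZ-100B", KnownPolicy.AUTO_REGISTER, UnknownPolicy.UNREGISTERED_STORE)
    for i in range(99):
        faz.add_manually("FGT-EXAMPLE-%03d" % i, "FortiGate")  # constructed device IDs
    results = {
        "forticlient_1": faz.handle_attempt("FCT-EXAMPLE-1", "FortiClient"),  # takes slot 100
        "syslog": faz.handle_attempt("10.0.0.50", "Syslog"),                  # over the limit
        "forticlient_2": faz.handle_attempt("FCT-EXAMPLE-2", "FortiClient"),  # shares the slot
        "syslog_retry": faz.handle_attempt("10.0.0.50", "Syslog"),            # now blocked
    }
    results["slots_used"] = faz.slots_used()
    results["blocked"] = list(faz.blocked)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

Running the script prints one line per attempt. The order of checks in handle_attempt mirrors the guide: a blocked device is rejected before any option is consulted, the Ignore options suppress the attempt without consuming a slot, the limit is applied before a new entry is created, and only known types can be registered automatically. The syslog device blocked in the demo illustrates the operational point of the section: once a unit is full, a new log source is silently dropped until an administrator frees a slot or unblocks it, so the blocked list (Devices > All Devices > Blocked) is worth reviewing whenever expected logs fail to arrive.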


Figure 125:Blocked devices

Configuring device groups

When you have multiple devices belonging to a department or section of your organization, you

may want to create device groups to simplify log browsing or report configuration.

A device can belong to multiple groups; however, the device cannot be deleted from the device

list until it is removed from all groups.

To view device groups, go to Devices > Group > Device Group.

Figure 126:Device groups

The following information is displayed:

Show: Select the device group type to display, such as FortiGate, FortiManager, FortiMail or syslog groups.

Group Name: The name of the device group.

Members: The names of the devices that belong to the device group.

To configure a device group:

1. Go to Devices > Group > Device Group.

The Create New Group window opens.

Figure 127:Create new group

2. Configure the following settings:

Group Name: Enter a name for the device group.

Group Type: Select the type of device group to create: FortiGate Group, FortiMail Group, FortiManager Group, FortiWeb Group, or Syslog Group. When you select a group type, the devices available to that group appear in the Available Devices field. FortiClient installations are treated as a single device, and so cannot be configured as a device group.

Available Devices: The available devices for the group type you selected in Group Type. Select a device and then use the right arrow to move it to the Members field.

Members: The devices that belong to the group you are creating. To remove a device from the Members field, select the device and then select the left arrow.

3. Select OK.


Classifying FortiGate network interfaces

After a FortiGate unit is added to the FortiAnalyzer unit, you need to assign each FortiGate

network interface to a network interface class (None, LAN, WAN, or DMZ) based on your

FortiGate network interface usage. Traffic between classes determines traffic flow directionality

for reports.

Through the FortiAnalyzer CLI command config log device, you can classify network

interfaces and VLAN subinterfaces according to their connections in your network topology.

Functionally classifying the device’s network interfaces and VLAN subinterfaces as None, LAN,

WAN or DMZ indirectly defines the directionality of traffic flowing between those network

interfaces. For example, FortiAnalyzer units consider log messages of traffic flowing from a

WAN class interface to a LAN or DMZ class interface to represent incoming traffic.

Some report types for FortiGate devices include traffic direction, inbound or outbound traffic

flow. When the FortiAnalyzer unit generates reports involving traffic direction, the FortiAnalyzer

unit compares values located in the source and destination interface fields of the log messages

with your defined network interface classifications to determine the traffic directionality.

The table below illustrates the traffic directionality derived from each possible combination of

source and destination interface class.

For more information on classifying FortiGate network interfaces, see the FortiAnalyzer v4.0

MR3 Patch Release 7 CLI Reference.

Example:

Your FortiGate unit has four interfaces, port1 to port4. Port1 is connected to the WAN; port2 and port3 are connected to the LAN; and port4 is connected to the DMZ.

In this case, traffic from port1 (WAN) to port2 (LAN) is considered incoming, while traffic from port2 to port1 is considered outgoing. Traffic from port2 to port4 (LAN to DMZ) is internal, and traffic that enters and leaves on port1 is external.

Table 12:Traffic directionality by class of the source and destination interface

Source interface class    Destination interface class    Traffic direction
None                      All types                      Unclassified
All types                 None                           Unclassified
WAN                       LAN, DMZ                       Incoming
WAN                       WAN                            External
LAN, DMZ                  LAN, DMZ                       Internal
LAN, DMZ                  WAN                            Outgoing
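The classification and the Table 12 lookup can be applied to raw log lines directly. The following Python is an added example, not code from the FortiAnalyzer guide or from Fortinet: the interface-to-class map mirrors the worked example above (port1 = WAN, port2 and port3 = LAN, port4 = DMZ), the log lines are constructed, and the src_int/dst_int field names are the ones this page shows in its raw-log examples. The raw log format is taken to be space-separated key=value pairs with optionally quoted values.

```python
"""Derive traffic directionality from FortiGate log lines as Table 12 describes.

Added example, not code from the FortiAnalyzer guide or from Fortinet.
The interface map and the log lines below are constructed; the field names
src_int and dst_int are taken from the raw-log examples on this page.
"""
import shlex
from collections import Counter

# Constructed classification of the example FortiGate's interfaces.
INTERFACE_CLASS = {
    "port1": "WAN",
    "port2": "LAN",
    "port3": "LAN",
    "port4": "DMZ",
}

# Constructed raw log lines in FortiGate key=value style.
SAMPLE_LOGS = [
    'date=2013-04-12 time=10:00:01 device_id=FG600B3909601460 type=traffic src=203.0.113.5 src_int=port1 dst=192.168.30.2 dst_int=port2 action=accept msg="inbound web"',
    'date=2013-04-12 time=10:00:02 device_id=FG600B3909601460 type=traffic src=192.168.30.2 src_int=port2 dst=203.0.113.5 dst_int=port1 action=accept msg="outbound web"',
    'date=2013-04-12 time=10:00:03 device_id=FG600B3909601460 type=traffic src=192.168.30.7 src_int=port3 dst=172.16.5.10 dst_int=port4 action=accept msg="lan to dmz"',
    'date=2013-04-12 time=10:00:04 device_id=FG600B3909601460 type=traffic src=198.51.100.8 src_int=port1 dst=203.0.113.9 dst_int=port1 action=deny msg="hairpin"',
    'date=2013-04-12 time=10:00:05 device_id=FG600B3909601460 type=traffic src=10.9.9.9 src_int=port5 dst=192.168.30.2 dst_int=port2 action=accept msg="unclassified port"',
]


def parse_raw_log(line):
    """Split a raw key=value log line into a dict; quoted values keep their spaces."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def interface_class(name, class_map=INTERFACE_CLASS):
    """Class of an interface or VLAN subinterface; anything not classified is None."""
    return class_map.get(name, "None")


def traffic_direction(src_class, dst_class):
    """Table 12: the direction implied by the source and destination interface classes."""
    if "None" in (src_class, dst_class):
        return "Unclassified"
    if src_class == "WAN":
        return "External" if dst_class == "WAN" else "Incoming"
    # Source is LAN or DMZ.
    return "Outgoing" if dst_class == "WAN" else "Internal"


def direction_for_log(line, class_map=INTERFACE_CLASS):
    """Apply the classification to one raw log line."""
    fields = parse_raw_log(line)
    src = interface_class(fields.get("src_int", ""), class_map)
    dst = interface_class(fields.get("dst_int", ""), class_map)
    return traffic_direction(src, dst)


def direction_summary(lines, class_map=INTERFACE_CLASS):
    """Count log lines per direction, the first step of an inbound/outbound report."""
    return Counter(direction_for_log(line, class_map) for line in lines)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        f = parse_raw_log(line)
        print(f"{f['src_int']:>6} -> {f['dst_int']:<6} {direction_for_log(line)}")
    print(dict(direction_summary(SAMPLE_LOGS)))
```

The fifth line shows the caveat in the text: port5 is not in the class map, so its traffic is Unclassified and would be missing from any direction-based report until the interface is classified.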


Log & Archive

The Log & Archive menu displays log messages and DLP archives from registered devices and from the FortiAnalyzer unit itself.

This section includes the following topics:

• Viewing log messages

• Browsing log files

• Backing up logs and archived files

• Configuring rolling and uploading of devices’ logs

• Using eDiscovery

Viewing log messages

Log & Archive > Log Access displays logs for devices that were added to the device list, as well

as the FortiAnalyzer unit itself.

You can view log messages from all devices or a particular device in real-time or within a

specified time frame.

For more information about log messages from FortiGate units, see the FortiGate v4.0 MR3 Log

Message Reference.

To view all log messages, go to Log & Archive > Log Access > All Logs.

FortiAnalyzer units cannot display logs from unregistered devices of an unknown type. To view logs from such a device, add it to the device list first. For more information about adding a device to the device list, see "Configuring connections with devices & their disk space quota" on page 155.

You may need to reschedule the time when logs are rolled, because log file size is now reduced: for example, log files that were rolled every two months may now only need to be rolled every four months. Fortinet recommends upgrading both the FortiGate and FortiAnalyzer units to v4.0 MR1 firmware or later to take full advantage of this feature.

FortiGate units send traffic log messages to the FortiAnalyzer unit only after the session is closed. The real-time log messages you view on the FortiAnalyzer unit therefore lag behind, and do not reflect the current activity on the FortiGate units.

The columns that appear reflect the content found in the log file. You can select an item in a

column to display more information.

Depending on your column display settings, the columns appearing may vary.


Figure 128:All device logs

This page displays the following information:

Show: Select the device or type of device that you want to view logs from. You can select multiple devices.

Timeframe: Select the time frame during which you want to display the logs.

Realtime Log: Select to view the real-time device log messages. After selecting Realtime Log, the Historical Log icon appears. Select it to go back to viewing logs within a specified time frame.

Column Settings: Select to change the columns to view and the order in which they appear on the page. For more information, see "Displaying and arranging log columns" on page 178.

Printable Version: Select to download an HTML file containing all log messages that match the current filters. The HTML file is formatted to be printable. The time required to generate and download a large file varies with the total number of log messages, the complexity of any search criteria, the specificity of your column filters, and the speed of your network connection.

Download Current View: Select to download log files in text (.txt), comma-separated value (.csv), or standard .log (Native) file format. You can also choose to gzip-compress the log files before they are downloaded. The downloaded version matches the current log view, containing only log messages that match your current filter settings.

Search: If you use the proprietary indexed file storage system (SQL Database set to Disabled under System > Config > SQL Database), enter a keyword to perform a simple search on the available log information, then press the Enter key to begin the search. If you use an SQL database (Local Database or Remote Database enabled under System > Config > SQL Database), enter <field_name>=value, such as device_id=FG600B3909601460, to perform a simple search on the available log information, then press the Enter key to begin the search. Log field names and values can be found in logs displayed in Raw format (see "Change Display Options" on page 175), such as device_id=FG600B3909601460, src_int=port1, or dstname=192.168.30.2.

Advanced Search: Select to search the device logs for matching text using two search types: Quick Search and Full Search. For more information, see "Searching the logs" on page 180.

Last Activity: The date and time the log was received by the FortiAnalyzer unit.

Device ID: The ID of the device that sent the log.

Type: The log type.

Level: The severity level of the log.

Device Time: The date and time when the event occurred on the device that sent the log.

Timestamp: The date and time when the log was received by the FortiAnalyzer unit.

Details: The detailed information of the log.

Other Columns: There are over 100 other columns that can be selected, depending on the log type selected.

View n per page: Select the number of rows of log entries to display per page. You can choose up to 1000 entries.

Current Page: Enter a page number, then press Enter to go to that page.

Change Display Options: Select a view of the log file. Selecting Formatted (the default) displays the log in columnar format. Selecting Raw displays the log information as it actually appears in the log file.

Log messages received from a log aggregation device arrive as scheduled transfers, not as real-time messages, so log aggregation devices do not appear in the Real-time log page. Individual high availability (HA) cluster members also do not appear in the Real-time log page, because HA members are treated as a single device. For more information about log aggregation, see "Configuring log aggregation" on page 131.

To view a type of log, go to Log & Archive > Log Access and select a log type:

• Event Log: records all event activities, such as an administrator adding a firewall policy on a FortiGate unit.

• UTM Log: the unified threat management log combines the IPS (Attack), Application Control, Web Filter, Antivirus, Data Leak (DLP), and Email Filter logs. By default, this option is not available. To make it appear, enable Show Consolidated UTM Log in System > Admin > Settings.

• IPS (Attack): records all attacks detected against your network. These log messages also contain links to the Fortinet Vulnerability Encyclopedia, where you can better assess the attack. This option does not appear if you enable Show Consolidated UTM Log in System > Admin > Settings.

• Application Control: records the application traffic generated by the applications on the device. This option does not appear if you enable Show Consolidated UTM Log in System > Admin > Settings.

• Web Filter: records web filtering activity, including URL rating errors and the web content blocking actions that the device performs. This option does not appear if you enable Show Consolidated UTM Log in System > Admin > Settings.

• Antivirus: records virus incidents in web, FTP, and email traffic. This option does not appear if you enable Show Consolidated UTM Log in System > Admin > Settings.

• Data Leak (DLP): provides information concerning files, such as email messages and web pages, that are archived on the FortiAnalyzer unit by the device. This option does not appear if you enable Show Consolidated UTM Log in System > Admin > Settings.

• Email Filter: records email filter actions on IMAPS, POP3S, and SMTPS email traffic. This option does not appear if you enable Show Consolidated UTM Log in System > Admin > Settings.

• Traffic log: records all traffic to and through the interfaces on a device.

• Vulnerability Scan Log: records the vulnerability scan activities on the device.

• VoIP: provides information on VoIP traffic on the device. By default, this option is not available. To make it appear, enable it in System > Admin > Settings.

• History: records all mail traffic going through the FortiMail unit. By default, this option is not available. To make it appear, enable it in System > Admin > Settings.

• IM: records instant message text, audio communications, and file transfers attempted by users. By default, this option is not available. To make it appear, enable it in System > Admin > Settings.

• Generic Syslog: provides syslog information for the device. By default, this option is not available. To make it appear, enable it in System > Admin > Settings.

• All Logs: shows all logs received by the FortiAnalyzer unit.

The columns that appear reflect the content found in the log file. You can select an item in a column to display more information.

Viewing Log Details

Log details can be viewed for any of the collected logs.

To view log details, select any log in the log list. A details window for the selected log opens. The details provided in the details window vary depending on the type of log selected.

Figure 129:Log details window

Customizing the log view

Log messages can be displayed in either Raw or Formatted view.

• Raw view displays log messages exactly as they appear in the log file.

• Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison. When displaying log messages in Formatted view, you can customize the log view by hiding, displaying and arranging columns and/or by filtering columns, refining your view to include only those log messages and fields that you want to see.

When you select Change Display Options for some log types, Resolve Host Name, Resolve Services, or both may appear in addition to Formatted and Raw.

Resolve Host Name: Select to display recognizable device names rather than IP addresses.

For more information about configuring IP address host names, see “Configuring IP aliases” on

page 135.

Resolve Services: Select to display the network service names rather than the port numbers,

such as HTTP rather than port 80.


To display logs in Raw or Formatted view, go to a page that displays log messages, such as Log

& Archive > Log Access > All Logs, and select Change Display Options > Raw/Formatted at the

bottom of the page. By default, log messages appear in Formatted view.

Figure 130:Change display options

If you select Formatted, options appear that enable you to display and arrange log columns

and/or filter log columns. For more information, see “Displaying and arranging log columns” and

“Filtering logs” on page 179.

Displaying and arranging log columns

When viewing logs in Formatted view, you can display, hide and re-order columns to display

only relevant categories of information in your preferred order.

For most columns, you can also filter data within the columns to include or exclude log

messages which contain your specified text in that column. For more information, see “Filtering

logs” on page 179.

To display or hide columns:

1. Go to a page which displays log messages, such as Log & Archive > Log Access > All Logs.

2. Select the Column Settings icon.

Lists of available and displayed columns for the log type appear.

Figure 131:Column display settings

3. Select which columns to hide or display.

• In the Available Fields area, select the names of individual columns you want to display,

then select the single right arrow to move them to the Display Fields area.

Alternatively, to display all columns, select the double right arrow.

• In the Display Fields area, select the names of individual columns you want to hide, then

select the single left arrow to move them to the Available Fields area.

Alternatively, to hide all columns, select the double left arrow.

• To return all columns to their default displayed/hidden status, select Default.

4. Select OK.


To change the order of the columns:

1. Go to a page which displays log messages, such as Log & Archive > Log Access > All Logs.

2. Select Column Settings.

Lists of available and displayed columns for the log type appear.

3. In the Display Fields area, select a column name whose order of appearance you want to

change.

4. Select the up or down arrow to move the column in the ordered list.

Placing a column name towards the top of the Display Fields list will move the column to the

left side of the Formatted log view.

5. Select OK.

Filtering logs

When viewing log messages in Formatted view, you can filter columns to display only those log

messages that do or do not contain your specified content in that column. By default, most

column headings contain a gray filter icon, which becomes green when a filter is configured and

enabled.

Filters do not appear when viewing logs in Raw view, or for unindexed log fields in Formatted

view. When you are viewing real-time logs, filtering by time is not supported; by definition of the

real-time aspect, only current logs are displayed.

Figure 132:Filter icons

To filter log messages by column contents:

1. In the heading of the column that you want to filter, select the Filter icon to open the log

filtering window.

Figure 133:Filters window

2. If you want to exclude log messages with matching content in this column, select NOT.

If you want to include log messages with matching content in this column, deselect NOT.

3. Enter the text that matching log messages must contain.

Matching log messages will be excluded or included in your view based upon whether you

have selected or deselected NOT.


4. Select OK.

A column’s Filter icon is green when the filter is currently enabled. You can select Download

Current View to download only log messages which meet the current filter criteria.

Filtering tips

When filtering by source or destination IP, you can use the following in the filtering criteria:

• a single address (2.2.2.2)

• an address range using a wild card (1.2.2.*)

• an address range (1.2.2.1-1.2.2.100)

You can also use the Boolean operator or to match any of several alternatives:

• 1.1.1.1 or 2.2.2.2

• 1.1.1.1 or 2.2.2.*

• 1.1.1.1 or 2.2.2.1-2.2.2.10

Most column filters require that you enter the column’s entire contents to successfully match

and filter contents; partial entries do not match the entire contents, and so will not create the

intended column filter.

For example, if the column contains a source or destination IP address (such as

192.168.2.5), to create a column filter, enter the entire IP address to be matched. If you enter

only one octet of the IP address, (such as 192) the filter will not completely match any of the full

IP addresses, and so the resulting filter would omit all logs, rather than including those logs

whose IP address contains that octet.

Exceptions to this rule include columns that contain multiple words or long strings of text, such

as messages or URLs. In those cases, you may be able to filter the column using a substring of

the text contained by the column, rather than the entire text contained by the column.

Searching the logs

When viewing device logs and archived files, you may find that some have a button called

Advanced Search. You can use the button to search the device’s log files for matching text

using two search types: Quick Search and Full Search. For more information, see “Viewing log

messages” on page 173 and “Viewing DLP archives” on page 183.

You can use Quick Search to find results more quickly if your search terms are relatively simple

and you only need to search indexed log fields. Indexed log fields are those that appear with a

filter icon when browsing the logs in column view; unindexed log fields do not contain a filter

icon for the column or do not appear in column view, but do appear in the raw log view. Quick

Search keywords cannot contain:

• special characters such as single or double quotes (' or ") or question marks (?)

• wild card characters (*), except as the last character of a keyword (logi*)

You can use Full Search if your search terms are more complex, and require the use of special

characters or log fields not supported by Quick Search. Full Search performs an exhaustive

search of all log fields, both indexed and unindexed, but is often slower than Quick Search.

You can stop any search before the search is complete by selecting the Stop Search button

next to the Search button.


Figure 134:Log search

Configure the following settings:

Device/Group: Select to search logs from the FortiAnalyzer unit (Local Logs), a device, or a device group.

Time Period: Select to search logs from a time frame, or select Specify and define a custom time frame by selecting the From and To dates and times.

From: Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specify.

To: Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specify.

Keyword(s): Enter the search terms that log messages must match to appear in the search results. To specify that results must include all, any, or none of the keywords, select the corresponding option in Match.

Search: Select to perform a full search. Keywords for a full search may contain special characters. Full Search examines all log message fields.

Stop Search: Select to stop the search before it is completed. This option is grayed out unless a search is in progress.

More Options: Select the expand arrow to hide or show additional search options.

Match: Select how keywords are used to match the log messages that make up the search results.

• All Words: Matching log messages must contain all search keywords. If a log message does not contain one or more keywords, it is not included in the search results.

• Any Words: Matching log messages must contain at least one of the search keywords. Any log message containing one or more keyword matches is included in the search results.

• Does Not Contain the Words: Matching log messages must not contain the search keywords. If a log message contains any of the search keywords, it is excluded from the search results.

Other Filters: Specify additional criteria, if any, to further restrict the search.

• Log Type: Select to include only log messages of the specified type. For example, selecting Traffic causes search results to include only log messages containing type=traffic.

• Log Level: Select to include only log messages of the specified severity level. For example, selecting Notice causes search results to include only log messages containing pri=notice.

• Src IP: Enter an IP address to include only log messages containing a matching source IP address. For example, entering 192.168.2.1 causes search results to include only log messages containing src=192.168.2.1 and/or content log messages containing a client IP address of 192.168.2.1.

• Dst IP: Enter an IP address to include only log messages containing a matching destination IP address. For example, entering 192.168.2.1 causes search results to include only log messages containing dst=192.168.2.1 and/or content log messages containing a server IP address of 192.168.2.1.

• User Name: Enter a user name to include only log messages containing a matching authenticated firewall user name. For example, entering userA causes search results to include only log messages containing user="userA".

• Group Name: Enter a group name to include only log messages containing a matching authenticated firewall group name. For example, entering groupA causes search results to include only log messages containing group="groupA".

Search tips

If your search does not return the results you expect, but log messages exist that should contain matching text, examine your keywords and filter criteria using the following search characteristics and recommendations.

• Separate multiple keywords with a space (type=webfilter subtype=activexfilter).

• Keywords cannot contain unsupported special characters. The supported characters vary depending on whether you select Quick Search or Full Search.

• Keywords must literally match the log message text, apart from case insensitivity and wild cards; resolved host names and IP aliases do not match.

• Some keywords will not match unless you include both the log field name and its value (type=webfilter).

• Remove unnecessary keywords and search filters, which can exclude results. In More Options, if All Words is selected, all keywords must match for a log message to be included in the search results; if any of your keywords does not exist in the message, the match fails and the message does not appear. If you cannot remove some keywords, select Any Words.

• You can use the asterisk (*) character as a wild card (192.168.2.*). For example, you can enter a partial term or IP address followed by * to match all terms that begin with the same characters or numbers.

• If you have disabled the SQL database for log storage in System > Config > SQL Database, you can search for IP ranges, including subnets. For example:

  • 172.16.1.1/24 or 172.16.1.1/255.255.255.0 matches all IP addresses in the subnet 172.16.1.0/24

  • 172.16.1.1-140.255 matches all IP addresses from 172.16.1.1 to 172.16.140.255

• If you have disabled the SQL database for log storage in System > Config > SQL Database, you can search for URLs in multiple ways, using part or all of the URL. SQL-based search does not support matching part of a URL; use a wild card pattern such as "*/part1/*/part2*/*" instead. Searching for the full URL may not return enough results if the URL contains random substrings, such as session IDs. If your search keywords do not return enough results, try one of the following:

  • using Full Search

  • shortening your keyword to the smallest necessary substring of the URL

  • shortening your keyword to a substring of the URL delimited by slash (/) characters

• The search returns results that match all, any, or none of the search terms, according to the option you select in Match. For example, if you enter into Keyword(s):

srcaddr=192.168.* action=login

and from Match you select All Words, log messages for attacks on 192.168.* by W32/Stration.DU@mm do not appear in the search results. Although the first keyword (the IP address) appears in those attack log messages, the second keyword (action=login) does not, and so the match fails. If the match fails, the log message is not included in the search results.
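To make the rules above concrete, the following Python models both the column filters from "Filtering tips" and the keyword search from these search tips over constructed FortiGate-style log lines. It is an added example, not FortiAnalyzer code: the column names come from this page, but treating msg, url and attack_name as free-text columns, and treating an unparseable IP filter term (such as a lone octet) as matching nothing, are assumptions. The IP term syntax (single address, wild card, range with an abbreviated upper bound, subnet, and or) and the three Match modes are the ones described on this page; the All Words example at the end uses the src= field from this page's own examples rather than srcaddr=.

```python
"""Column filters and keyword search over raw FortiGate log lines.

Added example, not FortiAnalyzer code. Log lines are constructed. Rules
modelled from the guide: most column filters need the entire column value,
free-text columns accept a substring, IP filters accept a single address, a
wild card, a range (upper bound may be abbreviated), a subnet, and "or";
keyword search is case-insensitive, treats * as a wild card, and combines
keywords with All Words / Any Words / Does Not Contain the Words.
"""
import ipaddress
import re
import shlex

SAMPLE_LOGS = [
    'date=2013-04-12 time=09:00:01 device_id=FG600B3909601460 type=traffic subtype=forward pri=notice src=192.168.2.5 dst=10.0.0.7 action=accept msg="traffic allowed"',
    'date=2013-04-12 time=09:00:02 device_id=FG600B3909601460 type=webfilter subtype=activexfilter pri=warning src=192.168.2.20 dst=203.0.113.9 action=blocked msg="URL belongs to a denied category"',
    'date=2013-04-12 time=09:00:03 device_id=FG600B3909601460 type=ips subtype=signature pri=alert src=192.168.3.4 dst=192.168.2.5 attack_name="W32/Stration.DU@mm" action=dropped',
    'date=2013-04-12 time=09:00:04 device_id=FG600B3909601460 type=event subtype=admin pri=information user="userA" src=172.16.0.9 action=login status=success',
    'date=2013-04-12 time=09:00:05 device_id=FG600B3909601460 type=event subtype=admin pri=information user="userB" src=192.168.2.50 action=login status=failed',
    'date=2013-04-12 time=09:00:06 device_id=FG600B3909601460 type=traffic subtype=forward pri=notice src=10.1.1.1 dst=203.0.113.77 action=deny msg="policy violation"',
]

FREE_TEXT_COLUMNS = {"msg", "url", "attack_name"}  # assumption: substring filters allowed here
IP_COLUMNS = {"src", "dst"}


def parse_raw_log(line):
    """Split a raw key=value log line into a dict (quoted values keep their spaces)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def ip_term_matches(term, value):
    """One IP filter term: exact address, subnet (CIDR or netmask), wild card, or range.
    A range's upper bound may be abbreviated: 172.16.1.1-140.255 ends at 172.16.140.255."""
    term = term.strip()
    try:
        addr = ipaddress.IPv4Address(value)
        if "/" in term:
            return addr in ipaddress.ip_network(term, strict=False)
        if "-" in term:
            low, high = term.split("-", 1)
            high_parts = high.split(".")
            high = ".".join(low.split(".")[: 4 - len(high_parts)] + high_parts)
            return ipaddress.IPv4Address(low) <= addr <= ipaddress.IPv4Address(high)
        if "*" in term:
            pattern = re.escape(term).replace(r"\*", r"\d{1,3}")  # * stands for one octet
            return re.fullmatch(pattern, value) is not None
        return addr == ipaddress.IPv4Address(term)
    except ValueError:
        return False  # a partial address such as "192" is not a valid term and matches nothing


def column_filter_matches(column, expression, fields, negate=False):
    """A column filter as the GUI applies it; negate models the NOT check box."""
    value = fields.get(column)
    if value is None:
        hit = False
    elif column in IP_COLUMNS:
        hit = any(ip_term_matches(t, value) for t in expression.split(" or "))
    elif column in FREE_TEXT_COLUMNS:
        hit = expression.lower() in value.lower()
    else:
        hit = value == expression  # entire contents required; partial entries do not match
    return hit != negate


def filter_logs(lines, column, expression, negate=False):
    """Return the raw lines that pass a single column filter."""
    return [line for line in lines
            if column_filter_matches(column, expression, parse_raw_log(line), negate)]


def keyword_matches(keyword, raw_line):
    """Case-insensitive literal match against the raw text; each * matches any run of characters."""
    pattern = ".*".join(re.escape(part) for part in keyword.split("*"))
    return re.search(pattern, raw_line, re.IGNORECASE) is not None


def search_logs(lines, keywords, match="all"):
    """match: 'all' (All Words), 'any' (Any Words) or 'none' (Does Not Contain the Words)."""
    combine = {"all": all, "any": any, "none": lambda hits: not any(hits)}[match]
    return [line for line in lines if combine([keyword_matches(k, line) for k in keywords])]


if __name__ == "__main__":
    print(len(filter_logs(SAMPLE_LOGS, "src", "192")), "lines for a one-octet filter (none match)")
    print(len(filter_logs(SAMPLE_LOGS, "src", "192.168.2.1-192.168.2.20 or 10.1.1.1")), "lines for a range/or filter")
    for mode in ("all", "any", "none"):
        hits = search_logs(SAMPLE_LOGS, ["src=192.168.*", "action=login"], mode)
        print(f"{mode:>4}: {len(hits)} lines")
```

With All Words only the failed-login line from 192.168.2.50 is returned, because the IPS line carries the address but not action=login, exactly the failure mode the W32/Stration.DU@mm example describes; switching to Any Words brings the IPS line back.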

Viewing DLP archives

DLP archiving provides a method of simultaneously logging and archiving copies of content

transmitted over your network, such as email messages and web pages.

FortiGate units can log metadata for common user content-oriented protocols. DLP logs

include information such as the senders, recipients, and the content of email messages and

files. If full DLP archiving is enabled, FortiGate units can also archive a copy of the associated

file or message with the DLP log message. Both FortiGate DLP archive logs and their

associated copies of files or messages can be stored and viewed remotely on a FortiAnalyzer

unit, leveraging its large storage capacity for large media files that can be common with

multimedia content. When DLP archives are received by the FortiAnalyzer unit, you can use

data filtering similar to other log files to track and locate specific email or instant messages, or

to examine the contents of archived files.

For more information about how to configure the FortiGate unit to send DLP archives to the

FortiAnalyzer unit, see the FortiOS v4.0 MR3 Administration Guide.

You can view DLP archives of these types:

• IPS Packet

• Quarantine

• Web

• Email

• FTP

• IM

• VoIP Log

• MMS (By default, this option is not available. To make it appear, you need to enable it in

System > Admin > Settings.)


You can view full and/or summary DLP archives. Summary DLP archives are those which

contain only a log message consisting of summary metadata. Full DLP archives are those which

contain both the summary and a hyperlink to the associated archived file or message. For

example, if the FortiAnalyzer unit has a full DLP archive for an email message, the subject log

field of email DLP archives contains a link that enables you to view that email message. If the

FortiAnalyzer unit has only a DLP archive summary, the subject field does not contain a link.

Whether a DLP archive is full or summary depends on:

• whether the device is configured to send full DLP archives

• whether the content satisfies DLP archiving requirements

• whether the FortiAnalyzer unit has the file or message associated with the summary log

message (that is, full DLP archives do not appear if you have deleted the associated file or

message)

For more information about requirements and configuration of DLP archiving, see the FortiOS

v4.0 MR3 Administration Guide.

To view DLP archives, go to Log & Archive > Archive Access. Select a DLP archive type. Each

type has similar controls.

Figure 135:DLP log archive window

The columns that appear reflect the content found in the archive file. You can select an item in a

column to display more information.


This page displays the following information:

Show To view the archives from a single FortiGate unit, select the

FortiGate unit from the list. Select All FortiGates to view a combined

list of archives from all the configured FortiGate units.

Timeframe Select a time frame to display only the archived files from the

specified period. Select Any time to display all the archived files.

Column Settings Select to change the columns to view and the order they appear on

the page. For more information, see “Displaying and arranging log

columns” on page 178.

Note: This option is not available for the Quarantine type.

Printable Version Select to download an HTML file containing all DLP archive

summaries that match the current filters. The HTML file is formatted

to be printable.

Time required to generate and download large reports varies by the

total number of log messages, the complexity of any search criteria,

the specificity of your column filters, and the speed of your network

connection.

Note: This option is not available for the Quarantine type.

Download Current View Select to download a copy of the archived file with the current filters

applied. For example, if you have a filter applied to display only the

entries with a particular URL, selecting Download Current View will

allow you to download a log file with only the entries related to the

URL configured in the filter.

Note: This option is not available for the Quarantine type.

Delete associated DLP archive files

Select to delete the links of all DLP archive files to the currently

selected device, not the file records.

Note: This option is not available for IPS Packet, Quarantine, and

VoIP archive.

Search If you choose to use the proprietary indexed file storage system by

selecting Disabled under System > Config > SQL Database, enter a

keyword to perform a simple search on the available log

information, then press Enter to begin the search.

If you choose to use SQL database by enabling Local Database or

Remote Database under System > Config > SQL Database, you

need to enter <field_name>=value, such as device_id=FG600B3909601460 to perform a simple search on

the available log information, then press the Enter key to begin the

search. Log field names and values can be found in logs of raw

format (see “Change Display Options” on page 186), such as

device_id=FG600B3909601460, log_id=32776, or pri=information.

Note: This option is not available for the Quarantine type.

View n per page Select the number of log entries to display per page.

Current Page Enter a page number, then press Enter to go to the page.

Change Display Options Select a view of the archive file. This option is not available for the Quarantine type.

Resolve Host Name: Select to view the IP alias instead of the client’s IP address. You must configure the IP aliases on the FortiAnalyzer unit for this setting to take effect. For more information, see “Configuring IP aliases” on page 135. This option is not available for the Email type.

Resolve Service: Select to display the network service names rather than the port numbers, such as HTTP rather than port 80. This option is only available for the IPS Packet type.

Formatted (the default): Select to display the log files in columnar format.

Raw: Select to display the log information as it actually appears in the log file.

DLP Archives allow you to both view logged details and to download the archived files. If you want to display only the DLP archive log file, instead go to Log & Archive > Log Browse > Log Browse and select the device’s dlog.log file. For more information, see “Browsing log files” on page 189.

Viewing quarantined files

FortiAnalyzer units can act as a central repository for files that are suspicious or known to be infected by a virus, and have therefore been quarantined by your FortiGate units. This section describes how to view quarantined files.

If a secure connection has been established between the FortiGate and FortiAnalyzer units, quarantined files travel over the same IPsec tunnel that the FortiGate unit uses when sending log files.

Sending quarantine files to a FortiAnalyzer unit is available only on FortiGate units running FortiOS v4.0 or later.

FortiAnalyzer units do not accept quarantine files from devices that are not registered in the FortiAnalyzer unit’s device list. For more information about adding devices, see “Manually configuring a device or HA cluster” on page 160.

For more information about configuring the FortiGate unit to send quarantined files to the FortiAnalyzer unit, see the FortiGate v4.0 MR3 Administration Guide.

To view the quarantine summary, go to Log & Archive > Archive Access > Quarantine.

Figure 136:Quarantine summary

This page displays the following information:

Delete Select to remove the selected quarantined file summary of this device and all quarantined files under it from the hard disk.

Details Select to view the quarantined files for this device. For more information, see “To view the details of a quarantined file:” on page 187.

Show Select a device from the list of available devices to display the list of quarantined files for a specific device.

Timeframe Select a span of time when quarantined files were sent to the FortiAnalyzer unit.

From Device The FortiGate unit from which the file originated. Select the expand arrow next to a FortiGate unit to view the files sent from that unit.

Type The type of quarantined file. For example, an infected file is quarantined because a virus is detected. A blocked file is quarantined because the file matches a defined file pattern. The Reason field offers additional detail.

Reason The reason a file is quarantined. This elaborates on the information in the Type field. For example, if the Type is listed as Infected, the virus name appears in the Reason field.

First Detection Time The date and time the FortiGate unit quarantined the first instance of this file, in the format yyyy/mm/dd hh:mm:ss.

Last Detection Time The date and time the FortiGate unit quarantined the last instance of this file, in the format yyyy/mm/dd hh:mm:ss, if multiple copies of this file are quarantined.

Unique The number of quarantined files from this device.

Count The number of duplicates of the same file that are quarantined. A rapidly increasing number can indicate a virus outbreak.

To view the details of a quarantined file:

1. Go to Log & Archive > Archive Access > Quarantine.

2. Select a file and select Details.


Figure 137:Quarantine window

This page displays the following information:

Delete Select to remove files whose check boxes are selected.

• To delete one or more files, select the check box next to their file

name, then select Delete.

• To delete all files, select the column heading check box. All files’

check boxes are selected, and then select Delete.

Download Select to save the file to another location when it is deemed safe for

the recipient to collect. You can enter a password to protect the file.

Caution: Quarantined files are suspected or known to contain a

virus or other network threat. Inspecting quarantine files involves a

significant security risk. Use caution when downloading quarantined

files.

Details Select to view the log for this quarantined file. For information on

viewing logs, see “Viewing log messages” on page 173.

Analyze Select to analyze a .sis file using the SIS Analyzer.

This option is only available if there is a quarantined .sis file.

Refresh Select to update the current page.

From Device The FortiGate unit from which the file originated.

File Name The processed file name of the quarantined file.

First Detection Time The date and time the FortiGate unit quarantined the first instance of

this file, in the format yyyy/mm/dd hh:mm:ss.

Last Detection Time The date and time the FortiGate unit quarantined the last instance of

this file, in the format yyyy/mm/dd hh:mm:ss, if multiple copies of

this file are quarantined.

Service The service by which the quarantined file was attempting to be

transmitted, such as SMTP.

Checksum A 32-bit checksum the FortiGate unit created from the file.

Type The type of quarantined file. For example, an infected file is

quarantined because a virus is detected. A blocked file is

quarantined because the file matches a defined file pattern. The

Reason field offers additional detail.

Reason The reason a file is quarantined. This elaborates on the information

in the Type field. For example, if the Type is listed as Infected, the

virus name appears in the Reason field.

DC Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.

View n per page Select the number of quarantine files to display per page.

Current Page By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 2/10 appears, you are currently viewing page 2 of 10 pages.

To view pages, select the left and right arrows to display the first, previous, next, or last page.

To view a specific page, enter the page number in the field and then press Enter.

Browsing log files

Log & Archive > Log Browse > Log Browse displays log files stored for both devices and the FortiAnalyzer itself.

By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

When a log file reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log, where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received.

For information about setting the maximum file size and log rolling options, see “Configuring rolling and uploading of devices’ logs” on page 193.

If you display the log messages in Formatted view, you can display and arrange columns and/or filter log messages by column contents. For more information, see “Customizing the log view” on page 177.

For more information about log messages, see the FortiGate v4.0 MR3 Log Message Reference and “Viewing log messages” on page 173.

Figure 138:Log file list

The page displays the following settings:

Delete Mark the check box of the file whose log messages you want to delete, then select this button.

Display Mark the check box of the file whose log messages you want to view, then select this button. For more information, see “Viewing log messages” on page 173.

Import Select to import log files. You can only import log files in native format. For more information about importing log files, see “Importing a log file” on page 190.

Download Mark the check box of the log file that you want to download, select this button, then select a format for saving the log files: text (.txt), comma-separated value (.csv), or standard .log (native). You can also select to compress the log files before saving them. For more information, see “Downloading a log file” on page 191.

Device Type Select the type of devices whose logs you want to view.

Show Log File Names Enable to display the file names of log files in the Log Files column when their log type is expanded.

Log Files A list of available log files for each device or device group. Select the group name to expand the list of devices within the group, and to view their log files. The current, or active, log file appears as well as rolled log files. Rolled log files include a number in the file name, such as vlog.1267852112.log. If you configure the FortiAnalyzer unit to delete the original log files after uploading rolled logs to an FTP server, only the current log will exist.

# The number of devices in a group, and the number of log files for a device.

From The start time when the log file was generated.

To The end time when the log file was generated.

Size (bytes) The size of the log file.

Importing a log file

You can import devices’ log files. This can be useful when restoring data or loading log data for temporary use.

For example, if you have older log files from a device, you can import these logs to the FortiAnalyzer unit so that you can generate reports containing older data. Importing log files is also useful when changing your RAID configuration. Changing your RAID configuration reformats the hard disk, erasing log files. If you back up the log files before changing the RAID configuration, you can import them afterwards to restore them to the FortiAnalyzer unit.

You can only import log files in native format.

To import a log file:

1. Go to Log & Archive > Log Browse > Log Browse.

2. Select the Device Type.


3. Expand the group name or device name to view the list of available log files under each log

type.

4. Select a log file in native format and then select Import.

Figure 139:Import log file window

5. In Device, select the device in the device list to which the imported log file belongs, or select Take From Imported File to read the device ID from the log file.

If you select Take From Imported File, your log file must contain a device_id field in its log messages.

6. In Filename, enter the path and file name of the log file, or select Browse.

7. Select OK.

A message appears, stating that the upload is beginning, but will be cancelled if you leave

the page.

8. Select OK.

Upload time varies by the size of the file and the speed of the connection.

After the log file successfully uploads, the FortiAnalyzer unit inspects the log file.

• If the device_id field in the uploaded log file does not match the device, the import will

fail. Select Return to attempt another import.

• If you selected Take From Imported File, and the FortiAnalyzer unit’s device list does not

currently contain that device, a message appears after the upload. Select OK to import

the log file and automatically add the device to the device list, or select Cancel.
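The search syntax used when the SQL database is enabled (<field_name>=value, for example device_id=FG600B3909601460, described under Search on the Archive Access page) and the device_id check the unit performs on an imported file both come down to reading the raw key=value log format. The following Python is an added example, not code from the FortiAnalyzer guide or from Fortinet: it parses raw lines, applies a field=value search, and runs the same device_id consistency check locally before you upload a file, so a mismatch is caught before the upload rather than after it. The log lines are constructed; apart from device_id, log_id and pri, which the guide shows, the field names are assumptions.

```python
"""Filter raw FortiGate log lines by field=value and check device_id before import.

Added example, not part of the FortiAnalyzer guide. The sample log lines are
constructed; apart from device_id, log_id and pri, which the guide shows, the
field names are assumptions chosen to look like a realistic traffic log.
"""
import re
from collections import Counter

# A raw log line is a sequence of key=value pairs; values may be double-quoted
# and a quoted value may contain spaces.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: three lines from one unit and one stray line from another.
SAMPLE_LOG = """\
date=2013-04-12 time=10:15:01 device_id=FG600B3909601460 log_id=32776 type=traffic pri=information src=10.1.1.20 dst=203.0.113.5 msg="accepted"
date=2013-04-12 time=10:15:02 device_id=FG600B3909601460 log_id=32777 type=traffic pri=warning src=10.1.1.21 dst=198.51.100.9 msg="denied by policy"
date=2013-04-12 time=10:15:03 device_id=FG3K6A3406600001 log_id=32776 type=traffic pri=information src=10.2.2.2 dst=203.0.113.5 msg="accepted"
date=2013-04-12 time=10:15:04 device_id=FG600B3909601460 log_id=32776 type=traffic pri=information src=10.1.1.22 dst=203.0.113.5 msg="accepted"
"""


def parse_line(line):
    """Return the fields of one raw log line as a dict, with quotes stripped."""
    fields = {}
    for key, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def parse_query(query):
    """Parse the SQL-mode search syntax <field_name>=value into (field, value)."""
    m = re.fullmatch(r"\s*(\w+)\s*=\s*(\S+)\s*", query)
    if not m:
        raise ValueError("expected <field_name>=value, got %r" % query)
    return m.group(1), m.group(2)


def search(raw_text, query):
    """Return the parsed lines whose field equals the value given in the query."""
    field, value = parse_query(query)
    hits = []
    for line in raw_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields.get(field) == value:
            hits.append(fields)
    return hits


def check_import(raw_text, selected_device=None):
    """Apply the guide's import rules before uploading: every line needs a
    device_id, the ids must agree, and they must match the device selected in
    the Import dialog (None means Take From Imported File).
    Returns (ok, Counter of device ids, list of problems)."""
    ids = Counter()
    problems = []
    for n, line in enumerate(raw_text.splitlines(), 1):
        if not line.strip():
            continue
        dev = parse_line(line).get("device_id")
        if dev is None:
            problems.append("line %d: no device_id field" % n)
        else:
            ids[dev] += 1
    if len(ids) > 1:
        problems.append("mixed device_id values: " + repr(dict(ids)))
    if selected_device is not None and set(ids) - {selected_device}:
        problems.append("device_id does not match selected device " + selected_device)
    return (not problems, ids, problems)


if __name__ == "__main__":
    for hit in search(SAMPLE_LOG, "pri=warning"):
        print(hit["device_id"], hit["log_id"], hit["msg"])
    ok, ids, problems = check_import(SAMPLE_LOG, "FG600B3909601460")
    print("import ok:", ok, dict(ids), problems)
```

Run against the constructed sample, the check fails twice: the file mixes two device_id values, and one of them is not the device chosen in the dialog. Dropping the stray line, or choosing Take From Imported File on a file that carries a single device_id, makes it pass.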

Downloading a log file

You can download a log file to save it as a backup or for use outside the FortiAnalyzer unit. The

download consists of either the entire log file, or a partial log file, as selected by your current log

view filter settings.

To download a whole log file:

1. Go to Log & Archive > Log Browse > Log Browse.

2. Select the Device Type.

3. Expand the group name or device name to view the list of available log files under each log

type.

4. Select the specific log file (wlog.log, elog.log, etc.) that you want to download.

5. Select Download.

Figure 140:Download log file window

6. Select from the following download options:

Log File Format Downloads the log in text (.txt), comma-separated value (.csv), or standard .log (native) format. In the CSV format each log element is separated by a comma; CSV files can be viewed in spreadsheet applications.

Compress with gzip Compress the .txt, .log, or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.

7. Select OK.

8. If prompted by your web browser, select a location to save the file, or open it without saving.

To download a partial log file:

1. Go to Log & Archive > Log Browse > Log Browse.

2. Select the Device Type.

3. Expand the group name or device name to view the list of available log files under each log type.

4. Select the specific log file (wlog.log, elog.log, etc.) that you want to download.

5. Select Display.

6. Select a filter icon to restrict the current view to only items which match your criteria, then select OK.

Filtered columns have a green filter icon, and Download Current View appears next to Printable Version. For more information about filtering log views, see “Filtering logs” on page 179.

7. Select Download Current View. The Download Log File window opens.

8. Select from the download options (Log File Format and Compress with gzip), which are the same as those described above for a whole log file.

9. Select OK.

10. If prompted by your web browser, select a location to save the file, or open it without saving.


Backing up logs and archived files

To back up both logs and associated DLP archive files, enter the CLI command execute backup logs. To back up logs only, enter execute backup logs-only. For more

information, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.

Configuring rolling and uploading of devices’ logs

You can control devices’ log file size and consumption of the FortiAnalyzer disk space by

configuring log rolling and/or scheduled uploads to a server.

As the FortiAnalyzer unit receives new log items, it performs the following tasks:

• verifies whether the log file has exceeded its file size limit

• checks to see if it is time to roll the log file if the file size is not exceeded.

Configure the time to be either a daily or weekly occurrence, and when the roll occurs.

When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received.

The file modification time will match the time when the last log was received in the log file.

Once the current log file is rolled into a numbered log file, it will not be changed. New logs will

be stored in the new current log called tlog.log.

If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the

Web-based Manager, they are in the following format:

FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz
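Both name forms above can be decoded offline, which is useful when auditing what a log upload server holds for each unit. The following Python is an added example, not code from the guide or from Fortinet. It parses the rolled name (N is treated as a Unix epoch time, which the guide's description of N and the example above are consistent with: 1252929496 is 2009-09-14 11:58:16 UTC, a little before the 14:00:14 upload stamp), the uploaded name (device serial, rolled name, upload timestamp, optional .gz when compression is enabled), and groups a directory listing by device and log type. The letter-to-log-type table is an assumption; the guide only says the letter indicates the log type.

```python
"""Decode rolled and uploaded FortiAnalyzer device log file names.

Added example, not code from the FortiAnalyzer guide. It covers the two forms
the guide shows: rolled files such as tlog.1252929496.log and uploaded files
such as FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz. N is
treated as a Unix epoch time; the letter-to-type table is an assumption.
"""
import re
from datetime import datetime, timezone

# Assumed mapping of the log-type letter; the guide only says the letter
# indicates the log type, and names dlog.log as the DLP archive log.
LOG_TYPES = {"t": "traffic", "e": "event", "w": "webfilter", "v": "virus", "d": "dlp"}

# tlog.log (active) or tlog.1252929496.log (rolled)
_ROLLED_RE = re.compile(r"^(?P<letter>[a-z])log(?:\.(?P<epoch>\d+))?\.log$")

# <serial>-<rolled name>-YYYY-MM-DD-hh-mm-ss[.gz]
_UPLOAD_RE = re.compile(
    r"^(?P<serial>[A-Z0-9]+)-(?P<rolled>[a-z]log\.\d+\.log)"
    r"-(?P<stamp>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})(?P<gz>\.gz)?$"
)


def parse_rolled_name(name):
    """Return (log_type, first_entry_utc); the active file has no time, so None."""
    m = _ROLLED_RE.match(name)
    if not m:
        raise ValueError("not a FortiAnalyzer device log file name: %r" % name)
    letter = m.group("letter")
    log_type = LOG_TYPES.get(letter, "unknown(%s)" % letter)
    epoch = m.group("epoch")
    first = datetime.fromtimestamp(int(epoch), tz=timezone.utc) if epoch else None
    return log_type, first


def parse_upload_name(name):
    """Return a dict describing an uploaded (or downloaded) log file name."""
    m = _UPLOAD_RE.match(name)
    if not m:
        raise ValueError("not an uploaded FortiAnalyzer log file name: %r" % name)
    log_type, first = parse_rolled_name(m.group("rolled"))
    # The guide does not say which time zone the upload stamp is in; keep it naive.
    uploaded = datetime.strptime(m.group("stamp"), "%Y-%m-%d-%H-%M-%S")
    return {
        "serial": m.group("serial"),
        "log_type": log_type,
        "rolled_name": m.group("rolled"),
        "first_entry_utc": first,
        "uploaded_at": uploaded,
        "compressed": m.group("gz") is not None,
    }


def inventory(names):
    """Group uploaded file names by (serial, log type), oldest first, so a
    retention review of the upload server can be done from a directory listing."""
    groups = {}
    for name in names:
        info = parse_upload_name(name)
        groups.setdefault((info["serial"], info["log_type"]), []).append(info)
    for infos in groups.values():
        infos.sort(key=lambda i: i["first_entry_utc"])
    return groups


if __name__ == "__main__":
    # Constructed listing: the guide's example plus an earlier day for the same unit.
    listing = [
        "FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz",
        "FG3K6A3406600001-tlog.1252843096.log-2009-09-13-14-00-10.gz",
    ]
    for key, infos in inventory(listing).items():
        print(key, [i["first_entry_utc"].isoformat() for i in infos])
```

Because N is the time of the first entry and the file modification time is the time of the last entry, a gap between one file's upload stamp and the next file's first-entry time is expected; a gap between consecutive first-entry times that is much longer than the roll interval is what to look for when checking that every rolled file actually reached the server.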

If you have enabled log uploading, you can choose to automatically delete the rolled log file

after uploading, thereby freeing the amount of disk space used by rolled log files. If the log

upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next

scheduled upload.

To enable and configure log rolling or uploading, go to Log & Archive > Options > Log File

Options.

You can also configure rolling and uploading settings for the FortiAnalyzer unit’s own log files.

For details, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.


Figure 141:Device log settings

Configure the following settings:

Log file should not exceed

Enter the maximum size of each device log file.

Log file should be rolled

Set the time of day when the FortiAnalyzer unit renames the current

log file and starts a new active log file.

• Optional: Roll log files only when the log file reaches the maximum

file size, regardless of time interval.

• Daily: Roll log files daily, even if the log file has not yet reached

maximum file size.

• Weekly: Roll log files weekly, even if the log file has not yet reached

maximum file size.

Enable log uploading Select to upload log files to a server when a log file rolls.

Server type Select the protocol to use when uploading to a server:

• File Transfer Protocol (FTP)

• Secure File Transfer Protocol (SFTP)

• Secure Copy Protocol (SCP)

FTP sends the user name, password, and the log contents in cleartext; prefer SFTP or SCP unless the path to the upload server is otherwise protected.

Server IP address Enter the IP address of the log upload server.

Username Enter the user name required to connect to the upload server.

Password Enter the password required to connect to the upload server.

Confirm Password Re-enter the password to verify correct entry.

Directory Enter a location on the upload server where the log file should be

saved.

Upload Files Select when the FortiAnalyzer unit should upload files to the server.

• When rolled: Uploads logs whenever the log file is rolled, based on Log file should be rolled.

• Daily at: Uploads logs at the configured time, regardless of when or at what size the file rolls according to Log file should be rolled.

Uploaded log format Select a format for uploading the log files. The format is text (.txt), comma-separated value (.csv), or standard .log (Native).

Compress uploaded log files Select to compress the log files before uploading to the server.

Delete files after uploading Select to remove the log file from the FortiAnalyzer hard disk after the FortiAnalyzer unit completes the upload. Once deleted, the copy on the upload server is the only one, so confirm the server’s retention and backup arrangements before enabling this.

Using eDiscovery

eDiscovery allows you to search through the bulk of stored email from the FortiGate units, extract and download the search results, and share them with a third party if required in situations such as a lawsuit or regulatory violation action.

To prove that shared data is an exact copy of the original, the FortiAnalyzer unit produces local logs indicating when each search was executed, when the search results were downloaded, and when they were deleted. In addition, the FortiAnalyzer unit generates SHA1 and MD5 digests for every search result. When a search result is downloaded to an external device, the SHA1 or MD5 digest calculated on the downloaded file must match the same digest generated by the FortiAnalyzer unit in order to prove that the search result has not been tampered with since leaving the FortiAnalyzer unit.

Log & Archive > eDiscovery > Folders displays the list of eDiscovery folders containing search results.

Figure 142:eDiscovery folders list page

This page displays the following information:

Download Select to save the selected folder and the contained search results. The saved information can be shared with a third party.

Run Now Select to refresh the search tasks in a selected folder. This will update the email lists in the search tasks.

Clone Select to duplicate a folder to use as a basis for creating a new one.

Folder Name The names of the eDiscovery folders that you create. For more information, see “To create eDiscovery folders:” on page 197. Select the arrow beside a folder name to display the task names of the search results saved in the folder. For more information, see “Task Name” on page 198. Select a task name to view the email list. See “To view a search task:” on page 199.

Creation Date The date and time when the folder and search tasks were created.

Search Results Each eDiscovery folder displays the number of search results contained in it. Each search task displays the number of email extracted based on the search criteria. See “To search email:” on page 197.

Size (bytes) The size of the folders and search tasks. This column also displays the status of search results:

• Completed: Search is completed and results are available for viewing.

• Incomplete: Search was interrupted by a system shutdown.

• Running: Search is in progress.

• Pending: Search is queued and will run once other searches are completed.

• Quota Exceeded: Search was stopped because the disk quota has been exceeded.

To use eDiscovery, follow the general steps below:

• Set the disk quota for eDiscovery results out of the current disk space reserved for the system (that is, space not allocated to the devices), since the search results may take a considerable amount of disk space. See “To set the eDiscovery disk quota:” on page 197.

• Create folders to store search results. Typically, you store search results that are part of a single investigation under one folder. See “To create eDiscovery folders:” on page 197.

• Search email based on the search criteria and save the results to a folder where you will view, download, delete, or clone the results. See “To search email:” on page 197.


To set the eDiscovery disk quota:

1. Go to Log & Archive > eDiscovery > Config.

Figure 143:eDiscovery Config

2. Enter the maximum size of disk space for storing eDiscovery search results.

The used and available disk spaces also display. The size of the reserved space for

eDiscovery varies by the total disk space. You cannot adjust the disk quota below the size of

the existing eDiscovery results. eDiscovery results will not be saved if they exceed the disk

quota.

3. Select Apply.

To create eDiscovery folders:

1. Go to Log & Archive > eDiscovery > Folders.

2. Select Create New.

Figure 144:New eDiscovery folder window

3. Enter a folder name.

4. Select OK.

To search email:

1. Go to Log & Archive > eDiscovery > Search.

Figure 145:eDiscovery search window

2. Complete the following search criteria:

Device Select the FortiGate unit whose archived email you want to search.

Timeframe Select the time period for the email that you want to search. If you select Specify, enter the start and end time.

From Enter the sender’s email address that you want to search. This can be a full or partial email address.

To Enter all or part of the recipient’s email address. For multiple recipients, enter any one of the recipients, or enter multiple recipient addresses in the order that they appear in the email address field, separated by a comma (,) and a space, such as:

[email protected], [email protected]

Subject Enter all or part of the subject line of the email message.

Message Contains Enter all or part of a word or phrase in the email message.

Save to Folder If you want to save the search results, select a folder. If you do not want to save the search results, select Don’t Save. If you want to create a new folder for the search results, select Create New, enter a folder name and select OK.

Task Name Enter a unique name for this search task. Such a name will help you identify a particular search result in a folder. For more information, see “Folder Name” on page 196. This field appears only if you selected a folder in the Save to Folder field.

Description Enter a note to describe the task name. For more information, see “Description” on page 199. This field appears only if you selected a folder in the Save to Folder field.

3. Do one of the following:

• If you selected Don’t Save in the Save to Folder field, select Search. The search results appear.

• If you selected a folder in the Save to Folder field, select Search & Save. The search results are saved to the selected folder.


To view a search task:

1. Go to Log & Archive > eDiscovery > Folders.

2. Select the arrow beside a folder that contains the task you want to view.

3. Select the task name you want to view.

The task’s email list displays. Selecting an item displays its detailed information.

Figure 146:View eDiscovery search window

The following information is displayed:

Task name The name of this search task. For more information, see “Task Name” on

page 198.

Description The note for this task. For more information, see “Description” on page 198.

Device The serial number(s) of the FortiGate unit(s) of which you have searched the

archived email. For more information, see “Device” on page 198.

Timeframe The date and time when the search task was created.

SHA1 The SHA1 digest for this search task.

When a search result is downloaded to an external device, the SHA1 digest

calculated on the downloaded file must match this digest in order to prove

that the search result was not tampered with since leaving the FortiAnalyzer

unit.

MD5 The MD5 digest for this search task.

When a search result is downloaded to an external device, the MD5 digest

calculated on the downloaded file must match this digest in order to prove

that the search result was not tampered with since leaving the FortiAnalyzer

unit.

Last Activity The date and time that the FortiAnalyzer unit received the email from the

FortiGate unit.

From The sender’s email address that was searched. This can be a full or partial

email address.

To The recipient’s email address that was searched. This can be a full or partial

email address.


Subject The subject line of an email.

The email list can display full and/or summary email archives. Summary

email archives contain only email messages with summary metadata. Full

email archives contain both the summary and a hyperlink to the associated

archived message.

For example, if the FortiAnalyzer unit has a full email archive for an email message, the subject column of the email contains a link that enables you to view the email message. If the FortiAnalyzer unit has only an email archive summary, the subject column does not contain a link.

A full or summary email archive varies by:

• whether the FortiGate unit is configured to send full email archives

• whether the content satisfies email archiving requirements

• whether the FortiAnalyzer unit has the file or message associated with

the summary email message (that is, full email archives do not appear if

you have deleted the associated message)

For more information about requirements and configuration of DLP

archiving, see the FortiGate Administration Guide.

Size The size of the email message.

Attachment icon

If an email has an attachment, this icon appears.
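To make use of the SHA1 and MD5 columns shown in the task view, whoever receives a downloaded search result has to recompute both digests on the file they were given and compare them with the values recorded on the unit. The following Python is an added example, not code from the guide or from Fortinet: it streams the file through both hash functions and compares the results with the displayed values in constant time. Neither MD5 nor SHA-1 is collision-resistant any more, so keep both digests together with the unit’s local log entries showing when the result was generated and downloaded; a match demonstrates that the file was not altered after it left the unit, and nothing more. The sample file and its reference digests are constructed for the example.

```python
"""Check a downloaded eDiscovery result against the SHA1 and MD5 shown by FortiAnalyzer.

Added example, not code from the FortiAnalyzer guide. The file contents and the
reference digests used in the demo are constructed.
"""
import hashlib
import hmac
import os
import tempfile


def file_digests(path, chunk_size=1024 * 1024):
    """Return {"sha1": hex, "md5": hex} for the file, streaming it in chunks so a
    large result archive does not have to fit in memory."""
    sha1 = hashlib.sha1()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            md5.update(chunk)
    return {"sha1": sha1.hexdigest(), "md5": md5.hexdigest()}


def verify_download(path, expected_sha1, expected_md5):
    """Require both digests to match the values copied from the task view.
    Case and surrounding whitespace in the copied values are ignored;
    hmac.compare_digest keeps the comparison constant-time.
    Returns (ok, actual digests)."""
    actual = file_digests(path)
    want_sha1 = expected_sha1.strip().lower()
    want_md5 = expected_md5.strip().lower()
    ok = hmac.compare_digest(actual["sha1"], want_sha1) and hmac.compare_digest(actual["md5"], want_md5)
    return ok, actual


def write_sample(data):
    """Write constructed bytes to a temporary file and return its path (demo helper)."""
    fd, path = tempfile.mkstemp(prefix="ediscovery-", suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample: the well-known digests of the three bytes "abc".
    path = write_sample(b"abc")
    ok, actual = verify_download(
        path,
        "a9993e364706816aba3e25717850c26c9cd0d89d",
        "900150983cd24fb0d6963f7d28e17f72",
    )
    print("match" if ok else "MISMATCH", actual)
    os.remove(path)
```

Requiring both digests to match is deliberate: a file that has been altered to preserve one of the two digests would still fail on the other, and the check is no more expensive since both hashes are computed in the same pass over the file.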


Reports

FortiAnalyzer units can analyze information collected from the log files of connected FortiGate,

FortiMail, FortiWeb, and FortiCache devices, FortiClient End Point agents, and syslog

compatible devices. It then presents the information in tabular and graphical reports. These

reports provide a quick and detailed analysis of activity on your networks.

You can create reports based on logs from Structured Query Language (SQL) databases or from

the proprietary indexer file system.

By using reports, you can:

• minimize the effort required to identify attack patterns when customizing policies

• monitor Internet surfing patterns for compliance with company policies

• identify your web site visitors for potential customers.

FortiAnalyzer reports are also flexible, offering system administrators the choice to compile a

report layout based on pre-defined variables or specific information.

This chapter includes the following topics:

• SQL based reports

• Indexer based reports

SQL based reports

If you have selected the SQL database for log storage in System > Config > SQL Database, you

will configure reports based on logs from a SQL database.

Logs are the basis of all FortiAnalyzer reports and must be collected or uploaded before you

can generate a report. After logs are collected or uploaded, you can then configure reports

based on the default or customized chart templates. For more information on logs, see “Log &

Archive” on page 173.

In most cases, the default chart templates are sufficient for report configuration. However, you

can create customized chart templates by configuring the datasets to get the exact chart data

you want, see “Advanced report settings” on page 218. Reports are generated based on SQL

queries of log files.

FortiWeb reports are only available when logging to SQL databases.


A report generated from an SQL query has the following components:

• report chart template

• report filters

• graphics and language

• report schedule.

This section includes the following topics:

• Enable/disable SQL database

• Enable/disable remote SQL database

• Left and right click menu tree

• Default device reports

• Email/upload remote output

• Predefined reports

• Custom reports

• Advanced report settings

• View report layout

Enable/disable SQL database

Go to System > Config > SQL Database and select Local Database to enable the SQL database

for logging. You can configure the FortiAnalyzer to use the indexer based database, a local SQL

database, or a remote SQL database. From this menu you can also specify the logging start

date and time, and configure the types of logs that you want the device to collect (see

Figure 147 and Figure 148). Configure the following variables and select Apply.

SQL Database based reports support FortiGate, FortiClient, FortiMail, FortiWeb and syslog

compatible devices.

FortiGate, when referenced in the Web-based Manager and supporting documentation,

includes FortiGate, FortiWiFi, FortiGate-VM, FortiGate-One and FortiCarrier devices.


Figure 147: Enable the SQL local database

Figure 148: Start time options

Configure the following settings:

Location

Disabled Select Disabled when logging to the proprietary indexer based

database.

Local Database Select Local Database when logging to a local SQL database.

Remote Database Select Remote Database when logging to a remote SQL database.

When selecting this option, a drop-down menu appears to allow you to

configure the database type, database name, username and

password.

Start Time Left-select on the calendar icon to set the log start date and time.

Log Type Select the required log types from the list.


Enable/disable remote SQL database

Go to System > Config > SQL Database and select Remote Database to enable the SQL

database for logging (see Figure 149). Configure the following variables and select Apply.

Figure 149: SQL database window

Configure the following settings:

Location

Disabled Select Disabled when logging to the proprietary indexer based

database.

Local Database Select Local Database when logging to a local SQL database.

Remote Database Select Remote Database when logging to a remote SQL database.

When selecting this option, a drop-down menu appears to allow you

to configure the database type, database name, username and

password.

Start Time Left-select on the calendar icon to set the log start date and time.

Type Enter the server type. The default server type is MySQL.

Server Enter the server name.

Database Name Enter the database name.

User Name Enter the server user name.

Password Enter the server password.

Log Type Select the required log types from the list.


Left and right click menu tree

Figure 150 summarizes the menu functions available when left-clicking and right-clicking within

each level of the menu tree.

Figure 150: Left-click and right-click menu options

Default device reports

Each device that is connected to the FortiAnalyzer has a default device report associated with

it. Go to Report > Default Device Reports and select a hostname of a connected device to view

its default report. The default report consists of the following, pre-defined sections:

• Bandwidth and Application Usage

• Web Usage

• Emails

• Threats

• VPN Usage

No. Left-Click Right-Click

1. Left-click: Show the device list in the left pane. You can expand/collapse and click to jump to devices.
   Right-click: N/A

2. Left-click: Show the cover page, including a hyperlink ToC, for the device report. Show the available report sections.
   Right-click: Edit the report options; Create a new report section; Copy the report.

3. Left-click: Show the selected report section.
   Right-click: Rename the report section; Delete the report section; Create a new report section; Move the report section up or down in the report.

4. Left-click: Show the predefined report list in the left pane. You can expand/collapse the report categories.
   Right-click: N/A

5. Left-click: Show the unclassified reports list in the left pane.
   Right-click: Rename, Delete, Cut, Copy, Paste, or Clone the report.

6. Left-click: Show the indexer based reports list in the left pane.
   Right-click: N/A

7. Left-click: Show the selected indexer based report in the right pane.
   Right-click: N/A

8. Left-click: Show the custom report types list in the left pane.
   Right-click: N/A

Once a default device report is edited, you cannot restore the report layout to the default

settings. Fortinet recommends using the right-click menu options to Copy the default device

report layout and Paste it to Custom Reports > Unclassified Reports. You can then use the

right-click menu to edit and customize the report copy.


Figure 151: Default device reports

Configure the following settings:

Edit Select to edit the report layout.

Run Select to generate a report immediately based on the current report layout.

Historical Reports Select to display all the reports generated based on the current report layout. You can select a report to view the detailed information.

Right-click menu

New Select New > Section to add a new section to the predefined report layout. See “Add a report section” on page 209 for information on configuring a new report section.

Edit Select to edit the Report Settings. See “Report settings” on page 207 for information on configuring report settings.

Copy Select to copy a predefined report layout. You can paste this report layout under the Custom Reports > Unclassified Reports folder.

Add a section to the default device report

To add a new section to the default device report, go to Report > Default Device Reports, and select the serial number of the device from the list. Right-click on the serial number and select New > Section from the drop-down list. See “Add a report section” on page 209 for more information.


Figure 152: Add section to default device report

Report settings

Go to Report > Default Device Reports, right-click on the device serial number and select Edit

to display the Report Settings window. Report settings allow you to configure the Report

Schedule, Report Filters, and Advanced Settings options for the device report (see Figure 153).

Configure the following variables and select OK to save the report layout changes.


Figure 153: Report options window

Configure the following settings:

Title The default title is Default Report for the serial number selected. This

field can be customized.

Description Optional description field.

Report Schedule Specify the frequency of report generation including the start and

send date and time.

Email/Upload Mark the check box if you want to apply a report output template from

the drop-down menu.

Print Table of Contents

Select if you want a table of contents for the report.

Print Device List Select the way to display the devices in a report. The result can only

be seen in PDF reports.

Compact: Display a compact comma-separated list of device names

included in the report.

Count: Display only the number of devices included in the report.

Detailed: Display a table of device information for each device

included in the report.

Report Filters

Device The default value is the serial number of the device.


Add a report section

To add a new report section to a Default Device Report, go to Report > Default Device Reports

and select the serial number of a connected device. Right-click on the serial number and select

New > Section.

Enter a name for the new section and press Enter. Select Edit to configure the new report

section (see Figure 154). Configure the following variables, and select OK to save the new

section.

Time Period The default value is Last 7 days. Use the drop-down menu to select a

pre-configured time period or select Specify some other date and time

range to select a specific time period.

More Filters Additional options to specify VDOM, User, Group, Hostname, Source

Interface and Destination Interface.

Advanced Settings

Other Format Select MHT, MS Word, Text or XML.

Language The default language is English. Use the drop-down menu to select:

• French;

• Japanese;

• Korean;

• Portuguese;

• Simplified Chinese;

• Spanish;

• Traditional Chinese.

Per-Device Reports

Enable to have a separate report generated for each connected

device.


Figure 154: Edit new report section

Configure the following settings:

Text

Heading 1 Left-click the Heading 1 (H1) icon and drag and drop into the body of

the report to add a new heading to the section.

Enter the heading that you would like for the section.

Heading 2 Left-click the Heading 2 (H2) icon and drag and drop into the body of

the report to add a new heading to the section.

Enter the heading that you would like for the section.

Text Left-click the Text (T) icon and drag and drop into the header or body

of the report to add new text to the section.

Enter the text that you would like for the section.

Chart

Bar Chart Drag and drop the bar chart icon into the body of the report to add a

new bar chart to the section. Configure the bar chart variables in the

pop-up window.

Select the chart type and one or more variables, then fill out the

required information and select OK.

Pie Chart Drag and drop the pie chart icon into the body of the report to add a

new pie chart to the section. Configure the pie chart variables in the

pop-up window.

Select the chart type and one or more variables, then fill out the

required information and select OK.


Table Chart Drag and drop the table chart icon into the body of the report to add a new table chart to the section. Configure the table chart variables in the pop-up window.

Select the chart type and one or more variables, then fill out the required information and select OK.

Other

Image Drag and drop the image icon into the body of the report section to add a new image to the section.

Select an image from the database or select Upload and browse your local hard drive to upload a custom image to the section. Select OK to import the image into the report section.

Page Break Drag and drop the page break icon into the body of the report section to insert a page break.

Email/upload remote output

Before you can enable this feature in report settings, you need to configure a new report output.

Go to System > Config > Remote Output, configure the following variables, and select OK.


Figure 155: New report output

Figure 156: Mail server settings window

Configure the following settings:

Name Enter a name for the new remote output.

Description Enter a description for the remote output. This field is optional.


Output Format Select the output format for the report. You can select more than

one output format. These options include the following:

• HTML

• PDF

• MS Word

• Text

• MIME HTML (MHT)

• Extensible Markup Language (XML)

• Connectwise

Send Report by Mail Select Send Report by Mail and/or Upload Report to Server and

configure the variables in the drop-down menus.

Compress Report Files Select to compress the report before sending.

From Specify an email address that will be used in the From field in the

email.

Server Select a server from the drop-down list or select Create New to

configure a new mail server.

SMTP Server Enter the name of the SMTP server.

Enable Authentication

Select to enable authentication for the new server configuration.

Email Account Enter the email account for the mail server.

Password Enter a password for the mail server.

Recipient Specify an email address that will be used in the To field in the email

and select Add. You can specify multiple recipient emails.

Add Add the recipient to the To list.

Delete Select an email defined under recipient and select Delete to remove

the email from the recipient list.

To The recipients who will be receiving the report.

Attachment Name Optionally enter a name for the attachment.

Use Default Select to use the default report name.

Subject Optionally enter a subject for the email containing the report.

Body Optionally enter body text for the email containing the report.

Upload Report to Server Select Send Report by Mail and/or Upload Report to Server and

configure the variables in the drop-down menus.

Server type Select the server type. The options include the following:

• File Transfer Protocol (FTP)

• Secure File Transfer Protocol (SFTP)

• Secure Copy (SCP)


IP address Enter the IP address of the server.

Username Enter the server username.

Password Enter the server password.

Directory Specify the directory to which you want to upload the file.

Delete file(s) after uploading Enable to delete the report file from the FortiAnalyzer upon successful upload to the server.

After configuring the remote output to email the report and/or upload it to a server, you can enable this feature in report settings. See “Report settings” on page 207 for more information.

Figure 157: Report settings

Predefined reports

The Predefined Reports section includes a set of report layouts. Go to Report > Predefined Reports to view, edit, and run these reports. Predefined reports can be edited, but not deleted. To add a new section to a report layout, see “Add a section to the default device report” on page 206. The predefined report layout includes the following reports:


• Overview

• Firewall_and_Bandwidth_Usage_Report

• Threat_and_Malware_Report

• Web_Filtering_and_Usage_Report

• Application_Usage_Report

• Virtual_Private_Networking_Usage_Report

• Email_Filtering_and_Usage_Report

• Wireless_PCI_Report

• Vulnerability_PCI_Report

• User_Activity_Summary

Figure 158: Report filters

For the User_Activity_Summary predefined report, the User filter must be configured under

Report Options.

Once a predefined report is edited or changed, you cannot restore the report layout to the

default settings. Fortinet recommends using the right-click menu options to Copy the

predefined report layout and Paste it to Custom Reports > Unclassified Reports. You can then

edit and customize the report copy.


Custom report filters

FortiAnalyzer v4.0 MR3 supports custom report filters in report settings. Custom filter variables

are configured from the CLI; once configured, each variable is listed under Report

Settings > Report Filters. You can use this custom filter feature to create a filter for any log field.

config sql report layout
    edit samplelayout
        config filter
            edit action    {Filter name is the log field to be filtered}
                set description webfilter action    {Description of filter name, can be any string}
                set value block    {Filter value}
                set status enable | disable
                set opcode equal | not_equal
            end
        end

Figure 159: Predefined reports page

This page displays the following information:

Edit Select to edit the report layout.

Run Select to generate a report immediately based on the current report

layout.

Historical Reports Select to display all the reports generated based on the current

report layout. You can select a report to view the detailed

information.

Right-click menu

New Select New > Section to add a new section to the predefined report

layout. See “Add a report section” on page 209 for information on

configuring a new report section.


Edit Select to edit the Report Settings. See “Report settings” on page 207 for information on configuring report settings.

Copy Select to copy a predefined report layout. You can paste this report layout under the Custom Reports > Unclassified Reports folder.

Custom reports

The custom reports section includes unclassified and indexer based report classifications. Go to Report > Custom Reports to view, edit, and run these reports.

Figure 160: Custom reports window

Configure the following settings:

Edit Select to edit the report layout.

Run Select to generate a report immediately based on the current report layout.

Historical Reports Select to display all the reports generated based on the current report layout. You can select a report to view the detailed information.

Indexer based reports

If you used the proprietary indexer file system for log storage in v4.0 MR2 and have upgraded to v4.0 MR3 and enabled the SQL database, you can still view the indexer based reports. Go to Report > Custom Reports > Indexer Based Reports > Indexer Based Reports to view indexer based reports that have been configured.

For more information on indexer based reports, see “Indexer based reports” on page 231.


Figure 161: Indexer based reports view options

Create a new folder

To create a new folder, go to Report > Custom Reports, and right-click anywhere in the

drop-down menu. Select New > Folder, and enter the new folder name at the prompt. You can

then right-click on this new folder and select New > Report, to configure specific reports that

you would like listed within this folder.

Figure 162: Create a new folder

Advanced report settings

Go to Report > Advanced to configure charts, datasets, calendar, and report language.

This section includes the following topics:

• Configuring report chart templates

• Report datasets

• View report schedule with calendar

• Configuring report language

Configuring report chart templates

The FortiAnalyzer unit provides predefined report chart templates for each report category. You

can create customized report chart templates using your own dataset configuration.


Pre-defined charts

Go to Report > Advanced > Chart to view the list of both pre-defined and customized report

chart templates.

The FortiAnalyzer unit provides pre-defined chart templates for each supported device:

FortiClient, FortiGate, FortiMail, and FortiWeb.

Figure 163: Pre-defined charts window

Configure the following settings:

Pre-defined charts

FortiClient Antivirus, EmailFilter, Traffic, WebFilter.

FortiGate Antivirus, Application Control, Attack, DLP, DLP Archive, EmailFilter,

Event, Network Scan, Traffic, WebFilter.

FortiMail History

FortiWeb Attack, Event, Traffic.

Create New Select to create a new chart template.

Edit Select to edit a custom chart. Pre-defined charts cannot be edited.

Delete Select to delete a custom chart. Pre-defined charts cannot be

deleted.


Create a new chart template

To create a new chart template, go to Report > Advanced > Chart and select Create New to

create a new chart template (see Figure 164). Configure the following and select OK to save.

Select Edit from the menu to edit variables on a custom chart template.

Figure 164: Create new chart template

Configure the following settings:

Clone Create a duplicate of a report chart template to use as a basis for

creating a new one.

The cloned template shares the same name with

“Copy_<sequential-number>” appended to the end.

Favorite • Select Add to Favorite to add one or more selected report chart

templates to your favorite list.

The star icon (Toggle Favorite State) turns orange.

• Select Remove from Favorite to remove one or more selected

report chart templates from your favorite list.

The star icon (Toggle Favorite State) turns gray.

The favorite templates can be used to generate reports for quick

and easy access.

Search Enter a keyword and press Enter to search for charts.

Name Enter the name for the chart template.

Description Enter any comments or notes about the chart template.


Category Select the log category for the chart template from the drop-down

list. The following log types are available: Antivirus, Application

Control, Data Leak (DLP), Email Filter, Event, FortiMail, FortiWeb,

FortiCache, IPS (Attack), Network Monitor, Network Scan, Traffic,

VPN, VoIP, or Web Filter.

Dataset Select the dataset for the selected category.

FortiAnalyzer datasets are a collection of the log files from the

devices monitored by the FortiAnalyzer unit. Reports are generated

based on the datasets.

Depending on the dataset selection, the values in the Field Output

and Data Bindings fields may vary.

Field Output Depending on the dataset selection, the values of this option may

vary. These values are used for marking the report graphs, such as

the X or Y axes in a bar graph, or column or row title in a table.

Graph Type Select the graph type from the drop-down menu. The available

graph types are bar, pie, and table.

Resolve Host Name Enable this option to display the device’s host name from an IP alias

or reverse DNS lookup, rather than an IP address.

Favorite Enable to add this chart template to the favorite list.

Data Bindings, Bar Depending on your selection in the Graph Type field, the values in

this section may vary.

X-axis Data Binding Data Binding: Select a value for the X-axis of the bar graph. The

values in this field change depending on your dataset selection.

Only Show First n Items: Select the check box and enter a number

to show the top ranked log information, such as the top number of

viruses, in the report chart. The default number is six. The rest of the

log information will be marked as “Others” in the chart.

Overwrite Label: Mark the check box to modify the default value for

the X-axis, if required.

Y-axis Data Binding Data Binding: Select a value for the Y-axis of the bar graph. The

values in this field change depending on your dataset selection.

Overwrite Label: Mark the check box to modify the default value for

the Y-axis, if required.

Group By: Mark the check box to group the log information

according to the dataset field output. This option appears only

when a dataset’s output contains more than three fields.

Only Show First n Items: Select the check box and enter a number

to show the top ranked log information, such as the top number of

viruses, in the report chart. The default number is three. The rest of

the log information will be marked as “Others” in the chart. This

option appears only when a dataset’s output contains more than

three fields.

Data Binding, Pie Depending on your selection in the Graph Type field, the values in

this section may vary.


Data Binding Select a value to show the size of each segment of log information in the pie chart. The values in this field change depending on your dataset selection.

For example, in a pie chart called Top Services by Volume, one of the top services is SMTP, and its percentage in the pie is 8.81. This percentage is generated by the selection in this field.

Enable Only Show First n Items (Bundle rest into Others) and enter a number to show the top ranked log information, such as the top number of viruses, in the report chart. The default number is six. The rest of the log information will be marked as Others in the chart.

Label Binding Select a value to label each segment of log information in the pie chart. The values in this field change depending on your dataset selection.

For example, in a pie chart called Top Services by Volume, one of the top services is labeled as SMTP. This label is generated by the selection in this field.

Data Binding, Table Depending on your selection in the Graph Type field, the values in this section may vary.

Display Data In Select Ranked to show the log information in ranked format, such as top x, or top y of top x, in the table.

Select Raw to show the log information as an audit report which displays the results only, such as all blocked sites and all sites visited.

Add Column Select to add a column to the table. This option only appears after you select the Remove the column icon.

The data display in the table will be in raw format after selecting the Remove the column icon.

Field Output Select a value to show the column title for the log information in the table. The values in these fields change depending on your dataset selection.

Overwrite Header Mark the check box to modify the Field Output value, if required.

Only Show First n Items Mark the check box and enter a number to show the top ranked log information, such as the top number of viruses, in the table. The default number is three. The rest of the log information will be marked as Others in the table.

This option is only available if you select to display data in ranked format.

View custom chart templates

To view custom chart templates, go to Report > Advanced > Chart, and select Custom Charts from the drop-down menu.


Figure 165: Custom chart template

Report datasets

FortiAnalyzer datasets are the collection of log files from the devices monitored by the

FortiAnalyzer unit. Reports are generated based on the datasets. The FortiAnalyzer unit

provides pre-defined datasets for each supported device type. You can also create new

datasets by writing your own SQL queries.

Pre-defined datasets

Go to Report > Advanced > Dataset to view the pre-defined datasets for each supported device type: FortiClient, FortiGate, FortiMail, and FortiWeb.

Figure 166: Pre-defined datasets

Pre-defined datasets

FortiClient Antivirus, EmailFilter, Traffic, WebFilter.

FortiGate Antivirus, Application Control, Attack, DLP, DLP Archive, EmailFilter, Event, Network Scan, Traffic, WebFilter.

FortiMail History

FortiWeb Attack, Event, Traffic.

Custom datasets

Go to Report > Advanced > Dataset and select Create New to create a custom dataset for the supported device type or local logs (see Figure 167). Configure the following variables and select OK to save the new dataset.


Figure 167: New data set window

Configure the following settings:

Name Enter the name for the custom dataset.

Device Type Select FortiGate, FortiClient, FortiMail, FortiWeb, or Local Logs from

the drop-down list.

Log Type ($log) Enter the type of logs to be used for the dataset. $log is used in the

SQL query to represent the log type you select. The log type options

include the following: Attack, DLP Archive, DLP, Event, Generic,

History, Network Scan, Application Control, Email Filter, Traffic,

Antivirus, and Web Filter.

Enable Variables for Dataset

Enable/Disable to include in $filter. Select to add variables for the

customized data used in a selected chart.

If you add a variable for a dataset and choose a chart that contains

this dataset, the name of the variable will appear. You can select the

variable name and enter a value to filter the dataset.

For example, if a variable name “username” appears and you enter

“John” as the value, your report chart will show John’s information

based on the filtered information in the dataset.

Variable Select a variable in the list. The variables are the same as log field

names.

Variable Name Enter a name for the variable selected.

Add Select to add the variable to the dataset.

SQL Query Enter the SQL query syntax to retrieve the log data you want from

the SQL database.

Test Select to test whether the SQL query is successful.
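An added example, not from the FortiAnalyzer guide or from Fortinet, covering both the custom dataset table above and the pie chart Data Binding / Only Show First n Items options in the chart template section: it runs a dataset query with $log and $filter placeholders over an in-memory SQLite table of constructed rows and turns the result into pie segments with the remainder bundled into Others. The table name tlog, the expansion of $log and $filter, and the user, service, sentbyte and rcvdbyte fields are assumptions, not FortiAnalyzer's internal implementation.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample rows modelled on FortiGate traffic log fields
# (user, service, sentbyte, rcvdbyte). The values are invented for this example.
SAMPLE_TRAFFIC_LOG: List[Tuple[str, str, int, int]] = [
    ("john", "HTTPS", 20000, 180000),
    ("john", "HTTP", 10000, 90000),
    ("john", "SMTP", 30000, 10000),
    ("john", "DNS", 5000, 25000),
    ("john", "SSH", 15000, 5000),
    ("john", "NTP", 5000, 5000),
    ("jane", "HTTPS", 50000, 350000),
    ("jane", "SMTP", 40000, 30000),
]

# The dataset query as an administrator would type it into the SQL Query field:
# $log stands for the selected log type and $filter for the enabled dataset variables.
# The secondary ORDER BY key keeps the ranking deterministic when volumes tie.
DATASET_SQL = (
    "SELECT service, SUM(sentbyte + rcvdbyte) AS volume "
    "FROM $log WHERE $filter GROUP BY service ORDER BY volume DESC, service ASC"
)

# Assumed stand-in for the log table; FortiAnalyzer's real table names are not on the page.
LOG_TABLE = "tlog"


def load_sample_log() -> sqlite3.Connection:
    """Create an in-memory SQLite table holding the constructed traffic log rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {LOG_TABLE} "
        "(user TEXT, service TEXT, sentbyte INTEGER, rcvdbyte INTEGER)"
    )
    conn.executemany(f"INSERT INTO {LOG_TABLE} VALUES (?, ?, ?, ?)", SAMPLE_TRAFFIC_LOG)
    conn.commit()
    return conn


def render_dataset_sql(conn: sqlite3.Connection, template: str,
                       variables: Dict[str, str]) -> Tuple[str, tuple]:
    """Expand $log to the log table and $filter to one "field = ?" predicate per variable.

    Variable names are log field names, so each one is checked against the table's real
    columns before it is spliced into the SQL. Variable values are never spliced in: they
    travel as bound parameters, so a value such as "John" cannot alter the query.
    """
    columns = {row[1] for row in conn.execute(f"PRAGMA table_info({LOG_TABLE})")}
    for name in variables:
        if name not in columns:
            raise ValueError(f"unknown log field used as dataset variable: {name!r}")
    predicate = " AND ".join(f"{name} = ?" for name in variables) or "1=1"
    sql = template.replace("$log", LOG_TABLE).replace("$filter", predicate)
    return sql, tuple(variables.values())


def run_dataset(conn: sqlite3.Connection, template: str,
                variables: Dict[str, str]) -> List[Tuple[str, int]]:
    """Run the expanded dataset query; each row is (label binding, data binding)."""
    sql, params = render_dataset_sql(conn, template, variables)
    return [(label, int(value)) for label, value in conn.execute(sql, params)]


def bundle_top_n(rows: List[Tuple[str, int]], n: int) -> List[Tuple[str, int]]:
    """'Only Show First n Items': keep the n highest-ranked rows and fold the remainder
    into a single 'Others' row, which is omitted when nothing is left over."""
    head, tail = rows[:n], rows[n:]
    if tail:
        head.append(("Others", sum(value for _, value in tail)))
    return head


def pie_percentages(rows: List[Tuple[str, int]]) -> List[Tuple[str, float]]:
    """Turn (label, volume) rows into pie segments: label binding plus percentage size."""
    total = sum(value for _, value in rows)
    if total == 0:
        return []
    return [(label, round(100.0 * value / total, 2)) for label, value in rows]


def top_services_by_volume(variables: Dict[str, str], n: int = 6) -> List[Tuple[str, float]]:
    """Full pipeline for a 'Top Services by Volume' pie chart over the sample log."""
    conn = load_sample_log()
    try:
        rows = run_dataset(conn, DATASET_SQL, variables)
    finally:
        conn.close()
    return pie_percentages(bundle_top_n(rows, n))


if __name__ == "__main__":
    # Dataset variable "user" set to "john", top three services, rest bundled into Others.
    for label, pct in top_services_by_volume({"user": "john"}, n=3):
        print(f"{label:<8}{pct:6.2f} %")
```

With the user variable set to john and n=3 the segments come out as HTTPS 50.00 %, HTTP 25.00 %, SMTP 10.00 % and Others 15.00 %; with no variables enabled $filter expands to a predicate that matches every row.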


Figure 168: SQL query console window

Configure the following settings:

Device Select a FortiGate unit, FortiMail unit, FortiWeb unit, or FortiClient installation to apply the SQL query.

VDOM If you want to apply the SQL query to a FortiGate VDOM, enter the name of the VDOM. Then use $filter in the “where” clause of the SQL query to limit the results to the FortiGate VDOM you specify.

Time Period Select the time period from the drop-down menu.

SQL Query If necessary, modify the SQL query to retrieve the log data you want from the SQL database.

Run Select to execute the SQL query.

If the query is not successful, check the SQL query you entered and make sure that the SQL database is working properly on the FortiAnalyzer unit.

Clear Select to remove the displayed query results.

Save Options Select to save the SQL query console configuration to the dataset configuration.

The Device and VDOM configurations are not used by the dataset configuration.

Close Select to return to the dataset configuration page.

View report schedule with calendar

The Calendar provides an overview of report schedules. You can select a past day to view the generated reports or an upcoming day to preview the scheduled reports. Calendar is useful for managing report generation. For example, you can avoid generating reports in the peak hours to free up your system resources for network usage.

When you select a day, the report schedules for that day are listed under Tasks, together with their status. You can open a finished report.

To view the calendar, go to Report > Advanced > Calendar.


Figure 169: View calendar and task list

Configuring report language

When creating a report layout, you can specify the report language. If your preferred language

requires modification, you can edit any of the pre-configured languages or create a new report

language. Go to Report > Advanced > Language to view the default report language options.

Report language components include:

• a string file, also known as a language resource file, containing report text;

• a format file specifying the language encoding, as well as file format specific settings;

• a font file whose glyphs support your encoding’s character set.

See “Configuring report language” on page 248 for more information about configuring the

report language.

Go to Report > Advanced > Language to view and edit the report language. You can also

download the language format file and string file.

Both format and string files use Unix-style line endings (LF characters, not CR-LF).


Figure 170: Language options window

Configure the following settings:

Edit report language:

To edit a report language entry, go to Report > Advanced > Language and select a language

entry from the list (Figure 171). Select the Edit icon, configure the following variables, and select

OK to save the language entry.

Pre-configured languages

The pre-configured languages include the following:

• English (default report language);

• French;

• Japanese;

• Korean;

• Portuguese;

• Simplified Chinese;

• Spanish;

• Traditional Chinese.


Figure 171: Edit report language window

Configure the following settings:

Language The language field displays the language entry that you have

selected.

Description Enter a description for the report language entry.

Format File If you changed the encoding of the string file, go to Download >

Download Format File and open the format file using a plain text

editor that supports Unix-style line endings, such as jEdit, and edit

the encoding and character set values for each file format. If you

have switched between a single-byte and a double-byte encoding,

also set the doublebytes value to true (1) or false (0).

For specifications on how to indicate encoding and character set,

refer to each file format’s specifications:

• W3C HTML 4.01 Specification

• Adobe PDF Reference

• Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8

Save the format file.

String File Open the string file using a plain text editor that supports Unix-style

line endings and the string file’s encoding, such as jEdit. Verify that

the correct encoding has been detected or selected.

Locate and edit text that you want to customize.

Do not change or remove keys. Modifiable text is located to the

right of the equal symbol (=) in each line.

Save the string file.

Font File (Optional) If you want to customize the font of report graph titles and Y-axis

labels, for Font File, select Browse and locate your font.

If your font is located in the system font folder, you may need to first

copy the font from the system font folder to another location, such

as a temporary folder or your desktop, to be able to select the font

for upload.


Add a report language:

To add a report language, go to Report > Advanced > Language and select Create New (see Figure 172). Configure the following variables and select OK to save the language entry.

Figure 172: Add report language window

Configure the following settings:

Some font licenses prohibit copying or simultaneous use on multiple hosts or by multiple users.

Verify your font’s license.

Language Enter the language name.

Description Enter a description for the language entry.

Format File For the Format File, select Browse and locate your customized

format file.

String File For the String File, select Browse and locate your customized string

file.

Font File (Optional) If you want to customize the font of report graph titles and Y-axis

labels, for Font File, select Browse and locate your font.

If your font is located in the system font folder, you may need to first

copy the font from the system font folder to another location, such

as a temporary folder or your desktop, to be able to select the font

for upload.

The time required to upload the language customization files varies by the size of the files and

the speed of your connection. If there are any errors with your files, correct the errors, then

repeat this procedure.


The following table lists error messages that can result when adding a report language.

View report layout

To view a report layout, go to Report > Custom Reports > Unclassified Reports and select a

report layout.

Table 13:Language file error messages

Error message Description

Specified format file contains invalid syntax. Your format or string file contains syntax

errors. To locate the errors, compare your

customized file with a default language’s file.

Refer to file format specifications or view

default files for valid syntax.

Specified language string file is missing one or

more strings.

Your string file is missing strings for one or more keys. To locate the missing strings, compare your customized string file with a default language’s string file.

Specified font file is not a standard TrueType

font (*.ttf).

Your font file is not a TrueType font. Only

TrueType fonts are supported.



Figure 173: Report layout

Indexer based reports

If you have disabled the SQL database for log storage in System > Config > SQL Database, you

will configure reports based on logs from the proprietary indexer file system. See

“Enable/disable SQL database” on page 202 for more information.

Logs are the basis of all FortiAnalyzer reports and must be collected or uploaded before you can generate a report; see “Log & Archive” on page 173 for more information about logs. After

logs are collected or uploaded, you can then define the three basic components that make up a

report based on logs from the proprietary indexed file system:

• report layout (the report template and the contents)

• output and data filter templates, language (optional components)

• report schedule (log data parameters and time range).

Indexer based reports support FortiGate, FortiClient, and FortiMail. FortiWeb is only supported

with SQL Database.


This section includes the following topics:

• Viewing scheduled reports

• Configuring report schedules

• Configuring reports

Viewing scheduled reports

To view reports that are generated by the FortiAnalyzer unit using log data from the proprietary

indexer file storage system, go to Report > Access > Scheduled Report. This page displays all

generated reports, including scheduled reports. See Figure 174.

Figure 174: Indexer based reports page

This page displays the following information:

Delete Select to remove selected reports.

Refresh Select to refresh the list. If the FortiAnalyzer unit is in the process of

generating a report, use Refresh to update the status of the report

generation.

Report Files Select the report name to view the entire report in HTML format.

Select the Expand Arrow to view the individual reports in HTML

format.

Device Type The type of device whose logs were used to generate the report.

Started The date and time when the FortiAnalyzer unit generated the report.

Finished The date and time when the FortiAnalyzer unit completed the report.

If the FortiAnalyzer unit is in the process of generating a report, a

progress bar will appear in this column. If the FortiAnalyzer unit has

not yet started generating the report, which can occur when another

report is not yet finished, Pending appears in this column.

Size (bytes) The file size of the report’s HTML format output, if any.

The size does not reflect other output formats that may be present,

such as PDF.


Configuring report schedules

You configure report schedules after you configure report layouts. If you do not have a report layout, you cannot configure a report schedule.

Report schedules provide a way to schedule a daily, monthly, or weekly report so that the report

will be generated at a specific time. You can configure multiple report schedules.

View the report schedule

To view the report schedule list, go to Report > Schedule > Schedule.

Figure 175: View report schedule list window

Configure the following settings:

Other Formats Select a file format, if any, to view the generated report in that

format.

In addition to HTML, generated reports may also be available in PDF, RTF, XML/XSL, and ASCII text formats, depending on the output configuration.

Current Page By default, the first page of the list of items is displayed. The total

number of pages displays after the current page number. For

example, if 2/10 appears, you are currently viewing page 2 of 10

pages.

To view pages, select the left and right arrows to display the first,

previous, next, or last page.

To view a specific page, enter the page number in the field and then

press Enter.

When a report schedule uses both an output template and selected file formats in Output Types, only the file formats that are enabled in both the output template and the schedule’s Output Types are sent by email. For example, if PDF and Text are selected in the output template, and PDF and MHT are selected in the report schedule, the email attachment is a PDF.

Create New Select to create a new report schedule.

Edit Edit an existing report schedule.


Create a new report schedule

To create a new report schedule, go to Report > Schedule > Schedule, and select Create New

(Figure 176). Configure the following variables and select OK to save.

Figure 176: New report schedule window

Configure the following settings:

Delete Delete a report schedule.

Run Run a report schedule immediately (on demand) instead of waiting for its scheduled time.

Name Enter a name for the schedule.

Description Enter a description for the schedule. This field is optional.

Layout Select a configured report layout from the drop-down list. You must

apply a report layout to a report schedule.

Language Select a language from the drop-down list or choose Default to use

the default language.

Schedule Select one of the following to have the report generated on demand,

once, daily, weekly, or monthly at a specified date and time.

Daily Select to generate the report every day at the same time. Enter the

start time and select a start and end date for the report.


Weekly Select to generate the report on specified days of the week. Select

the days of the week, enter the start time, and select a start and end

date for the report.

Monthly Select to generate the report on one or more days of the month. Enter the days separated by commas; for example, to generate the report on the 1st, 21st and 30th day of the month, enter 1, 21, 30. Then enter the start time and select a start and end date for the report.

Once Select to have the report generated only once on the specified date.

On Demand Select to have the report generated on demand.

Log Data Filtering You can specify the variables that were selected in the charts when

configuring the report layout.

If you did not specify any variables in the charts added to report

layout, proceed to Data Filter.

Device/Group Select a device or device group from the list.

If a layout is not selected, no FortiGate units or groups will appear in

the list.

Virtual Domain Select to create a report based on virtual domains. Enter a specific

virtual domain to include in the report.

User Select to create a report based on a network user. Enter the user or

users in the field.

Group Select to create a report based on a group of network users, defined locally. Enter the name of the group or groups in the field.

LDAP Query Select an LDAP directory from the drop-down list or select Create

New, to create a new LDAP server entry. See “Configuring LDAP

queries for reports” on page 142 for more information.

LDAP Group Enter an LDAP group. This option appears only when LDAP Query

is selected. See “Configuring LDAP queries for reports” on

page 142 for more information.

Data Filter Select a data filter template from the drop-down list to apply to the report schedule. Select Create New Data Filter to create a new data filter entry.


Configuring reports

This section includes the following topics:

• To configure a report layout

• Edit an existing report layout

• Create a new report layout

• Run a report

To configure a report layout

Go to Report > Config > Layout to view the predefined report layouts. You can Edit, Delete,

Clone, or Run a default or custom report from this page.

You can configure and define multiple report layouts, which can then be applied to report

schedules or generated immediately. When configuring a report layout, you can choose and

specify which charts to include in the report.

Time Period Local Time for: Select whether to base the time period on the local time of the FortiAnalyzer unit or on the local time of the selected devices.

Log time stamps reflect when the FortiAnalyzer unit received the

message, not when the device generated the log message. If you

have devices located in different time zones, and are creating a

report layout based on a span of time, ensure that the time span is

relative to the device, not the FortiAnalyzer unit.

For example, if you have a device and a FortiAnalyzer unit located

three time zones apart, a report for the time frame from 9 AM to 11

AM will yield different results depending on whether the report time

frame is relative to the device’s local time, or to the FortiAnalyzer

unit’s local time.

From: Select the beginning date and time of the log time range.

To: Select the ending date and time of the log time range.

Output Select the type of output you want the report to be in and if you

want to apply an output template as well.

Output Type Select the type of file format you want the generated report to be.

You can choose from PDF, XML, HTML (default), MS Word, Text,

and MHT.

Note: Only those file formats that are enabled in both output

template and schedule output types are sent by email. For example,

if PDF and Text formats are selected in the output template, and

then PDF and MHT are selected in the report schedule, the report’s

file format in the email attachment is PDF.

Email/Upload Select the check box if you want to apply a report output template

from the drop-down list.


Figure 177: Predefined report layouts window

This page displays the following information:

Edit an existing report layout

To edit an existing report layout, go to Report > Config > Layout, select one of the report layouts

and left-click Edit (Figure 178). Configure the following variables and select OK to save.

After adding charts, sections, and texts, you can edit charts in a report layout at any time as well

as rearrange the charts from within the Chart List. You can also edit Text and Section.

You cannot edit the charts of predefined report layouts.

Default Layout

Bandwidth_Analysis

An overview of bandwidth consuming applications and users

Forensic_Analysis An overview of detailed network activity information such as instant

messaging programs and email.

Threat_Analysis An overview of user Antivirus, Intrusion Protection and AntiSpam

threats for the time period.

Web_Filtering-Group_Activity

An overview of user web site activity for a group of users while also

providing a summary and analysis information on usage and

behavior.

Web_Filtering-User_Activity

An overview of user web site activity plus detailed audit of all

blocked sites and all sites visited.

Create New Create a new report layout.

Edit Edit an existing report layout.

Delete Delete a report layout. The pre-configured report layouts cannot be deleted.

Clone Create a duplicate of a report layout to use as a basis for creating a

new report layout.

Run Run a report layout immediately (on demand) instead of waiting for a report schedule that uses the layout.


Figure 178: Edit report layout window

Configure the following settings:

Name Enter a name for the report.

Description Enter a description, for example, for what the report is about.

Company Name Enter the name of your company or organization.

Report Title Enter a title name for the report, for example, Report_1.

Header Enter a header name for the report.

Title Page Logo Select the Browse logo files icon to choose a logo that will appear

on the title page of the report. You need to select a logo file format

that is compatible with your selected file format outputs. The logo

will not appear if it is incompatible with the chosen file format.

You can choose JPG, PNG, and GIF logo formats for PDFs and

HTML; WMF is also supported for RTF.


Create a new report layout

You can add default or user-defined charts to your report. You can also add a section to a report

that keeps charts separate from each other, or add a note or comment about a section or to

include additional information about the charts that are in the report.

To create a new report layout, go to Report > Config > Layout and select Create New (see

Figure 179, Figure 180, Figure 181, and Figure 182). Configure the following variables and

select OK to save the layout.

Header Logo Select the Browse logo files icon to choose a logo that will appear

only in the header of the report. Logo formats for headers also need

to be compatible with the chosen file format. The same logo formats

for the title page also apply to headers.

Chart List Select to add default or user-defined charts to your report.

Device Type Select a device type from the drop-down list. The available types

are FortiGate, FortiClient and FortiMail. The report’s log information

will come from the selected device type. For example, if you

selected FortiMail, the log information used is only FortiMail logs.

Category Select a category or all categories of charts from the drop-down list.

Note: Customized charts (Custom Charts) are listed under the Others category.

Chart Name The names of the charts in each category. The category name is in

bold, and the charts associated within that category name and data

source are displayed beneath.

Action Select the plus (+) symbol in the row containing the main chart

name to add all charts of the category to the report.

Select the plus (+) symbol in each row to add charts individually.

When the plus (+) symbol is selected, a minus (-) symbol appears.

Select the minus (-) symbol in each row to remove the selected

chart or charts.


Figure 179: Create new report layout

Figure 180: Add chart to the new report layout


Figure 181: Add section to new report layout

Figure 182: Add text to new report layout dialog box


Configure the following settings:

Run a report

To run a report with a default or custom layout, go to Report > Config > Layout and select the

layout from the list and select Run (see Figure 183). Configure the following variables and select

OK to run the report.

Name Enter a name for the report.

Description Enter a description of the report.

Company Name Enter the name of your company or organization.

Report Title Enter a title name for the report.

Header Enter a header name for the report.

Title Page Logo Select the Browse logo files icon to choose a logo that will appear

on the title page of the report. You need to select a logo file format

that is compatible with your selected file format outputs. The logo

will not appear if it is incompatible with the chosen file format.

You can choose JPG, PNG, and GIF logo formats for PDFs and

HTML; WMF is also supported for RTF.

Header Logo Select the Browse logo files icon to choose a logo that will appear

only in the header of the report. Logo formats for headers also need

to be compatible with the chosen file format. The same logo formats

for the title page also apply to headers.

Chart List

Add Chart(s) Select to add default or user-defined charts to your report.

Add Section Select to add a section to a report that keeps charts separate from

each other.

• Title: Enter a name to describe the charts and information.

• Description: Enter a description, if applicable, to describe the

charts.

Add Text Select to add a note or comment about a section or to include

additional information about the charts that are in the report.

Report layouts cannot be deleted while they are associated with a report schedule; to delete such a layout, first remove it from the schedule it is associated with, and then delete it.


Figure 183: Run report now window

Configure the following settings:

Name Name of report. For example, Bandwidth_Analysis.

Layout This field is greyed out, but displays the report layout selected.

Language The default language is English. Select an alternate language using

the drop down menu.

Log Data Filtering You can specify the variables that were selected in the charts when

configuring the report layout.

If you did not specify any variables in the charts added to report

layout, proceed to Data Filter.

Device/Group Select a device or device group from the list. If a layout is not

selected, no FortiGate units or groups will appear in the list.

Virtual Domain Select to create a report based on virtual domains. Enter a specific

virtual domain to include in the report.

User Select to create a report based on a network user. Enter the user or

users in the field.

Group Select to create a report based on a group of network users, defined locally. Enter the name of the group or groups in the field.

LDAP Query Select an LDAP directory from the drop-down menu, or select

Create New to configure a new LDAP server.

Data Filter Select a data filter from the drop-down menu, or select Create New

Data Filter to configure a new data filter.

Time Period Select local time for either the FortiAnalyzer or Selected Devices.

Specify the time period from the drop-down menu.


Configuring data filter templates

Data filters sort through log information so that a report includes or excludes only the log messages that match your criteria. You can configure multiple data filter templates for reports.

For example, to include only a specific range of source addresses, enter the range in the Source(s) field as 172.16.110.0-172.16.110.255, or as the subnet 172.16.110.0/255.255.255.0 or 172.16.110.0/24; all three match every address in 172.16.110.0/24. The shorthand 172.16.110.0-255 is not accepted. If you instead want to exclude that range, enter it and mark the not check box.

Data filter options operate on specific log message fields. For information about log message

fields, see the FortiGate Log Message Reference.
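The following is an added example, not FortiAnalyzer code: a small evaluator for data filter templates as this section describes them. It parses the three address forms the Source(s) and Destination(s) fields accept (explicit IP range, subnet with a dotted mask, subnet in CIDR form), rejects the unsupported 172.20.110.0-255 shorthand, honours the per-criterion not option, combines criteria with the all/any Filter Logic, and runs the result over constructed log records. The record field names srcip, dstip, service and policyid are assumed (modelled on FortiGate traffic log fields), and the sample records are made up.

```python
"""Added example, not FortiAnalyzer code: an evaluator for report data filter
templates. Address entries follow the formats the guide lists for Source(s)
and Destination(s); "not" inverts one criterion; Filter Logic all/any
combines criteria. Records are dicts with assumed FortiGate-style field
names (srcip, dstip, service, policyid); the sample records are constructed."""

import ipaddress
from typing import Callable, Dict, List

LogRecord = Dict[str, str]
Criterion = Callable[[LogRecord], bool]


def parse_address_spec(spec: str) -> Callable[[str], bool]:
    """Return a predicate over an address string for one filter entry."""
    spec = spec.strip()
    if "-" in spec:
        # xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx: both ends must be full addresses, so
        # "172.20.110.0-255" fails here with ValueError, as the guide warns.
        low_s, high_s = spec.split("-", 1)
        low, high = ipaddress.ip_address(low_s.strip()), ipaddress.ip_address(high_s.strip())
        if high < low:
            raise ValueError(f"range end precedes start: {spec}")
        return lambda addr: low <= ipaddress.ip_address(addr) <= high
    if "/" in spec:
        # xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/cidr; strict=False
        # tolerates host bits, so 172.16.110.25/24 means 172.16.110.0/24.
        network = ipaddress.ip_network(spec, strict=False)
        return lambda addr: ipaddress.ip_address(addr) in network
    host = ipaddress.ip_address(spec)
    return lambda addr: ipaddress.ip_address(addr) == host


def address_criterion(field: str, specs: str, negate: bool = False) -> Criterion:
    """Comma-separated address entries; a record matches if any entry matches."""
    predicates = [parse_address_spec(s) for s in specs.split(",") if s.strip()]
    return lambda rec: any(p(rec[field]) for p in predicates) != negate


def value_criterion(field: str, values: str, negate: bool = False) -> Criterion:
    """Comma-separated literal values, for fields such as service or policyid."""
    wanted = {v.strip() for v in values.split(",") if v.strip()}
    return lambda rec: (rec.get(field) in wanted) != negate


def apply_data_filter(records: List[LogRecord], criteria: List[Criterion], logic: str = "all"):
    """Filter Logic: 'all' keeps records matching every criterion, 'any' keeps
    records matching at least one criterion."""
    if logic not in ("all", "any"):
        raise ValueError("logic must be 'all' or 'any'")
    combine = all if logic == "all" else any
    return [r for r in records if combine(c(r) for c in criteria)]


def shorthand_rejected(spec: str) -> bool:
    """True if the entry is refused by the parser (e.g. the a.b.c.d-255 shorthand)."""
    try:
        parse_address_spec(spec)
    except ValueError:
        return True
    return False


# Constructed sample records, not real FortiGate log lines.
SAMPLE_LOGS: List[LogRecord] = [
    {"logid": "1", "srcip": "172.16.110.25", "dstip": "8.8.8.8", "service": "DNS", "policyid": "3"},
    {"logid": "2", "srcip": "172.16.120.7", "dstip": "10.0.0.5", "service": "HTTPS", "policyid": "7"},
    {"logid": "3", "srcip": "172.16.110.200", "dstip": "10.0.0.5", "service": "HTTPS", "policyid": "7"},
    {"logid": "4", "srcip": "192.168.1.9", "dstip": "10.0.0.5", "service": "SSH", "policyid": "12"},
]


def demo() -> Dict[str, List[str]]:
    """Three templates over the same records: all/any logic and a negated source."""
    lan = address_criterion("srcip", "172.16.110.0/255.255.255.0")
    https = value_criterion("service", "HTTPS")
    not_lan = address_criterion("srcip", "172.16.110.0-172.16.110.255", negate=True)

    def ids(recs):
        return [r["logid"] for r in recs]

    return {
        "all: LAN and HTTPS": ids(apply_data_filter(SAMPLE_LOGS, [lan, https], "all")),
        "any: LAN or HTTPS": ids(apply_data_filter(SAMPLE_LOGS, [lan, https], "any")),
        "all: not LAN and HTTPS": ids(apply_data_filter(SAMPLE_LOGS, [not_lan, https], "all")),
    }


if __name__ == "__main__":
    for label, matched in demo().items():
        print(f"{label}: {matched}")
```

Running `demo()` selects record 3 for “LAN and HTTPS”, records 1, 2 and 3 for “LAN or HTTPS”, and record 2 for “not LAN and HTTPS”, which is the difference between the all and any settings and the not check box described in the Filter Logic and Source(s) rows below.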

To view and configure the data filter templates, go to Report > Config > Data Filter.

Figure 184: Data filter template menu

Configure the following settings:

Create new data filter

To create a new Data Filter, go to Report > Config > Data Filter, and select Create New

(Figure 185). Configure the following variables and select OK to save.

Output Specify the report output type. These include the following:

• HTML (enabled by default);

• PDF;

• MS Word;

• Text;

• MHT; and

• XML.

Email/Upload Enable and select report output or select Create New Report Output

from the drop-down list.

Create New Select to create a new data filter template.

Edit Select to edit an existing data filter template.

Delete Select to delete an existing data filter template.


Figure 185: New data filter

Name Enter a name for the new data filter.

Description Enter a description for the data filter. This is optional.

Filter Logic Select all to include in the report only the logs that match all data filter criteria. If a log does not match every criterion, the FortiAnalyzer unit excludes it from the report.

Select any to include the logs that match any of the data filter criteria. If a log matches at least one criterion, the FortiAnalyzer unit includes it in the report.

Source(s) Enter the source IP or a range of source IP addresses to include

matching logs. You can also select from the alias list. Separate

multiple sources with a comma.

You can filter on IP ranges or subnets. The following formats are

supported:

• IP Range: xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx;

• Subnet: xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx; or

xxx.xxx.xxx.xxx/cidr.

Note: you cannot use the format 172.20.110.0-255.

Alias Select the appropriate alias from the drop-down list.


not Select to include the log messages that do not match this criterion. For example, you might include all logs except those matching a specific source IP address.

Destination(s) Enter the destination IP or a range of destination IP addresses to

include matching logs. You can also select from the alias list.

Separate multiple destinations with a comma.

You can filter on IP ranges or subnets. The following formats are

supported:

• IP Range: xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx;

• Subnet: xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx; or

xxx.xxx.xxx.xxx/cidr.

Note: you cannot use the format 172.20.110.0-255.

Alias Select the appropriate alias from the drop-down list.

not Select to include the log messages that do not match this criterion.

For example, you might want to include logs except those matching

a specific destination IP address.

Interface(s) Enter the network interface or interfaces to include matching logs.

Separate multiple interface names with a comma.

not Select to instead include only log messages that do not match this

criterion. For example, you might include logs except those

matching a specific network interface.

Policy ID(s) Enter the device policy ID numbers to include matching logs. The

report will include logs from all device log files containing policy ID

numbers, which excludes event and DLP archive logs. Separate

multiple policy IDs with a comma.

not Select to instead include only log messages that do not match this

criterion. For example, you might include logs except those

matching a specific policy ID.

Service(s) Enter specific services to include matching logs. Separate multiple

services with a comma.

not Select to instead include only log messages that do not match this

criterion. For example, you might include logs except those

matching a specific service.

Email Domain(s) Enter the email domain or domains that you want included in the

filter.

An email domain is a set of email accounts that reside on a

particular email server. The email domain is the portion of the user’s

email address following the “@” symbol. For more information about

email domains, see the FortiMail Administration Guide.

This field is used only when creating FortiMail reports.

not Select to instead include only log messages that do not match this

criterion. For example, you might include logs except those

matching a specific email domain.


Email Direction(s) Enter one of the following types of email directions:

• IN: The incoming email traffic direction;

• OUT: The outgoing email traffic direction;

• UNKNOWN: The unknown email traffic direction.

This field is used only when creating FortiMail reports.

not Select to instead include only log messages that do not match this

criterion. For example, you might include logs except those

matching a specific email direction.

Email Sender(s) Enter one or more senders of the email.

This field is used only when creating FortiMail reports.

not Select to instead include only log messages that do not match this

criterion. For example, you might include logs except those

matching a specific email sender.

Email Recipient(s) Enter one or more receivers of the email.

This field is used only when creating FortiMail reports.

not Select to instead include only log messages that do not match this

criterion. For example, you might include logs except those

matching a specific email recipient.

Day of Week Select specific days of the week to include matching logs.

Web Category Select to include only web filtering logs that match selected categories, then indicate the categories to include by selecting one or more category check boxes.

You can select a whole category by selecting the check box beside

the Expand Arrow of the category. You can also select the individual

subcategories that are within the category by selecting the Expand

Arrow to display the sub-categories. For example, you might select

to include all web filtering logs with a category of Potentially

Bandwidth Consuming, or you might select only Internet Radio and

TV within that category.

not Select to instead include only logs that do not match the criterion.

For example, you might include logs except those matching a

specific web category.

Priority Select a severity level from the Available Levels column and

then use the -> arrow to move the level to the Selected Levels

column.

If you want to remove a severity level from the Selected Levels

column, select the level first and then use the <- arrow to move the

level back to the Available Levels column.

Generic Filter(s) Enter a generic filter for the data filter template.

Key Enter a keyword in this field.

Value Enter a number for the value.


Configuring report language

When creating a report layout, you can specify the report language. If your preferred language

requires modification, you can edit any of the pre-configured languages or create a new report

language. Go to Report > Config > Language to view the default report language options.

Report language components include:

• a string file, also known as a language resource file, containing report text

• a format file specifying the language encoding, as well as file format specific settings

• a font file whose glyphs support your encoding’s character set.

The font file is used to render graph titles and Y-axis labels in a font of your choice. Some fonts,

particularly for double-byte languages, do not support character rotation, which is required by

the Y-axis label. Compatible fonts must be a TrueType (.ttf) font, and must support character

rotation. Examples of known compatible fonts include Arial, AR PL Mingti2L Big5, AR PL

SungtiL GB, DFPHSGothic-W5, and Verdana.

The string file specifies pieces of text that may be used in various places throughout the report.

Each string line consists of a key followed by an equal symbol (=) and its value. You can add

comments to the string file by preceding them with a number symbol (#).

For example, in these lines:

# Printed in place of report when zero log messages matched report filter.

no_match=No matching log data for this report

the comment is:

# Printed in place of report when zero log messages matched report filter.

the key is no_match, and the string value for that key is No matching log data for this report.

Keys are required and must not be removed or changed. Keys map a string to a location in the

report, and are the same in each language file. If you change or remove keys, the FortiAnalyzer

unit can not associate your string with a location in the report, string file validation will fail, and

the string file upload will not succeed.

String values may be changed to customize report text. If your custom string values use a

different encoding or character set than the default language file, customize your format file to

reflect your new character set and/or encoding.

Comment lines are optional; you can add them throughout the file to provide notes on your

work.

The format file contains settings for the file format renderers, including encodings. The format

file contains sections that are preceded by an output type label, consisting of the file format

name followed by a colon (:). Within each output type’s section, one or more settings exist,

not Select to instead include only log messages that do not match this

criterion. For example, you might include logs except those

matching a specific generic filter.

Add Select Add to add the keyword and value number to the generic

filter list. The generic filter list displays all configured generic filters

in the field beside both Add and Delete.

Delete Select to delete the generic filter. Select the generic filter first, and

then select Delete.

Reports Page 248 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 249: Fortianalyzer Admin 40 Mr3

consisting of a variable name followed by an equal symbol (=) and its value, contained by

quotes (“”). You can add comments to the format file by preceding them with a number symbol

(#).

For example, in these lines:

# Localization uses a Latin character set.

html:html_charset="iso-8859-1"

The comment is:

# Localization uses a Latin character set.

The output type label is html:, the variable name is html_charset, and the variable’s value is

iso-8859-1.

Variables are required and must not be removed or changed. If you change or remove variables,

the FortiAnalyzer unit may not be able to properly format your reports.

If your custom string values use a different encoding or character set than the default language

file, you must customize your format file to reflect your new character set and/or encoding. If

your string file requires double-byte encoding, set doublebytes="1", otherwise, set

doublebytes="0". The variable’s value must be in a pattern acceptable by the output type. If the

variable value syntax is not correct, format file validation will fail, and the format file upload will

not succeed.

Supported encodings used by the string file and referenced in the format file include those

specified by the PDF, RTF, and HTML standards. For character set, encoding syntax, and other

specifications, see the following documents:

• W3C HTML 4.01 Specification;

• Adobe PDF Reference;

• Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8.

Comment lines are optional; you can add them throughout the file to provide notes on your

work.

If you require further format file customization, including adjustments to PDF objects, contact

Customer Service & Support.

Go to Report > Config > Language to view the default report language options.

Both format and string files use Unix-style line endings (LF characters, not CR-LF).
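As an added example (not Fortinet's code, and not how the FortiAnalyzer unit itself validates an upload), the following Python script applies the rules this section states to a customized string file and format file before they are uploaded: every key of the default string file must still be present with a non-empty value, each format file setting must be name="value" under an output type label, doublebytes must be "0" or "1", and both files must use LF line endings. The sample default files are constructed from the fragments shown in this section; the shape of the real default files, and doublebytes being a per-section setting, are assumptions.

```python
import re

# Constructed sample of a default string file: one key=value per line, a "#"
# starts a comment. The first two lines are the example given in this section.
DEFAULT_STRINGS = (
    "# Printed in place of report when zero log messages matched report filter.\n"
    "no_match=No matching log data for this report\n"
    "report_title=Report\n"
)

# Constructed sample of a default format file: an output type label such as
# "html:" opens a section and each setting is name="value". The comment and
# html_charset lines are this section's example; doublebytes being a
# per-section setting is an assumption.
DEFAULT_FORMAT = (
    "# Localization uses a Latin character set.\n"
    'html:html_charset="iso-8859-1"\n'
    'doublebytes="0"\n'
    "pdf:\n"
    'doublebytes="0"\n'
)

_LABEL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*):(.*)$")
_SETTING_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"$')


def parse_string_file(text):
    """Return {key: value}; raise ValueError on a line that is not key=value."""
    strings = {}
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value")
        strings[key.strip()] = value
    return strings


def parse_format_file(text):
    """Return {output_type: {variable: value}}; raise ValueError on bad syntax.

    A label may stand alone ("pdf:") or be followed by a setting on the same
    line, which is how this section prints its html example.
    """
    sections, current = {}, None
    for lineno, line in enumerate(text.split("\n"), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        label = _LABEL_RE.match(stripped)
        if label:
            current = label.group(1)
            sections.setdefault(current, {})
            stripped = label.group(2).strip()
            if not stripped:
                continue
        if current is None:
            raise ValueError(f"line {lineno}: setting before any output type label")
        setting = _SETTING_RE.match(stripped)
        if not setting:
            raise ValueError(f'line {lineno}: expected name="value"')
        sections[current][setting.group(1)] = setting.group(2)
    return sections


def validate_language_files(string_text, format_text,
                            default_strings=DEFAULT_STRINGS,
                            default_format=DEFAULT_FORMAT):
    """Return a list of problems (empty when the pair passes), worded after Table 14."""
    problems = [f"{name} file uses CR-LF line endings; use Unix-style LF"
                for name, text in (("string", string_text), ("format", format_text))
                if "\r\n" in text]
    try:
        strings = parse_string_file(string_text)
    except ValueError as exc:
        return problems + [f"Specified string file contains invalid syntax ({exc})."]
    defaults = parse_string_file(default_strings)
    # Keys must not be removed or renamed, and every key needs a string value.
    missing = sorted(k for k in defaults if not strings.get(k, "").strip())
    if missing:
        problems.append("Specified language string file is missing one or more "
                        "strings: " + ", ".join(missing))
    unknown = sorted(set(strings) - set(defaults))
    if unknown:
        problems.append("Keys must not be changed; unknown keys: " + ", ".join(unknown))
    try:
        fmt = parse_format_file(format_text)
    except ValueError as exc:
        return problems + [f"Specified format file contains invalid syntax ({exc})."]
    for section, variables in parse_format_file(default_format).items():
        present = fmt.get(section, {})
        for var in variables:
            if var not in present:
                problems.append(f"Variables must not be removed: {section}: {var}")
        db = present.get("doublebytes")
        if db is not None and db not in ("0", "1"):
            problems.append("Specified format file contains invalid syntax "
                            f'({section}: doublebytes must be "0" or "1", got "{db}").')
    return problems
```

Use the string and format files downloaded from Report > Config > Language for a default language as the reference and your edited copies as the candidate; because the messages reuse the Table 14 wording, a rejected upload can be diagnosed offline before retrying.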


Figure 186: Configure report language

To edit the report language

To edit the report language, go to Report > Config > Language, choose the language entry from the list and select Edit (Figure 187). Configure the following settings and select OK to save.

Create New Select to create a new report language type.

Edit Select to edit a language entry.

Delete Select to delete a customized language entry. The option to delete

is not available for the pre-configured language entries.

Delete Font File Remove the font file from the selected report language.

Download Select Download Format File to download the file format settings.

Select Download String File to download the language resource.

Select Download Font File to download the custom font file. This

option is disabled for default languages and report language

customizations using a default font.

The string file contains many keys, and each report type uses a subset of those keys. If your

language modification does not appear in your report, verify that you have modified the string of

a key used by that report type.


Figure 187: Edit report language window

Configure the following settings:

Language The language field displays the language entry that you have

selected.

Description Enter a description for the report language entry.

Format File If you changed the encoding of the string file, go to Download >

Download Format File and open the format file using a plain text

editor that supports Unix-style line endings, such as jEdit, and edit

the encoding and character set values for each file format. If you

have switched between a single-byte and a double-byte encoding,

also set the doublebytes value to true (1) or false (0).

For specifications on how to indicate encoding and character set,

refer to each file format’s specifications:

W3C HTML 4.01 Specification

Adobe PDF Reference

Microsoft Word 2003 Rich Text Format (RTF) Specification, version

1.8

Save the format file.

String File Open the string file using a plain text editor that supports Unix-style

line endings and the string file’s encoding, such as jEdit. Verify that

the correct encoding has been detected or selected.

Locate and edit text that you want to customize.

Do not change or remove keys. Modifiable text is located to the

right of the equal symbol (=) in each line.

Save the string file.

Font File (Optional) If you want to customize the font of report graph titles and Y-axis

labels, for Font File, select Browse and locate your font.

If your font is located in the system font folder, you may need to first

copy the font from the system font folder to another location, such

as a temporary folder or your desktop, to be able to select the font

for upload.


To add a report language

To add a report language, go to Report > Config > Language and select Create New to create a new language entry (Figure 188). Configure the following settings and select OK to save.

Figure 188: Add report language window

Configure the following settings:

Language Enter the language name.

Description Enter a description for the language entry.

Format File For the Format File, select Browse and locate your customized format file.

String File For the String File, select Browse and locate your customized string file.

Font File (Optional) If you want to customize the font of report graph titles and Y-axis labels, for Font File, select Browse and locate your font. If your font is located in the system font folder, you may need to first copy the font from the system font folder to another location, such as a temporary folder or your desktop, to be able to select the font for upload.

Some font licenses prohibit copying or simultaneous use on multiple hosts or by multiple users. Verify your font’s license.

Time required to upload the language customization files varies by the size of the files and the

speed of your connection. If there are any errors with your files, correct the errors, then repeat

this procedure.


The following table lists error messages that can result when adding a report language.

Table 14: Language file error messages

Error message Description

Specified format file contains invalid syntax. Your format or string file contains syntax errors. To locate the errors, compare your customized file with a default language’s file. Refer to file format specifications or view default files for valid syntax.

Specified language string file is missing one or more strings. Your string file is missing strings for one or more keys. To locate missing strings, compare your customized string file with a default language’s string file.

Specified font file is not a standard TrueType font (*.ttf). Your font file is not a TrueType font. Only TrueType fonts are supported.


Network Vulnerability Scan

The Network Vulnerability Scan menu configures vulnerability scans and displays the scan

results.

New vulnerabilities appear in any organization's network due to problems such as flaws in

software or faulty application configuration. The vulnerability management feature can

determine whether your organization’s computers are vulnerable to attacks. With this feature,

you can define your host assets or discover hosts in the network, configure vulnerability

management scans, generate reports, and interpret the results.

FortiAnalyzer units come with a default database of more than 2 500 vulnerabilities. For

FortiGuard Vulnerability Management Service subscribers, this database can be periodically

updated via the FortiGuard Distribution Network (FDN) to receive definitions of the most

recently discovered vulnerabilities. For details, see “Scheduling & uploading vulnerability

management updates” on page 147.

The vulnerability scan is suitable for scanning many types of hosts, including those running

Microsoft Windows or Unix variants such as Linux and Mac OS X, as well as a variety of

applications and services/daemons.

The workflow of a vulnerability scan is as follows:

1. Parsing scan settings

2. Detecting live hosts

3. Scanning ports, if required

4. Scanning the OS, if required

5. Performing the service scan

6. Performing the vulnerability scan with the specified FIDs

This section includes the following topics:

• Model support

• How to use the network vulnerability scan feature

• Configuring host assets

• Discovering network host assets

• Preparing for authenticated scanning

• Configuring vulnerability scans

• Viewing scan results

SQL database storage must be enabled to perform network vulnerability scans. See “Configuring SQL database storage” on page 118 for more information.


Model support

The following table lists the maximum hosts to scan and the number of concurrent scans per FortiAnalyzer model.

Table 15: Model support

Model Supported Max. Hosts to Scan No. Concurrent Scans

FAZ-100B 200 4

FAZ-100C 200 4

FAZ-200D 500 8

FAZ-400B 500 8

FAZ-400C 500 8

FAZ-800 1000 8

FAZ-800B 1000 8

FAZ-1000B 2000 16

FAZ-1000C 2000 16

FAZ-2000 Unlimited (65535) 20

FAZ-2000A Unlimited (65535) 20

FAZ-2000B Unlimited (65535) 20

FAZ-4000A Unlimited (65535) 32

FAZ-4000B Unlimited (65535) 32

FAZ-VM Unlimited (65535) 32

FAZ-VM64 Unlimited (65535) 32

How to use the network vulnerability scan feature

The following instructions will allow you to configure the network vulnerability scan feature on your FortiAnalyzer device.

To configure a vulnerability scan, follow these general steps:

1. Define which host assets you want to scan. You can do this either manually or automatically, by performing a discovery scan. For details, see “Configuring host assets” on page 256 or “Discovering network host assets” on page 258.

2. Prepare for the network vulnerability scan. For more information, see “Preparing for authenticated scanning” on page 258.

3. Schedule network vulnerability scans. For more information, see “Configuring vulnerability scans” on page 261.

4. View scan results. For more information, see “Viewing scan results” on page 265.


Configuring host assets

Network Vulnerability Scan > Asset Definition > Asset Definition displays the list of known host

assets. An asset is a server or workstation computer on your network.

Before the FortiAnalyzer unit can scan your hosts for vulnerabilities, you must define your host

assets. You can either add hosts to this list manually, or, alternatively, discover them through a

network map scan. For details, see “Discovering network host assets” on page 258.

Figure 189: Host asset list page

This page displays the following information:

Create New Select to add a host asset. See “To add a host asset:” on page 257.

View Select an asset and select View to display the scan result of this asset, including the host IP address and host discovery method.

Discover Assets Select one or more assets and select Discover Assets to discover these assets. See “Discovering network host assets” on page 258.

Start Scan Select one or more assets and select Start Scan to scan these assets.

• Quick: check only the most commonly used ports

• Standard: check the ports used by most known applications

• Full: check all TCP and UDP ports

For a detailed list of the TCP and UDP ports examined by each scan mode, see Table 16 on page 262.

Name The host name.

Type The type of the host: IP address or IP address range.

IP Address/Range The IP address of the host, or the IP address range of the hosts.

Right-click Menu Right-click a row to show a context menu for performing some actions.


To add a host asset:

1. Go to Network Vulnerability Scan > Asset Definition > Asset Definition.

2. Select Create New.

3. Enter the appropriate information and select OK.

Figure 190: Create asset window

Configure the following settings:

Name The name of the host. Names cannot contain spaces.

Type Select Host for a single host, or Range for multiple hosts in a contiguous IP address range.

Host If you set Type to Host, enter the host IP address.

IP Address If you set Type to Range, enter the first and last IP addresses of the range. All the hosts within the range will be included in the host asset.

Windows Authentication Select to use authentication on a Windows operating system. Enter the username and password in the fields provided. For more information, see “Preparing for authenticated scanning” on page 258.

UNIX Authentication Select to use authentication on a Unix operating system. Enter the username and password in the fields provided. For more information, see “Preparing for authenticated scanning” on page 258.
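Added example, not FortiAnalyzer code: a small Python planner that expands Host and Range assets the way the Create asset window defines them (a Range includes every address from the first to the last, inclusive; names cannot contain spaces) and checks the resulting host count against the maximum hosts per model from Table 15. The model limits are the table's values; the sample addresses are constructed, and counting a host that falls in two overlapping ranges once is an assumption about the appliance's behaviour, not something this chapter states.

```python
import ipaddress

# Table 15 of this chapter: model -> (maximum hosts to scan, concurrent scans).
# 65535 is the figure the table prints as "Unlimited".
MODEL_LIMITS = {
    "FAZ-100B": (200, 4), "FAZ-100C": (200, 4),
    "FAZ-200D": (500, 8), "FAZ-400B": (500, 8), "FAZ-400C": (500, 8),
    "FAZ-800": (1000, 8), "FAZ-800B": (1000, 8),
    "FAZ-1000B": (2000, 16), "FAZ-1000C": (2000, 16),
    "FAZ-2000": (65535, 20), "FAZ-2000A": (65535, 20), "FAZ-2000B": (65535, 20),
    "FAZ-4000A": (65535, 32), "FAZ-4000B": (65535, 32),
    "FAZ-VM": (65535, 32), "FAZ-VM64": (65535, 32),
}


def make_asset(name, first_ip, last_ip=None):
    """Build a Host asset (one address) or a Range asset (first..last inclusive).

    Mirrors the Create asset window: names cannot contain spaces, and a Range
    asset includes every host between its first and last address.
    """
    if not name or " " in name:
        raise ValueError("asset names cannot contain spaces")
    start = ipaddress.IPv4Address(first_ip)
    if last_ip is None:
        return {"name": name, "type": "Host", "hosts": [start]}
    end = ipaddress.IPv4Address(last_ip)
    if end < start:
        raise ValueError("range end must not precede range start")
    hosts = [ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)]
    return {"name": name, "type": "Range", "hosts": hosts}


def host_count(assets):
    """Distinct hosts across an asset list. Counting an address that appears in
    two overlapping ranges once is an assumption made here."""
    return len({h for asset in assets for h in asset["hosts"]})


def check_capacity(model, assets):
    """Return (fits, hosts, limit) for an asset list on the given model."""
    limit = MODEL_LIMITS[model][0]
    hosts = host_count(assets)
    return hosts <= limit, hosts, limit


if __name__ == "__main__":
    # Constructed sample: a DMZ web range plus one database host.
    dmz = make_asset("dmz-web", "192.0.2.10", "192.0.2.29")
    db = make_asset("db-01", "192.0.2.100")
    print(check_capacity("FAZ-100B", [dmz, db]))
```

Running the capacity check before creating assets avoids scheduling a scan that exceeds the model's limit; the same count is what the Total Hosts column of a scan result would cover.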


Discovering network host assets

The simplest way to build the asset list is to perform a discovery scan on the range of IP

addresses where your network assets are installed. A discovered host can be scanned for

vulnerability.

Asset discovery scans the following ports:

• TCP: 21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445

• UDP: 53, 111, 135, 137, 161, 500

To discover assets:

1. Go to Network Vulnerability Scan > Asset Definition > Asset Definition and select one or

more assets you added. See “To add a host asset:” on page 257.

2. Select Discover Assets.

Three discovery options appear:

• Quick: This option uses ARP and PING to quickly discover hosts on a local network, or through a gateway (PING only).

• Standard: This is the default option. It performs a more advanced scan to discover hosts running other standard open ports. In addition to ARP and PING, other standard ports are tested to determine if a host is present.

• Full: This option tests the full port range from 1 to 65535, attempting to identify hosts running any open ports.

3. Select an option and select Start Scan.

Depending on the number of computers to be discovered, the scan can take several minutes, until the Web-based Manager reports Discover Is Completed. You can select Scan Results to view the discovered host IP address and the discovery method used.

Customize discovery method

Basic: ARP and ping are used to quickly find hosts on a local network or through a gateway (ping only).

Extended: More advanced scanning to discover hosts running with standard open ports. In addition to ARP and ping, other standard ports are tested to determine if a host is present.

Preparing for authenticated scanning

You can configure the FortiAnalyzer unit to perform an authenticated network scan, which can provide you with authenticated host-level configuration and security data.

Authenticated scanning is optional but recommended. With an authenticated scan, the FortiAnalyzer unit can log in to a target host and obtain system information that would otherwise not be available. For example, the FortiAnalyzer unit can detect installed service packs, hot fixes, security upgrades, and package versions and patches. It can more accurately detect the operating system, such as the Windows version, and the particular distribution and product on each host, such as the various Linux distributions. With the information gathered, the FortiAnalyzer unit can perform more in-depth vulnerability analysis, since many vulnerabilities can only be detected via an authenticated scan.

Depending on your configuration, a regular network scan may not be thorough, as it may be limited to a port scan or unable to accurately complete certain probes.

The effectiveness of an authenticated scan is determined by the level of access the FortiAnalyzer unit obtains to the host operating system. Rather than using the system administrator’s account, it might be more convenient to set up a separate account for the exclusive use of the vulnerability scanner with a password that does not change.

This section describes the requirements for Microsoft Windows hosts and Unix hosts for authenticated scanning.

Microsoft Windows hosts domain scanning

The user account provided for authentication must

• have administrator rights

• be a Security type of account

• have global scope

• belong to the Domain Administrators group

• meet the Group Policy requirements listed below:

Group Policy - Security Options

In the Group Policy Management Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Setting Value

Network access: Sharing and security model for local accounts Classic

Accounts: Guest account status Disabled

Network access: Let Everyone permissions apply to anonymous users Disabled

Group Policy - System Services

In the Group Policy Management Editor, go to Computer Configuration > Windows Settings > Security Settings > System Services.

Setting Value

Remote registry Automatic

Server Automatic

Windows Firewall Automatic

Group Policy - Administrative Templates

In the Group Policy Management Editor, go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.

Setting Value

Windows Firewall: Protect all network connections Disabled


or

Setting Value

Windows Firewall: Protect all network connections Enabled

Windows Firewall: Allow remote administration exception Enabled

Allow unsolicited messages from¹ *

Windows Firewall: Allow file and printer sharing exception Enabled

Allow unsolicited messages from¹ *

Windows Firewall: Allow ICMP exceptions Enabled

Allow unsolicited messages from¹ *

¹ Windows prompts you for a range of IP addresses. Enter either “*” or the IP address of the FortiAnalyzer unit that is performing the vulnerability scan.

Microsoft Windows hosts local (non-domain) scanning

The user account provided for authentication must:

• be a local account

• belong to the Administrators group

The host must also meet the following requirements:

• Server service must be enabled. (Windows 2000, 2003, XP)

• Remote Registry Service must be enabled.

• File Sharing must be enabled.

• Public folder sharing must be disabled. (Windows 7)

• Simple File Sharing (SFS) must be disabled. (Windows XP)

Windows firewall settings

• Enable the Remote Administration Exception in Windows Firewall. (Windows 2003, Windows XP)

• Allow File and Print sharing and Remote Administration traffic to pass through the firewall. Specify the IP address or subnet of the FortiAnalyzer unit that is performing the vulnerability scan. (Windows Vista, 2008)

• For each of the active Inbound Rules in the File and Printer Sharing group, set the Remote IP address under Scope to either Any IP address or to the IP address or subnet of the FortiAnalyzer unit that is performing the vulnerability scan. (Windows 7)


Unix hosts

The user account provided for authentication must be able at a minimum to execute these

commands:

• The account must be able to execute uname in order to detect the platform for packages.

• If the target is running Red Hat, the account must be able to read /etc/redhat-release and execute rpm.

• If the target is running Debian, the account must be able to read /etc/debian-version and execute dpkg.

Configuring vulnerability scans

You can configure regular network scans on a daily, weekly, or monthly basis. There are three

scan modes. Full scan checks every TCP and UDP port and takes the most time. Standard scan

checks the ports used by most known applications. Quick scan checks only the most

commonly used ports. For a detailed list of the TCP and UDP ports examined by each scan

mode, see Table 16 on page 262.

You can also initiate the configured scan manually.


The following table outlines ports scanned in each scan mode.

Table 16: Ports scanned in each scan mode

Standard Scan

TCP: 1-3, 5, 7, 9, 11, 13, 15, 17-25, 27, 29, 31, 33, 35, 37-39, 41-223, 242-246, 256-265,

280-282, 309, 311, 318, 322-325, 344-351, 363, 369-581, 587, 592-593, 598, 600, 606-620,

624, 627, 631, 633-637, 666-674, 700, 704-705, 707, 709-711, 729-731, 740-742, 744,

747-754, 758-765, 767, 769-777, 780-783, 786, 799-801, 860, 873, 886-888, 900-901, 911,

950, 954-955, 990-993, 995-1001, 1008, 1010-1011, 1015, 1023-1100, 1109-1112, 1114, 1123,

1155, 1167, 1170, 1207, 1212, 1214, 1220-1222, 1234-1236, 1241, 1243, 1245, 1248, 1269,

1313-1314, 1337, 1344-1625, 1636-1774, 1776-1815, 1818-1824, 1901-1909, 1911-1920,

1944-1951, 1973, 1981, 1985-2028, 2030, 2032-2036, 2038, 2040-2049, 2053, 2065, 2067,

2080, 2097, 2100, 2102-2107, 2109, 2111, 2115, 2120, 2140, 2160-2161, 2201-2202, 2213,

2221-2223, 2232-2239, 2241, 2260, 2279-2288, 2297, 2301, 2307, 2334, 2339, 2345, 2381,

2389, 2391, 2393-2394, 2399, 2401, 2433, 2447, 2500-2501, 2532, 2544, 2564-2565, 2583,

2592, 2600-2605, 2626-2627, 2638-2639, 2690, 2700, 2716, 2766, 2784-2789, 2801,

2908-2912, 2953-2954, 2998, 3000-3002, 3006-3007, 3010-3011, 3020, 3047-3049, 3080,

3127-3128, 3141-3145, 3180-3181, 3205, 3232, 3260, 3264, 3267-3269, 3279, 3306,

3322-3325, 3333, 3340, 3351-3352, 3355, 3372, 3389, 3421, 3454-3457, 3689-3690, 3700,

3791, 3900, 3984-3986, 4000-4002, 4008-4009, 4080, 4092, 4100, 4103, 4105, 4107,

4132-4134, 4144, 4242, 4321, 4333, 4343, 4443-4454, 4500-4501, 4567, 4590, 4626, 4651,

4660-4663, 4672, 4899, 4903, 4950, 5000-5005, 5009-5011, 5020-5021, 5031, 5050, 5053,

5080, 5100-5101, 5145, 5150, 5190-5193, 5222, 5236, 5300-5305, 5321, 5400-5402, 5432,

5510, 5520-5521, 5530, 5540, 5550, 5554-5558, 5569, 5599-5601, 5631-5632, 5634,

5678-5679, 5713-5717, 5729, 5742, 5745, 5755, 5757, 5766-5767, 5800-5802, 5900-5902,

5977-5979, 5997-6053, 6080, 6103, 6110-6112, 6123, 6129, 6141-6149, 6253, 6346, 6387,

6389, 6400, 6455-6456, 6499-6500, 6515, 6558, 6588, 6660-6670, 6672-6673, 6699, 6767,

6771, 6776, 6831, 6883, 6912, 6939, 6969-6970, 7000-7021, 7070, 7080, 7099-7100, 7121,

7161, 7174, 7200-7201, 7300-7301, 7306-7308, 7395, 7426-7431, 7491, 7511, 7777-7778,

7781, 7789, 7895, 7938, 7999-8020, 8023, 8032, 8039, 8080-8082, 8090, 8100, 8181, 8192,

8200, 8383, 8403, 8443, 8450, 8484, 8732, 8765, 8886-8894, 8910, 9000-9001, 9005, 9043,

9080, 9090, 9098-9100, 9400, 9443, 9535, 9872-9876, 9878, 9889, 9989-10000, 10005, 10007,

10080-10082, 10101, 10520, 10607, 10666, 11000, 11004, 11223, 12076, 12223, 12345-12346,

12361-12362, 12456, 12468-12469, 12631, 12701, 12753, 13000, 13333, 14237-14238, 15858,

16384, 16660, 16959, 16969, 17007, 17300, 18000, 18181-18186, 18190-18192, 18194,

18209-18210, 18231-18232, 18264, 19541, 20000-20001, 20011, 20034, 20200, 20203, 20331,

21544, 21554, 21845-21849, 22222, 22273, 22289, 22305, 22321, 22555, 22800, 22951, 23456,

23476-23477, 25000-25009, 25252, 25793, 25867, 26000, 26208, 26274, 27000-27009, 27374,

27665, 29369, 29891, 30029, 30100-30102, 30129, 30303, 30999, 31336-31337, 31339, 31554,

31666, 31785, 31787-31788, 32000, 32768-32790, 33333, 33567-33568, 33911, 34324, 37651,

40412, 40421-40423, 42424, 44337, 47557, 47806, 47808, 49400, 50505, 50766, 51102, 51107,

51112, 53001, 54321, 57341, 60008, 61439, 61466, 65000, 65301, 65512

UDP: 7, 9, 13, 17, 19, 21, 37, 53, 67-69, 98, 111, 121, 123, 135, 137-138, 161, 177, 371, 389,

407, 445, 456, 464, 500, 512, 514, 517-518, 520, 555, 635, 666, 858, 1001, 1010-1011, 1015,

1024-1049, 1051-1055, 1170, 1243, 1245, 1434, 1492, 1600, 1604, 1645, 1701, 1807, 1812,

1900, 1978, 1981, 1999, 2001-2002, 2023, 2049, 2115, 2140, 2801, 3024, 3129, 3150, 3283,

3527, 3700, 3801, 4000, 4092, 4156, 4569, 4590, 4781, 5000-5001, 5036, 5060, 5321,

5400-5402, 5503, 5569, 5632, 5742, 6073, 6502, 6670, 6771, 6912, 6969, 7000, 7300-7301,

7306-7308, 7778, 7789, 7938, 9872-9875, 9989, 10067, 10167, 11000, 11223, 12223,

12345-12346, 12361-12362, 15253, 15345, 16969, 20001, 20034, 21544, 22222, 23456, 26274,

27444, 30029, 31335, 31337-31339, 31666, 31785, 31789, 31791-31792, 32771, 33333, 34324,

40412, 40421-40423, 40426, 47262, 50505, 50766, 51100-51101, 51109, 53001, 61466, 65000

Full Scan All TCP and UDP ports (1-65535)


The following table outlines the ports used in a Quick scan:

Quick Scan TCP: 11, 13, 15, 17, 19-23, 25, 37, 42, 53, 66, 69-70, 79-81, 88, 98, 109-111, 113, 118-119, 123, 135, 139, 143, 220, 256-259, 264, 371, 389, 411, 443, 445, 464-465, 512-515, 523-524, 540, 548, 554, 563, 580, 593, 636, 749-751, 873, 900-901, 990, 992-993, 995, 1080, 1114, 1214, 1234, 1352, 1433, 1494, 1508, 1521, 1720, 1723, 1755, 1801, 2000-2001, 2003, 2049, 2301, 2401, 2447, 2690, 2766, 3128, 3268-3269, 3306, 3372, 3389, 4100, 4443-4444, 4661-4662, 5000, 5432, 5555-5556, 5631-5632, 5634, 5800-5802, 5900-5901, 6000, 6112, 6346, 6387, 6666-6667, 6699, 7007, 7100, 7161, 7777-7778, 8000-8001, 8010, 8080-8081, 8100, 8888, 8910, 9100, 10000, 12345-12346, 20034, 21554, 32000, 32768-32790

UDP: 7, 13, 17, 19, 37, 53, 67-69, 111, 123, 135, 137, 161, 177, 407, 464, 500, 517-518, 520, 1434, 1645, 1701, 1812, 2049, 3527, 4569, 4665, 5036, 5060, 5632, 6502, 7778, 15345

To view the scheduled scan list, go to Network Vulnerability Scan > Scan Schedule.

Figure 191: Scan schedule list page

This page displays the following information:

Create New Select to add a scan schedule. See “To schedule a scan:” on page 264.

Start Scan Select a schedule and select Start Scan to initiate an on-demand scan and

override the schedule.

Stop Select to stop an on-demand scan.

Pause Select to pause an on-demand scan.

Resume Select to resume an on-demand scan.

Name The name of the scheduled scan.

Target The assets selected for scanning.

Schedule The scheduled scan time.

Status The status of the scan process.

Progress The progress of the scan process.


To schedule a scan:

1. Go to Network Vulnerability Scan > Scan Schedule.

2. Select Create New and enter the following information.

Figure 192: New scan schedule window

3. Configure the following settings:

Name Enter a name for this scan schedule.

Available Assets The current host assets. See “Configuring host assets” on page 256.

Select an asset and select the right arrow to move it into the Member

Assets field to be scanned.

Member Assets The host assets are moved from the Available Assets field into this field

for scanning.

Vulnerability Scan Mode Select a scan mode.

• Quick: check only the most commonly used ports

• Standard: check the ports used by most known applications

• Full: check all TCP and UDP ports

For a detailed list of the TCP and UDP ports examined by each scan

mode, see Table 16 on page 262.

Schedule

Enable Schedule Select to enable the scan schedule.

Recurrence Select Daily, Weekly, or Monthly. If you select Weekly, the Day of Week drop-down list appears. If you select Monthly, the Day of Month drop-down list appears.

Suspend scan between If you want to stop scanning for a certain time period, enter the time.

Advanced Select to enable the following scan options if required:

• TCP port scan

• UDP port scan

• OS detection

• Service detection

4. Select OK.

Viewing scan results

The results of network scanning are available as summary graphs and log entries.

To view the scan result list, go to Network Vulnerability Scan > Vulnerability Result > Vulnerability Result.

Figure 193: Scan result list page

This page displays the following information:

View Select to display a selected scan result.

Name The name of the scan result. The results include on-demand and scheduled

scans.

Start Time The time when the scan started.

End Time The time when the scan ended.

Status The progress of the scan.

Total Hosts The total number of hosts scanned.


To view a scan result:

1. Go to Network Vulnerability Scan > Vulnerability Result > Vulnerability Result.

2. Select a scan result and select View.

The network vulnerability scan report appears in the right-hand pane.

Figure 194: Vulnerability scan results page

This page displays the following information:

(Scan) Name The name of the scan result.

Start Time The time when the scan started.

End Time The time when the scan ended.

Status The progress of the scan.

Total Hosts The total number of hosts scanned.

(Host) Name The name of the scanned host. If the scanned host’s type is Host, one host name appears. If the scanned host’s type is Range, the names of the hosts in the IP range appear. For more information about host type, see “Configuring host assets” on page 256.

IP Address The IP address of the scanned host.


OS Version The version of the operating system of the scanned host.

Vulnerability Level The vulnerability rating of the scanned host.

Total Vulnerabilities The total number of vulnerabilities found on the host.

Vulnerability The name of the vulnerability detected.

ID Select the ID to view the details of the vulnerability in the FortiGuard Center.

Category The category that the vulnerability belongs to.

Severity The severity level of the vulnerability.

Port The port of the host that was scanned to detect the vulnerability.


Tools

The Tools menu provides the ability to view the files on your FortiAnalyzer unit using the File Explorer, and to view packets on your network using the Network Analyzer.

By default, the Tools menu is hidden. To make it visible, go to System > Admin > Settings and enable Show Network Analyzer, and enable Show File Explorer. For details, see “Configuring the Web-based Manager’s global settings” on page 116.

This section contains the following topics:

• Network analyzer

• File explorer

Network analyzer

Network Analyzer can be used as an enhanced local network traffic sniffer to diagnose areas of the network where firewall policies may require adjustment, or where traffic anomalies occur.

Network Analyzer logs all traffic seen by the interface for which it is enabled. If that network interface is connected to the span port of a switch, observed traffic will include all traffic sent through the switch by other hosts. You can then locate traffic that should be blocked, or that contains other anomalies.

All captured traffic information is saved to the FortiAnalyzer hard disk. You can then display this traffic information directly, search it, or generate reports from it.

This section describes how to enable and view traffic captured by the Network Analyzer. It also describes Network Analyzer log storage configuration options.

Network Analyzer is not visible under the Tools menu until it is enabled in System > Admin > Settings.

Connecting the FortiAnalyzer unit to analyze network traffic

You usually first connect your FortiAnalyzer unit to a hub or the span (or mirroring) port of an Ethernet switch to sniff traffic with your FortiAnalyzer unit. Both the management and sniffing ports can be connected to the same switch.


Figure 195: Example network topology for Network Analyzer use

To connect the FortiAnalyzer unit for use with the network analyzer feature:

1. Connect an Ethernet cable to a port on the FortiAnalyzer unit other than the port used to collect device logs.

For example, if you receive logs and quarantined files on port1, you might use Network Analyzer on port2. Using a separate port for sniffing prevents log and quarantine traffic from cluttering Network Analyzer messages, and enables you to analyze networks without tampering with network settings related to normal logging and quarantine activity.

2. Connect the other end of the Ethernet cable to the span or mirroring port of an Ethernet switch.

If connected to the span or mirror port of a switch, Network Analyzer can observe all traffic passing through the switch.

3. In the Web-based Manager, go to System > Admin > Settings > GUI Menu Customization, enable Show Network Analyzer and select Apply.

Figure 196: Enable Network Analyzer in GUI Menu Customization

4. In the Web-based Manager, go to System > Network > Interface.

5. If the interface you will use with Network Analyzer is currently down, select Bring Up to enable it.

6. Select Edit for the interface you will use with Network Analyzer.

(Figure 195 labels: Internal Network, Internet, FortiAnalyzer, FortiGate, Hub or Switch; the span/mirror port is connected to the Network Analyzer port.)


7. In the IP/Netmask field, enter the IP address and netmask for the interface, such as 100.20.10.110/255.255.255.0.

8. Select OK.

You can now configure Network Analyzer settings in Tools > Network Analyzer > Config.

Figure 197: Configure Network Analyzer settings

Viewing network analyzer log messages

After attaching a FortiAnalyzer unit interface to the network and enabling the Network Analyzer for that interface, traffic information appears.

The Network Analyzer’s log viewers display logs of traffic seen by the network interface you have configured for use with Network Analyzer, focusing on specific time frames.

The Network Analyzer has two types of log viewing options:

• Realtime displays the Network Analyzer log messages of traffic most recently observed by the network interface for which Network Analyzer is enabled. The display refreshes every few seconds, and contains only the most current activity.

• Historical displays all Network Analyzer log messages whose time stamps are within your specified time frame.

Viewing current network analyzer log messages

The realtime logs in Network Analyzer update continually, displaying the most recent traffic observed by the Network Analyzer.

To view the most recent traffic, go to Tools > Network Analyzer > Historical and select the Real-time Log icon.

You can view the details of a log message by double-clicking any of its columns.


Figure 198: Real time Network Analyzer logs page

This page displays the following information:

Type The type of log you are viewing.

Historical Log Select to view the historical Network Analyzer log messages. For more information, see “Viewing historical network analyzer log messages” on page 272.

Pause Select to stop updating the realtime logs.

Column Settings Select to change the columns to view and the order they appear on the page. For more information, see “Displaying and arranging log columns” on page 276.

Search Enter a keyword to perform a simple search on the available log information, then press the Enter key to begin the search.

Last Activity The date and time the traffic was transmitted.

Src The IP address of the sender of the traffic.

Dst The IP address of the recipient of the traffic.

Src Port The port a UDP or TCP packet was being sent from.

Dst Port The port a UDP or TCP packet was being sent to.

Protocol The protocol used when sending the traffic.

Message Information payload of the traffic sent through the switch.

View n per page Select the number of rows of log entries to display per page.

Change Display Options

Resolve Host Name Select to display hosts by a recognizable name rather than by IP address. For more information about configuring IP address host names, see “Configuring IP aliases” on page 135.

Resolve Service Select to display network service names rather than port numbers, such as HTTP rather than port 80.


Viewing historical network analyzer log messages

The Historical tab in Tools > Network Analyzer displays Network Analyzer logs for a specific time range. When viewing log messages, you can filter the information to find specific traffic information.

To view a historical Network Analyzer log, go to Tools > Network Analyzer > Historical and then select the log you want to view. You can view the details of a log message by double-clicking any of its columns.

Figure 199: Historical network analyzer logs page

This page displays the following information:

Formatted Select to display the Network Analyzer log files in columnar format. This is the default view. For more information, see “Customizing the network analyzer log view” on page 276.

Raw Select to display the Network Analyzer log information as it actually appears in the log file. For more information, see “Customizing the network analyzer log view” on page 276.

Type The type of log you are viewing.

Timeframe Select the time frame during which you want to view the logs.

Realtime Log Select to view the realtime Network Analyzer log messages. For more information, see “Viewing current network analyzer log messages” on page 270.

Column Settings Select to change the columns to view and the order they appear on the page. For more information, see “Displaying and arranging log columns” on page 276.

Printable Version Select to download an HTML file containing all log messages that match the current filters. The HTML file is formatted to be printable. Time required to generate and download large reports varies by the total amount of log messages, the complexity of any search criteria, the specificity of your column filters, and the speed of your network connection.

Download Current View Select to download only those log messages which are currently visible, according to enabled filters.


Search Enter a keyword to perform a simple search on the log information available. Press Enter to begin the search.

Advanced Select to search the Network Analyzer log files for matching text using two search types: Quick Search and Full Search. For more information, see “Searching the network analyzer logs” on page 279.

Last Activity The date and time the traffic was transmitted.

Src The IP address of the sender of the traffic.

Dst The IP address of the recipient of the traffic.

Src Port The port a UDP or TCP packet was being sent from.

Dst Port The destination port of the traffic.

Protocol The protocol used when sending the traffic.

Message Information payload of the traffic sent through the switch.

View n per page Select the number of rows of log entries to display per page.

Current page By default, the first page of log messages is displayed. The total number of pages appears after the current page number. For example, if 2 of 10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

Change Display Options

Resolve Host Name Select to display hosts by a recognizable name rather than by IP address. For more information about configuring IP address host names, see “Configuring IP aliases” on page 135.

Resolve Service Select to display network service names rather than port numbers, such as HTTP rather than port 80.

Formatted Select to display the Network Analyzer log files in columnar format. This is the default view. For more information, see “Customizing the network analyzer log view” on page 276.

Raw Select to display the Network Analyzer log information as it actually appears in the log file. For more information, see “Customizing the network analyzer log view” on page 276.

Browsing network analyzer log files

The Browse tab in Tools > Network Analyzer lets you see all stored Network Analyzer log files, view the Network Analyzer logs, download log files to your hard disk, or delete unneeded files.

When a log file reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form xlog.N.log, where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received.

For more information about setting the maximum file size and log rolling options, see “Rolling and uploading network analyzer logs” on page 282.

To view the log file list, go to Tools > Network Analyzer > Browse.

Figure 200: Network analyzer log file list page

This page displays the following information:

Display Select to view the contents of the selected log file.

Download Select to save the selected log file to your local hard disk.

From The date and time when the FortiAnalyzer unit started to generate the log file.

To The date and time when the FortiAnalyzer unit completed generating the log file, when the file reached its maximum size or the scheduled time.

Size (bytes) The size of the log file.

Viewing network analyzer log file contents

The Browse tab enables you to view all log messages within Network Analyzer log files.

If you display the log messages in formatted view, you can display and arrange columns and/or filter log messages by column contents. For more information, see “Customizing the network analyzer log view” on page 276.

To view a log file:

1. Go to Tools > Network Analyzer > Browse.

2. Select a log file and then select Display.

The log file’s contents appear. For more information on understanding the log file contents, see “Viewing network analyzer log messages” on page 270.

Downloading a network analyzer log file

You can download a log file to save it as a backup or for use outside the FortiAnalyzer unit. You can choose to download either the entire file or only log messages selected by filtering.

To download a whole log file:

1. Go to Tools > Network Analyzer > Browse.

2. Select a log file.

3. Select Download.

4. Select any of the following download options you want and select OK.

Figure 201: Download log file window

5. Configure the following settings:

Log file format Downloads the log in text (.txt), comma-separated value (.csv), or standard .log (native) format. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.

Compress with gzip Compress the .log or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.

6. If prompted by your web browser, select a location to save the file, or open it without saving.

To download a partial (filtered) log file:

1. Go to Tools > Network Analyzer > Browse.

2. Select a log file.

3. Select Display.

Figure 202: Download a partial (filtered) log file

4. Select a filter icon to restrict the current view to only items which match your criteria, then select OK. For more information about filtering information, see “Filtering logs” on page 179.

5. Select Download Current View.

6. Select any of the download options you want and select OK.

Log file format Downloads the log in text (.txt), comma-separated value (.csv), or standard .log (native) format. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.

Compress with gzip Compress the .log or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.

7. If prompted by your web browser, select a location to save the file, or open it without saving.

Customizing the network analyzer log view

Log messages can be displayed in either raw or formatted view.

• Raw view displays log messages exactly as they appear in the log file.

• Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison. When displaying log messages in formatted view, you can customize the log view by hiding, displaying and arranging columns and/or by filtering columns, refining your view to include only those log messages and fields that you want to see.

To display logs in raw or formatted view:

1. Go to a page which displays log messages, such as Tools > Network Analyzer > Historical.

2. Select Change Display Options.

Figure 203: Change display options

3. Select Formatted or Raw.

If you select Formatted, options appear that enable you to display and arrange log columns and/or filter log columns.

Displaying and arranging log columns

When viewing logs in formatted view, you can display, hide and re-order columns to display only relevant categories of information in your preferred order.

For most columns, you can also filter data within the columns to include or exclude log messages which contain your specified text in that column. For more information, see “Filtering logs” on page 278.

To display or hide columns:

1. Go to a page which displays log messages, such as Tools > Network Analyzer > Historical.

2. Select Column Settings.


Figure 204: Column display settings window

Lists of available and displayed columns for the log type appear.

3. Select which columns to hide or display.

• In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Display Fields area. Alternatively, to display all columns, select the double right arrow.

• In the Display Fields area, select the names of individual columns you want to hide, then select the single left arrow to move them to the Available Fields area. Alternatively, to hide all columns, select the double left arrow.

• To return all columns to their default displayed/hidden status, select Default.

4. Select OK.

To change the order of the columns:

1. Go to a page which displays log messages, such as Tools > Network Analyzer > Historical.

2. Select Column Settings.

Lists of available and displayed columns for the log type appear.

3. In the Display Fields area, select a column name whose order of appearance you want to change.

4. Select the up or down arrow to move the column in the ordered list.

Placing a column name towards the top of the Display Fields list will move the column toward the left side of the formatted log view.

5. Select OK.


Filtering logs

When viewing log messages in formatted view, you can filter columns to display only those log messages that do or do not contain your specified content in that column. By default, most column headings contain a gray filter icon, which becomes green when a filter is configured and enabled.

Figure 205: Filter icons in Network Analyzer

To filter log messages by column contents:

1. In the heading of the column that you want to filter, select the filter icon.

Figure 206: Filters window

2. If you want to exclude log messages with matching content in this column, select NOT. If you want to include log messages with matching content in this column, deselect NOT.

3. Enter the text that matching log messages must contain.

Matching log messages will be excluded or included in your view based upon whether you have selected or deselected NOT.

4. Select OK.

A column’s filter icon is green when the filter is currently enabled.

To disable a filter:

1. In the heading of the column whose filter you want to disable, select the filter icon.

A column’s filter icon is green when the filter is currently enabled.

2. To disable the filter on this column, select the Remove Filter icon (x). Alternatively, to disable the filters on all columns, select Clear all filters. This disables the filter; it does not delete any filter text you might have configured.

3. Select OK.

A column’s filter icon is gray when the filter is currently disabled.

Filters do not appear in raw view, or for unindexed log fields in formatted view.

When viewing real time logs, you cannot filter on the time column: by definition of the real time aspect, only current logs are displayed.


Filtering tips

When filtering by source or destination IP, you can use the following in the filtering criteria:

• a single address (2.2.2.2);

• an address range using a wild card (1.2.2.*);

• an address range (1.2.2.1-1.2.2.100).

You can also use a Boolean operator (or) to define mutually exclusive choices:

• 1.1.1.1 or 2.2.2.2;

• 1.1.1.1 or 2.2.2.*;

• 1.1.1.1 or 2.2.2.1-2.2.2.10.

Most column filters require that you enter the column’s entire contents to successfully match and filter contents; partial entries do not match the entire contents, and so will not create the intended column filter.

For example, if the column contains a source or destination IP address (such as 192.168.2.5), to create a column filter, enter the entire IP address to be matched. If you enter only one octet of the IP address (such as 192), the filter will not completely match any of the full IP addresses, and so the resulting filter would omit all logs, rather than including those logs whose IP address contains that octet.

Exceptions to this rule include columns that contain multiple words or long strings of text, such as messages or URLs. In those cases, you may be able to filter the column using a substring of the text contained by the column, rather than the entire text contained by the column.

Searching the network analyzer logs

You can search the Network Analyzer log files for matching text using two search types: Quick Search and Full Search.

You can use Quick Search to find results more quickly if your search terms are relatively simple and you only need to search indexed log fields. Indexed log fields are those that appear with a filter icon when browsing the logs in column view; unindexed log fields do not contain a filter icon for the column or do not appear in column view, but do appear in the raw log view. Quick Search keywords cannot contain:

• special characters such as single or double quotes (' or ") or question marks (?);

• wild card characters (*), except as the last character of a keyword (logi*).

You can use Full Search if your search terms are more complex, and require the use of special characters or log fields not supported by Quick Search. Full Search performs an exhaustive search of all log fields, both indexed and unindexed, but is often slower than Quick Search.

To search the logs, go to Tools > Network Analyzer > Historical. Select Advanced Search.

Figure 207: Network Analyzer log search window


Configure the following settings:

Time Period Select to search logs from a time frame, or select Specify and define a custom time frame by selecting the From and To dates and times.

From Enter the date and select the time of the beginning of the custom time range. This option appears only when Date is Specify.

To Enter the date and select the time of the end of the custom time range. This option appears only when Date is Specify.

Keyword(s) Enter search terms which will be matched to yield log message search results. To specify that results must include all, any, or none of the keywords, select from Match.

Quick Search Select to perform a Quick Search, whose keywords cannot contain special characters and that searches only indexed fields.

Full Search Select to perform a Full Search, whose keywords may contain special characters, and searches all log message fields. The time of the search varies by the complexity of the search query and the amount of log messages to be searched.

Stop Search Select to stop the search process.

More Options Select the blue arrow to hide or expand additional search options.

Other Filters Specify additional criteria, if any, that can be used to further restrict the search criteria.

• Src IP: Enter an IP address to include only log messages containing a matching source IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing src=192.168.2.1.

• Dst IP: Enter an IP address to include only log messages containing a matching destination IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing dst=192.168.2.1.

Search tips

If your search does not return the results you expect, but log messages exist that should contain matching text, examine your keywords and filter criteria using the following search characteristics and recommendations.

• Separate multiple keywords with a space (arp who-has 1.1.1.1).

• Keywords cannot contain unsupported special characters. Supported characters vary by selection of Quick Search or Full Search.

• Keywords must literally match log message text, with the exception of case insensitivity and wild cards; resolved names and IP aliases will not match.

• Some keywords will not match unless you include both the log field name and its value, surrounded by quotes (“Ack=2959769124”).

• Remove unnecessary keywords and search filters which can exclude results. For a log message to be included in the search results, all keywords must match; if any of your keywords does not exist in the message, the match will fail and the message will not appear in search results.

• You can use the asterisk (*) character as a wild card (192.168.2.*). For example, you could enter any partial term or IP address, and then enter * to match all terms that have identical beginning characters or numbers.

• You can search for IP ranges, including subnets. For example:

• 172.168.1.1/24 or 172.168.1.1/255.255.255.0 matches all IP addresses in the subnet 172.168.1.1/255.255.255.0

• 172.168.1.1-140.255 matches all IP addresses from 172.168.1.1 to 172.168.140.255

• The search returns results that match all of the search terms. For example, consider two similar keyword entries: 172.20.120.127 tcp and 172.20.120.127 udp. If you enter the keywords 172.20.120.127 tcp, UDP traffic would not be included in the search results, since although the first keyword (the IP address) matches, the second keyword, tcp, does not match.
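The column-filter syntax from “Filtering tips” and the keyword rules in the search tips above can both be checked against sample data. The following Python is an added example written for this page, not FortiAnalyzer code. The log lines are constructed in a key=value layout modelled on the src=/dst= fields the guide quotes, and the field names (src, dst, src_port, dst_port, proto, msg) are assumptions. The matching rules follow the text: a column filter must match the column's entire contents (message columns accept a substring), IP terms may be a single address, a wildcard, a range or several of these joined with or; a search succeeds only when every keyword matches, comparison is case-insensitive, * is a wildcard, a quoted keyword must match a whole field=value token, and an IP keyword may be a subnet (prefix or netmask) or a short-form range.

```python
"""Column-filter and keyword-search semantics for Network Analyzer log views.
Added example, not FortiAnalyzer code; log lines and field names are constructed."""
import ipaddress
import re

# Constructed sample records in a key=value layout (field names are assumptions).
SAMPLE_LOGS = [
    'src=192.168.2.5 dst=172.168.1.10 src_port=51234 dst_port=80 proto=tcp msg="GET /index.html"',
    'src=192.168.2.7 dst=172.168.1.200 src_port=40001 dst_port=53 proto=udp msg="DNS query example.com"',
    'src=172.20.120.127 dst=172.168.140.9 src_port=50022 dst_port=443 proto=tcp msg="Client Hello Ack=2959769124"',
    'src=172.20.120.127 dst=8.8.8.8 src_port=50023 dst_port=53 proto=udp msg="DNS query fortinet.com"',
    'src=10.1.1.1 dst=172.168.1.1 proto=arp msg="arp who-has 172.168.1.1"',
]

def parse_record(line):
    """Split a raw line into {field: value}; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def _ip_term_matches(term, ip):
    """One IP term: 2.2.2.2, 1.2.2.*, 1.2.2.1-1.2.2.100, 172.168.1.1-140.255
    (a short upper bound reuses the lower bound's leading octets), or a subnet
    written as 172.168.1.1/24 or 172.168.1.1/255.255.255.0."""
    addr = ipaddress.IPv4Address(ip)
    if '/' in term:
        return addr in ipaddress.IPv4Network(term, strict=False)
    if '-' in term:
        lo, hi = term.split('-', 1)
        hi_octets = hi.split('.')
        hi = '.'.join(lo.split('.')[:4 - len(hi_octets)] + hi_octets)
        return ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
    if '*' in term:
        return re.fullmatch(re.escape(term).replace(r'\*', r'[0-9.]+'), ip) is not None
    return term == ip

def ip_matches(expr, ip):
    """Filter expression: one or more IP terms joined with 'or'."""
    return any(_ip_term_matches(t.strip(), ip) for t in re.split(r'\s+or\s+', expr))

def column_filter(lines, column, expr, negate=False):
    """Formatted-view column filter. src/dst take the IP syntax above, msg
    accepts a substring, every other column must match its entire contents;
    negate=True corresponds to the NOT checkbox."""
    kept = []
    for line in lines:
        value = parse_record(line).get(column, '')
        if column in ('src', 'dst'):
            hit = ip_matches(expr, value)
        elif column == 'msg':
            hit = expr in value
        else:
            hit = expr == value
        if hit != negate:
            kept.append(line)
    return kept

def _is_ip_expr(keyword):
    """Digits and dots, optionally followed by *, /prefix, /netmask or -upper."""
    return '.' in keyword and re.fullmatch(r'[0-9.]+(\*|/[0-9.]+|-[0-9.]+)?', keyword) is not None

def search(lines, query):
    """Historical-view search: every keyword must match, case-insensitively.
    Bare keywords match a whole word of some field value (* is a wildcard),
    IP expressions match src or dst, and a quoted keyword must equal a
    complete field=value token, as with "Ack=2959769124" in the guide."""
    keywords = re.findall(r'"[^"]*"|\S+', query)
    hits = []
    for line in lines:
        record = parse_record(line)
        tokens = {t.strip('"').lower() for t in line.split()}
        words = {w.lower() for v in record.values() for w in v.split()}
        ok = True
        for kw in keywords:
            if kw.startswith('"'):
                ok = kw.strip('"').lower() in tokens
            elif _is_ip_expr(kw):
                ok = any(ip_matches(kw, record.get(f, '0.0.0.0')) for f in ('src', 'dst'))
            else:
                pattern = re.escape(kw.lower()).replace(r'\*', '.*')
                ok = any(re.fullmatch(pattern, w) for w in words)
            if not ok:
                break
        if ok:
            hits.append(line)
    return hits
```

Filtering the src column on the single octet 192 returns nothing, which is the behaviour the tips warn about, whereas 192.168.2.* returns both hosts on that subnet; searching 172.20.120.127 tcp returns only the TCP record, as in the guide's example, and 172.168.1.1-140.255 expands to the upper bound 172.168.140.255.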

Printing and downloading the search results

After completing a search, a Printable Version and a Download Current View button appear. You can use the Printable Version button to download and print an HTML copy of the search results. You can also use the Download Current View button to download the search results in text (.txt), comma-separated value (.csv), or standard log (.log) format (native format).

To download and print search results, select the Printable Version button to download the results. You can print this file immediately, save it to your computer for later use, or email it.

To download log search results:

1. Go to Tools > Network Analyzer > Historical.

2. Perform a search using either simple or advanced search.

If your search finds one or more matching log events, a Download Current View button appears next to the Printable Version button.

3. Select Download Current View.

Options appear for the download’s file format and compression.

4. Select the download options that you want, then select OK.

Log file format Downloads the log file in text (.txt), comma-separated value (.csv), or standard .log (Native) file format.

Compress with gzip Compress the downloaded log file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.

5. If prompted by your web browser, select a location to save the file, or open it without saving.

Large logs require more time to download. Download times can be improved by selecting Compress with gzip.


Rolling and uploading network analyzer logs

You can control log file size and manage log file consumption of the hard disk space with log rolling and uploading.

The Network Analyzer captures very detailed network traffic information, and its log volume can consume the FortiAnalyzer unit’s hard disk space more rapidly than standard logs. Rolling and uploading logs frees hard disk space to collect further data.

As the FortiAnalyzer unit receives new log items, it performs the following tasks:

• verifying whether the log file has exceeded its file size limit

• checking if it is time to roll the log file if the file size is not exceeded.

You configure the time to be either a daily or weekly occurrence, and when the roll occurs.

When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file.

Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log.

If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the Web-based Manager, they are in the following format:

FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz

If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby limiting the amount of disk space used by rolled log files.
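Because the rolled and uploaded names follow a fixed layout, a collector-side script can decode them and reconcile the unit's disk against the upload server. The following Python is an added example, not FortiAnalyzer code: it parses xlog.N.log (N read as epoch seconds of the first entry, as the text states) and the serial-prefixed .gz name, then lists which rolled files already have an archive on the server (the set the delete-after-upload option would remove) and which still do not. The serial FG3K6A3406600001 and the value 1252929496 are the ones quoted above; the other file names are constructed, and the time zone of the upload timestamp is not stated by the guide, so it is kept as a naive datetime.

```python
"""Decode Network Analyzer rolled/uploaded log file names and reconcile them.
Added example, not FortiAnalyzer code."""
import re
from datetime import datetime, timezone

# Rolled file: xlog.N.log, x = log type letter, N = epoch seconds of the first entry.
ROLLED_RE = re.compile(r'^(?P<type>[a-z])log\.(?P<first>\d+)\.log$')
# Uploaded/downloaded archive: <serial>-xlog.N.log-YYYY-MM-DD-HH-MM-SS.gz
UPLOADED_RE = re.compile(
    r'^(?P<serial>[A-Z0-9]+)-(?P<type>[a-z])log\.(?P<first>\d+)\.log-'
    r'(?P<stamp>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})\.gz$')

# Constructed local listing: the active tlog.log plus three rolled files.
# 1252929496 is the value quoted in the guide; the other two epochs are made up.
LOCAL_FILES = ['tlog.log', 'tlog.1252929496.log', 'tlog.1253016000.log', 'tlog.1253102400.log']
# Constructed upload-server listing; the first name is the one quoted in the guide.
UPLOADED_FILES = [
    'FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz',
    'FG3K6A3406600001-tlog.1253016000.log-2009-09-15-14-00-09.gz',
]

def parse_rolled(name):
    """Return {'type', 'first', 'first_entry'} for xlog.N.log, else None.
    The active file (tlog.log) has no N and is deliberately not matched."""
    m = ROLLED_RE.match(name)
    if not m:
        return None
    first = int(m['first'])
    return {'type': m['type'], 'first': first,
            'first_entry': datetime.fromtimestamp(first, tz=timezone.utc)}

def parse_uploaded(name):
    """Return serial, type, first-entry epoch and the upload stamp, else None.
    The stamp stays naive: the guide does not say which time zone it uses."""
    m = UPLOADED_RE.match(name)
    if not m:
        return None
    return {'serial': m['serial'], 'type': m['type'], 'first': int(m['first']),
            'uploaded': datetime.strptime(m['stamp'], '%Y-%m-%d-%H-%M-%S')}

def reclaimable(local_names, uploaded_names):
    """Rolled files on the unit whose (type, N) pair also exists on the upload
    server, oldest first. A rolled file is never modified again, so the archive
    is a faithful copy and the local file can be removed to free disk space."""
    uploaded = {(u['type'], u['first']) for u in map(parse_uploaded, uploaded_names) if u}
    found = []
    for name in local_names:
        r = parse_rolled(name)
        if r and (r['type'], r['first']) in uploaded:
            found.append((r['first'], name))
    return [name for _, name in sorted(found)]

def unarchived(local_names, uploaded_names):
    """Rolled files that still lack an archive: upload these (and do not delete
    them) before the allocated disk space fills up."""
    safe = set(reclaimable(local_names, uploaded_names))
    return [n for n in local_names if parse_rolled(n) and n not in safe]

if __name__ == '__main__':
    for n in LOCAL_FILES:
        r = parse_rolled(n)
        print(n, '(active)' if r is None else r['first_entry'].isoformat())
    print('reclaimable:', reclaimable(LOCAL_FILES, UPLOADED_FILES))
    print('unarchived:', unarchived(LOCAL_FILES, UPLOADED_FILES))
```

Note that the first-entry time decoded from N (11:58:16 UTC on 2009-09-14 for the guide's example) and the 14-00-14 stamp in the archive name are different times: one marks when the file started, the other when it was uploaded, and the guide does not say which zone the stamp is in, so do not compare them directly.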

To enable log rolling, or to disable Network Analyzer, go to Tools > Network Analyzer > Config.

Figure 208: Traffic log settings page


Configure the following settings:

Enable Network Analyzer on Enable and select the port on which Network Analyzer observes traffic. If you disable this option and log out, Network Analyzer will be hidden in the web-based manager menu. For more information about re-enabling Network Analyzer and making it visible again, see “Connecting the FortiAnalyzer unit to analyze network traffic” on page 268.

Allocated Disk Space (MB) Enter the amount of disk space reserved for Network Analyzer logs. The dialog also displays the amount used of the allocated space.

When Allocated Disk Space is All Used Select what the FortiAnalyzer unit does when the allocated disk space is filled up. Select to either overwrite the older log file or stop logging until you can clear some room. To avoid completely filling the hard disk space, use the log rolling and uploading options.

Reuse settings from standard logs Select to use the same log rolling and uploading settings that you set for standard log files in Logs > Config. This option is selected by default.

Log rolling settings Define when the FortiAnalyzer unit should roll its Network Analyzer log files. This option becomes active only if you deselect Reuse Settings from Standard Logs.

Log file should not exceed Enter the maximum size of each Network Analyzer log file. When the log file reaches the specified maximum size, the FortiAnalyzer unit saves the current log file with an incremental number and starts a new active log file. For example, if the maximum size is reached, the current xlog.log is renamed to xlog.n.log, then a new xlog.log is created to receive new log messages.

Log file should be rolled... even if size is not exceeded Set the time of day when the FortiAnalyzer unit renames the current log file and starts a new active log file.

• Daily: Roll log files daily, even if the log file has not yet reached maximum file size.

• Weekly: Roll log files weekly, even if the log file has not yet reached maximum file size.

• Optional: Roll log files only when the log file reaches the maximum file size, regardless of time interval.

Enable log uploading Select to upload log files to a server when a log file rolls.

Server type Select the protocol to use when uploading to the server:

• File Transfer Protocol (FTP)

• Secure File Transfer Protocol (SFTP)

• Secure Copy Protocol (SCP)

Server IP address Enter the IP address of the log upload server.

Tools Page 283 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 284: Fortianalyzer Admin 40 Mr3

File explorer

File Explorer is not enabled by default. To enable File Explorer, go to System > Admin > Settings

and enable Show File Explorer under GUI Menu Customization. File Explorer displays the

FortiAnalyzer unit’s directories and files.

There are two main directories:

• Archive: Contains files associated with eDiscovery, full DLP archiving, and the quarantine.

• Storage: Contains information unlikely to change once written, like logs and reports.

To expand or hide the two main directories or their subdirectories, select the plus or minus icon

located beside each directory name.

For details, see “Configuring the Web-based Manager’s global settings” on page 116.

Username Enter the user name required to connect to the upload server. By

default, the user name is anonymous; select the field to enter a different

user name.

Password Enter the password required to connect to the upload server.

Confirm Password

Re-enter the password to verify correct entry.

Directory Enter a location on the upload server where the log file should be saved.

Upload Files Select when the FortiAnalyzer unit should upload files to the server.

• When rolled: Uploads logs whenever the log file is rolled, based on

Log file should be rolled.

• Daily at: Uploads logs at the configured time, regardless of when or

what size it rolls at according to Log file should be rolled.

Uploaded log format

Select to upload the log file in text (.txt), comma-separated value

(.csv), or standard .log (native) file format.

Compress uploaded log files

Select to compress the log files in gzip format before uploading to the

server.

Delete files after uploading

Select to remove the log file from the FortiAnalyzer hard disk once the

FortiAnalyzer unit completes the upload.

The file explorer lists log files stored using the Proprietary Index file system only. If you have

enabled SQL database storage, logs stored using that method will not appear in the file

explorer.

Tools Page 284 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 285: Fortianalyzer Admin 40 Mr3

Figure 209:File explorer window

Tools Page 285 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 286: Fortianalyzer Admin 40 Mr3

Maintaining Firmware

Fortinet recommends reviewing this section before upgrading or downgrading the FortiAnalyzer firmware because it contains important information about how to properly back up your current configuration settings and log data, including what to do if the upgrade or downgrade is unsuccessful.

In addition to firmware images, Fortinet releases patch releases: maintenance release builds that resolve important issues. Fortinet strongly recommends reviewing the release notes for the patch release before upgrading the firmware. Installing a patch release without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues.

This section includes the following topics:

• Firmware upgrade path and general firmware upgrade steps
• Backing up your configuration
• Testing firmware before upgrading/downgrading
• Installing firmware from the BIOS menu in the CLI
• Upgrading your FortiAnalyzer unit

Firmware upgrade path and general firmware upgrade steps

Follow the path below to upgrade your FortiAnalyzer firmware. Failing to do so may cause unexpected problems.

For more information about your specific firmware release, see the Release Notes for the release.

Fortinet recommends upgrading the FortiAnalyzer unit during a low traffic period, for example at night, to re-index log data. During the upgrade process, the FortiAnalyzer unit re-indexes log data, which takes time to complete if there is a large amount of log data. You can verify that the indexing of log data is complete by viewing the Alert Message console on the Dashboard.

Downgrading from FortiAnalyzer v4.0 to FortiAnalyzer v3.0 MR7 is not supported.

FortiAnalyzer v3.0 MR7 is no longer supported (EOS) as of July 18, 2011.
FortiAnalyzer v4.0 is no longer supported (EOS) as of February 24, 2012.
FortiAnalyzer v4.0 MR1 is no longer supported (EOS) as of August 24, 2012.
FortiAnalyzer v4.0 MR2 is no longer supported (EOS) as of April 7, 2013.
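The upgrade path, the EOS dates above and the downgrade rule, as an added example that is not Fortinet code: a small planner that lists the hops from the current release to the target, refuses the unsupported v4.0 to v3.0 MR7 downgrade, flags releases that are past EOS, and expands the guide's general upgrade steps into a per-hop checklist. It assumes that the downgrade rule covers every v4.0 release and that a downgrade within a major version retraces the path in reverse; the guide states neither.

```python
"""Plan a FortiAnalyzer firmware upgrade along the documented path (added example)."""
from datetime import date
from typing import List

# The upgrade path the guide prescribes, oldest release first.
UPGRADE_PATH = ["v3.0 MR6", "v3.0 MR7", "v4.0", "v4.0 MR1", "v4.0 MR2", "v4.0 MR3"]

# End-of-support (EOS) dates as stated in the guide.
EOS_DATES = {
    "v3.0 MR7": date(2011, 7, 18),
    "v4.0": date(2012, 2, 24),
    "v4.0 MR1": date(2012, 8, 24),
    "v4.0 MR2": date(2013, 4, 7),
}


def major(release: str) -> str:
    """'v4.0 MR2' -> 'v4.0'; 'v4.0' -> 'v4.0'."""
    return release.split()[0]


def plan_upgrade(current: str, target: str) -> List[str]:
    """Releases to install, in order, one hop along the path at a time.

    Raises ValueError for a release that is not on the path and for the
    downgrade the guide rules out (assumption: any v4.0 release down to v3.0).
    """
    for release in (current, target):
        if release not in UPGRADE_PATH:
            raise ValueError(f"{release!r} is not on the documented upgrade path")
    i, j = UPGRADE_PATH.index(current), UPGRADE_PATH.index(target)
    if j >= i:
        return UPGRADE_PATH[i + 1:j + 1]
    if major(current) == "v4.0" and major(target) == "v3.0":
        raise ValueError("downgrading from v4.0 to v3.0 MR7 is not supported")
    # Downgrade within a major version: retrace the path backwards (assumption).
    return UPGRADE_PATH[j:i][::-1]


def past_eos(releases: List[str], today: date) -> List[str]:
    """Those of `releases` whose EOS date has been reached by `today`."""
    return [r for r in releases if r in EOS_DATES and EOS_DATES[r] <= today]


def upgrade_checklist(current: str, target: str, today: date) -> List[str]:
    """Expand the guide's general upgrade steps into a per-hop checklist."""
    hops = plan_upgrade(current, target)
    steps = ["Back up the configuration (execute backup config ...) and all "
             "log files (execute backup logs all ...) before touching firmware."]
    eos = past_eos([current] + hops, today)
    if eos:
        steps.append("No longer supported (EOS): " + ", ".join(eos))
    for hop in hops:
        steps.append(f"{hop}: download and review the release notes, then download the image.")
        steps.append(f"{hop}: test it first (BIOS menu, option R), then install it "
                     f"(option D, or a Web-based Manager/CLI upgrade).")
        steps.append(f"{hop}: after the restart, ping the unit, clear the browser cache, "
                     f"log in, verify the settings carried forward, and back up again.")
    return steps


if __name__ == "__main__":
    for line in upgrade_checklist("v4.0 MR1", "v4.0 MR3", date(2013, 4, 12)):
        print("-", line)
```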


Figure 210: Firmware upgrade path (v3.0 MR6 > v3.0 MR7 > v4.0 > v4.0 MR1 > v4.0 MR2 > v4.0 MR3)

Follow the general upgrade steps below:

• Download and review the release notes for the firmware release.
• Download the firmware release.
• Back up the current configuration. See “Backing up your configuration” on page 287.
• Test the firmware. See “Testing firmware before upgrading/downgrading” on page 289 and “Installing firmware from the BIOS menu in the CLI” on page 291.
• Upgrade the firmware. See “Upgrading your FortiAnalyzer unit” on page 291.

Always back up your configuration and log data before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.

Backing up your configuration

Fortinet recommends backing up all configuration settings from your FortiAnalyzer unit before upgrading. This ensures all configuration settings are retained if you later want to downgrade and want to restore those configuration settings.

Backing up your configuration through the Web-based Manager

The following procedures describe how to back up your current configuration through the Web-based Manager.


To back up your configuration file through the Web-based Manager:

1. Go to System > Maintenance > Backup & Restore.

Figure 211: Backup & Restore menu

2. Select Local PC from the Backup Configuration to list.
3. If you want to encrypt your configuration file, select Encrypt configuration file, enter a password, and enter the password again to confirm.
4. Select Backup.

Backing up your configuration through the CLI

The following procedure describes how to back up your current configuration through the CLI. You can enter a password for added security.

Enter the following to back up the configuration:

execute backup config <filename_str> <address_ipv4> <password_str>

This may take a few minutes.

Backing up your log files

Backing up your log files uses the same procedure as downloading log files. You can back up log files through either the Web-based Manager or CLI. Fortinet recommends backing up all log files before upgrading/downgrading, resetting to factory defaults, or when testing a new firmware image.

To back up FortiAnalyzer v4.0 MR1, v4.0 MR2 log files through the Web-based Manager:

1. Go to Log & Archive > Log Browse > Log Browse.
2. Select the device type from the Device Type list.
3. In the Log Files column, locate a device and log type. Select the Expand arrows to reveal the specific log file (wlog.log, elog.log, etc.) that you want to back up.
4. Select a log and select Download.
5. Select one of the following:

Log file format  Select to download log files in text (.txt), comma-separated value (.csv), or standard .log (native) file format. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.

Compress with gzip  Compress the .log or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.

6. Select OK.
7. Select a location when prompted by your web browser to save the file.

To back up log files through the CLI:

Enter the following to back up all log files:

execute backup logs all {ftp | sftp | scp} <server_ipv4> <username_str> <password_str> <directory_str>

After successfully backing up your configuration file, either from the CLI or the Web-based Manager, proceed with upgrading.

Testing firmware before upgrading/downgrading

You may want to test the firmware you want to install before upgrading to a new firmware version, maintenance or patch release. By testing the firmware image, you can familiarize yourself with the new features and changes to existing features, as well as understand how your configuration works with the firmware. You can test a firmware image by installing it from a system reboot and saving it to system memory. After the firmware is saved to system memory, the FortiAnalyzer unit operates using the firmware with the current configuration.

The procedure does not permanently install the firmware; the next time the FortiAnalyzer unit restarts, it operates using the firmware originally installed on the FortiAnalyzer unit. You can install the firmware permanently using the procedures in “Upgrading your FortiAnalyzer unit” on page 291.

You can use the following procedure for either a regular firmware image or a patch release. The following procedure assumes that you have already downloaded the firmware image to your management computer.

After you test the firmware, and reboot the FortiAnalyzer unit, the original configuration is cleared. You need to restore the configuration after testing the firmware.

To test the firmware image before upgrading/downgrading:

1. Copy the new firmware image file to the root directory of the TFTP server.
2. Start the TFTP server.
3. Log in to the CLI.
4. Enter the following command to ping the computer running the TFTP server:

execute ping <server_ipaddress>

Pinging the computer running the TFTP server verifies that the FortiAnalyzer unit and TFTP server are successfully connected.

5. Enter the following to restart the FortiAnalyzer unit:

execute reboot

6. As the FortiAnalyzer unit reboots, a series of system startup messages appears. When the following message appears:

Press any key to display configuration menu…

7. Immediately press any key to interrupt the system startup.

You have only three seconds to press any key. If you do not press a key soon enough, the FortiAnalyzer unit reboots and you must log in and repeat steps 3 to 7 again.

If you successfully interrupt the startup process, the following message appears:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[C]: Configuration and information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

8. Type G to get the new firmware image from the TFTP server.

The following message appears:

Enter TFTP server address [192.168.1.168]:

9. Type the address of the TFTP server and press Enter.

The following message appears:

Enter Local Address [192.168.1.188]:

10. Type the internal IP address of the FortiAnalyzer unit.

This IP address connects the FortiAnalyzer unit to the TFTP server. This IP address must be on the same network as the TFTP server, but make sure you do not use an IP address of another device on the network.

The following message appears:

Enter firmware image file name [image.out]:

11. Enter the firmware image file name and press Enter.

The TFTP server uploads the firmware image file to the FortiAnalyzer unit and the following appears:

Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]

12. Type R.

The FortiAnalyzer firmware image installs and saves to system memory. The FortiAnalyzer unit starts running the new firmware image with the current configuration.

When you are done testing the firmware, you can reboot the FortiAnalyzer unit and resume using the original firmware. You will need to restore the original configuration file after the testing.


Installing firmware from the BIOS menu in the CLI

If you encounter access problems to the Web-based Manager after upgrading the firmware, you can re-install the previous firmware image from the BIOS menu in the CLI. During some upgrades, the firmware image may not successfully install on the FortiAnalyzer unit, which may be caused by a corrupted firmware image.

To install firmware from the BIOS menu, use the procedure in “Testing firmware before upgrading/downgrading” on page 289. At step 12 in the procedure, enter D instead of R. Option D installs the firmware permanently on the FortiAnalyzer unit, as the default firmware.

Upgrading your FortiAnalyzer unit

After backing up your current configuration, you can now upgrade the firmware on your FortiAnalyzer unit. The following procedures are used every time you upgrade the firmware, whether it is a maintenance release or patch release.

You can also use the following procedure when installing a patch release. A patch release is a maintenance release build that resolves important issues. You can install a patch release whether the FortiAnalyzer unit was upgraded to the current firmware version or not.

Upgrading/downgrading through the Web-based Manager

The following procedure uses the Web-based Manager for upgrading the FortiAnalyzer unit from v4.0 MR2 to v4.0 MR3. The following procedure assumes that you have already downloaded the firmware image to your management computer.

You must back up your current configuration before using the following procedure. The following procedure resets all settings to their default state, which includes interface IP addresses, HTTP, HTTPS, SSH, and Telnet access.

The FortiAnalyzer upgrade path is as follows: v3.0 MR6 > v3.0 MR7 > v4.0 > v4.0 MR1 > v4.0 MR2 > v4.0 MR3. However, the RVS configuration will not be carried forward and the FortiGuard configuration will be reset to its defaults.

Always back up your configuration and log data before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.

To upgrade through the Web-based Manager:

1. Copy the firmware image file to your management computer.
2. Log in to the Web-based Manager as the administrative user.
3. Go to System > Dashboard > Status.
4. In the System Information area, select Update for Firmware Version.


Figure 212: Firmware version [Update] page

5. Enter the path of the firmware image file, or select Browse and locate the file.
6. Select OK.
7. The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiAnalyzer login. This process may take a few minutes.

When the upgrade is successfully installed:

• Ping your FortiAnalyzer unit to verify there is still a connection.
• Clear the browser’s cache and log in to the Web-based Manager.

After logging back in to the Web-based Manager, you should save the configuration settings that are carried forward. Go to System > Maintenance > Backup & Restore to save the configuration settings that are carried forward.

Upgrade notice

If you use the proprietary indexed file system for log storage in v4.0 MR2, after upgrading to v4.0 MR3, an upgrade notice appears when you log in to the Web-based Manager, asking if you want to switch to the SQL database and migrate all logs to the SQL database.

Figure 213: Database upgrade notice

If you want to switch to the SQL database, select Upgrade Now and select local or remote SQL database, then select OK. For more information about SQL database configuration, see “Configuring SQL database storage” on page 118.

Your logs stored in the proprietary indexed file system will still be kept after the switch.

Database switch affects report configuration. For more information, see “Reports” on page 201.


Upgrading/downgrading through the CLI

The following procedure uses the CLI and a TFTP server to upgrade the FortiAnalyzer unit. The CLI upgrade procedure reverts all current configuration settings to factory defaults.

The following procedure assumes that you have already downloaded the firmware image to your management computer.

The procedures may vary depending on the firmware versions you use for the upgrade.

To upgrade the FortiAnalyzer unit through the CLI:

1. Copy the new firmware image file to the root directory of the TFTP server.
2. Start the TFTP server.
3. Log in to the CLI.
4. Enter the following command to ping the computer running the TFTP server:

execute ping <server_ipaddress>

Pinging the computer running the TFTP server verifies that the FortiAnalyzer unit and TFTP server are successfully connected.

5. Enter the following command to copy the firmware image from the TFTP server to the FortiAnalyzer unit:

execute restore image tftp <name_str> <tftp_ip4>

Where <name_str> is the name of the firmware image file and <tftp_ip4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image tftp image.out 192.168.1.168

The FortiAnalyzer unit responds with a message similar to the following:

This operation will replace the current firmware version!
Do you want to continue? (y/n)

6. Type y.

The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.

7. Reconnect to the CLI.
8. Enter the following command to confirm the firmware image installed successfully:

get system status

Verifying the upgrade

After upgrading, you should verify that the configuration settings have been carried forward. Verifying your configuration settings also enables you to familiarize yourself with the new features and changes in the new firmware.

You can verify your configuration settings by:

• going through each menu and tab in the Web-based Manager
• using the show command in the CLI.

Always back up your configuration and log data before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.


Troubleshooting

This chapter provides troubleshooting techniques for some frequently encountered problems. It includes general troubleshooting methods and specific troubleshooting tips using both the command line interface (CLI) and the Web-based Manager.

Some CLI commands provide troubleshooting information not available through the Web-based Manager. The Web-based Manager is better suited for viewing large amounts of information on screen, reading logs and archives, and viewing status through the dashboard.

For more information on troubleshooting, see the Knowledge Base.

This section contains the following topics:

• Troubleshooting process
• Troubleshooting FortiAnalyzer issues

Troubleshooting process

Before you begin troubleshooting, you need to prepare. Doing so will shorten the time to solve your issue.

This section includes the following topics:

• Establish a baseline
• Define the problem
• Gathering facts
• Search for a solution
• Create a troubleshooting plan
• Gather system information
• Check port assignments
• Troubleshoot connectivity issues
• Obtain any required additional equipment
• Ensure you have administrator access to required equipment
• Contact customer service & support

Establish a baseline

Note that many of these questions compare the current situation to normal operation. For this reason Fortinet recommends that you know what your normal operating status is. This can easily be accomplished through logs, or by regularly running information gathering commands and saving the output. Then when there is a problem, this regular operation data will enable you to determine what is different.

It is a good idea to back up the FortiAnalyzer configuration for your unit on a regular basis. Apart from troubleshooting, if you accidentally change something the backup can help you restore normal operation efficiently.


Define the problem

Before starting to troubleshoot a problem, answer the following questions:

• What is the problem?
Do not assume that the problem being experienced is the actual problem. First determine that the problem does not lie elsewhere on the network before starting to troubleshoot the FortiAnalyzer unit.

• Has it worked before?
If the device never worked from the first day, you may not want to spend time troubleshooting something that could be defective.

• Can the problem be reproduced at will or is it intermittent?
If the problem is intermittent, it may be dependent on system load. Also, an intermittent problem can be very difficult to troubleshoot due to the difficulty of reproducing the issue.

• What has changed?
Do not assume that nothing has changed in the network. Use the FortiAnalyzer event log to see if any configuration changes were made. If something has changed, see what the effect is if the change is rolled back.

• After you have isolated the problem, what applications, users, devices, and operating systems does it affect?

Before you can solve a problem, you need to understand it. Often this step can be the longest in this process.

Answer questions such as:

• What is not working? Be specific.
• Is there more than one thing not working?
• Is it partly working? If so, what parts are working?
• Is it a connectivity issue for the whole device, or is there an application that is not able to connect to the Internet?

Be as specific as possible with your answers, even if it takes a while to find the answers.

These questions will help you define the problem. Once the problem is defined, you can search for a solution and then create a plan on how to solve it.

Gathering facts

Fact gathering is an important part of defining the problem.

Consider the following:

• Where did the problem occur?
• When did the problem occur and to whom?
• What components are involved?
• What is the affected application?
• Can the problem be traced using a packet sniffer?
• Can the problem be traced in the session table?
• Can log files be obtained that indicate that a failure has occurred?

Answers to these questions will help you narrow down the problem, and what you have to check during your troubleshooting. The more things you can eliminate, the fewer things you need to check during troubleshooting.


Search for a solution

An administrator can save time and effort during the troubleshooting process by first checking if the issue has been experienced before. Several resources are available to provide valuable information about FortiAnalyzer technical issues, including:

• Technical documentation;
• Release notes;
• Knowledge Base;
• Technical discussion forums;
• Training services online campus.

Create a troubleshooting plan

Once you define the problem, and search for a solution, you can create a plan to solve that problem. Even if your search did not find a solution to your problem you may have found some additional things to check to further define your problem.

The plan should list all the possible causes of the problem, and how to test for each possible cause.

The plan will act as a checklist so that you know what you have tried and what is left to check. This is important to have if more than one person will be troubleshooting. Without a written plan, people will become easily confused and steps will be skipped. Also, if you have to hand over the problem to someone else, providing them with a detailed list of what data you gathered and what solutions you tried demonstrates a good level of professionalism.

Be ready to add to your plan as needed. After you are part way through, you may discover that you forgot some tests or a test you performed discovered new information. This is normal.

Also, if you contact support, they will require information about your problem as well as what you have already tried to fix the problem. This should all be part of your plan.

Providing supporting elements

If Customer Service & Support needs to be contacted to help you with your issue, be prepared to provide the following information:

• the firmware build version (use the get system status command);
• a recent configuration file;
• a recent debug log;
• a network topology diagram;
• what troubleshooting steps you have performed and the results.

Gather system information

Your FortiAnalyzer unit provides many features to aid in troubleshooting and performance monitoring.

Use the Web-based Manager's dashboard and the CLI commands to define the scope and details of your problem. Keep track of the information you gather; Customer Service & Support may request it if you contact them for assistance.


Table 17: Web-based Manager information gathering features

System > Dashboard > Status  Displays a dashboard with widgets that each indicate performance level or other status. By default, widgets display the serial number and current system status of the FortiAnalyzer unit, including uptime, system resource usage, host name, firmware version, system time, and log throughput. The dashboard also contains a CLI widget that enables you to use the command line through the Web-based Manager. These widgets appear on a single dashboard.

System > Network > Interface  Displays details about each configured system interface (port).

System > Network > Routing  Displays a list of configured static routes including their IPs, masks, and gateways.

Table 18: CLI information gathering features

diagnose debug crashlog list  Displays details on application proxies that have backtraces, traps, and registration dumps.

diagnose debug report  Displays the FortiAnalyzer configuration.

diagnose fortiguard status  Displays the running status of the FortiGuard daemon.

diagnose netlink  Displays the netlink information, including the FortiAnalyzer unit’s interface statistics, interface status and parameters, the physical and virtual IP addresses associated with the network interfaces of the FortiAnalyzer unit, routing table contents, routing cache information, TCP socket information, and UDP socket information.

diagnose sniffer packet  Performs a packet trace on a specified network interface.

diagnose sys  Displays the system information.

diagnose test  Tests the connectivity of the remote LDAP authentication server.

execute ping  Tests connectivity to other devices on your network or elsewhere.

execute traceroute  Traces the route of packets between the FortiAnalyzer unit and a specified server.

get system performance  Displays CPU usage, memory usage, and uptime.

get system status  Provides the firmware version, serial number, BIOS, and host name.

The above CLI commands explain how to display data. Many of these commands also have options for modifying data. For CLI command syntax details for these and other commands, see the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.


Check port assignments

There are 65,535 ports available for each of the TCP and UDP stacks that applications can use when communicating with each other. If someone recently changed a FortiAnalyzer or network port, that may be part of your problem.

For information on FortiAnalyzer port assignment, see “Port Numbers” on page 367.

In addition, some ports may be assigned to other Fortinet appliances on your network. See the Knowledge Base article, Traffic Types and TCP/UDP Ports used by Fortinet Products at: http://kb.fortinet.com

Many UDP and TCP port numbers have internationally recognized IANA port assignments and are commonly associated with specific applications or protocols.

Troubleshoot connectivity issues

This section includes troubleshooting questions related to connectivity issues.

• Are all cables and interfaces connected properly? See “Check hardware connections” on page 298.
• Are you experiencing packet loss or device connectivity problems? See “Run ping and traceroute” on page 299.
• Are there routes in the routing table for default and static routes? Do all connected subnets have a route in the routing table? See “Verify the contents of the routing table” on page 302.
• Are the ARP table entries correct for the next-hop destination? See “Verify the contents of the ARP table” on page 302.
• Is traffic entering the FortiAnalyzer unit and, if so, does it arrive on the expected interface? Is the traffic exiting the FortiAnalyzer unit to the expected destination? Is the traffic being sent back to the originator? Perform a sniffer trace. See “What can sniffing packets tell you” on page 302.

Check hardware connections

If there is no traffic flowing from the FortiAnalyzer unit, it may be a hardware problem.

To check hardware connections

• Ensure the network cables are properly plugged in to the interfaces on the FortiAnalyzer unit.

• Ensure there are connection lights for the network cables on the unit.

• Change the cable if the cable or its connector are damaged or you are unsure about the

cable’s type or quality.

• Connect the FortiAnalyzer unit to different hardware to see if that makes a difference.

• In the Web-based Manager, select System > Network > Interface and ensure the link status

is up (up arrow on green circle) for the interface.

If the status is down (down arrow on red circle), select Bring Up next to it in the Status

column.

You can also enable an interface in CLI, for example:

config system interface
    edit port2
        set status up
    end

Troubleshooting Page 298 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 299: Fortianalyzer Admin 40 Mr3

If any of these checks solve the problem, it was a hardware connection issue. You should still

perform some basic software tests to ensure complete connectivity.

If the hardware connections are correct and the unit is powered on but you cannot connect

using the CLI or Web-based Manager, you may be experiencing bootup problems. See “Bootup

issues” on page 312.

Run ping and traceroute

Ping and traceroute are useful tools in network troubleshooting. Both tools accept either IP

addresses or fully-qualified domain names as parameters. This can help you determine why

particular services, such as email or web browsing, are not working properly.

Both ping and traceroute require particular ports to be open on firewalls to function. Since you

typically use these tools to troubleshoot, you can allow them in the firewall policies and on

interfaces only when you need them, and otherwise keep the ports disabled for added security.

Check connections with ping

The ping command sends a small data packet to the destination and waits for a response. The

response has a timer that may expire, indicating the destination is unreachable.

Ping is part of Layer-3 on the Open Systems Interconnection (OSI) Networking Model. Ping

sends Internet Control Message Protocol (ICMP) “echo request” packets to the destination, and

listens for “echo response” packets in reply. However, many public networks block ICMP

packets because ping can be used in a denial of service (DoS) attack, or by an attacker to find

active locations on the network. By default, FortiAnalyzer units have ping enabled.

If ping does not work from your FortiAnalyzer unit, make sure it was not disabled. Go to

System > Network > Interface. Examine the list of allowed protocols in the Access column for

the port used by the Web-based Manager (usually port1). If ping is not in the list, enable it.

To enable ping:

1. Go to System >Network >Interface.

2. Select the Edit icon in the applicable row. A dialog window appears.

3. Select PING on the Edit Interface dialog window.

4. Select OK.

If ping does not work, you likely have it disabled in at least one of the interface settings or firewall policies for that interface.


Figure 214: Enable administrative access on the interface

What ping can tell you

Beyond the basic connectivity information, ping tells you the amount of packet loss (if any), how

long it takes the packet to make the round trip, and the variation in that time from packet to

packet.

If ping shows any packet loss, you should investigate:

• possible ECMP, split horizon, or network loops;

• cabling to ensure no loose connections.

If ping shows total packet loss, you should investigate:

• hardware to ensure cabling is correct;

• all equipment between the two locations to determine they are properly connected;

• addresses and routes to ensure all IP addresses and routing information along the route are configured as expected;

• firewalls to ensure they are set to allow ping to pass through.

How to use ping

You can ping from the FortiAnalyzer unit in the CLI Console widget of the Web-based Manager

or through CLI. For example:

execute ping 172.20.120.169

See the execute ping command in the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI

Reference for an explanation of the command output and see execute ping-options for a

description of the many options to tailor the ping response to your needs.

If the FortiAnalyzer Web-based Manager and CLI are not available, you can run ping on a

Windows or Linux PC.

To ping a device from a Windows PC:

1. Open a command window.

• In Windows XP, select Start > Run, enter cmd, and select OK.

• In Windows 7, select the Start icon, enter cmd in the search box, and select cmd.exe from

the list.


2. In the command window, enter the ping command and an IP address, for example:

ping 172.20.120.169

Ping options include:

• -t, to send packets until you press Control-C

• -a, to resolve addresses to domain names where possible

• -n x, where x is an integer stating the number of packets to send

To ping a device from a Linux PC:

1. Go to a command line prompt.

2. Enter:

ping 172.20.120.169

Check routes with traceroute

Traceroute sends ICMP packets to test each hop along the route. It sends three packets, and

then increases the time to live (TTL) setting by one each time. This effectively allows the packets

to go one hop farther along the route. This explains why most traceroute commands display

their maximum hop count before they start tracing the route; that is the maximum number of

steps it will take before declaring the destination unreachable. The TTL setting may result in

steps along the route timing out due to slow responses. There are many possible reasons for

this to occur.

Traceroute by default uses UDP with destination ports numbered from 33434 to 33534. The

traceroute utility usually has an option to specify use of ICMP echo request (type 8) instead, as

used by the Windows tracert utility. If you have a firewall and you want traceroute to work from

both machines (Unix-like systems and Windows) you will need to allow both protocols inbound

through your firewall (UDP with ports from 33434 to 33534 and ICMP type 8).

What traceroute can tell you

Where ping only tells you if the signal reached its destination and came back successfully,

traceroute shows each step of its journey to its destination and how long each step takes. If

ping finds an outage between two points, use traceroute to locate exactly where the problem is.

The traceroute output can identify other problems, such as an inability to connect to a DNS

server.

How to use traceroute

You can run a route trace from the FortiAnalyzer unit in the CLI Console widget of the

Web-based Manager or through CLI, for example:

execute traceroute docs.fortinet.com

See the execute traceroute command in the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI

Reference for an explanation of the command output.

If the FortiAnalyzer Web-based Manager and CLI are not available, you can trace a route on a

Windows or Linux PC.

To use traceroute on a Windows PC:

1. Open a command window.

• In Windows XP, select Start > Run, enter cmd, and select OK.

• In Windows 7, select the Start icon, enter cmd in the search box, and select cmd.exe from

the list.


2. Enter the tracert command to trace the route from the host PC to the destination web site,

for example:

tracert fortinet.com

In the tracert output, the first, or left column, is the hop count, which cannot go over 30 hops.

The second, third, and fourth columns are how long each of the three packets takes to reach

this stage of the route. These values are in milliseconds and normally vary quite a bit. Typically a

value of <1ms indicates a local connection.

The fifth, or far right column, is the domain name of that device and its IP address or possibly

just the IP address.

To use traceroute on a Linux PC:

1. Go to a command line prompt.

2. Enter:

traceroute fortinet.com

The Linux traceroute output is very similar to the MS Windows tracert output.
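As an added example (not from the guide), the following Python parser reads tracert output laid out as described above: hop number, three probe times, then the hostname and/or IP address. It records a row of asterisks as a silent hop, flags hops whose three probes all report <1 ms as local, and enforces the hop limit read from the header. The sample output it runs on is constructed, and its hostnames and addresses are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed tracert output for illustration (not output quoted in the guide).
# Addresses are private/documentation ranges; the hostname is invented.
SAMPLE_TRACERT = """\
Tracing route to fortinet.com [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     2 ms     3 ms     2 ms  10.0.0.1
  3     *        *        *     Request timed out.
  4    14 ms    12 ms    15 ms  edge.example.net [198.51.100.7]
  5    21 ms    20 ms    23 ms  203.0.113.10

Trace complete.
"""

MAX_HOPS_RE = re.compile(r"over a maximum of (\d+) hops")
NAMED_RE = re.compile(r"^(?P<name>\S+) \[(?P<ip>[\d.]+)\]$")


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[float]]   # one entry per probe; None = '*' (no reply)
    hostname: Optional[str] = None
    ip: Optional[str] = None

    @property
    def timed_out(self) -> bool:
        # All three probes unanswered: tracert prints "Request timed out."
        return all(r is None for r in self.rtts_ms)

    @property
    def looks_local(self) -> bool:
        # "<1 ms" on every probe typically means a directly connected link.
        return not self.timed_out and all(r is not None and r < 1.0 for r in self.rtts_ms)


def _take_probe(tokens: List[str], i: int):
    """Consume one probe column ('*', or '<1 ms' / '12 ms') starting at tokens[i]."""
    if tokens[i] == "*":
        return None, i + 1
    if i + 1 >= len(tokens) or tokens[i + 1] != "ms":
        raise ValueError("malformed probe column: %r" % tokens[i:i + 2])
    value = tokens[i]
    rtt = 0.0 if value.startswith("<") else float(value)  # "<1 ms" recorded as 0.0
    return rtt, i + 2


def parse_tracert(text: str) -> List[Hop]:
    """Turn tracert output into one Hop record per hop line."""
    hops: List[Hop] = []
    max_hops = None
    for line in text.splitlines():
        m = MAX_HOPS_RE.search(line)
        if m:
            max_hops = int(m.group(1))
            continue
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # banner, blank line or "Trace complete."
        number = int(tokens[0])
        if max_hops is not None and number > max_hops:
            raise ValueError("hop %d exceeds the %d-hop limit" % (number, max_hops))
        rtts, i = [], 1
        for _ in range(3):
            rtt, i = _take_probe(tokens, i)
            rtts.append(rtt)
        target = " ".join(tokens[i:])
        hop = Hop(number, rtts)
        if target != "Request timed out.":
            m = NAMED_RE.match(target)
            if m:
                hop.hostname, hop.ip = m.group("name"), m.group("ip")
            else:
                hop.ip = target  # bare IP address, no reverse DNS
        hops.append(hop)
    return hops


def summarize(hops: List[Hop]) -> dict:
    """Condense a trace into the facts a troubleshooter looks for."""
    return {
        "hops": len(hops),
        "local_hops": [h.number for h in hops if h.looks_local],
        "silent_hops": [h.number for h in hops if h.timed_out],
        "reached": bool(hops) and not hops[-1].timed_out,
        "worst_rtt_ms": max((r for h in hops for r in h.rtts_ms if r is not None),
                            default=None),
    }


if __name__ == "__main__":
    trace = parse_tracert(SAMPLE_TRACERT)
    for hop in trace:
        print(hop)
    print(summarize(trace))
```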

Verify the contents of the routing table

When you have little connectivity, a good place to look for information is the routing table.

The routing table is where the FortiAnalyzer unit stores currently used static routes. If a route is

in the routing table, it saves the time and resources of a lookup. If a route was not used for a

while and a new route needs to be added, the oldest, least-used route is bumped if the routing

table is full. This ensures the most recently used routes stay in the table.

To check the routing table in the CLI, enter:

diagnose network route list

Verify the contents of the ARP table

When you have poor connectivity, another good place to look for information is the address

resolution protocol (ARP) table. A functioning ARP is especially important in high-availability

configurations.

To check the ARP table in the CLI, enter:

diagnose system arp

What can sniffing packets tell you

Packet sniffing can tell you if the traffic is reaching its destination, what the port of entry is on

the FortiAnalyzer unit, if the ARP resolution is correct, and if the traffic is being sent back to the

source as expected. Packet sniffing can also tell you if the FortiAnalyzer unit is silently dropping

packets.

If you configure virtual IP addresses on your FortiAnalyzer unit, it will use those addresses in

preference to the physical IP addresses. You will notice this when you are sniffing packets

because all traffic will use the virtual IP addresses. This is due to the ARP update that is sent

out when the virtual IP address is configured.


Perform a sniffer trace

When troubleshooting networks and routing in particular, it helps to look inside the headers of

packets to determine if they are traveling along the route you expect. Packet sniffing is also

called a network tap, packet capture, or logic analyzing.

To sniff packets

The CLI syntax of the internal FortiAnalyzer packet sniffer command is:

diagnose sniffer packet <interface_name> <filter_str> <verbose-level> <count_int>

This example checks network traffic on port1, with no filter, and captures 10 packets:

diagnose network sniffer packet port1 none 1 10

See the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference for an explanation of the

command and its parameters.

Obtain any required additional equipment

You may require additional networking equipment, computers, or other equipment to test your

solution.

Normally network administrators have additional networking equipment available either to loan

you, or a lab where you can bring the FortiAnalyzer unit to test.

If you do not have access to equipment, check for shareware applications that can perform the

same task. Often there are software solutions when hardware is too expensive.

Ensure you have administrator access to required equipment

Before troubleshooting your FortiAnalyzer unit, you will need administrator access to the

equipment.

Also, you may need access to other networking equipment such as switches, routers, and

servers to help you test. If you do not normally have access to this equipment, contact your

network administrator for assistance.

Contact customer service & support

After you have defined your problem, researched a solution, created a plan, and executed that plan, and still have not solved the problem, it is time to contact Customer Service & Support for assistance.

To receive technical support and service updates, your Fortinet product must be registered and

reflect a valid support contract. Registration, support programs, assistance, and regional phone

contacts are available at the following URL:

https://support.fortinet.com


When you are registered and ready to contact support:

1. Prepare the following information first:

• your contact information;

• the firmware version;

• a recent server policy configuration;

• access to recent event, traffic and attack logs;

• a network topology diagram and IP addresses;

• a list of troubleshooting steps performed so far and the results.

For bootup problems:

• provide all console messages and output;

• if you suspect a hard disk issue, provide your evidence.

2. Document the problem and the steps you took to define the problem.

3. Open a support ticket.

Troubleshooting FortiAnalyzer issues

This section lists the common issues you may encounter in using the FortiAnalyzer unit and the

solutions.

• File system issue

• Report issue

• Binary files issue

• CPU usage issue

• HA log issue

• NFS server connection issue

• Vulnerability management issues

• Upgrade issue

• Web-based Manager issue

• Disk usage issue

• Device IP issue

• Running an HQIP for hardware integrity control

• Packet capture (CLI sniffer) best practice

• No logs received with encryption enabled between a FortiGate unit and a FortiAnalyzer unit

• Bootup issues

File system issue

You see “Read Only” on top of the Web-based Manager or “Maintenance Mode” during the FortiAnalyzer system bootup.

Solution

If the FortiAnalyzer unit loses its file system at run time, you will see “Read Only” on top of the Web-based Manager. If the unit cannot mount its file system as “Read + Write” during bootup, the unit will boot in maintenance mode.

Both the read-only mode and maintenance mode are either caused by a hard disk failure for

FortiAnalyzer units without RAID or complete RAID failure for FortiAnalyzer units with RAID.


If this happens, you must contact Customer Service & Support.

Report issue

FortiAnalyzer reports show the same users twice (name in uppercase and lowercase).

Solution

When a FortiGate unit is set to require authentication, it may use two methods to authenticate:

Lightweight Directory Access Protocol (LDAP) and Fortinet Single Sign On (FSSO).

The behavior is different depending on the method used and this will cause the FortiAnalyzer

unit to have two different log entries for the same user: one with upper case name and one with

lower case name.

The FortiAnalyzer reports will show the same user twice. This is because the FortiAnalyzer filter

is case-sensitive.

This issue was resolved in FortiOS 4.0 MR1 with the addition of a new CLI command to allow

ALL user names logged to be in upper case. This is useful when the same servers are shared by

LDAP and FSSO.

Binary files issue

The Alert Message Console on the Dashboard may display a message similar to the following:

2 of 70 binary files need to be regenerated.

Solution

The binary files indicated in the message are used by the FortiAnalyzer report engine to

generate reports. During a firmware upgrade, the binary files may have changed due to some

new features. In such a case, the affected binary files are regenerated. This message means

that some of the binary files have not yet been regenerated.

The speed of regeneration (how long it takes to complete) depends on the activity of the

FortiAnalyzer unit, such as the logging rate and number of reports running.

The number displayed in the message will steadily decrease. It may briefly increase when log

files are manually imported, or in some cases during log rolling on a non-processed file.

This is a normal process, and will resolve itself once the regeneration is complete.

CPU usage issue

The FortiAnalyzer unit’s CPU usage can appear to be continually high.

Solution

There are three key CPU-intensive operations on a FortiAnalyzer unit:

• Log indexing;

A FortiAnalyzer unit deployed in a network can receive hundreds of log messages per

second throughout the day. The FortiAnalyzer unit indexes nearly all fields in a log message


to include it in the database. This process can be very CPU intensive, as the indexing

component is continually running to keep up with the incoming log messages.

• Report generation and other enhanced features;

Due to the many reporting functions, various report generations can be running at any time

during the day, including:

• security event reports;

• traffic summary reports;

• regular reports whose complexity can vary depending on the requirements;

• quota checking with log rolling;

• network sniffing;

• vulnerability scan.

• Summary reports daemon.

The summary reports daemon (sumreportsd) is responsible for computing data for drill

down widgets configured on the dashboard.

The widgets are:

• Top Web Traffic;

• Intrusion Activity;

• Virus Activity;

• Top FTP Traffic;

• Top Email Traffic;

• Top IM/P2P Traffic;

• Top Traffic.

By default, none of these drilldown widgets are enabled.

Depending on the hardware platform or the amount of logs present in the FortiAnalyzer unit,

sumreportsd may consume a considerable amount of CPU when running and may run for

a considerable amount of time (from a few minutes, to hours, or even longer if it has to

compute new data while still processing old ones). The resulting effect is that drilldown

widgets may be empty or not up to date.

All these tasks can be CPU intensive, especially when a combination of them is occurring at the

same time. This often can cause the CPU usage to stay at 90% or more. It is important to set

the indexing operation to the lowest priority so that the critical processes, such as receiving log

messages, are not affected.

On smaller devices, such as the FortiAnalyzer-100C, where the CPU and disk speeds are not as

fast as the higher-end models, the CPU usage can appear more pronounced.

In case of high CPU usage, and depending on the current environment of the FortiAnalyzer unit, it is suggested that you:

• reduce the devices being monitored to only the ones needed;

• reduce the Time Scope of a widget to a lower value (Hour or Day);

• disable all drill down widgets from all admin accounts.


HA log issue

When sending FortiGate logs to the FortiAnalyzer unit with a secure connection, only the

primary unit's logs are successfully received by the FortiAnalyzer unit.

Solution

When configuring a secure connection to send log information, you need to set the secure

connection for all units in an HA cluster on the FortiAnalyzer unit.

If the FortiAnalyzer unit will still not accept log information from the FortiGate unit for which you

have enabled secure connection, check if you entered the preshared key and the device

information correctly.

NFS server connection issue

When attempting to connect to the FortiAnalyzer unit as an NFS server, the connection times

out or does not connect.

Solution

The FortiAnalyzer unit uses the DNS settings to enable connections for network file sharing. If

the DNS settings are not configured correctly, or have incorrect DNS entries, the FortiAnalyzer

unit cannot perform reverse lookups for users attempting to connect. If the FortiAnalyzer unit

cannot perform this check, the operation times out, appearing to the user as being unable to

connect.

To verify your DNS configuration, go to System > Network > DNS. For more information, see

“Configuring DNS” on page 98.

The FortiAnalyzer unit uses the DNS settings for a number of network functions. The DNS

settings must be valid to ensure the system functions correctly.

Vulnerability management issues

On the Dashboard, Vulnerability Management (VM) under License Information shows as not registered.

Solution

Vulnerability Management is an additional service which, similar to FortiGuard Services, must

be purchased and registered.

Even if the FortiAnalyzer unit is registered and licensed, Vulnerability Management Service will

show as “Not Registered” if not purchased and registered.

Vulnerability management updates are not working.

Solution

1. Make sure you have a valid license

Vulnerability management is a separate subscription that must be purchased. Make sure

that there is a valid VM subscription before starting to troubleshoot. For more information,

see “Scheduling & uploading vulnerability management updates” on page 147.


2. Check the default gateway.

The FortiAnalyzer unit needs a default gateway to be able to access the Internet and

download updates. Go to System > Network > Routing and make sure the default gateway is

configured correctly.

If the default gateway is configured correctly, it should be possible to ping IP addresses on

the Internet (assuming that nothing is blocking the pings). This can be tested by using the

command:

execute ping <IP address on the Internet>

3. Make sure nothing is blocking port 443 from the FortiAnalyzer unit.

The FortiAnalyzer unit will contact the update servers on port 443. If something (usually a

firewall) is blocking port 443 from the FortiAnalyzer unit, it will not be able to receive updates.

Check if something is blocking port 443 by sniffing the traffic using the command:

diagnose sniff packet any 'port 443' 4

If something is blocking port 443, TCP SYNs will be seen going out but with no TCP

SYN/ACKs coming back in.

4. Enable Debug.

There are a number of other issues that may be causing a problem with VM updates. The

easiest way to check all of them is to enable debugging and check the output for errors. Run

the commands below:

diagnose debug output enable
diagnose debug application fortiguard 8
execute update-vm

The output will show any errors that are happening with the update process. Once the

update is complete, it is important to disable debug using the commands:

diagnose debug application fortiguard 0
diagnose debug output disable

Upgrade issue

The message Upload file is too big or invalid may appear when upgrading a

FortiAnalyzer unit from the Web-based Manager.

Solution

Assuming that the correct firmware image has been downloaded from support.fortinet.com, a

possible cause of this problem is related to the free memory on a FortiAnalyzer unit that has had

a long uptime. In order to load the required firmware image, it is necessary to reboot the

FortiAnalyzer unit so that more system resources become available. Once the device has been

rebooted, the upgrade will proceed as required.

Web-based Manager issue

After logging in to the Web-based Manager, the following occurs:

• console access window opens blank;

• menu, tabs and button bar do not work;

• log view settings are not saved.

Solution

Enable cookies and JavaScript in your browser. Make sure that cookies are not erased when

you close your browser.


Cookies store preferences for the browser you use to access the Web-based Manager. If the

cookies are erased when you close the browser (session cookies), the preferences are not

saved, and will not be available the next time you open the browser.

JavaScript is used for navigation of the menus and tabs in the Web-based Manager.

The following procedures describe how to enable cookies and JavaScript in Internet Explorer

and Firefox.

In Microsoft Internet Explorer versions 7 and 8:

1. Go to Tools > Internet Options.

2. Select the Privacy Tab.

3. Select a level of Medium or lower for the Privacy level.

4. Select OK.

5. Select the Security Tab.

6. Select Custom Level.

7. In Settings, under Scripting, enable Active Scripting and Scripting of Java Applets.

8. Select OK.

In Mozilla Firefox:

1. Go to Tools > Options.

2. Select Privacy.

3. Select Use custom settings for history.

4. Select Accept cookies from sites.

5. Select Accept third-party cookies and Keep until: they expire.

6. Select Content.

7. Select Enable JavaScript.

8. Select OK.

Disk usage issue

Disk usage on a FortiAnalyzer unit shows different values than on a monitored FortiGate unit.

Solution

The disk usage on a FortiGate unit shows the usage of the space allocated to that particular FortiGate unit as configured on the FortiAnalyzer unit, while the disk usage on the FortiAnalyzer unit represents the total disk usage of the FortiAnalyzer unit as a whole.

For information about configuring allocated space for a device, see “Manually configuring a

device or HA cluster” on page 160.

Device IP issue

Device IP address displays as 0.0.0.0 on the FortiAnalyzer unit device list (Devices > All

Devices > Allowed) even if the FortiGate unit is already registered on the FortiAnalyzer unit.

Solution

The FortiAnalyzer unit will change the IP once it receives logs from the FortiGate unit. The IP

address of the FortiGate unit is 0.0.0.0 if the FortiAnalyzer unit has not received logs from the

FortiGate unit.


The FortiAnalyzer unit may not be receiving logs even if the Test Connectivity test on the

FortiGate unit shows that the FortiGate unit is connected to the FortiAnalyzer unit (on the

FortiGate unit: Log&Report > Log Config > Log Settings > FortiAnalyzer > Test Connectivity).

This can be because the FortiGate unit is configured to send logs to the FortiAnalyzer unit but is not generating any logs yet, or because of a connectivity problem between the FortiGate unit and the FortiAnalyzer unit on port 514 UDP (Test Connectivity runs on port 514 TCP).

Non-encrypted connection

You can use sniffer commands to check if the FortiGate unit is generating logs and if the

FortiAnalyzer unit is receiving them. Note that the commands below are for non-encrypted traffic.

On the FortiGate unit:

diagnose sniffer packet any 'host <IP address of FortiAnalyzer> and port 514' 4

On the FortiAnalyzer unit:

diagnose sniffer packet any 'host <IP address of the FortiGate> and port 514'

This shows whether the FortiGate unit is sending traffic and whether the FortiAnalyzer unit is receiving it. The TCP sessions in the sniffer output are for content archive logs, while the UDP sessions are for normal logs, which are just about everything else.

Common cases:

1. The FortiGate unit is generating logs but the FortiAnalyzer unit is not receiving them. This is

usually due to something dropping (filtering) out port 514 (UDP or TCP) between the

FortiGate and the FortiAnalyzer units.

2. The FortiGate unit is not generating logs. Check the logging options on the firewall policies

and the protection profiles. Make sure they are set to send logs to the FortiAnalyzer unit.

Also check the logging level on the FortiGate unit and make sure it is not set too high

(Log&Report > Log Config > Log Settings > FortiAnalyzer > Minimum log level). If these are

set correctly, you can check the filters on the FortiGate unit by running the CLI command:

show full log fortianalyzer filters

Encrypted connections

You can sniff the connection between the FortiGate unit and the FortiAnalyzer unit using the

commands:

On the FortiGate unit:

diagnose sniffer packet any 'host <IP address of FortiAnalyzer>' 4

On the FortiAnalyzer unit:

diagnose sniffer packet any 'host <IP address of FortiGate>'

UDP port 500 is for IKE trying to create the VPN tunnel between the FortiGate unit and the

FortiAnalyzer unit. If this is the only thing you see between the two devices, then the encryption

settings between the FortiGate unit and FortiAnalyzer unit are not correct and the tunnel cannot

be established.

IP protocol 50 is for ESP which carries the encrypted traffic. If you see IP protocol 50 leaving the

FortiGate unit but not reaching the FortiAnalyzer unit, then something is dropping the packets in

the middle, although seeing IP protocol 50 means that the connection settings are correct

between the two devices.


Running an HQIP for hardware integrity control

The Hardware Quick Inspection Package (HQIP) test image can be used to check the

FortiAnalyzer unit's system function and its interfaces. HQIP will check almost all components,

including CPU, memory, Compact Flash, hard disk and PCI devices (NIC/ASIC). It will also

check the critical benchmarks and system configurations.

HQIP cannot detect all hardware malfunctions. If the FortiAnalyzer unit is rebooting or unstable,

HQIP cannot detect the issues.

If an HQIP test is required, follow the instructions in Knowledge Base.

Packet capture (CLI sniffer) best practice

Fortinet devices include a built-in sniffer that you can use for debugging purposes. Details on its

usage are explained in the Knowledge Base.

The following are suggestions to improve the usability of this tool:

• Always include ICMP in the sniffer filter. You may capture an ICMP error message that can

help identify the cause of the problem. For example:

diagnose sniff packet interface wan1 'tcp port 3389 or icmp' 3

• Use the any interface if you want to confirm that a specific packet is received or sent by the

Fortinet device, without specifically knowing on which interface this may be. This will

essentially enable the sniffer for all interfaces. For example:

diagnose sniff packet interface any 'tcp port 3389' 3

• The Fortinet device may not display all packets if too much information is requested to be

displayed, or the traffic being sniffed is significant. When this occurs, the unit will log the

following message once the trace is terminated:

12151 packets received by filter
3264 packets dropped by kernel

When this occurs, it is possible that what you were attempting to capture was not actually

captured. In order to avoid this, you may try to tighten the display filters, reduce the verbose

level, or perform the trace during a lower traffic period.

• The packet timestamps as displayed by the sniffer may become skewed or delayed under

high-load conditions. This may occur even if no packets were dropped (as mentioned

above). Therefore, it is not recommended that you rely on these values in order to

troubleshoot or measure performance issues that require absolute precise timing.

• Enabling the sniffer will consume additional CPU resources. This can be as high as an

additional 25% of CPU usage on low-end models. Therefore, enabling it on a unit that is

experiencing excessively high CPU usage can only render the situation worse. If you must

perform a sniff, keep the sniffing sessions short.

• The Ethernet source and/or destination MAC addresses may be incorrect when using the

any interface. They may be displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01.
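Added example, not from the guide: a Python analyzer for sniffer output in the verbosity-4 line style used by the port 443 check in the vulnerability management update steps and by the "packets dropped by kernel" message above. It pairs outgoing SYNs with incoming SYN/ACKs so that repeated SYNs with no reply stand out as a filtered port, and reads the closing counters so that a capture with kernel drops is marked incomplete. The sample output, its addresses and the exact line layout are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sniffer output in a verbosity-4 style (timestamp, interface,
# direction, src.port -> dst.port: tcp flags). Made up for illustration;
# addresses are private and documentation ranges.
SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[port 443]
0.512301 port1 out 192.168.1.99.50312 -> 203.0.113.20.443: syn 2861843934
1.512410 port1 out 192.168.1.99.50312 -> 203.0.113.20.443: syn 2861843934
3.512522 port1 out 192.168.1.99.50312 -> 203.0.113.20.443: syn 2861843934
4.001000 port1 out 192.168.1.99.50320 -> 198.51.100.9.443: syn 1193046001
4.004120 port1 in 198.51.100.9.443 -> 192.168.1.99.50320: syn 4000000001 ack 1193046002
4.004300 port1 out 192.168.1.99.50320 -> 198.51.100.9.443: ack 4000000002

6 packets received by filter
0 packets dropped by kernel
"""

PKT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)
SUMMARY_RE = re.compile(
    r"^(?P<n>\d+) packets (?P<what>received by filter|dropped by kernel)$"
)

Flow = Tuple[str, str, str]  # (local address, local port, remote address)


def analyze_capture(text: str, dport: int = 443) -> dict:
    """Pair outgoing SYNs to dport with incoming SYN/ACKs and read the counters."""
    syn_out: Dict[Flow, int] = defaultdict(int)
    answered: List[Flow] = []
    received = dropped = None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            if m.group("what").startswith("received"):
                received = int(m.group("n"))
            else:
                dropped = int(m.group("n"))
            continue
        m = PKT_RE.match(line)
        if not m:
            continue  # "interfaces=", "filters=" and blank lines
        flags = m.group("flags").split()
        if (m.group("dir") == "out" and int(m.group("dport")) == dport
                and "syn" in flags and "ack" not in flags):
            # A bare SYN leaving the unit; count retransmissions per flow.
            syn_out[(m.group("src"), m.group("sport"), m.group("dst"))] += 1
        elif (m.group("dir") == "in" and int(m.group("sport")) == dport
                and "syn" in flags and "ack" in flags):
            # SYN/ACK coming back: the remote side answered this flow.
            flow = (m.group("dst"), m.group("dport"), m.group("src"))
            if flow not in answered:
                answered.append(flow)
    unanswered = {f: n for f, n in syn_out.items() if f not in answered}
    return {
        "unanswered_syns": unanswered,  # SYN (re)sent n times, no SYN/ACK back
        "answered": answered,
        "received": received,
        "dropped": dropped,
        # Any kernel drops mean the packet you were looking for may be missing.
        "capture_incomplete": bool(dropped),
    }


def findings(text: str, dport: int = 443) -> List[str]:
    """Turn the analysis into the conclusions the guide draws from such a capture."""
    r = analyze_capture(text, dport)
    out = []
    for (src, sport, dst), n in r["unanswered_syns"].items():
        out.append("%s:%s -> %s:%d: %d SYN(s) sent, no SYN/ACK; port %d is "
                   "probably being filtered on the path" % (src, sport, dst, dport, n, dport))
    if r["capture_incomplete"]:
        out.append("%d packets dropped by kernel: tighten the filter, lower the "
                   "verbosity level or capture during a quieter period" % r["dropped"])
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_SNIFFER):
        print(line)
```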

No logs received with encryption enabled between a FortiGate unit and a FortiAnalyzer unit

Logs are being sent correctly from the FortiGate unit to the FortiAnalyzer unit when encryption is

disabled but no logs are received once encryption is enabled.

Sniffing the traffic between the FortiGate unit and the FortiAnalyzer unit only shows UDP port

500 (IKE) but does not show IP protocol 50 (ESP):


On the FortiGate unit, run the command:

diagnose sniff packet any 'host <IP address of FortiAnalyzer> and port 514' 4

On the FortiAnalyzer unit, run the command:

diagnose sniff packet any 'host <IP address of the FortiGate> and port 514' 4

The VPN monitor on the FortiGate unit (VPN > IPsec > Monitor) also shows the tunnel as down.

The most common cause of this problem is that the Local ID on the FortiGate unit is not

configured correctly.

Use the following commands to enable encryption between the FortiGate unit and the

FortiAnalyzer unit:

On the FortiGate unit:

config log fortianalyzer setting
    set encrypt enable
    set psksecret <presharedkey_str>
    set localid <devname_str>
end

On the FortiAnalyzer unit:

config log deviceedit <devname_str>

set secure pskset psk <presharedkey_str>set id <devid_str>

end

The local ID on the FortiGate unit (line 4) needs to match the device name on the FortiAnalyzer

unit (line 2). If these values do not match, the IPsec tunnel will not be established.
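The following Python is an added example, not Fortinet code: it parses the two CLI blocks above (config/edit/set/next/end) and reports the mismatches that leave the tunnel down, chiefly a localid that differs from the device name. The sample snippets, device names and pre-shared key are constructed; the pre-shared keys are compared as typed, not in the encrypted form a FortiGate shows for psksecret.

```python
"""Cross-check FortiGate encrypted-logging settings against the matching
'config log device' entry on the FortiAnalyzer (added example, not Fortinet code)."""
import shlex


def parse_cli(text):
    """Parse FortiOS-style 'config ... set ... end' text into nested dicts.

    'config a b' and 'edit x' open a block; 'next' and 'end' close the
    innermost one; blocks still open at end of input are closed implicitly,
    which also accepts the single trailing 'end' shown in the guide.
    """
    root, stack = {}, []
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        cur = stack[-1] if stack else root
        if cmd == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif cmd in ("next", "end"):
            if stack:
                stack.pop()
        elif cmd == "set":
            cur[args[0]] = " ".join(args[1:])
        elif cmd == "unset":
            cur.pop(args[0], None)
    return root


def check_log_encryption(fgt_text, faz_text):
    """Return a list of findings; an empty list means the two sides agree."""
    fgt = parse_cli(fgt_text).get("log fortianalyzer setting", {})
    devices = parse_cli(faz_text).get("log device", {})
    findings = []
    if fgt.get("encrypt") != "enable":
        findings.append("FortiGate: encrypt is not enabled")
    localid = fgt.get("localid")
    if not localid:
        findings.append("FortiGate: localid is not set")
        return findings
    dev = devices.get(localid)
    if dev is None:
        # The most common cause in the guide: localid != device name.
        findings.append("FortiAnalyzer: no 'config log device' entry named %r "
                        "(localid must match the device name)" % localid)
        return findings
    if dev.get("secure") != "psk":
        findings.append("FortiAnalyzer: device %s lacks 'set secure psk'" % localid)
    if fgt.get("psksecret") != dev.get("psk"):
        findings.append("pre-shared keys differ between the two units")
    return findings


# Constructed sample configurations (names and key are placeholders).
FGT_SAMPLE = """\
config log fortianalyzer setting
    set encrypt enable
    set psksecret Example-PSK-1
    set localid FGT-branch-1
end
"""
FAZ_SAMPLE = """\
config log device
    edit FGT-branch-1
        set secure psk
        set psk Example-PSK-1
        set id FGT-SAMPLE-SERIAL
    end
"""
# A FortiAnalyzer entry whose name does not match the FortiGate localid.
FAZ_MISMATCH = FAZ_SAMPLE.replace("edit FGT-branch-1", "edit FGT-branch-01")

if __name__ == "__main__":
    print(check_log_encryption(FGT_SAMPLE, FAZ_SAMPLE))
    print(check_log_encryption(FGT_SAMPLE, FAZ_MISMATCH))
```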

Bootup issues

When powering on your FortiAnalyzer unit, you may experience problems. Bootup issues, while
rare, can be very difficult to troubleshoot because of the lack of information about the issue.
When the unit is not running, you do not have access to your typical tools such as the diagnose
CLI commands. This section walks you through some possible issues to give you direction in
these situations.

To troubleshoot a bootup problem with your unit, go to the section that lists your problem. If
you have multiple problems, go to the problem closest to the top of the list first, and work your
way down the list.

It is rare for units to experience any of the symptoms listed here. Fortinet hardware is reliable,
with a long expected operating life.

The issues covered in this section all refer to various potential bootup issues, including:

• You have text on the screen, but you have problems.
• You do not see the boot options menu.
• You have problems with the console text.
• You have visible power problems.
• You have a suspected defective FortiAnalyzer unit.
• Examples: Error message "EXT3-fs error (device...)"

You have text on the screen, but you have problems.

Solution

1. If the text on the screen is garbled, ensure your console communication parameters are
   correct. Check your QuickStart Guide for settings specific to your model.
2. If that fixes your problem, you are done.
3. If not, go to You do not see the boot options menu.

You do not see the boot options menu.

Solution

1. Ensure your serial communication parameters are set to no flow control and the proper
   baud rate, and reboot the FortiAnalyzer unit by powering off and on.
2. If that fixes your problem, you are done.
3. If it doesn't fix your problem, go to You have a suspected defective FortiAnalyzer unit.

You have problems with the console text.

1. Do you have any console message?
   • If Yes, go to You have visible power problems.
   • If No, continue.
2. Is there garbage text on screen?
   • If Yes, ensure console communication parameters are correct.
   • If that fixes the problem, you are done.
3. If No, does the unit stop before the Press Any Key to Download Boot Image prompt?
   • If Yes, go to You have a suspected defective FortiAnalyzer unit.
   • If No, go to Step 4.
4. Console Message Press any key to Download Boot Image
   FortiAnalyzer units ship with a baud rate of 9600 by default. If you have access, verify this
   with the CLI command config system console get, or parse an archived configuration file for
   the term baudrate.
5. When pressing a key, do you see the following menu?

       [G] Get Firmware image from TFTP server
       [F] Format boot device
       [B] Boot with backup firmware and act as default
       [Q] Quit menu and continue to boot with default firmware
       [H] Display this list of options

   • If Yes, go to You have a suspected defective FortiAnalyzer unit.
6. If No, ensure your serial communication parameters are set to no flow control and the
   proper baud rate, and reboot the FortiAnalyzer unit by powering off and on.
7. Did the reboot fix the problem?
   • If that fixes your problem, you are done.
   • If that doesn't fix your problem, go to You have a suspected defective FortiAnalyzer unit.

You have visible power problems.

1. Is there any LED activity?
   • If No, ensure power is on. If that fixes the problem, you are done.
   • If Yes, continue.
2. Do you have an external power adapter?
   • If No, go to You have a suspected defective FortiAnalyzer unit.
   • If Yes, try replacing the power adapter.
3. Is the power supply defective, or can you not determine one way or the other?
   • If No, go to You have a suspected defective FortiAnalyzer unit.
   • If Yes, go to You have text on the screen, but you have problems.

You have a suspected defective FortiAnalyzer unit.

If you have followed these steps and determined there is a good chance your unit is defective,
follow these steps.

1. Open a support ticket through Customer Service & Support at https://support.fortinet.com.
2. In the ticket, document the problem or problems and the steps that you have taken.
3. Provide all console messages and output.
4. Indicate if you have a suspected hard disk issue, and provide your evidence.

Customer Service & Support will contact you to help you with your ticket and issue.

Examples: Error message "EXT3-fs error (device...)"

The FortiAnalyzer unit does not boot properly and/or some errors are displayed on the console
during the boot.

FortiAnalyzer units ship with a baud rate of 9600 by default. If you have access, parse an
archived configuration file for the term baudrate or verify this setting with the CLI command:

    config system console
    get

Example 1:

    Reading boot image 1463602 bytes.
    Initializing firewall...
    System is started.
    EXT3-fs error (device md(9,0)): ext3_readdir: bad entry in directory #1474561: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
    EXT3-fs error (device md(9,0)): ext3_readdir: bad entry in directory #1474561: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0

Example 2:

    Reading boot image 1463602 bytes.
    Initializing firewall...
    System is started.
    EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
    EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
    EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
    EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
    EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=130817, block=262146
    EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
    EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
    EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure

Some error details may vary from one device to another, but the EXT3-fs error indicates an
issue with the local file system.

Solution

This issue appears to be due to corruption in the file system that affects the boot device
and/or firmware loading.

In most cases the issue can be resolved by reformatting the boot device and then reinstalling
the firmware via TFTP.

Make sure to reload the same firmware version as the one used to save the configuration
backup file. If there is no configuration backup file, the unit needs to be reconfigured from
scratch.

To reload the firmware

1. Connect to the FortiAnalyzer unit on the serial console.
2. Reboot the unit and press any key to enter the Boot Menu.
3. Select format boot device.
4. Select Reload Firmware via TFTP.
5. When the unit is up, open the Web-based Manager, go to System > Maintenance >
   Backup & Restore, and restore the latest configuration from backup.

Appendix A: SNMP MIB Support

SNMP MIB support

The FortiAnalyzer SNMP agent supports the following management information blocks (MIBs):

Table 19: FortiAnalyzer MIBs

MIB or RFC                     Description
FORTINET-CORE-MIB              This Fortinet-proprietary MIB enables your SNMP manager to query for
                               system information and to receive traps that are common to multiple
                               Fortinet devices.
FORTINET-FORTIANALYZER-MIB     This Fortinet-proprietary MIB enables your SNMP manager to query for
                               FortiAnalyzer-specific information and to receive FortiAnalyzer-specific
                               traps.
RFC-1213 (MIB II)              The FortiAnalyzer SNMP agent supports MIB II groups, except:
                               • There is no support for the EGP group from MIB II (RFC 1213,
                                 sections 3.11 and 6.10).
                               • Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP,
                                 etc.) do not accurately capture all FortiAnalyzer traffic activity.
                                 More accurate information can be obtained from the information
                                 reported by the FortiAnalyzer MIB.
RFC-2665 (Ethernet-like MIB)   The FortiAnalyzer SNMP agent supports Ethernet-like MIB information
                               except the dot3Tests and dot3Errors groups.

You can obtain these MIB files from the Customer Service & Support web site,
https://support.fortinet.com.

To be able to communicate with your FortiAnalyzer unit's SNMP agent, you must first compile
these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already
compiled into your SNMP manager, you do not have to compile them again.

To view a trap or query's name, object identifier (OID), and description, open its MIB file in a
plain text editor.

All traps sent include the message, the FortiAnalyzer unit's serial number, and host name.

For instructions on how to configure traps and queries, see "Configuring the SNMP agent" on
page 126.

Appendix B: Maximum Value Matrix

Maximum values matrix

Table 20: Maximum values of FortiAnalyzer models

Model columns:
  (1) FAZ-100B, FAZ-100C
  (2) FAZ-200D, FAZ-400B, FAZ-400C
  (3) FAZ800, FAZ-800B
  (4) FAZ-1000, FAZ-1000C
  (5) FAZ-2000, FAZ-2000A, FAZ-2000B
  (6) FAZ-4000A, FAZ-4000B

Feature                                          (1)     (2)     (3)     (4)     (5)     (6)
Administrative domains (ADOMs)                   1a      10      50      50      100     250
Devices per ADOM                                 100     200     500     2000    2000    2000
Administrators                                   10      20      100     100     200     500
Administrator access profiles                    10      20      100     100     200     500
RADIUS servers                                   6       6       6       6       6       6
RADIUS authentication groups                     6       6       6       6       6       6
RADIUS servers per authentication group          6       6       6       6       6       6
Static routes                                    32      32      32      32      32      32
SMB shares                                       16      32      64      64      64      64
SMB users                                        16      32      64      64      64      64
SMB groups                                       16      32      64      64      64      64
SMB users per group                              16      32      64      64      64      64
SMB read-only users & groups per share           16      32      64      64      64      64
SMB read-write users & groups per share          16      32      64      64      64      64
NFS exports                                      16      32      64      64      64      64
NFS RO clients per export                        16      32      64      64      64      64
NFS RW clients per export                        16      32      64      64      64      64
Registered log devices (FGT/FMG/FML/SL+FC)       100     200     500     2000    2000    2000
HA members per log device                        5       5       5       5       5       5
Log device groups                                50      100     250     1000    1000    1000
Log devices per device group                     100     200     500     2000    2000    2000
Unregistered log devices                         100     200     500     2000    2000    2000
Blocked log devices                              100     200     500     2000    2000    2000
Report LDAP servers                              6       6       6       6       6       6
Report IP aliases                                256     256     512     512     512     512
Report schedules                                 250     250     500     500     750     1000
Report layouts                                   250     250     500     500     750     1000
Objects/queries per report layout                500     500     500     500     500     500
Report outputs                                   250     250     500     500     750     1000
Report filters                                   250     250     500     500     750     1000
Report datasets                                  250     250     500     500     750     1000
Outputs per report dataset                       3       3       3       3       3       3
Report custom charts                             250     250     500     500     750     1000
SQL report layouts                               1000    1000    1000    1000    1000    1000
SQL report chart templates                       1000    1000    1000    1000    1000    1000
SQL report datasets                              1000    1000    1000    1000    1000    1000
SQL report components per layout                 500     500     500     500     500     500
Alerts/SNMP managers (CmdGens/NotRcvrs)          31      31      31      31      31      31
Alerts/SNMP managers per community               10      10      10      10      10      10
Alerts email servers                             1       8       16      16      32      32
Alerts syslog servers                            1       8       16      16      32      32
Alerts events                                    10      100     100     100     256     256
Alerts destinations per event                    16      16      32      32      64      64
Network vulnerability scan assets                200     500     1000    2000    65535   65535
Network vulnerability scans                      80      160     160     320     400     640
Administrator sessions                           300     300     300     300     300     300
NTP servers                                      20      20      20      20      20      20
External SQL database size limit                 1000    2000    4000    4000    8000    24000

a. The FortiAnalyzer 100B and 100C do not support Administrative Domains (ADOMs).

Appendix C: SQL Log Databases

Querying FortiAnalyzer SQL log databases

The FortiAnalyzer unit supports local PostgreSQL and remote MySQL databases for storage of
log tables.

To create a report based on the FortiGate log messages in a local or remote database, you can
use either the predefined datasets, or create your own custom datasets by querying the log
messages in the SQL database on the FortiAnalyzer unit.

This appendix describes the procedure for creating datasets, and describes the fields in each
type of log table to assist in writing SQL queries.

The supported SQL commands depend on your SQL database. If you use a local PostgreSQL
database, refer to the PostgreSQL user documentation for the command syntax. If you use a
remote MySQL database, refer to the MySQL user documentation for the command syntax.

This section contains the following topics:

• Creating datasets
• SQL tables
• Examples

Creating datasets

The following procedure describes how to create datasets in the Web-based Manager. You can
also use the CLI command config sql-report dataset to create datasets. For details, see the
FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference and the "Examples" section.

To create a custom dataset in the Web-based Manager:

1. Enable the SQL database for log storage in System > Config > SQL Database. For
   information on selecting the storage method, see "Configuring SQL database storage" on
   page 118.
2. Go to Report > Advanced > Data Set.
3. Select Create New.
4. Configure the following, then select OK.

Figure 215: Create a new data set window

5. Configure the following settings:

Name
    Enter the name for the dataset.

Log Type ($log)
    Enter the type of logs to be used for the dataset. $log is used in the SQL query to
    represent the log type you select, and the query is run against all tables of this type.

SQL Query
    Enter the SQL query syntax to retrieve the log data you want from the SQL database.

    Different SQL systems use different query syntaxes for date/time formats. The
    FortiAnalyzer unit uses PostgreSQL as the local database and supports MySQL as the
    remote database. To facilitate querying in both MySQL and PostgreSQL systems, you can
    use the following default date/time macros and query syntaxes for the corresponding
    time period you choose:

    • Hour_of_day: For example, you can select Yesterday for the Time Period and enter the
      syntax "select $hour_of_day as hourstamp, count(*) from $log where $filter group by
      hourstamp order by hourstamp".
    • Day_of_week: For example, you can select This Week for the Time Period and enter the
      syntax "select $day_of_week as datestamp, count(*) from $log where $filter group by
      datestamp order by datestamp".
    • Day_of_month: For example, you can select This Month for the Time Period and enter
      the syntax "select $day_of_month as datestamp, count(*) from $log where $filter group
      by datestamp order by datestamp".
    • Week_of_year: For example, you can select This Year for the Time Period and enter the
      syntax "select $week_of_year as weekstamp, count(*) from $log where $filter group by
      weekstamp order by weekstamp".
    • Month_of_year: For example, you can select This Year for the Time Period and enter
      the syntax "select $month_of_year as monthstamp, count(*) from $log where $filter
      group by monthstamp order by monthstamp".

    The results of running the queries display the date and time first, followed by the log
    data.

To test a SQL query:

1. Follow the procedures in "To create a custom dataset in the Web-based Manager:" on
   page 321.
2. After entering the SQL query, select Test.
   The SQL query console opens.

Figure 216: SQL query console window

3. Configure the following settings:

Test
    Select to test whether or not the SQL query is successful. See "To test a SQL query:" on
    page 323.

Device
    Select a specific FortiGate unit, FortiMail unit, or FortiClient installation, or select all
    devices, to apply the SQL query to.

VDom
    If you want to apply the SQL query to a FortiGate VDOM, enter the name of the VDOM.
    Then use $filter in the "where" clause of the SQL query to limit the results to the
    FortiGate VDOM you specify.

Time Period ($filter)
    Select to query the logs from a time frame, or select Specified and define a custom time
    frame by selecting the Begin Time and End Time. Then use $filter in the "where" clause of
    the SQL query to limit the results to the period you select.

Past N Hours/Days/Weeks
    If you selected Past N Hours/Days/Weeks for Time Period, enter the number.

Begin Time
    Enter the date (or use the calendar icon) and time of the beginning of the custom time
    range.
    This option appears only when you select Specified in the Time Period ($filter) field.

End Time
    Enter the date (or use the calendar icon) and time of the end of the custom time range.
    This option appears only when you select Specified in the Time Period ($filter) field.

SQL Query
    Enter the SQL query to retrieve the log data you want from the SQL database.

Run
    Select to execute the SQL query.
    The results display. If the query is not successful, see "Troubleshooting" on page 324.

Clear
    Select to remove the displayed query results.

Save Options
    Select to save the SQL query console configuration to the dataset configuration.
    The Device and VDOM configurations are not used by the dataset configuration.

Close
    Select to return to the dataset configuration page.

4. Select Run to proceed.

Troubleshooting

If the query is unsuccessful, an error message appears in the results window indicating the
cause of the problem.

SQL statement syntax errors

Here are some example error messages and possible causes:

You have an error in your SQL syntax (remote/MySQL) or ERROR: syntax error at or near...
(local/PostgreSQL)

• Check that SQL keywords are spelled correctly, and that the query is well-formed.
• Table and column names are demarcated by grave accent (`) characters. Single (') and double
  (") quotation marks will cause an error.

No data is covered.

• The query is correctly formed, but no data has been logged for the log type. Check that you
  have configured the FortiAnalyzer unit to save that log type. Under System > Config > SQL
  Database, make sure that the log type is checked.

Connection problems

If well-formed queries do not produce results, and logging is turned on for the log type, there
may be a database configuration problem with the remote database.

Ensure that:

• MySQL is running and using the default port 3306.
• You have created an empty database and a user with create permissions for the database.

Here is an example of creating a new MySQL database named fazlogs and adding a user for
the database:

    # mysql -u root -p
    mysql> Create database fazlogs;
    mysql> Grant all privileges on fazlogs.* to 'fazlogger'@'%' identified by 'fazpassword';
    mysql> Grant all privileges on fazlogs.* to 'fazlogger'@'localhost' identified by 'fazpassword';

The '%' host wildcard allows fazlogger to connect from any host; where possible, replace it
with the FortiAnalyzer unit's IP address, and use a stronger password than the one in the
example.

SQL tables

The FortiAnalyzer unit creates a database table for each managed device and each log type
when there is log data. If the FortiAnalyzer unit is not receiving data from a device, or logging is
not enabled under System > Config > SQL Database, it does not create log tables for that
device.

SQL tables follow the naming convention [Device Name]-[SQL table type]-[time-stamp], where
the SQL table type is one of the types listed in Table 21.

To view all the named tables created in a database, you can use:

• local (PostgreSQL) database: SELECT * FROM pg_tables
• remote (MySQL): SHOW TABLES

The names of all created tables and their types are stored in a master table named table_ref.

The timestamp portion of the table name depends on the FortiAnalyzer unit firmware release. It
is either the creation time of the table (in releases before 4.2.1) or the timestamp of the log on
disk (in releases 4.2.1 and later).
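As an added example (not FortiAnalyzer's own code), the following Python models how a dataset query written with the $log, $filter and date/time macros described under SQL Query above could be expanded against tables named by this convention. The SQL substituted for each macro, the table_ref contents, the device names and the "Yesterday" date are all assumptions made here.

```python
"""Expand a FortiAnalyzer-style dataset query into concrete SQL.

Added example, not FortiAnalyzer code. It models the conventions in this
appendix: one table per device and log type named
[Device Name]-[SQL table type]-[time-stamp], a $log macro that runs the
query against every table of the selected type, a $filter macro bound to
the selected time period, and per-dialect date/time macros. The SQL
substituted for each macro is an assumption, not the product's expansion.
"""
import re
from datetime import datetime, timedelta, timezone

# Table 21: log type -> SQL table type used in the table name.
TABLE_TYPES = {
    "traffic": "tlog", "event": "elog", "virus": "vlog", "webfilter": "wlog",
    "attack": "alog", "emailfilter": "slog", "dlp": "dlog",
    "app-ctrl": "rlog", "dlp-archive": "clog", "netscan": "nlog",
}

# Assumed expansions. itime (receive time, Table 24) is a timestamp in
# PostgreSQL but an unsigned int (epoch seconds) in MySQL, which is why the
# two dialects need different expressions for the same macro.
DATE_MACROS = {
    "postgresql": {
        "$hour_of_day": "extract(hour from itime)",
        "$day_of_week": "extract(dow from itime)",
        "$day_of_month": "extract(day from itime)",
        "$week_of_year": "extract(week from itime)",
        "$month_of_year": "extract(month from itime)",
    },
    "mysql": {
        "$hour_of_day": "hour(from_unixtime(itime))",
        "$day_of_week": "dayofweek(from_unixtime(itime))",
        "$day_of_month": "dayofmonth(from_unixtime(itime))",
        "$week_of_year": "week(from_unixtime(itime))",
        "$month_of_year": "month(from_unixtime(itime))",
    },
}

NAME_RE = re.compile(r"^(?P<device>.+)-(?P<ttype>[a-z]log)-(?P<stamp>\d+)$")


def parse_table_name(name):
    """Split '<device>-<table type>-<timestamp>' into its parts, or None."""
    m = NAME_RE.match(name)
    return (m.group("device"), m.group("ttype"), m.group("stamp")) if m else None


def tables_for(table_ref, log_type, device=None):
    """Names from table_ref that $log expands to for this log type/device."""
    ttype = TABLE_TYPES[log_type]
    names = []
    for name in table_ref:
        parsed = parse_table_name(name)
        if parsed and parsed[1] == ttype and device in (None, parsed[0]):
            names.append(name)
    return names


def time_filter(dialect, begin, end):
    """Predicate substituted for $filter: [begin, end) on the receive time."""
    if dialect == "postgresql":
        return "itime >= '%s' and itime < '%s'" % (begin.isoformat(sep=" "),
                                                   end.isoformat(sep=" "))
    return "itime >= %d and itime < %d" % (begin.timestamp(), end.timestamp())


def expand_query(template, dialect, table_ref, log_type, begin, end):
    """Return concrete SQL for a dataset query written with the macros.

    $log becomes a UNION ALL over every table of the selected type so that
    GROUP BY aggregates across devices; names are quoted with grave accents,
    which is what the query console expects for table and column names.
    """
    tables = tables_for(table_ref, log_type)
    if not tables:
        raise ValueError("no %s tables in table_ref" % log_type)
    union = " union all ".join("select * from `%s`" % t for t in tables)
    sql = template.replace("$log", "(%s) as log" % union)
    sql = sql.replace("$filter", time_filter(dialect, begin, end))
    for macro, expr in DATE_MACROS[dialect].items():
        sql = sql.replace(macro, expr)
    if "$" in sql:
        raise ValueError("unexpanded macro in query: " + sql)
    return sql


# Constructed table_ref contents and the guide's Hour_of_day query.
SAMPLE_TABLE_REF = ["FGT60B123-tlog-1365638400", "FGT60B123-elog-1365638400",
                    "FG100D456-tlog-1365724800", "FML400-slog-1365724800"]
HOURLY = ("select $hour_of_day as hourstamp, count(*) from $log "
          "where $filter group by hourstamp order by hourstamp")


def yesterday_hourly(dialect, log_type="traffic",
                     today=datetime(2013, 4, 12, tzinfo=timezone.utc)):
    """Expand HOURLY over all tables of log_type with 'Yesterday' selected."""
    begin = today - timedelta(days=1)
    return expand_query(HOURLY, dialect, SAMPLE_TABLE_REF, log_type, begin, today)


if __name__ == "__main__":
    print(yesterday_hourly("postgresql"))
    print(yesterday_hourly("mysql"))
```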

Table 21: Log types and table types

Log Type                      SQL table type   Description
Traffic log                   tlog             The traffic log records all traffic to and through the
                                               FortiGate interface.
Event log                     elog             The event log records management and activity events,
                                               for example, when an administrator logs in to or out of
                                               the web-based manager.
Antivirus log                 vlog             The antivirus log records virus incidents in Web, FTP,
                                               and email traffic.
Webfilter log                 wlog             The web filter log records HTTP FortiGate log rating
                                               errors, including web content blocking actions that the
                                               FortiGate unit performs.
Attack log                    alog             The attack log records attacks that are detected and
                                               prevented by the FortiGate unit.
Spamfilter log                slog             The spam filter log records blocking of email address
                                               patterns and content in SMTP, IMAP, and POP3 traffic.
Data Leak Prevention log      dlog             The data leak prevention log records log data that is
                                               considered sensitive and that should not be made
                                               public. This log also records data that a company does
                                               not want entering its network.
Application Control log       rlog             The application control log records data detected by
                                               the FortiGate unit and the action taken against the
                                               network traffic depending on the application that is
                                               generating the traffic, for example, instant messaging
                                               software such as MSN Messenger.
DLP archive log               clog             The DLP archive log, or clog.log, records all log
                                               messages, including most IM log messages as well as the
                                               following session control protocol (VoIP protocol) log
                                               messages:
                                               • SIP start and end call
                                               • SCCP phone registration
                                               • SCCP call info (end of call)
                                               • SIMPLE log message
Vulnerability Management log  nlog             The vulnerability management log, or netscan log,
                                               contains logging events generated by a network scan.

FortiAnalyzer logs also include log subtypes, which are types of log messages within the main
log type. For example, in the event log type there is the subtype admin log messages.
FortiAnalyzer log types and subtypes are numbered, and these numbers appear within the log
identification field of the log message.

Table 22: Log Sub-types

Log Type                       Sub-Type
traffic (Traffic Log)          • allowed: Policy allowed traffic
                               • violation: Policy violation traffic
                               • Other
event (Event Log)              For FortiGate devices:
                               • system: System activity event
                               • ipsec: IPsec negotiation event
                               • dhcp: DHCP service event
                               • ppp: L2TP/PPTP/PPPoE service event
                               • admin: Admin event
                               • ha: HA activity event
                               • auth: Firewall authentication event
                               • pattern: Pattern update event
                               • alertemail: Alert email notifications
                               • chassis: FortiGate-5000 series chassis event
                               • sslvpn-user: SSL VPN user event
                               • sslvpn-admin: SSL VPN administration event
                               • sslvpn-session: SSL VPN session event
                               • his-performance: Performance statistics
                               • vipssl: VIP SSL events
                               • ldb-monitor: LDB monitor events
dlp (Data Leak Prevention)     • dlp: Data Leak Prevention
app-ctrl (Application          • app-ctrl-all: All application control
Control Log)
DLP archive (DLP Archive Log)  • HTTP: Virus infected
                               • FTP: FTP content metadata
                               • SMTP: SMTP content metadata
                               • POP3: POP3 content metadata
                               • IMAP: IMAP content metadata
virus (Antivirus Log)          • infected: Virus infected
                               • filename: Filename blocked
                               • oversize: File oversized
webfilter (Web Filter Log)     • content: content block
                               • urlfilter: URL filter
                               • FortiGuard block
                               • FortiGuard allowed
                               • FortiGuard error
                               • ActiveX script filter
                               • Cookie script filter
                               • Applet script filter

ips (Attack Log)               • signature: Attack signature
                               • anomaly: Attack anomaly
emailfilter (Spam Filter Log)  • SMTP
                               • POP3
                               • IMAP

Log severity levels

You can define the severity level at which the FortiGate unit records logs when configuring the
logging location. The FortiGate unit logs all messages at and above the logging severity level
you select. For example, if you select Error, the unit logs Error, Critical, Alert, and Emergency
level messages.

The Debug severity level, not shown in Table 23, is rarely used. It is the lowest log severity level
and usually contains firmware status information that is useful when the FortiGate unit is not
functioning properly. Debug log messages are only generated if the log severity level is set to
Debug. Debug log messages are generated by all types of FortiGate features.

Table 23: Log Severity Levels

Level             Description                           Generated by
0 - Emergency     The system has become unstable.       Event logs, specifically administrative
                                                        events, can generate an emergency
                                                        severity level.
1 - Alert         Immediate action is required.         Attack logs are the only logs that
                                                        generate an Alert severity level.
2 - Critical      Functionality is affected.            Event, Antivirus, and Spam filter logs.
3 - Error         An error condition exists and         Event and Spam filter logs.
                  functionality could be affected.
4 - Warning       Functionality could be affected.      Event and Antivirus logs.
5 - Notification  Information about normal events.      Traffic and Web Filter logs.
6 - Information   General information about system     Content Archive, Event, and Spam filter
                  operations.                           logs.
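The following Python is an added example (not FortiAnalyzer code) that applies the severity rule above ("at and above the selected level") and the log_id layout described for the common fields in Table 24 below to rows in the shape of the common fields. The sample rows and their log_id values are constructed, not taken from the FortiGate Log Message Reference.

```python
"""Severity thresholds and log_id decoding for rows from the log tables.

Added example, not FortiAnalyzer code. SEVERITY follows Table 23, with
Debug appended as the lowest level as the text describes; decode_log_id
follows the log_id description in Table 24 (two digits of type, two of
subtype, then the message id). Sample rows below are constructed.
"""
from collections import Counter

# Table 23 order: 0 = Emergency (most severe) ... 6 = Information; Debug below.
SEVERITY = ["emergency", "alert", "critical", "error", "warning",
            "notification", "information", "debug"]


def severity_number(name):
    """Numeric level for a pri value such as 'Warning'; raises on unknown."""
    return SEVERITY.index(name.strip().lower())


def is_recorded(pri, configured):
    """True if a message of priority pri is kept when the FortiGate logging
    severity is set to configured: everything at and above it is recorded."""
    return severity_number(pri) <= severity_number(configured)


def decode_log_id(log_id):
    """Split a log_id into (type digits, subtype digits, message id).

    The value is zero-padded to ten digits before slicing, so short ids
    such as 13 decode as type '00', subtype '00', message id 13.
    """
    digits = "%010d" % int(log_id)
    return digits[0:2], digits[2:4], int(digits[4:])


def summarize(rows, configured):
    """Count rows at or above the configured severity by (type, subtype)."""
    counts = Counter()
    for row in rows:
        if is_recorded(row["pri"], configured):
            counts[(row["type"], row["subtype"])] += 1
    return counts


# Constructed rows in the shape of the common fields; log_id values are
# illustrative only.
SAMPLE_ROWS = [
    {"type": "event", "subtype": "admin", "pri": "information", "log_id": 100032001},
    {"type": "event", "subtype": "admin", "pri": "warning", "log_id": 100032002},
    {"type": "ips", "subtype": "signature", "pri": "alert", "log_id": 400016384},
    {"type": "traffic", "subtype": "allowed", "pri": "notification", "log_id": 13},
    {"type": "virus", "subtype": "infected", "pri": "critical", "log_id": 200008192},
]


def sample_summary(configured="warning"):
    """Summary of SAMPLE_ROWS for a given configured severity."""
    return summarize(SAMPLE_ROWS, configured)


if __name__ == "__main__":
    print(sample_summary("warning"))
    print([decode_log_id(r["log_id"]) for r in SAMPLE_ROWS])
```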

Log fields in each table

This section describes the fields of each log table stored in an SQL database. Because of
differences in SQL dialects, some fields have different types depending on whether they are
stored locally or remotely.

The tables described in this section are:

• Common log fields
• Application control log fields
• Attack log fields
• DLP archive / content log fields
• DLP log fields
• Email filter log fields
• Event log fields
• Traffic log fields
• Antivirus log fields
• Web filter log fields
• Netscan log fields

Common log fields

All log tables share some common fields, described in Table 24.

Table 24: Common fields

Each entry gives the field name, its type in PostgreSQL and in MySQL, the tables it appears in,
and its description.

id
    PostgreSQL: int not null primary key | MySQL: int unsigned not null primary key | Tables: all
    ID / primary key for the record.

itime
    PostgreSQL: timestamp | MySQL: int unsigned | Tables: all
    The time the log event was received by the FortiAnalyzer.

dtime
    PostgreSQL: timestamp | MySQL: int unsigned | Tables: all
    The time the log event was generated on the device.

cluster_id
    PostgreSQL: varchar(24) | MySQL: varchar(24) | Tables: all
    The HA cluster ID if the FortiGate runs in HA mode.

device_id
    PostgreSQL: varchar(16) | MySQL: varchar(16) | Tables: all
    The serial number of the device.

log_id
    PostgreSQL: int default 0 | MySQL: smallint unsigned default 0 | Tables: all
    A ten-digit number. The first two digits represent the log type and the following two digits
    represent the log subtype. The last one to five digits are the message id. For more detail
    about what the combination of type, subtype and message ID means, see the FortiGate Log
    Message Reference.

subtype
    PostgreSQL: varchar(255) | MySQL: varchar(255) | Tables: all
    The subtype of the log message. The possible values of this field depend on the log type.
    See Table 22 for a list of subtypes associated with each log type.

type
    PostgreSQL: varchar(255) | MySQL: varchar(255) | Tables: all
    The log type.

timestamp
    PostgreSQL: int default 0 | MySQL: int unsigned default 0 | Tables: all
    Timestamp for the event.

pri
    PostgreSQL: varchar(255) | MySQL: varchar(255) | Tables: all
    The log priority level. See Table 23 for a list of priority levels and the log types that
    generate them.

vd
    PostgreSQL: varchar(255) | MySQL: varchar(255) | Tables: all
    The virtual domain where the traffic was logged. If no virtual domains are enabled and
    configured, this field contains the virtual domain root.

user
    PostgreSQL: varchar(255) | MySQL: varchar(255) | Tables: all except nlog
    The name of the user creating the traffic.

group
    PostgreSQL: varchar(255) | MySQL: varchar(255) | Tables: all except nlog
    The name of the group creating the traffic.

src
    PostgreSQL: varchar(40) (255 for alog) | MySQL: varchar(40) (255 for alog) | Tables: all except nlog
    The source IP address.

dst
    PostgreSQL: varchar(40) (255 for alog) | MySQL: varchar(40) (255 for alog) | Tables: all except nlog
    The destination IP address.

src_port
    PostgreSQL: int default 0 | MySQL: smallint unsigned default 0 | Tables: all except nlog
    The source port of the TCP or UDP traffic. The source port is zero for other types of traffic.

dst_port
    PostgreSQL: int default 0 | MySQL: smallint unsigned default 0 | Tables: all except nlog
    The destination port number of the TCP or UDP traffic. The destination port is zero for
    other types of traffic.

src_int
    PostgreSQL: varchar(255) | MySQL: varchar(255) | Tables: all except clog and nlog
    The interface where the through traffic comes in. For outgoing traffic originating from the
    firewall, it is "unknown".

dst_int
    PostgreSQL: varchar(255) | MySQL: varchar(255) | Tables: all except clog and nlog
    The interface where the through traffic goes out to the public network or Internet. For
    incoming traffic to the firewall, it is "unknown".

policyid
    PostgreSQL: bigint default 0 | MySQL: int unsigned default 0 | Tables: all except nlog
    The ID number of the firewall policy that applies to the session or packet. Any policy that is
    automatically added by the FortiGate will have an index number of zero. For more
    information, see the Knowledge Base article, Firewall policy=0.

service
    PostgreSQL: varchar(255) | MySQL: varchar(255) | Tables: all except clog
    The service where the activity or event occurred, for example on a web page using HTTP
    or HTTPS. This field is an enum, and can have one of the following values: http, https,
    smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, nntp, im, smtps, pop3s, or imaps.

identidx
    PostgreSQL: bigint default 0 | MySQL: int unsigned default 0 | Tables: all except nlog
    The identity index number.

profile
    PostgreSQL: varchar(255) | MySQL: varchar(255) | Tables: all except dlog, tlog, and nlog
    The protection profile associated with the firewall policy that the traffic used when the log
    message was recorded.

profiletype
    PostgreSQL: varchar(255) | MySQL: varchar(255) | Tables: all except dlog, tlog, and nlog
    The type of profile associated with the firewall policy that the traffic used when the log
    message was recorded.

profilegroup
    PostgreSQL: varchar(255) | MySQL: varchar(255) | Tables: all except dlog, tlog, and nlog
    The profile group associated with the firewall policy that the traffic used when the log
    message was recorded.

Application control log fields

The table below lists the fields defined in application control log tables (type rlog).

Table 25: Application control log fields

Each entry gives the field name, its type in PostgreSQL and in MySQL, and its description.

status
    PostgreSQL: varchar(255) | MySQL: varchar(255)
    The status of the action the FortiGate unit took when the event occurred. For application
    control logs, this field can be: request, cancel, accept, fail, download, stop, start, end,
    timeout, blocked, succeeded, failed, authentication-required, pass, or block.

carrier_ep
    PostgreSQL: varchar(255) | MySQL: varchar(255)
    The FortiOS Carrier end-point identification. For example, it would display the MSISDN of
    the phone that sent the MMS message. This field always displays N/A in FortiOS.

kind
    PostgreSQL: varchar(255) | MySQL: varchar(255)
    This field is an enum, and can be one of the following values: login, chat, file, photo, audio,
    call, regist, unregister, call-block, request, or response.

dir
    PostgreSQL: varchar(255) | MySQL: varchar(255)
    The direction of the traffic. This field is an enum, and can be one of the following: incoming,
    outgoing, or N/A.

src_name
    PostgreSQL: varchar(255) | MySQL: varchar(255)
    The name of the source or the source IP address.

dst_name
    PostgreSQL: varchar(255) | MySQL: varchar(255)
    The destination name or destination IP address.

proto
    PostgreSQL: int default 0 | MySQL: smallint unsigned default 0
    The protocol number that applies to the session or packet: the protocol number in the
    packet header that identifies the next-level protocol. Protocol numbers are assigned by the
    Internet Assigned Numbers Authority (IANA).

serial
    PostgreSQL: bigint default 0 | MySQL: int unsigned default 0
    Serial number of the log message.

app_list
    PostgreSQL: varchar(255) | MySQL: varchar(255)
    The application control list (under UTM > Application Control > Application Control List on
    the FortiGate unit) that contains the policy that triggered this log item.

SQL Log Databases Page 331 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 332: Fortianalyzer Admin 40 Mr3

Attack log fields

The table below lists the fields defined in attack log tables (type alog).

app_type varchar(255) varchar(255) The application category.

app varchar(255) varchar(255) The application name. You can look the application type up in

UTM > Application Control > Application List, and then select the

name that is in the field to go to more detailed information on the

FortiGuard Encyclopedia.

action varchar(255) varchar(255) The action the FortiGate unit took for this session or packet.

This field is an enum and can be one of the following values:

pass, block, monitor, kickout, encrypt-kickout, or reject.

count bigint default 0 int unsigned

default 0

Total number of blocked applications.

filename varchar(255) varchar(255) The file name associated with the blocked application.

filesize bigint default 0 int unsigned

default 0

The file size of the file.

message varchar(255) varchar(255) The blocked message of chat applications.

content varchar(255) varchar(255) Content of the blocked applications.

reason varchar(255) varchar(255) The reason why the log was recorded.

This field is an enum, and can be one of the following values:

meter-overload-drop, meter-overload-refuse, rate-limit,

dialog-limit, long-header, unrecognized-form, unknown,

block-request, invalid-ip, or exceed-rate.

req varchar(255) varchar(255) Request.

phone varchar(255) varchar(255) Phone number of the blocked application.

msg varchar(255) varchar(255) Explains why the log was recorded.

attack_id bigint default 0 int unsigned

default 0

Attack ID.

Table 25:Application control log fields (continued)

Table 26:Attack log fields

Field Type Description

PostgreSQL MySQL

status varchar(255) varchar(255) The status of the action the FortiGate unit took when the event

occurred.

For attack logs, this field can be: detected, dropped, reset,

reset_client, reset_server, drop_session, pass_session, or

clear_session.

serial bigint default 0 int unsigned

default 0

The serial number of the log message.

SQL Log Databases Page 332 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 333: Fortianalyzer Admin 40 Mr3

DLP archive / content log fields

The table below lists the fields defined in application DLP / Content log tables (type clog).

attack_id bigint default 0 int unsigned

default 0

The identification number of the attack log message.

severity varchar(255) varchar(255) The specified severity level of the attack.

This field is an enum, and can have one of the following values:

info, low, medium, high, or critical.

carrier_ep varchar(255) varchar(255) The FortiOS Carrier end-point identification. For example, it

would display the MSISDN of the phone that sent the MMS

message. If you do not have FortiOS Carrier, this field always

display N/A.

sensor varchar(255) varchar(255) The DLP sensor that was used.

icmp_id varchar(255) varchar(255) The Internet Control Message Protocol (ICMP) message ID

(returned for ECHO REPLY).

icmp_type varchar(255) varchar(255) The ICMP message type.

icmp_code varchar(255) varchar(255) The ICMP message code.

proto smallint

default 0

tinyint

unsigned

default 0

The protocol of the event.

ref varchar(255) varchar(255) A reference URL to the Fortiguard IPS database for more

information about the attack.

count bigint default 0 int unsigned

default 0

The number of times that attack was detected within a short

period of time. This is useful when the attacks are DoS attacks.

incident_seria

lno

bigint default 0 int unsigned

default 0

The unique ID for this attack. This number is used for

cross-references IPS packet logs.

msg varchar(255) varchar(255) Explains the activity or event that the FortiGate unit recorded. In

this example, an attack occurred that could have caused a

system crash.
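The attack log fields above are what a custom report has to work with. The following is an added example, not code from the guide or from Fortinet: it builds a table from the Table 26 columns in SQLite (standing in for the PostgreSQL or MySQL backend), loads a few constructed rows, and reports signatures by summed `count`. The table name `alog` is assumed from the log type, and the attack_id and incident_serialno values are placeholders, not real FortiGuard identifiers.

```python
"""Report on attack-log (type alog) rows using the Table 26 fields.

Added example; not FortiAnalyzer code. SQLite stands in for the PostgreSQL or
MySQL backend, and the table name `alog` is assumed (the guide names the log
type, not the table). Every row below is constructed sample data."""
import sqlite3

# Columns from Table 26 with SQLite equivalents of the documented types.
ALOG_DDL = """
CREATE TABLE alog (
    status            TEXT,               -- detected, dropped, reset, ... (Table 26)
    serial            INTEGER DEFAULT 0,  -- serial number of the log message
    attack_id         INTEGER DEFAULT 0,  -- identification number of the attack
    severity          TEXT,               -- info, low, medium, high, critical
    sensor            TEXT,
    proto             INTEGER DEFAULT 0,
    ref               TEXT,               -- FortiGuard reference URL (left empty here)
    "count"           INTEGER DEFAULT 0,  -- detections within a short period
    incident_serialno INTEGER DEFAULT 0,  -- cross-reference to IPS packet logs
    msg               TEXT
)
"""

# Constructed rows: attack_id and incident_serialno values are placeholders.
SAMPLE_ROWS = [
    # status     serial attack_id severity    sensor     proto ref count incident msg
    ("dropped",  101,   11111,    "critical", "default", 6,    "", 40,   5001, "constructed signature A"),
    ("dropped",  102,   11111,    "critical", "default", 6,    "", 35,   5002, "constructed signature A"),
    ("detected", 103,   22222,    "high",     "default", 17,   "", 1,    5003, "constructed signature B"),
    ("reset",    104,   22222,    "high",     "default", 17,   "", 2,    5004, "constructed signature B"),
    ("detected", 105,   33333,    "low",      "default", 6,    "", 500,  5005, "constructed signature C"),
]


def load_sample_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(ALOG_DDL)
    conn.executemany("INSERT INTO alog VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def top_attacks(conn, min_detections=10, severities=("high", "critical")):
    """Signatures whose detections reach min_detections at the given severities.

    `count` is summed rather than rows counted: Table 26 says one row can stand
    for many detections within a short period, which is exactly the DoS case.
    Each result is (attack_id, severity, detections, log_rows, first_incident)."""
    marks = ",".join("?" * len(severities))
    sql = f"""
        SELECT attack_id, severity,
               SUM("count")           AS detections,
               COUNT(*)               AS log_rows,
               MIN(incident_serialno) AS first_incident
        FROM alog
        WHERE severity IN ({marks})
        GROUP BY attack_id, severity
        HAVING SUM("count") >= ?
        ORDER BY detections DESC, attack_id
    """
    return conn.execute(sql, (*severities, min_detections)).fetchall()


def status_breakdown(conn, attack_id):
    """How the unit handled one signature: {status: summed count}."""
    rows = conn.execute(
        'SELECT status, SUM("count") FROM alog WHERE attack_id = ? GROUP BY status',
        (attack_id,),
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = load_sample_db()
    for row in top_attacks(db):
        print(row, status_breakdown(db, row[0]))
```

Against a real backend the same two queries apply unchanged apart from the connection; `incident_serialno` in the result is the handle the guide says to use when pulling the matching IPS packet logs.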

DLP archive / content log fields

The table below lists the fields defined in DLP archive / content log tables (type clog).

Table 27: DLP archive/content log fields

| Field | PostgreSQL type | MySQL type | Description |
|---|---|---|---|

| status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. |
| clogver | smallint default 0 | tinyint unsigned default 0 | The version of the content log. |
| epoch | bigint default 0 | int unsigned default 0 | The unique number for each archive. It is used for cross reference purposes. |
| eventid | bigint default 0 | int unsigned default 0 | The ID of the archive event. |
| SN | bigint default 0 | int unsigned default 0 | The session number. |
| endpoint | varchar(255) | varchar(255) | The ID of the endpoint, such as MSISDN or account ID. |
| client | varchar(40) | varchar(40) | The IP of the client. |
| server | varchar(40) | varchar(40) | The IP of the server. |
| laddr | varchar(40) | varchar(40) | The local IP. |
| raddr | varchar(40) | varchar(40) | The remote IP. |
| cstatus | varchar(255) | varchar(255) | The cstatus field can be any one of the following: clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter (FortiOS Carrier only), mass_mms (FortiOS Carrier only), dlp, fragmented, spam, im_summary, im-message, im_file_request (a file was transferred), im_file_accept (a file was accepted), im_file_cancel, im_voice (an IM voice chat), im_photo_share_request (a photo was shared), im_photo_share_cancel, im_photo_share_stop, im_photo_xfer (a photo was transferred during the chat), voip, or error. |
| infection | varchar(255) | varchar(255) | The infection type. This field is an enum, and can be one of the following: bblock, fileexempt, file intercept, mms block, carrier end point filter, mms flood, mms duplicate, virus, virusrm, heuristic, html script, script filter, banned word, exempt word, oversize, virus, heuristic, worm, mime block, fragmented, exempt, ip blacklist, dnsbl, FortiGuard - AntiSpam ip blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard - AntiSpam ase block, banned word, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, dlpban, pass, or mms content checksum. |
| virus | varchar(255) | varchar(255) | The virus name. |
| rcvd | bigint default 0 | int unsigned default 0 | The number of bytes that were received from the client. |
| sent | bigint default 0 | int unsigned default 0 | The number of bytes that were received from the server. |
| method | varchar(255) | varchar(255) | The type of HTTP command used. For example, GET. |
| url | varchar(255) | varchar(255) | The URL address of the web site that was accessed. |
| cat | varchar(255) | varchar(255) | The http/https category. |
| cat_desc | varchar(255) | varchar(255) | The http/https category description. |
| to | varchar(255) | varchar(255) | To. |
| from | varchar(255) | varchar(255) | From. |
| subject | varchar(255) | varchar(255) | Subject. |
| direction | varchar(255) | varchar(255) | Incoming or outgoing. |
| attachment | smallint default 0 | tinyint unsigned default 0 | Mail attachment present. |
| ftpcmd | varchar(255) | varchar(255) | The FTP command. This field is an enum and can be one of: NONE, USER, PASS, ACCT, STOR, RETR, or QUIT. |
| file | varchar(255) | varchar(255) | The archive file name. |
| local | varchar(255) | varchar(255) | The local user. |
| remote | varchar(255) | varchar(255) | The remote user. |
| proto | varchar(255) | varchar(255) | The protocol. |
| kind | varchar(255) | varchar(255) | The kind field can be any one of the following: summary, chat, file (a file was transferred), photo (photo sharing), photo-xref (a photo was transferred), audio (a voice chat), oversize (an oversized file), fileblock (a file was blocked), fileexempt, virus, dlp, call-block (SIP call blocked), call-info (SIP call information), call (SIP call), register (SIP register), or unregister (SIP unregister). |
| action | varchar(255) | varchar(255) | The action. |
| dir | varchar(255) | varchar(255) | The direction, either "inbound" or "outbound". |
| messages | bigint default 0 | int unsigned default 0 | The message number. |
| start-date | varchar(255) | varchar(255) | The local start date. |
| end-date | varchar(255) | varchar(255) | The local end date. |
| content | varchar(255) | varchar(255) | IM chat content. |
| filename | varchar(255) | varchar(255) | File name. |
| filesize | bigint default 0 | int unsigned default 0 | File size. |
| message | varchar(255) | varchar(255) | Message. |
| conn-mode | varchar(255) | varchar(255) | Connection mode. |
| heuristic | varchar(255) | varchar(255) | Heuristic. |
| duration | bigint default 0 | int unsigned default 0 | The duration of the session. |
| reason | varchar(255) | varchar(255) | The reason. |
| phone | varchar(255) | varchar(255) | Phone number. |
| dlp_sensor | varchar(255) | varchar(255) | DLP sensor. |
| message_type | varchar(255) | varchar(255) | The message type. This field is an enum, and can be one of: request or response. |
| request_name | varchar(255) | varchar(255) | Request name. |
| malform_desc | varchar(255) | varchar(255) | Malformed content description. This field is an enum, and can be one of the values listed in Table 28 on page 338. |
| malform_data | bigint default 0 | int unsigned default 0 | Malformed data. |
| line | varchar(255) | varchar(255) | Line. |
| column | bigint default 0 | int unsigned default 0 | Column. |

Table 28: Values for malform-desc

• <att-field>-expected
• <att-value>-expected
• <bandwidth>-expected
• <bwtype>-expected
• <callid>-expected
• <CSeq-num>-expected
• <delta-seconds>-expected
• <encoding-name>-expected-in-rtpmap
• <fmt>-expected
• <gen-value>-expected
• <generic-param>-with-invalid-<gen-value>
• <integer>-expected
• <m-attribute>-expected-after-SEMI
• <m-subtype>-expected
• <m-type>-expected
• <media>-expected
• <method>-does-not-match-the-request-line
• <method>-expected
• <Method>-expected-after-<CSeq-num>
• <payload-type>-expected-in-rtpmap
• <proto>-expected
• <repeat-interval>-expected
• <response-num>-expected
• <seq>-number-expected
• <sess-id>-expected
• <sess-version>-expected
• <text>-expected
• <time>-expected
• <token>-expected-in-<proto>-after-slash
• <typed-time>-expected
• <username>-expected
• <word>-expected
• boundary-parameter-appears-more-than-once
• colon-expected
• digits-expected
• domain-label-oversize
• domain-name-invalid
• domain-name-oversize
• duplicated-sip-header
• empty-quoted-string
• end-of-line-error
• EQUAL-expected-after-<m-attribute>
• expires-header-repeated
• header-line-oversize
• header-parameter-expected
• IN-expected
• invalid-<clock-rate>-in-rtpmap
• invalid-<encoding-parameters>-in-rtpmap
• invalid-<gen-value>
• invalid-<m-value>
• invalid-<protocol-name>
• invalid-<protocol-version>
• invalid-<quoted-string>-in-<gen-value>
• invalid-<quoted-string>-in-<m-value>
• invalid-<SIP-Version>-on-request-line
• invalid-<start-time>
• invalid-<stop-time>
• invalid-<transport>
• invalid-<userinfo>
• invalid-branch-parameter
• invalid-candidate-line
• invalid-escape-encoding-in-<reason-phrase>
• invalid-escape-encoding-in-<userinfo>
• invalid-escape-encoding-in-uri-header
• invalid-escape-encoding-in-uri-parameter
• invalid-expires-parameter
• invalid-fqdn
• invalid-ipv4-address
• invalid-ipv6-address
• invalid-maddr-parameter
• invalid-max-forwards
• invalid-method-uri-parameter
• invalid-port
• invalid-port-after-ip-address-in-alt-line
• invalid-port-after-ip-address-in-candidate-line
• invalid-port-in-rtcp-line
• invalid-q-parameter
• invalid-quoted-string-in-display-name
• invalid-quoting-character
• invalid-received-parameter
• invalid-rport-parameter
• invalid-status-code
• invalid-tag-parameter
• invalid-transport-uri-parameter
• invalid-ttl-parameter
• invalid-ttl-uri-parameter
• invalid-uri-header-name
• invalid-uri-header-name-value-pair
• invalid-uri-header-value
• invalid-uri-parameter-pname
• invalid-uri-parameter-value
• invalid-user-uri-parameter
• IP-expected
• IP4-or-IP6-expected
• ipv4-address-expected
• IPv4-or-IPv6-address-expected
• ipv6-address-expected
• left-angle-bracket-is-mandatory
• line-order-error
• LWS-expected
• missing-mandatory-field
• msg-body-oversize
• multipart-Content-Type-has-no-boundary
• no-matching-double-quote
• no-METHOD-on-request-line
• no-SLASH-after-<protocol-name>
• no-SLASH-after-<protocol-version>
• no-tag-parameter
• o-line-not-allowed-on-media-level
• port-expected
• port-not-allowed
• r-line-not-allowed-on-media-level
• right-angle-bracket-not-found
• s-line-not-allowed-on-media-level
• sdp-alt-line-before-m-line
• sdp-candidate-line-before-m-line
• sdp-invalid-alt-line
• sdp-rtcp-line-before-m-line
• sdp-v-o-s-t-lines-are-mandatory
• sip-udp-message-truncated
• sip-Yahoo-candidate-invalid-protocol
• slash-expected-after-<encoding-name>-in-rtpmap
• SLASH-expected-after-<m-type>
• space-violation
• syntax-malformed
• t-line-not-allowed-on-media-level
• token-expected
• too-many-c-lines
• too-many-candidate-lines
• too-many-i-lines
• too-many-m-lines
• too-many-o-lines
• too-many-rtcp-lines
• too-many-s-lines
• too-many-v-line
• trailing-bytes
• unexpected-character
• unknown-header
• unknown-scheme
• uri-expected
• uri-parameter-repeat
• uri-parameters-not-allowed-by-RFC
• v-line-not-allowed-on-media-level
• via-parameter-repeat
• whitespace-expected
• z-line-not-allowed-on-media-level

DLP log fields

The table below lists the fields defined in data leak prevention log tables (type dlog).

Table 29: DLP log fields

| Field | PostgreSQL type | MySQL type | Description |
|---|---|---|---|
| status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For DLP logs, this field can be: detected or blocked. |
| service | varchar(255) | varchar(255) | The service where the activity or event occurred. For DLP logs, this field is an enum, and can have one of the following values: http, https, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, nntp, im, smtps, pop3s, or imaps. |
| serial | bigint default 0 | int unsigned default 0 | The serial number of the log message. |
| sport | int default 0 | smallint unsigned default 0 | The source port. |
| dport | int default 0 | smallint unsigned default 0 | The destination port. |
| hostname | varchar(255) | varchar(255) | The host name or IP address. |
| url | varchar(255) | varchar(255) | The URL address of the web site that was visited. |
| from | varchar(255) | varchar(255) | The sender’s email address. |
| to | varchar(255) | varchar(255) | The receiver’s email address. |
| msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. |
| rulename | varchar(255) | varchar(255) | The name of the rule within the DLP sensor. |
| compoundname | varchar(255) | varchar(255) | The compound name. |
| action | varchar(255) | varchar(255) | The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only. This field is an enum, and can have one of the following values: log-only, block, exempt, ban, ban sender, quarantine ip, or quarantine interface. |
| severity | smallint default 0 | tinyint unsigned default 0 | The level of severity for the specified rule. |

Email filter log fields

The table below lists the fields defined in email filter log tables (type slog).

Table 30: Email filter log fields

| Field | PostgreSQL type | MySQL type | Description |
|---|---|---|---|
| status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For email filter logs, this field can be: exempted, blocked, or detected. |
| service | varchar(255) | varchar(255) | The service where the activity or event occurred. For DLP logs, this field is an enum, and can have one of the following values: http, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, im, nntp, https, smtps, imaps, or pop3s. |
| serial | bigint default 0 | int unsigned default 0 | The serial number of the log message. |
| sport | int default 0 | smallint unsigned default 0 | The source port. |
| dport | int default 0 | smallint unsigned default 0 | The destination port. |
| carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A. |
| from | varchar(255) | varchar(255) | The sender’s email address. |
| to | varchar(255) | varchar(255) | The receiver’s email address. |
| banword | varchar(255) | varchar(255) | The name of the Banned Word policy. |
| tracker | varchar(255) | varchar(255) | Tracker. |
| dir | varchar(255) | varchar(255) | The email direction. This field is an enum, and can have one of the following values: tx or rx. |
| agent | varchar(255) | varchar(255) | This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A. |
| msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. In this example, the sender’s email address is in the blacklist and matches the fourth email address in that list. |
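Every field in Tables 25 through 30 is declared twice, once per backend, and the two declarations do not always cover the same range: `proto` is `int` on PostgreSQL but `smallint unsigned` on MySQL in Table 25, and `smallint` against `tinyint unsigned` in Table 26. The following is an added example, not code from the guide or from Fortinet: it parses the type strings as they are printed in these tables, computes the range a value can take on both backends at once, and audits a constructed row against it. The field-to-type mapping is copied from the tables; the row values are constructed.

```python
"""Check that a log value fits the column type documented for BOTH backends.

Added example, not FortiAnalyzer code. The type strings are the
PostgreSQL/MySQL pairs printed in Tables 25-31; the intersection of the two
ranges is the only range a value can take on either backend without
truncation or an insert error."""
import re

# Integer ranges for the type names used in the field tables. PostgreSQL's
# integer types are signed; the MySQL declarations on the page carry "unsigned".
INT_RANGES = {
    ("tinyint", True):   (0, 2**8 - 1),
    ("smallint", False): (-2**15, 2**15 - 1),
    ("smallint", True):  (0, 2**16 - 1),
    ("int", False):      (-2**31, 2**31 - 1),
    ("int", True):       (0, 2**32 - 1),
    ("bigint", False):   (-2**63, 2**63 - 1),
    ("bigint", True):    (0, 2**64 - 1),
}


def parse_type(spec):
    """Turn a declaration such as 'smallint unsigned default 0',
    'numeric(20) default 0' or 'varchar(40)' into (kind, low, high).
    kind is 'text' (high = max length), 'numeric' (p decimal digits) or 'int'."""
    s = spec.strip().lower()
    m = re.match(r"varchar\((\d+)\)", s)
    if m:
        return ("text", 0, int(m.group(1)))
    m = re.match(r"numeric\((\d+)\)", s)
    if m:
        limit = 10 ** int(m.group(1)) - 1
        return ("numeric", -limit, limit)
    m = re.match(r"(tinyint|smallint|bigint|int)\b(\s+unsigned)?", s)
    if m:
        low, high = INT_RANGES[(m.group(1), m.group(2) is not None)]
        return ("int", low, high)
    raise ValueError(f"unrecognised type declaration: {spec!r}")


def portable_range(pg_type, mysql_type):
    """Intersection of the two backends' ranges for one field."""
    pg_kind, pg_low, pg_high = parse_type(pg_type)
    my_kind, my_low, my_high = parse_type(mysql_type)
    if (pg_kind == "text") != (my_kind == "text"):
        raise ValueError("text on one backend, number on the other")
    return (max(pg_low, my_low), min(pg_high, my_high))


def check_value(field, pg_type, mysql_type, value):
    """Return None when value fits both backends, else a message naming the field."""
    low, high = portable_range(pg_type, mysql_type)
    if isinstance(value, str):
        return None if len(value) <= high else f"{field}: {len(value)} chars exceeds varchar({high})"
    if not low <= value <= high:
        return f"{field}: {value} outside portable range {low}..{high}"
    return None


# Type pairs copied from the tables; the two proto rows show how far the
# backends can diverge for a field with the same name.
FIELDS = {
    "proto (Table 25)": ("int default 0", "smallint unsigned default 0"),
    "proto (Table 26)": ("smallint default 0", "tinyint unsigned default 0"),
    "count":            ("bigint default 0", "int unsigned default 0"),
    "sent (Table 31)":  ("numeric(20) default 0", "bigint unsigned default 0"),
    "client":           ("varchar(40)", "varchar(40)"),
}


def audit_row(fields, row):
    """Check every value in a row against its field's documented type pair."""
    problems = []
    for name, value in row.items():
        pg_type, mysql_type = fields[name]
        message = check_value(name, pg_type, mysql_type, value)
        if message:
            problems.append(message)
    return problems


if __name__ == "__main__":
    # Constructed row: a protocol number above 255 fits the PostgreSQL smallint
    # of Table 26 but not the MySQL tinyint unsigned beside it.
    sample = {"proto (Table 26)": 300, "count": 75, "client": "192.0.2.10"}
    for problem in audit_row(FIELDS, sample):
        print(problem)
```

The practical consequence is that a report written for one backend may silently behave differently on the other: a value between 256 and 32767 in `proto` is valid on PostgreSQL under the Table 26 declaration but cannot be stored in MySQL's `tinyint unsigned`.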

Event log fields

The table below lists the fields defined in event log tables (type elog).

Table 31:Event log fields

Field Type Description

PostgreSQL MySQL

status varchar(255) varchar(255) The status of the action the FortiGate unit took when the event

occurred.

For event logs, the possible values of this field depend on the

subcategory:

subcategory ipsec

• success

• failure

• negotiate_error

• esp_error

• dpd_failure

subcategory voip

• start

• end

• timeout

• blocked

• succeeded

• failed

• authentication-required

subcategory gtp

• forwarded

• prohibited

• rate-limited

• state-invalid

• tunnel-limited

• traffic-count

• user-data

msg varchar(255) varchar(255) Explains the activity or event that the FortiGate unit recorded.

ssid varchar(255) varchar(255) The service set identifier.

SQL Log Databases Page 342 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 343: Fortianalyzer Admin 40 Mr3

action varchar(255) varchar(255) The action the FortiGate unit should take for this firewall policy.

For event logs, the possible values of this field depend on the

subcategory of the event:

subcategory ipsec:

• negotiate

• error

• install_sa

• delete_phase1_sa

• delete_ipsec_sa

• dpd

• tunnel-up

• tunnel-down

• tunnel-stats

• phase2-up

• phase2-down

subcategory nac-quarantine:

• ban-ip

• ban-interface

• ban-src-dst-ip

subcategory sslvpn-user:

• tunnel-up

• tunnel-down

• ssl-login-fail

subcategory sslvpn-admin:

• info

subcategory sslvpn-session:

• tunnel-stats

• ssl-web-deny

• ssl-web-pass

• ssl-web-timeout

• ssl-web-close

• ssl-sys-busy

• ssl-cert

• ssl-new-con

• ssl-alert

• ssl-exit-fail

• ssl-exit-error

• tunnel-up

• tunnel-down

• tunnel-statsssl-tunnel-unknown-tag

• ssl-tunnel-error

Table 31:Event log fields (continued)

SQL Log Databases Page 343 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 344: Fortianalyzer Admin 40 Mr3

action (continued)

subcategory voip:

• permit

• block

• monitor

• kickout

• encrypt-kickout

• cm-reject

• exempt

• ban

• ban-user

• log-only

subcategory his-performance:

• perf-stats

session_id bigint default 0 int unsigned

default 0

The session ID

count bigint default 0 int unsigned

default 0

The number of dropped SIP packets.

proto varchar(255) varchar(255) The protocol

cpu smallint

default 0

tinyint

unsigned

default 0

The CPU usage, for performance.

epoch bigint default 0 int unsigned

default 0

The unique number for each archive. It is used for cross

reference purposes.

mem smallint

default 0

tinyint

unsigned

default 0

The memory usage, for performance.

duration bigint default 0 int unsigned

default 0

The duration of the interval for item counts (such as infected,

scanned, etc) in this log entry.

infected bigint default 0 int unsigned

default 0

The number of infected messages.

from varchar(255) varchar(255) Source IP address.

ha_group smallint

default 0

tinyint

unsigned

default 0

High availability group

tunnel_id bigint default 0 int unsigned

default 0

Tunnel ID

bssid varchar(255) varchar(255) The basic service set identifier.

tunnel_type varchar(255) varchar(255) Tunnel type

Table 31:Event log fields (continued)

SQL Log Databases Page 344 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 345: Fortianalyzer Admin 40 Mr3

event_id bigint default 0 int unsigned

default 0

Event ID

ip varchar(40) varchar(40) IP address

ha_role varchar(255) varchar(255) High availability role.

rem_ip varchar(40) varchar(40) Remote IP (used in ipsec subcategory logs).

suspicious bigint default 0 int unsigned

default 0

The number of suspicious messages.

sn varchar(255) varchar(255) Serial number of the event

to varchar(255) varchar(255) Destination IP address.

total_session

bigint default 0 int unsigned

default 0

Total IP sessions.

ap varchar(255) varchar(255) The physical AP name.

scanned bigint default 0 int unsigned

default 0

The number of scanned messages.

vcluster bigint default 0 int unsigned

default 0

Virtual cluster.

remote_ip varchar(40) varchar(40) Remote IP (Used in sslvpn-* subcategory logs).

carrier_ep varchar(255) varchar(255) The FortiOS Carrier end-point identification. For example, it

would display the MSISDN of the phone that sent the MMS

message. If you do not have FortiOS Carrier, this field always

displays N/A.

imsi varchar(255) varchar(255) An International Mobile Subscriber Identity or IMSI is a unique

number associated with all GSM and UMTS network mobile

phone users.

loc_ip varchar(40) varchar(40) Local IP

from_vcluster

bigint default 0 int unsigned

default 0

From virtual cluster.

rem_port int default 0 smallint

unsigned

default 0

Remote port.

msisdn varchar(255) varchar(255) The MSISDN of the carrier endpoint.

tunnel_ip varchar(40) varchar(40) Tunnel IP.

intercepted bigint default 0 int unsigned

default 0

The number of intercepted messages.

vap varchar(255) varchar(255) The virtual AP name.

apn varchar(255) varchar(255) The access point name.

Table 31:Event log fields (continued)

SQL Log Databases Page 345 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 346: Fortianalyzer Admin 40 Mr3

out_intf varchar(255) varchar(255) The out interface.

blocked bigint default 0 int unsigned

default 0

The number of blocked messages.

mac varchar(255) varchar(255) MAC address.

to_vcluster bigint default 0 int unsigned

default 0

To virtual cluster.

acct_stat varchar(255) varchar(255) The accounting state. This is an enum and can have one of the

following values: Start, Stop, Interim-Update, Accounting-On, or

Accounting-Off.

selection varchar(255) varchar(255) The selection. This is an enum and can have one of the following

values: apns-vrf, ms-apn-no-vrf, or net-apn-no-vrf.

reason varchar(255) varchar(255) The reason this log was generated.

rate smallint

default 0

tinyint

unsigned

default 0

Traffic rate

loc_port int default 0 smallint

unsigned

default 0

Local port.

vcluster_member

bigint default 0 int unsigned

default 0

Virtual cluster member.

vcluster_state

varchar(255) varchar(255) Virtual cluster state.

app-type varchar(255) varchar(255) Application type.

nsapi smallint

default 0

tinyint

unsigned

default 0

Network Service Access Point Identifier, an identifier used in

cellular data networks.

dport int default 0 smallint

unsigned

default 0

Destinatlon port.

channel smallint

default 0

tinyint

unsigned

default 0

Channel.

cookies varchar(255) varchar(255) Cookies.

checksum bigint default 0 int unsigned

default 0

The number of content checksum blocked messages.

dst_host varchar(255) varchar(255) Destination host name or IP.

nf_type varchar(255) varchar(255) The notification type. This is an enum and can have one of the

following values: bword, file_block, carrier_ep_bwl, flood, dupe,

alert, mms_checksum, or virus.

Table 31:Event log fields (continued)

SQL Log Databases Page 346 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 347: Fortianalyzer Admin 40 Mr3

vdname varchar(255) varchar(255) The VDOM name.

linked-nsapi smallint

default 0

tinyint

unsigned

default 0

Linked Network Service Access Point Identifier.

next_stats bigint default 0 int unsigned

default 0

Next Statistics.

virus varchar(255) varchar(255) Virus name.

imei-sv varchar(255) varchar(255) International Mobile Equipment Identity or IMEI is a number,

usually unique, to identify GSM, WCDMA, and iDEN mobile

phones, as well as some satellite phones.

devintfname

varchar(255) varchar(255) The device interface name.

security varchar(255) varchar(255) The wireless security. This field is an enum, and can have one of

the following values: open, wep64, wep128, wpa-psk,

wpa-radius, wpa, wpa2, or wpa2-auto.

policy_id bigint default 0 int unsigned

default 0

The policy ID that triggered this log.

rai varchar(255) varchar(255) Routing Area Identification.

hostname varchar(255) varchar(255) The host name or IP

xauth_user varchar(255) varchar(255) Authenticated user name.

uli varchar(255) varchar(255) User Location Information.

xauth_group

varchar(255) varchar(255) Authenticated user group.

sent numeric(20)

default 0

bigint

unsigned

default 0

Number of bytes sent.

rcvd numeric(20)

default 0

bigint

unsigned

default 0

Number of bytes received.

sess_duration

bigint default 0 int unsigned

default 0

The duration of the session.

hbdn_reason

varchar(255) varchar(255) Heartbeat down reason. This field is an enum, and can have one

of the following values: linkfail or neighbor-info-lost.

banned_src varchar(255) varchar(255) Banned source. This field is an enum, and can have one of the

following values: ips, dos, dlp-rule, dlp-compound, or av.

end-usr-address

varchar(40) varchar(40) End user address.

Table 31:Event log fields (continued)

SQL Log Databases Page 347 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Page 348: Fortianalyzer Admin 40 Mr3

msg-type smallint

default 0

tinyint

unsigned

default 0

Message type.

sync_type varchar(255) varchar(255) Synchronization type. This field is an enum, and can have one of

the following values: configurations or external-files.

banned_rule varchar(255) varchar(255) Banned rule / reason.

vpn_tunnel varchar(255) varchar(255) VPN tunnel.

sync_status varchar(255) varchar(255) Synchronization status. This field is an enum, and can have one

of the following values: out-of-sync or in-sync.

alert varchar(255) varchar(255) Alert.

sensor varchar(255) varchar(255) Sensor name.

endpoint varchar(255) varchar(255) The endpoint.

stage smallint

default 0

tinyint

unsigned

default 0

Stage.

voip_proto varchar(255) varchar(255) This field is an enum, and can have one of the following values:

sip or sccp.

deny_cause varchar(255) varchar(255) This field is an enum, and can have one of the following values:

• packet-sanity

• invalid-reserved-field

• reserved-msg

• out-state-msg

• reserved-ie

• out-state-ie

• invalid-msg-length

• invalid-ie-length

• miss-mandatory-ie

• ip-policy

• non-ip-policy

• sgsn-not-authorized

• sgsn-no-handover

• ggsn-not-authorized

• invalid-seq-num

• msg-filter

• apn-filter

• imsi-filter

• adv-policy-filter

desc varchar(255) varchar(255) Description

Table 31:Event log fields (continued)

SQL Log Databases Page 348 FortiAnalyzer v4.0 MR3 Patch Release 7 Administration Guide

Table 31: Event log fields (continued)

Field | Type (PostgreSQL) | Type (MySQL) | Description
dir | varchar(255) | varchar(255) | Direction (inbound or outbound).
kind | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: register, unregister, call, call-info, or call-block.
init | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: local or remote.
mode | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: aggressive, main, quick, xauth, or xauth_client.
cert-type | varchar(255) | varchar(255) | Certificate type. This field is an enum, and can have one of the following values: CA, CRL, Local, or Remote.
ui | varchar(255) | varchar(255) | User interface.
exch | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: NSA_INIT, AUTH, or CREATE_CHILD.
rat-type | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: utran, geran, wlan, gan, or hspa.
error_num | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values:
• Invalid ESP packet detected.
• Invalid ESP packet detected (HMAC validation failed).
• Invalid ESP packet detected (invalid padding).
• Invalid ESP packet detected (invalid padding length).
• Invalid ESP packet detected (replayed packet).
• Received ESP packet with unknown SPI.
method | varchar(255) | varchar(255) | The method.
phase2_name | varchar(255) | varchar(255) | IPsec VPN Phase 2 name.
spi | varchar(255) | varchar(255) | IPsec VPN SPI.
c-sgsn | varchar(40) | varchar(40) | SGSN IP address for GTP signalling.
request_name | varchar(255) | varchar(255) | Request name.
seq | varchar(255) | varchar(255) | Sequence number.
c-ggsn | varchar(40) | varchar(40) | GGSN IP address for GTP signalling.
in_spi | varchar(255) | varchar(255) | Remote SPI in IPsec VPN configuration.
u-sgsn | varchar(40) | varchar(40) | SGSN IP address for GTP user traffic.
out_spi | varchar(255) | varchar(255) | Local SPI in IPsec VPN configuration.
u-ggsn | varchar(40) | varchar(40) | GGSN IP address for GTP user traffic.
c-sgsn-teid | bigint default 0 | int unsigned default 0 | SGSN TEID (Tunnel endpoint identifier) for signalling.
enc_spi | varchar(255) | varchar(255) | Encryption SPI in IPsec VPN.
c-ggsn-teid | bigint default 0 | int unsigned default 0 | GGSN TEID for signalling.
dec_spi | varchar(255) | varchar(255) | Decryption SPI in IPsec VPN.
message_type | varchar(255) | varchar(255) | Message type. This field is an enum, and can have one of the following values: request or response.
malform_desc | varchar(255) | varchar(255) | Malformed description. This field is an enum. See “Malform Description Values” (listed after this table) for possible values.
tunnel | varchar(255) | varchar(255) | Tunnel name.
u-sgsn-teid | bigint default 0 | int unsigned default 0 | SGSN TEID for user traffic.
u-ggsn-teid | bigint default 0 | int unsigned default 0 | GGSN TEID for user traffic.
malform_data | bigint default 0 | int unsigned default 0 | Malformed data.
tunnel-idx | bigint default 0 | int unsigned default 0 | VPN tunnel index.
line | varchar(255) | varchar(255) | The content of the malformed SIP line.
column | bigint default 0 | int unsigned default 0 | The position of the syntax error in the SIP line.
c-pkts | numeric(20) default 0 | bigint unsigned default 0 | Number of packets for signalling.
phone | varchar(255) | varchar(255) | SCCP phone device name.
profile_group | varchar(255) | varchar(255) | Profile group name.
c-bytes | numeric(20) default 0 | bigint unsigned default 0 | Number of bytes for signalling.
u-pkts | numeric(20) default 0 | bigint unsigned default 0 | Number of packets used for traffic.
profile_type | varchar(255) | varchar(255) | Profile type.
u-bytes | numeric(20) default 0 | bigint unsigned default 0 | Number of bytes used for traffic.
next_stat | bigint default 0 | int unsigned default 0 | Next stat.
user_data | varchar(255) | varchar(255) | User data.
role | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: responder or initiator.
result | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values: ERROR, OK, DONE, or PENDING.
xauth_result | varchar(255) | varchar(255) | XAUTH authentication result. This field is an enum, and can have one of the following values:
• XAUTH authentication successful
• XAUTH authentication failed
esp_transform | varchar(255) | varchar(255) | ESP transform. This field is an enum, and can have one of the following values: ESP_NULL, ESP_DES, ESP_3DES, or ESP_AES.
esp_auth | varchar(255) | varchar(255) | ESP authentication. This field is an enum, and can have one of the following values: no authentication, HMAC_SHA1, HMAC_MD5, or HMAC_SHA256.
error_reason | varchar(255) | varchar(255) | Text explanation for the error. This field is an enum, and can have one of the following values:
• invalid certificate
• invalid SA payload
• probable pre-shared key mismatch
• peer SA proposal not match local policy
• peer notification
• not enough key material for tunnel
• encapsulation mode mismatch
• no matching gateway for new request
• aggressive vs main mode mismatch for new request

peer_notif | varchar(255) | varchar(255) | Peer notification. This field is an enum, and can have one of the following values: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT, or RETRY-LIMIT-REACHED.

Malform Description Values:

• unexpected-character
• invalid-quoting-character
• trailing-bytes
• header-line-oversize
• msg-body-oversize
• domain-name-oversize
• domain-label-oversize
• syntax-malformed
• duplicated-sip-header
• space-violation
• invalid-ipv4-address
• invalid-ipv6-address
• invalid-port
• invalid-fqdn
• no-matching-double-quote
• empty-quoted-string
• invalid-<userinfo>
• invalid-escape-encoding-in-<userinfo>
• invalid-escape-encoding-in-uri-parameter
• invalid-escape-encoding-in-uri-header
• invalid-escape-encoding-in-<reason-phrase>
• port-expected
• port-not-allowed
• domain-name-invalid
• <gen-value>-expected
• invalid-<gen-value>
• invalid-<quoted-string>-in-<gen-value>
• ipv4-address-expected
• ipv6-address-expected
• uri-expected
• invalid-transport-uri-parameter
• invalid-user-uri-parameter
• invalid-method-uri-parameter
• invalid-ttl-uri-parameter
• invalid-uri-parameter-pname
• invalid-uri-parameter-value
• uri-parameter-repeat
• invalid-uri-header-name
• invalid-uri-header-value
• invalid-uri-header-name-value-pair
• invalid-quoted-string-in-display-name
• left-angle-bracket-is-mandatory
• right-angle-bracket-not-found
• invalid-status-code
• no-METHOD-on-request-line
• uri-parameters-not-allowed-by-RFC
• unknown-scheme
• whitespace-expected
• LWS-expected
• invalid-<SIP-Version>-on-request-line
• invalid-<protocol-name>
• invalid-<protocol-version>
• invalid-<transport>
• no-SLASH-after-<protocol-name>
• no-SLASH-after-<protocol-version>
• header-parameter-expected
• invalid-ttl-parameter
• invalid-maddr-parameter
• invalid-received-parameter
• invalid-branch-parameter
• invalid-rport-parameter
• via-parameter-repeat
• <seq>-number-expected
• <method>-expected
• <method>-does-not-match-the-request-line
• <response-num>-expected
• <CSeq-num>-expected
• <Method>-expected-after-<CSeq-num>
• expires-header-repeated
• <delta-seconds>-expected
• invalid-max-forwards
• token-expected
• invalid-expires-parameter
• invalid-q-parameter
• <generic-param>-with-invalid-<gen-value>
• <m-type>-expected
• SLASH-expected-after-<m-type>
• <m-subtype>-expected
• <m-attribute>-expected-after-SEMI
• boundary-parameter-appears-more-than-once
• EQUAL-expected-after-<m-attribute>
• invalid-<quoted-string>-in-<m-value>
• invalid-<m-value>
• multipart-Content-Type-has-no-boundary
• digits-expected
• IN-expected
• IP-expected
• IP4-or-IP6-expected
• IPv4-or-IPv6-address-expected
• line-order-error
• z-line-not-allowed-on-media-level
• <time>-expected
• <typed-time>-expected
• r-line-not-allowed-on-media-level
• <repeat-interval>-expected
• <bwtype>-execpted
• colon-expected
• <bandwidth>-expected
• t-line-not-allowed-on-media-level
• invalid-<start-time>
• invalid-<stop-time>
• too-many-i-lines
• <text>-expected
• too-many-c-lines
• too-many-v-line
• v-line-not-allowed-on-media-level
• too-many-o-lines
• o-line-not-allowed-on-media-level
• <username>-expected
• <sess-id>-expected
• <sess-version>-expected
• too-many-s-lines
• s-line-not-allowed-on-media-level
• too-many-m-lines
• <media>-expected
• <integer>-expected
• <proto>-expected
• <token>-expected-in-<proto>-after-slash
• <fmt>-expected
• <att-field>-expected
• <att-value>-expected
• <payload-type>-expected-in-rtpmap
• <encoding-name>-expected-in-rtpmap
• slash-expected-after-<encoding-name>-in-rtpmap
• invalid-<clock-rate>-in-rtpmap
• invalid-<encoding-parameters>-in-rtpmap
• invalid-candidate-line
• sdp-candidate-line-before-m-line
• sip-Yahoo-candidate-invalid-protocol
• invalid-port-after-ip-address-in-candidate-line
• too-many-candidate-lines
• sdp-invalid-alt-line
• sdp-alt-line-before-m-line
• invalid-port-after-ip-address-in-alt-line
• sdp-rtcp-line-before-m-line
• invalid-port-in-rtcp-line
• too-many-rtcp-lines
• <callid>-expected
• <word>-expected
• invalid-tag-parameter
• no-tag-parameter
• sdp-v-o-s-t-lines-are-mandatory
• unknown-header
• end-of-line-error
• sip-udp-message-truncated
• missing-mandatory-field

Traffic log fields

The table below lists the fields defined in traffic log tables (type tlog).

Table 32: Traffic log fields

Field | Type (PostgreSQL) | Type (MySQL) | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For traffic logs, this field can be: accept, deny, or start.
dir_disp | varchar(255) | varchar(255) | The direction of the session. Org displays if a session is not a child session, or if the child session originated in the same direction as the master session. Reply displays if the child session takes a different direction from the master session.
tran_disp | varchar(255) | varchar(255) | Whether the packet was source NAT translated or destination NAT translated. This field is an enum, and can have one of the following values: noop, snat, or dnat.
srcname | varchar(255) | varchar(255) | The source name or IP address.
dstname | varchar(255) | varchar(255) | The destination name or IP address.
tran_ip | varchar(40) | varchar(40) | The translated IP in NAT mode. For transparent mode, it is “0.0.0.0”.
tran_port | int default 0 | smallint unsigned default 0 | The translated port number in NAT mode. For transparent mode, it is zero (0).
proto | int default 0 | smallint unsigned default 0 | The protocol that applies to the session or packet: the protocol number in the packet header that identifies the next-level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
app_type | varchar(255) | varchar(255) | The application or program used. This field is an enum, and can have one of the following values: N/A, BitTorrent, eDonkey, Gnutella, KaZaa, Skype, WinNY, AIM, ICQ, MSN, or YAHOO.
duration | bigint default 0 | int unsigned default 0 | The session duration in seconds.
rule | bigint default 0 | int unsigned default 0 | The rule number.
sent | bigint default 0 | int unsigned default 0 | The total number of bytes sent.
rcvd | bigint default 0 | int unsigned default 0 | The total number of bytes received.
sent_pkt | bigint default 0 | int unsigned default 0 | The total number of packets sent during the session.
rcvd_pkt | bigint default 0 | int unsigned default 0 | The total number of packets received during the session.
vpn | varchar(255) | varchar(255) | The name of the VPN tunnel used by the traffic.
SN | bigint default 0 | int unsigned default 0 | The serial number of the log message.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
wanopt_app_type | varchar(255) | varchar(255) | The type of WAN optimization that was used. This field is an enum, and can have one of the following values: web-cache, cifs, tcp, ftp, mapi, or http.
wan_in | bigint default 0 | int unsigned default 0 | WAN in counter.
wan_out | bigint default 0 | int unsigned default 0 | WAN out counter.
lan_in | bigint default 0 | int unsigned default 0 | LAN in counter.
lan_out | bigint default 0 | int unsigned default 0 | LAN out counter.
app | varchar(255) | varchar(255) | The type of application. On the FortiGate unit, you can look the application type up in UTM > Application Control > Application List, and then select the name that is in the field to go to more detailed information on the FortiGuard Encyclopedia.
app_cat | varchar(255) | varchar(255) | The application category that the application is associated with.
shaper_drop_sent | bigint default 0 | int unsigned default 0 | The number of sent traffic shaper bytes that were dropped.
shaper_drop_rcvd | bigint default 0 | int unsigned default 0 | The number of received traffic shaper bytes that were dropped.
perip_drop | bigint default 0 | int unsigned default 0 | The number of per-IP traffic shaper bytes that were dropped.
shaper_sent_name | varchar(255) | varchar(255) | The name of the traffic shaper sending the bytes.
shaper_rcvd_name | varchar(255) | varchar(255) | The name of the traffic shaper receiving the bytes.
perip_name | varchar(255) | varchar(255) | The name of the per-IP traffic shaper.

Antivirus log fields

The table below lists the fields defined in antivirus log tables (type vlog).

Table 33: Antivirus log fields

Field | Type (PostgreSQL) | Type (MySQL) | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For antivirus logs, this field can be: blocked, passthrough, or monitored.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. For example, the file that was downloaded from the web site exceeded the specified size limit.
sport | int default 0 | smallint unsigned default 0 | The source port the traffic originated from.
dport | int default 0 | smallint unsigned default 0 | The destination port the traffic was going to.
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
dir | varchar(255) | varchar(255) | Direction.
filefilter | varchar(255) | varchar(255) | The file filter. This field is an enum, and can have one of the following values: none, file pattern, or file type.
filetype | varchar(255) | varchar(255) | The file type. This field is an enum, and can have one of the following values: arj, cab, lzh, rar, tar, zip, bzip, gzip, bzip2, bat, msc, uue, mime, base64, binhex, com, elf, exe, hta, html, jad, class, cod, javascript, msoffice, fsg, upx, petite, aspack, prc, sis, hlp, activemime, jpeg, gif, tiff, png, bmp, ignored, or unknown.
file | varchar(255) | varchar(255) | The file name.
checksum | varchar(255) | varchar(255) | The file checksum.
quarskip | varchar(255) | varchar(255) | This field is an enum, and can have one of the following values:
• No skip
• No quarantine for HTTP GET file pattern block.
• No quarantine for oversized files.
• File was not quarantined.
virus | varchar(255) | varchar(255) | The virus name.
ref | varchar(255) | varchar(255) | The URL reference that gives more information about the virus. If you enter the URL in your web browser’s address bar, the URL directs you to the specific page that contains information about the virus.
url | varchar(255) | varchar(255) | The URL the file was acquired from.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
agent | varchar(255) | varchar(255) | This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.
from | varchar(255) | varchar(255) | The sender (from) email address.
to | varchar(255) | varchar(255) | The recipient (to) email address.
command | varchar(255) | varchar(255) | Protocol-specific command, such as “POST” and “GET” for HTTP, or “MODE” and “REST” for FTP.
dtype | varchar(255) | varchar(255) | Detection type, possible values: virus or grayware.

Web filter log fields

The table below lists the fields defined in web filter log tables (type wlog).

Table 34: Web filter log fields

Field | Type (PostgreSQL) | Type (MySQL) | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For web filter logs, this field can be: blocked, exempted, allowed, passthrough, filtered, or DLP.
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
sport | int default 0 | smallint unsigned default 0 | The source port.
dport | int default 0 | smallint unsigned default 0 | The destination port.
hostname | varchar(255) | varchar(255) | The host name or IP.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
req_type | varchar(255) | varchar(255) | The request type. This field is an enum, and can have one of the following values: direct or referral.
url | varchar(255) | varchar(255) | The URL.
msg | varchar(255) | varchar(255) | A text message explaining the log entry. For example, 'Message was blocked because it contained a banned word.'
dir | varchar(255) | varchar(255) | The direction.
agent | varchar(255) | varchar(255) | This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.
from | varchar(255) | varchar(255) | From.
to | varchar(255) | varchar(255) | To.
banword | varchar(255) | varchar(255) | The name of the banned word policy that triggered the log event.
error | varchar(255) | varchar(255) | The Web Filter error.
method | varchar(255) | varchar(255) | The HTTP method. This field is an enum, and can have one of the following values: ip or domain.
class | smallint default 0 | tinyint unsigned default 0 | Class.
class_desc | varchar(255) | varchar(255) | Class description.
cat | smallint default 0 | tinyint unsigned default 0 | Category.
cat_desc | varchar(255) | varchar(255) | Category description.
mode | varchar(255) | varchar(255) | The mode. Can be 'rule' or 'off-site'.
rule_type | varchar(255) | varchar(255) | Rule type. This field is an enum, and can have one of the following values: directory, domain, or rating.
rule_data | varchar(255) | varchar(255) | Rule data.
ovrd_tbl | varchar(255) | varchar(255) | Override table.
ovrd_id | bigint default 0 | int unsigned default 0 | Override ID.
count | bigint default 0 | int unsigned default 0 | The number of scripts blocked by the script filter within the page.
url_type | varchar(255) | varchar(255) | URL type. This field is an enum, and can have one of the following values: http, https, ftp, telnet, or mail.
urlfilter_idx | bigint default 0 | int unsigned default 0 | URL filter index.
urlfilter_list | varchar(255) | varchar(255) | URL filter list.
quota_exceeded | varchar(255) | varchar(255) | Quota exceeded. Can be 'yes' or 'no'.
quota_used | bigint default 0 | int unsigned default 0 | Quota time used (in seconds).
quota_max | bigint default 0 | int unsigned default 0 | Maximum quota time allowed (in seconds).

Netscan log fields

The table below lists the fields defined in vulnerability / netscan log tables (type nlog).

Table 35: Netscan log fields

Field | Type (PostgreSQL) | Type (MySQL) | Description
action | varchar(255) | varchar(255) | The nature of the event. This field is an enum, and can have one of the following values: scan, vuln-detection, host-detection, or service-detection.
start | bigint default 0 | int unsigned default 0 | GMT epoch time the scan was started.
end | bigint default 0 | int unsigned default 0 | GMT epoch time the scan ended.
engine | varchar(255) | varchar(255) | The netscan engine version.
plugin | varchar(255) | varchar(255) | The version of the netscan plugins.
ip | varchar(40) | varchar(40) | The IP of the scanned asset.
proto | varchar(255) | varchar(255) | The protocol. Can be: tcp or udp.
port | int default 0 | smallint unsigned default 0 | The port scanned.
vuln | varchar(255) | varchar(255) | The name of the vulnerability found.
vuln_cat | varchar(255) | varchar(255) | The category of the vulnerability found.
vuln_id | bigint default 0 | int unsigned default 0 | The ID of the vulnerability found.
vuln_ref | varchar(255) | varchar(255) | A link to the detected vulnerability in FortiGuard.
severity | varchar(255) | varchar(255) | The severity of the vulnerability. This field is an enum, and can have one of the following values: critical, high, medium, low, or info.
os | varchar(255) | varchar(255) | The operating system of the scanned asset.
os_family | varchar(255) | varchar(255) | The family of the operating system on the scanned asset.
os_gen | varchar(255) | varchar(255) | The generation of the operating system on the scanned asset.
os_vendor | varchar(255) | varchar(255) | The vendor of the operating system on the scanned asset.
message | varchar(255) | varchar(255) | Informational message.

Examples

The following examples illustrate how to write custom datasets.

After you create the datasets, you can use them when you configure chart templates under Report > Advanced > Chart.

Figure 217: Adding a dataset to a chart template

Then you can add the chart template to a report when you create the new report under Report > Unclassified Reports. For more information, see “Configuring report chart templates” on page 218.

Figure 218: Adding a chart to a report

On the FortiAnalyzer unit, datasets can be created via the CLI or the Web-based Manager.

Example 1: Distribution of applications by type

Web-based Manager procedure:

1. Go to Report > Advanced > Dataset.

2. Select Create New to create a new dataset and enter a name (such as "apps_type").

Figure 219: New dataset window

3. Under Log Type ($log), select Application Control.

4. Enter the query:

   SELECT app_type, COUNT( * ) AS totalnum
   FROM $log AND app_type IS NOT NULL
   GROUP BY app_type
   ORDER BY totalnum DESC

CLI procedure:

To perform the same task using the CLI, use these commands:

   config sql-report dataset
       edit apps_type
           set device-type FortiGate
           set log-type app-ctrl
           set query "SELECT app_type, COUNT( * ) AS totalnum FROM $log AND app_type IS NOT NULL GROUP BY app_type ORDER BY totalnum DESC"
       next
   end

Notes:

• $log queries all application control logs.

• The application control module classifies each firewall session in app_type. One firewall session may be classified under multiple app_types. For example, an HTTP session can be classified as HTTP, Facebook, and so on.

• Some applications or app_types cannot be detected, in which case the app_type field may be null or ‘N/A’. These records are ignored by this query.

• The result is ordered by the total number of sessions with the same app_type. The most frequent app_types appear first.

Example 2: Top 100 applications by bandwidth

Web-based Manager procedure:

1. Go to Report > Advanced > Dataset.

2. Select Create New to create a new dataset and enter a name (such as "top_100_apps").

3. Under Log Type ($log), select Traffic.

4. Enter the query:

   SELECT app, service, SUM( sent + rcvd ) AS volume
   FROM $log AND app IS NOT NULL
   GROUP BY app
   ORDER BY volume DESC LIMIT 100

CLI procedure:

To perform the same task using the CLI, use these commands:

   config sql-report dataset
       edit top_100_apps
           set device-type FortiGate
           set log-type traffic
           set query "SELECT app, service, SUM( sent + rcvd ) AS volume FROM $log AND app IS NOT NULL GROUP BY app ORDER BY volume DESC LIMIT 100"
       next
   end

Notes:

• SUM( sent + rcvd ) AS volume calculates the total of sent and received bytes.

• ORDER BY volume DESC orders the results by descending volume (largest volume first).

• LIMIT 100 lists only the top 100 applications.

Example 3: Top 10 attacks

Web-based Manager procedure:

1. Go to Report > Advanced > Dataset.

2. Select Create New to create a new dataset and enter a name (such as "top_attacks").

3. Under Log Type ($log), select Attack.

4. Enter the query:

   SELECT attack_id, COUNT( * ) AS totalnum
   FROM $log AND attack_id IS NOT NULL
   GROUP BY attack_id
   ORDER BY totalnum DESC LIMIT 10

CLI procedure:

To perform the same task using the CLI, use these commands:

   config sql-report dataset
       edit top_attacks
           set device-type FortiGate
           set log-type attack
           set query "SELECT attack_id, COUNT( * ) AS totalnum FROM $log AND attack_id IS NOT NULL GROUP BY attack_id ORDER BY totalnum DESC LIMIT 10"
       next
   end

Notes:

• The result is ordered by the total number of attacks with the same attack_id. The most frequent attack_id appears first.

Example 4: Top WAN optimization applications

Web-based Manager procedure:

1. Go to Report > Advanced > Dataset.

2. Select Create New to create a new dataset and enter a dataset name (such as "WAN_OPT").

3. Under Log Type ($log), select Traffic.

4. Enter the query:

   SELECT wanopt_app_type, SUM( wan_in + wan_out ) AS bandwidth
   FROM $log AND subtype = 'wanopt-traffic'
   GROUP BY wanopt_app_type
   ORDER BY SUM( wan_in + wan_out ) DESC LIMIT 5

CLI procedure:

To perform the same task using the CLI, use these commands:

   config sql-report dataset
       edit WAN_OPT
           set device-type FortiGate
           set log-type traffic
           set query "SELECT wanopt_app_type, SUM( wan_in + wan_out ) AS bandwidth FROM $log AND subtype = 'wanopt-traffic' GROUP BY wanopt_app_type ORDER BY SUM( wan_in + wan_out ) DESC LIMIT 5"
       next
   end

Notes:

• The WAN optimization module logs the bandwidth of each application. All bandwidth data is logged in traffic logs, and WAN optimization records have the subtype ‘wanopt-traffic’.

• SUM( wan_in + wan_out ) AS bandwidth calculates the total in and out traffic.
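As an added example (not FortiAnalyzer code), the Python script below runs the Example 2 and Example 4 dataset queries against a constructed SQLite tlog table and checks how a query uses $log. It assumes that $log expands to the log table name plus a WHERE clause for the report's time window, which is why the queries on this page continue with AND rather than WHERE; the expansion, the table schema and the sample rows are all constructed for this example.

```python
"""Run FortiAnalyzer-style dataset queries against a constructed traffic-log table.

Added example, not FortiAnalyzer code. Assumption: the $log macro expands to the
log table name followed by a WHERE clause (the page's dataset queries continue
with 'AND' after $log), so a dataset-specific filter must start with AND.
"""
import re
import sqlite3

# Constructed sample traffic-log (tlog) rows; column names follow Table 32.
WINDOW_START = 1365724800            # report time window, epoch seconds
WINDOW_END = WINDOW_START + 3600
SAMPLE_TLOG = [
    # timestamp,  app,          service, subtype,          wanopt_app_type, sent,  rcvd,  wan_in, wan_out
    (1365724800, "HTTP",       "HTTP",  "forward",        None,            1200,  8800,     0,    0),
    (1365724860, "Facebook",   "HTTP",  "forward",        None,             500,  3500,     0,    0),
    (1365724920, "HTTP",       "HTTP",  "forward",        None,             300,  2700,     0,    0),
    (1365724980, "BitTorrent", "TCP",   "forward",        None,           20000, 40000,     0,    0),
    (1365725040, None,         "TCP",   "forward",        None,            9000,  9000,     0,    0),  # app not detected
    (1365725100, "HTTP",       "HTTP",  "wanopt-traffic", "web-cache",        0,     0,  4000, 1000),
    (1365725160, "CIFS",       "CIFS",  "wanopt-traffic", "cifs",             0,     0,  7000, 3000),
    (1365725220, "HTTP",       "HTTP",  "wanopt-traffic", "web-cache",        0,     0,  2500,  500),
    (1365999999, "HTTP",       "HTTP",  "forward",        None,          999999,     0,     0,    0),  # outside window
]

# Dataset queries as written on the page (Example 2, CLI form, and Example 4).
TOP_APPS_BY_BANDWIDTH = (
    "SELECT app, service, SUM( sent + rcvd ) AS volume FROM $log "
    "AND app IS NOT NULL GROUP BY app ORDER BY volume DESC LIMIT 100"
)
TOP_WANOPT_APPS = (
    "SELECT wanopt_app_type, SUM( wan_in + wan_out ) AS bandwidth FROM $log "
    "AND subtype = 'wanopt-traffic' GROUP BY wanopt_app_type "
    "ORDER BY SUM( wan_in + wan_out ) DESC LIMIT 5"
)

LOG_MACRO = re.compile(r"\$log\b")


def check_macro_usage(query):
    """Return a list of problems with how a dataset query uses $log.

    Because the expanded $log already carries a WHERE clause, 'FROM $log WHERE ...'
    would produce two WHERE clauses and fail; 'FROM $log AND ...' is the correct form.
    """
    problems = []
    if not LOG_MACRO.search(query):
        problems.append("query does not reference $log")
    if re.search(r"\$log\s+WHERE\b", query, re.IGNORECASE):
        problems.append("use AND, not WHERE, for conditions that follow $log")
    return problems


def expand_log_macro(query, table="tlog"):
    """Expand $log into '<table> WHERE timestamp BETWEEN ? AND ?' (constructed form)."""
    return LOG_MACRO.sub(f"{table} WHERE timestamp BETWEEN ? AND ?", query)


def build_sample_db():
    """Create an in-memory SQLite tlog table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tlog (timestamp INTEGER, app TEXT, service TEXT, subtype TEXT, "
        "wanopt_app_type TEXT, sent INTEGER, rcvd INTEGER, wan_in INTEGER, wan_out INTEGER)"
    )
    conn.executemany("INSERT INTO tlog VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_TLOG)
    return conn


def run_dataset(conn, query, start=WINDOW_START, end=WINDOW_END):
    """Validate, expand and run a dataset query for one report time window."""
    problems = check_macro_usage(query)
    if problems:
        raise ValueError("; ".join(problems))
    params = (start, end) * len(LOG_MACRO.findall(query))   # one (start, end) pair per $log
    return conn.execute(expand_log_macro(query), params).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for name, q in (("top apps by bandwidth", TOP_APPS_BY_BANDWIDTH),
                    ("top WAN optimization apps", TOP_WANOPT_APPS)):
        print(name)
        for row in run_dataset(db, q):
            print("  ", row)
    print(check_macro_usage("SELECT app FROM $log WHERE app IS NOT NULL"))
```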


Appendix D: Port Numbers

Port numbers

The following tables describe the port numbers that the FortiAnalyzer unit uses:

• ports for traffic originating from units (outbound ports)
• ports for traffic receivable by units (listening ports)
• ports used to connect to the FortiGuard Distribution Network (FDN ports)

Traffic varies by enabled options and configured ports. Only default ports are listed.

Table 36: FortiAnalyzer outbound ports

Functionality | Port(s)
DNS lookup | UDP 53
NTP synchronization | UDP 123
Windows share | UDP 137-138
SNMP traps | UDP 162
Syslog, log forwarding | UDP 514. Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, syslog traffic is sent inside an IPsec tunnel, and data is exchanged over UDP 500/4500 and IP protocol 50 (ESP).
Log and report upload | TCP 21 or TCP 22
SMTP alert email | TCP 25
User name LDAP queries for reports | TCP 389 or TCP 636
Vulnerability Management updates | TCP 443
RADIUS authentication | TCP 1812
TACACS+ authentication | TCP 49
Log aggregation client | TCP 3000
Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval) (OFTP) | TCP 514

Table 37: FortiAnalyzer listening ports

Functionality | Port(s)
Windows share | UDP 137-139 and TCP 445
Syslog, log forwarding | UDP 514. Note: If a secure connection has been configured between a FortiGate and a FortiAnalyzer, syslog traffic is sent inside an IPsec tunnel, and data is exchanged over UDP 500/4500 and IP protocol 50 (ESP).
SSH administrative access to the CLI | TCP 22
Telnet administrative access to the CLI | TCP 23
HTTP administrative access to the Web-based Manager | TCP 80
HTTPS administrative access to the Web-based Manager; remote management from a FortiManager unit | TCP 443
Device registration of FortiGate or FortiManager units; remote access to quarantine, logs & reports from a FortiGate unit; remote management from a FortiManager unit (configuration retrieval) (OFTP) | TCP 514
NFS share | TCP 2049
HTTP or HTTPS administrative access to the Web-based Manager's CLI dashboard widget. The protocol used matches the protocol the administrator used when logging in to the Web-based Manager. | TCP 2032
Log aggregation server. Log aggregation server support requires model FortiAnalyzer-800 or greater. | TCP 3000
Remote management from a FortiManager unit (configuration installation) | TCP 8080
Remote MySQL database connection | TCP 3306

Table 38: FortiAnalyzer FDN ports

Functionality | Port(s)
Vulnerability Management updates | TCP 443

Appendix E: ConnectWise

FortiAnalyzer compatibility with ConnectWise

The FortiAnalyzer unit integrates with the ConnectWise Management Services Platform (MSP) by providing statistics from FortiGate logs and reports for the MSP’s Executive Summary report. The statistics include:

• Top 10 web sites
• Top 10 intrusions prevented
• Top 10 web filter categories
• Total bandwidth usage
• Total number of events

The Executive Summary provides important metrics from different solutions to generate informative reports for the end users. By connecting to the ConnectWise MSP, the FortiAnalyzer unit uploads reporting data each time it runs.

ConnectWise support is controlled through the CLI only. For more information, see the config connectwise report command in the FortiAnalyzer v4.0 MR3 Patch Release 7 CLI Reference.

This section describes how to configure the ConnectWise server and the FortiAnalyzer unit to generate executive reports. This process assumes that you have installed the ConnectWise server properly. This configuration example uses ConnectWise 2010.

To set the integrator login and add a new Management IT:

1. Log in to ConnectWise.

2. From the navigation pane, select Setup > Setup Tables.

Figure 220: ConnectWise setup tables

3. Search for and select Integrator Login.

Figure 221: ConnectWise Integrator login

4. Under Enable Available APIs, select Managed Services API.

5. Select Save.

6. Search for and select Management IT, then select Add New.

   Username                  Enter the user name, such as “UserName1”.
   Password                  Enter the password, such as “PassW1”.
   Name                      Enter the name of the Management IT, such as “FortiAnalyzer Central Office”.
   Management IT Solution    Select Custom.
   Custom Solution Name      Enter the same name as the Management IT.

Figure 222: ConnectWise management IT

7. Select Save.

To configure the Management IT in the company record:

1. Log in to ConnectWise.

2. From the navigation pane, select Contacts > Company.

3. Search for your company name.

   Your company information is assumed to have been set up before you log in to the ConnectWise server.


Figure 223: ConnectWise company information

4. Go to the Management tab.

5. Under Management Solutions, create a new management solution.

6. Select Save.

To add configurations for FortiGate units:

1. Log in to ConnectWise.

2. From the navigation pane, select Contacts > Company.

3. Search for your company name.

   Your company information is assumed to have been set up before you log in to the ConnectWise server.

4. Select the Configuration tab to create a new configuration for the FortiGate units.

   Company          Select your company name.
   Solution         Select the name of the Management IT created in step 6, such as “FortiAnalyzer Central Office/FortiAnalyzer Central Office”.
   Management ID    Enter a management ID, such as “FAZCentralOfficeManagementID”.


Figure 224: ConnectWise configuration menu

5. For Configuration Type, select Network Security Appliance.

6. For Name, enter the same name that the FortiGate unit uses on the FortiAnalyzer unit, such as “FG100A”.

7. Enter the other information as required.

8. Select Save.

9. Repeat this procedure for every FortiGate unit that reports its usage to ConnectWise through the FortiAnalyzer unit.

To configure the FortiAnalyzer unit:

1. In the FortiAnalyzer CLI console, enter the following commands to enable the ConnectWise report:

    config connectwise report
        set status enable
        set integration-login-id <user_name_used_in_ConnectWise_Management_IT_config>
        set integration-password <password_used_in_ConnectWise_Management_IT_config>
        set company-name <company_ID_used_at_ConnectWise_login>
        set management-solution-name <ConnectWise_Management_ID_name>
        set connectwise-server <ConnectWise_server_address>
    end

2. Create a device group if you only want certain FortiGate units to report to ConnectWise.

For more information, see “Configuring device groups” on page 170.

3. Create a report for the FortiGate units to report to ConnectWise.

For more information, see “Reports” on page 201.

4. Create a report output template for the FortiGate units to report to ConnectWise.


5. Create a report schedule (for the proprietary indexed file system) or configure the report settings (for the SQL database). For more information, see “Configuring report schedules” on page 233 and “Report settings” on page 207.

When configuring the report schedule or settings:

• Use the report layout you configured.

• Select the device group you created if you only want certain FortiGate units to report to ConnectWise, or select All FortiGates.

• Use the report output template you configured.


Index

A

access profile 48

adding, configuring, defining
  log severity levels 328

administrative access
  interface settings 93
  restricting 91, 93, 107

administrative domains. See ADOMs

administrator
  "admin" account 24, 25, 31
  admin, accessing ADOMs 55
  assigning to ADOM 55
  password 31
  permissions 31

ADOMs 49
  access privileges 48
  accessing as admin administrator 55
  admin account privileges 48
  assigning administrators 55
  disabling 52
  enabling 49
  Global 48
  maximum number 318
  permissions 48
  root 52

aggregation client 132

alerts 121, 128, 130
  testing 125

alias 135

ARP 302

authenticated network scan
  preparing 258

authentication 24

B

backing up log files 288

backing up the configuration
  using the CLI 288
  using web-based manager 287

backup & restore 145

baseline 46

baud rate 314

blocking device connection attempts 168

Boolean operator 279

Bootup issues 312

browse
  network analyzer 273
  sniffer 273

browser 23, 24
  warnings 24

C

cable
  null modem 25

certificate
  default 25
  mismatch 25
  self-signed 24
  warning 24

certificate authority (CA) 24

charts 237
  create a template 220
  pre-defined 219
  view custom templates 222

classifying FortiGate network interfaces 172

CLI
  commands 297
  connecting to 25

clock 61, 62

column view
  network analyzer logs 276

command line interface (CLI) 14, 23, 57, 79, 107
  Console widget 79
  prompt 63

command prompt 63

common name (CN) field 24

communications (COM) port 25

connecting
  web UI 24

connection attempt handling 167

ConnectWise 20

contract 65

count 187

CPU usage 67, 68

D

dashboard 57

data filter 244
  create new 244

data sets 223
  custom 223
  pre-defined 223

database
  SQL 17

DC (duplicate count) 189

default
  administrator account 24, 25, 31
  certificate 25
  IP address 32
  password 14, 24, 25, 26, 27, 31
  settings 24, 25
  URL 24

delete after upload
  network analyzer log 284


device
  adding or deleting 163
  groups 170
  list 155
  maximum number 159
  registration and reports 186
  reports 205
  unregistered vs. registered 159

device communication 19

disk space
  allocated to Network Analyzer 283

DLP archive 183
  backing up 193

DNS server 32, 98
  test connection 301

domain name
  certificate 25

DOS 23

down 92

download
  logs 191, 281
  network analyzer logs 274
  search results 281

E

eDiscovery 195

error
  log level 42

Ethernet 24, 25

event
  log 42

F

factory default settings 24, 25

Federal Information Processing Standards (FIPS) 13

file
  extension 72, 275, 281

filter
  criteria 279
  icon 275, 278, 279
  logs 179
  network analyzer 278
  tip 279
  tips 180

firmware
  install 60
  version 61

formatted view
  network analyzer logs 276

FortiClient 18

FortiGate
  adding 38
  registering 38

FortiGate unit
  registering 37

FortiGuard
  scheduling updates 35
  Vulnerability Management 33

FortiMail 18

Fortinet
  Technical Support 33

Fortinet Discovery Protocol (FDP) 92, 93, 95

Fortinet Distribution Network (FDN) 33

Fortinet Distribution Server (FDS) 33

FortiWeb 18

FTP 283

further reading 39

G

gateway 32

gzip 72, 275, 281, 284

H

HA cluster 163

hard disk 75

historical viewer
  network analyzer 272

host name 24, 63

HTTP 93

HTTPS 24, 91, 93

HyperTerminal 25

I

ICMP 93

importing log files 190

indexed log fields 279

installation 14

interface
  configuring 32

IP address 25, 32

IP alias 135
  resolve host names 186

J

JavaScript 79

K

kernel upgrade 20

L

license information, widget 65

lightweight directory access protocol (LDAP) 142, 145

Linux 302

local console access 79

log
  event 42

log forwarding 134


logs 61
  backing up 193
  configuring 39
  content. See DLP archive
  CSV format 281
  DNS 19
  download 281
  enhancements 18
  FortiClient 18
  FortiMail 18
  FortiWeb 18
  gzip 72, 275, 281
  indexed fields 279
  integrity validation 18
  raw view 278, 279
  search 279
  search tips 182
  unindexed fields 278, 279
  UTM 19

M

mail server 125

maximum transmission unit (MTU) 94

Maximum Values Matrix 318

media access control (MAC) address 93

memory usage 67

menu layout 17

Microsoft
  Internet Explorer 24

migrating data 150

mode
  operation 28

Mozilla Firefox 24

MS Windows 301

N

netmask 32

network
  interface 24, 25
  sniffer 273

network analyzer
  browse 273
  column view 271
  delete after download 284
  download logs 274
  enable 283
  filter 278
  gzip 284
  historical viewer 272
  real-time viewer 270
  resolve host names 271, 273
  roll settings 282
  upload to 283

network analyzer logs
  column view 276
  formatted view 276

network file share (NFS) 13

network interface
  administrative access 93
  status 92

network interfaces, classifying (FortiGate) 172

network share 13, 99

Network Time Protocol (NTP) 32, 61

new disk
  adding for 2000B and 4000B 76

null modem cable 25

O

operation mode 17, 28

P

password 24, 25, 26, 27, 31, 110
  administrator 14
  log upload 284

patch releases 286

performance 57

permissions 31
  access profile 110
  ADOMs 48

ping 40, 93

port
  destination 271
  numbers 298
  scan 13
  source 271

port1 24, 25

ports
  UDP ports 33434-33534 301

powering on 312

prompt 80

protocol
  FTP 283
  SCP 283
  SFTP 283

Q

quarantine 186
  count 187
  duplicate count 189
  ticket number 188

query 142, 145
  DNS 98

R

raid monitor, widget 73

random access memory (RAM) 67

real-time viewer
  network analyzer 270

Register a FortiGate unit 37

remote authentication dial in user service (RADIUS) 113


report
  add a language 229, 252
  add a section 206, 209
  browsing 232
  calendar 225
  chart template 218
  charts 237
  custom 217
  data filter 244
  data filters 244
  data sets 223
  default device 205
  edit a language 250
  edit a layout 237
  edit a section 209
  email filters 19
  enhancements 16
  index based 217
  language 226, 227, 248
  layout 230, 233, 236, 237, 239
  new folder 218
  profiles 237
  redefined 214
  remote output 211
  run 242
  schedule 225
  settings 207
  SQL based 201

report engine, widget 73

resolve host names 186
  network analyzer 271, 273

RJ-45 24, 25

roll settings
  network analyzer 282

root
  administrator account 31

root (Management Administrative Domain) 52

root ADOM 49, 52

router 32

S

scheduled reports
  configuring 233

scheduling 61

scheduling updates 35

SCP 283

search
  DLP archive 183
  download results 281
  Network Analyzer logs 268, 279
  tips 182, 280
  user data 183

secure connection 186

Secure Shell (SSH) 23, 79, 91, 93

security certificate 24

self-signed 24

serial number 61

serial port parameters 313

severity levels (logs) 328

SFTP 283

share 13

simple network management protocol (SNMP)
  system name 63

SMP support 20

sniffer 268, 273
  See also network analyzer

SNMP
  community 128
  event 130
  manager 128
  queries 130

span port 268

special characters 63

SQL
  database 202
  remote database 204
  reports 201

SQL database 17

SSL 61

statistics widget 70

subnet 281

supported RFCs
  1213 126
  2665 126, 317

sync interval 62

Syslog server 130

system information, widget 60

system operation, widget 66

system resources, widget 67

system time 32, 297

T

TACACS+ server 19

Telnet 23, 79, 94

terminal 23, 25

Terminal Access Controller Access-Control System (TACACS+) 114

test
  configuration 40

ticket number 188

time 32, 61

time to live (TTL) 301

time zone 33, 35

traceroute 40, 301

tracert 302

troubleshooting 40, 294
  packet sniffing 303
  routing table 302

trust certificate 24

U

unindexed log fields 278, 279

UNIX 23

unknown 167

unregistered 159, 186

up 92

upgrade
  FortiGuard Vulnerability Management 33


upgrading 291

uptime 297

URL 24

US-ASCII 43, 63

V

verify
  configuration 40

virus
  See quarantine

vulnerability management 254
  assets 256
  database 254
  signatures 254

vulnerability scan 19
  viewing results 265

W

web browser 23, 24
  warnings 24

web filtering 182

web services 95

web UI 24

widget 57
  intrusion activity 89
  license information 65
  log receive monitor 77
  logs/data received 69
  raid monitor 73
  report engine 73
  statistics 70
  system information 60
  system operation 66
  system resources 67
  top email traffic 84
  top ftp traffic 85
  top im/p2p traffic 87
  top traffic 81
  top web traffic 82
  virus activity 88

WSDL file
  obtaining 97
