Fortianalyzer Admin 40 Mr3

    FortiAnalyzer v4.0 MR3 Patch Release 6 Administration Guide

    March 01, 2013

    05-436-164257-20130301

    Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

    Technical Documentation docs.fortinet.com

    Knowledge Base kb.fortinet.com

    Customer Service & Support support.fortinet.com

    Training Services training.fortinet.com

    FortiGuard fortiguard.com

    Document Feedback [email protected]

    Table of Figures

    Logging, analyzing, and reporting workflow ... 25
    Topology of the FortiAnalyzer unit in standalone mode ... 31
    Change operation mode ... 32
    Change operation mode ... 33
    Topology of the FortiAnalyzer units in analyzer/collector mode ... 34
    License information widget ... 37
    FortiGuard Distribution Network window ... 37
    Allowed devices window ... 40
    Edit device window ... 41
    PuTTY console window ... 46
    Packet capture in Notepad ... 47
    Converting sniffer output to .pcap format ... 48
    Viewing sniffer output in Wireshark ... 48
    Backup and restore window ... 49
    Enabling ADOM configuration ... 52
    FortiAnalyzer system menu ... 53
    Create new ADOM ... 53
    New Administrative Domain window ... 54
    Switching to the global ADOM ... 55
    Administrative Domain name ... 55
    Administrative settings window ... 56
    FortiAnalyzer system window ... 57
    FortiAnalyzer system menu ... 58
    FortiAnalyzer system dashboard ... 60
    Adding a widget ... 61
    Widget title bar ... 61
    System information widget ... 63
    Time settings ... 64
    System information widget ... 65
    Change operation mode ... 66
    License information widget ... 67
    Unit operation widget ... 68
    System resources widget ... 69
    Edit system resources settings window ... 70
    Logs/data received widget ... 71
    Edit logs/data received settings window ... 71
    Statistics widget ... 72
    Statistics widget ... 72
    Logs window ... 73
    Log details window ... 74
    Report engine widget ... 75
    Disk monitor widget ... 76
    Status of a failed hard disk on a FAZ-800 unit as shown in the Disk Monitor widget ... 77
    Log receive monitor widget ... 79
    Editing log receive monitor settings ... 79
    Alert message console widget ... 80
    List of all alert messages ... 80
    CLI console widget ... 82
    CLI console widget settings ... 82
    Top traffic widget ... 83
    Top traffic widget settings ... 83
    Top web traffic widget ... 84
    Top web traffic widget settings ... 85
    Top email traffic widget ... 86
    Top email traffic widget settings ... 86
    Top FTP traffic widget ... 87
    Top FTP traffic widget settings ... 88
    Top IM/P2P traffic widget ... 88
    Top IM/P2P traffic widget settings ... 89
    Virus activity widget ... 90
    Virus activity widget settings ... 90
    Intrusion activity widget ... 91
    Intrusion activity widget settings ... 92
    Interface list window ... 93
    Network interfaces ... 94
    Edit interface window ... 94
    Edit interface window ... 97
    Allowed devices window ... 97
    DNS configuration ... 99
    Route list ... 99
    New routing entry window ... 100
    Network share user list ... 101
    User configuration window ... 102
    User group list ... 102
    Group configuration window ... 103
    Windows network share user list ... 104
    Windows share configuration window ... 105
    List of users with NFS share access ... 106
    NFS export configuration window ... 107
    Administrator account list ... 108
    New administrator window ... 109
    Access profile list ... 112
    New access profile window ... 112
    Authentication group list ... 113
    New Auth Group window ... 114
    RADIUS server list ... 114
    New RADIUS server window ... 115
    TACACS+ server list ... 116
    New TACACS+ Server window ... 116
    Administrators settings ... 117
    Monitoring administrators ... 118
    SQL database ... 120
    Database upgrade notice ... 121
    Alert events list ... 122
    Add Alert Event window ... 123
    Mail server list ... 125
    Mail server settings window ... 126
    Test mail server window ... 126
    SNMP access list ... 128

    Fortinet Technologies Inc. Page 4 FortiAnalyzer v4.3.6 Administration Guide

    New SNMP community window ... 130
    Syslog server list ... 131
    New Syslog Server window ... 132
    Test syslog server window ... 132
    Log aggregation client configuration ... 134
    Log aggregation server configuration ... 135
    Log forwarding ... 136
    List of IP aliases ... 137
    RAID settings ... 139
    LDAP server list ... 145
    New LDAP Server window ... 145
    LDAP distinguished name query ... 147
    Backup & Restore page ... 148
    FortiGuard Distribution Network window ... 150
    Migration ... 153
    Migrating configuration settings ... 154
    Device list ... 158
    Add a device to an HA cluster ... 163
    Add device ... 164
    Edit device window ... 167
    Enable FDP packets on an interface ... 168
    Edit Interface ... 168
    Unregistered device options window ... 169
    Blocked devices ... 170
    Block a device ... 171
    Blocked devices ... 172
    Device groups ... 172
    Create new group ... 173
    All device logs ... 176
    Log details window ... 179
    Change display options ... 180
    Column display settings ... 180
    Filter icons ... 181
    Filters window ... 181
    Log search ... 183
    DLP log archive window ... 186
    Quarantine summary ... 188
    Quarantine window ... 189
    Log file list ... 191
    Import log file window ... 193
    Download log file window ... 194
    Device log settings ... 196
    eDiscovery folders list page ... 197
    eDiscovery Config ... 199
    New eDiscovery folder window ... 199
    eDiscovery search window ... 199
    View eDiscovery search window ... 201
    Enable the SQL local database ... 205
    Start time options ... 205
    SQL database window ... 206
    Left-click and right-click menu options ... 207
    Default device reports ... 208
    Add section to default device report ... 209
    Report options window ... 210
    Edit new report section ... 212
    New Report Output ... 214
    Mail server settings window ... 215
    Report settings ... 216
    Report filters ... 217
    Predefined reports page ... 218
    Custom reports window ... 219
    Indexer based reports view options ... 220
    Create a new folder ... 220
    Pre-defined charts window ... 221
    Create new chart template ... 223
    Custom chart template ... 226
    Pre-defined datasets ... 226
    Custom datasets ... 227
    New data set window ... 227
    SQL query console window ... 229
    View calendar and task list ... 230
    Language options window ... 231
    Edit report language window ... 231
    Add report language window ... 233
    Report layout ... 234
    Indexer based reports page ... 235
    View report schedule list window ... 237
    New report schedule window ... 238
    Predefined report layouts window ... 240
    Edit report layout window ... 242
    Create new report layout ... 244
    Add chart to the new report layout ... 244
    Add section to new report layout ... 245
    Add text to new report layout dialog box ... 245
    Run report now window ... 247
    Data filter template menu ... 248
    New data filter ... 249
    Configure report language ... 254
    Edit report language window ... 254
    Add report language window ... 256
    Host asset list page ... 260
    Create asset window ... 261
    Scan schedule list page ... 267
    New scan schedule window ... 268
    Scan result list page ... 269
    Vulnerability scan results page ... 270
    Example network topology for Network Analyzer use ... 273
    Enable Network Analyzer in GUI Menu Customization ... 273
    Configure Network Analyzer settings ... 274
    Real time Network Analyzer logs page ... 275
    Historical Network Analyzer logs page ... 276
    Network analyzer log file list page ... 278
    Download log file window ... 279
    Download a partial (filtered) log file ... 279
    Change Display Options ... 280
    Column display settings window ... 281
    Filter icons in Network Analyzer ... 282
    Filters window ... 282
    Network Analyzer log search window ... 283
    Traffic log settings page ... 287
    File explorer window ... 289
    Firmware upgrade path ... 291
    Backup & Restore menu ... 292
    Firmware version [Update] page ... 296
    Database upgrade notice ... 296
    Enable administrative access on the interface ... 304
    Create a new data set window ... 326
    SQL query test results window ... 327
    Adding a dataset to a chart template ... 374
    Adding a chart to a report ... 375
    Creating a dataset ... 376
    ConnectWise setup tables ... 383
    ConnectWise Integrator login ... 383
    ConnectWise management IT ... 384
    ConnectWise company information ... 385
    ConnectWise configuration menu ... 386

    Table of Contents

    Table of Figures ... 3
    Change Log ... 15
    Introduction ... 16
        Scope ... 17
        Entering FortiAnalyzer configuration data ... 17
            Entering text strings (names) ... 17
            Selecting options from a list ... 18
            Enabling or disabling options ... 18
    What's New in FortiAnalyzer v4.0 MR3 ... 19
        Report enhancements ... 19
            Default device reports ... 19
            Per device report generation ... 19
            Email report option at the device level ... 19
            Report and chart variables support ... 19
            PDF report improvements ... 20
        Web-based Manager changes ... 20
            Menu layout enhancements ... 20
            Operation mode changes ... 20
        Structured Query Language database ... 20
            SQL database compatibility ... 20
            Performance improvements on SQL report generation ... 20
            Local event logs in SQL database ... 20
            Custom fields support in SQL database ... 20
        FortiWeb support ... 21
            FortiWeb integration ... 21
            FortiMail, FortiWeb, and FortiClient logs in SQL database ... 21
        FortiAnalyzer Virtual Machine support ... 21
            VMware ESX/ESXi 5.0 Support ... 21
        Logging enhancements ... 21
            Log file integrity validation ... 21
            Retrieve FortiGate logs on demand ... 21
            Log forwarding IP spoofing ... 21
            UTM logs consolidation ... 21
        Additional enhancements ... 22
            Secure communication between devices ... 22
            Network vulnerability scan ... 22
            SNMP v3 support ... 22
            TACACS+ server ... 22
            DNS log consolidation ... 22
            Email filters for reports ... 22
            Compatibility with ConnectWise ... 22
            SMP support and large storage ... 23
            Federal Information Processing Standard ... 23
    Key Concepts and Workflow ... 24
        Administrative Domains ... 24
        Operation mode ... 24
        Log storage ... 25

    Workflow................................................................................................................ 25

    Setting up the FortiAnalyzer.......................................................................... 26Connecting to the Web-based Manager or CLI..................................................... 26

    Connect to the Web-based Manager .............................................................. 27Connect to the CLI........................................................................................... 28

    Updating the firmware ........................................................................................... 30

    The operation mode............................................................................................... 31Standalone mode............................................................................................. 31Analyzer and collector mode ........................................................................... 31

    Changing the administrator password................................................................... 34

    Configuring the system time and date................................................................... 35

    Configuring basic network settings ....................................................................... 35

    Configuring global settings .................................................................................... 35

    Configuring administrative domains ...................................................................... 36

    Connecting to FortiGuard services........................................................................ 36Configuring scheduled updates....................................................................... 38Manually requesting updates........................................................................... 39

    Collecting device logs............................................................................................ 40Configuring FortiAnalyzer connection attempt handling ................................. 40Configuring disk quota and device privileges.................................................. 40Configuring a FortiGate unit to send logs to the FortiAnalyzer unit................. 41Further reading................................................................................................. 42

    Testing the setup ................................................................................................... 42Troubleshooting tools ...................................................................................... 43

    Backing up the configuration................................................................................. 49

    Administrative Domains................................................................................. 50Configuring ADOMs............................................................................................... 51

    Accessing ADOMs as the admin administrator ..................................................... 57Page 9

  • Assigning administrators to an ADOM................................................................... 57

    System............................................................................................................. 59Viewing the dashboard .......................................................................................... 59

    Customizing the dashboard............................................................................. 60System information widget .............................................................................. 62License Information widget.............................................................................. 67Unit operation widget....................................................................................... 68System resources widget ................................................................................ 69Logs/data received widget .............................................................................. 71Statistics widget............................................................................................... 72Report engine widget....................................................................................... 75Disk monitor widget ......................................................................................... 75Log Receive Monitor widget ............................................................................ 79Alert message console widget......................................................................... 80CLI console widget .......................................................................................... 81Top traffic widget ............................................................................................. 83Top web traffic widget ..................................................................................... 84Top email traffic widget ................................................................................... 86Top FTP traffic widget...................................................................................... 87Top IM/P2P traffic widget ................................................................................ 88Virus activity widget ......................................................................................... 
90Intrusion activity widget ................................................................................... 91

    Configuring network settings................................................................................. 92Configuring the network interfaces.................................................................. 92Configuring DNS .............................................................................................. 99Configuring static routes.................................................................................. 99

    Configuring network shares................................................................................. 100Configuring share users ................................................................................. 101Configuring Windows shares ......................................................................... 104Configuring NFS shares................................................................................. 106

    Configuring administrator related settings........................................................... 108Configuring administrator accounts............................................................... 108

    Configuring the Web-based Managers global settings ...................................... 117

    Monitoring administrators.................................................................................... 118Page 10

  • Configuring log storage & query features ............................................................ 119Configuring SQL database storage ............................................................... 119Configuring alerts........................................................................................... 122Configuring an email server for alerts & reports ............................................ 125Configuring the SNMP agent ......................................................................... 127Configuring syslog servers............................................................................. 131Configuring log aggregation .......................................................................... 133Configuring log forwarding ............................................................................ 135Configuring IP aliases .................................................................................... 137Configuring RAID ........................................................................................... 138Configuring LDAP queries for reports............................................................ 144

    Backing up the configuration and installing firmware.......................................... 147

    Scheduling & uploading vulnerability management updates............................... 149

    Migrating data from one FortiAnalyzer unit to another ........................................ 152

    Importing a local server certificate....................................................................... 156

    Devices .......................................................................................................... 157Configuring connections with devices & their disk space quota......................... 157

    Unregistered vs. registered devices .............................................................. 161Maximum number of devices......................................................................... 161Manually configuring a device or HA cluster ................................................. 162Manually adding a FortiGate unit using the Fortinet Discovery Protocol ...... 167Configuring unregistered device options....................................................... 169Blocking unregistered device connection attempts ...................................... 170

    Configuring device groups................................................................................... 172

    Classifying FortiGate network interfaces ............................................................. 173

    Log & Archive................................................................................................ 175Viewing log messages ......................................................................................... 175

    Viewing Log Details........................................................................................ 179Customizing the log view............................................................................... 179Searching the logs ......................................................................................... 182Viewing DLP archives .................................................................................... 185Viewing quarantined files ............................................................................... 188

    Browsing log files................................................................................................. 191Importing a log file ......................................................................................... 192Downloading a log file.................................................................................... 193

    Backing up logs and archived files ...................................................................... 195

    Configuring rolling and uploading of devices logs.............................................. 195

    Using eDiscovery ................................................................................................. 197Page 11

  • Reports .......................................................................................................... 203SQL based reports............................................................................................... 204

    Enable/disable SQL database ....................................................................... 205Enable/disable remote SQL database ........................................................... 206Left & right click menu tree ............................................................................ 207Default device reports.................................................................................... 208Email/upload remote output .......................................................................... 214Predefined reports ......................................................................................... 217Custom report filters ...................................................................................... 218Custom reports .............................................................................................. 219Advanced report settings............................................................................... 221View report layout .......................................................................................... 234

    Indexer based reports.......................................................................................... 235Viewing scheduled reports............................................................................. 235Configuring report schedules......................................................................... 237Configuring reports ........................................................................................ 240Configuring data filter templates.................................................................... 248Configuring report language .......................................................................... 252

    Network Vulnerability Scan ......................................................................... 258Model support...................................................................................................... 259

    How to use the network vulnerability scan feature.............................................. 259

    Configuring host assets ....................................................................................... 260

    Discovering network host assets......................................................................... 262

    Preparing for authenticated scanning.................................................................. 262Microsoft Windows hosts domain scanning.................................................. 263Microsoft Windows hosts local (non-domain) scanning ................................ 264Unix hosts ...................................................................................................... 265

    Configuring vulnerability scans............................................................................ 265

    Viewing scan results ............................................................................................ 269

    Tools .............................................................................................................. 272Network analyzer ................................................................................................. 272

    Connecting the FortiAnalyzer unit to analyze network traffic ........................ 272Viewing network analyzer log messages ....................................................... 274Browsing network analyzer log files .............................................................. 277Customizing the network analyzer log view................................................... 280Searching the network analyzer logs ............................................................. 283Rolling and uploading network analyzer logs ................................................ 286

    File explorer ......................................................................................................... 289

    Maintaining Firmware .................................................................................. 290Firmware upgrade path and general firmware upgrade steps............................. 290Page 12

  • Backing up your configuration............................................................................. 291Backing up your configuration through the Web-based Manager ................ 291Backing up your configuration through the CLI............................................. 292Backing up your log files................................................................................ 292

    Testing firmware before upgrading/downgrading ............................................... 293

    Installing firmware from the BIOS menu in the CLI ............................................. 295

    Upgrading your FortiAnalyzer unit ....................................................................... 295Upgrading/downgrading through the Web-based Manager ......................... 295Upgrading/downgrading through the CLI ...................................................... 297Verifying the upgrade..................................................................................... 297

    Troubleshooting ........................................................................................... 298Troubleshooting process ..................................................................................... 298

    Establish a baseline ....................................................................................... 298Define the problem......................................................................................... 299Gathering facts............................................................................................... 299Search for a solution ...................................................................................... 300Create a troubleshooting plan ....................................................................... 300Providing supporting elements ...................................................................... 300Gather system information............................................................................. 300Check port assignments ................................................................................ 302Troubleshoot connectivity issues .................................................................. 302

    Run ping and traceroute ...................................................................................... 303Check connections with ping......................................................................... 303Check routes with traceroute......................................................................... 305What traceroute can tell you .......................................................................... 305How to use traceroute ................................................................................... 305

    What can sniffing packets tell you ....................................................................... 306Obtain any required additional equipment..................................................... 307Ensure you have administrator access to required equipment ..................... 307

    Contact customer service & support ................................................................... 307Page 13

  • Troubleshooting FortiAnalyzer issues.................................................................. 308File system issue............................................................................................ 308Report issue................................................................................................... 309Binary files issue ............................................................................................ 309CPU usage issue............................................................................................ 309HA log issue ................................................................................................... 311NFS server connection issue ......................................................................... 311Vulnerability management issues .................................................................. 311Upgrade issue................................................................................................ 312Web-based Manager issue............................................................................ 312Disk usage issue ............................................................................................ 313Device IP issue............................................................................................... 313Running an HQIP for hardware integrity control ............................................ 315Packet capture (CLI sniffer) best practice...................................................... 315No logs received with encryption enabled between a FortiGate unit and a

    FortiAnalyzer unit ......................................................................................... 315Bootup issues ................................................................................................ 316

    Appendix A: SNMP MIB Support................................................................. 321SNMP MIB support.............................................................................................. 321

    Appendix B: Maximum Value Matrix........................................................... 322Maximum values matrix ....................................................................................... 322

    Appendix C: SQL Log Databases................................................................ 325Querying FortiAnalyzer SQL log databases......................................................... 325

    Creating datasets........................................................................................... 325SQL statement syntax errors ......................................................................... 328Connection problems..................................................................................... 329SQL tables ..................................................................................................... 329Examples ....................................................................................................... 374

    Appendix D: Port Numbers.......................................................................... 380Port Numbers....................................................................................................... 380

    Appendix E: ConnectWise ........................................................................... 382FortiAnalyzer compatibility with ConnectWise .................................................... 382

    Index .............................................................................................................. 388Page 14

    Change Log

    Date        Change Description
    2012-02-29  Initial release.
    2012-03-28  Reports chapter updated.
    2012-04-03  Added custom report filter details.
    2012-09-13  Updated document template.
    2013-03-01  Minor document updates.

    Introduction

    Welcome and thank you for selecting Fortinet products for your network protection.

    FortiAnalyzer units are network appliances that provide integrated log collection and reporting tools. Reports analyze logs for email, FTP, web browsing, security events, and other network activity to help identify and mitigate security issues throughout your network.

    In addition to logging and reporting, FortiAnalyzer units also have several major features that augment or enable certain FortiGate unit functionalities, such as DLP archiving and quarantining, and improve your ability to stay informed about the state of your network.

    Logging and reporting: A FortiAnalyzer unit can aggregate and analyze log data from Fortinet and other syslog-compatible devices. Using a comprehensive suite of easily-customized reports, you can filter and review records, including traffic, event, virus, attack, web content, and email data, mining the data to determine your security stance and ensure regulatory compliance. For information about the FortiAnalyzer logging, analyzing, and reporting workflow, see Figure 1 on page 25.

    DLP archive / Data mining: Both FortiGate DLP (Data Leak Prevention) archive logs and their associated copies of files or messages can be stored on and viewed from a FortiAnalyzer unit, leveraging its storage capacity for large media files that can be common with multimedia content. When DLP archives are received by the FortiAnalyzer unit, you can use data filtering similar to other log files to track and locate specific email or instant messages, or to examine the contents of archived files.

    Quarantine repository: A FortiAnalyzer unit can act as a central repository for files that are suspicious or known to be infected by a virus, and have therefore been quarantined by your FortiGate units.

    Network vulnerability scan: A FortiAnalyzer unit can scan your designated target hosts for known vulnerabilities and open TCP and/or UDP ports. When the vulnerability scan is complete, the FortiAnalyzer unit generates a report that describes the discovered security issues and their known solutions.

    FortiAnalyzer units can utilize the FortiGuard subscription service to update their vulnerability databases with new entries added as they are discovered.

    Packet capture: FortiAnalyzer units can log observed packets to diagnose areas of the network where firewall policies may require adjustment, or where traffic anomalies occur.

    File explorer: You can browse through the list of content archive/DLP, quarantine, log, and report files on the FortiAnalyzer unit.

    Network sharing: FortiAnalyzer units can use their hard disks as an NFS or Windows-style network share for FortiAnalyzer reports and logs, as well as users' files.

    FIPS support: Federal Information Processing Standards (FIPS) are supported in some special releases of FortiAnalyzer firmware. Contact Customer Service & Support for more information.

    Introduction Page 16 FortiAnalyzer v4.3.6 Administration Guide

    Scope

    This document describes how to use the Web-based Manager to set up and configure the FortiAnalyzer unit. It assumes you have already successfully installed the FortiAnalyzer unit by following the instructions in the FortiAnalyzer Install Guide.

    At this stage:

    You have administrative access to the Web-based Manager and/or CLI.

    The FortiAnalyzer unit can connect to the Web-based Manager and CLI.

    This document explains how to use the Web-based Manager to:

    maintain the FortiAnalyzer unit, including backups

    configure basic settings, such as system time, DNS settings, administrator password, and network interfaces

    configure advanced features, such as adding devices, DLP archiving, vulnerability management, logging, and reporting

    This document does not cover commands for the command line interface (CLI). For information on the CLI, see the FortiAnalyzer v4.0 MR3 CLI Reference.

    Entering FortiAnalyzer configuration data

    The configuration of a FortiAnalyzer unit is stored as a series of configuration settings in the FortiAnalyzer configuration database. To change the configuration you can use the Web-based Manager or CLI to add, delete or change configuration settings. These configuration changes are stored in the configuration database as they are made.

    Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable).

    Entering text strings (names)

    Text strings are used to name entities in the configuration, for example the name of a report chart, an administrative user, and so on. You can enter any character in a FortiAnalyzer configuration text string, except that, to prevent Cross-Site Scripting (XSS) vulnerabilities, text strings used as FortiAnalyzer configuration names cannot include the following characters:

    " (double quote), & (ampersand), ' (single quote), < (less than), and > (greater than)

    You can determine the limit on the number of characters allowed in a text string by checking how many characters the Web-based Manager or CLI accepts for a given name field. From the CLI, you can also use the tree command to view the number of characters that are allowed. For example, report chart names can contain up to 64 characters. When you add a report chart name in the Web-based Manager, you are limited to entering 64 characters in the report chart name field.

    From the CLI you can do the following to confirm that the report chart name field allows 64 characters:

        config report chart
            edit <chart_name>
                tree
        --- [chart] --*name (64)
                     |- type
                     |- title (128 xss)
                     |- comment (1024)
                     |- dataset (64)
                     +- graph-type

    Note that the tree command output also shows the number of characters allowed for other report chart name settings. For example, the comment field can contain up to 1024 characters.
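    The check the Web-based Manager and CLI apply can be reproduced from the tree output above. The following Python is an added example, not code from the Fortinet guide or the FortiAnalyzer firmware: it parses the field limits out of a constructed copy of the tree output and rejects values that exceed the length limit or, for names and fields marked xss, contain the five characters listed above. Treating the xss marker as "this field gets the character filter too" is my assumption.

```python
import re

# Characters the guide says FortiAnalyzer configuration names may not contain
# (rejected to prevent stored Cross-Site Scripting in the Web-based Manager).
FORBIDDEN_CHARS = frozenset('"&\'<>')

# Constructed copy of the `tree` output for `config report chart`.
# The number in parentheses is the field's maximum length; "xss" marks fields
# that (assumption) the CLI also subjects to the XSS character filter.
TREE_OUTPUT = """\
--- [chart] --*name (64)
             |- type
             |- title (128 xss)
             |- comment (1024)
             |- dataset (64)
             +- graph-type
"""

# One tree line: "*name (64)", "|- title (128 xss)", "+- graph-type", ...
FIELD_RE = re.compile(
    r'(?:\*|-\s)([A-Za-z][A-Za-z0-9_-]*)\s*(?:\((\d+)(\s+xss)?\))?\s*$')


def parse_tree(text):
    """Map each field in `tree` output to (max_len or None, xss_filtered)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue
        name, length, xss = m.group(1), m.group(2), m.group(3)
        fields[name] = (int(length) if length else None, bool(xss))
    return fields


def validate(values, fields):
    """Return {field: reason} for every proposed value that would be rejected."""
    problems = {}
    for field, value in values.items():
        if field not in fields:
            problems[field] = 'unknown field'
            continue
        max_len, xss = fields[field]
        if max_len is not None and len(value) > max_len:
            problems[field] = f'{len(value)} characters exceeds limit of {max_len}'
            continue
        # The guide applies the character filter to configuration *names*;
        # fields flagged xss in the tree output get the same filter (assumption).
        bad = sorted(FORBIDDEN_CHARS & set(value))
        if (field == 'name' or xss) and bad:
            problems[field] = 'forbidden characters: ' + ' '.join(bad)
    return problems


if __name__ == '__main__':
    limits = parse_tree(TREE_OUTPUT)
    proposed = {'name': 'top_web_sites', 'title': 'Top <sites>', 'comment': 'x' * 2000}
    for field, reason in validate(proposed, limits).items():
        print(f'{field}: {reason}')
```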

    Selecting options from a list

    If a configuration field can only contain one of a number of predefined options, the Web-based Manager and CLI present you with a list of acceptable options and you select one from the list. No other input is allowed. From the CLI, you must spell the selected option correctly.

    Enabling or disabling options

    If a configuration field can only be on or off (enabled or disabled), the Web-based Manager shows a check box or other control that can only be enabled or disabled. From the CLI, you set the option to enable or disable.

    What's New in FortiAnalyzer v4.0 MR3

    This chapter lists and describes some of the key changes and new features added to the FortiAnalyzer system. The following list is current as of FortiAnalyzer v4.0 MR3 Patch Release 6. For upgrade information, see the Release Notes available at https://support.fortinet.com, and Maintaining Firmware on page 290.

    Report enhancements

    The FortiAnalyzer system in v4.0 MR3 includes a number of changes and improvements to the report settings, report sections, and report contents. These improve the user experience when generating and working with reports at both the device and group levels. See Reports on page 203 for more information.

    Default device reports

    The FortiAnalyzer includes predefined report layouts at the device level. These report layouts contain a selection of the most commonly used charts and datasets. Each device report can be customized on a device-by-device basis. You can automatically generate reports per device, for all devices assigned to a device group, or for multiple individual devices. See Default device reports on page 208 for more information.

    Per device report generation

    Reports can now be generated per device.

    Email report option at the device level

    The email report option is now available at the device level. A report template created for one device can be pushed to other connected devices. Reports will be emailed per device, per device group, or for multiple individual devices. See Email/upload remote output on page 214 for more information.

    Report and chart variables support

    The following variables are now supported at both the report and chart levels:

    Device

    Time Period

    VDOM

    User (or Source IP) Group (LDAP User Group).

You can define these variables from the Web-based Manager, or from the CLI at the report layout level. If the same variable is defined at both the report and chart levels, the chart level value takes priority and overrides the report level value. See Report settings on page 210 for more information.

    PDF report improvements

    The FortiAnalyzer PDF report has been redesigned with layout and design improvements. The reports have an updated text style and size, headers and footers, introduction pages, tables of contents, and appendix pages.

    Web-based Manager changes

    Menu layout enhancements

    The reports section has been updated to improve the user experience. The report menu includes the following sections:

    Default Device Reports

    Predefined Reports

    Custom Reports

    Advanced (chart, dataset, calendar, language).

    Operation mode changes

You can now select the FortiAnalyzer operation mode (Standalone, Analyzer, or Collector) based on your requirements. For more information, see System information widget on page 62.

    Structured Query Language database

    SQL database compatibility

FortiAnalyzer units save received logs to the default proprietary indexed file storage system and also insert them into the Structured Query Language (SQL) database that is used for generating reports. In this release, the SQL database is the default database for log storage.

    Performance improvements on SQL report generation

    The speed to read log files and insert them into the SQL database has been increased to 10 000 logs per second on high end FortiAnalyzer units.

    Local event logs in SQL database

    The FortiAnalyzer local event logs are now supported by the SQL database.

    Custom fields support in SQL database

In each FortiGate log type, you can define a maximum of five customized fields, using any keyword as the field name. These custom fields can now be transferred into the SQL database and included in the reports that use them.

FortiWeb support

    FortiWeb integration

    You can add FortiWeb units to FortiAnalyzer units and view the FortiWeb logs on the FortiAnalyzer units. You can also generate reports using the collected FortiWeb logs.

    FortiMail, FortiWeb, and FortiClient logs in SQL database

    In this release, similar to FortiGate logs, FortiMail, FortiWeb, and FortiClient logs can be inserted into the SQL database and are supported by SQL-based reports.

    FortiAnalyzer Virtual Machine support

    VMware ESX/ESXi 5.0 Support

    FortiAnalyzer VM now supports VMware ESX/ESXi versions 4.0, 4.1 and 5.0.

    Logging enhancements

    Log file integrity validation

You can use the execute log-integrity command to query a log file's recorded MD5 checksum and timestamp and confirm that the log file has not been modified since the hash was recorded. This command only applies to:

rolled log files with an MD5 hash recorded

a local log containing the MD5 hash of the log files downloaded from the FortiAnalyzer Web-based Manager.

You cannot apply this command to an active log file. Note that the check only detects modification by someone who cannot also rewrite the recorded hash, and that MD5 is no longer collision resistant; if log files are kept as evidence, also record their hashes on a separate system at download time.

For more information, see the FortiAnalyzer CLI Reference.

    Retrieve FortiGate logs on demand

    In addition to receiving logs sent from the devices, you can manually retrieve logs stored on a FortiGate. For more information, see To edit a device and retrieve the devices logs: on page 166.

    Log forwarding IP spoofing

    You can select to retain a device's IP in the log packets when configuring log forwarding in the CLI. For more information, see the config log forwarding command in the FortiAnalyzer CLI Reference.

    UTM logs consolidation

IPS (Attack), Application Control, Web Filter, AntiVirus, Data Leak (DLP), and Email Filter logs are merged into a Unified Threat Management log when you enable the option in System > Admin > Settings. For more information, see Log & Archive on page 175.

Additional enhancements

    Secure communication between devices

    SSL FTP secure communications can be established between a FortiAnalyzer unit and a FortiGate or FortiManager unit. In the FortiAnalyzer CLI, you can choose the encryption algorithm for secure communications.

    Network vulnerability scan

    Network Vulnerability Scan replaces Vulnerability Management to configure vulnerability scans and view the scan results. For more information, see Network Vulnerability Scan on page 258.

    SNMP v3 support

    The FortiAnalyzer SNMP v3 implementation includes support for queries, traps, authentication, and privacy. This is configured only with the CLI. For more information, see config system snmp in the FortiAnalyzer CLI Reference.

    TACACS+ server

    You can configure the FortiAnalyzer unit to have a TACACS+ server perform the user authentication. For more information, see Configuring TACACS+ servers on page 115.

    DNS log consolidation

    The logs can be consolidated under a single domain instead of the specific uniform resource identifier (URI) of the server when users visit websites that use multiple DNS servers, such as google.com and yahoo.com. This leads to better report consolidation.

    Email filters for reports

    Email filters for senders and recipients are added to the report data filters. These new filters behave similarly to the existing filters. Each new filter can support a list of email addresses.

    Compatibility with ConnectWise

The FortiAnalyzer unit integrates with the ConnectWise Management Services Platform (MSP) by providing statistics from FortiGate logs and reports for the MSP's Executive Summary report. The statistics include:

    Top 10 web sites

    Top 10 intrusions prevented

    Top 10 web filter categories

    Total bandwidth usage

    Total number of events

For more information, see FortiAnalyzer compatibility with ConnectWise on page 382.

SMP support and large storage

    The FortiAnalyzer units filesystem and kernel have been upgraded to support:

    64-bit kernel.

ext4, enabling the FortiAnalyzer unit to use storage beyond the current limit of 16 TB. For information on enabling or disabling ext4, see the execute formatlogdisk-ext4 command in the FortiAnalyzer CLI Reference. Back up log and quarantine files before running this command: it erases all data on the hard disk, including quarantine and log files. Formatting as ext4 also takes longer than formatting as ext3.

    SMP in kernel/build environment, enabling the FortiAnalyzer processing to scale up when using multi-core CPUs.

    Federal Information Processing Standard

A FIPS compliant firmware image is now available for FortiAnalyzer v4.0 MR3.

Key Concepts and Workflow

This chapter defines basic FortiAnalyzer concepts and terms.

If you are new to FortiAnalyzer, this chapter can help you to quickly understand this document and your FortiAnalyzer platform.

This topic includes:

Administrative Domains

Operation mode

Log storage

Workflow

Administrative Domains

FortiAnalyzer Administrative Domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer administrators' access privileges to a subset of devices in the device list. For Fortinet devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific device's VDOM.

For more information, see Administrative Domains on page 24.

Operation mode

The FortiAnalyzer unit has three operation modes:

Standalone: The default mode that supports all FortiAnalyzer features.

Analyzer: The mode used for aggregating logs from one or more log collectors. In this mode, the log aggregation configuration function is disabled.

Collector: The mode used for saving and uploading logs. For example, instead of writing logs into the database, the collector can retain the logs in original (binary) format for uploading. In this mode, the report function and some functions under System and Tools are disabled.

The analyzer and collector modes are used together to increase the analyzer's performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

The mode of operation that you choose will depend on your network topology and individual requirements. For information about appropriate network topologies for each mode of operation, see Operation modes on page 12.

The FortiAnalyzer 100 and 400 models do not support the analyzer mode.

Log storage

    The FortiAnalyzer unit saves logs received to the default proprietary indexed file storage system which is always ready to accept log data. It can also insert the log data into the Structured Query Language (SQL) database for generating reports. Both local and remote SQL database options are supported.

    For more information, see Reports on page 203.

    Workflow

    Once you have successfully deployed the FortiAnalyzer device on your network, using and maintaining your FortiAnalyzer unit involves the following:

    Configuration of optional features, and re-configuration of required features if required by changes to your network

    Backups

    Updates

    Monitoring reports, logs, and alerts

    Figure 1 illustrates the process of data logging, data analyzing, and report generation by the FortiAnalyzer unit in standalone or analyzer mode.

Figure 1: Logging, analyzing, and reporting workflow

Setting up the FortiAnalyzer

    After physically installing your FortiAnalyzer unit, you need to set up the unit by performing some basic configuration so that the FortiAnalyzer unit can receive logs from Fortinet devices, analyze the logs, and generate reports.

    You can set up your FortiAnalyzer unit in standalone, analyzer, or collector mode, depending on your network topology and requirements. For more information, see The operation mode on page 31.

This chapter serves as a road map for getting the FortiAnalyzer unit up and running. Detailed configuration is described in the other chapters of this guide.

    Only the configuration procedures through the Web-based Manager are provided. For configuration procedures through the CLI, see the FortiAnalyzer v4.0 MR3 CLI Reference.

    This chapter includes:

    Connecting to the Web-based Manager or CLI

    Updating the firmware

    The operation mode

    Changing the administrator password

    Configuring the system time and date

    Configuring basic network settings

    Configuring global settings

    Configuring administrative domains

    Connecting to FortiGuard services

    Collecting device logs

    Testing the setup

    Backing up the configuration

    Connecting to the Web-based Manager or CLI

    To configure, maintain, and administer your FortiAnalyzer unit, you need to connect to it. There are two methods that you can use:

    the Web-based Manager from within a web browser

the command line interface (CLI), an interface similar to DOS or UNIX commands, from a Secure Shell (SSH) or Telnet terminal. Telnet sends the administrator password in cleartext, so use SSH unless the link is an isolated console network.

    Access to the CLI and/or Web-based Manager will not yet be configured if:

    you are connecting for the first time

    you have just reset the configuration to its default state

you have just restored the firmware.

In these cases, you must access either interface using the default settings.

    After you connect, you can use the Web-based Manager or CLI to configure basic network settings and access the CLI and/or Web-based Manager through your network. However, if you want to update the firmware, you may want to do so before continuing. See Updating the firmware on page 30.

    Connect to the Web-based Manager

To connect to the Web-based Manager using its default settings, you must have:

a computer with an RJ-45 Ethernet network port

a web browser such as Microsoft Internet Explorer or Mozilla Firefox

a crossover network cable

Table 1: Default settings for connecting to the Web-based Manager

Network Interface port1

URL https://192.168.1.99/

Administrator Account admin

Password (none)

If the conditions listed above do not apply (this is not a first connection, a configuration reset, or a firmware restore), access the Web-based Manager using the IP address, administrative access protocol, administrator account, and password already configured, instead of the default settings.

Until the FortiAnalyzer unit is configured with an IP address and connected to your network, you may prefer to connect the FortiAnalyzer unit directly to your management computer, or through a switch, in a peer network that is isolated from your overall network. Isolation is not required, but making the first connection on an isolated link is what makes the self-signed certificate and SSH host key you accept during it trustworthy.

To connect to the Web-based Manager:

1. On your management computer, configure the Ethernet port with the static IP address 192.168.1.2 with a netmask of 255.255.255.0.

2. Using the Ethernet cable, connect your computer's Ethernet port to the FortiAnalyzer unit's port1.

3. Start your browser and enter the URL https://192.168.1.99.

To support HTTPS authentication, the FortiAnalyzer unit ships with a self-signed security certificate, which it presents to clients whenever they initiate an HTTPS connection to the FortiAnalyzer unit. When you connect, depending on your web browser and prior access of the FortiAnalyzer unit, your browser might display two security warnings related to this certificate:

The certificate is not automatically trusted because it is self-signed, rather than being signed by a valid certificate authority (CA). Self-signed certificates cannot be verified with a proper CA, and therefore might be fraudulent. You must manually indicate whether or not to trust the certificate.

The certificate might belong to another web site. The common name (CN) field in the certificate, which usually contains the host name of the web site, does not exactly match the URL you requested. This could indicate server identity theft, but could also simply indicate that the certificate contains a domain name while you have entered an IP address. You must manually indicate whether this mismatch is normal or not.

Both warnings are normal for the default certificate.

4. Verify and accept the certificate, either permanently (the web browser will not display the self-signing warning again) or temporarily. You cannot log in until you accept the certificate. If you accept it permanently, record its fingerprint now, while the unit is on the isolated network, so that a different certificate presented later is recognisable.

    For details on accepting the certificate, see the documentation for your web browser.

5. In the Name field, type admin, then select Login. (In its default state, there is no password for this account; set one as soon as basic setup is complete. See Changing the administrator password.)

    Login credentials entered are encrypted before they are sent to the FortiAnalyzer unit. If your login is successful, the Web-based Manager appears.

    To continue by updating the firmware, see Updating the firmware on page 30. Otherwise, to continue by configuring the basic settings, see The operation mode on page 31.

    Connect to the CLI

    Using its default settings, you can access the CLI from your management computer in two ways:

    a local serial console connection

    an SSH connection, either local or through the network

    To connect to the CLI using a local serial console connection, you must have:

    a computer with a serial communications (COM) port

    the RJ-45-to-DB-9 serial or null modem cable included in your FortiAnalyzer package

    terminal emulation software, such as HyperTerminal for Microsoft Windows

    To connect to the CLI using an SSH connection, you must have:

    a computer with an RJ-45 Ethernet port

    a crossover Ethernet cable

    an SSH client, such as PuTTY

    For more information on available CLI commands, see the FortiAnalyzer v4.0 MR3 CLI Reference.

    Table 2: Default settings for connecting to the CLI by SSH

    Network Interface port1

    IP Address 192.168.1.99

    SSH Port Number 22

    Administrator Account admin

    Password (none)

If this is not a first connection, a configuration reset, or a firmware restore, administrative access settings may already have been configured. In this case, access the CLI using the IP address, administrative access protocol, administrator account, and password already configured instead of the default settings.

To connect to the CLI using a local serial console connection:

The following procedure uses Microsoft HyperTerminal. Steps may vary with other terminal emulators.

1. Using the RJ-45-to-DB-9 or null modem cable, connect your computer's COM port to the FortiAnalyzer unit's console port.

2. Verify that the FortiAnalyzer unit is powered on.

3. On your management computer, start HyperTerminal.

4. On Connection Description, enter a Name for the connection and select OK.

5. On Connect To, from Connect using, select the COM port to which you connected the FortiAnalyzer unit.

6. Select OK.

7. Select the following Port settings and select OK.

Bits per second 9600

Data bits 8

Parity None

Stop bits 1

Flow control None

8. Press Enter.

The terminal emulator connects to the CLI and the CLI displays a login prompt.

9. Type admin and press Enter twice. (In its default state, there is no password for this account.)

The CLI displays a prompt, such as:

FortiAnalyzer #

You can now enter commands.

To continue by updating the firmware, see Updating the firmware on page 30. Otherwise, to continue by configuring the basic settings, see The operation mode on page 31. For information about how to use the CLI, see the FortiAnalyzer v4.0 MR3 CLI Reference.

To connect to the CLI using an SSH connection:

The following procedure uses PuTTY. Steps may vary with other SSH clients.

1. On your management computer, configure the Ethernet port with the static IP address 192.168.1.2 with a netmask of 255.255.255.0.

2. Using the Ethernet cable, connect your computer's Ethernet port to the FortiAnalyzer unit's port1.

3. Verify that the FortiAnalyzer unit is powered on.

4. On your management computer, start your SSH client.

5. In Host Name (or IP Address), type 192.168.1.99.

6. In Port, type 22.

7. From Connection type, select SSH.

8. Select Open.

    The SSH client connects to the FortiAnalyzer unit.

The SSH client may display a warning if this is the first time you are connecting to the FortiAnalyzer unit and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiAnalyzer unit but it used a different IP address or SSH key. If your management computer is directly connected to the FortiAnalyzer unit with no network hosts between them, this is normal. On a shared network, a changed key for a unit you have connected to before is not normal: confirm the reason for the change before accepting it.

    9. Select Yes to verify the fingerprint and accept the FortiAnalyzer units SSH key. You cannot log in until you accept the key.

    The CLI displays a login prompt.

10. Type admin and press Enter. (In its default state, there is no password for this account.)

    The CLI displays a prompt, such as:

    FortiAnalyzer #

    You can now enter commands.

    To continue by updating the firmware, see Updating the firmware on page 30. Otherwise, to continue by configuring the basic settings, see The operation mode on page 31. For information about how to use the CLI, see the FortiAnalyzer CLI Reference.
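The procedures above accept the unit's self-signed certificate and SSH host key on trust during the isolated first connection. A practitioner will want to record both fingerprints at that point and check them on every later connection from the network, rather than clicking through the warnings again. The script below is an added example for this guide, not part of the original document or of Fortinet's tooling. It assumes openssl, ssh-keyscan and ssh-keygen on the management computer, the default address 192.168.1.99 and ports 443 and 22 from Tables 1 and 2, and two PINNED_* values that are placeholders to be replaced with the fingerprints you recorded.

```shell
#!/bin/sh
# Added example, not Fortinet code: pin the FortiAnalyzer unit's self-signed
# HTTPS certificate and SSH host key once (recorded over the isolated first
# connection) and verify both on every later connection from the network.
# Assumes openssl(1), ssh-keyscan(1) and ssh-keygen(1) on the management
# computer. The two PINNED_* values are placeholders (assumption): replace
# them with the fingerprints you recorded.

FAZ_HOST="${FAZ_HOST:-192.168.1.99}"   # default management address (Table 1)
FAZ_HTTPS_PORT=443
FAZ_SSH_PORT=22                        # default SSH port (Table 2)
PINNED_TLS_SHA256="00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
PINNED_SSH_SHA256="SHA256:REPLACE_WITH_RECORDED_HOST_KEY_FINGERPRINT"

# Read `openssl x509 -noout -fingerprint -sha256` output on stdin and print the
# colon-separated hex digest, upper-cased so that OpenSSL versions printing
# "sha256 Fingerprint=" and "SHA256 Fingerprint=" compare the same way.
tls_fp_from_x509_output() {
    sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p' | tr -d ' \t\r' | tr 'a-f' 'A-F'
}

# Read `ssh-keygen -lf` output on stdin (one line per key, possibly several
# key types) and print the "SHA256:..." fingerprint of each line.
ssh_fps_from_keygen_output() {
    awk '$2 ~ /^SHA256:/ { print $2 }'
}

# Compare two hex fingerprints, ignoring case and stray whitespace.
# An empty fingerprint never matches (a failed fetch must not look like a pass).
fp_matches() {
    a=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when the pinned SSH fingerprint ($1) is one of those in the
# ssh-keygen -lf output passed as $2. Base64 fingerprints are case-sensitive,
# so this is an exact, whole-line match.
ssh_pin_present() {
    printf '%s\n' "$2" | ssh_fps_from_keygen_output | grep -qxF -- "$1"
}

# Network helpers: fetch the live fingerprints from the unit.
live_tls_fp() {
    openssl s_client -connect "$FAZ_HOST:$FAZ_HTTPS_PORT" -servername "$FAZ_HOST" \
        </dev/null 2>/dev/null \
      | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
      | tls_fp_from_x509_output
}
live_ssh_keygen_output() {
    ssh-keyscan -p "$FAZ_SSH_PORT" "$FAZ_HOST" 2>/dev/null \
      | ssh-keygen -lf /dev/stdin 2>/dev/null
}

# Verify both pins; returns 0 only when both match. A mismatch on a network
# you do not fully control is a reason to stop and investigate, not to click
# through the warning.
verify_faz() {
    status=0
    actual_tls=$(live_tls_fp)
    if fp_matches "$PINNED_TLS_SHA256" "$actual_tls"; then
        echo "HTTPS certificate fingerprint matches pin"
    else
        echo "HTTPS certificate fingerprint MISMATCH: got '${actual_tls:-<none>}'" >&2
        status=1
    fi
    keygen_out=$(live_ssh_keygen_output)
    if ssh_pin_present "$PINNED_SSH_SHA256" "$keygen_out"; then
        echo "SSH host key fingerprint matches pin"
    else
        echo "SSH host key fingerprint MISMATCH: got '${keygen_out:-<none>}'" >&2
        status=1
    fi
    return "$status"
}

# Only touch the network when invoked with --check, so that the functions
# above can be sourced and exercised offline.
if [ "${1:-}" = "--check" ]; then
    verify_faz
fi
```

Run it as `sh faz-pin.sh --check` (the file name is arbitrary) once the pins are filled in; invoked without `--check` it only defines the functions. The hex comparison is deliberately tolerant of the case differences between OpenSSL versions, while the SSH fingerprint is compared exactly because base64 is case-sensitive, and an empty fetched fingerprint is treated as a failure rather than a match.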

    Updating the firmware

    Your new FortiAnalyzer appliance comes with the latest firmware when shipped. However, if a new version has been released since your appliance was shipped, you should install it before you continue the installation.

    Fortinet periodically releases FortiAnalyzer firmware updates that include enhancements and address issues. After you register your FortiAnalyzer unit, FortiAnalyzer firmware is available for download at https://support.fortinet.com.

    New firmware can also introduce new features which you must configure for the first time.

    For information specific to the firmware release version, see the Release Notes available with that release.

    For more information, see Maintaining Firmware on page 290.

    If three incorrect login attempts occur in a row, you will be disconnected. Wait for one minute, then reconnect to attempt the login again.

Before you can download firmware updates for your FortiAnalyzer unit, you must first register your FortiAnalyzer unit with Customer Service & Support. For details, go to https://support.fortinet.com/ or contact Customer Service & Support.

The operation mode

    Once the FortiAnalyzer unit is installed, powered on, physically connected to your network, and you have connected to either the FortiAnalyzer units Web-based Manager or CLI, you must configure the operation mode.

The FortiAnalyzer unit has three operation modes: standalone, analyzer, and collector. The analyzer and collector modes are used together to increase the analyzer's performance. For a description of each mode, see Operation mode in the Key Concepts and Workflow chapter; for how to change the mode, see System information widget on page 62.

    Standalone mode

    The standalone mode is the default mode that supports all FortiAnalyzer features. If your network log volume is reasonable and does not compromise the performance of your FortiAnalyzer unit, you can choose this mode.

Figure 2 illustrates the network topology of the FortiAnalyzer unit in standalone mode.

Figure 2: Topology of the FortiAnalyzer unit in standalone mode (labels: LAN; FortiAnalyzer unit; External SQL database for log; Monitored devices that send logs to the FortiAnalyzer unit for analyzing and reporting)

Analyzer and collector mode

The analyzer and collector modes are used together to increase the analyzer's performance. The collector provides a buffer to the analyzer by off-loading the log receiving task from the analyzer. Since log collection from the connected devices is the dedicated task of the collector, its log receiving rate and speed are maximized.

In most cases, the volume of logs fluctuates dramatically during a day or week. You can deploy a collector to receive and store logs during the high traffic periods and transfer them to the analyzer during the low traffic periods. As a result, the performance of the analyzer is guaranteed as it will only deal with log insertion and reporting when the log transfer process is over.

    As illustrated in Figure 5: company A has two remote branch networks protected by multiple FortiGate units. The networks generate large volumes of logs which fluctuate significantly during a day. It used to have a FAZ-4000A in standalone mode to collect logs from the FortiGate units and generate reports. To further boost the performance of the FAZ-4000A, the company deploys a FAZ-400B in collector mode in each branch to receive logs from the FortiGate units during the high traffic period and

