FortiAnalyzer™ Version 4.0 MR2 Administration Guide

Upload: eric-hess

Post on 21-Apr-2015


Page 1

FortiAnalyzer™

Version 4.0 MR2 Administration Guide

Page 2

FortiAnalyzer™ Administration Guide
Version 4.0 MR2
21 March 2011
Revision 13

© Copyright 2011 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks

Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Regulatory compliance

FCC Class A Part 15 CSA/CUS

Caution: Risk of explosion if the battery on the main board is replaced by an incorrect type. Dispose of used batteries according to instructions.

Caution: The Fortinet equipment is intended for installation in a Restricted Access Location.

Page 3

Contents

Introduction ..... 13
  Registering your Fortinet product ..... 14
  Customer service & technical support ..... 14
  Training ..... 15
  Documentation ..... 15
  Scope ..... 15
  Conventions ..... 16
    IP addresses ..... 16
    Cautions, Notes and Tips ..... 16
    Typographical conventions ..... 16
    Command syntax conventions ..... 17
  Entering FortiOS configuration data ..... 19
    Entering text strings (names) ..... 19
    Selecting options from a list ..... 20
    Enabling or disabling options ..... 20

What’s new ..... 21

About the web-based manager ..... 23
  System requirements ..... 23
  URL for access ..... 23
  Settings ..... 24

About administrative domains (ADOMs) ..... 25
  Configuring ADOMs ..... 27
  Accessing ADOMs as the admin administrator ..... 32
  Assigning administrators to an ADOM ..... 32

System ..... 35
  Viewing the dashboard ..... 35
    System Information widget ..... 38
      Configuring the time & date ..... 38

FortiAnalyzer™ Version 4.0 MR2 Administration Guide  Revision 13  3
http://docs.fortinet.com/ • Feedback

Page 4


      Configuring the FortiAnalyzer unit’s host name ..... 39
    License Information widget ..... 40
    Unit Operation widget ..... 41
    System Resources widget ..... 41
    Logs/Data Received widget ..... 43
    Statistics widget ..... 44
    Report Engine widget ..... 47
    Disk Monitor widget ..... 47
      Hot-swapping hard disks ..... 49
      Adding new disks for FortiAnalyzer 2000B/4000B ..... 50
    Log Receive Monitor widget ..... 50
    Alert Message Console widget ..... 51
    CLI Console widget ..... 53
    Top Traffic widget ..... 54
    Top Web Traffic widget ..... 56
    Top Email Traffic widget ..... 57
    Top FTP Traffic widget ..... 58
    Top IM/P2P Traffic widget ..... 59
    Virus Activity widget ..... 61
    Intrusion Activity widget ..... 62
  Configuring network settings ..... 63
    Configuring the network interfaces ..... 63
      About Fortinet Discovery Protocol ..... 66
      Configuring and using FortiAnalyzer web services ..... 66
    Configuring DNS ..... 69
    Configuring static routes ..... 69
  Configuring network shares ..... 70
    Configuring share users ..... 71
      Configuring share user groups ..... 72
    Configuring Windows shares ..... 73
    Configuring NFS shares ..... 75
      Default file permissions on NFS shares ..... 76
  Configuring administrator-related settings ..... 77
    Configuring administrator accounts ..... 77
      Changing an administrator’s password ..... 79
      Configuring access profiles ..... 80
      Configuring authentication groups ..... 81
      Configuring RADIUS servers ..... 82
  Configuring the web-based manager’s global settings ..... 84
  Monitoring administrators ..... 85


Page 5


  Configuring log storage & query features ..... 85
    Configuring SQL database storage ..... 85
    Configuring alerts ..... 87
    Configuring an email server for alerts & reports ..... 89
    Configuring report output templates ..... 91
    Configuring the SNMP agent ..... 94
      Configuring an SNMP community ..... 96
    Configuring Syslog servers ..... 98
    Configuring log aggregation ..... 100
      Configuring an aggregation client ..... 101
      Configuring an aggregation server ..... 102
    Configuring log forwarding ..... 103
    Configuring IP aliases ..... 104
      Importing IP aliases ..... 105
    Configuring RAID ..... 106
      Supported RAID levels ..... 108
      RAID array capacity ..... 111
    Configuring LDAP queries for reports ..... 111
      Querying for the base DN ..... 114
  Backing up the configuration & installing firmware ..... 114
  Scheduling & uploading vulnerability management updates ..... 116
  Migrating data from one FortiAnalyzer unit to another ..... 117
    Actions during the migration process ..... 120
  Importing a local server certificate ..... 121

Devices ..... 123
  Configuring connections with devices & their disk space quota ..... 123
    Unregistered vs. registered devices ..... 126
    Maximum number of devices ..... 126
    Configuring IPSec secure connections between the FortiAnalyzer unit and a device or an HA cluster ..... 128
    Manually adding or deleting a device or HA cluster ..... 129
    Manually adding a FortiGate unit using the Fortinet Discovery Protocol (FDP) ..... 131
    Configuring unregistered device options ..... 133
    Blocking unregistered device connection attempts ..... 134
  Configuring device groups ..... 136
  Classifying FortiGate network interfaces ..... 137

Log & Archive ..... 139
  Viewing log messages ..... 139
    Customizing the log view ..... 142
      Displaying and arranging log columns ..... 143
      Filtering logs ..... 144
      Filtering tips ..... 145
      Searching the logs ..... 146


Page 6


      Search tips ..... 148
    Viewing DLP archives ..... 149
    Viewing quarantined files ..... 151
  Browsing log files ..... 154
    Importing a log file ..... 155
    Downloading a log file ..... 156
  Backing up logs and archived files ..... 158
  Configuring rolling and uploading of devices’ logs ..... 158
  Using eDiscovery ..... 160

Reports ..... 167
  Configuring reports from logs in the proprietary indexed file system ..... 167
    Configuring a report layout ..... 168
      Adding charts, sections, and texts ..... 171
      Editing charts in a report layout ..... 173
    Configuring data filter templates ..... 178
    Configuring report schedules ..... 181
    Configuring language ..... 184
    Example reports (file system-based) ..... 188
      Example: FortiGate report ..... 188
      Example: FortiClient report ..... 191
      Example: FortiMail report ..... 194
  Configuring reports from logs in a SQL database ..... 197
    Configuring report chart templates ..... 197
    Configuring data sets ..... 201
    Uploading graphics for reports ..... 203
    Configuring report profiles ..... 204
    Adding report dashboards and widgets ..... 207
    Example reports (SQL-based) ..... 208
      Example: FortiGate report ..... 208
  Browsing reports ..... 210

Vulnerability Management ..... 213
  How to use vulnerability management ..... 214
  Configuring host assets ..... 214
    Grouping host assets ..... 216
  Discovering network host assets ..... 217
    Viewing network map reports ..... 220
  Preparing for authenticated scanning ..... 223
    Microsoft Windows hosts - domain scanning ..... 224
      Group Policy - Security Options ..... 224
      Group Policy - System Services ..... 224


Page 7


      Group Policy - Administrative Templates ..... 224
    Microsoft Windows hosts - local (non-domain) scanning ..... 225
      Windows firewall settings ..... 225
    Unix hosts ..... 225
  Configuring vulnerability scans ..... 226
    Configuring vulnerability sensors ..... 226
    Configuring vulnerability scan profiles ..... 231
    Scheduling vulnerability scans ..... 234
    Viewing vulnerability scan reports ..... 235
  Viewing host vulnerability statuses ..... 239
    Vulnerabilities by severity level & top 10 categories ..... 239
    Top 10 vulnerable hosts by business risk ..... 239
    Top 10 vulnerabilities ..... 241
  Viewing the vulnerability database ..... 242
  Configuring compliance report templates ..... 243
  Viewing compliance reports ..... 245
    About PCI DSS compliance reports ..... 247
  Configuring authenticated network scan ..... 248

Tools ..... 257
  Network Analyzer ..... 257
    Connecting the FortiAnalyzer unit to analyze network traffic ..... 257
    Viewing network analyzer log messages ..... 259
      Viewing current network analyzer log messages ..... 259
      Viewing historical network analyzer log messages ..... 261
    Browsing network analyzer log files ..... 262
      Viewing network analyzer log file contents ..... 263
      Downloading a network analyzer log file ..... 263
    Customizing the network analyzer log view ..... 264
      Displaying and arranging log columns ..... 265
      Filtering logs ..... 266
      Filtering tips ..... 267
    Searching the network analyzer logs ..... 268
      Search tips ..... 269
      Printing and downloading the search results ..... 270
    Rolling and uploading network analyzer logs ..... 270
  File Explorer ..... 273

Maintaining firmware ..... 275
  Firmware upgrade path and general firmware upgrade steps ..... 275
  Backing up your configuration ..... 276
    Backing up your configuration through the web-based manager ..... 276
    Backing up your configuration through the CLI ..... 276
    Backing up your log files ..... 276


Page 8


  Testing firmware before upgrading/downgrading ..... 277
  Installing firmware from the BIOS menu in the CLI ..... 279
  Upgrading your FortiAnalyzer unit ..... 279
    Upgrading/downgrading through the web-based manager ..... 279
    Upgrading/downgrading through the CLI ..... 280
    Verifying the upgrade ..... 281

Best practices and fine tuning ..... 283
  System security tuning ..... 283
  System maintenance tips ..... 283
  Performance tuning ..... 284

Troubleshooting ..... 285
  Troubleshooting process ..... 285
    Establish a baseline ..... 285
    Define the problem ..... 285
    Gathering Facts ..... 286
    Search for a solution ..... 286
      Technical Documentation ..... 286
      Release Notes ..... 287
      Knowledge Center ..... 287
      Fortinet Technical Discussion Forums ..... 287
      Fortinet Training Services Online Campus ..... 287
    Create a troubleshooting plan ..... 287
      Providing Supporting Elements ..... 287
    Gather system information ..... 288
    Check port assignments ..... 288
    Troubleshoot connectivity issues ..... 289
      Check hardware connections ..... 289
      Run ping and traceroute ..... 290
      Check routes with traceroute ..... 291
      Verify the contents of the routing table ..... 292
      Verify the contents of the ARP table ..... 292
      Perform a sniffer trace ..... 293
    Obtain any required additional equipment ..... 293
    Ensure you have administrator level access to required equipment ..... 293
    Contact Fortinet customer support for assistance ..... 293
  Troubleshooting FortiAnalyzer issues ..... 294
    Report issue ..... 294
      Solution ..... 294
    Binary files issue ..... 294
      Solution ..... 295
    CPU usage issue ..... 295
      Solution ..... 295
    HA log issue ..... 296


Page 9


      Solution ..... 296
    NFS server connection issue ..... 296
      Solution ..... 297
    Vulnerability management issues ..... 297
      Problem ..... 297
      Solution ..... 297
      Problem ..... 297
      Solution ..... 297
    Upgrade issue ..... 298
      Solution ..... 298
    Web-based manager issue ..... 298
      Solution ..... 298
    Disk usage issue ..... 299
      Solution ..... 299
    Device IP issue ..... 299
      Solution ..... 299
    Running an HQIP for hardware integrity control ..... 300
    Packet capture (CLI sniffer) best practice ..... 300
    No logs received with encryption enabled between a FortiGate unit and a FortiAnalyzer unit ..... 301
    Bootup issues ..... 302
      A. You have text on the screen, but you have problems ..... 302
      B. You do not see the boot options menu ..... 302
      C. You have problems with the console text ..... 303
      D. You have visible power problems ..... 303
      E. You have a suspected defective FortiAnalyzer unit ..... 304
      Examples: Error message "EXT3-fs error (device...)" ..... 304

FortiAnalyzer™ Version 4.0 MR2 Administration Guide 9
http://docs.fortinet.com/ • Feedback


Appendix A: SNMP MIB support ..... 307
Appendix B: Report templates ..... 309
  FortiGate report templates ..... 309
    Intrusion Activity ..... 310
    Antivirus Activity ..... 310
    Webfilter Activity ..... 312
    Email Filter Activity ..... 314
    IM Activity ..... 314
    DLP Activity ..... 315
    Network Analysis ..... 316
    Web Activity ..... 317
    Mail Activity ..... 318
    FTP Activity ..... 319
    Terminal Activity ..... 320
    VPN Activity ..... 321
    Event Activity ..... 321
    P2P Activity ..... 322
    VoIP Activity ..... 324
    Data Leak Activity ..... 326
    Application Control Activity ..... 327
    Network Scan ..... 327
    Application_Control ..... 327
    Intrusion_Detection ..... 328
    AntiVirus ..... 328
    Data_Leak_Prevention ..... 328
    Email Filter ..... 329
    Event ..... 329
    Traffic ..... 329
  FortiClient Report Templates ..... 329
  FortiMail Report Templates ..... 331
Appendix C: Maximum values matrix ..... 333
Appendix D: Querying FortiAnalyzer SQL log databases ..... 335
  Creating datasets ..... 335
    Troubleshooting ..... 338


  SQL tables ..... 338
    Log severity levels ..... 341
    Log fields in each table ..... 341
    Common log fields ..... 341
    Application control log fields ..... 343
    Attack log fields ..... 345
    DLP archive / content log fields ..... 346
    Data Leak Prevention log fields ..... 351
    Email filter log fields ..... 352
    Event log fields ..... 353
      Malform Description Values ..... 363
    Traffic log fields ..... 367
    Antivirus log fields ..... 369
    Web filter log fields ..... 371
    Netscan log fields ..... 372
  Examples ..... 373
    Example 1: Distribution of applications by type in the last 24 hours ..... 375
      GUI procedure ..... 375
      CLI procedure ..... 375
      Notes ..... 375
    Example 2: Top 100 applications by bandwidth in the last 24 hours ..... 376
      GUI procedure ..... 376
      CLI procedure ..... 376
      Notes ..... 376
    Example 3: Top 10 attacks in the past one hour ..... 377
      GUI procedure ..... 377
      CLI procedure ..... 377
      Notes ..... 377
    Example 4: Top WAN optimization applications in the past 24 hours ..... 377
      GUI procedure ..... 377
      CLI procedure ..... 378
Appendix E: Port Numbers ..... 379
Index ..... 381


Introduction


Welcome and thank you for selecting Fortinet products for your network protection.

FortiAnalyzer units are network appliances that provide integrated log collection and reporting tools. Reports analyze logs for email, FTP, web browsing, security events, and other network activity to help identify security issues and reduce network misuse and abuse.

In addition to logging and reporting, FortiAnalyzer units also have several major features that augment or enable certain FortiGate unit functionalities, such as DLP archiving and quarantining, and improve your ability to stay informed about the state of your network.

• Logging and reporting: A FortiAnalyzer unit can aggregate and analyze log data from Fortinet and other Syslog-compatible devices. Using a comprehensive suite of easily-customized reports, you can filter and review records, including traffic, event, virus, attack, Web content, and email data, mining the data to determine your security stance and ensure regulatory compliance. For information about the FortiAnalyzer logging, analyzing, and reporting workflow, see Figure 1 on page 14.

• DLP archiving: Both FortiGate DLP (Data Leak Prevention) archive logs and their associated copies of files or messages can be stored on and viewed from a FortiAnalyzer unit, leveraging its large storage capacity for large media files that can be common with multimedia content. When DLP archives are received by the FortiAnalyzer unit, you can use data filtering similar to with other log files to track and locate specific email or instant messages, or to examine the contents of archived files.

• Quarantine repository: A FortiAnalyzer unit can act as a central repository for files that are suspicious or known to be infected by a virus, and have therefore been quarantined by your FortiGate units.

• Vulnerability management: A FortiAnalyzer unit can scan your designated target hosts for known vulnerabilities and open TCP and/or UDP ports. When the vulnerability scan is complete, the FortiAnalyzer unit generates a report that describes the discovered security issues and their known solutions. FortiAnalyzer units can use the FortiGuard subscription service to update their vulnerability databases with new entries as they are discovered.

• Packet capture: FortiAnalyzer units can log observed packets to diagnose areas of the network where firewall policies may require adjustment, or where traffic anomalies occur.

• File explorer: You can browse through the list of content archive/DLP, quarantine, log, and report files on the FortiAnalyzer unit.

• Network sharing: FortiAnalyzer units can use their hard disks as an NFS or Windows-style network share for FortiAnalyzer reports and logs, as well as users’ files.

• FIPS support: Federal Information Processing Standards (FIPS) are supported in some special releases of FortiAnalyzer firmware. Contact Fortinet Technical Support for more information.


Figure 1: Logging, analyzing, and reporting workflow

Labels recovered from the Figure 1 diagram: Devices monitored by the FortiAnalyzer unit; FortiAnalyzer data receiving server; Indexing & file storage/database; Log file index/database; Report engine; Reports; Administrator. The steps shown are:
• The FortiAnalyzer unit collects logs from the devices that it monitors.
• The FortiAnalyzer unit buffers, reorganizes, and stores the logs to generate temporary log files.
• The FortiAnalyzer unit indexes the log files for easy search and report generation.
• The FortiAnalyzer unit generates reports based on user configurations and requests.
• The administrator configures and requests reports.
• The administrator views reports.
• The administrator views log files.

This topic includes:
• Registering your Fortinet product
• Customer service & technical support
• Training
• Documentation
• Scope
• Conventions

Registering your Fortinet product
Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.

Customer service & technical support
Fortinet Technical Support provides services designed to make sure that you can install your Fortinet products quickly, configure them easily, and operate them reliably in your network.


To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article Fortinet Technical Support Requirements.

Training
Fortinet Training Services provides classes that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email them at [email protected].

Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base.

Fortinet Tools and Documentation CD
Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Base
The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation
Please send information about any errors or omissions in this technical document to [email protected].

Scope
This document describes how to use the web-based manager of the FortiAnalyzer unit. It assumes you have already successfully installed the FortiAnalyzer unit by following the instructions in the FortiAnalyzer Installation Guide. At this stage:
• You have administrative access to the web-based manager and/or CLI.
• The FortiAnalyzer unit is integrated into your network.


• The system time, DNS settings, administrator password, and network interfaces have been configured.

• Firmware updates and FortiGuard Vulnerability Management Plugins and Engine updates have been completed.

Once that basic installation is complete, you can use this document. This document explains how to use the web-based manager to:
• maintain the FortiAnalyzer unit, including backups
• reconfigure basic items that were configured during installation
• configure advanced features, such as adding devices, DLP archiving, vulnerability management, logging, and reporting

This document does not cover commands for the command line interface (CLI). For information on the CLI, see the FortiAnalyzer CLI Reference.

Conventions
Fortinet technical documentation uses the conventions described below.

IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number=1918.

Cautions, Notes and Tips
Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Presents useful information, usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions
Fortinet documentation uses the typographical conventions listed in Table 1.


Table 1: Typographical conventions in Fortinet technical documentation

Convention: Example
Button, menu, text box, field, or check box label: From Minimum log level, select Notification.
CLI input:
  config system dns
    set primary <address_ipv4>
  end
CLI output:
  FGT-602803030703 # get system settings
  comments : (null)
  opmode : nat
Emphasis: HTTP connections are not secure and can be intercepted by a third party.
File content:
  <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
  <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink: Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Keyboard entry: Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation: Go to VPN > IPSEC > Auto Key (IKE).
Publication: For details, see the FortiGate Administration Guide.

Command syntax conventions
The command line interface (CLI) requires that you use valid syntax, and conform to expected input constraints. It will reject invalid commands. Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.

Table 2: Command syntax notation

Convention: Description
Square brackets [ ]: A non-required word or series of words. For example:
  [verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and its accompanying option, such as:
  verbose 3


Angle brackets < >: A word constrained by data type. To define acceptable input, the angle brackets contain a descriptive name followed by an underscore ( _ ) and a suffix that indicates the valid data type. For example:
  <retries_int>
indicates that you should enter a number of retries, such as 5. Data types include:
• <xxx_name>: A name referring to another part of the configuration, such as policy_A.
• <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.
• <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
• <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
• <xxx_email>: An email address, such as [email protected].
• <xxx_url>: A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/.
• <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
• <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
• <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
• <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
• <xxx_ipv6>: A colon ( : ) delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
• <xxx_v6mask>: An IPv6 netmask, such as /96.
• <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
• <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences. See the FortiWeb CLI Reference.
• <xxx_int>: An integer number that is not another data type, such as 15 for the number of minutes.
Curly braces { }: A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].


Entering FortiOS configuration data
The configuration of a FortiAnalyzer unit is stored as a series of configuration settings in the FortiAnalyzer configuration database. To change the configuration, you can use the web-based manager or CLI to add, delete, or change configuration settings. These changes are stored in the configuration database as they are made. Individual settings in the configuration database can be text strings, numeric values, selections from a list of allowed options, or on/off (enable/disable).

Entering text strings (names)
Text strings are used to name entities in the configuration, for example the name of a report chart or of an administrative user. You can enter any character in a FortiAnalyzer configuration text string, except that, to prevent cross-site scripting (XSS) vulnerabilities, configuration names cannot include the following characters: " (double quote), & (ampersand), ' (single quote), < (less than) and > (greater than).

You can determine the number of characters allowed in a text string by checking how many characters the web-based manager or CLI accepts for a given name field. From the CLI, you can also use the tree command to view the number of characters that are allowed. For example, report chart names can contain up to 64 characters: when you add a report chart in the web-based manager, the name field accepts at most 64 characters, and from the CLI you can confirm that the report chart name field allows 64 characters as follows:

  config report chart
    edit <chart_name>
      tree
  --- [chart] --*name (64)
                |- type
                |- title (128 xss)
                |- comment (1024)
                |- dataset (64)
                +- graph-type

The tree command output also shows the number of characters allowed for the other report chart settings. For example, the comment field can contain up to 1024 characters.
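The following is an added example, not code from the guide or from Fortinet: it parses the tree output shown above (pasted as a constructed string) into per-field length limits and checks a candidate value against both the limit and the forbidden-character rule, so a provisioning script can reject a bad name before pushing it to the CLI. The regular expression and the choice to apply the forbidden-character check to the name field and to fields the tree marks with xss are assumptions made here; the guide states the rule for configuration names only.

```python
import re

# The guide says configuration names may not contain these characters,
# to prevent cross-site scripting (XSS) in the web-based manager.
FORBIDDEN_IN_NAMES = set('"&\'<>')

# Constructed sample: the `tree` output for `config report chart` as
# printed in the guide, pasted here as text so the parser can run offline.
SAMPLE_TREE = """--- [chart] --*name (64)
              |- type
              |- title (128 xss)
              |- comment (1024)
              |- dataset (64)
              +- graph-type"""

# One tree line: branch glyphs, the field name, then an optional
# "(<max length>[ xss])" annotation.
_FIELD_RE = re.compile(
    r'[*|+\-]+\s*(?P<name>[A-Za-z0-9_-]+)'
    r'(?:\s*\((?P<len>\d+)(?P<xss>\s+xss)?\))?')


def parse_tree(text):
    """Map each field in `tree` output to (max_length, xss_filtered).

    max_length is None for fields that print no number (option lists
    such as `type`), which have no free-text length to check.
    """
    fields = {}
    for line in text.splitlines():
        # Strip the "--- [object] --" prefix that precedes the first field.
        line = re.sub(r'^\s*---\s*\[[^\]]*\]\s*--', '', line)
        match = _FIELD_RE.search(line)
        if match:
            length = int(match['len']) if match['len'] else None
            fields[match['name']] = (length, match['xss'] is not None)
    return fields


def check_value(value, field, fields):
    """Return a list of reasons the value would be rejected (empty if OK).

    Assumption made here: the forbidden-character rule applies to `name`
    and to any field the tree output tags with "xss"; the guide states it
    for configuration names.
    """
    problems = []
    max_len, xss = fields.get(field, (None, False))
    if field == 'name' or xss:
        bad = sorted(FORBIDDEN_IN_NAMES & set(value))
        if bad:
            problems.append('forbidden characters: ' + ''.join(bad))
    if max_len is not None and len(value) > max_len:
        problems.append(f'{field} is limited to {max_len} characters, got {len(value)}')
    return problems


if __name__ == '__main__':
    limits = parse_tree(SAMPLE_TREE)
    for field, value in [('name', 'Top 10 Attacks'),
                         ('name', 'weekly<script>'),
                         ('title', 'Chart "A"'),
                         ('comment', 'x' * 2000)]:
        print(field, repr(value[:20]), check_value(value, field, limits) or 'OK')
```

Run the tree command against the object you actually provision and feed its real output to parse_tree; the limits differ per object, and a value that passes here but is rejected by the unit means the tree output, not this check, is authoritative.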

Table 2: Command syntax notation (continued)

Options delimited by vertical bars |: Mutually exclusive options. For example:
  {enable | disable}
indicates that you must enter either enable or disable, but must not enter both.
Options delimited by spaces: Non-mutually exclusive options. For example:
  {http https ping snmp ssh telnet}
indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:
  ping https ssh
Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:
  ping https snmp ssh
If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.


Selecting options from a listIf a configuration field can only contain one of a number of selected options, the web-based manager and CLI present you a list of acceptable options and you can select one from the list. No other input is allowed. From the CLI you must spell the selection name correctly.

Enabling or disabling optionsIf a configuration field can only be on or off (enabled or disabled) the web-based manager presents a check box or other control that can only be enabled or disabled. From the CLI you can set the option to enable or disable.


What’s new
The list below contains key features which have changed since the previous release, FortiAnalyzer v4.0 MR1. For upgrade information, see the Release Notes available with the firmware, and “Maintaining firmware” on page 275.

• SQL (Structured Query Language) reporting – The SQL database option is added. The logs received by the FortiAnalyzer unit are inserted into the SQL database for generating reports. Both local and remote SQL database options are supported. The advantages of using the SQL database are:
  • Flexibility: Through the use of standard SQL queries, more flexible reporting capabilities can be offered.
  • Scalability: Through the use of a remote SQL database, any upper bound on the amount of available log storage is removed. Furthermore, the hardware of an external SQL database server can be more easily upgraded to support growing performance needs.
  For more information, see “Configuring SQL database storage” on page 85 and “Example reports (SQL-based)” on page 208.

• Administrator profile extension for RADIUS – If you use a RADIUS server to authenticate your administrator accounts, you can also use it to manage administrative authorization (that is, the administrator profile). In other words, you can assign an administrator profile to each user on the RADIUS server and have the FortiAnalyzer unit retrieve and apply it for administrator access. The process is as follows:
  • The administrator provides a user name and password to the FortiAnalyzer unit.
  • The FortiAnalyzer unit sends the user name and password to the RADIUS server for authentication.
  • The RADIUS server returns an "Access Accept" response that includes a VSA (vendor-specific attribute) containing the name of the administrator profile.
  • The FortiAnalyzer unit looks for the returned administrator profile in its own configuration. If the administrator profile exists, the FortiAnalyzer unit assigns the returned profile for the duration of the administrator session. If the administrator profile does not exist, the FortiAnalyzer unit assigns the locally configured admin profile for the duration of the administrator session.
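The exchange described above, as an added example that is not part of the guide or of Fortinet's code: a simulated RADIUS server answers Access-Accept with a Vendor-Specific attribute (RFC 2865 section 5.26) carrying a profile name, and the client side resolves that name against locally defined profiles exactly as the four steps describe, including the fall-back to the account's local profile. The vendor id 12356 and sub-attribute type 6, the user table and the profile set are assumptions made for illustration; take the real attribute numbers from your RADIUS server's Fortinet dictionary.

```python
import struct

# Assumed for illustration only: Fortinet's IANA enterprise number and the
# vendor sub-attribute that carries the access profile name. The guide does
# not state these; take them from your RADIUS server's Fortinet dictionary.
FORTINET_VENDOR_ID = 12356
VSA_ACCESS_PROFILE = 6

RADIUS_ACCESS_ACCEPT = 2
RADIUS_ACCESS_REJECT = 3
ATTR_VENDOR_SPECIFIC = 26          # RFC 2865 section 5.26


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute: type 26, length, 4-byte vendor
    id, then a single vendor sub-attribute (type, length, value)."""
    sub = struct.pack('!BB', vendor_type, 2 + len(value)) + value
    body = struct.pack('!I', vendor_id) + sub
    return struct.pack('!BB', ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(data):
    """Yield (type, value) for each attribute in a RADIUS attribute list.
    A length below 2 or past the end of the buffer is treated as an error
    instead of being read past the packet."""
    i = 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError('malformed RADIUS attribute at offset %d' % i)
        yield atype, data[i + 2:i + alen]
        i += alen


def profile_from_attributes(attrs):
    """Return the profile name from a Fortinet access-profile VSA, or None
    when the Access-Accept carries no such attribute."""
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack('!I', value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        for vtype, vvalue in decode_attributes(value[4:]):
            if vtype == VSA_ACCESS_PROFILE:
                return vvalue.decode('utf-8', 'replace')
    return None


# Constructed user table for the simulated RADIUS server:
# password, and the profile name the server returns in its VSA (or None).
RADIUS_USERS = {
    'alice': ('alice-pass', 'Read_Only'),  # names a profile that exists locally
    'bob':   ('bob-pass', 'Auditor'),      # names a profile FortiAnalyzer lacks
    'carol': ('carol-pass', None),         # Access-Accept without any VSA
}


def radius_server(username, password):
    """Simulated server side: returns (response code, attribute bytes)."""
    entry = RADIUS_USERS.get(username)
    if entry is None or entry[0] != password:
        return RADIUS_ACCESS_REJECT, b''
    attrs = b''
    if entry[1] is not None:
        attrs = encode_vsa(FORTINET_VENDOR_ID, VSA_ACCESS_PROFILE, entry[1].encode())
    return RADIUS_ACCESS_ACCEPT, attrs


# Profiles defined on the FortiAnalyzer unit (constructed sample).
LOCAL_PROFILES = {'Super_User', 'Read_Only'}


def fortianalyzer_login(username, password, local_profile):
    """Client side of the flow: returns the profile applied for the session,
    or None when the RADIUS server rejects the credentials."""
    code, attrs = radius_server(username, password)
    if code != RADIUS_ACCESS_ACCEPT:
        return None
    returned = profile_from_attributes(decode_attributes(attrs))
    if returned in LOCAL_PROFILES:
        return returned
    # No VSA, or a profile name that is not configured locally: the guide
    # says the account's locally configured profile applies instead.
    return local_profile


if __name__ == '__main__':
    for user, pw in [('alice', 'alice-pass'), ('bob', 'bob-pass'),
                     ('carol', 'carol-pass'), ('alice', 'wrong')]:
        print(user, '->', fortianalyzer_login(user, pw, 'Super_User'))
```

The bob and carol cases are the ones to watch in practice: a misspelled profile name on the RADIUS server, or a server that omits the VSA, silently drops the administrator to the locally configured profile rather than denying access, so that local profile should be the least privileged one acceptable for RADIUS-backed accounts, and profile names must match on both sides.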

  For more information, see “Configuring RADIUS servers” on page 82.

• Report charts – A new menu item, Charts, is added to Reports on the web-based manager to help you understand better how the different report elements are related. Under Charts, you can view the existing pre-defined charts on items such as pre-defined services, the IPS database, or the application database. You can also add your own chart definitions. For more information, see “Configuring report chart templates” on page 197 and “Configuring data sets” on page 201.


• eDiscovery extension – eDiscovery allows you to search through the bulk of stored emails, extract the search results, and share them with a third party in situations such as a lawsuit or regulatory violation action. It is crucial to be able to prove that shared data is an exact copy of the original. This is an extension of the FortiAnalyzer’s archived email searching. For more information, see “Using eDiscovery” on page 160.

• Dashboard enhancements – The interface for renaming and deleting tabs is improved to simplify the user experience. For some widgets, you can add multiple instances of the same widget. This helps if you need to do more than one thing with a widget. Also, each ADOM administrator has a dashboard. For more information, see “Viewing the dashboard” on page 35.

• Web-based manager improvements – When viewing logs and archived files, if you select a log entry, a detailed view is displayed on the left hand side. You can then see the values for all indexed columns for a particular log type. Fields with no values are hidden, and can optionally be expanded by selecting "show" at the bottom of the popup window. For more information, see “Log & Archive” on page 139.


About the web-based manager
This chapter describes aspects that are general to use of the web-based manager, a graphical user interface (GUI) that you can use to access the FortiAnalyzer unit from a current web browser.
This topic includes:
• System requirements
• URL for access
• Settings

System requirements
The management computer that you use to access the web-based manager must have a compatible web browser, such as Microsoft Internet Explorer 6.0 or greater, or Mozilla Firefox 3.0 or greater. To minimize scrolling, the computer’s screen should have a resolution of at least 1280 x 1024 pixels.

URL for access
The web-based manager can be accessed by URL using the network interfaces’ enabled administrative access protocols and IP addresses. By default, the URL for accessing the web-based manager through port1 is https://192.168.1.99/.

If the network interfaces have been configured, for example during installation as described in the FortiAnalyzer Install Guide, the URL and/or the permitted administrative access protocols (in this case, HTTPS) may no longer be in their default state. In that case, use either a DNS-resolvable domain name for the FortiAnalyzer unit, or the IP address that you configured for the network interface to which you are connected. For example, you might have configured port2 with the IP address 10.0.0.1 and enabled HTTPS. You might have also configured a private DNS server on your network to resolve fortianalyzer.example.com to 10.0.0.1. In this case, to access the web-based manager through port2, you could enter either https://fortianalyzer.example.com/ or https://10.0.0.1/.

For information on enabling administrative access protocols and configuring IP addresses, see “Configuring the network interfaces” on page 63.

Note: If the URL is correct and you still cannot access the web-based manager, you may also need to configure from which hosts the FortiAnalyzer unit will accept login attempts for your administrator account (that is, trusted hosts), and/or static routes. For details, see “Configuring administrator accounts” on page 77 and “Configuring static routes” on page 69.


Settings

Some settings for the web-based manager apply regardless of which administrator account you use to log in. Global settings include the idle timeout, the TCP port number on which the web-based manager listens for connection attempts, the network interface(s) on which it listens, and the language of its display.

For details, see “Configuring the web-based manager’s global settings” on page 84 and “Configuring the network interfaces” on page 63.


About administrative domains (ADOMs)

Administrative domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific FortiGate VDOM.

Enabling ADOMs alters the structure and available functionality of the web-based manager and CLI according to whether you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account’s assigned access profile.

Note: ADOMs are not supported on FortiAnalyzer-100/100A/100B/100C models.

Table 3: Characteristics of the CLI and web-based manager when ADOMs are enabled

                                                    admin administrator account    Other administrators
Access to Global Configuration                      Yes                            No
Access to Administrative Domain Configuration       Yes                            No
(can create ADOMs)
Can create administrator accounts                   Yes                            No
Can enter all ADOMs                                 Yes                            No

Within the Global ADOM:
• System > Dashboard > Status
• System > ADOM > ADOM
• System > Network > Interface
• System > Network > DNS
• System > Network > Routing
• System > Network Sharing > Windows Share
• System > Network Sharing > NFS Export
• System > Network Sharing > User
• System > Network Sharing > Group
• System > Admin > Administrator
• System > Admin > Access Profile
• System > Admin > Auth Group
• System > Admin > RADIUS Server
• System > Admin > Settings
• System > Admin > Monitor
• System > Config > SQL Database
• System > Config > Log-based Alerts
• System > Config > SNMP
• System > Config > Remote Syslog
• System > Config > Log Aggregation
• System > Config > Log Forwarding
• System > Config > RAID
• System > Maintenance > Backup & Restore
• System > Maintenance > FortiGuard
• System > Maintenance > Migration
• Devices > All Devices > Allowed
• Device > All Devices > Blocked
• Device > All Devices > Unregistered Options
• Log & Archive > eDiscovery > Config
• Log & Archive > Options > Log File Options
• Report > Config > Language (SQL database disabled in System > Config > SQL Database)
• Vulnerability Management > Summary > Host Status
• Vulnerability Management > Summary > Vulnerability Database
• Vulnerability Management > Asset > Host
• Vulnerability Management > Asset > Group
• Vulnerability Management > Network Map > Report
• Vulnerability Management > Network Map > Config
• Vulnerability Management > Scan > Report
• Vulnerability Management > Scan > Schedule
• Vulnerability Management > Scan > Profile
• Vulnerability Management > Scan > Sensor
• Vulnerability Management > Compliance Report > Report
• Vulnerability Management > Compliance Report > Template
• Tools > Network Analyzer > Historical
• Tools > Network Analyzer > Browse
• Tools > Network Analyzer > Config
• Tools > File Explorer > File Explorer

Within other ADOMs:
• System > Config > Mail Server
• System > Config > Remote Output
• System > Config > IP Alias
• System > Config > LDAP
• Devices > All Devices > Allowed (read only)
• Device > Group > Device Group
• Log & Archive > Log Access > Traffic
• Log & Archive > Log Access > Event
• Log & Archive > Log Access > IPS (Attack)
• Log & Archive > Log Access > Application Control
• Log & Archive > Log Access > Web Filter
• Log & Archive > Log Access > AntiVirus
• Log & Archive > Log Access > Data Leak (DLP)
• Log & Archive > Log Access > VoIP
• Log & Archive > Log Access > Email Filter
• Log & Archive > Log Access > Network Scan
• Log & Archive > Log Access > History
• Log & Archive > Log Access > IM
• Log & Archive > Log Access > Generic Syslog
• Log & Archive > Log Access > All Logs
• Log & Archive > Archive Access > IPS Packet
• Log & Archive > Archive Access > Quarantine
• Log & Archive > Archive Access > Web
• Log & Archive > Archive Access > Email
• Log & Archive > Archive Access > FTP
• Log & Archive > Archive Access > IM
• Log & Archive > Archive Access > VoIP Log
• Log & Archive > Archive Access > MMS
• Log & Archive > eDiscovery > Folders
• Log & Archive > eDiscovery > Search
• Log & Archive > Log Browse > Log Browse
• Report (SQL database disabled in System > Config > SQL Database):
  • Report > Access > Scheduled Report
  • Report > Schedule > Schedule
  • Report > Config > Layout
  • Report > Config > Data Filter
• Report (SQL database enabled in System > Config > SQL Database):
  • Report > Access > Default
  • Report > Access > Scheduled Report
  • Report > Config > Report
  • Report > Config > Graphic
  • Report > Chart > Template
  • Report > Chart > Data Set


• If ADOMs are enabled and you log in as admin, you first access the Global ADOM where you have full access to the menus and can configure other ADOMs in System > ADOM > ADOM. At the end of the menu list, the Current ADOM menu appears, enabling you to enter into another ADOM or return to the Global ADOM.

The Global ADOM contains settings used by the FortiAnalyzer unit itself and settings shared by ADOMs, such as the device list, RAID, and administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM. For more information, see “Assigning administrators to an ADOM” on page 32. The admin administrator can further restrict other administrators’ access to specific configuration areas within their ADOM by using access profiles. For more information, see “Configuring access profiles” on page 80.

• If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. You can only access the menu items assigned to you in your access profile. You cannot access the Global ADOM, or enter other ADOMs.

By default, administrator accounts other than the admin account are assigned to the root ADOM, which includes all devices in the device list. By creating ADOMs that contain a subset of devices in the device list, and assigning them to administrator accounts, you can restrict other administrator accounts to a subset of the FortiAnalyzer unit’s total devices or VDOMs.

The maximum number of ADOMs varies by FortiAnalyzer model. For details, see “Appendix C: Maximum values matrix” on page 333.

This topic includes:
• Configuring ADOMs
• Accessing ADOMs as the admin administrator
• Assigning administrators to an ADOM

Configuring ADOMs

Administrative domains (ADOMs) are disabled by default. To use administrative domains, the admin administrator must:

1 Enable the feature by going to System > Admin > Settings. See “To enable ADOMs” on page 28.

2 Create ADOMs by going to System > ADOM > ADOM. See “To add or edit an ADOM” on page 30.

3 Assign other FortiAnalyzer administrators to an ADOM by going to System > Admin > Administrator. See “To assign an administrator to an ADOM” on page 33.

Note: By default, some menus are hidden. To make them visible, you can enable the menus in System > Admin > Settings.

Note: ADOMs are not supported on FortiAnalyzer-100/100A/100B/100C models.

To enable ADOMs

Caution: Enabling ADOMs moves non-global configuration items to the root ADOM. Back up the configuration before beginning the following procedure. For more information about backing up your configuration, see “Backing up the configuration & installing firmware” on page 114.

1 Log in as admin.

Other administrators cannot enable, disable, or configure ADOMs.

2 Go to System > Admin > Settings.

3 Enable (select) Admin Domain Configuration.

4 Click Apply.

A dialog appears:

Enabling/Disabling the admin domain configuration will require you to re-login. Are you sure you want to continue?

5 Click OK.

The FortiAnalyzer unit logs you out.

6 To confirm that ADOMs are enabled, log in again as admin.

System > ADOM > ADOM appears. At the end of the menu list, the Current ADOM menu also appears, enabling you to enter into an ADOM or return to the Global ADOM. Continue with “To add or edit an ADOM” on page 30 to create ADOMs.

Note: If other administrators are also logged in at the same time, they will not be automatically logged out. Notify them that ADOMs have been enabled, and that they may need to log out and log in again for display changes to take effect.


To add or edit an ADOM

Before you can add an ADOM, you must first enable the feature. For details, see “To enable ADOMs” on page 28.

1 From Current ADOM in the lefthand navigation menu, select Global.

2 Go to System > ADOM > ADOM.

3 Click Create New, or, to modify an existing ADOM, mark its check box, then click Edit.

4 In Name, type a name for the ADOM.

This field cannot be modified if you are editing an existing entry. To modify the name, delete the entry, then recreate it using the new name.

5 From Available Devices, select which devices to associate with the ADOM, then click the right arrow to move them to Selected Devices.

You can move multiple devices at once. To select multiple devices, click the first device, then hold the Shift key while clicking the last device in a continuous range, or hold the Ctrl key while clicking each additional device.

To remove a device from Selected Devices, select one or more devices, then click the left arrow to move them to Available Devices.

6 If the ADOM includes a FortiGate unit, and you want to include only a specific VDOM, enable Restrict to Virtual Domain(s), then enter the VDOM name. If the ADOM includes a FortiMail unit and you want to include only a specific email domain, enable and configure Restrict to Email Domain(s).

7 Click OK.

Continue with “Assigning administrators to an ADOM” on page 32.


To disable ADOMs

Caution: Back up the configuration before beginning this procedure. Deleting ADOMs, which can occur when disabling the ADOM feature, removes administrator accounts assigned to ADOMs other than the root ADOM. For more information, see “Backing up the configuration & installing firmware” on page 114.

If you do not wish to delete these administrator accounts, assign them to the root ADOM before disabling ADOMs.

Note: You cannot delete an ADOM if an administrator is currently assigned to it. You must first reassign the administrator to the root ADOM (see “Assigning administrators to an ADOM” on page 32).

1 From Current ADOM in the lefthand navigation menu, select Global.

2 Go to System > ADOM > ADOM.

3 Mark the check boxes next to each ADOM except root (Management Administrative Domain), then click Delete.

If any other ADOMs except the root ADOM remain, the option to disable ADOMs will not appear.

4 Go to System > Admin > Settings.

5 Disable (deselect) Admin Domain Configuration.

6 Click Apply.

A dialog appears:

Enabling/Disabling the admin domain configuration will require you to re-login. Are you sure you want to continue?

7 Click OK.

The FortiAnalyzer unit logs you out.

Accessing ADOMs as the admin administrator

When ADOMs are enabled, additional ADOM items become available to the admin administrator and the structure of the web-based manager menu changes. After logging in, other administrators implicitly access the subset of the web-based manager that pertains only to their ADOM, while the admin administrator accesses the root of the web-based manager and can use all menus. The admin administrator must explicitly enter the part of the web-based manager that contains an ADOM’s settings and data to configure items specific to an ADOM.

To access an ADOM

1 Log in as admin.

Other administrators can access only the ADOM assigned to their account.

2 From Current ADOM in the lefthand navigation menu, select the name of the ADOM that you want to enter.

The ADOM-specific menu subset appears. While in this menu subset, any changes you make affect this ADOM only, and do not affect devices in other ADOMs or global FortiAnalyzer unit settings.

You can return to global settings by selecting Global from Current ADOM.

Assigning administrators to an ADOM

The admin administrator can create other administrators and assign an ADOM to their account, constraining them to configurations and data that apply only to devices in their ADOM.

Note: By default, when ADOMs are enabled, existing administrator accounts other than admin are assigned to the root ADOM, which contains all devices in the device list. For more information about creating other ADOMs, see “Configuring ADOMs” on page 27.


To assign an administrator to an ADOM

1 Log in as admin.

Other administrators cannot configure administrator accounts when ADOMs are enabled.

2 From Current ADOM in the lefthand navigation menu, select Global.

3 Go to System > Admin > Administrator.

4 Configure the administrator account as described in “Configuring administrator accounts” on page 77. In Admin Domain, select which ADOM the administrator will be able to access.

Note: The admin administrator account cannot be restricted to an ADOM.
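The access rules this chapter states (the admin account works in the Global ADOM and may enter any ADOM; every other account is confined to one ADOM, root by default; an ADOM holds a subset of the device list and may restrict a FortiGate to named VDOMs; an ADOM cannot be deleted while an account is assigned to it; ADOMs can only be disabled once only root remains) can be checked against a small authorization model before an assignment is committed in System > Admin > Administrator. The following Python is an added example written for this page, not Fortinet code and not the FortiAnalyzer implementation; the device, VDOM and account names in build_sample() are constructed, and the class and method names are this example’s own.

```python
"""Model of FortiAnalyzer-style administrative domains (ADOMs).
Added illustration, not Fortinet code: it encodes the access rules stated in
this chapter. Names used in build_sample() are constructed sample values."""
from typing import Dict, Optional, Set, Tuple

ADMIN = "admin"   # built-in account; cannot be restricted to an ADOM
ROOT = "root"     # ADOM that every other account is assigned to by default


class AdomError(Exception):
    """Raised when an operation would violate one of the ADOM rules."""


class FortiAnalyzerModel:
    def __init__(self, devices: Dict[str, Set[str]]) -> None:
        self.devices = devices        # device name -> VDOM names (empty if none)
        self.adoms_enabled = False
        # ADOM name -> (member devices, device -> VDOMs it is restricted to)
        self.adoms: Dict[str, Tuple[Set[str], Dict[str, Set[str]]]] = {}
        self.admins: Dict[str, str] = {ADMIN: "global"}   # account -> ADOM

    def create_administrator(self, name: str, adom: str = ROOT) -> None:
        if name in self.admins:
            raise AdomError(f"account {name!r} already exists")
        if self.adoms_enabled and adom not in self.adoms:
            raise AdomError(f"unknown ADOM {adom!r}")
        self.admins[name] = adom if self.adoms_enabled else ROOT

    def enable_adoms(self) -> None:
        # The root ADOM receives every device; existing accounts land in it.
        self.adoms_enabled = True
        self.adoms[ROOT] = (set(self.devices), {})
        for name in self.admins:
            if name != ADMIN:
                self.admins[name] = ROOT

    def disable_adoms(self) -> None:
        if set(self.adoms) != {ROOT}:
            raise AdomError("delete every ADOM except root before disabling")
        self.adoms_enabled, self.adoms = False, {}

    def create_adom(self, name: str, devices: Set[str],
                    restrict_vdoms: Optional[Dict[str, Set[str]]] = None) -> None:
        if not self.adoms_enabled or name in self.adoms:
            raise AdomError(f"ADOMs disabled or {name!r} already exists")
        if not devices <= set(self.devices):
            raise AdomError("an ADOM may only contain devices from the device list")
        restriction = restrict_vdoms or {}
        for dev, vdoms in restriction.items():   # Restrict to Virtual Domain(s)
            if dev not in devices or not vdoms <= self.devices[dev]:
                raise AdomError(f"invalid VDOM restriction for {dev!r}")
        self.adoms[name] = (set(devices), {d: set(v) for d, v in restriction.items()})

    def assign_administrator(self, name: str, adom: str) -> None:
        if name == ADMIN:
            raise AdomError("the admin account cannot be restricted to an ADOM")
        if name not in self.admins or adom not in self.adoms:
            raise AdomError("unknown account or ADOM")
        self.admins[name] = adom

    def delete_adom(self, name: str) -> None:
        holders = sorted(a for a, scope in self.admins.items() if scope == name)
        if name == ROOT or holders:   # reassign holders to root first
            raise AdomError(f"cannot delete {name!r}: root ADOM or assigned to {holders}")
        del self.adoms[name]

    def can_access(self, admin: str, device: str, vdom: Optional[str] = None) -> bool:
        """Authorization check: may `admin` see data from `device` (and `vdom`)?"""
        if admin not in self.admins or device not in self.devices:
            return False
        if vdom is not None and vdom not in self.devices[device]:
            return False
        if admin == ADMIN or not self.adoms_enabled:
            return True   # admin, or ADOMs off: the whole device list is visible
        members, restriction = self.adoms[self.admins[admin]]
        if device not in members:
            return False
        if device in restriction:   # only the named VDOMs, never the whole device
            return vdom is not None and vdom in restriction[device]
        return True

    def visible_scope(self, admin: str) -> Set[Tuple[str, Optional[str]]]:
        """Every (device, vdom) pair an account can reach, for a privilege review."""
        return {(dev, v) for dev, vdoms in self.devices.items()
                for v in (vdoms or {None}) if self.can_access(admin, dev, v)}


def build_sample() -> FortiAnalyzerModel:
    """Walk through the chapter's procedure on constructed sample devices."""
    fa = FortiAnalyzerModel({
        "FGT-HQ": {"root", "sales", "guest"},   # FortiGate with VDOMs
        "FGT-Branch": set(),                    # FortiGate without VDOMs
        "FML-Mail": set(),                      # FortiMail unit
    })
    fa.create_administrator("alice")            # exists before ADOMs are enabled
    fa.enable_adoms()                           # alice now sits in the root ADOM
    fa.create_adom("adom-sales", {"FGT-HQ"}, {"FGT-HQ": {"sales"}})
    fa.create_adom("adom-branch", {"FGT-Branch", "FML-Mail"})
    fa.assign_administrator("alice", "adom-sales")
    fa.create_administrator("bob", "adom-branch")
    return fa
```

Running visible_scope for an account before and after an assignment shows exactly which devices and VDOMs the change exposes, which is the least-privilege question the ADOM feature exists to answer; delete_adom and disable_adoms refuse in the same situations the procedures above describe.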


System

The System menu displays a dashboard with widgets that indicate statuses and do basic functions such as rebooting the FortiAnalyzer unit.

This menu also contains submenus that enable you to make configuration backups, and configure administrator accounts, system time, network and FortiGuard connectivity, and other system-wide features such as RAID and log forwarding.

This topic includes:
• Viewing the dashboard
• Configuring network settings
• Configuring network shares
• Configuring administrator-related settings
• Configuring log storage & query features
• Backing up the configuration & installing firmware
• Scheduling & uploading vulnerability management updates
• Importing a local server certificate

Viewing the dashboard

System > Dashboard > Status displays first after you log in to the web-based manager. It contains a dashboard with widgets that each indicate a performance level or other status.

By default, the widgets display the serial number and current system status of the FortiAnalyzer unit, including uptime, system resource usage, host name, firmware version, system time, and log throughput. The dashboard also contains a CLI widget that enables you to use the command line through the web-based manager. These widgets appear on a single dashboard.


Figure 1: Viewing the dashboard

The dashboard is customizable. You can select which widgets to display, where they are located on the page, and whether they are minimized or maximized. You can also create additional dashboards.

To add a dashboard, click Dashboard, then select Add Dashboard and type its name. The dashboard is added to the lefthand navigation menu. (For example, for a dashboard named “Summary Reports”, System > Dashboard > Summary Reports would be added to the menu.) The new dashboard is empty until you add the widgets that you want to show on that new dashboard.

To move a widget, position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.

To show a widget, in the upper left-hand corner, click Widget, then click the names of widgets that you want to show. To hide a widget, in its title bar, click Close.

Figure 2: Adding a widget


To see the available options for a widget, position your mouse cursor over the icons in the widget’s title bar. Options vary slightly from widget to widget, but always include options to close or show/hide the widget.

Figure 3: A minimized widget

The available dashboard widgets are:
• System Information widget
• License Information widget
• Unit Operation widget
• System Resources widget
• Logs/Data Received widget
• Statistics widget
• Report Engine widget
• Disk Monitor widget
• Log Receive Monitor widget
• Alert Message Console widget
• CLI Console widget
• Top Traffic widget
• Top Web Traffic widget
• Top Email Traffic widget
• Top FTP Traffic widget
• Top IM/P2P Traffic widget
• Virus Activity widget
• Intrusion Activity widget

Name of the GUI item    Description

Widget Title    The name of the widget.

Show/Hide arrow    Click to show or hide the widget.

Edit    Click to change settings for the widget.

Refresh    Click to update the displayed information.

Close    Click to hide the widget on the dashboard. You will be prompted to confirm the action. To show the widget again, click Widget near the top of the dashboard.


System Information widget

The System Information widget (System > Dashboard > Status) displays the serial number and basic system statuses such as the firmware version, system time, host name, and up time.

In addition to displaying basic system information, the System Information widget enables you to configure the host name, operation mode, and to change the firmware.

Figure 4: System Information widget

Name of the GUI item    Description

Serial Number    The serial number of the FortiAnalyzer unit. The serial number is specific to the FortiAnalyzer unit’s hardware and does not change with firmware upgrades. Use this number when registering the hardware with Fortinet Technical Support.

Uptime    The time in days, hours, and minutes since the FortiAnalyzer unit was started.

System Time    The current date and time according to the FortiAnalyzer unit’s internal clock. Click Change to change the time or configure the FortiAnalyzer unit to get the time from an NTP server. See “Configuring the time & date” on page 38.

Host Name    The host name of the FortiAnalyzer unit. Click Change to change the host name. See “Configuring the FortiAnalyzer unit’s host name” on page 39.

Firmware Version    The version of the firmware currently installed on the FortiAnalyzer unit. Click Update to install firmware. See “Maintaining firmware” on page 275.

Configuring the time & date

You can either manually set the FortiAnalyzer system time or configure the FortiAnalyzer unit to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server.

Note: For many features to work, including scheduling, logging, and SSL-dependent features, the FortiAnalyzer system time must be accurate.

To configure the date and time

1 Go to System > Dashboard > Status. In the System Information widget, in the System Time row, click Change.

2 From Time Zone, select the time zone in which the FortiAnalyzer unit is located.


3 Configure the following to either manually configure the system time, or automatically synchronize the FortiAnalyzer unit’s clock with an NTP server:

Name of the GUI item    Description

System Time    The date and time according to the FortiAnalyzer unit’s clock at the time that this tab was loaded, or when you last clicked the Refresh button.

Refresh    Click to update the System Time field with the current time according to the FortiAnalyzer unit’s clock.

Time Zone    Select the time zone in which the FortiAnalyzer unit is located.

Set Time    Select this option to manually set the date and time of the FortiAnalyzer unit’s clock, then select the Hour, Minute, Second, Year, Month and Day fields before you click OK.

Synchronize with NTP Server    Select this option to automatically synchronize the date and time of the FortiAnalyzer unit’s clock with an NTP server, then configure the Server and Sync Interval fields before you click OK.

Server    Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org.

Sync Interval    Enter how often in minutes the FortiAnalyzer unit should synchronize its time with the NTP server. For example, entering 1440 causes the FortiAnalyzer unit to synchronize its time once a day.

4 Click OK.

Configuring the FortiAnalyzer unit’s host name

The host name of the FortiAnalyzer unit is used in several places.
• It appears in the System Information widget on the Status tab. For more information about the System Information widget, see “System Information widget” on page 38.
• It is used in the command prompt of the CLI.
• It is used as the SNMP system name. For information about SNMP, see “Configuring the SNMP agent” on page 94.

The System Information widget and the get system status CLI command will display the full host name. However, if the host name is longer than 16 characters, the CLI and other places display the host name in a truncated form ending with a tilde ( ~ ) to indicate that additional characters exist, but are not displayed.

For example, if the host name is FortiAnalyzer1234567890, the CLI prompt would be FortiAnalyzer123456~#.


To change the host name

1 Go to System > Dashboard > Status.

2 In the System Information widget, in the Host Name row, click Change.

3 In the Host Name field, type a new host name.

The host name may be up to 35 characters in length. It may include US-ASCII letters, numbers, hyphens, and underscores. Spaces and special characters are not allowed.

4 Click OK.
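A validator for the host name rule given in step 3 (at most 35 characters; US-ASCII letters, digits, hyphens and underscores only), as an added Python example for this page rather than Fortinet code. It is the kind of check to run in a provisioning script before a name is pushed to the unit, so a rejected value is caught with a reason instead of failing on the device; the function names are this example’s own.

```python
import re

# Rule stated in the procedure above: up to 35 characters, drawn only from
# US-ASCII letters, digits, hyphens and underscores. Spaces and any other
# character are rejected. (Added example; not Fortinet code.)
MAX_HOST_NAME_LEN = 35
HOST_NAME_CHARS = re.compile(r"[A-Za-z0-9_-]+")   # ASCII classes only


def check_host_name(name: str) -> str:
    """Return "ok", or the reason the host name would be rejected."""
    if not name:
        return "empty host name"
    if len(name) > MAX_HOST_NAME_LEN:
        return f"{len(name)} characters exceeds the {MAX_HOST_NAME_LEN} allowed"
    # fullmatch (not match) so a trailing newline or stray character cannot slip by
    if not HOST_NAME_CHARS.fullmatch(name):
        bad = "".join(sorted({c for c in name if not HOST_NAME_CHARS.fullmatch(c)}))
        return f"disallowed characters: {bad!r}"
    return "ok"


def is_valid_host_name(name: str) -> bool:
    """Boolean form of check_host_name for use in scripts."""
    return check_host_name(name) == "ok"
```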

License Information widget

The License Information widget displays information on features that vary by a purchased license or contract, such as FortiGuard subscription services. It also displays how many devices are connected or attempting to connect to the FortiAnalyzer unit.

Figure 5: License Information widget

Name of the GUI item    Description

FortiGuard Services

Vulnerability Management    Indicates whether or not this FortiAnalyzer unit is licensed for FortiGuard Vulnerability Management Service. If it is not, you can click Subscribe to register for the service.

VM Plugins    The version of the vulnerability management plug-in, and the date of its last update. Click Update to upload a new version of the plug-in. For more information on vulnerability management, see “Scheduling & uploading vulnerability management updates” on page 116.

VM Engine    The version of the vulnerability management engine, and the date of its last update.

Device Registration Summary    A total of the number of each device type connecting or attempting to connect to the FortiAnalyzer unit. For more information about the maximum numbers of devices of each type and/or VDOMs that are permitted to connect to the FortiAnalyzer unit, see “Maximum number of devices” on page 126 and “Appendix C: Maximum values matrix” on page 333. The Registered column is the number of devices that you have added to the FortiAnalyzer unit’s device list, either manually or automatically. The Unregistered column is the number of devices attempting to connect to the FortiAnalyzer unit that are not yet registered. To configure the FortiAnalyzer unit to accept data from a device, see “Manually adding or deleting a device or HA cluster” on page 129. For more information about registered and unregistered devices, see “Unregistered vs. registered devices” on page 126.

Unit Operation widget

The Unit Operation widget indicates the connectivity status for each physical network port. It also enables administrators to perform basic system operations such as rebooting the FortiAnalyzer unit.

Color indicates whether or not a port has detected a physical connection. If a port’s color is gray, there is no connectivity, but if a port’s color is green, it is connected.

Additional system-wide operations, such as formatting the log disk or resetting the configuration to the firmware’s default values, are available from the CLI. For details, see the FortiAnalyzer CLI Reference.

Figure 6: Unit Operation widget

Note: These operations are available only to users with the read and write access profile.

Name of the GUI item    Description

Reboot    Click to halt and restart the operating system of the FortiAnalyzer unit.

ShutDown    Click to halt the operating system of the FortiAnalyzer unit, preparing its hardware to be powered off.

System Resources widget

The System Resources widget displays the CPU and memory usage levels over time.


Figure 7: System Resources widget

Name of the GUI item    Description

CPU Usage    The current CPU usage displayed as a dial gauge or graph. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

The FortiAnalyzer CPU utilization can appear to be continually high due to the amount of work the FortiAnalyzer unit is tasked to perform. There are two key CPU-intensive operations on a FortiAnalyzer unit:
• indexing log messages
• report generation and other enhanced features

Log indexing
A FortiAnalyzer unit deployed in a network can receive hundreds of log messages per second throughout the day. The FortiAnalyzer unit indexes nearly all fields in a log message to include in the database. This process can be very CPU intensive, as the indexing component is continually running to keep up with the incoming log messages.

Report generation and other enhanced features
The FortiAnalyzer unit has many reporting functions. Various report generations can be running at any time during the day, including:
• security event reports
• traffic summary reports
• regular reports whose complexity can vary depending on the requirements
• quota checking with log rolling
• network sniffing
• vulnerability scan.

All these tasks can be CPU intensive, especially when a combination of them is occurring at the same time. This can cause the CPU to stay at 90% or more much of the time. Note that the indexing operation is set to the lowest priority so as not to affect critical processes such as receiving log messages. These operations will take all the available CPU cycles, so it is normal to expect high CPU utilization at times. On smaller devices, such as the FortiAnalyzer-100A, where the CPU and disk speed are not as fast as the higher-end models, the CPU usage can appear more pronounced.

Memory Usage    The current memory (RAM) usage displayed as a dial gauge or graph. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

Session    The number of sessions over the specified historical time period. Sessions are the current communications sessions on the FortiAnalyzer unit, which includes devices that connect to send logs or quarantine files. This item does not appear when viewing current (Real Time) system resources.

Network Utilization    The network utilization over the specified historical time period. This item does not appear when viewing current (Real Time) system resources.

To configure settings for the widget, in its title bar, click Edit to open the Edit System Resources Settings window.

• To view only the most current information about system resources, from View Type, select Real Time.

• To view historical information about system resources, from View Type, select History. To change the time range, from Time Period, select one of the following: Last 10 Minutes, Last Hour, or Last Day.

• To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0.

Logs/Data Received widget

The Logs/Data Received widget displays the rate over time of the logs and data, such as DLP archives and quarantined files, received by the FortiAnalyzer unit. This widget display varies on different models.

Figure 8: Logs/Data Received widget


To configure settings for the widget, in its title bar, click Edit to open the Edit Logs/Data Received Settings window.

• To view only the most current information about system resources, from View Type, select Real Time.

• To view historical information about system resources, from View Type, select History. To change the time range, from Time Period, select one of the following: Last 10 Minutes, Last Hour, or Last Day.

• To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0.

For information on how much disk space is currently consumed, see “Disk Monitor widget” on page 47.

Statistics widgetThe Statistics widget displays the numbers of sessions, volume of log files, and number of reports handled by the FortiAnalyzer unit.

Figure 9: Statistics widget

Name of the GUI item Description

Logs Received Number of logs received per second.

Data Received Volume of data received.

Name of the GUI item Description

(Since yyyy-mm-dd hh:mm:ss) The date and time when the statistics were last reset. To reset the date and time, hover your mouse cursor over the widget’s title bar area, then click Reset.

Sessions The number of communication sessions occurring on the FortiAnalyzer unit, including those with devices that connect to send logs or quarantine files. Click Details for more information on the connections. For more information, see “To view session details” on page 45.


To view session details

1 Go to System > Dashboard > Status.
2 In the Statistics widget, next to Sessions, click Details.

When viewing sessions, you can search or filter to find specific content. For more information about filtering information, see “Filtering logs” on page 144.

Logs The number of new log files received from a number of devices since the statistics were last reset. For more information, see “To view log details” on page 46.

Log Volume The average log file volume received per day over the past 7 days. Click Details to view the log file volume received per day. For information on total disk space consumption, see “Disk Monitor widget” on page 47.

Reports The number of reports generated for a number of devices. Click Details for more information on the reports. For more information, see “Example reports (SQL-based)” on page 208.


To view log details

1 Go to System > Dashboard > Status.
2 In the Statistics widget, next to Logs, click Details.

Name of the GUI item

Description

Refresh Click to refresh the page with current, updated session information.

Search Enter a word or words to find specific information. Press Enter to initiate the search process.

Protocol The protocol used during that session.

Source The session’s source IP address.

Source Port The session’s source port number.

Destination The session’s destination IP address.

Destination Port The session’s destination port number.

Expires (secs) The number of seconds until the session expires.

Name of the GUI item

Description

Display Mark the check box of a log file whose messages you want to view, then click this button. Only one log file can be selected each time. For more information about viewing log details, see “Viewing log messages” on page 139.

Download Mark the check box of a log file that you want to download, click this button, then select one of the following.
• Log file format: Downloads the log file in text (.txt), comma-separated value (.csv), or standard .log (Native) file format.
• Compress with gzip: Compress the downloaded log file with GZIP compression. Downloading a log-formatted file with GZIP compression results in a download with the file extension .log.gz.


Report Engine widget

You can only add a Report Engine widget when you have selected the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 85.

This widget indicates report generation activity. Report engine activities include whether the report engine is active or inactive, which reports are running when it is active, and the percentage completed. When a report is being generated as scheduled, the report engine status changes from inactive to active. To generate a report, click the Generate report icon in the title bar, and then configure a new report schedule. For more information, see “Configuring report schedules” on page 181.

Figure 10: Report Engine widget

Disk Monitor widget

The Disk Monitor widget displays information about the status of RAID disks as well as what RAID level has been selected. It also displays how much disk space is currently consumed. To configure settings for the widget, in its title bar, click RAID Settings. For more information, see “Configuring RAID” on page 106.

Import Click to import devices’ log files. This can be useful when restoring data or loading log data for temporary use. From the Device field, select the device to which the imported log file belongs, or select Take From Imported File to read the device ID from the log file. If you select Take From Imported File, your log file must contain a device_id field in its log messages. In Filename, click Browse to find the log file. For more information, see “Importing a log file” on page 155.

Device Type Select the type of devices whose log files you want to view.

Show Log File Names Enable to show the log file names under each log type.

Log Files Depending on the

# Number of log files for each type.

From The date and time when the FortiAnalyzer unit starts to generate the log file.

To The date and time when the FortiAnalyzer unit completes generating the log file when the file reaches its maximum size or the scheduled time. For more information, see “Configuring rolling and uploading of devices’ logs” on page 158.

Size (bytes) The size of the log file.

Note: The RAID Settings icon does not appear on FortiAnalyzer 100A, 100B, and 100C units, because RAID is not supported on these models. Only disk space usage information is displayed on these models.


Figure 11: Disk Monitor widget

Name of the GUI item Description

RAID Status Icons and text indicate one of the following RAID disk statuses:

• green checkmark (OK): Indicates that the RAID disk has no problems

• warning symbol (Warning): Indicates that there is a problem with the RAID disk, such as a failure, and that the disk needs replacing. The RAID disk is also in reduced reliability mode when this status is indicated in the widget.

• wrench symbol (Rebuilding): Indicates that a drive has been replaced and the RAID array is being rebuilt; it is also in reduced reliability mode.

• exclamation mark (Failure): Indicates that one or more drives have failed, the RAID array is corrupted, and the drive must be reinitialized. This is displayed by both a warning symbol and text. The text appears when you hover your mouse over the warning symbol; the text also indicates the amount of space in GB.

Rebuild Status A percentage bar indicating the progress of the rebuilding of a RAID array. The bar displays only when a RAID array is being rebuilt.

Estimated rebuild time [start and end time] The time remaining to rebuild the RAID array, and the date and time the rebuild is expected to end. This time period displays only when an array is being rebuilt. This time period will not display in hardware RAID, such as FortiAnalyzer-2000/2000A/2000B, and FortiAnalyzer-4000/4000A/4000B.

Rebuild Warning Text reminding you the system has no redundancy protection until the rebuilding process is complete. This text displays only when an array is being rebuilt.

Disk space usage The amount of disk used, displayed as a percentage and a percentage bar. Note that the FortiAnalyzer unit reserves some disk space for compression files, upload files, and temporary report files. The total reserved space is:
• 25% of total disk space if total < 500G, with a maximum of 100G
• 20% of total disk space if 500G < total < 1000G, with a maximum of 150G
• 15% of total disk space if 1000G < total < 3000G, with a maximum of 300G
• 10% of total disk space if total > 3000G
This reserved space is deducted from the total capacity.


FortiAnalyzer units allocate most of their total disk space for both the FortiAnalyzer unit’s own logs as well as logs and quarantined files from connecting devices. Disk space quota is assigned to each device and the FortiAnalyzer unit itself. If the quota is consumed, the FortiAnalyzer unit will either overwrite the oldest files saved or stop collecting new logs, depending on your preference. For devices’ disk space quota settings, see “Manually adding or deleting a device or HA cluster” on page 129. For the FortiAnalyzer unit’s local log disk space quota settings, see the FortiAnalyzer CLI Reference. Remaining disk space is reserved for devices, FortiAnalyzer reports, and any temporary files, such as configuration backups and log files that are currently queued for upload to a server. The size of the reserved space varies by the total RAID/hard disk capacity. For more information, see “Disk space usage” on page 48. For more information about RAID, see “Configuring RAID” on page 106. For more information on the volume of logs being received, see “Logs/Data Received widget” on page 43.
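As an added example that is not part of this guide or Fortinet's code, the following Python works through the reserved-space tiers listed under Disk space usage above together with the per-device and local quota model described in this paragraph, so an administrator can check whether the quotas assigned to devices fit in the capacity that is actually usable. The handling of totals lying exactly on a tier boundary, the reading of "G" as gigabytes, and the quota names are assumptions.

```python
"""Reserved disk space and usable log capacity under the FortiAnalyzer 4.0 MR2
rules quoted above. Added example for this guide; not Fortinet code.

Assumptions not stated in the guide: a total that falls exactly on a tier
boundary (500G, 1000G, 3000G) belongs to the lower tier, "G" is read as
gigabytes, and the quota names (device names, "local" for the unit's own
logs) are illustrative.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# (upper bound of the tier in GB or None, fraction reserved, cap in GB or None)
RESERVE_TIERS: Tuple[Tuple[Optional[float], float, Optional[float]], ...] = (
    (500.0, 0.25, 100.0),
    (1000.0, 0.20, 150.0),
    (3000.0, 0.15, 300.0),
    (None, 0.10, None),
)


def reserved_space_gb(total_gb: float) -> float:
    """Space held back for compression files, upload files and temporary reports."""
    if total_gb <= 0:
        raise ValueError("total disk capacity must be positive")
    for upper, fraction, cap in RESERVE_TIERS:
        if upper is None or total_gb <= upper:
            reserved = total_gb * fraction
            return reserved if cap is None else min(reserved, cap)
    raise RuntimeError("tier table has no open-ended last tier")


def usable_capacity_gb(total_gb: float) -> float:
    """Capacity left for the unit's own logs plus devices' logs and quarantined files."""
    return total_gb - reserved_space_gb(total_gb)


@dataclass(frozen=True)
class Quota:
    name: str       # device name, or "local" for the FortiAnalyzer unit's own logs
    quota_gb: float


@dataclass(frozen=True)
class CapacityReport:
    total_gb: float
    reserved_gb: float
    usable_gb: float
    allocated_gb: float   # sum of all quotas
    headroom_gb: float    # usable minus allocated; negative means over-allocated

    @property
    def over_allocated(self) -> bool:
        """True when the quotas together exceed what the unit can store, so the
        disk can fill before every device reaches its own quota."""
        return self.headroom_gb < 0


def plan_capacity(total_gb: float, quotas: Iterable[Quota]) -> CapacityReport:
    """Compare the quotas handed out to devices (and the unit) with usable space."""
    reserved = reserved_space_gb(total_gb)
    usable = total_gb - reserved
    allocated = float(sum(q.quota_gb for q in quotas))
    return CapacityReport(total_gb, reserved, usable, allocated, usable - allocated)


if __name__ == "__main__":
    # Constructed example: a 2000G array with two device quotas and a local quota.
    report = plan_capacity(2000, [Quota("fgt-branch-a", 900),
                                  Quota("fgt-branch-b", 900),
                                  Quota("local", 50)])
    print(report, "over-allocated" if report.over_allocated else "ok")
```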

Hot-swapping hard disks

If a hard disk on a FortiAnalyzer unit fails, it must be replaced. The hard disk can be replaced while the FortiAnalyzer unit is running, also known as hot swapping.

Figure 12: Status of a failed hard disk on a FortiAnalyzer-800 unit as shown in the Disk Monitor widget

To hot-swap a hard disk

1 Go to System > Dashboard > Status.
2 In the Unit Operation widget, click Shutdown.
3 Click OK.
4 Remove the faulty hard disk and replace it with a new one.

Caution: Electrostatic discharge (ESD) can damage FortiAnalyzer equipment. Only perform the procedures described in this document from an ESD workstation. If no such station is available, you can provide some ESD protection by wearing an anti-static wrist or ankle strap and attaching it to an ESD connector or to a metal part of a FortiAnalyzer chassis.

When replacing a hard disk, you need to first verify that the new disk has the same size as those supplied by Fortinet and has at least the same capacity as the old one in the FortiAnalyzer unit. Installing a smaller hard disk will affect the RAID setup and may cause data loss. Due to possible differences in sector layout between disks, the only way to guarantee that two disks have the same size is to use the same brand and model. The size provided by the hard drive manufacturer for a given disk model is only an approximation. The exact size is determined by the number of sectors present on the disk.


5 Restart the FortiAnalyzer unit.
The FortiAnalyzer unit will automatically add the new disk to the current RAID array. The status appears on the console. After the FortiAnalyzer unit boots, the widget will display a green check mark icon for all disks and the RAID Status area will display the progress of the RAID resynchronization/rebuild.

Adding new disks for FortiAnalyzer 2000B/4000B

The FortiAnalyzer 2000B unit is shipped with 2 hard disks. You can add up to 4 more disks to increase the storage capacity. The FortiAnalyzer 4000B unit is shipped with 6 hard disks. You can add up to 18 more disks to increase the storage capacity.

To add more hard disks

1 Obtain the same disks as those supplied by Fortinet.
2 Back up the log data on the FortiAnalyzer 2000B/4000B unit. You can also migrate the data to another FortiAnalyzer unit if you have one. Data migration reduces system down time and risk of data loss. For information on data backup, see “Backing up the configuration & installing firmware” on page 114. For information on data migration, see “Migrating data from one FortiAnalyzer unit to another” on page 117.
3 Install the disks on the FortiAnalyzer unit. You can do so while the FortiAnalyzer unit is running.
4 Configure the RAID level. See “Configuring RAID” on page 106.
5 If you have backed up the log data, restore the data. For more information, see “Backing up the configuration & installing firmware” on page 114.

Log Receive Monitor widget

The Log Receive Monitor widget displays the rate at which logs are received over time. To configure settings for the widget, in its title bar, click Edit.

Note: Once a RAID array is built, adding another disk with the same capacity will not affect the array size until you rebuild the array by restarting the FortiAnalyzer unit.

Note: Fortinet recommends that you use the same disks as those supplied by Fortinet. Disks of other brands will not be supported by Fortinet. For information on purchasing extra hard disks, contact Fortinet Technical Support.


Figure 13: Log Receive Monitor widget

Figure 14: Editing Log Receive Monitor Settings

Alert Message Console widget

The Alert Message Console widget displays log-based alert messages for both the FortiAnalyzer unit itself and connected devices.

Name of the GUI item

Description

Widget Name The current widget name.

Type Select either:
• Log Type: Display the types of logs received from all registered devices, separated into categories such as top 5 traffic logs or antivirus logs.
• Device: Display the logs received from each registered device, separated into the top number of devices.

No. Entries Select the number of either log types or devices in the widget’s graph, depending on your selection in the Type field.

Time Period Select one of the following time ranges over which to monitor the rate at which log messages are received: • Hour • Day • Week

Refresh Interval To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0.


Alert messages help you track system events on your FortiAnalyzer unit such as firmware changes, and network events such as detected attacks. Each message shows the date and time that the event occurred.

Figure 15: Alert Message Console widget

The widget displays only the most current alerts. For a complete list of unacknowledged alert messages, in the widget’s title bar, click More alerts. To sort the columns by either ascending or descending order, click the column headings.

Figure 16: List of all alert messages

Tip: Alert messages can also be delivered by email, Syslog or SNMP. For more information, see “Configuring alerts” on page 87.

Name of the GUI item Description

Acknowledge Mark the check boxes of alert messages that you want to remove from the list of alerts, then click Acknowledge.

Include...and higher Select a severity threshold. Log messages equal to or greater than that severity will appear in the list of alerts.

Remove unacknowledged alerts older than [n days] Select a number of days to remove the alert messages older than that number.

formatted | raw Select either:
• formatted: Display the alert messages in columnar format.
• raw: Display the information without formatting, as it actually appears in the log messages.

Device The device where the log message originated.

Event The Message (msg=) field of the log message, which usually contains a description of the event.

Level The severity level of the log message.
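As an added example (not Fortinet code), the following Python models the rules this table describes for the alert list: the Include...and higher severity threshold, removal of unacknowledged alerts older than n days, acknowledgement, the formatted and raw views, and the Counter of repeated events. It assumes key=value log lines carrying date, time, device_id, level and msg fields (the sample lines are constructed) and the usual syslog-style severity order with emergency highest; both are assumptions, not taken from the guide.

```python
"""Model of the Alert Message Console filtering rules described above.
Added example for this guide; not Fortinet code.

Assumptions: log lines are key=value pairs with date=, time=, device_id=,
level= and msg= fields (the sample lines below are constructed), and level
names follow the usual syslog-style ordering, emergency being the highest.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple, Union

SEVERITY_RANK = {
    "debug": 0, "information": 1, "notice": 2, "warning": 3,
    "error": 4, "critical": 5, "alert": 6, "emergency": 7,
}

# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log lines (device IDs and messages are made up).
SAMPLE_LOGS = [
    'date=2011-03-20 time=09:15:02 device_id=FG100A0000000001 level=notice msg="Admin login successful"',
    'date=2011-03-20 time=09:20:45 device_id=FG100A0000000001 level=alert msg="Attack detected"',
    'date=2011-03-20 time=09:21:10 device_id=FG100A0000000001 level=alert msg="Attack detected"',
    'date=2011-03-20 time=10:02:33 device_id=FG100A0000000002 level=warning msg="Firmware upgraded"',
    'date=2011-03-01 time=08:00:00 device_id=FG100A0000000002 level=critical msg="Disk usage high"',
]


def parse_log_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def meets_threshold(level: str, threshold: str) -> bool:
    """'Include ... and higher': keep messages at or above the chosen severity."""
    return SEVERITY_RANK.get(level.lower(), -1) >= SEVERITY_RANK[threshold.lower()]


@dataclass
class AlertRow:
    device: str
    msg: str
    level: str
    time: datetime                                 # most recent occurrence
    counter: int = 0                               # occurrences folded into this row
    raw: List[str] = field(default_factory=list)   # original lines, for the raw view


def alert_console(lines: Iterable[str], threshold: str,
                  acknowledged: Set[Tuple[str, str]] = frozenset(),
                  max_age_days: Optional[int] = None,
                  now: Union[datetime, str, None] = None) -> List[AlertRow]:
    """Build the widget's alert list from raw log lines.

    acknowledged holds (device_id, msg) pairs already acknowledged;
    max_age_days mirrors "Remove unacknowledged alerts older than [n days]".
    """
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    now = now or datetime.now()
    rows: Dict[Tuple[str, str, str], AlertRow] = {}
    for line in lines:
        f = parse_log_line(line)
        if not meets_threshold(f.get("level", ""), threshold):
            continue
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        if max_age_days is not None and now - ts > timedelta(days=max_age_days):
            continue
        if (f["device_id"], f["msg"]) in acknowledged:
            continue
        level = f["level"].lower()
        key = (f["device_id"], f["msg"], level)
        row = rows.setdefault(key, AlertRow(f["device_id"], f["msg"], level, ts))
        row.counter += 1            # same event seen again: bump Counter, keep newest time
        row.time = max(row.time, ts)
        row.raw.append(line)
    # highest severity first, most recent first within a severity
    return sorted(rows.values(), key=lambda r: (SEVERITY_RANK[r.level], r.time), reverse=True)


def render(rows: List[AlertRow], raw: bool = False) -> List[str]:
    """formatted | raw: columnar rows, or the log lines exactly as received."""
    if raw:
        return [line for row in rows for line in row.raw]
    return [f"{r.time:%Y-%m-%d %H:%M:%S}  {r.device:<18} {r.level:<9} {r.counter:>3}  {r.msg}"
            for r in rows]


if __name__ == "__main__":
    for text in render(alert_console(SAMPLE_LOGS, "warning")):
        print(text)
```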


CLI Console widget

The CLI Console widget enables you to enter command lines through the web-based manager, without making a separate Telnet, SSH, or local console connection to access the CLI.

To use the console, first click within the console area. Doing so will automatically log you in using the same administrator account you used to access the web-based manager. You can then enter commands by typing them. Alternatively, you can copy and paste commands from or into the CLI Console.

For information on available commands, see the FortiAnalyzer CLI Reference.

Figure 17: CLI Console widget

To configure settings for the widget, in its title bar, click Console Preferences.

Time The date and time when the log message was generated. To sort in ascending or descending order, click the arrow in the column heading.

Counter The number of occurrences of the event.

Note: The CLI Console widget requires that your web browser support JavaScript.

Note: The prompt, by default the model number such as FortiAnalyzer-800B #, contains the host name of the FortiAnalyzer unit. To change the host name, see “Configuring the FortiAnalyzer unit’s host name” on page 39.


Figure 18: CLI Console widget settings

Top Traffic widget

You can only add a Top Traffic widget when you have selected the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 85. This widget displays a bar chart of the total volume of traffic handled by FortiGate units, based upon their traffic logs.

Name of the GUI item Description

Preview A preview of your changes to the CLI Console widget’s appearance.

Text Click the current color swatch to the left of this label, then click a color from the color palette to the right to change the color of the text in the CLI Console.

Background Click the current color swatch to the left of this label, then click a color from the color palette to the right to change the color of the background in the CLI Console.

Use external command input box Enable to display a command input field below the normal console emulation area. When this option is enabled, you can enter commands by typing them into either the console emulation area or the external command input field.

Console buffer length Enter the number of lines the console buffer keeps in memory. The valid range is from 20 to 9999.

Font Select a font from the list to change the display font of the CLI Console. There are only three font types to choose from: Lucida Console, Courier New, and the default font.

Size Select the size in points of the font. The default size is 10 points.


Figure 19: Top Traffic widget

To expand details for one of the widget’s items, click its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then click its + button, then select Service. The resulting widget display would reflect traffic volume for each service on that one device, from that source IP address. To collapse details and return to higher-level items, click a parent item’s X button. To configure settings for the widget, in its title bar, click Edit.

Figure 20: Top Traffic widget settings

Name of the GUI item

Description

Widget Name Type a name for the widget. It will appear in the widget’s title bar.

Device Select the name of either a device or device group for which you want to display traffic volumes.

Display by Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each source IP address.
• Top Destinations (from any): Rank results according to the total volume for each destination IP address.

Filter Port Select whether to include TCP or UDP protocols, then type the port number. The valid range is from 1 to 65,535.

Time Scope Select one of the following time ranges: • Hour • Day • Week • Month

No. Entries Select the number of entries to display.


Top Web Traffic widget

You can only add a Top Web Traffic widget when you have selected the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 85. This widget displays a bar chart of the total volume of web traffic handled by FortiGate units, based upon either their traffic logs (if you select By Volume in the widget’s settings) or web filtering logs (if you select By Request in the widget’s settings).

Figure 21: Top Web Traffic widget

To expand details for one of the widget’s items, click its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then click its + button, then select Service. The resulting widget display would reflect web traffic volume for each service on that one device, from that source IP address. To collapse details and return to higher-level items, click a parent item’s X button. To configure settings for the widget, in its title bar, click Edit.

Figure 22: Top Web Traffic widget settings

Name of the GUI item Description

Widget Name Type a name for the widget. It will appear in the widget’s title bar.

Device Select the name of either a device or device group for which you want to display traffic volumes.

Display by Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each source IP address.
• Top Destinations (from any): Rank results according to the total volume for each destination IP address.


Top Email Traffic widget

You can only add a Top Email Traffic widget when you have selected the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 85. This widget displays a bar chart of the total volume of email traffic handled by FortiGate units, based upon either their traffic logs (if you select By Volume in the widget’s settings) or content logs (if you select By Request in the widget’s settings).

Figure 23: Top Email Traffic widget

To expand details for one of the widget’s items, click its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then click its + button, then select Service. The resulting widget display would reflect email traffic volume for each service on that one device, from that source IP address. To collapse details and return to higher-level items, click a parent item’s X button. To configure settings for the widget, in its title bar, click Edit.

Filter Source IP Address or User Type the traffic’s source IP address or user name.

Filter Destination IP Address Type the traffic’s destination IP address.

By Volume Select to gather the information for this widget from the traffic logs.

By Requests Select to gather the information for this widget from the Web Filter logs.

Time Scope Select one of the following time ranges: • Hour • Day • Week • Month

No. Entries Select the number of entries to display.


Figure 24: Top Email Traffic widget settings

Top FTP Traffic widget

You can only add a Top FTP Traffic widget when you have selected the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 85. This widget displays a bar chart of the total volume of FTP traffic handled by FortiGate units, based upon their traffic logs.

Name of the GUI item

Description

Widget Name Type a name for the widget. It will appear in the widget’s title bar.

Device Select the name of either a device or device group for which you want to display traffic volumes.

Display by Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each source IP address.
• Top Destinations (from any): Rank results according to the total volume for each destination IP address.

Filter Protocol Select a protocol to filter by email protocol.

Filter Address Enter the email server IP address for filtering the information.

By Volume Select to gather the total amount of email traffic for this widget from the traffic logs.

By Requests Select to gather the total amount of email traffic for this widget from the content logs.

Time Scope Select one of the following time ranges: • Hour • Day • Week • Month

No. Entries Select the number of entries to display.


Figure 25: Top FTP Traffic widget

To expand details for one of the widget’s items, click its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then click its + button, then select Service. The resulting widget display would reflect FTP traffic volume for each service on that one device, from that source IP address. To collapse details and return to higher-level items, click a parent item’s X button. To configure settings for the widget, in its title bar, click Edit.

Figure 26: Top FTP Traffic widget settings

Top IM/P2P Traffic widget

You can only add a Top IM/P2P Traffic widget when you have selected the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 85.

Name of the GUI item

Description

Widget Name Type a name for the widget. It will appear in the widget’s title bar.

Device Select the name of either a device or device group for which you want to display traffic volumes.

Display by Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each source IP address.
• Top Destinations (from any): Rank results according to the total volume for each destination IP address.

Time Scope Select one of the following time ranges: • Hour • Day • Week • Month

No. Entries Select the number of entries to display.


This widget displays a bar chart of, depending on your selection in the widget’s settings, either the total number of instant message (IM) or peer-to-peer (P2P) sessions handled by FortiGate units, based upon their DLP logs.

Figure 27: Top IM/P2P Traffic widget

To expand details for one of the widget’s items, click its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then click its + button, then select Service. The resulting widget display would reflect IM/P2P traffic volume for each service on that one device, from that source IP address. To collapse details and return to higher-level items, click a parent item’s X button. To configure settings for the widget, in its title bar, click Edit.

Figure 28: Top IM/P2P Traffic widget settings

Name of the GUI item

Description

Widget Name Type a name for the widget. It will appear in the widget’s title bar.

Type Select either instant messaging (IM) or peer-to-peer (P2P) traffic.

Device Select the name of either a device or device group for which you want to display traffic volumes.

Display by Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each source IP address.
• Top Destinations (from any): Rank results according to the total volume for each destination IP address.

Protocol Select a protocol for filtering the traffic. If you select All, all of the protocols will be included.


Virus Activity widget

You can only add a Virus Activity widget when you have selected the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 85. This widget displays a bar chart of the total number of virus detections in traffic handled by FortiGate units, based upon their antivirus logs.

Figure 29: Virus Activity widget

To expand details for one of the widget’s items, click its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then click its + button, then select Service. The resulting widget display would reflect detected viruses for each service on that one device, from that source IP address. To collapse details and return to higher-level items, click a parent item’s X button. To configure settings for the widget, in its title bar, click Edit.

Figure 30: Virus Activity widget settings

Time Scope Select one of the following time ranges: • Hour • Day • Week • Month

No. Entries Select the number of entries to display.

Name of the GUI item

Description

Widget Name Type a name for the widget. It will appear in the widget’s title bar.


Intrusion Activity widget

You can only add an Intrusion Activity widget when you have selected the proprietary indexed file storage system. For information on switching file storage systems, see “Configuring SQL database storage” on page 85. This widget displays a bar chart of the total number of attack attempts in traffic handled by FortiGate units, based upon their attack logs.

Figure 31: Intrusion Activity widget

To expand details for one of the widget’s items, click its + button, then select which log field you want to use to categorize its results. For example, for one of the items, you might select Device to display and categorize that item’s results by which devices recorded those log messages. To further subcategorize one of the device’s results by protocol, you could then click its + button, then select Service. The resulting widget display would reflect detected intrusion attempts for each service on that one device, from that source IP address. To collapse details and return to higher-level items, click a parent item’s X button. To configure settings for the widget, in its title bar, click Edit.

Device Select the name of either a device or device group for which you want to display traffic volumes.

Display by Select which attribute to use in order to rank the top results: • Time Period: Rank results according to the total number of incidents for

each 24-hour time period, from 00:00:00 to 23:59:59.• Top Viruses: Rank results according to the total number of incidents for

each virus.• Top Sources (to any): Rank results according to the total number of

incidents for each source IP address. • Top Destinations (from any): Rank results according to the total number

of incidents for each destination IP address.• Protocol break down for virus incidents: Rank results according to the

total number of incidents for each protocol.

Time Scope Select one of the following time ranges: • Hour • Day • Week • Month

No. Entries Select the number of entries to display.

Edit

Figure 32: Intrusion Activity widget settings

Name of the GUI item | Description
Widget Name | Type a name for the widget. It will appear in the widget’s title bar.
Device | Select the name of either a device or device group for which you want to display traffic volumes.
Display by | Select which attribute to use in order to rank the top results:
  • Time Period: Rank results according to the total number of incidents for each 24-hour time period, from 00:00:00 to 23:59:59.
  • Top Intrusions: Rank results according to the total number of incidents for each intrusion.
  • Top Sources (to any): Rank results according to the total number of incidents for each source IP address.
  • Top Destinations (from any): Rank results according to the total number of incidents for each destination IP address.
Time Scope | Select one of the following time ranges: • Hour • Day • Week • Month
No. Entries | Select the number of entries to display.

Configuring network settings

The Network menu allows you to configure the FortiAnalyzer unit to operate on your network. You can configure basic network settings, including interfaces, DNS settings, and static routes.

Configuring the network interfaces

System > Network > Interface displays a list of the FortiAnalyzer unit’s network interfaces.

You must configure at least one of the FortiAnalyzer unit’s network interfaces to be able to connect to the CLI and web-based manager, which require an IP address. Depending on your network topology and other considerations, you may need to configure one or more of the FortiAnalyzer unit’s other network interfaces so that it can connect to your network and to the devices whose logs it receives. You can configure each network interface separately, with its own IP address, netmask, and accepted administrative access protocols.

Unlike other administrative protocols, SNMP access is not configured individually for each network interface. Instead, see “Configuring the SNMP agent” on page 94.

Figure 33: Interface list

Name of the GUI item | Description
Bring Up | Mark the check box of the network interface that you want to enable, then click Bring Up. The new status appears in Status.
Bring Down | Mark the check box of the network interface that you want to disable, then click Bring Down. The new status appears in Status.
Name | The name of the network interface, usually directly associated with one physical link as indicated by its name, such as port1.
IP/Netmask | The IP address and netmask of the network interface, separated by a slash ( / ).
Access | The administrative access services that are enabled on the network interface, such as HTTPS for the web-based manager.
FDP | Indicates whether Fortinet Discovery Protocol (FDP) is enabled. When Fortinet Discovery Protocol is enabled for an interface, a green check appears. For more information about FDP, see “About Fortinet Discovery Protocol” on page 66 and “Manually adding a FortiGate unit using the Fortinet Discovery Protocol (FDP)” on page 131.
Status | Indicates the “up” (available) or “down” (unavailable) administrative status of the network interface.
  • Green up arrow: The network interface is up and permitted to receive or transmit traffic.
  • Red down arrow: The network interface is down and not permitted to receive or transmit traffic.

To edit a network interface

1 Go to System > Network > Interface.

2 Mark the check box next to the interface whose settings you want to modify, then click Edit.

Caution: Enable administrative access only on network interfaces connected to trusted private networks or directly to your management computer. If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict administrative access could compromise the security of your FortiAnalyzer unit.

Note: You can restrict which IP addresses are permitted to log in as a FortiAnalyzer administrator through the network interfaces. For details, see “Configuring administrator accounts” on page 77.


3 Configure the following:

Name of the GUI item | Description
Interface Name | The name (such as port2) and media access control (MAC) address of this network interface.
Fortinet Discovery Protocol | Select Enabled to respond to Fortinet Discovery Protocol (FDP) on this interface, allowing FortiGate devices to find the FortiAnalyzer unit automatically. For more information about FDP, see “About Fortinet Discovery Protocol” on page 66 and “Manually adding a FortiGate unit using the Fortinet Discovery Protocol (FDP)” on page 131.
IP/Netmask | Enter the IP address/subnet mask. The IP address must be on the same subnet as the network to which the interface connects.
Administrative Access | Enable the types of administrative access that you want to permit on this interface.
HTTPS | Enable to allow secure HTTPS connections to the web-based manager through this network interface. For information on configuring the port number on which the FortiAnalyzer listens for these connections, see “Configuring the web-based manager’s global settings” on page 84.
PING | Enable to allow ICMP ping responses from this network interface.
HTTP | Enable to allow HTTP connections to the web-based manager through this network interface. For information on configuring the port number on which the FortiAnalyzer listens for these connections, see “Configuring the web-based manager’s global settings” on page 84. Caution: HTTP connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiAnalyzer unit.
SSH | Enable to allow SSH connections to the CLI through this network interface.
TELNET | Enable to allow Telnet connections to the CLI through this network interface. Caution: Telnet connections are not secure, and can be intercepted by a third party. If possible, enable this option only for network interfaces connected to a trusted private network, or directly to your management computer. Failure to restrict administrative access through this protocol could compromise the security of your FortiAnalyzer unit.
AGGREGATOR | Enable to allow sending and receiving log aggregation transmissions. For more information about aggregation, see “Configuring log aggregation” on page 100.
WEBSERVICES | Enable to allow web service (SOAP) connections. FortiManager units require web service connections for remote management of FortiAnalyzer units. If this option is not enabled, the FortiManager unit will not be able to install a configuration on the FortiAnalyzer unit. For more information, see “Configuring and using FortiAnalyzer web services” on page 66. Web services can also be used by third party tools to access logs and reports stored on the FortiAnalyzer unit. For more information about web services, see the FortiAnalyzer CLI Reference.
MTU | Enable Override default MTU value (1500) to change the maximum transmission unit (MTU) value, then enter the maximum packet size in bytes. To improve network performance, adjust the MTU so that it equals the smallest MTU of all devices between this interface and traffic’s final destinations. If the MTU is larger than other devices’ MTU, other devices through which the traffic travels must spend time and processing resources to break apart large packets to meet their smaller MTU, which slows down transmission. The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes.

4 Click OK. If you were connected to the web-based manager through this network interface, you are now disconnected from it.

5 To access the web-based manager again, in your web browser, modify the URL to match the new IP address of the network interface. For example, if you configured the network interface with the IP address 172.16.1.20, you would browse to https://172.16.1.20. If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to the FortiAnalyzer unit, you may also need to modify the IP address and subnet of your computer to match the FortiAnalyzer unit’s new IP address.

About Fortinet Discovery Protocol

FortiGate units running FortiOS 4.0 or greater can use Fortinet Discovery Protocol (FDP), a UDP protocol, to locate a FortiAnalyzer unit. When a FortiGate administrator selects Automatic Discovery, the FortiGate unit attempts to locate FortiAnalyzer units on the network within the same subnet. If FDP has been enabled for the FortiAnalyzer unit’s network interface to that subnet, the FortiAnalyzer unit will respond. After discovering the FortiAnalyzer unit, the FortiGate unit automatically enables logging to the FortiAnalyzer and begins sending log data. Depending on its configuration, the FortiAnalyzer unit may then automatically register the device and save its data, add the device but ignore its data, or ignore the device entirely. For more information, see “Configuring unregistered device options” on page 133.

Configuring and using FortiAnalyzer web services

To manage FortiAnalyzer v3.0 MR5 or later, FortiManager 3.00 MR5 or later requires that you enable web services on the FortiAnalyzer unit and obtain the Web Services Description Language (WSDL) file that defines the XML requests you can make and the responses that the FortiAnalyzer unit can provide. If web services are not enabled, the FortiManager unit will not be able to send a configuration to the FortiAnalyzer unit.


In addition to enabling web services, you must also register the devices with each other. When registering the FortiAnalyzer with the FortiManager unit, to guarantee full access to the FortiAnalyzer unit’s entire configuration, you must provide the login for the FortiAnalyzer unit’s admin administrator account. When registering the FortiManager with the FortiAnalyzer unit’s device list, you must set connection permissions to allow remote management.

Web services can also be used by third party tools to access logs and reports stored on the FortiAnalyzer unit. For more information, see the FortiAnalyzer CLI Reference.

Web services are automatically encrypted with SSL (HTTPS). For information on the certificate used to do so, see “Importing a local server certificate” on page 121.

To configure web services

1 On the FortiAnalyzer unit, log in as admin.

2 Go to System > Network > Interface.

3 Mark the check box of the network interface which will accept web services connections, then click Edit.

4 In the Administrative Access area, enable WEBSERVICES. If it is not already enabled, also enable HTTPS.

5 Click OK.

6 Go to System > Admin > Administrator.

7 Mark the check box of the admin administrator account, then click Edit.

8 In Trusted Host, include the FortiManager unit's IP address. For additional security, restrict the Trusted Host entry to include only the FortiManager unit's IP address (that is, a subnet mask of 255.255.255.255) and your computer's IP address.

9 Click OK.

10 Go to Devices > All Devices > Allowed.


11 If the FortiManager unit appears as an unregistered device, mark its check box, then click Register to complete the device registration. If the FortiManager unit does not appear in the device list, click Create New to add the device registration.

12 Click OK.

13 Register the FortiAnalyzer unit with the FortiManager unit’s device list. For details, see the FortiManager Administration Guide.
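The interface cautions (HTTP and Telnet are cleartext; WEBSERVICES needs HTTPS) and the Trusted Host guidance in step 8 lend themselves to a configuration check. The following is an added example, not code from the guide or from Fortinet: it audits a constructed model of the interface list and the administrator list and reports cleartext administrative protocols, WEBSERVICES without HTTPS, Trusted Host entries wider than the single-host mask the guide recommends, and management hosts the Trusted Host entries leave out. The Interface and Administrator classes, the sample addresses and the management host list are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Administrative access protocols the guide cautions against (cleartext, interceptable).
INSECURE_ADMIN_PROTOCOLS = {"HTTP", "TELNET"}


@dataclass
class Interface:
    """One row of System > Network > Interface (constructed model, not a FortiAnalyzer export)."""
    name: str
    ip_netmask: str                            # "address/netmask" as shown in the interface list
    access: set = field(default_factory=set)   # enabled Administrative Access protocols


@dataclass
class Administrator:
    """One row of System > Admin > Administrator (constructed model)."""
    name: str
    trusted_hosts: list = field(default_factory=list)  # Trusted Host "address/netmask" entries


def trusted_network(entry):
    """Turn a Trusted Host entry such as 192.0.2.10/255.255.255.255 into a network.

    0.0.0.0/0.0.0.0 becomes 0.0.0.0/0, i.e. any address, as the guide describes.
    """
    address, netmask = entry.split("/")
    return ipaddress.IPv4Network((address, netmask), strict=False)


def audit_interfaces(interfaces):
    """Flag interfaces that expose cleartext admin protocols or SOAP without HTTPS."""
    findings = []
    for itf in interfaces:
        for proto in sorted(itf.access & INSECURE_ADMIN_PROTOCOLS):
            findings.append((itf.name, f"{proto} administrative access is enabled (cleartext)"))
        if "WEBSERVICES" in itf.access and "HTTPS" not in itf.access:
            findings.append((itf.name, "WEBSERVICES is enabled without HTTPS"))
    return findings


def audit_administrators(admins, management_hosts):
    """Check Trusted Host entries against the hosts that legitimately need access.

    management_hosts are the addresses (FortiManager unit, your management computer)
    that must stay able to log in; anything broader than single hosts is reported.
    """
    findings = []
    required = [ipaddress.IPv4Address(h) for h in management_hosts]
    for adm in admins:
        networks = [trusted_network(e) for e in adm.trusted_hosts]
        for net in networks:
            if net.prefixlen == 0:
                findings.append((adm.name, "trusted host 0.0.0.0/0.0.0.0 permits login from any address"))
            elif net.prefixlen < 32:
                findings.append((adm.name, f"trusted host {net} is wider than a single host"))
        for host in required:
            if not any(host in net for net in networks):
                findings.append((adm.name, f"management host {host} is not a trusted host"))
    return findings


def audit(interfaces, admins, management_hosts):
    """Run both checks and return the findings keyed by area."""
    return {
        "interfaces": audit_interfaces(interfaces),
        "administrators": audit_administrators(admins, management_hosts),
    }


# Constructed sample configuration (addresses from the RFC 5737 documentation range).
SAMPLE_INTERFACES = [
    Interface("port1", "172.16.1.20/255.255.255.0", {"HTTPS", "SSH", "PING"}),
    Interface("port2", "192.0.2.1/255.255.255.0", {"HTTP", "TELNET", "WEBSERVICES"}),
]
SAMPLE_ADMINS = [
    Administrator("admin", ["192.0.2.10/255.255.255.255", "192.0.2.20/255.255.255.255"]),
    Administrator("auditor", ["0.0.0.0/0.0.0.0"]),
    Administrator("helpdesk", ["192.0.2.0/255.255.255.0"]),
]
SAMPLE_MANAGEMENT_HOSTS = ["192.0.2.10", "192.0.2.30"]   # FortiManager unit, management PC

if __name__ == "__main__":
    for area, items in audit(SAMPLE_INTERFACES, SAMPLE_ADMINS, SAMPLE_MANAGEMENT_HOSTS).items():
        for name, message in items:
            print(f"{area}: {name}: {message}")
```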

To obtain the WSDL file

Download the WSDL file directly from the following URL:

https://<FortiAnalyzer_ip_address>:8080/FortiAnalyzerWS?wsdl

The following is a section of the WSDL file:

<definitions name="FortiAnalyzerWS" targetNamespace="http://localhost:8080/FortiAnalyzerWS.wsdl">
  <types>
    <schema targetNamespace="urn:FortiAnalyzerWS" elementFormDefault="qualified" attributeFormDefault="qualified">
      <import namespace="http://schemas.xmlsoap.org/soap/encoding/"/>
      <element name="FortiRequestEl" type="ns:FortiRequest"/>
      <element name="FortiResponseEl" type="ns:FortiResponse"/>
      <!-- enumerations -->
      <simpleType name="SearchContent">
        <restriction base="xsd:string">
          <enumeration value="Logs"/>
          <enumeration value="ContentLogs"/>
          <enumeration value="LocalLogs"/>
        </restriction>
      </simpleType>
      <simpleType name="ReportType">
        <restriction base="xsd:string">
          <enumeration value="FortiGate"/>
          <enumeration value="FortiClient"/>
          <enumeration value="FortiMail"/>
        </restriction>
      </simpleType>
      …
  <service name="FortiAnalyzerWS">
    <documentation>gSOAP 2.7.7 generated service definition</documentation>
    <port name="FortiAnalyzerWS" binding="tns:FortiAnalyzerWS">
      <SOAP:address location="https://localhost:8080/FortiAnalyzerWS"/>
    </port>
  </service>
</definitions>
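The WSDL excerpt above tells a client two things before it sends any request: which values the request schema accepts (the SearchContent and ReportType enumerations) and where the SOAP endpoint is, which in the generated file is localhost rather than the unit's own address. The following is an added example, not part of the guide or of Fortinet's software: it parses a constructed fragment modelled on the excerpt (the xmlns declarations are assumptions, since the excerpt does not show them), validates a request value against the enumerations, and rewrites the declared endpoint to the FortiAnalyzer unit's address while refusing anything that is not HTTPS.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed fragment modelled on the guide's WSDL excerpt. The xmlns declarations
# are assumptions (the excerpt does not show them) and the elided parts are omitted.
SAMPLE_WSDL = """<definitions name="FortiAnalyzerWS"
    targetNamespace="http://localhost:8080/FortiAnalyzerWS.wsdl"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:SOAP="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="http://localhost:8080/FortiAnalyzerWS.wsdl">
  <types>
    <schema targetNamespace="urn:FortiAnalyzerWS"
        xmlns="http://www.w3.org/2001/XMLSchema"
        elementFormDefault="qualified" attributeFormDefault="qualified">
      <import namespace="http://schemas.xmlsoap.org/soap/encoding/"/>
      <simpleType name="SearchContent">
        <restriction base="xsd:string">
          <enumeration value="Logs"/>
          <enumeration value="ContentLogs"/>
          <enumeration value="LocalLogs"/>
        </restriction>
      </simpleType>
      <simpleType name="ReportType">
        <restriction base="xsd:string">
          <enumeration value="FortiGate"/>
          <enumeration value="FortiClient"/>
          <enumeration value="FortiMail"/>
        </restriction>
      </simpleType>
    </schema>
  </types>
  <service name="FortiAnalyzerWS">
    <documentation>gSOAP 2.7.7 generated service definition</documentation>
    <port name="FortiAnalyzerWS" binding="tns:FortiAnalyzerWS">
      <SOAP:address location="https://localhost:8080/FortiAnalyzerWS"/>
    </port>
  </service>
</definitions>
"""

# Prefixes used only by the ElementTree queries below; they map to the standard namespaces.
NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "xs": "http://www.w3.org/2001/XMLSchema",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}


def parse_wsdl(text):
    """Return the enumerated request values and the SOAP endpoint a WSDL declares."""
    root = ET.fromstring(text)
    enumerations = {}
    for simple in root.iterfind(".//xs:simpleType", NS):
        values = [e.get("value") for e in simple.iterfind("xs:restriction/xs:enumeration", NS)]
        enumerations[simple.get("name")] = values
    address = root.find(".//wsdl:service/wsdl:port/soap:address", NS)
    if address is None:
        raise ValueError("WSDL declares no SOAP address")
    return {"enumerations": enumerations, "location": address.get("location")}


def is_valid_value(info, type_name, value):
    """True if value is one of the enumeration values the schema allows for type_name."""
    return value in info["enumerations"].get(type_name, [])


def endpoint_for(location, fortianalyzer_host):
    """Rewrite the declared endpoint to the real unit's address.

    The generated WSDL names localhost in its SOAP address, so a client substitutes the
    FortiAnalyzer unit's own address while keeping scheme, port and path. Only https is
    accepted, because web services are served over SSL.
    """
    parts = urlsplit(location)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS web services endpoint: {location}")
    port = parts.port or 8080
    return urlunsplit((parts.scheme, f"{fortianalyzer_host}:{port}",
                       parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    info = parse_wsdl(SAMPLE_WSDL)
    print(info["enumerations"])
    print(endpoint_for(info["location"], "192.0.2.5"))   # 192.0.2.5 is a constructed address
```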

Configuring DNS

System > Network > DNS enables you to configure the FortiAnalyzer unit with the IP addresses of the domain name system (DNS) servers that the FortiAnalyzer unit will query to resolve domain names such as www.example.com into IP addresses.

FortiAnalyzer units require connectivity to DNS servers for DNS lookups. Your Internet service provider (ISP) may supply IP addresses of DNS servers, or you may want to use the IP addresses of your own DNS servers.

Note: For improved performance, use DNS servers on your local network. Features such as NFS shares can be impacted by poor DNS connectivity.

Configuring static routes

The route list displays the static routes on the FortiAnalyzer unit. Static routes provide the FortiAnalyzer unit with the information it needs to forward a packet to a particular destination other than the default gateway. To view the routing list, go to System > Network > Routing.

Figure 34: Route list

Name of the GUI item | Description
Move | Select to change the route’s order in the route list.
Insert | Select to add a route before the selected one in the list.
Destination IP/Netmask | The destination IP address and netmask of the packets that the FortiAnalyzer unit forwards using this route.
Gateway | The IP address of the router to which the FortiAnalyzer unit forwards those packets.
Interface | The name of the FortiAnalyzer interface through which packets matching this route are received and sent.


To add a static route

1 Go to System > Network > Routing.

2 Select Create New.

Name of the GUI item | Description
Destination IP/Mask | Enter the destination IP address and network mask of the packets that the FortiAnalyzer unit should route through this gateway. Enter a netmask to associate with the IP address.
Gateway | Enter the IP address of the gateway to which the FortiAnalyzer unit will forward those packets.
Interface | Select the port through which those packets are received and sent.

3 Enter the applicable information, and click OK.

Configuring network shares

The FortiAnalyzer hard disk can be used as an NFS or Windows network share to store users’ files and/or FortiAnalyzer reports and logs. By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.


When selecting a network share style, consider the access methods available to your users:
• Microsoft Windows users could connect to a FortiAnalyzer Windows network share by mapping a drive letter to a network folder
• Apple Mac OS X, Unix or Linux users:
  • could mount a FortiAnalyzer Windows network share using smbfs
  • could mount a FortiAnalyzer NFS network share

Before a user can access files on the FortiAnalyzer network share:
• network share user accounts and groups must be created (for Windows share only)
• network sharing (Windows or NFS) must be enabled
• the share folder and its file permissions (user access) must be set

Configuring share users

You can create Windows network share user accounts to provide non-administrative access to the logs, reports and hard disk storage of the FortiAnalyzer unit. Users that are added will not have administrative access to the FortiAnalyzer hard disk or FortiAnalyzer unit. For information about how to add administrative users, see “Configuring administrator-related settings” on page 77. To view the network user list, go to System > Network Sharing > User.

Figure 35: Network share user list

Name of the GUI item | Description
Create New | Select to create a Windows network share user. See “To add a user account” on page 71.
Edit | Change a selected user’s current settings.
Delete | Remove a selected user’s current settings.
Username | The name of the user.
UID | The user’s identification. This is useful for NFS shares only.
Description | A comment about the user account.

To add a user account

1 Go to System > Network Sharing > User.

2 Select Create New.

Name of the GUI item | Description
Username | Enter a user name. The name cannot include spaces.
UID (NFS only) | Leave this field empty. This field is for NFS shares only. The NFS protocol uses the UID to determine the permissions on files and folders.
Password | Enter a password for the user.
Description | Enter a description of the user. For example, you might enter the user’s name or a position such as IT Manager.

3 Enter the appropriate information for the network share user account and select OK.

Configuring share user groups

You can create Windows network share user groups to maintain access privileges for a large number of users at once. You need to add users before you can create groups. To view the user group list, go to System > Network Sharing > Group.

Figure 36: User group list

Name of the GUI item | Description
Group | The name of the group. For example, Finance. The name cannot include spaces.
GID | The Group ID. This is useful for NFS shares only.
Members | The users that are members of that group.

To add a user group

1 Go to System > Network Sharing > Group.

2 Select Create New.

Name of the GUI item | Description
Group | Enter the name of the group.
GID (NFS only) | Leave this field empty. This field is for NFS shares only. The GID is the unique numerical identifier for a group. The NFS protocol uses the GID to determine the permissions on files and folders.
Available Users | The available users that you can add to the group. Select a user and then select the right arrow to move that user to the Members area.
Members | The users that are included in the group. If you do not want a user included as a member, select the user and then select the left arrow to move that user back to the Available Users area.

3 Enter the information for the group account and select OK.

Configuring Windows shares

You can configure the FortiAnalyzer unit to provide folder and file sharing using Windows sharing. To view users with Windows share access to the FortiAnalyzer unit, go to System > Network Sharing > Windows Share.

Figure 37: Windows network share user list


Name of the GUI item | Description
Enable Windows Network Sharing | Select the check box to enable Windows network sharing.
Workgroup | Enter the name of the work group and then select Apply.
Local Path | The shared file or folder path.
Share as | The share name.
Read Only User | A list of users or groups that have read-only access to the folder or files.
Read Write User | A list of users or groups that have read-write access to the folder or files.

To configure Windows share

1 Go to System > Network Sharing > Windows Share.

2 Select Create New.

Name of the GUI item | Description
Local Path | Type a folder directory, such as /Storage/Mail, or select the local path button to choose a folder to share on the FortiAnalyzer hard disk. If you type a directory, you must start with /Storage. The default permission for files and folders is read and execute privileges. The owner of the document also has write privileges. You must select the write permission for the folder, the user and the group to enable write permissions. For more information, see “Default file permissions on NFS shares” on page 76.
Share Name | The name of the share configuration.
Available Users & Groups | The list of users and groups that are available for Windows network shares. For information on adding users and groups, see “Configuring share users” on page 71. Select a user and then select the right arrow that points to the permission list that you want that user or group to be under, either Read-Only Access or Read-Write Access.
Read-Only Access | Users or groups that do not have permission to edit or change settings. To remove a user or group from either access list, select the user or group and then select the left arrow to move it back to the Available Users & Groups list.
Read-Write Access | Users or groups that have permission to edit or change settings. To remove a user or group from either access list, select the user or group and then select the left arrow to move it back to the Available Users & Groups list.

3 Enter the information for the Windows share and select OK.

Configuring NFS shares

You can configure the FortiAnalyzer unit to provide folder and file sharing using NFS sharing. To view a list of users with NFS share access to the FortiAnalyzer unit, including access privileges, go to System > Network Sharing > NFS Export.

Figure 38: List of users with NFS share access

Name of the GUI item | Description
Enable NFS Exports | Select the check box beside Enable NFS Exports and then select Apply to enable NFS shares.
Local Path | The path the user has permission to connect to.
Remote Clients | A list of users that have access to the folder or files.
Read Only User | A list of users or groups that have read-only access to the folder or files.
Read Write User | A list of users or groups that have read-write access to the folder or files.

To add a new NFS share configuration

1 Configure DNS and a default route. For information, see “Configuring network settings” on page 63. NFS exports are file system-level mounts. Bad DNS or routing connectivity can cause very slow access or 'hangs' when trying to write a file using NFS.

2 Go to System > Network Sharing > NFS Export.

3 Select Enable NFS Exports and select Apply.

4 Select Create New.

Name of the GUI item | Description
Local Path | Type a folder directory, such as /Storage/Mail, or select the local path button to choose a folder to share on the FortiAnalyzer hard disk. If you type a directory, you must start with /Storage. The default permissions for files and folders are read and execute privileges. The owner of the document also has write privileges. You must select the write permission for the folder and for the user and the group to enable write access for users and groups. For more information, see “Default file permissions on NFS shares” on page 76.
Remote Client: (Host, subnet, FQDN) | Enter the IP address or domain name of an NFS client, such as a FortiMail unit configured for NFS storage. This client can access the NFS share folder.
Permissions | Select the type of permissions. The type of permission selected determines which list the NFS client will be put in.
  • Read Only: users connecting to the share will be able to list and read files.
  • Read Write: users connecting to the share will be able to list, read, create, modify, and delete files.
Add | Select to add the NFS client to either the Read-only Access list or the Read-Write Access list, depending on the permission selected.
Delete | Select the check box beside the NFS client in either the Read-only Access list or the Read-Write Access list, and then select Delete to remove it.
Read-only Access | The list of remote clients that have read-only access.
Read-Write Access | The list of remote clients that have both read and write access.

5 Select OK.

6 Configure the NFS client to connect to the FortiAnalyzer unit and mount the share.

Default file permissions on NFS shares

By default, when a user adds a new file or folder, the permissions are:
• read, write, and execute for the owner (user)
• read and execute for the Admin group and Others group.

You can set file permissions in the CLI. For more information, see the config nas share command in the FortiAnalyzer CLI Reference.


Configuring administrator-related settings

The Admin menu manages administrator accounts, access profiles, and RADIUS authentication. It also controls settings for the web-based manager that apply to all administrator accounts, and enables you to monitor which administrator accounts are currently logged in.

Configuring administrator accounts

System > Admin > Administrator displays the list of FortiAnalyzer administrator accounts.

In its factory default configuration, a FortiAnalyzer unit has one administrator account, named admin. The admin administrator has permissions that grant full access to the FortiAnalyzer configuration and firmware. After connecting to the web-based manager or the CLI using the admin administrator account, you can configure additional administrator accounts with various levels of access to different parts of the FortiAnalyzer configuration.

Administrators may be able to access the web-based manager and/or the CLI through the network, depending on the administrator account’s trusted hosts and the administrative access protocols enabled for each of the FortiAnalyzer unit’s network interfaces. For details, see “Configuring the network interfaces” on page 63 and “Trusted Host” on page 79. To determine which administrators are currently logged in, see “Monitoring administrators” on page 85.

Figure 39: Administrator account list

Note: In FortiAnalyzer 4.0 patch release 2, the admin administrator account can be deleted. However, Fortinet strongly recommends updating to the latest FortiAnalyzer 4.0 patch release, or 4.0 MR1 and above to prevent any user or administrator from accidentally deleting the admin administrator account. If you have FortiAnalyzer 4.0 Patch release 2 currently running on your FortiGate unit, back up either the default configuration or the current configuration containing the admin administrator so that you can restore the admin administrator account.

Name of the GUI item | Description
Change Password | Change the account password. For more information, see “Changing an administrator’s password” on page 79.
Update Column Settings | Define log columns for an administrator account. You can revert the column settings to the system default if they have been customized, or copy the settings from another administrator account. For information about configuring column settings, see “Displaying and arranging log columns” on page 143.
Name | The assigned name for the administrator.
Trusted Hosts | The IP address and netmask of acceptable locations for the administrator to log in to the FortiAnalyzer unit. If you want the administrator to be able to access the FortiAnalyzer unit from any address, use the IP address and netmask 0.0.0.0/0.0.0.0. To limit the administrator to only access the FortiAnalyzer unit from a specific network or host, enter that network’s IP and netmask.
Profile | The access profile assigned to the administrator. For more information, see “Configuring access profiles” on page 80.
Type | Type can be either local, as a configured administrator on the FortiAnalyzer unit, or RADIUS if you are using a RADIUS server on your network.

To add an administrator account

1 Go to System > Admin > Administrator.

2 Select Create New.

Name of the GUI item | Description
Administrator | Enter the administrator name. You can add the ‘@’ symbol in the name. For example, admin_1@headquarters could identify an administrator that will access the FortiAnalyzer unit from the headquarters office of their organization. The ‘@’ symbol is also useful to those administrators who require RADIUS authentication. You can also configure an administrator account for remote authentication and associate an authentication group with it.
Remote Auth | Select if you are authenticating a specific account on a RADIUS server.
Wild Card | This option appears only if Remote Auth is enabled. Select if you don’t want to set a password for this account.
Auth Group | This option appears only if Remote Auth is enabled. Select which RADIUS server group to use when authenticating this administrator account. You need to create an authentication group first so that you can select it from the list. For more information about creating an authentication group, see “Configuring authentication groups” on page 81.
Password | Enter a password for the administrator account. For security reasons, a password should be a mixture of letters and numbers and longer than six characters. If a user attempts to log in and mistypes the password three times, the user is locked out of the system from that IP address for a short period of time. This option does not appear if you select Wild Card, or when editing the account.
Confirm Password | Re-enter the password for the administrator account to confirm its spelling. This option does not appear if you select Wild Card, or when editing the account.
Trusted Host | Enter the IP address and netmask of acceptable locations for the administrator to log in to the FortiAnalyzer unit. If you want the administrator to be able to access the FortiAnalyzer unit from any address, use the IP address and netmask 0.0.0.0/0.0.0.0. To limit the administrator to only access the FortiAnalyzer unit from a specific network, enter that network’s IP and netmask.
Access Profile | Select an access profile from the list. Access profiles define administrative access permissions to areas of the configuration by menu item. For more information, see “Configuring access profiles” on page 80. This option does not appear for the admin administrator.

3 Enter the appropriate information and select OK.

Changing an administrator’s password

The admin administrator and administrators with read and write permissions can change their own account passwords. Administrators with read-only permissions cannot change their own password. Instead, the admin administrator must change the password for them.

To change the administrator account password

1 Go to System > Admin > Administrator.

2 Select an administrator account.

3 Select Change Password.

4 Enter the old password for confirmation.

5 Enter the new password and confirm the spelling by entering it again.

6 Select OK.

Admin Domain Select an administrative domain (ADOM) from the list. ADOMs define administrative access permissions to areas of the configuration and device data by device or VDOM. For more information, see “About administrative domains (ADOMs)” on page 25.This option does not appear when ADOMs are disabled, nor for the admin administrator.

ortiAnalyzer™ Version 4.0 MR2 Administration Guideevision 13 79ttp://docs.fortinet.com/ • Feedback
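The trusted host matching described above, as an added example that is not part of the original guide. The account names and addresses are constructed for illustration only; the check uses Python's standard ipaddress module to test whether a login source address falls inside an administrator's trusted hosts, and to flag accounts left at 0.0.0.0/0.0.0.0.

```python
import ipaddress

# Constructed example data: administrator accounts and the trusted hosts that
# would be entered for them in System > Admin > Administrator, written in the
# address/netmask form the GUI uses. None of these accounts exist on a real unit.
ADMINS = {
    "admin":      ["10.0.5.0/255.255.255.0"],                              # management LAN only
    "noc_1":      ["10.0.5.17/255.255.255.255", "10.0.6.0/255.255.255.0"],  # one workstation plus the NOC LAN
    "contractor": ["0.0.0.0/0.0.0.0"],                                     # any address (the wide-open setting)
}


def parse_trusted_host(entry):
    """Convert 'address/netmask' into an ip_network; strict=False tolerates host bits set in the address."""
    addr, mask = entry.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def is_wide_open(entry):
    """0.0.0.0/0.0.0.0 becomes 0.0.0.0/0, i.e. prefix length 0: every IPv4 address matches it."""
    return parse_trusted_host(entry).prefixlen == 0


def login_allowed(admins, account, source_ip):
    """True if the source address lies inside any trusted host of the account.

    This is the network check the unit applies before it even looks at the password;
    an unknown account or a source outside every trusted host is rejected outright.
    """
    src = ipaddress.ip_address(source_ip)
    return any(src in parse_trusted_host(entry) for entry in admins.get(account, []))


def audit_trusted_hosts(admins):
    """Names of accounts that can log in from anywhere, sorted for stable output."""
    return sorted(name for name, hosts in admins.items() if any(is_wide_open(h) for h in hosts))


if __name__ == "__main__":
    attempts = [("admin", "10.0.5.40"), ("admin", "192.0.2.9"),
                ("noc_1", "10.0.6.200"), ("contractor", "203.0.113.5")]
    for account, ip in attempts:
        verdict = "allowed" if login_allowed(ADMINS, account, ip) else "rejected"
        print(f"{account:11s} from {ip:14s} -> {verdict}")
    print("accounts reachable from any address:", audit_trusted_hosts(ADMINS))
```

Run it against an export of your own administrator list and treat every name returned by audit_trusted_hosts as a finding; a 0.0.0.0/0.0.0.0 entry is rarely intentional on an account other than a break-glass one.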

Configuring access profiles
Access profiles define administrator privileges to parts of the FortiAnalyzer configuration. For example, you can create a profile where the administrator has read and write access only to reports, or read-only access to the DLP archive logs. Only the admin administrator has access to all configuration areas of a FortiAnalyzer unit by default; every other administrator must be assigned an access profile. Give each profile only the access its administrators need for their tasks.

You can create any number of access profiles and define the access privileges granted by each. An administrator account can use only one access profile at a time.

To view the list of access profiles, go to System > Admin > Access Profile.

Figure 40: Access profile list

Name of the GUI item and description:

Profile Name: The name of the access profile.

To create an access profile
1 Go to System > Admin > Access Profile.
2 Select Create New.
3 Enter the information for the new access profile, and select OK.

Name of the GUI item and description:

Profile Name: Enter a name for the new access profile.

Access Control: Lists the FortiAnalyzer configuration components to which you can set administrator access. For each component, select one of the following:

None: The administrator has no access to the function.

Read Only: The administrator can view pages, menus and information, but cannot modify any settings.

Read-Write: The administrator can view pages, menus and information, and can change the configuration.

Note: Administrator accounts can also be restricted to specific devices, or to specific VDOMs of FortiGate units, in the FortiAnalyzer device list. For more information, see "About administrative domains (ADOMs)" on page 25.

Configuring authentication groups
Auth Group enables you to group RADIUS servers into logical arrangements for administrator authentication. You must configure at least one RADIUS server before you can create an authentication group. For information on creating RADIUS servers, see "Configuring RADIUS servers" on page 82.

To view the list of auth groups, go to System > Admin > Auth Group.

Figure 41: Authentication group list

Name of the GUI item and description:

Group Name: The name of the auth group.

Members: The RADIUS servers in the group.

To add a group
1 Go to System > Admin > Auth Group.
2 Select Create New.
3 Enter a name for the group.
4 Select the servers from Available Auth Servers to add to the group and select the right arrow.
5 Select OK.

Configuring RADIUS servers
If you already have a RADIUS server for authentication, you can configure the FortiAnalyzer unit to have it perform administrator authentication. To view the RADIUS server list, go to System > Admin > RADIUS Server.

Figure 42: RADIUS server list

Name of the GUI item and description:

Name: The name that identifies the server.

Server Name/IP: The server name or IP address of the RADIUS server.

To add a RADIUS server
1 Go to System > Admin > RADIUS Server, select Create New.
2 Enter the appropriate information for the server and select OK.

Name of the GUI item and description:

Name: Enter a name to identify the server.

Primary Server Name/IP: Enter the name or IP address of the primary RADIUS server.

Primary Server Secret: Enter the shared secret configured on the primary server. The secret is what protects the administrator's password in transit and authenticates the server's replies, so use a long, random value and do not reuse it for other RADIUS clients.

Secondary Server Name/IP: Enter the name or IP address of the secondary RADIUS server, used if the primary server goes out of service.

Secondary Server Secret: Enter the shared secret configured on the secondary server.

Authentication Protocol: Select which authentication protocol the FortiAnalyzer unit uses to communicate with the RADIUS server.
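The exchange behind the Server Secret and Authentication Protocol fields, as an added example that is not part of the original guide. It builds a RADIUS Access-Request with PAP (RFC 2865) in Python using only the standard library, hides the password with the shared secret exactly as the protocol does, and verifies a server's Response Authenticator. The user name, password, secret and addresses are constructed, and nothing is sent on the wire. The point for a practitioner: the password's only protection in transit is an MD5 keystream derived from the shared secret, so a short or widely shared secret makes every administrator login recoverable by anyone who can capture the UDP traffic.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeding the chain with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the server computes, and what anyone holding
    the secret plus a captured packet can compute just as easily."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        plain += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, identifier, authenticator=None):
    """Client side: Code 1, Identifier, Length, 16-byte random Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(response, request_authenticator, secret):
    """Client check that rejects an Access-Accept forged by anyone who does not hold the secret."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return response[4:20] == expected


if __name__ == "__main__":
    secret = b"correct-horse-battery-staple"          # constructed shared secret
    req = build_access_request(b"admin_1@headquarters", b"Tr0ub4dor&3", secret, "10.0.5.2", 7)
    print("Access-Request:", req.hex())
    accept = build_response(ACCESS_ACCEPT, 7, req[4:20], secret)
    print("genuine Access-Accept verifies:", response_is_authentic(accept, req[4:20], secret))
    forged = build_response(ACCESS_ACCEPT, 7, req[4:20], b"guess")
    print("forged Access-Accept verifies:", response_is_authentic(forged, req[4:20], secret))
```

The last two lines show why the response check matters: without it, any host on the path could answer an Access-Request with a bare Access-Accept. The same check is what the secondary server's secret buys you when the primary is down.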

Configuring the web-based manager's global settings
Administrators Settings allows you to configure some common settings for all administrator accounts, including the idle timeout (how much time must pass without activity before the FortiAnalyzer unit logs out an administrator), the language of the web-based manager, and the web-based manager menu customization (showing or hiding menu items). You can also enable or disable administrative domains (ADOMs).

To configure administrators' settings, go to System > Admin > Settings.

Figure 43: Administrators' settings

Note: Only the admin administrator can change administrators' settings.

Name of the GUI item and description:

Idle Timeout: Set the idle timeout to control the amount of inactive time before the administrator must log in again. For better security, keep the idle timeout to a low value (for example, five minutes). When viewing real-time logs, a pop-up window appears 60 seconds before the idle timeout is reached, prompting you to keep or cancel the timeout. If you cancel it, you will not be logged out when the idle timeout value is reached.

Web Administration [Language]: Select the language for the web-based manager.

GUI Menu Customization: By default, these menu items are hidden. Select one to make it appear in the menu list.

Admin Domain Configuration: Enable or disable administrative domains (ADOMs). For more information on ADOMs, see "About administrative domains (ADOMs)" on page 25. This option does not appear if ADOMs are currently enabled and ADOMs other than the root ADOM exist. This option does not appear on FortiAnalyzer-100/100A/100B/100C models.

Monitoring administrators
The Monitor page enables the admin administrator to view a list of other administrators that are currently logged in to the FortiAnalyzer unit. The admin administrator can disconnect other administrators' sessions, should the need arise.

To monitor current administrators, go to System > Admin > Monitor.

Figure 44: Monitoring administrators

To disconnect an administrator, mark the check box next to an administrator's account name, then click Disconnect.

Configuring log storage & query features
System > Config enables you to configure miscellaneous features, such as the SQL database, alert output, log aggregation, log forwarding, IP aliases, RAID, and LDAP connections.

Configuring SQL database storage
The FortiAnalyzer unit saves received logs to its default proprietary indexed file storage system, which is always ready to accept log data. It can also insert the log data into a Structured Query Language (SQL) database for generating reports. Both local and remote SQL database options are supported. The advantages of using the SQL database are:
• Flexibility: Through the use of standard SQL queries, more flexible reporting capabilities can be offered.
• Scalability: Through the use of a remote SQL database, any upper bound on the amount of available log storage is removed. Furthermore, the hardware of an external SQL database server can be more easily upgraded to support growing performance needs.

The FortiAnalyzer unit inserts logs into a remote SQL database but is not responsible for deleting logs from that database nor for enforcing any type of size quota. These tasks are the responsibility of the remote SQL database administrator.

The FortiAnalyzer unit stores the log data in the SQL database according to a pre-determined structure called the SQL schema. The schema contains all the possible log fields of every log type and allows the extraction of log data on a per-device and/or per-VDOM basis for any continuous time period.

To configure the SQL database
1 Go to System > Config > SQL Database.
2 Complete the fields and click Apply.

Name of the GUI item and description:

Location: Select Disabled to save log data to the proprietary indexed file storage system instead of the SQL database, Local Database to save log data into the local SQL database, or Remote Database to save log data into a remote MySQL database. By default, the local SQL database is PostgreSQL. The selected location affects the way reports are configured. For more information, see "Reports" on page 167.

Start Time: Select the time when the FortiAnalyzer unit can start to insert log data into the SQL database. This field is active when Local Database or Remote Database is selected.

Type: Select the remote SQL database from the supported list of databases. This field appears only when Remote Database is selected.

Server: Enter the IP address or FQDN of the server on which the remote SQL database is installed. This field appears only when Remote Database is selected.

Database Name: Enter the name of the database in which the log tables will be stored. This database must already exist on the MySQL server; if it does not, the FortiAnalyzer unit will not be able to connect. This field appears only when Remote Database is selected.

User Name, Password: Enter the login information for a database user that has permission to read and write data and to create tables. Grant that user no more than these rights, and only on the log database, since the FortiAnalyzer unit holds these credentials in its configuration.

Log Type: Select the log type(s) that you want to save to the SQL database. This field is active when Local Database or Remote Database is selected.

Configuring alerts
Log-based alerts define the log message types, severities, and sources that trigger administrator notification. For example, you could configure a trigger on the attack logs with an SMTP server output if you want to receive an alert by email when your network detects an attack attempt. You can notify administrators by email, SNMP, or Syslog, as well as through the Alert Message Console widget. For information on viewing alerts through the web-based manager, see "Alert Message Console widget" on page 51.

To view configured log-based alerts, go to System > Config > Log-based Alerts.

Figure 45: Alert events list

Name of the GUI item and description:

Name: The name given to the log-based alert configuration.

Devices: The devices the FortiAnalyzer unit is monitoring for the log-based alert.

Triggers: The log messages the FortiAnalyzer unit is monitoring for the log-based alert.

Destination: The location to which the FortiAnalyzer unit sends the alert message. This can be an email address, SNMP trap or syslog server.

To add a log-based alert
1 Go to System > Config > Log-based Alerts, select Create New, enter the appropriate information and select OK.

Name of the GUI item and description:

Alert name: Enter a name indicating the type of alert the FortiAnalyzer unit is monitoring for.

Device Selection: Select the devices the FortiAnalyzer unit monitors for the alert event. Select from the Available Devices list and select the right arrow to move the device name to the Selected Devices list. Hold the SHIFT or CTRL key while selecting to select multiple devices.

Trigger(s): Select the triggers that the FortiAnalyzer unit uses to decide when to send an alert message. Select the following:
• a log type to monitor, such as Event Log or Attack Log
• the comparison to apply to the severity of the log messages, such as >=
• the severity of the log message to match, such as Critical
For example, with Event Log >= Warning selected, the FortiAnalyzer unit sends alerts when an event log message has a level of Warning, Error, Critical, Alert or Emergency. These options are used in conjunction with Generic Text (located under Log Filters) and Device Selection to specify which log messages will trigger the FortiAnalyzer unit to send an alert message.

Log Filters (Generic Text): Select the Generic Text check box to enable log filters, and then enter the log message filter text. This text is used in conjunction with Trigger(s) and Device Selection to specify which log messages will trigger the FortiAnalyzer unit to send an alert message. Enter an entire word, delimited by spaces, exactly as it appears in the log messages that you want to match. Inexact or incomplete words or phrases may not match. For example, entering log_i or log_it may not match; entering log_id=0100000075 will match all log messages containing that whole word. Do not use special characters, such as quotes (') or asterisks (*). If the log message that you want to match contains special characters, consider entering a substring of the log message that does not contain special characters. For example, instead of entering User 'admin' deleted report 'Report_1', you might enter admin.

Threshold: Set the threshold, that is, how many matching log messages the FortiAnalyzer unit must receive within a time period before it sends an alert message. For example, set the FortiAnalyzer unit to send an alert only after it receives five emergency messages in an hour.

Destination(s): Select where the FortiAnalyzer unit sends the alert message.

Send Alert To: Select an email address, SNMP trap or Syslog server from the list. You must configure the SNMP trap or Syslog server before you can select it from the list. For the FortiAnalyzer unit to send an email message, you must configure a DNS server and a mail server account. For information, see "Configuring an email server for alerts & reports" on page 89. For information on configuring SNMP traps, see "Configuring the SNMP agent" on page 94. For information on configuring Syslog servers, see "Configuring Syslog servers" on page 98.

From: When configuring the FortiAnalyzer unit to send an email alert message, enter the sender's email address.

To: When configuring the FortiAnalyzer unit to send an email alert message, enter the recipients' email address.

Add: Select to add the destination for the alert message. Add as many recipients as required.

Delete: Select a recipient from the Destination list and select Delete to remove it.

Include Alert Severity: Select the alert severity value to include in the outgoing alert message.

Configuring an email server for alerts & reports
When the FortiAnalyzer unit receives a log message meeting the alert event conditions, it can send an alert message to an email address via SMTP, informing an administrator of the issue and where it is occurring. You must first configure an SMTP server so that the FortiAnalyzer unit can send email alert messages.
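Before the mail server details, here is how the Device Selection, Trigger(s), Log Filters (Generic Text) and Threshold fields of a log-based alert combine, as an added example that is not part of the original guide. The log lines are constructed in a FortiGate-like key=value form; the device names, log IDs, severity levels and the one-hour window are assumptions, as is the choice to reset the counter after an alert fires so that one burst produces one alert (the guide does not specify this). Standard-library Python only.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Severity order used by the "Event Log >= Warning" style comparison: index 0 is most severe.
LEVELS = ["emergency", "alert", "critical", "error", "warning", "notice", "information", "debug"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample logs (not captured from a real device): timestamp, then key=value fields.
SAMPLE_LOGS = """\
2011-03-21 10:00:01 devid=FG100A-HQ type=event subtype=admin level=warning log_id=0100000075 msg="Login failed for admin from 10.0.9.4"
2011-03-21 10:00:05 devid=FG100A-HQ type=event subtype=admin level=notice log_id=0100000001 msg="Login succeeded for admin from 10.0.5.17"
2011-03-21 10:00:09 devid=FG100A-BRANCH type=event subtype=admin level=error log_id=0100000075 msg="Login failed for admin from 10.0.9.4"
2011-03-21 10:00:30 devid=FG100A-HQ type=attack subtype=ips level=critical log_id=0420000001 msg="Signature matched from 198.51.100.7"
2011-03-21 10:01:10 devid=FG100A-HQ type=event subtype=admin level=error log_id=0100000075 msg="Login failed for admin from 10.0.9.4"
2011-03-21 10:02:00 devid=FG100A-HQ type=event subtype=admin level=warning log_id=0100000075 msg="Login failed for root from 10.0.9.4"
2011-03-21 11:30:00 devid=FG100A-HQ type=event subtype=system level=critical log_id=0100000075 msg="Login failed for admin from 203.0.113.9"
"""


def parse(line):
    """Split a log line into its fields plus the whole-word token set that Generic Text matches against."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line[20:])}
    rec["ts"] = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    rec["words"] = set(line.split())   # Generic Text matches space-delimited whole words only
    return rec


class LogAlert:
    def __init__(self, devices, log_type, min_level, generic_text=None, threshold=1, window_seconds=3600):
        self.devices, self.log_type, self.min_level = set(devices), log_type, min_level
        self.generic_text, self.threshold = generic_text, threshold
        self.window = timedelta(seconds=window_seconds)   # assumption: "in an hour" is a sliding hour
        self.hits = deque()                                # timestamps of matches still inside the window

    def matches(self, rec):
        """Device Selection AND Trigger(s) AND Generic Text must all hold."""
        if rec["devid"] not in self.devices or rec["type"] != self.log_type:
            return False
        if RANK[rec["level"]] > RANK[self.min_level]:     # less severe than the trigger level
            return False
        return self.generic_text is None or self.generic_text in rec["words"]

    def feed(self, rec):
        """True when this message brings the count inside the window up to the threshold.
        The counter is then cleared so a burst yields one alert (assumption, see lead-in)."""
        if not self.matches(rec):
            return False
        self.hits.append(rec["ts"])
        while self.hits and rec["ts"] - self.hits[0] > self.window:
            self.hits.popleft()
        if len(self.hits) >= self.threshold:
            self.hits.clear()
            return True
        return False


def alert_times(rule, log_text):
    """Times (HH:MM:SS) at which the rule would send an alert for the given log text."""
    return [rec["ts"].strftime("%H:%M:%S") for rec in map(parse, log_text.splitlines()) if rule.feed(rec)]


if __name__ == "__main__":
    rule = LogAlert(["FG100A-HQ"], "event", "warning", generic_text="log_id=0100000075", threshold=3)
    print("Event Log >= Warning, log_id=0100000075, 3 per hour, FG100A-HQ:", alert_times(rule, SAMPLE_LOGS))
    print("same rule with Generic Text 'log_i':",
          alert_times(LogAlert(["FG100A-HQ"], "event", "warning", generic_text="log_i", threshold=3), SAMPLE_LOGS))
```

The second print returns nothing, which is the behaviour the Log Filters description warns about: a partial token such as log_i never matches a whole word. Note also that the branch device's messages are ignored entirely because it is not in Device Selection, not because they fail the severity test.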

If the mail server is defined by a domain name, the FortiAnalyzer unit queries the DNS server to resolve the IP address of that domain name. In this case, you must also define a DNS server. For details, see "Configuring DNS" on page 69. If sending an email by SMTP fails, the FortiAnalyzer unit re-attempts to send the message every ten seconds and does not stop until it succeeds, or until the administrator reboots the FortiAnalyzer unit.

To view the mail server list, go to System > Config > Mail Server.

Figure 46: Mail server list

Name of the GUI item and description:

Test: Verify that the email server is correctly configured. For more information, see "To verify mail server connectivity" on page 91.

SMTP Server: The name of the email server.

E-Mail Account: The email address used for accessing the account on the email server.

Password: The password used to authenticate to that server. The password displays as ******.

To add a mail server for alerts
1 Go to System > Config > Mail Server and select Create New.
2 Enter the appropriate information and select OK.

Name of the GUI item and description:

SMTP Server: The name or address of the SMTP email server.

Enable Authentication: Select to enable SMTP authentication. When set, you must enter an email user name and password for the FortiAnalyzer unit to send email with that account.

E-Mail Account: Enter the user name for logging on to the SMTP server to send alert mail. This is required only if SMTP authentication is enabled. The account name must be in the form of an email address.

Password: Enter the password for logging on to the SMTP server to send alert email. This is required only if SMTP authentication is enabled.

To verify mail server connectivity
1 Go to System > Config > Mail Server.
2 Select the mail server that you want to verify, then select Test.
3 Enter an email address in the Send test email to field. To verify complete connectivity from the FortiAnalyzer unit to the administrator's inbox, this should be the administrator's email address.
4 Select Test. A message appears, indicating the success or failure of sending email to the SMTP server. If the message was sent successfully, verify that it reached the email address.

Note: Mail servers that you have defined for the FortiAnalyzer unit to send alerts can also be selected when configuring report profiles and vulnerability scan jobs to email report output. For more information, see "Scheduling vulnerability scans" on page 234 and "Configuring reports from logs in the proprietary indexed file system" on page 167.

Configuring report output templates
You can configure the FortiAnalyzer unit to output a report in one or more file formats, save the reports of selected file formats to the FortiAnalyzer hard disk, email the report to recipients, and upload completed report files to a server accepting FTP, SFTP, or SCP. You can create multiple report output templates and assign them to different report schedules.

The report output templates are used when configuring a report schedule. For more information, see "Configuring report schedules" on page 181 and "Configuring report profiles" on page 204.

When configuring the FortiAnalyzer unit to email a report, you must first configure the FortiAnalyzer unit to connect to an email server. For more information, see "Configuring an email server for alerts & reports" on page 89. If HTML reports are sent to a user whose email client does not support HTML, the HTML code for the report will display in the message body.

To view the list of output templates, go to System > Config > Remote Output.

Figure 47: Output templates

Name of the GUI item and description:

Create New: Select to create a new report output template. See "To configure a report output template" on page 92.

Edit: Modify a selected report output template.

Delete: Remove selected report output templates. You cannot delete a report output template while it is being used by a report schedule. For more information, see "Configuring report schedules" on page 181. If you want to delete a report output template that is being used by a report schedule, edit that report schedule to deselect the output template first.

Name: The name of the output template.

E-Mail Destination: The route the email will take when sent, in the format <recipient_email address> (from <sender_email address> through <email server>).

FTP/SFTP/SCP Server IP: The server that the report will be uploaded to and its type, in the format <ipv4>(typeofserver). For example, 10.10.20.15(FTP).

To configure a report output template
1 Go to System > Config > Remote Output.
2 Select Create New, enter the appropriate information and then select OK.

Name of the GUI item and description:

Name: Enter a name for the report output template. This name identifies only the output configuration you are creating, not the report itself.

Description: Enter a description for the report output template. This is optional.

Output Format: The format of the report when it is sent or uploaded. Select one or more of the following file formats:
• HTML (default)
• PDF
• MS Word (RTF)
• Text (ASCII)
• Multi-purpose Internet Mail Extension HTML format (MHT)
• XML

Send Report by Mail: Verify that this check box is selected. If you do not want to send a report by email, clear the check box; the options under Send Report by Mail are then hidden. Note: Only those file formats that are enabled in both the output template and the schedule's output types are sent by email. For example, if PDF and Text formats are selected in the output template, and PDF and MHT are selected in the report schedule, the report attached to the email is in PDF format.

Compress Report Files: Select to compress the report files into a .zip file and attach that .zip file to the email.

From: Enter the sender email address to use for the report email.

Server: Select which email server to use when the FortiAnalyzer unit sends reports by email, or select Create New to configure a new email server connection.

Recipient: Enter the email addresses of the recipients of the report. Add multiple recipients by selecting Add after each email address. These email addresses display in the To field.

To: Displays email addresses in the format <recipient_email address> (from <sender_email address> through <email server>). To remove an email address from the list, select it and then select Delete.

Attachment Name: Select Use Default if you want the attachment name to be the name given to the report when configuring the layout in Layout. Deselect Use Default to enter a specific name for the attached report in the field. This name appears as the attachment's name and is not the report's actual name.

Subject: Enter a subject for the report email. If you do not enter a subject, the subject line will be the name of the report.

Body: Enter text to include in the body of the email message.

Upload report to Server: Select to upload completed report files to a server accepting FTP, SFTP, or SCP. The following options are available only when the Upload Report to FTP Server check box is selected. Note: When sending reports to an FTP server, the following formats are sent: HTML, PDF and MHT.

Server Type: Select the protocol to use when connecting to the upload server. Select from:
• File Transfer Protocol (FTP)
• Secure File Transfer Protocol (SFTP)
• Secure Copy Protocol (SCP)
FTP sends the login credentials and the report contents in cleartext; prefer SFTP or SCP unless the FTP server is reachable only over a trusted network.

IP Address: Enter the IP address of the upload server.

Username: Enter the user name the FortiAnalyzer unit will use when connecting to the upload server.

Password: Enter the password the FortiAnalyzer unit will use when connecting to the upload server.

Directory: Enter the directory path to which the FortiAnalyzer unit will upload the report.

Delete file(s) after uploading: Select to delete the report files from the FortiAnalyzer hard disk after the FortiAnalyzer unit has finished uploading them to the server.

Configuring the SNMP agent
Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiAnalyzer SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the incoming trap and event messages from the agent and send SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager, or host, to one or more FortiAnalyzer units.

By using an SNMP manager, you can access SNMP traps and data from any FortiAnalyzer interface configured for SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiAnalyzer unit it will be monitoring. Otherwise the SNMP manager will not receive any traps from that FortiAnalyzer unit, nor be able to query that unit.

You can configure the FortiAnalyzer unit to answer SNMP queries and to send alert messages (traps) to the SNMP managers that were added to SNMP communities. When you are configuring SNMP, you need to first download and install both the FORTINET-CORE-MIB.mib and FORTINET-FORTIANALYZER-MIB.mib files so that you can view these alerts in a readable format. The Fortinet MIB contains support for all Fortinet devices, and includes some generic SNMP traps; the information responses and traps that FortiAnalyzer units send are a subset of the total number supported by the Fortinet proprietary MIB. Your SNMP manager may already include standard and private MIBs in a compiled database which is ready to use; however, you still need to download both the FORTINET-CORE-MIB.mib and FORTINET-FORTIANALYZER-MIB.mib files.

FortiAnalyzer SNMP is read-only: SNMP v1 and v2c compliant SNMP managers have read-only access to FortiAnalyzer system information and can receive FortiAnalyzer traps. RFC support includes most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). FortiAnalyzer units also use object identifiers from the Fortinet proprietary MIB. Because SNMP v1 and v2c carry the community name in cleartext and have no other authentication, treat the community name as a password and restrict each community to the IP addresses of the managers that need it. For more information about the MIBs and traps that are available for the FortiAnalyzer unit, see "Appendix A: SNMP MIB support" on page 307.

SNMP traps alert you to events that happen, such as a log disk being full or a virus being detected. SNMP fields contain information about your FortiAnalyzer unit, such as percent CPU usage or the number of sessions. This information is useful for monitoring the condition of the unit, both on an ongoing basis and to provide more information when a trap occurs.

To configure the SNMP agent, go to System > Config > SNMP.

Figure 48: SNMP Access List

Name of the GUI item and description:

SNMP Agent: Select to enable the SNMP agent.

Description: Enter a descriptive name for this FortiAnalyzer unit.

Location: Enter the physical location of the FortiAnalyzer unit, such as a city or floor number.

Expand arrow: Select to expand or collapse the settings that follow.

Page 96: For Ti Analyzer Admin 40 Mr2

Configuring log storage & query features System

Contact: Enter the contact information for the person responsible for this FortiAnalyzer unit.

Trap Type: The type of SNMP trap (for example, CPU, Memory or Disk usage).

Trigger: Enter the usage percentage for the trap type that counts as a trigger. The number can be between 1 and 100.

Threshold: Enter the number of times the trigger value must be reached before a trap is sent. The number can be between 1 and 100.

Sample Period(s): Enter the sample period, in seconds. The number can be between 1 and 28800. The default is 600 seconds (10 minutes). During each sample period the SNMP agent evaluates the trap type (for example, CPU or Memory) once every sample frequency. For example, with a 600-second (10-minute) period and a 60-second frequency, the agent evaluates Memory ten times, once per minute.

Sample Frequency(s): Enter how often, in seconds, the SNMP agent samples the trap type within the sample period. The number can be between 1 and 100.

Apply: Select to save the SNMP agent settings. Selecting Apply does not affect the SNMP communities, which are saved automatically when they are configured.

Communities: The list of SNMP communities added to the FortiAnalyzer configuration.

Create New: Select to add a new SNMP community. See "Configuring an SNMP community" on page 96.

Edit: Change the selected SNMP community configuration.

Delete: Remove the selected SNMP community configuration. You cannot delete a community that is used in an alert event. For more information, see "Configuring alerts" on page 87.

Test: Verify the selected SNMP community configuration by sending a test SNMP trap to the SNMP managers in the community. A successful result only shows that the FortiAnalyzer unit sent the trap; check the SNMP manager to confirm that the trap was received. If the test fails, reconfigure the SNMP community. This option is inactive until the SNMP agent configuration has been saved; see "Apply" above.

#: The sequential order of the communities.

Community Name: The name of the SNMP community.

Queries: The status of SNMP queries for each SNMP community: enabled (green check mark) or disabled (gray cross).

Traps: The status of SNMP traps for each SNMP community: enabled (green check mark) or disabled (gray cross).

Enable: Select to enable the SNMP community. By default, an SNMP community is enabled when it is configured.

Configuring an SNMP community

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP community and a printer SNMP community.

You can add an SNMP community to define a destination IP address that can be selected as the recipient (SNMP manager) of FortiAnalyzer unit SNMP alerts. SNMP managers in a defined community are also permitted to request FortiAnalyzer unit system information using SNMP queries.

Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiAnalyzer unit for a different set of events. You can also add the IP addresses of up to 10 SNMP managers to each community.

To add an SNMP community
1 Go to System > Config > SNMP.
2 Under Communities, select Create New.
3 Enter the appropriate information and then select OK.
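The following Python script is an added example for this guide, not Fortinet code, and it models how the SNMP agent settings above (Trigger, Threshold, Sample Period(s) and Sample Frequency(s)) combine into a threshold trap. It assumes that the threshold counts trigger hits within one sample period, and it flags the configuration mistake that is easy to make with these four fields: a threshold larger than the number of samples taken in a period, which can never be reached, so no trap is ever sent for that trap type. The CPU usage series is constructed.

```python
"""SNMP threshold-trap model for the Trigger/Threshold/Sample settings.

Added example for this guide; not Fortinet code. Assumption: the agent samples
the trap type every Sample Frequency seconds, and sends a trap once the usage
has reached the Trigger percentage at least Threshold times within one Sample
Period. The usage series at the bottom is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrapConfig:
    trigger_pct: int        # Trigger: usage percentage that counts as a hit (1-100)
    threshold: int          # Threshold: hits needed before a trap is sent (1-100)
    period_s: int = 600     # Sample Period(s): 1-28800, default 600
    frequency_s: int = 60   # Sample Frequency(s): seconds between samples (1-100)

    def validate(self) -> None:
        """Enforce the same ranges as the web-based manager."""
        if not 1 <= self.trigger_pct <= 100:
            raise ValueError("Trigger must be between 1 and 100 percent")
        if not 1 <= self.threshold <= 100:
            raise ValueError("Threshold must be between 1 and 100")
        if not 1 <= self.period_s <= 28800:
            raise ValueError("Sample Period must be between 1 and 28800 seconds")
        if not 1 <= self.frequency_s <= 100:
            raise ValueError("Sample Frequency must be between 1 and 100")

    @property
    def samples_per_period(self) -> int:
        return self.period_s // self.frequency_s


def config_can_fire(cfg: TrapConfig) -> bool:
    """False when the threshold exceeds the samples taken in one period:
    such a trap type is effectively unmonitored, which is easy to miss."""
    cfg.validate()
    return cfg.threshold <= cfg.samples_per_period


def trap_periods(cfg: TrapConfig, samples: list) -> list:
    """Return the index of every sample period in which a trap would be sent.

    `samples` is a list of (seconds_since_start, usage_percent) pairs."""
    cfg.validate()
    hits = {}
    for t, usage in samples:
        period = t // cfg.period_s
        if usage >= cfg.trigger_pct:
            hits[period] = hits.get(period, 0) + 1
    return sorted(p for p, n in hits.items() if n >= cfg.threshold)


def timed(cfg: TrapConfig, usage_series: list) -> list:
    """Attach timestamps to a plain list of per-sample usage percentages."""
    return [(i * cfg.frequency_s, u) for i, u in enumerate(usage_series)]


# Constructed CPU usage: 20 one-minute samples = two 10-minute sample periods.
CPU_USAGE = [40, 55, 85, 90, 60, 88, 50, 45, 70, 92,   # period 0: four samples >= 85
             30, 86, 40, 20, 35, 25, 30, 45, 40, 30]   # period 1: one sample >= 85
CPU_CFG = TrapConfig(trigger_pct=85, threshold=3)

if __name__ == "__main__":
    print("periods that trap:", trap_periods(CPU_CFG, timed(CPU_CFG, CPU_USAGE)))
    print("threshold 20 reachable:", config_can_fire(TrapConfig(85, 20)))
```

With the default 600-second period and 60-second frequency there are only ten samples per period, so a threshold of 20 is silently unreachable; run `config_can_fire` against each trap type you configure before relying on the trap.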

Name of the GUI item / Description

Community Name: Enter a name to identify the SNMP community.

Hosts: Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiAnalyzer unit.

Host Name: The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiAnalyzer unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community. Because SNMP v1 and v2c authenticate with the community name alone, sent in clear text, list specific manager addresses rather than 0.0.0.0 wherever possible.

Interface: Optionally select the name of the interface that this SNMP manager uses to connect to the FortiAnalyzer unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiAnalyzer unit. This can occur if the SNMP manager is on the Internet or behind a router.

Delete: Select a Delete icon to remove an SNMP manager.

Add: Add a blank line to the Hosts list. You can add up to 10 SNMP managers to a single community.

Queries: Enter the port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to retrieve system information from the FortiAnalyzer unit. Select the Enable check box to activate queries for each SNMP version. Note: The SNMP manager software and the FortiAnalyzer unit must use the same port for queries.

Traps: Enter the Local and Remote port numbers (port 162 for each by default) that the FortiAnalyzer unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select the Enable check box to activate traps for each SNMP version. Note: The SNMP manager software and the FortiAnalyzer unit must use the same port for traps.

SNMP Events: Enable each SNMP event for which the FortiAnalyzer unit should send traps to the SNMP managers in this community.

Configuring Syslog servers

By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

You can configure Syslog servers to which the FortiAnalyzer unit can send alerts using the Syslog protocol. You must add a Syslog server before you can select it as a way for the FortiAnalyzer unit to communicate an alert. To view the Syslog servers, go to System > Config > Remote Syslog.

Figure 49: Syslog server list

Name of the GUI item / Description

Test: Verify the Syslog server configuration by sending a test message to the server. See "To verify a Syslog server configuration" on page 99.

Name: The name of the Syslog server.

IP or FQDN: Port: The IP address or Fully Qualified Domain Name (FQDN) of the Syslog server, and its port number.

To add a Syslog server
1 Go to System > Config > Remote Syslog.
2 Click Create New, enter the appropriate information, then click OK.

Name of the GUI item / Description

Name: Enter a name for the Syslog server.

IP address (or FQDN): Enter the IP address or fully qualified domain name of the Syslog server.

Port: Enter the Syslog server port number. The default Syslog port is 514. Syslog over UDP port 514 is neither authenticated nor encrypted, so send it across a trusted management network.

To verify a Syslog server configuration
1 Go to System > Config > Remote Syslog.
2 Select the Syslog server configuration you want to verify.
3 Select Test.
4 In the Syslog Message field, enter a Syslog message such as "This is a test".
5 Select Test. A success message only shows that the FortiAnalyzer unit sent the test Syslog message; check the Syslog server to confirm that the message was received. If the test fails, reconfigure the Syslog server.

Configuring log aggregation

By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

Log aggregation is a method of collecting log data from one or more FortiAnalyzer units on a central FortiAnalyzer unit. It involves one or more FortiAnalyzer units configured to act as aggregation clients, and a FortiAnalyzer unit configured to act as the aggregation server. The aggregation client sends all of its device logs, including quarantined or archived files, to the aggregation server. The transfer includes the active log up to the point of aggregation (for example, tlog.log) and all rolled logs stored on the aggregation client (tlog.1.log, tlog.2.log, tlog.3.log …). Subsequent log aggregations include only changes; the aggregation client does not re-send previously aggregated logs.

For example, a company may have a headquarters and a number of branch offices. Each branch office has a FortiGate unit and a FortiAnalyzer-100B to collect local log information. Those branch office FortiAnalyzer units are configured as log aggregation clients. The headquarters has a FortiAnalyzer-2000/2000A which is configured as the aggregation server. The aggregation server collects logs from each of the branch office aggregation clients, enabling headquarters to run reports that reflect all offices.

Note: For more information about log aggregation port numbers, see the Fortinet Knowledge Base article Traffic Types and TCP/UDP Ports used by Fortinet Products.


Figure 50: Example log aggregation topology

All FortiAnalyzer models can be configured as a log aggregation client, but log aggregation server support varies by FortiAnalyzer model, due to storage and resource requirements.

A device that logs to an aggregation client cannot also send its logs directly to the aggregation server; the server refuses them. Such a device still appears in the device list of the aggregation server, and is easy to identify because it has no Rx and Tx permissions.

Table 1: FortiAnalyzer models that support an aggregation client, an aggregation server, or both

FortiAnalyzer Model               Aggregation Client   Aggregation Server
FortiAnalyzer-100A/100B/100C      Yes                  No
FortiAnalyzer-400B                Yes                  No
FortiAnalyzer-800/800B            Yes                  Yes
FortiAnalyzer-1000B/1000C         Yes                  Yes
FortiAnalyzer-2000/2000A/2000B    Yes                  Yes
FortiAnalyzer-4000/4000A/4000B    Yes                  Yes

Note: On the aggregation server, configure the device quotas to be equal to or larger than those on the aggregation client to avoid log data loss. When using log aggregation, all the FortiAnalyzer units must be running the same firmware release and their system time must be synchronized.

Configuring an aggregation client

An aggregation client is a FortiAnalyzer unit that sends logs to an aggregation server. By default, log aggregation is disabled on the FortiAnalyzer unit.


To configure the aggregation client, go to System > Config > Log Aggregation, select Enable log aggregation TO remote FortiAnalyzer, enter the appropriate information, and then select Apply.

Figure 51: Log aggregation client configuration

Name of the GUI item / Description

Enable log aggregation TO remote FortiAnalyzer: Select to enable log aggregation to a remote FortiAnalyzer unit.

Remote FortiAnalyzer IP: Enter the IP address of the FortiAnalyzer unit acting as the aggregation server.

Password: Enter the password for the aggregation server. This password is set when configuring the aggregation server. See "Password" on page 103.

Confirm Password: Enter the password again for the aggregation server.

Aggregation daily at [hh:mm]: Select the time of day when the aggregation client uploads the logs to the aggregation server.

Aggregation Now: Select to start a log aggregation operation immediately. Depending on the amount of new logs since the previous synchronization, the aggregation operation can take some time. It is recommended to perform the aggregation during off-peak hours.

Caution: The aggregation server needs to have device quotas at least as large as the aggregation client. If the device quotas are not correctly configured, log data will be lost.

Configuring an aggregation server

An aggregation server is a FortiAnalyzer unit that receives the logs sent from an aggregation client. FortiAnalyzer-800/800B units and higher can be configured as aggregation servers. By default, log aggregation is disabled on the FortiAnalyzer unit.

To configure the aggregation server, go to System > Config > Log Aggregation, select Enable log aggregation TO this FortiAnalyzer, enter the password and confirm it, and then select Apply.


Name of the GUI item / Description

Enable log aggregation TO this FortiAnalyzer: Select to enable log aggregation to this FortiAnalyzer unit.

Password: Enter the password that aggregation clients must present to upload logs to this FortiAnalyzer unit.

Confirm Password: Enter the password again to confirm it.

Figure 52: Log Aggregation server configuration

Configuring log forwarding

By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

Log forwarding sends duplicates of log messages received by the FortiAnalyzer unit to a separate Syslog server. This can be useful for additional log storage or processing. The log forwarding destination (remote device IP) may receive either a full duplicate or a subset of the log messages received by the FortiAnalyzer unit. Log messages are forwarded only if they meet or exceed the Minimum Severity threshold.

Log forwarding is similar to log uploading or log aggregation, but forwarded logs are sent as individual Syslog messages, not as whole log files over FTP, SFTP, or SCP, and not as batches of log files.

By default, log forwarding is disabled on the FortiAnalyzer unit.

To forward logs
1 Go to System > Config > Log Forwarding.
2 Select Enable log forwarding to remote log server.
3 Enter the appropriate information, and click Apply.
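The following Python script is an added example, not Fortinet code, and it covers two points from the Syslog sections above: the Minimum Severity rule of log forwarding (a log event is forwarded when it is at least as severe as the configured minimum, in syslog severity order, where emergency is the most severe) and the shape of what a Syslog server on port 514 receives (an RFC 3164 `<PRI>` header in front of the record, with PRI = facility × 8 + severity). The key=value log records, the local0 facility and the level-name aliases are assumptions made for the example.

```python
"""Minimum Severity filtering and Syslog framing for forwarded logs.

Added example for this guide; not Fortinet code. Severity order is the syslog
one (RFC 3164/5424): 0 = emergency is the most severe, 7 = debug the least, so
"forward if at least as severe as the minimum" means number <= minimum number.
The key=value records, the local0 facility and the level aliases are assumptions.
"""
import re
import socket
from datetime import datetime

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]
LEVEL_ALIASES = {"emerg": "emergency", "crit": "critical", "err": "error",
                 "warn": "warning", "info": "information"}   # assumed spellings
FACILITY = 16  # local0; choose whatever your collector files under (assumption)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line: str) -> dict:
    """Split a key=value log record into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def severity_number(level: str) -> int:
    name = LEVEL_ALIASES.get(level.lower(), level.lower())
    if name not in SEVERITIES:
        raise ValueError(f"unknown log level {level!r}")
    return SEVERITIES.index(name)


def should_forward(level: str, minimum_severity: str) -> bool:
    """True when `level` is at least as severe as the configured minimum."""
    return severity_number(level) <= severity_number(minimum_severity)


def filter_logs(lines, minimum_severity: str) -> list:
    """Keep only the records the forwarder would send."""
    return [l for l in lines if should_forward(parse_log(l)["level"], minimum_severity)]


def to_syslog(line: str, hostname: str = "fortianalyzer") -> str:
    """Prefix a record with an RFC 3164 header: <PRI>Mmm dd hh:mm:ss host ...
    where PRI = facility * 8 + severity."""
    rec = parse_log(line)
    pri = FACILITY * 8 + severity_number(rec["level"])
    ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
    stamp = f'{ts.strftime("%b")} {ts.day:2d} {ts.strftime("%H:%M:%S")}'
    return f"<{pri}>{stamp} {hostname} {line}"


def parse_pri(msg: str) -> tuple:
    """Decode a received '<PRI>' prefix into (facility, severity_name)."""
    m = re.match(r"<(\d{1,3})>", msg)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid PRI")
    pri = int(m.group(1))
    return pri // 8, SEVERITIES[pri % 8]


def forward(lines, host: str, port: int = 514, minimum_severity: str = "information") -> int:
    """Send the surviving records over UDP to the Syslog server (port 514 is the
    guide's default). Plain UDP syslog is neither authenticated nor encrypted,
    so keep it on a management network. Returns the number of records sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in filter_logs(lines, minimum_severity):
            sock.sendto(to_syslog(line).encode(), (host, port))
            sent += 1
    return sent


SAMPLE_LOGS = [  # constructed records in the key=value style of Fortinet logs
    'date=2011-03-21 time=10:01:05 devname=branch-fgt type=event level=critical msg="Power supply 2 failed"',
    'date=2011-03-21 time=10:01:09 devname=branch-fgt type=traffic level=notice msg="accept"',
    'date=2011-03-21 time=10:02:00 devname=branch-fgt type=ips level=alert msg="attack signature matched"',
    'date=2011-03-21 time=10:02:30 devname=branch-fgt type=event level=error msg="configuration restore failed"',
]

if __name__ == "__main__":
    for rec in filter_logs(SAMPLE_LOGS, "critical"):
        print(to_syslog(rec))
```

With Minimum Severity set to critical, only the critical and alert records survive; the notice and error records are dropped, exactly as the Minimum Severity description states. The same `to_syslog` framing is what the "This is a test" message of the Syslog server test arrives as on the collector.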

Name of the GUI item / Description

Enable log forwarding to remote log server: Select to enable log forwarding to a Syslog server.

Remote device IP: Enter the IP address of the external Syslog server.

Forward all incoming logs: Select to forward all incoming logs.

Forward only authorized logs: Select to forward only authorized logs (authorized according to a device's permissions).

Minimum Severity: Select the minimum severity threshold. All log events of equal or greater severity will be forwarded. For example, if the selected minimum severity is Critical, all Emergency, Alert and Critical log events will be forwarded; other log events will not be forwarded.

Configuring IP aliases

By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

Use IP Alias to assign meaningful names to IP addresses. When configuring reports, or viewing logs and DLP archives, select Resolve Host Name to view the alias rather than the IP address. IP aliases can make logs and reports easier to read and interpret. For example, you could create an IP alias to display the label mailserver1 instead of its IP address, 10.10.1.54.

When adding an IP alias, you can also specify an IP address range. For example:
• 10.10.10.1 - 10.10.10.50
• 10.10.10.1 - 10.10.20.100

To view the IP Alias list, go to System > Config > IP Alias.


Figure 53: List of IP aliases with IP alias ranges

Name of the GUI item / Description

Import: If you have a text file mapping IP addresses to aliases, you can import the file instead of entering the mappings one by one on the FortiAnalyzer unit. See "Importing IP aliases" on page 105.

Alias: The name of the IP alias.

Host: The IP address or range for the IP alias.

To add an IP alias
1 Go to System > Config > IP Alias.
2 Select Create New.
3 Enter a nickname for the IP address in Alias.
4 Enter the IP address or range in Host(Subnet / IP Range).
5 Select OK.

Importing IP aliases

If you have a text file mapping IP addresses to aliases, you can import the file instead of entering the mappings one by one on the FortiAnalyzer unit. This is a quick way to add the mappings to the FortiAnalyzer unit. The contents of the text file should be in the following format:

<alias_ipv4> <alias_name>

For example:

10.10.10.1 User_1

There can be only one IP address and alias name entry per line.

To import the alias file
1 Go to System > Config > IP Alias.
2 Click Import.
3 Enter the path and file name, or select Browse to locate the file.
4 Click OK.
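The following Python script is an added example, not Fortinet code: a validating parser for the alias import format above (one `<alias_ipv4> <alias_name>` pair per line) and a resolver that behaves like Resolve Host Name. As an extension that goes beyond the documented import format, the same parser also accepts the `a.b.c.d - e.f.g.h` range and `a.b.c.d/nn` subnet forms that the Host(Subnet / IP Range) field takes, so one file can be checked before it is imported or used to resolve addresses offline; that extension, the rejection of duplicate alias names and the sample file are this example's assumptions.

```python
"""Parser and resolver for the IP alias import format.

Added example for this guide; not Fortinet code. The documented import format
is one "<alias_ipv4> <alias_name>" pair per line. As an extension (this
example's assumption, not the documented format) the same parser also accepts
the "a.b.c.d - e.f.g.h" and "a.b.c.d/nn" forms that the web-based manager takes
in Host(Subnet / IP Range). The sample file at the bottom is constructed.
"""
import ipaddress
from typing import NamedTuple


class Alias(NamedTuple):
    name: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def contains(self, ip) -> bool:
        return self.first <= ipaddress.IPv4Address(ip) <= self.last

    @property
    def width(self) -> int:
        return int(self.last) - int(self.first)


def parse_alias_line(line: str) -> Alias:
    """Parse one line; raise ValueError with the reason when it is not importable."""
    parts = line.split()
    if len(parts) == 2:                      # "<ip> <name>" or "<net>/<prefix> <name>"
        host, name = parts
        if "/" in host:
            net = ipaddress.IPv4Network(host, strict=True)   # rejects host bits set
            return Alias(name, net.network_address, net.broadcast_address)
        ip = ipaddress.IPv4Address(host)     # rejects anything that is not IPv4
        return Alias(name, ip, ip)
    if len(parts) == 4 and parts[1] == "-":  # "<ip> - <ip> <name>"
        first = ipaddress.IPv4Address(parts[0])
        last = ipaddress.IPv4Address(parts[2])
        if last < first:
            raise ValueError(f"range end precedes start: {line!r}")
        return Alias(parts[3], first, last)
    raise ValueError(f"expected '<ip> <name>', one entry per line: {line!r}")


def load_alias_file(text: str) -> list:
    """Parse a whole file. Blank lines and '#' comments are skipped; a repeated
    alias name is rejected so an import cannot silently remap a label."""
    aliases, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            alias = parse_alias_line(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if alias.name in seen:
            raise ValueError(f"line {lineno}: duplicate alias name {alias.name!r}")
        seen.add(alias.name)
        aliases.append(alias)
    return aliases


def resolve(aliases: list, ip: str) -> str:
    """Return the alias for `ip` as Resolve Host Name would show it, preferring
    the narrowest matching entry; the bare IP when nothing matches."""
    matches = [a for a in aliases if a.contains(ip)]
    if not matches:
        return ip
    return min(matches, key=lambda a: a.width).name


ALIAS_FILE = """\
# constructed import file: documented format plus the two range forms
10.10.1.54 mailserver1
10.10.10.1 User_1
10.10.10.1 - 10.10.10.50 sales_pool
10.10.20.0/24 guest_wifi
"""

if __name__ == "__main__":
    table = load_alias_file(ALIAS_FILE)
    for probe in ("10.10.10.1", "10.10.10.33", "10.10.20.77", "192.0.2.1"):
        print(probe, "->", resolve(table, probe))
```

Running the script over a file before importing it catches the two mistakes the one-entry-per-line rule implies (a line with extra tokens, and an alias defined twice), and the narrowest-match rule shows what happens when a single host alias overlaps a range.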

Configuring RAID

RAID (Redundant Array of Independent Disks) distributes data storage over multiple disks, which provides increased data reliability. On FortiAnalyzer units that contain multiple hard disks, you can configure the RAID array for capacity, performance and availability.

From System > Dashboard > Status, you can view the status of the RAID array in the Disk Monitor widget. The Disk Monitor widget displays the status of each disk in the RAID array, including the array's RAID level, and how much disk space is being used. For more information, see "Disk Monitor widget" on page 47. The Alert Message Console widget, also in System > Dashboard > Status, provides detailed information about RAID array failures. For more information, see "Alert Message Console widget" on page 51.

If you need to remove a disk from the FortiAnalyzer unit, you can hot swap it. Hot swapping means that you can remove a failed hard disk and replace it with a new one while the FortiAnalyzer unit is still in operation. For more information about hot swapping, see "Hot-swapping hard disks" on page 49.

System > Config > RAID allows you to change the RAID level of the RAID array. Changing the RAID level removes all log data from the disks, and the device disk quota may be reduced to fit the disk space available in the new RAID array.


Figure 54: RAID Settings (FortiAnalyzer-800B)

To change the RAID level
1 Go to System > Config > RAID.
2 From RAID Level, select a RAID level.
3 Click Apply to begin the process of changing the RAID level. The following message appears: Warning: If the RAID setting is changed, ALL data will be DELETED! The procedure could take up to 20 minutes. Continue?
4 Click OK to continue with the process.

Name of the GUI item / Description

RAID Level: Select a RAID level and click Apply. The FortiAnalyzer unit will reboot, destroy the existing RAID array, create a new RAID array with the specified level, and then create a new file system on the array. All existing data is lost.

Total Disk Space: The amount of disk space available within the RAID array.

Free Disk Space: The amount of free disk space.

Disk #: The number identifying the disk. These numbers reflect the disks that are available on the FortiAnalyzer unit. For example, on a FortiAnalyzer-4000/4000A the disks are numbered 1-12, whereas on a FortiAnalyzer-2000A they are numbered 1-6.

Size (GB): The size of the individual hard disk.

Status: The current status of the hard disk. OK indicates that the hard disk is working normally; Not Present indicates that the hard disk is not detected by the FortiAnalyzer unit or has been removed and no disk is available; Failed indicates that the hard disk is not working properly.

Tip: Alternatively, go to System > Dashboard > Status and, on the Disk Monitor widget, click RAID Settings in the title bar.

Supported RAID levels

RAID levels vary between FortiAnalyzer units. The following table lists the supported RAID levels for each unit, the recommended level, and any additional information.

When changing the RAID level, the available levels depend on the number of working disks that are actually present in the unit. For example, RAID 5 is not available on FortiAnalyzer units with fewer than three disks. With a full complement of working disks, the default level is the recommended level in the table. The following sections assume a full complement except where noted.

Table 2: RAID levels

FortiAnalyzer Platform            Supported Levels                                   Recommended Level   Note
FortiAnalyzer-100A/100B/100C      RAID is not supported.
FortiAnalyzer-400B                0, 1                                               1                   RAID 0 is supported only for a two-disk configuration.
FortiAnalyzer-800/800B            Linear, 0, 1, 5, 10                                10                  RAID 5 can be configured in the CLI; however, using RAID 5 may decrease performance.
FortiAnalyzer-1000B               0, 1                                               1                   RAID 0 is supported only for a two-disk configuration.
FortiAnalyzer-1000C               Linear, 0, 1, 10                                   10
FortiAnalyzer-2000/2000A/2000B    0, 5, 5 plus spare, 10, 50                         50                  RAID 5 is supported on the 2000B with more than three disks.
FortiAnalyzer-4000/4000A          0, 5, 5 plus spare, 10, 50                         50
FortiAnalyzer-4000B               0, 5, 5 plus spare, 10, 50, 6, 6 plus spare, 60    50


You can find out information about RAID from the get system status or diag raid info commands in the CLI.

Linear

A linear RAID level combines all hard disks into one large virtual disk. It is also known as concatenation or JBOD (Just a Bunch of Disks). The total space available is the combined capacity of all disks used. There is very little performance change when using this RAID format. If any of the drives fails, the entire set of drives is unusable until the faulty drive is replaced, and all data is lost.

RAID 0

A RAID 0 array is also referred to as striping. The FortiAnalyzer unit writes information evenly across all hard disks. The total space available is that of all the disks in the RAID array. There is no redundancy: if any of the drives fails, the data cannot be recovered. This RAID level provides better performance, since the FortiAnalyzer unit can distribute disk writes across multiple disks.

RAID 1

A RAID 1 array is also referred to as mirroring. The FortiAnalyzer unit writes information to one hard disk, and writes a copy (a mirror image) of all information to all other hard disks. The total disk space available is that of only one hard disk, as the others are used solely for mirroring. This provides redundant data storage with no single point of failure. Should any of the hard disks fail, the remaining mirrors are still available. With a FortiAnalyzer-800, for example, if one disk fails, there are still three other hard disks the FortiAnalyzer unit can access and continue functioning.

RAID 5

A RAID 5 array employs striping with a parity check. The FortiAnalyzer unit writes information evenly across all drives. Additional parity blocks are written on the same stripes, and the parity block is staggered for each stripe. The total disk space is that of the total number of disks in the array minus one disk, whose capacity is consumed by parity. For example, on a FortiAnalyzer-800 with four hard disks, the total capacity available is that of three hard disks.

RAID 5 performance is typically better for reading than for writing, and performance is degraded while one disk has failed or is missing. With RAID 5, one disk can fail without loss of data. If a drive fails, it can be replaced and the FortiAnalyzer unit will rebuild the data on the new disk from the data and parity blocks on the remaining disks.

RAID 10

RAID 10 (or 1+0) nests RAID levels 1 and 0: a stripe (RAID 0) of mirrors (RAID 1). The total disk space available is that of the total number of disks in the array (a minimum of 4) divided by 2. One drive from each RAID 1 pair can fail without loss of data; however, should the other drive in the same RAID 1 pair fail, all data will be lost. It is therefore important to replace a failed drive as quickly as possible. The arrays consist of:
• two RAID 1 arrays of two disks each (FortiAnalyzer-800/800B)
• three RAID 1 arrays of two disks each (FortiAnalyzer-2000/2000A/2000B)
• six RAID 1 arrays of two disks each (FortiAnalyzer-4000/4000A)
• twelve RAID 1 arrays of two disks each (FortiAnalyzer-4000B)

RAID 50

RAID 50 (or 5+0) nests RAID levels 5 and 0: a stripe (RAID 0) of stripes with parity (RAID 5). The total disk space available is that of the total number of disks minus the number of RAID 5 sub-arrays. RAID 50 provides increased performance and also protects against data loss for the same reasons as RAID 5: one drive in each RAID 5 sub-array can fail without loss of data. The sub-arrays are:
• two RAID 5 arrays of three disks each (FortiAnalyzer-2000/2000A/2000B)
• three RAID 5 arrays of four disks each (FortiAnalyzer-4000/4000A)
• two RAID 5 arrays of twelve disks each (FortiAnalyzer-4000B)

RAID 5 with hot spare

FortiAnalyzer-2000/2000A/2000B and FortiAnalyzer-4000/4000A/4000B units can use one of their hard disks as a hot spare (a stand-by disk for the RAID array), should any of the other RAID hard disks fail. If a hard disk fails, within a minute of the failure the FortiAnalyzer unit begins to automatically substitute the hot spare for the failed drive, integrating it into the RAID array and rebuilding the array's data. When you replace the failed hard disk, the FortiAnalyzer unit uses the new hard disk as the new hot spare. The total disk space available is that of the total number of disks minus two.

RAID 6

RAID 6 provides fault tolerance against two drive failures; the array continues to operate with up to two failed drives. This makes larger RAID groups more practical, especially for high-availability systems, and becomes increasingly important as large-capacity drives lengthen the time needed to recover from the failure of a single drive. Single-parity RAID levels are as vulnerable to data loss as a RAID 0 array until the failed drive is replaced and its data rebuilt; the larger the drive, the longer the rebuild will take. Double parity gives time to rebuild the array without the data being at risk if a single additional drive fails before the rebuild is complete.

RAID 60

RAID 60 (or 6+0) nests RAID levels 6 and 0: a stripe (RAID 0) of stripes with double parity (RAID 6). The total disk space available is that of the total number of disks minus twice the number of RAID 6 sub-arrays, since each sub-array carries two disks' worth of parity. RAID 60 provides increased performance and also protects against data loss for the same reasons as RAID 6: up to two drives in each RAID 6 sub-array can fail without loss of data. The sub-arrays are:
• two RAID 6 arrays of twelve disks each (FortiAnalyzer-4000B)

RAID 6 with hot spare

A FortiAnalyzer-4000B unit can use one of its hard disks as a hot spare (a stand-by disk for the RAID array), should any of the other RAID hard disks fail. If a hard disk fails, within a minute of the failure the FortiAnalyzer unit begins to automatically substitute the hot spare for the failed drive, integrating it into the RAID array and rebuilding the array's data. When you replace the failed hard disk, the FortiAnalyzer unit uses the new hard disk as the new hot spare. The total disk space available is that of the total number of disks minus three (two for parity and one for the spare).

Note: Fortinet recommends having an Uninterruptible Power Supply (UPS) to reduce the possibility of data inconsistencies when power failures occur.

Note: RAID 5 appears in the web-based manager only for FortiAnalyzer units with hardware RAID.

Note: Fortinet recommends using RAID 10 for redundancy instead of RAID 5 on FortiAnalyzer units with software RAID. RAID 5 can cause decreased performance.
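The following Python script is an added example, not Fortinet code. It encodes the capacity rules stated in the RAID level descriptions above (RAID 1 keeps one disk's worth, RAID 5 loses one disk, a hot spare costs one more, RAID 10 keeps half, RAID 50 and RAID 60 lose one and two disks per sub-array) together with the ext3 16 TB ceiling the guide gives for the FortiAnalyzer-4000B, and it reproduces the rule that the levels offered depend on how many working disks are present (RAID 5 needs three). Disk sizes are passed in as the unit reports them; the guide's capacity table is rounded, so expect small differences. The sub-array counts are assumptions.

```python
"""Usable RAID capacity for the levels described above.

Added example for this guide; not Fortinet code. It encodes the capacity rules
stated in the level descriptions (RAID 1 keeps one disk, RAID 5 loses one disk,
a hot spare costs one more, RAID 10 keeps half, RAID 50/60 lose one/two disks
per sub-array) plus the ext3 16 TB ceiling the guide gives for the 4000B.
Disk sizes are passed in as the unit reports them; the guide's table values
are rounded, so expect small differences. The sub-array counts are assumptions.
"""

EXT3_LIMIT_GB = 16 * 1024   # 16 TiB file-system ceiling, as noted for the FortiAnalyzer-4000B

LEVELS = ["linear", "raid0", "raid1", "raid5", "raid5+spare", "raid10",
          "raid50", "raid6", "raid6+spare", "raid60"]


def usable_disks(level: str, disks: int, sub_arrays: int = 2) -> int:
    """Disks whose capacity reaches the file system, or ValueError when the
    level cannot be formed from `disks` (the web-based manager hides such levels)."""
    level = level.lower().replace(" ", "")
    if disks < 1:
        raise ValueError("need at least one disk")
    minimum = {"linear": 1, "raid0": 1, "raid1": 2, "raid5": 3, "raid5+spare": 4,
               "raid10": 4, "raid6": 4, "raid6+spare": 5,
               "raid50": 3 * sub_arrays, "raid60": 4 * sub_arrays}
    if level not in minimum:
        raise ValueError(f"unknown RAID level {level!r}")
    if disks < minimum[level]:
        raise ValueError(f"{level} needs at least {minimum[level]} disks, have {disks}")
    if level in ("raid10", "raid50", "raid60") and disks % (2 if level == "raid10" else sub_arrays):
        raise ValueError(f"{level} needs a disk count that divides evenly into its sub-arrays")
    return {
        "linear": disks, "raid0": disks, "raid1": 1,
        "raid5": disks - 1, "raid5+spare": disks - 2,
        "raid6": disks - 2, "raid6+spare": disks - 3,
        "raid10": disks // 2,
        "raid50": disks - sub_arrays,          # one parity disk per RAID 5 sub-array
        "raid60": disks - 2 * sub_arrays,      # two parity disks per RAID 6 sub-array
    }[level]


def usable_capacity_gb(level: str, disks: int, disk_gb: int, sub_arrays: int = 2) -> int:
    """Usable array size in GB, capped at the ext3 limit."""
    return min(usable_disks(level, disks, sub_arrays) * disk_gb, EXT3_LIMIT_GB)


def available_levels(disks: int) -> list:
    """Levels that the present number of working disks can form at all,
    e.g. RAID 5 is not offered with fewer than three disks."""
    out = []
    for level in LEVELS:
        try:
            usable_disks(level, disks)
            out.append(level)
        except ValueError:
            pass
    return out


if __name__ == "__main__":
    # Six disks of about 232 GB each, as on a FortiAnalyzer-2000A with 250 GB drives.
    for level in available_levels(6):
        print(f"{level:12s} {usable_capacity_gb(level, 6, 232):6d} GB")
```

Two things the table alone does not show fall out of the code: with two disks only Linear, RAID 0 and RAID 1 can be formed at all, and on the FortiAnalyzer-4000B even RAID 60 over 24 disks is capped by the file system rather than by the parity cost.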


RAID array capacity

Based on the number and size of the hard disks, the following table lists the RAID array capacity for selected FortiAnalyzer platforms. You can use the table as a reference for choosing RAID levels.

Table 3: RAID array capacity for selected FortiAnalyzer platforms (all values are rounded; total usable disk space in GB)

Platform (number of disks × size per disk): usable space by RAID level
400B (2 × 500 GB): RAID 0 930; RAID 1 460
800B (4 × 500 GB): RAID 0 1860; RAID 1 465; RAID 5 1390; RAID 10 930
1000B (2 × 1000 GB): RAID 0 1860; RAID 1 930
1000C (4 × 932 GB): RAID 0 3668; RAID 1 917; RAID 10 1834
2000A (6 × 250 GB): RAID 0 1390; RAID 5 1160; RAID 5 + spare 930; RAID 10 695; RAID 50 930
2000A (6 × 400 GB): RAID 0 2230; RAID 5 1863; RAID 5 + spare 1490; RAID 10 1110; RAID 50 1490
2000A (6 × 500 GB): RAID 0 2790; RAID 5 2320; RAID 5 + spare 1860; RAID 10 1390; RAID 50 1860
2000B (6 × 932 GB): RAID 0 5500; RAID 5 4582; RAID 5 + spare 3666; RAID 10 2750; RAID 50 3666
4000A (12 × 250 GB): RAID 0 2790; RAID 5 2560; RAID 5 + spare 2320; RAID 10 1396; RAID 50 2320
4000A (12 × 400 GB): RAID 0 4470; RAID 5 4090; RAID 5 + spare 3720; RAID 10 2330; RAID 50 3720
4000A (12 × 500 GB): RAID 0 5580; RAID 5 5120; RAID 5 + spare 4650; RAID 10 2790; RAID 50 4650
4000B (24 × 932 GB): RAID 0 15380; RAID 5 15380; RAID 5 + spare 15380; RAID 10 10990; RAID 50 14653; RAID 6 15380; RAID 6 + spare 15380; RAID 60 10990

Note: FortiAnalyzer-4000B supports up to 24 disks of 932 GB each. In theory, FortiAnalyzer-4000B could provide 24 × 932 GB (close to 24 TB) of disk space at RAID level 0. However, the FortiAnalyzer unit uses the ext3 file system, which is limited to 16 TB. Therefore, even though the FortiAnalyzer-4000B RAID array has a capacity of 24 TB, the total disk space is limited to 16 TB, which is why the maximum disk space for FortiAnalyzer-4000B is 15380 GB.

Configuring LDAP queries for reports

By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

A directory is a set of objects with similar attributes organized in a logical and hierarchical way. Generally, an LDAP directory tree reflects geographic or organizational boundaries, with the Domain Name System (DNS) names at the top level of the hierarchy. The common name identifier for most LDAP servers is cn; however, some servers use other common name identifiers such as uid.

For example, you could use the following base distinguished name:

ou=marketing,dc=fortinet,dc=com

where ou is organizational unit and dc is domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organizational units:

ou=accounts,ou=marketing,dc=fortinet,dc=com

Caution: By default, the LDAP query occurs over a standard, unencrypted LDAP connection. The FortiAnalyzer unit does not support secure query protocols (LDAPS or StartTLS). The Bind DN and Bind Password of a Regular query therefore cross the network in clear text; use a dedicated, low-privilege directory account for the bind and keep the path to the LDAP server on a trusted management network.


Binding occurs when the LDAP server successfully authenticates the user and allows the user access to the LDAP server based on his or her permissions. You can configure the FortiAnalyzer unit to use one of two types of binding:
• anonymous - bind anonymously, then search
• regular - bind using a user name and password, then search

If the users are under more than one DN, use the anonymous or regular type, which can search the entire LDAP database for the required user name. If your LDAP server requires authentication to perform searches, use the regular type and provide values for the user name and password.

In System > Config > LDAP, you can define a query to retrieve a list of LDAP users from a remote LDAP server. LDAP queries are used in FortiAnalyzer reports as an additional filter for the user field, providing a convenient way to filter log data without having to list the user names manually. For example, you may need to create a scope in a report that is restricted to log messages whose user= field matches user names retrieved from the network's main LDAP server. For more information about LDAP queries in FortiAnalyzer reports, see "Configuring reports from logs in the proprietary indexed file system" on page 167.

To view the LDAP server list, go to System > Config > LDAP.

Figure 55: LDAP server list

To define an LDAP server query
1 Go to System > Config > LDAP.
2 Select Create New, enter the appropriate information for the LDAP server, and select OK.

Name of the GUI item / Description

Name: The name of the LDAP server query.

Server Name/IP: The server name or IP address of the LDAP server.

Port: The port on which the server exchanges information. The default port is 389.

Common Name Identifier: The common name identifier used in the LDAP query filter.

Distinguished Name: The base distinguished name (DN) under which the LDAP query searches.


Name of the GUI item / Description
Name: Enter the name for the LDAP server query.
Server Name/IP: Enter the LDAP server domain name or IP address.
Server Port: Enter the port number. By default, the port is 389.
Server Type: Select whether to use anonymous or authenticated (regular) queries. If selecting Anonymous, your LDAP server must be configured to allow unauthenticated anonymous queries. If selecting Regular, you must also enter the Bind DN and Bind Password.
Bind DN: Enter an LDAP user name in DN format to authenticate as a specific LDAP user, and bind the query to a DN. This option appears only when the Server Type is Regular.
Bind Password: Enter the LDAP user’s password. This option appears only when the Server Type is Regular.
Common Name Identifier: Enter the attribute identifier used in the LDAP query filter. By default, the identifier is cn. For example, if the Base DN contains several objects, and you want to include only objects whose cn=Admins, enter the Common Name Identifier cn and enter the Group(s) value Admins when configuring report profiles. For more information, see “Configuring reports from logs in the proprietary indexed file system” on page 167. Report scopes using this query require Common Name Identifier. If this option is blank, the LDAP query for reports will fail.


Base DN: Enter the Distinguished Name of the location in the LDAP directory that will be searched during the query. To improve query speed, enter a more specific DN to constrain your search to the relevant subset of the LDAP tree. For example, instead of entering dc=example,dc=com you might enter the more specific DN ou=Finance,dc=example,dc=com. This restricts the query to the “Finance” organizational unit within the tree. Report scopes using this query require Base DN. If this option is blank, the LDAP query for reports will fail.
LDAP Distinguished Name Query: View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. Leave the Base DN field empty for this option to work. For more information, see “Querying for the base DN” on page 114.

Querying for the base DN
The LDAP Distinguished Name Query list displays the LDAP Server IP address, and all the distinguished names associated with the Common Name Identifier for the LDAP server. The tree helps you to determine the appropriate entry for the Base DN field. In the Base DN field, enter the DN you choose from the list and click OK. The DN appears in the Base DN field of the LDAP server configuration.

Figure 56: LDAP Distinguished Name Query

Backing up the configuration & installing firmware
Backup & Restore displays the date and time of the last configuration backup and the last firmware upload. It also enables you to:
• download and back up a FortiAnalyzer unit’s configuration
• upload and restore a FortiAnalyzer unit’s configuration
• upload a firmware update
Backed up copies of the FortiAnalyzer unit configuration file can be encrypted with a password. When restoring encrypted configuration files, the password must be entered to decrypt the file.

For additional information about backing up and restoring configuration, see “Maintaining firmware” on page 275.

Caution: Do not forget the password to the backed up configuration file. A password-encrypted backup configuration file cannot be restored without the password.
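Returning to the LDAP query settings above (Base DN and Common Name Identifier), the following is an added example and not code from the FortiAnalyzer guide or from Fortinet. It emulates the subtree search those two settings describe against a small constructed in-memory directory, so you can see exactly which entries a narrower Base DN excludes, and it escapes the Group(s) value before placing it in the search filter, which matters whenever that value is not under your control. All DNs, attribute values and the directory itself are constructed.

```python
"""Added example (not from the FortiAnalyzer guide): scoped LDAP query
emulation for the Base DN / Common Name Identifier settings.  Stdlib only."""

# RFC 4515: these characters have special meaning inside a search filter,
# so a value such as the Group(s) field must be escaped to be matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(cn_identifier, group):
    """Equality filter such as (cn=Admins) built from the Common Name
    Identifier and the Group(s) value of a report scope.  A blank identifier
    is rejected, mirroring the guide's note that the report query fails."""
    if not cn_identifier:
        raise ValueError("Common Name Identifier is required")
    return "({}={})".format(cn_identifier, escape_filter_value(group))


def split_dn(dn):
    """Split 'ou=Finance,dc=example,dc=com' into (attribute, value) RDN pairs.
    Only unescaped commas are handled, which covers the DNs on this page."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr or not value:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.lower(), value))
    return pairs


def is_within(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies beneath it in the tree."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def scoped_search(directory, base_dn, cn_identifier, group):
    """Subtree search under base_dn for entries whose cn_identifier attribute
    equals group.  `directory` maps DN -> attribute dict and stands in for the
    LDAP server.  Returns the matching DNs, sorted for stable output."""
    if not base_dn:
        raise ValueError("Base DN is required")
    build_group_filter(cn_identifier, group)  # validates the identifier
    return sorted(
        dn for dn, attrs in directory.items()
        if is_within(dn, base_dn) and attrs.get(cn_identifier) == group
    )


# Constructed directory: "Admins" groups in two OUs plus one in an unrelated
# tree, to show what each Base DN choice includes.
SAMPLE_DIRECTORY = {
    "cn=Admins,ou=Finance,dc=example,dc=com": {"cn": "Admins"},
    "cn=Staff,ou=Finance,dc=example,dc=com": {"cn": "Staff"},
    "cn=Admins,ou=Sales,dc=example,dc=com": {"cn": "Admins"},
    "cn=Admins,dc=other,dc=com": {"cn": "Admins"},
}

if __name__ == "__main__":
    print(build_group_filter("cn", "Admins"))
    print(scoped_search(SAMPLE_DIRECTORY, "dc=example,dc=com", "cn", "Admins"))
    print(scoped_search(SAMPLE_DIRECTORY, "ou=Finance,dc=example,dc=com", "cn", "Admins"))
```

With the broad Base DN dc=example,dc=com both Admins groups are returned; with ou=Finance,dc=example,dc=com only the Finance one is, which is the narrowing the Base DN description recommends for query speed.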


Figure 57: Backup & Restore

Name of the GUI item / Description
System Configuration
Last Backup: The date and time of the last backup to the local PC.
Backup configuration to: Currently, the only option on the web-based manager is to back up to your local PC. However, you can use the execute backup config command to back up the system configuration to a file on an FTP, SFTP, SCP, or TFTP server. For more information, see the FortiAnalyzer CLI Reference.
Encrypt configuration file: Select to encrypt the backup file. Enter a password in the Password field and enter it again in the Confirm field. You will need this password to restore the file. You must encrypt the backup file if you are using a secure connection to a FortiGate or FortiManager device.
Password: Enter a password to encrypt the configuration file. This password is required when restoring the configuration file.
Confirm: Enter the password again to confirm.
Backup: Select to back up the configuration.
Restore configuration from: Currently the only option is to restore from a PC.
Filename: Enter the configuration file name or use the Browse button if you are restoring the configuration from a file on the management computer.
Password: Enter the password if the backup file is encrypted.
Restore: Select to restore the configuration from the selected file.
Firmware
Partition: A partition can contain one version of the firmware and the system configuration.
Active: A green check mark indicates which partition contains the firmware and configuration currently in use.
Last Upgrade: The date and time of the last update to this partition.
Firmware Version: The version and build number of the FortiAnalyzer firmware. If your FortiAnalyzer model has a backup partition, you can:
• Select Upload to replace with firmware from the management computer.
• Select Upload and Reboot to replace the existing firmware and make this the active partition.


Scheduling & uploading vulnerability management updates
You can update the engine and vulnerability scan modules in one of the following ways:
• manually upload update packages to the FortiAnalyzer unit from your management computer
• configure the FortiAnalyzer unit to periodically request updates from the Fortinet Distribution Network (FDN)

You must register and license the FortiAnalyzer unit and purchase and register vulnerability management service with the Fortinet Technical Support web site, https://support.fortinet.com/, to receive vulnerability management updates from the FDN. See “(Vulnerability Management) Subscribe” on page 117. The FortiAnalyzer unit must also have a valid Fortinet Technical Support contract, which includes VM update subscriptions, and be able to connect to the FDN or the IP address that you have configured to override the default FDN addresses. For port numbers required for license validation and update connections, see the Fortinet Knowledge Base article FDN Services and Ports.

For more information about configuring vulnerability scan jobs and viewing vulnerability scan reports, see “Vulnerability Management” on page 213.

To manually upload vulnerability management updates or to configure scheduled vulnerability management updates, go to System > Maintenance > FortiGuard.

Figure 58: FortiGuard Distribution Network

Name of the GUI item / Description
FortiGuard Subscription Services: The Vulnerability Management registration status, engine and module version number, date of last update, and status of the connection to the FortiGuard Distribution Network (FDN). A green indicator means that the FortiAnalyzer unit can connect to the FDN or override server. An orange indicator means that the FortiAnalyzer unit cannot connect to the FDN or override server. Check the configuration of the FortiAnalyzer unit and any NAT or firewall devices that exist between the FortiAnalyzer unit and the FDN or override server. For example, you may need to add routes to the FortiAnalyzer unit’s routing table.


(Vulnerability Management) Subscribe: Select to open the Fortinet Technical Support web site to register the FortiAnalyzer unit and Vulnerability Management Service to receive vulnerability management updates from the FDN.
(VM Plugins) Update: Select to upload a Vulnerability Management upgrade file from your management computer. To obtain a VM upgrade file, contact Fortinet Technical Support. You might upload a VM file if you want to provide an immediate update, or use a VM version other than the one currently provided by the FDN. If you want to use a VM file other than the one currently provided by the FDN, also disable scheduled updates.
Note: Manual updates are not a substitute for a connection to the FDN. As with scheduled updates, manual updates require that the FortiAnalyzer unit be able to connect to the FDN to validate its VM license.
Vulnerability Management: Select the Expand arrow to display this FortiAnalyzer unit’s FortiGuard server options for the subscription services.
Use override server address: Enable Use override server address and enter the IP address and port number of an FDS in the format <IP>:<port>, such as 10.10.1.10:8889. If you want to connect to a specific FDN server other than the one to which the FortiAnalyzer unit would normally connect, you can override the default IP addresses by configuring an override server. If, after applying the override server address, the FDN status icon changes to indicate availability (a green check mark), the FortiAnalyzer unit has successfully connected to the override server. If the icon still indicates that the FDN is not available, the FortiAnalyzer unit cannot connect to the override server. Check the FortiAnalyzer configuration and the network configuration to make sure you can connect to the FDN override server from the FortiAnalyzer unit.
Use Web Proxy: Select to enable the FortiAnalyzer unit to connect to the FDN through a web proxy, then enter the IP, Port, and (if required) Name and Password.
IP: Enter the IP address of the web proxy.
Port: Enter the port number of the web proxy. This is usually 8080.
Name: If your web proxy requires a login, enter the user name that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.
Password: If your web proxy requires a login, enter the password that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.
Scheduled Update [Request Update Now]: Enable scheduled updates, then select the frequency of the update (Every, Daily or Weekly). Select Request Update Now if you want to immediately request an update.
Every: Select to update once every n hours, then select the number of hours in the interval.
Daily: Select to update once every day, then select the hour. The update attempt occurs at a randomly determined time within the selected hour.
Weekly: Select to update once a week, then select the day of the week and the hour of the day. The update attempt occurs at a randomly determined time within the selected hour.

Migrating data from one FortiAnalyzer unit to another
By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

You can migrate configuration settings and log data from one FortiAnalyzer unit to another from System > Maintenance > Migration. This is referred to as migrating data, and provides an easy way to have the same information on multiple FortiAnalyzer units without having to manually configure each one.

You can also test the connection between two FortiAnalyzer units before migrating the configuration settings to verify that the connection is working properly. Before you begin the migration process, you need to verify that each FortiAnalyzer unit is upgraded to FortiAnalyzer 4.0 MR1 or higher. The migration feature is available only in FortiAnalyzer 4.0 MR1 or higher. You also need to decide which FortiAnalyzer unit will be the one used for migrating data to the other before proceeding. Migrating data should be done during a low traffic time period, for example at night, because, depending on the amount of data being transferred, it could take more than an hour to transfer.

You need to configure both the FortiAnalyzer unit that will be sending data (source FortiAnalyzer unit) and the FortiAnalyzer unit that will be receiving data (destination FortiAnalyzer unit) for migrating configuration settings.

To configure the source FortiAnalyzer unit
1 On the source FortiAnalyzer unit, log in to the web-based manager.
Remember the login password. You will need it for configuring the destination FortiAnalyzer unit. See “To configure the destination FortiAnalyzer unit for migrating configuration settings” on page 119.
2 Go to System > Maintenance > Migration.
3 Select Source to enable the FortiAnalyzer unit to send the configuration settings to the other FortiAnalyzer unit.
4 In Peer IP, enter the IP address of the FortiAnalyzer unit that will be receiving the data.

Caution: When migrating configuration settings and log data from one FortiAnalyzer unit to another, the source FortiAnalyzer unit stops receiving logs from the managed devices as soon as it enters migration mode. If you want to keep the logs from the devices during the migration process, make sure that the managed devices send logs to the destination FortiAnalyzer unit or another compatible log storage location. To send logs to the destination FortiAnalyzer unit, simply swap the IP addresses of the source and destination units by going to System > Network > Interface on each unit. You also need to perform step 5 on the destination unit. You can swap the IP addresses back after the migration completes.

The destination FortiAnalyzer unit will lose all of the data received before the migration process starts. Back up the important data on the destination unit if necessary.

Caution: To migrate data, the firmware release number and build number on the source and destination FortiAnalyzer units must match. Otherwise the migration will fail.


5 Select Apply, then select Enter Migration Mode. A message similar to the following appears: Enabling source migration mode will cause a reboot. Would you like to continue?

6 Select OK to reboot the FortiAnalyzer unit in migration mode. This may take a few minutes. You may need to refresh the page so that the login page displays. You can then log back in to the web-based manager to verify that the FortiAnalyzer unit is in migration mode. Only the admin user can log in to the FortiAnalyzer unit in migration mode. Only the System > Admin > Settings (Read + Write) and System > Maintenance > Migration (Read + Write) menu items appear under migration mode for a source FortiAnalyzer unit. You can modify these settings and they will be migrated to the destination unit. The migration will not start before the destination FortiAnalyzer unit is configured and starts to query the source unit.

7 If you need to modify the Peer IP in migration mode, enter a new one and select Apply.

To configure the destination FortiAnalyzer unit for migrating configuration settings
1 On the destination FortiAnalyzer unit, log in to the web-based manager and go to System > Maintenance > Migration.
2 Select Destination to enable the FortiAnalyzer unit to receive the configuration settings.
3 Enter the IP address of the source FortiAnalyzer unit.
4 Enter the same password you used when logging into the source FortiAnalyzer unit.
The destination FortiAnalyzer unit will use this password to log into the source FortiAnalyzer unit to get the configuration. The migration will fail if the passwords do not match.
5 If you want this FortiAnalyzer unit to receive logs and data from the registered devices during the migration process, select the check box beside Accept Logs & Reports. The logs and data received from the managed devices during the migration process will not be overridden by the migrated data. You can also enable or disable this option during the migration process. For more information, see “Actions during the migration process” on page 120.
6 To receive certain logs and files, expand All Categories and then select what you want to receive. To receive all the categories, select the check box beside All Categories.


7 Click Apply, and then click Test Migration Mode. This FortiAnalyzer unit contacts the source FortiAnalyzer unit to validate the migration. The validation focuses on the following:
• If the source unit and destination unit have different versions of firmware, the destination unit aborts the migration.
• If the destination unit has data, a warning displays. You may choose to proceed or not.
• If the source unit is not in migration mode, the destination unit aborts the migration.
• If the source unit’s IP is wrong or there is a network problem, Migration source is not reachable displays.
8 If the migration mode test is successful, select Enter Migration Mode.
Only the following menu items appear:
• System > Dashboard > Dashboard (Read-Only)
• System > Network > Interface/DNS/Routing (Read + Write)
• System > Admin > Settings (Read + Write)
• System > Admin > Maintenance > Migration (Read + Write)
• Device > All > Device (Read-Only)
• Log > Log Viewer > Real-time (Read + Write)
• Tools > File Explorer (Read-Only)
You can modify the settings with Read + Write privileges and they will not be overridden by the migrated data.
9 If you modify the configurations in migration mode, select Apply.
10 Select Start Migration.
This may take a few minutes or several hours, depending on the amount of data that is being transferred. For example, if there is 500 GB of data that is being transferred, it will take several hours to send. See “Actions during the migration process” on page 120 for actions that can be taken during the migration process.
11 When the migration process is complete, go to the source and destination FortiAnalyzer units.
12 Log in to the web-based manager and go to System > Maintenance > Migration.
13 Select Exit Migration Mode.

Actions during the migration process
During the migration process, the destination FortiAnalyzer unit displays and automatically updates phase descriptions and results and a progress bar with size (such as 123 of 480 GB) and time (such as 18 mins. of estimated 4h14m) indicators. You can check the migration status from both the web-based manager and CLI in real time. You can also:
• Choose Start/Stop Accepting New Data.
This action allows the destination unit to accept or deny data from the registered devices. For example, if you want to speed up the data migration process and can afford to lose some logs from the devices, you can select to stop accepting new data. When the destination unit receives new logs and data, messages will appear in the migration status display.


• Choose to pause the ongoing migration process from the destination unit. You can subsequently start again or cancel the migration by selecting the respective button.
• If the destination unit is interrupted unexpectedly, for example, by a power or network failure:
  • the message The migration destination became silent. Please verify its status. appears on the source unit. Click OK.
  • when the destination unit is back alive in migration mode, resume or cancel the migration by selecting the respective button.

Importing a local server certificate
You can change the FortiAnalyzer unit’s default HTTPS certificate to a new certificate (PKCS #12 format) signed by a certificate authority (CA) other than Fortinet. This feature is not available on the web-based manager. However, you can do it with the following CLI command:

execute admin-cert import {ftp|sftp|scp|tftp} <server_ipv4> <argument1_str> <argument2_str> <argument3_str>

where:
• <argument1_str> – For FTP, SFTP or SCP, enter a user name. For TFTP, enter a directory or file name.
• <argument2_str> – For FTP, SFTP or SCP, enter a password or “-”. For TFTP, enter a file name or PKCS #12 file password or “-”.
• <argument3_str> – For FTP, SFTP or SCP, enter a directory or file name. For TFTP, enter a PKCS #12 file password or “-”.

Web services are automatically encrypted with SSL (HTTPS). The FortiAnalyzer unit automatically generates a self-signed public certificate. To view the public certificate, in the CLI, enter the command:

get system ws-cert

You can use this auto-generated certificate, or you can replace it with your own certificate using the associated set command. FortiManager units with which the FortiAnalyzer unit is registered will automatically accept the new certificate. For more information on HTTPS access to the web-based manager and web services, see “Configuring the network interfaces” on page 63. For more information about CLI commands, see the FortiAnalyzer CLI Reference.
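After replacing the certificate with execute admin-cert import, the check a practitioner wants is that the unit really presents the new certificate rather than the auto-generated self-signed one. The following is an added example, not code from the FortiAnalyzer guide or from Fortinet: it fetches the certificate served on the HTTPS port and compares its SHA-256 fingerprint with one you obtained from the PKCS #12 file before upload. The host name is a placeholder and SAMPLE_DER is constructed bytes, not a real X.509 certificate, so the helpers can be exercised offline.

```python
"""Added example (not from the FortiAnalyzer guide): confirm the HTTPS
certificate served by the unit matches an expected SHA-256 fingerprint."""
import hashlib
import ssl


def sha256_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated
    upper-case hex, the form most tools print for comparison."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_of_pem(pem_text):
    """Fingerprint of a PEM certificate; ssl strips the PEM armour for us."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))


def cert_matches(served_pem, expected_fingerprint):
    """True if the served certificate carries the expected fingerprint.
    Case-insensitive so a fingerprint copied from any tool compares equal."""
    return fingerprint_of_pem(served_pem) == expected_fingerprint.upper()


def fetch_served_cert(host, port=443):
    """Retrieve the certificate the unit presents on its HTTPS port.
    No chain validation is done here on purpose: the imported certificate may
    be signed by a private CA, and the point is to compare it against a
    fingerprint you already trust, not against the system trust store."""
    return ssl.get_server_certificate((host, port))


def verify_unit(host, expected_fingerprint, port=443):
    """Fetch and compare in one step; True when the import took effect."""
    return cert_matches(fetch_served_cert(host, port), expected_fingerprint)


# Constructed sample (NOT a real certificate) so the helpers run offline.
SAMPLE_DER = b"constructed sample bytes, not a real X.509 certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    expected = fingerprint_of_pem(SAMPLE_PEM)
    print(expected)
    print(cert_matches(SAMPLE_PEM, expected))
    # Against a live unit (placeholder host name), after the import:
    # print(verify_unit("fortianalyzer.example.com", expected))
```

Run verify_unit once before the import as well: if it already returns True for the old fingerprint and False afterwards, you have confirmed both that the old self-signed certificate is gone and that the new one is the one being served.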


Devices
The Devices menu controls connection attempt handling, permissions, disk space quota, and other aspects of devices that are connected to the FortiAnalyzer unit for remote logging, DLP archiving, quarantining, and/or remote management. For a diagram of traffic types, ports and protocols that FortiAnalyzer units use to communicate with other devices and services, see the Fortinet Knowledge Base article Traffic Types and TCP/UDP Ports used by Fortinet Products. This topic includes:
• Configuring connections with devices & their disk space quota
• Configuring device groups
• Classifying FortiGate network interfaces

Configuring connections with devices & their disk space quota
The device list displays devices that are allowed to connect to the FortiAnalyzer unit including their connection permissions. The list may also display unregistered devices attempting to connect. Connection attempts occur when a device sends traffic to the FortiAnalyzer unit before you have added the device to the FortiAnalyzer unit. FortiAnalyzer units either ignore the connection attempt, or automatically add the device to its device list as either a registered or unregistered device. This connection attempt handling depends on:
• the type of the device that is attempting to connect
• your selections in Unregistered Options, and
• whether the maximum number of devices has been reached on the FortiAnalyzer unit
For more information on:
• connection attempt handling, see “Configuring unregistered device options” on page 133.
• the device number maximum, see “Maximum number of devices” on page 126.
• manually adding a device to the device list, see “Manually adding or deleting a device or HA cluster” on page 129.

Adding a device to the device list configures connections from the device but does not automatically establish a connection. You need to configure the device to send traffic to the FortiAnalyzer unit to establish a connection. For more information, see the FortiGate Administration Guide, FortiMail Administration Guide, FortiManager Administration Guide, FortiClient Administrator’s Guide, or your Syslog server’s documentation. Due to the nature of connectivity for certain high availability (HA) modes, FortiGate units in an HA cluster may not be able to send full DLP archives and quarantine data. For more information, see the FortiGate HA Overview.

Note: Connection attempts not handled by the device list include log aggregation, log forwarding, and SNMP traps. For more information about configuring connection handling for those types, see “Configuring log aggregation” on page 100, “Configuring log forwarding” on page 103, and “Configuring the SNMP agent” on page 94.


You may want to block connection attempts from devices that you do not want to add to the device list since connection attempts must be reconsidered with each attempt. For more information, see “Blocking unregistered device connection attempts” on page 134.

Devices may automatically appear on the device list when the FortiAnalyzer unit receives a connection attempt, according to your configuration of Unregistered Options, but devices may also automatically appear as a result of importing log files. For more information, see “Importing a log file” on page 155.

To view the device list, go to Devices > All Devices > Allowed.

Figure 59: Device list

Note: Hover your cursor over an item to display more information.

Name of the GUI item / Description
Create New: Select to manually add a new device to the device list. For information about how to manually add devices, see “Manually adding or deleting a device or HA cluster” on page 129.
Edit: Reconfigure the selected device connection.


Delete: Remove the selected devices from the list. You cannot delete a device that is referenced elsewhere in the configuration, such as by being assigned to a device group. To delete the device, first remove all configuration references to that device.
If you use the default proprietary indexed file storage system for log storage, once a device is removed from the device list, the associated logs and other data, such as DLP archives and the default report profile for the device (that is, the device summary report Default_<device_name>) are deleted. Reports that may have been already generated from the device’s log data, however, are not deleted.
If you use the local SQL file storage system for log storage, once a device is removed from the device list, the associated logs are not deleted. To delete the logs, use the command execute sql-local remove-device. This command does not remove reports that may have been already generated from the device’s log data.
If the device is still configured to attempt to connect to the FortiAnalyzer unit and you have configured Unregistered Device Options to display connection attempts from unregistered devices, the device may reappear in the device list.
Register: This option only appears if you select an unregistered device. Change a selected unregistered device into a registered one. When the Register Device page appears, enter a name for the device, and modify other settings if required. Click OK. The device appears in the Allowed device list. For more information on registering a device, see “Manually adding or deleting a device or HA cluster” on page 129.
Block: Stop further connection attempts. This option appears if the selected device is an unregistered device. For more information about blocking a device, see “Blocking unregistered device connection attempts” on page 134.
Column Display Settings: Select to change the columns to view and the order they appear on the page. For more information, see “Displaying and arranging log columns” on page 143.
Search: Enter the partial or full name of a device and select the one you want from the list to view or edit the device.
Name: The name of the device in the device list. This can be any descriptive name that you want assigned to it, and does not need to be its host name. Select the arrow beside Name to list the devices in either ascending or descending order. An orange exclamation point (!) icon before a device name indicates that the device is connecting to the FortiAnalyzer unit and the device’s time zone is not synchronized with the FortiAnalyzer unit’s time zone.
Model: The model of the device. For example, the device list displays a FortiGate-400A model as FGT400A.
IP Address: The IP address of the device. If the device has not recently established a connection, 0.0.0.0 appears.
Log, DLP, Quar, IPS: Mouse over an icon to view when the FortiAnalyzer unit last received logs or data from the device, whether it has received any logs or data from the device at all, whether logging is disabled on the device, or whether it is an unregistered device. Only FortiGate units can send DLP archives, quarantine files, and IPS files to the FortiAnalyzer unit.
Secure: Indicates whether IPSec VPN tunnelling has been enabled for secure transmission of logs, content and quarantined files.
Caution: A locked icon indicates that secure connection is enabled, but not necessarily fully configured, and the tunnel may not be up. For more information, see “Configuring IPSec secure connections between the FortiAnalyzer unit and a device or an HA cluster” on page 128.


Quota Usage: The amount of the FortiAnalyzer disk space allocated for the device and how much of that space is used. For information on configuring disk space usage by quarantined files, see the FortiAnalyzer CLI Reference.
Virtual Domains: The number of VDOMs on the device.
Type: The type of the device: FortiGate unit, FortiManager unit, FortiMail unit, FortiClient installation, or Syslog server.
ADOM: The ADOMs to which the device is assigned. This column does not appear:
• on FortiAnalyzer-100B models
• when ADOM is disabled on the FortiAnalyzer unit. For more information about ADOM, see “About administrative domains (ADOMs)” on page 25.
Mode: Indicates whether the device is standalone or in a cluster.
Show: Select the type of devices to display in the list. You can select devices by type, or select Unregistered to display devices that are attempting to connect but that have not yet been registered or added.
Current Page: By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 2/10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

Unregistered vs. registered devices
Devices > All Devices > Allowed displays devices, both registered and unregistered, that have attempted to connect to the FortiAnalyzer unit. A registered device can use all features of the FortiAnalyzer unit, while an unregistered device will not be able to use most of the FortiAnalyzer unit’s features unless you add/register it.

By default, all Fortinet devices (FortiGate, FortiManager, FortiClient, and FortiMail) are discovered and listed as registered devices. All generic Syslog devices are discovered and automatically listed as unregistered devices. You can configure these settings. For more information, see “Configuring unregistered device options” on page 133. You can also manually add/register a device. For more information, see “Manually adding or deleting a device or HA cluster” on page 129.

Note: Generic Syslog devices cannot be used for features such as reports or DLP archives, and therefore cannot be registered.

Maximum number of devices
Each FortiAnalyzer model is designed to support and provide effective logging and reporting capabilities for up to a certain maximum number of devices (registered and unregistered combined). The following table details these maximums.

FortiAnalyzer™ Version 4.0 MR2 Administration Guide126 Revision 13

http://docs.fortinet.com/ • Feedback

Page 127: For Ti Analyzer Admin 40 Mr2

Devices Configuring connections with devices & their disk space quota

FRh

To view the number of devices currently attempting to connect, see “License Information widget” on page 40.For networks with more demanding logging scenarios, an appropriate device ratio may be less than the allowed maximum. Performance will vary according to your network size, device types, logging thresholds, and many other factors. When choosing a FortiAnalyzer model, consider your network’s log frequency, and not only your number of devices.A VDOM or high availability (HA) cluster counts as a single “device” towards the maximum number of allowed devices. Multiple FortiClient installations (which can number up to the limit of allowed FortiClient installations) also count as a single “device.”For example, a FortiAnalyzer-100B could register up to either:• 100 devices• 99 devices and 100 FortiClient installations• 99 devices and one HA pair• 91 device and 9 VDOMsWhen devices attempt to connect to a FortiAnalyzer unit that has reached its number of maximum number of allowed devices, the FortiAnalyzer unit will reject connection attempts by excess devices, and automatically add those excess devices to the list of blocked devices. For more information about on blocked devices, see “Configuring device groups” on page 136.

Table 4: FortiAnalyzer device limits

FortiAnalyzer models

Maximum number of devices and/or VDOMs allowed

Maximum number of FortiClient installations allowed

FortiGate models supported

FortiManager models supported

FortiMail models supported

FortiAnalyzer-100A/100B/100C

100 100 FortiGate-30B to FortiGate-224B/C(If the FortiAnalyzer unit has only one FortiGate unit registered, then all models are supported.)

All All

FortiAnalyzer-400B

200 2000 All All All

FortiAnalyzer-800/800B

500 5000 All All All

FortiAnalyzer-1000B

2000 No restrictions All All All

FortiAnalyzer-1000C

2000 No restrictions All All All

FortiAnalyzer-2000/2000A

2000 No restrictions All All All

FortiAnalyzer-2000B

2000 No restrictions All All All

FortiAnalyzer-4000/4000A

2000 No restrictions All All All

FortiAnalyzer-4000B

2000 No restrictions All All All

ortiAnalyzer™ Version 4.0 MR2 Administration Guideevision 13 127ttp://docs.fortinet.com/ • Feedback

Page 128: For Ti Analyzer Admin 40 Mr2

Configuring connections with devices & their disk space quota Devices

When the FortiAnalyzer unit has exceeded its maximum number of allowed devices, you will not be able to add devices to the device list. To resume adding devices, you must first block a device that is currently on your device list, then unblock the device you want to add and add it to the device list.

Configuring IPSec secure connections between the FortiAnalyzer unit and a device or an HA cluster

For secure transmission of logs, content archives, and quarantined files, you can configure an IPSec VPN tunnel between the FortiAnalyzer unit and FortiGate devices or HA clusters, and FortiManager devices.

For more information on the CLI commands, see the FortiAnalyzer CLI Reference, FortiGate CLI Reference, and FortiManager CLI Reference.

To configure a secure connection on a FortiAnalyzer unit

On the FortiAnalyzer CLI, enter the following commands:

    config log device
        edit <device_name>
            set secure psk
            set psk <preshared-key_str>
            set id <fortigate’s_device_name_on_the_fortianalyzer | fortimanager-serial-number_str>
        end

To configure a secure connection on a FortiGate unit

On the FortiGate CLI, enter the following commands:

    config log {fortianalyzer | fortianalyzer2 | fortianalyzer3} setting
        set encrypt enable
        set psksecret <preshared-key_str>
        set localid <fortigate’s_device_name_on_the_fortianalyzer>
    end

To configure a secure connection on a FortiManager system

On the FortiManager CLI, enter the following commands:

    config fmsystem log fortianalyzer
        set secure_connection enable
        set psk <preshared-key_str>
        set localid <fortianalyzer_serial_number_str>
    end

Note: You must configure the secure tunnel on both ends of the tunnel: the FortiAnalyzer unit and the device. The pre-shared key must be identical on both ends, and the identity the device sends (localid) must match the id configured for that device on the FortiAnalyzer unit, or the tunnel will not come up.

Note: Changing a device’s FortiAnalyzer settings clears sessions to that IP address. If the FortiAnalyzer unit is behind a NAT device, such as a FortiGate unit, this also resets sessions to other hosts behind that same NAT. To prevent disruption of other devices’ traffic, create a separate virtual IP for the FortiAnalyzer unit on the NAT device.

Note: To enable and configure a secure connection on a FortiGate HA cluster, configure the primary device in the cluster. The primary device synchronizes the configuration with its members.
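The two ends of the tunnel only work if the pre-shared key and the identity string agree. The following Python script is an added example, not Fortinet code: it renders the FortiAnalyzer-end and FortiGate-end CLI fragments shown above from one set of values and then cross-checks a pair of fragments for the mismatches that most often keep the tunnel down. The minimum key length it enforces is the script’s own hygiene rule, not a FortiAnalyzer requirement, and the device name FG-1000-1 is only a sample value.

```python
"""Render and cross-check both ends of a FortiAnalyzer secure-log tunnel.

Added example, not Fortinet code. It emits the CLI fragments from this
section for the FortiAnalyzer end and the FortiGate end, then verifies
the values that must agree on both ends.
"""
import re
import secrets


def make_psk(nbytes: int = 32) -> str:
    """Generate a random pre-shared key as hex, suitable for 'set psk'."""
    return secrets.token_hex(nbytes)


def render_fortianalyzer(device_name: str, psk: str) -> str:
    """The 'config log device' entry on the FortiAnalyzer unit."""
    return "\n".join([
        "config log device",
        f"    edit {device_name}",
        "        set secure psk",
        f"        set psk {psk}",
        f"        set id {device_name}",
        "    end",
    ])


def render_fortigate(device_name: str, psk: str, instance: str = "fortianalyzer") -> str:
    """The 'config log fortianalyzer setting' block on the FortiGate unit."""
    return "\n".join([
        f"config log {instance} setting",
        "    set encrypt enable",
        f"    set psksecret {psk}",
        f"    set localid {device_name}",
        "end",
    ])


_SET_LINE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")


def parse_sets(cli: str) -> dict:
    """Collect the 'set <key> <value>' pairs from a CLI fragment."""
    out = {}
    for line in cli.splitlines():
        m = _SET_LINE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def check_tunnel_pair(faz_cli: str, fgt_cli: str, min_psk_len: int = 16) -> list:
    """Return the mismatches between the two ends; an empty list means consistent."""
    faz, fgt = parse_sets(faz_cli), parse_sets(fgt_cli)
    problems = []
    if faz.get("secure") != "psk":
        problems.append("FortiAnalyzer: 'set secure psk' missing")
    if fgt.get("encrypt") != "enable":
        problems.append("FortiGate: 'set encrypt enable' missing")
    if faz.get("psk") != fgt.get("psksecret"):
        problems.append("pre-shared key differs between ends")
    if faz.get("id") != fgt.get("localid"):
        problems.append("FortiAnalyzer 'id' != FortiGate 'localid'")
    # Assumption of this script, not a FortiAnalyzer rule: reject short keys.
    if len(faz.get("psk", "")) < min_psk_len:
        problems.append(f"pre-shared key shorter than {min_psk_len} characters")
    return problems


if __name__ == "__main__":
    key = make_psk()
    faz_side = render_fortianalyzer("FG-1000-1", key)
    fgt_side = render_fortigate("FG-1000-1", key)
    print(faz_side, fgt_side, sep="\n\n")
    print("problems:", check_tunnel_pair(faz_side, fgt_side))
```

Feed the checker the two fragments exactly as you intend to paste them; a localid that does not match the FortiAnalyzer id is the usual cause of a tunnel that never establishes.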

Manually adding or deleting a device or HA cluster

You can add devices to the FortiAnalyzer unit’s device list either manually or automatically. If you have configured Unregistered Options to automatically add known-type devices, you may only need to manually add unknown-type devices such as a generic Syslog server. If you have configured Unregistered Options to list all devices as unregistered, you may need to add all devices manually. For more information, see “Configuring unregistered device options” on page 133.

If the device has already been added automatically, it was added to the device list using default settings. You can reconfigure the device connection by editing the device in the device list.

All FortiClient installations are added as a single device, rather than as one device configuration per FortiClient installation, and their log messages are stored together. Use the FortiAnalyzer reporting features to obtain network histories for individual FortiClient installations.

You must add the FortiManager system to the FortiAnalyzer device list for the FortiAnalyzer unit to be remotely administered by the FortiManager system. Additionally, you must also:
• enable web services on the FortiAnalyzer network interface that will be connected to the FortiManager system (see “Configuring and using FortiAnalyzer web services” on page 66)
• register the FortiAnalyzer unit with the FortiManager system (see the FortiManager Administration Guide)
• be able to connect from your computer to the web-based manager of both the FortiManager system and the FortiAnalyzer unit.

To manually add a device or HA cluster

1 Go to Devices > All Devices > Allowed.
2 Do one of the following:
• To add unregistered devices, at the bottom of the page, select Unregistered from Show. Select an unregistered device and select Register.
• To add other devices, select Create New.

Note: Remote logging from FortiClient installations requires FortiClient 3.0 MR2 or later.


3 Enter the appropriate information.

Device Type: Select the device type. The type is automatically pre-selected if you are adding an unregistered device from the device list, or if you are editing an existing device. Other device options vary by the device type.

Device Name: Enter a name to represent the device, such as FG-1000-1 for a FortiGate unit. This can be any descriptive name that you want to assign to it, and does not need to be its host name. The device name is automatically pre-entered if you are adding a FortiClient installation.

IP Address: Enter the IP address of the device. This option appears only if Device Type is Syslog.

Device ID: Enter the device ID. Device IDs are usually the serial number of the device, and usually appear on the dashboard of the device’s web-based manager. The device ID is automatically pre-entered if you are adding an unregistered device from the device list, or if you are editing an existing device. This option does not appear if Device Type is Syslog or FortiClient.

Cluster ID (primary member): Enter the ID of the primary member in an HA cluster. This option appears only if Mode is HA.

Disk Allocation (MB): Enter the amount of hard disk space allocated to the device’s log and content messages, including quarantined files. The allocated space should be at least 10 times the log rolling size for the Log and DLP archive. For example, if you set the log and DLP archive log file roll size to 50 MB, allocate at least 500 MB of disk space for the device. The amounts following the disk space allocation field show the disk space currently used by the device and the total disk space currently available on the FortiAnalyzer unit.

When Allocated Disk Space is All Used: Select either Overwrite Oldest Files or Stop Logging to indicate what the FortiAnalyzer unit should do when the allocated disk space has been used. Either choice loses log data once the quota is full: Overwrite Oldest Files discards the oldest records, Stop Logging discards new ones, so size the allocation for the retention you need. For more information about disk space allocation, see “System Resources widget” on page 41.

Device Privileges: Select the connection privileges of the device, such as sending and viewing log files, DLP archives and quarantined files. Available permissions vary by device type. Note: Remotely accessing logs, DLP archive logs and quarantined files is available on FortiGate units running firmware version 4.0 or later.

Description: Enter any additional information on the device. The description appears when you move the mouse over a device name in the device list.

Mode: If you are adding a single unit, select Standalone. If you are adding an HA cluster, select HA, then select the devices other than the primary member of the cluster from Available Devices (devices on the FortiAnalyzer unit’s device list) and move them to Membership using the right-pointing arrow. The devices are added to the HA cluster. You can also manually enter a device ID in the field under Available Devices and select Add to put it into the HA cluster. Although manually-entered devices do not appear in the device list, because they are not added to the FortiAnalyzer unit as separate devices, they can communicate with the FortiAnalyzer unit through the primary device of the cluster, because the primary device synchronizes the configuration with its members. All device models in an HA cluster must be the same; the FortiAnalyzer unit checks the first 6 characters of each device ID to enforce this. This option appears only if Device Type is FortiGate or FortiManager.

4 Select OK.

The device appears in the device list. After registration, some device types can be configured for a secure connection. For more information, see “Secure” on page 125.

Manually adding a FortiGate unit using the Fortinet Discovery Protocol (FDP)

If you configure the FortiAnalyzer unit to respond to Fortinet Discovery Protocol (FDP) packets, FortiGate units running FortiOS version 4.0 or higher can use FDP to locate a FortiAnalyzer unit. Both units must be on the same subnet to use FDP, and they must be able to reach each other over UDP. For more information, see “About Fortinet Discovery Protocol” on page 66.

When a FortiGate administrator selects Automatic Discovery, the FortiGate unit sends FDP packets to locate FortiAnalyzer units on the same subnet. If FDP has been enabled on its interface to that subnet, the FortiAnalyzer unit responds. Upon receiving an FDP response, the FortiGate unit knows the IP address of the FortiAnalyzer unit, and the administrator can configure the FortiGate unit to begin sending log, DLP archive, and/or quarantine data to that IP address. When the FortiGate unit attempts to send data to the FortiAnalyzer unit, the FortiAnalyzer unit detects the connection attempt.

Connection attempts from devices not on the FortiAnalyzer unit’s device list may not be accepted automatically. In this case, you may need to add the device to the device list manually. For more information, see “Configuring unregistered device options” on page 133.

For a diagram of the traffic types, ports and protocols that FortiAnalyzer units use to communicate with other devices and services, see the Knowledge Base article Traffic Types and TCP/UDP Ports used by Fortinet Products.

To enable the FortiAnalyzer unit to reply to FDP packets

1 Go to System > Network > Interface.
2 Select Edit for the network interface that should reply to FDP packets.
3 Enable Fortinet Discovery Protocol.
4 Select OK.

The FortiAnalyzer unit is now configured to respond to FDP packets on that network interface, including those from FortiGate units’ Automatic Discovery feature. Enable FDP only on the interface facing the FortiGate units that need it: any host on that subnet can send FDP packets and learn the FortiAnalyzer unit’s IP address. For more information about connecting the FortiGate unit using FDP, see “To connect a FortiGate unit to a FortiAnalyzer unit using FDP” on page 132.

To connect a FortiGate unit to a FortiAnalyzer unit using FDP

This procedure is based on the FortiOS v4.0 MR2 release and may change in future releases. On the FortiGate unit CLI, enter:

    config log fortianalyzer setting
        set address-mode auto-discovery
    end

The FortiGate unit sends FDP packets to other hosts on the FortiGate unit’s subnet. If a FortiAnalyzer unit exists on the subnet and is configured to reply to FDP packets, it sends a reply.

If your FortiGate unit is connecting to a FortiAnalyzer unit from another network, such as through the Internet or through other firewalls, FDP may fail to locate the FortiAnalyzer unit, and you may need to configure an IPSec VPN tunnel to carry the connection. For more information and examples, see the Fortinet Knowledge Base article Sending remote FortiGate logs to a FortiAnalyzer unit behind a local FortiGate unit. For more information about configuring FortiGate unit quarantining, DLP archiving, and/or remote logging, see the FortiGate Administration Guide.

Configuring unregistered device options

You can configure the FortiAnalyzer unit to accept and handle connection attempts from Fortinet devices (known devices) or generic Syslog devices (unknown devices) automatically. To configure device connection attempt handling, go to Devices > All Devices > Unregistered Options.

Figure 60: Unregistered Device Options

Note: Due to the nature of connectivity for certain high availability (HA) modes, full DLP archiving and quarantining may not be available for FortiGate units in an HA cluster. For more information, see the FortiGate HA Overview.

Unregistered Device Options apply to all device types attempting to connect, not just FortiGate units.

Known Device Types (FortiGate, FortiManager, FortiClient, FortiMail)

Ignore connection and log data: Select to deny any connection attempts and log-sending to the FortiAnalyzer unit from Fortinet devices. This option does not apply to manually added devices. For more information on adding a device manually, see “Manually adding or deleting a device or HA cluster” on page 129.

Allow connection, add to unregistered table, but ignore log data: Select to allow the devices to connect but list them as unregistered devices. The FortiAnalyzer unit ignores any logs sent from the devices until you manually register them.

Allow connection, register automatically, and store up to n MB data (<sequential_number> MB available): Select to allow the connection and automatically register the devices. The FortiAnalyzer unit stores up to the specified amount of log data from the devices. Because this option registers any Fortinet device that connects, on networks where hosts you do not control can reach the FortiAnalyzer unit it is safer to list new devices as unregistered and register them manually.

Unknown Device Type (Generic Syslog Devices)

Ignore all unknown unregistered devices: Select to deny any connection attempts from all unknown Syslog devices. This option does not apply to manually added devices. For more information on adding a device manually, see “Manually adding or deleting a device or HA cluster” on page 129.

Add unknown unregistered devices to unregistered table, but ignore data: Select to list unknown Syslog devices as unregistered devices and ignore any logs sent from these devices.

Add unknown unregistered devices to unregistered table, and store up to n MB data (<sequential_number> MB available): Select to list unknown devices as unregistered, and allow the FortiAnalyzer unit to store up to the specified amount of log data from these devices. The default amount of storage space is 1,000 MB. The available MB figure is the space currently free on your FortiAnalyzer unit, which fluctuates and is never a fixed number.

Note: Many FortiAnalyzer features are not available for unregistered devices of unknown types. For more information about the differences between unregistered and registered devices, see “Unregistered vs. registered devices” on page 126.

Blocking unregistered device connection attempts

FortiAnalyzer units support a maximum number of devices, registered and unregistered combined. For more information, see “FortiAnalyzer device limits” on page 127. Blocking unregistered devices prevents them from connecting to the FortiAnalyzer unit and therefore frees up slots on the unit. Devices may also appear on your list of blocked devices automatically. This occurs when devices attempt to connect after the maximum number of allowed devices has been reached. To view, delete, or unblock blocked devices, go to Devices > All Devices > Blocked.

Both registered and unregistered devices count toward the maximum number of devices for a FortiAnalyzer unit. Too many unregistered devices will prevent you from adding a device. For more information, see “Manually adding or deleting a device or HA cluster” on page 129.

When devices attempt to connect to a FortiAnalyzer unit that has reached its maximum number of allowed devices, the FortiAnalyzer unit rejects the connection attempts of the excess devices and automatically adds them to the list of blocked devices.

Figure 61: Blocked devices

To block a device

1 Go to Devices > All Devices > Allowed.
2 At the bottom of the page, from Show, select Unregistered.
3 Mark the check box of the unregistered device that you want to block, then click Block.

The device appears in the blocked devices list (Devices > All Devices > Blocked).

Unblock: Register a selected device to the FortiAnalyzer unit’s device list. When the Register Device page appears, enter a name for the device, and modify other settings if required. Select OK. The device appears in the Allowed device list. For more information on registering a device, see “Manually adding or deleting a device or HA cluster” on page 129.

Delete: Remove a selected device from the list of blocked devices. If the device attempts to connect to the FortiAnalyzer unit again, it may appear in the device list as an unregistered device, according to your configuration of Unregistered Device Options. For more information, see “Configuring unregistered device options” on page 133.

Device ID: The unique ID or serial number of the blocked device.

Hardware Model: The type of device, such as FortiGate, FortiManager, FortiMail, or Syslog server.

IP Address: The IP address of the blocked device.
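The device-limit rules in “Maximum number of devices” and the admission behaviour in “Configuring unregistered device options” and “Blocking unregistered device connection attempts” interact in ways that are easy to get wrong when planning capacity. The following Python model is an added example, not Fortinet code: it encodes the Table 4 limits, the slot accounting stated in the text (each VDOM counts, an HA cluster counts once, all FortiClient installations share one slot), the three unregistered-device policies, and the block/unblock procedures, then replays the FortiAnalyzer-100B scenarios from the text. What happens when the FortiClient installation limit is reached is not stated in this guide; the model treats it as an ignored connection and marks that as an assumption.

```python
"""Model of FortiAnalyzer device-slot accounting and unregistered-device handling.

Added example, not Fortinet code. Limits are from Table 4 of this guide, the
policies are the Unregistered Device Options, and the counting rules are the
ones stated in the text. Behaviour the guide does not describe is marked.
"""
from dataclasses import dataclass, field

# (max devices and/or VDOMs, max FortiClient installations); None = no restriction
MODEL_LIMITS = {
    "FortiAnalyzer-100B": (100, 100),
    "FortiAnalyzer-400B": (200, 2000),
    "FortiAnalyzer-800B": (500, 5000),
    "FortiAnalyzer-1000B": (2000, None),
    "FortiAnalyzer-2000B": (2000, None),
    "FortiAnalyzer-4000B": (2000, None),
}
KNOWN_TYPES = {"FortiGate", "FortiManager", "FortiClient", "FortiMail"}

# The three Unregistered Device Options. For unknown (Syslog) types the third
# option only stores data; Syslog devices are never registered.
IGNORE, UNREGISTERED, AUTO_REGISTER = "ignore", "unregistered", "auto-register"


@dataclass
class Device:
    device_id: str     # serial number, or the primary member's ID for an HA cluster
    dev_type: str
    vdoms: int = 1     # each VDOM consumes a slot; an HA cluster is one Device


@dataclass
class FortiAnalyzer:
    model: str
    known_policy: str = AUTO_REGISTER
    unknown_policy: str = UNREGISTERED
    registered: dict = field(default_factory=dict)
    unregistered: dict = field(default_factory=dict)
    blocked: dict = field(default_factory=dict)
    forticlient_installs: int = 0

    def slots_used(self) -> int:
        """Registered and unregistered devices both count toward the model limit."""
        devices = (*self.registered.values(), *self.unregistered.values())
        used = sum(max(d.vdoms, 1) for d in devices)
        return used + (1 if self.forticlient_installs else 0)  # FortiClient shares one slot

    def slots_free(self) -> int:
        return MODEL_LIMITS[self.model][0] - self.slots_used()

    def connect(self, dev: Device) -> str:
        """Outcome of a connection attempt: registered, unregistered, ignored or blocked."""
        if dev.device_id in self.blocked:
            return "blocked"
        if dev.device_id in self.registered:
            return "registered"
        policy = self.known_policy if dev.dev_type in KNOWN_TYPES else self.unknown_policy
        if policy == IGNORE:
            return "ignored"
        if dev.dev_type == "FortiClient":
            fc_limit = MODEL_LIMITS[self.model][1]
            if fc_limit is not None and self.forticlient_installs >= fc_limit:
                return "ignored"          # assumption: the guide does not say what happens
            if self.forticlient_installs == 0 and self.slots_free() < 1:
                return "blocked"          # the first install needs the shared slot
            self.forticlient_installs += 1
            return "registered"
        needed = 0 if dev.device_id in self.unregistered else max(dev.vdoms, 1)
        if needed > self.slots_free():
            self.blocked[dev.device_id] = dev   # over the limit: rejected and blocked
            return "blocked"
        if policy == AUTO_REGISTER and dev.dev_type in KNOWN_TYPES:
            self.unregistered.pop(dev.device_id, None)
            self.registered[dev.device_id] = dev
            return "registered"
        self.unregistered[dev.device_id] = dev
        return "unregistered"

    def block(self, device_id: str) -> None:
        """Devices > All Devices > Allowed > Block: frees the device's slots."""
        dev = self.unregistered.pop(device_id, None) or self.registered.pop(device_id, None)
        if dev is not None:
            self.blocked[device_id] = dev

    def unblock(self, device_id: str) -> bool:
        """Devices > All Devices > Blocked > Unblock: registers the device if slots allow."""
        dev = self.blocked.get(device_id)
        if dev is None or max(dev.vdoms, 1) > self.slots_free():
            return False
        del self.blocked[device_id]
        self.registered[device_id] = dev
        return True


if __name__ == "__main__":
    faz = FortiAnalyzer("FortiAnalyzer-100B")
    for i in range(91):
        faz.connect(Device(f"FGT{i:03d}", "FortiGate"))
    print(faz.connect(Device("FGT-VDOM", "FortiGate", vdoms=9)), faz.slots_free())
    print(faz.connect(Device("FGT-EXTRA", "FortiGate")), sorted(faz.blocked))
```

Run the scenarios against your own inventory before picking a model: a handful of FortiGate units with many VDOMs exhausts a 100-device model much faster than the device count suggests.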


Configuring device groups

When you have multiple devices belonging to a department or section of your organization, you may want to create device groups to simplify log browsing or report configuration. A device can belong to multiple groups; however, the device cannot be deleted from the device list until it is removed from all groups. To view device groups, go to Device > Group > Device Group.

Figure 62: Device groups

Show: Select the device group type to display, such as FortiGate, FortiManager, FortiMail or Syslog groups.

Group Name: The name of the device group.

Members: The names of devices that belong to the device group.

To configure a device group

1 Go to Device > Group > Device Group.
2 Select Create New to configure a new device group, or select the Edit icon to reconfigure an existing device group.

Group Name: Enter a name for the device group.

Group Type: Select the device group type that you want to create: FortiGate Group, FortiMail Group, FortiManager Group, or Syslog Group. When you select a group type, the devices that are available to that group appear in the Available Devices field. FortiClient installations are treated as a single device, and so cannot be configured as a device group.

Available Devices: The available devices for the group type you selected in Group Type. Select a device and then use the -> arrow to move it to the Members field.

Members: The devices that belong to the group you are creating. To remove a device from the Members field, select the device and then select the <- arrow.

3 Select OK.

Classifying FortiGate network interfaces

After a FortiGate unit is added to the FortiAnalyzer unit, you need to assign each FortiGate network interface to a network interface class (None, LAN, WAN, or DMZ) based on how the interface is used in your network. Traffic between classes determines traffic flow direction for reports.

Through the FortiAnalyzer CLI command config log device, you can classify network interfaces and VLAN subinterfaces according to their connections in your network topology. Classifying the device’s network interfaces and VLAN subinterfaces as None, LAN, WAN or DMZ indirectly defines the direction of traffic flowing between those interfaces. For example, FortiAnalyzer units consider log messages of traffic flowing from a WAN class interface to a LAN or DMZ class interface to represent incoming traffic.

Some report types for FortiGate devices include traffic direction (inbound or outbound traffic flow). When the FortiAnalyzer unit generates reports involving traffic direction, it compares the values in the source and destination interface fields of the log messages with your interface classifications to determine the direction. Table 5 shows the direction derived from each combination of source and destination interface class. Traffic through an interface left as None is Unclassified in those reports, so classify every interface that carries traffic you want reported. For more information on classifying FortiGate network interfaces, see the FortiAnalyzer CLI Reference.

Table 5: Traffic directionality by class of the source and destination interface

Source interface class | Destination interface class | Traffic direction
None                   | All types                   | Unclassified
All types              | None                        | Unclassified
WAN                    | LAN, DMZ                    | Incoming
WAN                    | WAN                         | External
LAN, DMZ               | LAN, DMZ                    | Internal
LAN, DMZ               | WAN                         | Outgoing

Example: Your FortiGate unit has four interfaces, port1 to port4. port1 is connected to the WAN; port2 and port3 are connected to the LAN; port4 is connected to the DMZ. In this case, traffic from port1 (WAN) to port2 (LAN) is considered incoming, while traffic from port2 to port1 is considered outgoing.
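The following Python script is an added example, not FortiAnalyzer code, showing the derivation the text describes: it reads the srcintf and dstintf fields of FortiGate traffic log messages, maps them to the classes you assigned, and applies Table 5. The log lines are constructed for the example in the key=value form FortiGate units emit, not captured from a real unit; the interface classes are those of the example above (port1 WAN, port2 and port3 LAN, port4 DMZ), with port5 deliberately left unclassified to show the None rows of the table.

```python
"""Traffic direction from FortiGate log messages, following Table 5.

Added example, not FortiAnalyzer code. Sample log lines are constructed,
interface classes are the ones from the worked example in this section.
"""
import shlex
from collections import Counter

# Table 5, keyed by (source class, destination class). Anything not listed,
# including a source or destination classified None, is Unclassified.
DIRECTION_RULES = {
    ("WAN", "LAN"): "Incoming", ("WAN", "DMZ"): "Incoming",
    ("WAN", "WAN"): "External",
    ("LAN", "LAN"): "Internal", ("LAN", "DMZ"): "Internal",
    ("DMZ", "LAN"): "Internal", ("DMZ", "DMZ"): "Internal",
    ("LAN", "WAN"): "Outgoing", ("DMZ", "WAN"): "Outgoing",
}

# Interface classification from the example; unlisted interfaces are class None.
INTERFACE_CLASSES = {"port1": "WAN", "port2": "LAN", "port3": "LAN", "port4": "DMZ"}

# Constructed sample traffic log lines (not captured from a real unit).
SAMPLE_LOGS = [
    'date=2011-03-21 time=10:00:01 devname=FG-1000-1 type=traffic subtype=allowed '
    'srcip=203.0.113.9 srcintf=port1 dstip=10.0.0.20 dstintf=port2 service=HTTP action=accept',
    'date=2011-03-21 time=10:00:02 devname=FG-1000-1 type=traffic subtype=allowed '
    'srcip=10.0.0.20 srcintf=port2 dstip=198.51.100.7 dstintf=port1 service=HTTPS action=accept',
    'date=2011-03-21 time=10:00:03 devname=FG-1000-1 type=traffic subtype=allowed '
    'srcip=10.0.0.20 srcintf=port2 dstip=10.0.1.8 dstintf=port4 service=SMTP action=accept',
    'date=2011-03-21 time=10:00:04 devname=FG-1000-1 type=traffic subtype=allowed '
    'srcip=203.0.113.9 srcintf=port1 dstip=198.51.100.7 dstintf=port1 service=DNS action=accept',
    'date=2011-03-21 time=10:00:05 devname=FG-1000-1 type=traffic subtype=allowed '
    'srcip=10.0.0.20 srcintf=port2 dstip=172.16.0.3 dstintf=port5 msg="unclassified interface" action=accept',
]


def parse_log_line(line: str) -> dict:
    """Split a raw log message into its fields; quoted values keep their spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def direction(src_class: str, dst_class: str) -> str:
    """Apply Table 5 to a pair of interface classes."""
    return DIRECTION_RULES.get((src_class, dst_class), "Unclassified")


def classify(line: str, classes: dict = INTERFACE_CLASSES) -> str:
    """Direction of one log message, derived from srcintf/dstintf as reports do."""
    fields = parse_log_line(line)
    src = classes.get(fields.get("srcintf", ""), "None")
    dst = classes.get(fields.get("dstintf", ""), "None")
    return direction(src, dst)


def summarize(lines, classes: dict = INTERFACE_CLASSES) -> dict:
    """Count messages per direction, the input a direction-based report starts from."""
    return dict(Counter(classify(line, classes) for line in lines))


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        f = parse_log_line(line)
        print(f"{f['srcintf']} -> {f['dstintf']}: {classify(line)}")
    print(summarize(SAMPLE_LOGS))
```

An unexpectedly large Unclassified count in the summary is the quickest sign that an interface or VLAN subinterface was never classified.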


Log & Archive

The Log & Archive menu displays log messages and DLP archives from other devices and from the FortiAnalyzer unit itself.

This topic includes:
• Viewing log messages
• Browsing log files
• Backing up logs and archived files
• Configuring rolling and uploading of devices’ logs
• Using eDiscovery

Viewing log messages

Log & Archive > Log Access displays logs for devices that were added to the device list, as well as for the FortiAnalyzer unit itself. You can view log messages from all devices or from a particular device, in real time or within a specified time frame. For more information about log messages from FortiGate units, see the FortiGate Log Message Reference. To view all log messages, go to Log & Archive > Log Access > All Logs.

Note: FortiAnalyzer units cannot display logs from unregistered devices of unknown types. Add the device first to view the logs of an unknown type device. For more information about adding a device to the device list, see “Configuring connections with devices & their disk space quota” on page 123.

You may need to reschedule the time when logs are rolled because the log file size is now reduced. For example, log files that were rolled every two months may now need to be rolled only every four months. Fortinet recommends upgrading both the FortiGate and FortiAnalyzer units to 4.0 MR1 or later firmware to take full advantage of this feature.

Note: FortiGate units send log messages to the FortiAnalyzer unit only after a session is closed. All real-time log messages you view on the FortiAnalyzer unit therefore do not reflect the real-time activities on the FortiGate units.

Note: The columns that appear reflect the content found in the log file. You can select an item in a column to display more information.


Figure 63: All device logs

Show: Select the type of device you want to view logs from. You can select multiple devices.

Timeframe: Select the time frame during which you want to display the logs.

Realtime Log: Click to view the real-time device log messages. After selecting Realtime Log, the Historical Log icon appears. Select it to go back to viewing logs within a specified time frame.

Column Settings: Click to change the columns to view and the order in which they appear on the page. For more information, see “Displaying and arranging log columns” on page 143.

Printable Version: Click to download an HTML file containing all log messages that match the current filters. The HTML file is formatted to be printable. The time required to generate and download large reports varies by the total number of log messages, the complexity of any search criteria, the specificity of your column filters, and the speed of your network connection.

Download Current View: Click to download log files in text (.txt), comma-separated value (.csv), or standard .log (Native) file format. You can also choose to compress the log files with gzip before they are downloaded. The downloaded version matches the current log view, containing only log messages that match your current filter settings.

Search: Enter a keyword to perform a simple search on the available log information, then press the Enter key to begin the search.

Advanced Search: Select to search the device logs for matching text using two search types: Quick Search and Full Search. For more information, see “Searching the logs” on page 146.

Last Activity: The date and time the log was received by the FortiAnalyzer unit.

Device ID: The ID of the device that sent the log.

Type: The log type.

Level: The severity level of the log.

Timestamp: The date and time when the event occurred on the device that sent the log.

Details: The detailed information of the log.

View n per page: Select the number of rows of log entries to display per page. You can choose up to 1000 entries.

Current Page: Enter a page number, then press Enter to go to that page.

Change Display Options: Select a view of the log file. Formatted (the default) displays the log in columns. Raw displays the log information as it actually appears in the log file.

Note: Log messages received from a log aggregation device are scheduled transfers, not real-time messages, so log aggregation devices do not appear in the Real-time log page. Individual high availability (HA) cluster members also do not appear in the Real-time log page because HA members are treated as a single device. For more information about log aggregation, see “Configuring log aggregation” on page 100.

To view a type of log, go to Log & Archive > Log Access and select a log type:
• Traffic: records all traffic to and through the interfaces on a device.
• Event: records all event activities, such as an administrator adding a firewall policy on a FortiGate unit.
• IPS (Attack): records all attacks that occur against your network. These log messages also contain links to the Fortinet Vulnerability Encyclopedia, where you can better assess the attack.
• Application Control: records the application traffic generated by the applications on the device.
• Web Filter: records HTTP rating errors, including web content blocking actions that the device performs.
• AntiVirus: records virus incidents in Web, FTP, and email traffic.
• Data Leak (DLP): provides information concerning files, such as email messages and web pages, that are archived on the FortiAnalyzer unit by the device.
• VoIP: provides information on VoIP traffic on the device. By default, this option is not available. To make it appear, enable it in System > Admin > Settings.
• Email Filter: records IMAPS, POP3S, and SMTPS email traffic.
• Network Scan: records the vulnerability scan activities on the device.
• History: records all mail traffic going through the FortiMail unit. By default, this option is not available. To make it appear, enable it in System > Admin > Settings.
• IM: records instant message text, audio communications, and file transfers attempted by users. By default, this option is not available. To make it appear, enable it in System > Admin > Settings.
• Generic Syslog: records syslog server activities. By default, this option is not available. To make it appear, enable it in System > Admin > Settings.

Customizing the log view

Log messages can be displayed in either Raw or Formatted view.

• Raw view displays log messages exactly as they appear in the log file.

• Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison. When displaying log messages in Formatted view, you can customize the log view by hiding, displaying and arranging columns and/or by filtering columns, refining your view to include only those log messages and fields that you want to see.

To display logs in Raw or Formatted view, go to a page that displays log messages, such as Log & Archive > Log Access > All Logs, and select Change Display Options > Raw/Formatted at the bottom of the page. By default, log messages appear in Formatted view.

Note: When selecting Change Display Options for some log types, Resolve Host Name, Resolve Services, or both may appear in addition to Formatted and Raw.

• Resolve Host Name: Select to display recognizable device names rather than IP addresses. For more information about configuring IP address host names, see “Configuring IP aliases” on page 104.

• Resolve Services: Select to display the network service names rather than the port numbers, such as HTTP rather than port 80.


Figure 64: Change display options

If you select Formatted, options appear that enable you to display and arrange log columns and/or filter log columns.

Displaying and arranging log columns

When viewing logs in Formatted view, you can display, hide and re-order columns to display only relevant categories of information in your preferred order. For most columns, you can also filter data within the columns to include or exclude log messages which contain your specified text in that column. For more information, see “Filtering logs” on page 144.

To display or hide columns

1 Go to a page which displays log messages, such as Log & Archive > Log Access > All Logs.

2 Select Column Settings. Lists of available and displayed columns for the log type appear.


3 Select which columns to hide or display.

• In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Display Fields area. Alternatively, to display all columns, select the double right arrow.

• In the Display Fields area, select the names of individual columns you want to hide, then select the single left arrow to move them to the Available Fields area. Alternatively, to hide all columns, select the double left arrow.

• To return all columns to their default displayed/hidden status, select Default.

4 Select OK.

To change the order of the columns

1 Go to a page which displays log messages, such as Log & Archive > Log Access > All Logs.

2 Select Column Settings. Lists of available and displayed columns for the log type appear.

3 In the Display Fields area, select a column name whose order of appearance you want to change.

4 Select the up or down arrow to move the column in the ordered list. Placing a column name towards the top of the Display Fields list will move the column to the left side of the Formatted log view.

5 Select OK.

Filtering logs

When viewing log messages in Formatted view, you can filter columns to display only those log messages that do or do not contain your specified content in that column. By default, most column headings contain a gray filter icon, which becomes green when a filter is configured and enabled. Filters do not appear when viewing logs in Raw view, or for unindexed log fields in Formatted view. When you are viewing real-time logs, filtering by time is not supported; by definition of the real-time aspect, only current logs are displayed. You can download filtered logs when you select Download Current View.


Figure 65: Filter icons

To filter log messages by column contents

1 In the heading of the column that you want to filter, select the filter icon to open the log filtering window.

2 Select Enable.

3 If you want to exclude log messages with matching content in this column, select NOT. If you want to include log messages with matching content in this column, deselect NOT.

4 Enter the text that matching log messages must contain. Matching log messages will be excluded or included in your view based upon whether you have selected or deselected NOT.

5 Select OK. A column’s filter icon is green when the filter is currently enabled. You can select Download Current View to download only log messages which meet the current filter criteria.

To disable a filter

1 In the heading of the column whose filter you want to disable, select the filter icon. A column’s filter icon is green when the filter is currently enabled.

2 To disable the filter on this column, deselect Enable. Alternatively, to disable the filters on all columns, select Clear All Filters. This disables the filter; it does not delete any filter text you might have configured.

3 Select OK. A column’s filter icon is gray when the filter is currently disabled.

Filtering tips

When filtering by source or destination IP, you can use the following in the filtering criteria:

• a single address (2.2.2.2)


• an address range using a wild card (1.2.2.*)

• an address range (1.2.2.1-1.2.2.100)

You can also use a Boolean operator (or) to indicate mutually exclusive choices:

• 1.1.1.1 or 2.2.2.2

• 1.1.1.1 or 2.2.2.*

• 1.1.1.1 or 2.2.2.1-2.2.2.10

Most column filters require that you enter the column’s entire contents to successfully match and filter contents; partial entries do not match the entire contents, and so will not create the intended column filter.

For example, if the column contains a source or destination IP address (such as 192.168.2.5), to create a column filter, enter the entire IP address to be matched. If you enter only one octet of the IP address (such as 192), the filter will not completely match any of the full IP addresses, and so the resulting filter would omit all logs, rather than including those logs whose IP address contains that octet.

Exceptions to this rule include columns that contain multiple words or long strings of text, such as messages or URLs. In those cases, you may be able to filter the column using a substring of the text contained by the column, rather than the entire text contained by the column.
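As an added example (not FortiAnalyzer code), the following Python models the column filter rules above: an IP column matches only a complete address expression (a single address, a 1.2.2.* wild card, an explicit range, or alternatives joined with "or"), so a lone octet omits every log, while message and URL columns accept a substring. It goes beyond the filtering tips by also accepting the CIDR, netmask and abbreviated-range forms listed later under Search tips; the column names src, dst, msg and url and the sample rows are assumptions.

```python
import ipaddress
import re

# Columns whose filter must match the entire cell (assumption: the IP columns are src/dst)
IP_COLUMNS = {"src", "dst"}
# Columns that accept a substring, as the page says for messages and URLs (assumed names)
SUBSTRING_COLUMNS = {"msg", "url"}


def _ip_int(text):
    """Integer value of a dotted IPv4 address; raises ValueError when malformed."""
    return int(ipaddress.IPv4Address(text))


def _parse_ip_term(term):
    """Return the inclusive (low, high) integer bounds of one IP filter term.

    Accepts a single address, a wild-card octet form (1.2.2.*), an explicit
    range (1.2.2.1-1.2.2.100) and, beyond the filtering tips, the search-tip
    forms: CIDR or dotted netmask (172.16.1.1/24, 172.16.1.1/255.255.255.0)
    and an abbreviated range (172.16.1.1-140.255). Returns None when the term
    is not a complete address expression, e.g. a lone octet such as "192".
    """
    term = term.strip()
    if "/" in term:
        # strict=False lets a host address such as 172.16.1.1/24 stand for its network
        net = ipaddress.IPv4Network(term, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if "-" in term:
        start, end = term.split("-", 1)
        start_octets, end_octets = start.split("."), end.split(".")
        if len(start_octets) != 4 or not 1 <= len(end_octets) <= 4:
            return None
        # 172.16.1.1-140.255 means 172.16.1.1 up to 172.16.140.255
        end_octets = start_octets[: 4 - len(end_octets)] + end_octets
        return _ip_int(".".join(start_octets)), _ip_int(".".join(end_octets))
    octets = term.split(".")
    if len(octets) != 4:
        return None  # partial address: matches nothing
    low = ".".join("0" if o == "*" else o for o in octets)
    high = ".".join("255" if o == "*" else o for o in octets)
    return _ip_int(low), _ip_int(high)


def ip_filter_matches(expr, value):
    """True when the cell value (one IPv4 address) satisfies the filter text.

    Alternatives separated by "or" are tried in turn; a term that is not a
    complete address expression matches nothing, which is why filtering on a
    single octet omits every log instead of including those containing it.
    """
    try:
        addr = _ip_int(value)
    except ValueError:
        return False
    for term in re.split(r"\s+or\s+", expr.strip(), flags=re.IGNORECASE):
        try:
            bounds = _parse_ip_term(term)
        except ValueError:  # also covers AddressValueError and NetmaskValueError
            bounds = None
        if bounds is not None and bounds[0] <= addr <= bounds[1]:
            return True
    return False


def column_filter_matches(column, filter_text, cell, negate=False):
    """Apply one column filter; negate models the NOT check box."""
    if column in IP_COLUMNS:
        hit = ip_filter_matches(filter_text, cell)
    elif column in SUBSTRING_COLUMNS:
        hit = filter_text.lower() in cell.lower()
    else:
        hit = filter_text.lower() == cell.lower()  # entire contents required
    return not hit if negate else hit


def apply_filters(rows, filters):
    """Keep the rows (dicts, one per Formatted-view log line) that pass every
    enabled filter. filters maps a column name to (text, negate)."""
    return [
        row for row in rows
        if all(column_filter_matches(col, text, row.get(col, ""), negate)
               for col, (text, negate) in filters.items())
    ]


# Constructed sample rows, not real log data
SAMPLE_ROWS = [
    {"src": "192.168.2.5", "dst": "10.0.0.1", "action": "deny",
     "msg": "blocked by policy 7", "url": "http://example.com/login?sid=abc123"},
    {"src": "192.168.2.77", "dst": "10.0.0.2", "action": "accept",
     "msg": "allowed by policy 2", "url": "http://example.com/index.html"},
    {"src": "172.16.140.9", "dst": "10.0.0.1", "action": "deny",
     "msg": "blocked by policy 3", "url": "http://intranet.example/"},
]

if __name__ == "__main__":
    # A lone octet omits everything; the wild-card form keeps the 192.168.2.x rows
    print(apply_filters(SAMPLE_ROWS, {"src": ("192", False)}))
    print([r["src"] for r in apply_filters(
        SAMPLE_ROWS, {"src": ("192.168.2.*", False), "msg": ("blocked", False)})])
```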

Searching the logs

When viewing device logs and archived files, you may find that some of them have a button called Advanced Search. You can use the button to search the device’s log files for matching text using two search types: Quick Search and Full Search. For more information, see “Viewing log messages” on page 139 and “Viewing DLP archives” on page 149.

You can use Quick Search to find results more quickly if your search terms are relatively simple and you only need to search indexed log fields. Indexed log fields are those that appear with a filter icon when browsing the logs in column view; unindexed log fields do not contain a filter icon for the column or do not appear in column view but do appear in the raw log view. Quick Search keywords cannot contain:

• special characters such as single or double quotes (‘ or ") or question marks (?)


• wild card characters (*), except as the last character of a keyword (logi*)

You can use Full Search if your search terms are more complex, and require the use of special characters or log fields not supported by Quick Search. Full Search performs an exhaustive search of all log fields, both indexed and unindexed, but is often slower than Quick Search. You can stop any search before the search is complete by selecting Stop Search beside Full Search.

Figure 66: Log search

Name of the GUI item Description

Device/Group Select to search logs from the FortiAnalyzer unit (Local Logs), a device, or a device group.

Time Period Select to search logs from a time frame, or select Specify and define a custom time frame by selecting the From and To date times.

From Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specify.

To Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specify.

Keyword(s) Enter search terms which will match to yield log message search results. To specify that results must include all, any, or none of the keywords, select these options in Match.

Quick Search Select to perform a quick search. Keywords for a quick search cannot contain special characters. Quick Search examines only indexed fields.

Full Search Select to perform a full search. Keywords for a full search may contain special characters. Full Search examines all log message fields.

Stop Search Select to stop the search before it is completed. This option is grayed out unless there is a search in progress.

More Options Select the Expand Arrow to hide or expand additional search options.

Match Select how keywords are used to match log messages which comprise search results.

• All Words: Select to require that matching log messages must contain all search keywords. If a log message does not contain one or more keywords, it will not be included in the search results.

• Any Words: Select to require that matching log messages must contain at least one of the search keywords. Any log message containing one or more keyword matches will be included in the search results.

• Does Not Contain the Words: Select to require that matching log messages must not contain the search keywords. If a log message contains any of the search keywords, it will be excluded from the search results.


Other Filters Specify additional criteria, if any, that can be used to further restrict the search criteria.

• Log Type: Select to include only log messages of the specified type. For example, selecting Traffic would cause search results to include only log messages containing type=traffic.

• Log Level: Select to include only log messages of the specified severity level. For example, selecting Notice would cause search results to include only log messages containing pri=notice.

• Source IP: Enter an IP address to include only log messages containing a matching source IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing src=192.168.2.1 and/or content log messages containing a client IP address of 192.168.2.1.

• Destination IP: Enter an IP address to include only log messages containing a matching destination IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing dst=192.168.2.1 and/or content log messages containing a server IP address of 192.168.2.1.

• User Name: Enter a user name to include only log messages containing a matching authenticated firewall user name. For example, entering userA would cause search results to include only log messages containing user="userA".

• Group Name: Enter a group name to include only log messages containing a matching authenticated firewall group name. For example, entering groupA would cause search results to include only log messages containing group="groupA".

Search tips

If your search does not return the results you expect, but log messages exist that should contain matching text, examine your keywords and filter criteria using the following search characteristics and recommendations.

• Separate multiple keywords with a space (type=webfilter subtype=activexfilter).

• Keywords cannot contain unsupported special characters. Supported characters vary by selection of Quick Search or Full Search.

• Keywords must literally match log message text, with the exception of case insensitivity and wild cards; resolved names and IP aliases will not match.

• Some keywords will not match unless you include both the log field name and its value (type=webfilter).

• Remove unnecessary keywords and search filters which can exclude results. In More Options, if All Words is selected, for a log message to be included in the search results, all keywords must match; if any of your keywords do not exist in the message, the match will fail and the message will not appear in search results. If you cannot remove some keywords, select Any Words.

• You can use the asterisk (*) character as a wild card (192.168.2.*). For example, you could enter any partial term or IP address, then enter * to match all terms that have identical beginning characters or numbers.

• You can search for IP ranges, including subnets. For example:

• 172.16.1.1/24 or 172.16.1.1/255.255.255.0 matches all IP addresses in the subnet 172.16.1.1/255.255.255.0

• 172.16.1.1-140.255 matches all IP addresses from 172.16.1.1 to 172.16.140.255


• You can search for URLs in multiple ways, using part or all of the URL. Searching for the full URL may not return enough results if the URL contains random substrings, such as session IDs. If your search keywords do not return enough results, try one of the following:

• Full Search

• shortening your keyword to the smallest necessary substring of the URL

• shortening your keyword to a substring of the URL delimited by slash (/) characters

• The search returns results that match all, any, or none of the search terms, according to the option you select in Match. For example, if you enter into Keyword(s):

192.168.* action=login

and if from Match you select All Words, log messages for attacks on 192.168.* by W32/Stration.DU@mm do not appear in the search results, since although the first keyword (the IP address) appears in attack log messages, the second keyword (the name of the attack) does not appear, and so the match fails. If the match fails, the log message is not included in the search results.
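The Match semantics and the 192.168.* action=login example above, worked in Python as an added example rather than anything from the guide; the key=value log lines are constructed, and treating each whitespace-separated token and its bare value as the unit a keyword must literally match is an assumption.

```python
import fnmatch

# Characters the page says Quick Search keywords cannot contain (straight and curly quotes)
QUICK_SEARCH_FORBIDDEN = set("'\"?\u2018\u2019\u201c\u201d")


def quick_search_keyword_ok(keyword):
    """Quick Search rule: no quotes or question marks, and a wild card (*)
    only as the last character of the keyword (logi*)."""
    if any(ch in QUICK_SEARCH_FORBIDDEN for ch in keyword):
        return False
    return "*" not in keyword[:-1]


def _candidates(token):
    """Strings a keyword may literally match inside one field=value token:
    the token itself and its bare value (assumption: quotes are ignored, so
    the keyword userA matches user="userA" as the Other Filters entries say)."""
    bare = token.replace('"', "")
    yield bare
    if "=" in bare:
        yield bare.split("=", 1)[1]


def keyword_matches(keyword, line):
    """Case-insensitive literal match with * as a wild card. The keyword must
    cover a whole token or value, so 192 does not match 192.168.2.5 but
    192.168.* does. fnmatch also treats ? and [] as pattern characters,
    a simplification of Full Search."""
    pattern = keyword.lower()
    return any(fnmatch.fnmatchcase(cand.lower(), pattern)
               for token in line.split() for cand in _candidates(token))


def line_matches(line, keywords, match):
    """Match option from More Options: all, any or none of the keywords."""
    found = [keyword_matches(k, line) for k in keywords]
    if match == "all":
        return all(found)
    if match == "any":
        return any(found)
    if match == "none":
        return not any(found)
    raise ValueError("match must be 'all', 'any' or 'none'")


def search(lines, keyword_string, match="all", quick=False):
    """Return the lines a search with the given Keyword(s) and Match option
    yields; quick=True applies the Quick Search keyword restrictions."""
    keywords = keyword_string.split()  # keywords are separated by spaces
    if quick:
        bad = [k for k in keywords if not quick_search_keyword_ok(k)]
        if bad:
            raise ValueError("not allowed in Quick Search: " + ", ".join(bad))
    return [line for line in lines if line_matches(line, keywords, match)]


# Constructed raw log lines in FortiGate key=value style, not real data
SAMPLE_LINES = [
    'date=2011-03-21 time=10:15:02 type=event subtype=admin pri=notice '
    'user="admin" action=login status=success src=192.168.2.5',
    'date=2011-03-21 time=10:15:40 type=attack subtype=ips pri=alert '
    'src=192.168.2.99 dst=10.0.0.5 attack_name="W32/Stration.DU@mm" action=dropped',
    'date=2011-03-21 time=10:16:11 type=webfilter subtype=activexfilter pri=warning '
    'src=172.16.1.7 url="http://example.com/x.cab" action=blocked',
]

if __name__ == "__main__":
    # All Words: the attack line carries a 192.168.* address but not action=login,
    # so it drops out; Any Words keeps it
    print(len(search(SAMPLE_LINES, "192.168.* action=login", "all")))  # 1
    print(len(search(SAMPLE_LINES, "192.168.* action=login", "any")))  # 2
```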

Viewing DLP archives

DLP archiving provides a method of simultaneously logging and archiving copies of content transmitted over your network, such as email messages and web pages.

FortiGate units can log metadata for common user content-oriented protocols. DLP logs include information such as the senders, recipients, and the content of email messages and files. If full DLP archiving is enabled, FortiGate units can also archive a copy of the associated file or message with the DLP log message. Both FortiGate DLP archive logs and their associated copies of files or messages can be stored and viewed remotely on a FortiAnalyzer unit, leveraging its large storage capacity for large media files that can be common with multimedia content.

When DLP archives are received by the FortiAnalyzer unit, you can use data filtering similar to other log files to track and locate specific email or instant messages, or to examine the contents of archived files. For more information about how to configure the FortiGate unit to send DLP archives to the FortiAnalyzer unit, see the FortiGate Administration Guide.

You can view DLP archives of these types:

• IPS Packet

• Quarantine

• Web

• Email

• FTP

• IM

• VoIP Log

• MMS (By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.)


You can view full and/or summary DLP archives. Summary DLP archives are those which contain only a log message consisting of summary metadata. Full DLP archives are those which contain both the summary and a hyperlink to the associated archived file or message. For example, if the FortiAnalyzer unit has a full DLP archive for an email message, the subject log field of email DLP archives contains a link that enables you to view that email message. If the FortiAnalyzer unit has only a DLP archive summary, the subject field does not contain a link. Whether or not each DLP archive will be full or summary varies by:

• whether the device is configured to send full DLP archives

• whether the content satisfies DLP archiving requirements

• whether the FortiAnalyzer unit has the file or message associated with the summary log message (that is, full DLP archives do not appear if you have deleted the associated file or message)

For more information about requirements and configuration of DLP archiving, see the FortiGate Administration Guide. To view DLP archives, go to Log & Archive > Archive Access. Select a DLP archive type. Each type has similar controls.

Figure 67: Email archive

Note: The columns that appear reflect the content found in the archive file. You can select an item in a column to display more information.



Name of the GUI item Description

Show To view the archives from a single FortiGate unit, select the FortiGate unit from the list. Select All FortiGates to view a combined list of archives from all the configured FortiGate units.

Timeframe Select a time frame to display only the archived files from the specified period. Select Any time to display all the archived files.

Column Settings Select to change the columns to view and the order they appear on the page. For more information, see “Displaying and arranging log columns” on page 143. Note: This option is not available for the Quarantine type.

Printable Version Select to download an HTML file containing all DLP archive summaries that match the current filters. The HTML file is formatted to be printable. Time required to generate and download large reports varies by the total number of log messages, the complexity of any search criteria, the specificity of your column filters, and the speed of your network connection. Note: This option is not available for the Quarantine type.

Download Current View Select to download a copy of the archived file with the current filters applied. For example, if you have a filter applied to display only the entries with a particular URL, selecting Download Current View will allow you to download a log file with only the entries related to the URL configured in the filter. Note: This option is not available for the Quarantine type.

Delete associated DLP archive files Select to delete the links of all DLP archive files to the currently selected device, not the file records. Note: This option is not available for IPS Packet, Quarantine, and VoIP archive.

Search Enter a keyword to perform a simple search on the available archive information, then press the Enter key to begin the search. Note: This option is not available for the Quarantine type.

View n per page Select the number of log entries to display per page.

Current Page Enter a page number, then press Enter to go to the page.

Change Display Options Select a view of the archive file. This option is not available for the Quarantine type.

• Resolve Host Name: Select to view the IP alias instead of the client’s IP address. You must configure the IP aliases on the FortiAnalyzer unit for this setting to take effect. For more information, see “Configuring IP aliases” on page 104. This option is not available for the Email type.

• Resolve Services: Select to display the network service names rather than the port numbers, such as HTTP rather than port 80. This option is only available for the IPS Packet type.

• Formatted (the default): Select to display the log files in columnar format.

• Raw: Select to display the log information as it actually appears in the log file.

Note: DLP Archive allows you to both view logged details and to download the archived files. If you want to display only the DLP archive log file, instead go to Log & Archive > Log Browse > Log Browse and select the device’s dlog.log file. For more information, see “Browsing log files” on page 154.

Viewing quarantined files

FortiAnalyzer units can act as a central repository for files that are suspicious or known to be infected by a virus, and have therefore been quarantined by your FortiGate units. This section describes how to view quarantined files.


If a secure connection has been established with the FortiGate and FortiAnalyzer units, the communication between them is the same IPSec tunnel that the FortiGate unit uses when sending log files. For more information about configuring the FortiGate unit to send quarantined files to the FortiAnalyzer unit, see the FortiGate Administration Guide.

To view the quarantine summary, go to Log & Archive > Archive Access > Quarantine.

Figure 68: Quarantine summary

To view the details of a quarantined file

1 Go to Log & Archive > Archive Access > Quarantine.

2 Select Details for a file.

Note: Sending quarantine files to a FortiAnalyzer unit is available only on FortiGate units running FortiOS 3.0 or later. FortiAnalyzer units do not accept quarantine files from devices that are not registered with the FortiAnalyzer unit’s device list. For more information about adding devices, see “Manually adding or deleting a device or HA cluster” on page 129.

Name of the GUI item Description

Delete Select to remove the selected quarantined file summary of this device and all quarantined files under it from the hard disk.

Details Select to view the quarantined files for this device. For more information, see “To view the details of a quarantined file” on page 152.

Show Select a device from the list of available devices to display the list of quarantined files for a specific device.

Timeframe Select a span of time when quarantined files were sent to the FortiAnalyzer unit.

From Device The FortiGate unit from which the file originated. Select the expand arrow next to a FortiGate unit to view the files sent from that unit.

Type The type of quarantined file. For example, an infected file is quarantined because a virus is detected. A blocked file is quarantined because the file matches a defined file pattern. The Reason field offers additional detail.

Reason The reason a file is quarantined. This elaborates on the information in the Type field. For example, if the Type is listed as Infected, the virus name appears in the Reason field.

First Detection Time The date and time the FortiGate unit quarantined the first instance of this file, in the format yyyy/mm/dd hh:mm:ss.

Last Detection Time The date and time the FortiGate unit quarantined the last instance of this file, in the format yyyy/mm/dd hh:mm:ss, if multiple copies of this file are quarantined.

Unique The number of quarantined files from this device.

Count The number of duplicates of the same file that are quarantined. A rapidly increasing number can indicate a virus outbreak.


Name of the GUI item Description

Delete Select to remove files whose check boxes are selected.

• To delete one or more files, select the check box next to their file name, then select Delete.

• To delete all files, select the column heading check box, which selects every file’s check box, and then select Delete.

Download Select to save the file to another location when it is deemed safe for the recipient to collect. You can enter a password to protect the file. Caution: Quarantined files are suspected or known to contain a virus or other network threat. Inspecting quarantine files involves a significant security risk. Use caution when downloading quarantined files.

Details Select to view the log for this quarantined file. For information on viewing logs, see “Viewing log messages” on page 139.

Analyze Select to analyze a .sis file using the SIS Analyzer. This option is only available if there is a quarantined .sis file.

Refresh Select to update the current page.

From Device The FortiGate unit from which the file originated.

File Name The processed file name of the quarantined file.

First Detection Time The date and time the FortiGate unit quarantined the first instance of this file, in the format yyyy/mm/dd hh:mm:ss.

Last Detection Time The date and time the FortiGate unit quarantined the last instance of this file, in the format yyyy/mm/dd hh:mm:ss, if multiple copies of this file are quarantined.

Service The service by which the quarantined file was attempting to be transmitted, such as SMTP.

Checksum A 32-bit checksum the FortiGate unit created from the file.

Type The type of quarantined file. For example, an infected file is quarantined because a virus is detected. A blocked file is quarantined because the file matches a defined file pattern. The Reason field offers additional detail.

Reason The reason a file is quarantined. This elaborates on the information in the Type field. For example, if the Type is listed as Infected, the virus name appears in the Reason field.

DC Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.

View n per page Select the number of quarantine files to display per page.

Current Page By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 2/10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

Browsing log files

Log & Archive > Log Browse > Log Browse displays log files stored for both devices and the FortiAnalyzer itself. By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.

When a log file reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log, where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. For information about setting the maximum file size and log rolling options, see “Configuring rolling and uploading of devices’ logs” on page 158.

If you display the log messages in Formatted view, you can display and arrange columns and/or filter log messages by column contents. For more information, see “Customizing the log view” on page 142. For more information about log messages, see the FortiGate Log Message Reference and “Viewing log messages” on page 139.

Figure 69: Log file list

Name of the GUI item Description

Display Mark the check box of the file whose log messages you want to view, then click this button. For more information, see “Viewing log messages” on page 139.

Import Click to import log files. You can only import log files in Native format. For more information about importing log files, see “Importing a log file” on page 155.


Download Mark the check box of the log file that you want to download, click this button, then select a format for saving the log files: text (.txt), comma-separated value (.csv), or standard .log (Native). You can also select to compress the log files before saving them. For more information, see “Downloading a log file” on page 156.

Device Type Select the type of devices whose logs you want to view.

Show Log File Names Enable to display the file names of log files in the Log Files column when their log type is expanded.

Log Files A list of available log files for each device or device group. Click the group name to expand the list of devices within the group, and to view their log files. The current, or active, log file appears as well as rolled log files. Rolled log files include a number in the file name, such as vlog.1267852112.log. If you configure the FortiAnalyzer unit to delete the original log files after uploading rolled logs to an FTP server, only the current log will exist.

# The number of devices in a group, and the number of log files for a device.

From The start time when the log file was generated.

To The end time when the log file was generated.

Size (bytes) The size of the log file.

Importing a log file

You can import devices’ log files. This can be useful when restoring data or loading log data for temporary use. For example, if you have older log files from a device, you can import these logs to the FortiAnalyzer unit so that you can generate reports containing older data. Importing log files is also useful when changing your RAID configuration. Changing your RAID configuration reformats the hard disk, erasing log files. If you back up the log files, after changing the RAID configuration, you can import logs to restore them to the FortiAnalyzer unit. You can only import log files in Native format.

To import a log file

1 Go to Log & Archive > Log Browse > Log Browse.

2 Select the Device Type.

3 Expand the group name or device name to view the list of available log files under each log type.

4 Select a log file in Native format and then select Import.


5 In Device, select which device in the device list the imported log file belongs to, or select Take From Imported File to read the device ID from the log file. If you select Take From Imported File, your log file must contain a device_id field in its log messages.

6 In Filename, enter the path and file name of the log file, or select Browse.

7 Select OK. A message appears, stating that the upload is beginning, but will be cancelled if you leave the page.

8 Select OK. Upload time varies by the size of the file and the speed of the connection.

After the log file successfully uploads, the FortiAnalyzer unit inspects the log file.

• If the device_id field in the uploaded log file does not match the device, the import will fail. Select Return to attempt another import.

• If you selected Take From Imported File, and the FortiAnalyzer unit’s device list does not currently contain that device, a message appears after the upload. Select OK to import the log file and automatically add the device to the device list, or select Cancel.

Downloading a log file

You can download a log file to save it as a backup or for use outside the FortiAnalyzer unit. The download consists of either the entire log file, or a partial log file, as selected by your current log view filter settings.

To download a whole log file

1 Go to Log & Archive > Log Browse > Log Browse.

2 Select the Device Type.

3 Expand the group name or device name to view the list of available log files under each log type.

4 Select the specific log file (wlog.log, elog.log, etc.) that you want to download.

5 Select Download.


6 Select one of the following download options:

Log File format  Downloads the log in text (.txt), comma-separated value (.csv), or standard .log (Native) format. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.

Compress with gzip  Compress the .txt, .log, or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.

7 Select OK.

8 If prompted by your web browser, select a location to save the file, or open it without saving.

To download a partial log file

1 Go to Log & Archive > Log Browse > Log Browse.

2 Select the Device Type.

3 Expand the group name or device name to view the list of available log files under each log type.

4 Select the specific log file (wlog.log, elog.log, etc.) that you want to download.

5 Select Display.

6 Select a filter icon to restrict the current view to only items which match your criteria, then select OK. Filtered columns have a green filter icon, and Download Current View appears next to Printable Version. For more information about filtering log views, see “Filtering logs” on page 144.

7 Select Download Current View.


8 Select one of the following download options:

Log File Format  Downloads the log in text (.txt), comma-separated value (.csv), or standard .log (Native) format. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.

Compress with gzip  Compress the .txt, .log, or .csv file with GZIP compression. For example, downloading a log-formatted file with GZIP compression would result in a download with the file extension .log.gz.

9 Select OK.

10 If prompted by your web browser, select a location to save the file, or open it without saving.

Backing up logs and archived files

To back up both logs and associated DLP archive files, enter the CLI command execute backup logs. To back up logs only, enter execute backup logs-only. For more information, see the FortiAnalyzer CLI Reference.

Configuring rolling and uploading of devices’ logs

You can control devices’ log file size and consumption of the FortiAnalyzer disk space by configuring log rolling and/or scheduled uploads to a server.

As the FortiAnalyzer unit receives new log items, it performs the following tasks:
• verifies whether the log file has exceeded its file size limit
• if the file size is not exceeded, checks to see if it is time to roll the log file. You configure the time to be either a daily or weekly occurrence, and when the roll occurs.

When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file. Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log.

If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the web-based manager, they are in the following format:

FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz

Tip: You can also configure rolling and uploading settings for the FortiAnalyzer unit’s own log files. For details, see the FortiAnalyzer CLI Reference.
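As an added example (not Fortinet code), the following Python parses the active, rolled and uploaded file names described above and lists rolled files that have no uploaded counterpart, a check worth running before enabling Delete files after uploading. The log-type names and the sample file listings are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, List

# Added example, not Fortinet code. File name forms described in the guide:
#   active file:    xlog.log                       e.g. tlog.log
#   rolled file:    xlog.N.log                     e.g. tlog.1252929496.log
#   uploaded file:  <serial>-xlog.N.log-YYYY-MM-DD-hh-mm-ss.gz
# x is a letter for the log type; N is the time (Unix seconds) at which the
# first entry in the file was received.

# Assumed mapping for the type letters that appear in the guide.
LOG_TYPE_NAMES: Dict[str, str] = {
    "t": "traffic", "e": "event", "w": "webfilter", "v": "virus"}

ACTIVE_RE = re.compile(r"^(?P<type>[a-z])log\.log$")
ROLLED_RE = re.compile(r"^(?P<type>[a-z])log\.(?P<epoch>\d+)\.log$")
UPLOADED_RE = re.compile(
    r"^(?P<serial>[A-Z0-9]+)-(?P<type>[a-z])log\.(?P<epoch>\d+)\.log"
    r"-(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})\.gz$")


def parse_log_filename(name: str) -> dict:
    """Return the fields encoded in a FortiAnalyzer log file name.

    Raises ValueError for a name that matches none of the three forms.
    """
    for state, pattern in (("active", ACTIVE_RE), ("rolled", ROLLED_RE),
                           ("uploaded", UPLOADED_RE)):
        m = pattern.match(name)
        if m:
            return _fields(name, state, m.groupdict())
    raise ValueError(f"not a FortiAnalyzer log file name: {name!r}")


def _fields(name: str, state: str, g: dict) -> dict:
    epoch = g.get("epoch")
    ts = g.get("ts")
    return {
        "state": state,
        "serial": g.get("serial"),            # only present on uploaded files
        "type_letter": g["type"],
        "type_name": LOG_TYPE_NAMES.get(g["type"], "unknown"),
        # N: when the first entry was received, an absolute Unix time (UTC).
        "first_entry_utc": (datetime.fromtimestamp(int(epoch), tz=timezone.utc)
                            if epoch else None),
        # The upload stamp carries no zone; it is the unit's local time.
        "uploaded_at": (datetime.strptime(ts, "%Y-%m-%d-%H-%M-%S")
                        if ts else None),
        "compressed": name.endswith(".gz"),
    }


def unuploaded_rolled_files(local_names: Iterable[str],
                            remote_names: Iterable[str]) -> List[str]:
    """Rolled files on the unit with no uploaded copy on the server.

    A rolled file and its upload share the same type letter and N, so that
    pair identifies the file; the upload stamp and serial are ignored.
    """
    uploaded = set()
    for n in remote_names:
        try:
            f = parse_log_filename(n)
        except ValueError:          # unrelated files in the upload directory
            continue
        if f["state"] == "uploaded":
            uploaded.add((f["type_letter"], f["first_entry_utc"]))
    missing = []
    for n in local_names:
        f = parse_log_filename(n)
        if f["state"] == "rolled" and \
                (f["type_letter"], f["first_entry_utc"]) not in uploaded:
            missing.append(n)
    return missing


if __name__ == "__main__":
    # Constructed sample listings: what the unit holds and what reached the
    # upload server. tlog.1252930000.log never made it (e.g. server was down).
    local = ["tlog.log", "tlog.1252929496.log", "tlog.1252930000.log"]
    remote = ["FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz",
              "README"]
    print(parse_log_filename(remote[0]))
    print("not yet uploaded:", unuploaded_rolled_files(local, remote))
```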


If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby freeing the amount of disk space used by rolled log files. If the log upload fails, such as when the FTP server is unavailable, the logs are uploaded during the next scheduled upload.

To enable and configure log rolling or uploading, go to Log & Archive > Options > Log File Options.

Figure 70: Device log settings

Name of the GUI item  Description

Log file should not exceed  Enter the maximum size of each device log file.

Log file should be rolled... even if size is not exceeded  Set the time of day when the FortiAnalyzer unit renames the current log file and starts a new active log file.
• Daily: Roll log files daily, even if the log file has not yet reached maximum file size.
• Weekly: Roll log files weekly, even if the log file has not yet reached maximum file size.
• Optional: Roll log files only when the log file reaches the maximum file size, regardless of time interval.

Enable log uploading Select to upload log files to a server when a log file rolls.

Server type  Select the protocol to use when uploading to a server:
• File Transfer Protocol (FTP)
• Secure File Transfer Protocol (SFTP)
• Secure Copy Protocol (SCP)

Server IP address Enter the IP address of the log upload server.

Username Enter the user name required to connect to the upload server.

Password Enter the password required to connect to the upload server.

Confirm Password Re-enter the password to verify correct entry.

Directory Enter a location on the upload server where the log file should be saved.

Upload Files  Select when the FortiAnalyzer unit should upload files to the server.
• When rolled: Uploads logs whenever the log file is rolled, based upon Log file should be rolled.
• Daily at [hh:mm]: Uploads logs at the configured time, regardless of when or what size it rolls at according to Log file should be rolled.

Uploaded log format Select a format for uploading the log files. The format is in text (.txt), comma-separated value (.csv), or standard .log (Native) file.


Compress uploaded log files  Select to compress the log files before uploading to the server.

Delete files after uploading  Select to remove the log file from the FortiAnalyzer hard disk after the FortiAnalyzer unit completes the upload.

Using eDiscovery

eDiscovery allows you to search through the bulk of stored email from the FortiGate units, extract and download the search results, and share them with a third party if required in situations such as a lawsuit or regulatory violation action. To prove that shared data is an exact copy of the original, the FortiAnalyzer unit produces local logs indicating when each search was executed, when the search results were downloaded, and when they were deleted. In addition, the FortiAnalyzer unit generates SHA1 and MD5 digests for every search result. When a search result is downloaded to an external device, the SHA1 or MD5 digest calculated on the downloaded file must match the same digest generated by the FortiAnalyzer unit in order to prove that the search result has not been tampered with since leaving the FortiAnalyzer unit.

Log & Archive > eDiscovery > Folders displays the list of eDiscovery folders containing search results.

Figure 71: eDiscovery folders list

Name of the GUI item  Description

Download  Click to save the selected folder and the contained search results. The saved information can be shared with a third party.

Run Now  Click to refresh the search tasks in a selected folder. This will update the email lists in the search tasks.

Clone  Click to duplicate a folder to use as a basis for creating a new one.

Folder Name  The names of the eDiscovery folders that you create. For more information, see “To create eDiscovery folders” on page 162. Select the arrow beside a folder name to display the task names of the search results saved in the folder. For more information, see “Task Name” on page 163. Select a task name to view the email list. See “To view a search task” on page 163.

Creation Date  The date and time when the folder and search tasks were created.


Search Results  Each eDiscovery folder displays the number of search results contained in it. Each search task displays the number of email extracted based on the search criteria. See “To search email” on page 162.

Size (bytes)  The size of the folders and search tasks. This column also displays the status of search results:
• Completed: Search is completed and results are available for viewing.
• Incomplete: Search was interrupted by a system shutdown.
• Running: Search is in progress.
• Pending: Search has been queued and will run once other searches are completed.
• Quota Exceeded: Search was stopped because the disk quota has been exceeded.

To use eDiscovery, follow the general steps below:
• Set the disk quota for eDiscovery results out of the current disk space reserved for the system (that is, space not allocated to the devices), since the search results may take a considerable amount of disk space. See “To set the eDiscovery disk quota” on page 161.
• Create folders to store search results. Typically, you store search results that are part of a single investigation under one folder. See “To create eDiscovery folders” on page 162.
• Search email based on the search criteria and save the results to a folder where you will view, download, delete, or clone the results. See “To search email” on page 162.

To set the eDiscovery disk quota

1 Go to Log & Archive > eDiscovery > Config.


2 Enter the maximum size of disk space for storing eDiscovery search results. The used and available disk spaces also display. The size of the reserved space for eDiscovery varies by the total disk space. You cannot adjust the disk quota below the size of the existing eDiscovery results. eDiscovery results will not be saved if they exceed the disk quota.

3 Click Apply.

To create eDiscovery folders

1 Go to Log & Archive > eDiscovery > Folders.

2 Click Create New.

3 Enter a folder name.

4 Click OK.

To search email

1 Go to Log & Archive > eDiscovery > Search.

2 Complete the following search criteria:


Name of the GUI item  Description

Device  Select the FortiGate unit whose archived email you want to search.

Timeframe  Select the time period for the email that you want to search. If you click Specify, enter the start and end time.

From  Enter the sender’s email address that you want to search. This can be a full or partial email address.

To  Enter all or part of the recipient’s email address. For multiple recipients, enter any one of the recipients, or enter multiple recipient addresses in the order that they appear in the email address field, separated by a comma (,) and a space, such as: [email protected], [email protected]

Subject  Enter all or part of the subject line of the email message.

Message Contains  Enter all or part of a word or phrase in the email message.

Save to Folder  If you want to save the search results, select a folder. If you do not want to save the search results, select Don’t Save. If you want to create a new folder for the search results, select Create New, enter a folder name and select OK.

Task Name  Enter a unique name for this search task. Such a name will help you identify a particular search result in a folder. For more information, see “Folder Name” on page 160. This field appears only if you selected to save the search results to a folder in the Save to Folder field.

Description  Enter a note to describe the task name. For more information, see “Description” on page 164. This field appears only if you selected to save the search results to a folder in the Save to Folder field.

3 Do one of the following:
• If you selected Don’t Save in the Save to Folder field, select Search. The search results will display.
• If you selected a folder in the Save to Folder field, select Search & Save. The search results are saved to the selected folder.

To view a search task

1 Go to Log & Archive > eDiscovery > Folders.

2 Select the arrow beside a folder that contains the task you want to view.

3 Select the task name you want to view.


The task’s email list displays. Selecting an item displays its detailed information.

Name of the GUI item

Description

Task name The name of this search task. For more information, see “Task Name” on page 163.

Description The note for this task. For more information, see “Description” on page 163.

Device The serial number(s) of the FortiGate unit(s) of which you have searched the archived email. For more information, see “Device” on page 163.

Timeframe The date and time when the search task was created.

SHA1  The SHA1 digest for this search task. When a search result is downloaded to an external device, the SHA1 digest calculated on the downloaded file must match this digest in order to prove that the search result has not been tampered with since leaving the FortiAnalyzer unit.

MD5 The MD5 digest for this search task. When a search result is downloaded to an external device, the MD5 digest calculated on the downloaded file must match this digest in order to prove that the search result has not been tampered with since leaving the FortiAnalyzer unit.

Column Settings

Click to change the columns to view and the order they appear on the page. For more information, see “Displaying and arranging log columns” on page 143.

Last Activity The date and time that the FortiAnalyzer unit received the email from the FortiGate unit.

From The sender’s email address that was searched. This can be a full or partial email address.

To The recipient’s email address that was searched. This can be a full or partial email address.


Subject  The subject line of an email. The email list can display full and/or summary email archives. Summary email archives contain only email messages with summary metadata. Full email archives contain both the summary and a hyperlink to the associated archived message. For example, if the FortiAnalyzer unit has a full email archive for an email message, the subject column of the email contains a link that enables you to view the email message. If the FortiAnalyzer unit has only an email archive summary, the subject column does not contain a link. Whether each email archive will be full or summary varies by:
• whether the FortiGate unit is configured to send full email archives
• whether the content satisfies email archiving requirements
• whether the FortiAnalyzer unit has the file or message associated with the summary email message (that is, full email archives do not appear if you have deleted the associated message)

For more information about requirements and configuration of DLP archiving, see the FortiGate Administration Guide.

Size The size of the email message.

Attachment icon

If an email has an attachment, this icon appears.
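The digest check described under the SHA1 and MD5 columns above, as an added Python example that is not part of the FortiAnalyzer product: it streams a downloaded search result through both hashes in one pass and compares each against the digests the unit shows. The sample file contents are constructed.

```python
import hashlib
import hmac
import io
import os
import tempfile
from typing import BinaryIO, Dict, Tuple

# Added example, not FortiAnalyzer code. The unit records a SHA1 and an MD5
# digest for every search result; the copy you download must reproduce them
# before it is treated as an exact copy of the original.

CHUNK = 1024 * 1024   # read large result archives in 1 MiB pieces


def digest_stream(fh: BinaryIO) -> Tuple[str, str]:
    """Return (sha1_hex, md5_hex) of a stream, computed in a single pass."""
    sha1, md5 = hashlib.sha1(), hashlib.md5()
    for block in iter(lambda: fh.read(CHUNK), b""):
        sha1.update(block)
        md5.update(block)
    return sha1.hexdigest(), md5.hexdigest()


def bytes_digests(data: bytes) -> Tuple[str, str]:
    return digest_stream(io.BytesIO(data))


def file_digests(path: str) -> Tuple[str, str]:
    with open(path, "rb") as fh:
        return digest_stream(fh)


def verify_download(path: str, expected_sha1: str,
                    expected_md5: str) -> Tuple[bool, Dict[str, bool]]:
    """Compare a downloaded search result against the digests the unit shows.

    Both digests must match: accepting either one alone makes the check only
    as strong as the weaker hash. Expected values are normalised to
    lower-case hex and compared in constant time.
    """
    actual_sha1, actual_md5 = file_digests(path)
    checks = {
        "SHA1": hmac.compare_digest(actual_sha1, expected_sha1.strip().lower()),
        "MD5": hmac.compare_digest(actual_md5, expected_md5.strip().lower()),
    }
    return all(checks.values()), checks


# Constructed stand-in for a downloaded search result (not real eDiscovery data).
SAMPLE_RESULT = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
                 b"Subject: Q3 figures\r\n\r\nAttached as discussed.\r\n")


def write_constructed_sample(data: bytes = SAMPLE_RESULT) -> str:
    """Write the sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    path = write_constructed_sample()
    sha1_shown, md5_shown = bytes_digests(SAMPLE_RESULT)   # as read off the unit
    print(verify_download(path, sha1_shown, md5_shown))    # matches
    print(verify_download(path, sha1_shown, "0" * 32))     # MD5 mismatch
    os.remove(path)
```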


Reports

FortiAnalyzer units can collate information collected from FortiGate log files and present the information in tabular and graphical reports, which provide quick analysis of what is occurring on the network. You can create reports based on logs from the proprietary indexed file system or SQL database, depending on your SQL database configuration in System > Config > SQL Database. For more information on selecting the storage method, see “Configuring SQL database storage” on page 85.

By using reports, you can:
• minimize the effort required to identify attack patterns when customizing policies to prevent attacks
• monitor Internet surfing patterns for compliance with company policy
• identify your web site visitors for potential customers

FortiAnalyzer reports are also flexible, offering administrators a choice to compile a report layout based on variables (which can be reused) or based on specific information. Fortinet recommends a report layout based on variables, which you can then reuse.

This topic includes:
• Configuring reports from logs in the proprietary indexed file system
• Configuring reports from logs in a SQL database
• Browsing reports

Configuring reports from logs in the proprietary indexed file system

If you have disabled SQL database for log storage in System > Config > SQL Database, you must instead configure reports based on logs from the proprietary indexed file system. For information on selecting the storage method, see “Configuring SQL database storage” on page 85.

Note: Reports can only be created for registered devices and device groups. For more information about registering devices, see “Unregistered vs. registered devices” on page 126.

Note: If you want to configure custom charts, or configure a chart containing criteria for web clicks vs. web hits, see the FortiAnalyzer CLI Reference because these are only configured in the CLI. For information about new and changed reports, see “Appendix B: Report templates” on page 309.


Figure 72: Configuring SQL database

Logs must be collected or uploaded before you can generate a report. Logs are the basis of all FortiAnalyzer reports. After logs are collected or uploaded, you can then define the three basic components that make up a report based on logs from the proprietary indexed file system:
• report layout (the report template and the contents)
• output and data filter templates, language (optional components)
• report schedule (log data parameters and time range)

You need to configure a report layout and data filter before configuring the report schedule, because the report schedule requires a report layout. You also need to configure remote report output (see “Configuring report output templates” on page 91) if you want to upload completed report files to a server accepting FTP, SFTP, or SCP when scheduling a report. The layout configurations are referred to as templates because they can be applied to any report schedules that you want. If you are using data filter or output templates with a report schedule, these templates cannot be deleted. Data filter or output templates can be deleted when they are not being used by a report schedule.

Configuring a report layout

Report > Config > Layout enables you to configure and define multiple report layouts, which can then be applied to report schedules or generated immediately. There are also default report layouts for you to choose from, and they appear in the report layout list with the report layouts you created. The default layouts are:
• Bandwidth_Analysis: An overview of bandwidth consuming applications and users.
• Forensic_Analysis: An overview of detailed network activity information such as instant messaging programs and email.
• Threat_Analysis: An overview of user Anti-Virus, Intrusion Protection and Anti-Spam threats for the time period.
• Web_Filtering-Group_Activity: An overview of user web site activity for a group of users while also providing a summary and analysis information on usage and behavior.
• Web_Filtering-User_Activity: An overview of user web site activity plus detailed audit of all blocked sites and all sites visited.


When configuring a report layout, you can choose and specify each individual chart. The charts include default and customized ones. You can configure customized charts in the CLI. For more information, see the FortiAnalyzer CLI Reference.You can edit charts either during or after they are included in the report layout.

Figure 73: Report layout list

Name of the GUI item  Description

Clone  Create a duplicate of a report layout to use as a basis for creating a new report layout.

Run  Run a report layout immediately (on demand), instead of waiting for the report layout’s scheduled time.

Name  The name of the report layout given when configuring a report layout.

Description  The description or comments entered in the Description field of the report layout.

Company Name  The name of the company, if given, when configuring the report layout.

Number of Charts  The number of charts that are included in that report layout.

To configure a report layout

1 Go to Report > Config > Layout.

2 Click Create New.

3 Configure the following:


Name of the GUI item

Description

Name Enter a name for the report.

Description Enter a description, for example, for what the report is about.

Company Name

Enter the name of your company or organization.

Report Title Enter a title name for the report, for example, Report_1.

Header Enter a header name for the report.

Title Page Logo

Select the Browse logo files icon to choose a logo that will appear on the title page of the report. You need to select a logo file format that is compatible with your selected file format outputs. The logo will not appear if it is incompatible with the chosen file format. You can choose JPG, PNG, and GIF logo formats for PDF and HTML; WMF is also supported for RTF.

Header Logo Select the Browse logo files icon to choose a logo that will appear only in the header of the report. Logo formats for headers also need to be compatible with the chosen file format. The same logo formats for the title page also apply to headers.

Add Chart(s) Select to add default or user-defined charts to your report. See “To add a chart” on page 171.

Device Type

Select one of the device types from the drop-down list. The available types are FortiGate, FortiClient and FortiMail. The report’s log information will come from the selected device type. For example, if you selected FortiMail, the log information used is only FortiMail logs.

Category Select a category or all categories of charts from the drop-down list. Note: Customized charts (Custom Charts) are under Others category.

Chart Name

The names of the charts in each category. The category name is in bold, and the charts associated within that category name and data source are displayed beneath.

Action  Select the plus (+) symbol in the row containing the main chart name to add all charts of the category to the report. Select the plus (+) symbol in each row to add charts individually. When the plus (+) symbol is selected, a minus (-) symbol appears. Select the minus (-) symbol in each row to remove the selected chart or charts.

Add Section  Select to add a section to a report that keeps charts separate from each other. See “To add a section” on page 172.
• Title – Enter a name to describe the charts and information.
• Description – Enter a description, if applicable, to describe the charts.

Add Text  Select to add a note or comment about a section or to include additional information about the charts that are in the report. See “To add a text” on page 173.

4 Click OK.

Note: Report layouts cannot be deleted if they are associated with a report schedule; if you want to delete a report layout, remove that layout from the schedule it is associated with, and then delete it.

Adding charts, sections, and texts

You can add default or user-defined charts to your report. You can also add a section to a report that keeps charts separate from each other, or add a note or comment about a section or to include additional information about the charts that are in the report.

To add a chart

1 Go to Report > Config > Layout.

2 Click Create New.

3 Click Add Chart(s).


4 Select one of the device types from the Device Type drop-down list. The available types are FortiGate, FortiClient and FortiMail. The report’s log information will come from the selected device type. For example, if you selected FortiMail, the log information used is only FortiMail logs.

5 Select a category or all categories of charts from the Category drop-down list. Customized charts (Custom Charts) are under Others category.

6 In Chart Name, select the plus (+) symbol in the row containing the main chart name, such as Network Analysis, to add all charts of the category to the report. Select the plus (+) symbol in each row, such as Top Sources by Volume, to add charts individually. When the plus (+) symbol is selected, a minus (-) symbol appears. Select the minus (-) symbol in each row to remove the selected chart or charts.

7 Select OK.

To add a section

1 Go to Report > Config > Layout.

2 Click Create New.

3 Click Add Section.

4 In the Title field, enter a title for the chart.

5 In the Description field, enter a description, if applicable, to describe the charts.

6 Select OK.

To add a text

1 Go to Report > Config > Layout.

2 Click Create New.

3 Click Add Text.

4 Add a note or comment about a section, or include additional information about the charts that are in the report.

5 Select OK.

Editing charts in a report layout

After adding charts, sections, and texts, you can edit charts in a report layout at any time as well as rearrange the charts from within the Chart List. You can also edit Text and Section. You cannot edit the charts of the default report layouts. The following procedures assume you have already selected the report layout in which you want to edit charts, texts and sections. You do so by going to Report > Config > Layout.


When editing charts in a report layout, certain options are available when other options are selected. For example, if you select a bar chart style, Time Scale will appear. Options such as User and Group disappear when an LDAP query is selected.

To edit a chart

1 Go to Report > Config > Layout.

2 Click the Edit icon of a report layout. You cannot edit the charts of the default report layouts.

3 Go to Chart List and click the Edit Chart icon beside the chart name.


4 Enter the appropriate information for the selected chart. The following is a sample chart for Total IM Events per Protocol.

Name of the GUI item  Description

Chart Output  Select one of the following to display chart information:
• Table & Graph – displays both a table and graph
• Table Only – displays only a table
• Graph Only – displays only a graph

Chart Style Select a style for the chart. You can choose a bar style, column style or pie style. If you select a Bar chart style, Time Scale appears. This is available only to the Bar chart style.

Maximum Entries (TopN) Enter a number for the top ranked log information, such as top number of viruses, and if applicable, select the check box List All Results. If you select List All Results, it means that the FortiAnalyzer unit will need to list all logs for this chart, which will hang or delay report generation. Select this check box only when it is necessary.When entering a number for the maximum top entries (with pie chart style selected), any item whose percentage is less than one percent will not appear in the pie diagram; also, if no items’ percentage is greater than one percent, “Other” occupies the pie diagram, or 100 percent of the pie diagram. For example, if you enter the number five, any of the five items that have less than one percent are considered under “Other” and only “Other” displays on the pie diagram. This issue occurs only when the pie chart style is selected. The bar chart style is not affected.

Time Scale Select what type of time period you want the focus of the report to be on.

Source ID (certain charts only)

Select from the drop-down list whether to have the user name or IP address (or both) as the identification of the source. This option does not appear for all charts.

Advanced Select the following to specify the number and appearance of results in the report.

Resolve Host Names Select to display host name by an alias or reverse DNS lookup rather than IP addresses. For more information about configuring IP aliases, see “Configuring IP aliases” on page 104. If the DNS server is slow and/or does not support reverse DNS, the FortiAnalyzer report generation would hang. Select this check box only when it is necessary.

Resolve Service Names

Select to display network service names rather than port numbers such as HTTP instead of port 80.

ortiAnalyzer™ Version 4.0 MR2 Administration Guideevision 13 175ttp://docs.fortinet.com/ • Feedback


5 Click OK. If you want to rearrange the charts so that they are presented in a different order, click and drag a chart to a position above or below another chart. The order is reflected in the generated report.

To edit a section
1 Go to Report > Config > Layout.
2 Click the Edit icon of a report layout.
3 Go to Chart List and click the Edit Section icon beside the section name.

Max. number of rows for 2nd parameter (appears when Bar or Line chart style is selected)

Enter the number of rows that you want for each variable. This is available only to certain chart types.

Include “Other” Category (in graphs)

Select to include the other results that are not included in the top entries, that display in a graph.

Include Web Clicks Only

Select this option to differentiate the user-requested URLs from the non-user-driven web activities that are included in the web logs. For example, popup advertisements and images are not web clicks. The following criteria help to determine what is considered a web click when the report is being generated:
• The file name extension of the URL in the web log does not match the file types that are specified in the configuration attributes “file filter” and “custom filter”.
• The URL does not belong to the advertisement category.
• There is no previous web log from the same source IP address and user name within a short interval such as two seconds.
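A constructed illustration of the three web-click criteria above, added here as a Python example (it is not FortiAnalyzer code): it classifies sample key=value web-filter log lines, treating the contents of the “file filter” and “custom filter” extension lists, the name of the advertisement category and the two-second window as assumptions.

```python
"""Classify web-filter log entries as user 'web clicks' using the three
criteria above.  Added example, not FortiAnalyzer code."""
import posixpath
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed contents of the "file filter" and "custom filter" attributes.
FILE_FILTER = {".gif", ".png", ".jpg", ".css", ".js", ".ico"}
CUSTOM_FILTER = {".swf"}
AD_CATEGORY = "Advertising"             # assumed name of the advertisement category
CLICK_INTERVAL = timedelta(seconds=2)   # "a short interval such as two seconds"

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Parse a key=value web-filter log line into a dict; 'time' becomes a datetime."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields["time"] = datetime.strptime(f"{fields['date']} {fields['time']}",
                                       "%Y-%m-%d %H:%M:%S")
    return fields


def url_extension(url):
    """Lower-cased file name extension of the URL path ('' if none)."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def classify_clicks(lines):
    """Return [(url, is_click)] in log order.  Every log from a source counts as
    a 'previous web log' for the interval test, click or not (assumption)."""
    last_seen, result = {}, []
    for line in lines:
        entry = parse_log(line)
        key = (entry["srcip"], entry["user"])
        previous = last_seen.get(key)
        last_seen[key] = entry["time"]
        is_click = (
            url_extension(entry["url"]) not in FILE_FILTER | CUSTOM_FILTER      # criterion 1
            and entry["cat"] != AD_CATEGORY                                      # criterion 2
            and (previous is None or entry["time"] - previous >= CLICK_INTERVAL)  # criterion 3
        )
        result.append((entry["url"], is_click))
    return result


# Constructed sample log lines (not real data); field names follow FortiGate style.
SAMPLE_LOGS = [
    'date=2011-03-21 time=09:00:00 srcip=172.16.124.125 user=jsmith url="http://www.example.com/news/index.html" cat="News and Media"',
    'date=2011-03-21 time=09:00:00 srcip=172.16.124.125 user=jsmith url="http://www.example.com/img/logo.png" cat="News and Media"',
    'date=2011-03-21 time=09:00:01 srcip=172.16.124.125 user=jsmith url="http://ads.example.net/show?id=7" cat="Advertising"',
    'date=2011-03-21 time=09:00:01 srcip=172.16.124.125 user=jsmith url="http://www.example.com/css/site.css" cat="News and Media"',
    'date=2011-03-21 time=09:00:05 srcip=172.16.124.125 user=jsmith url="http://www.example.com/article/123" cat="News and Media"',
    'date=2011-03-21 time=09:00:06 srcip=172.16.124.125 user=jsmith url="http://www.example.com/article/124" cat="News and Media"',
    'date=2011-03-21 time=09:00:10 srcip=172.16.124.125 user=mjones url="http://www.example.org/" cat="Business"',
]


def count_clicks(lines=SAMPLE_LOGS):
    """Number of entries that pass all three criteria."""
    return sum(1 for _, click in classify_clicks(lines) if click)
```

Of the seven sample entries only the first page request, the article fetched four seconds later and the other user's request count as clicks; the image, stylesheet, advertisement and the request one second after the article are dropped.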

Consolidate URLs by root domain

Select to group together the URLs under the same root domain.

Override Run-time Variables

Select to specify the following that will be associated with this chart.

Device/Group – Select to specify a device or device group from the drop-down list. You can also select all devices, if applicable.

Virtual Domain (FortiGate charts only) – Enter to specify a virtual domain.

User – Enter the user’s name that you want to use in the report. You can enter multiple names in the field, using commas to separate the user names. This option disappears when an LDAP query is selected.

Group – Enter a group’s name that you want to use in the report. You can enter multiple names in the field, using commas to separate the group names. This option disappears when an LDAP query is selected.

LDAP Query – Select an LDAP directory from the drop-down list to restrict report scope using a list of user names from the LDAP directory, instead of a group name configured on a device. For information on configuring LDAP servers, see “Configuring LDAP queries for reports” on page 111.

LDAP Group – Enter an LDAP group. This option appears only when LDAP Query is selected.


4 Clear the appropriate information that appears in either the Title or Description field, or both fields.
5 Enter the new information in either the Title or Description field, or both fields.
6 Click OK.

To edit text
1 Go to Report > Config > Layout.
2 Click the Edit icon of a report layout.
3 Go to Chart List and click the Edit Text icon beside the text name.
4 Clear the appropriate information that appears in the Message field.
5 Enter the new information in the Message field.
6 Click OK.


Configuring data filter templates

You can configure multiple data filter templates for reports. These templates can be applied to any report schedule you want. Data filters are configured to sort through and omit specific log information, enabling you to include or exclude log messages to focus your report on certain types of log messages that match your criteria. For example, you want to include a specific range of IP addresses. In the Source(s) field you input the IP address range, 172.16.110.0-255, which will match all IP addresses in the 172.16.110.0/255.255.255.0 or 172.16.120.110/24. If you do not want to match this specific IP address range, you would enter the IP address range and mark the not check box. Data filter options operate on specific log message fields. For information about log message fields, see the FortiGate Log Message Reference. To view the data filter templates, go to Report > Config > Data Filter.

Figure 74: Data filter templates

To configure a data filter template
1 Go to Report > Config > Data Filter.
2 Click Create New.

Name of the GUI item Description

Name The name of the data filter template.

Description Any comments entered in the Description field when configuring the data filter template.


3 Configure the following:

Name of the GUI item Description

Name Enter a name for the new data filter configuration. This name concerns only this particular data filter configuration, not the report itself.

Description Enter a description for the report. This is optional.

Filter logic Select all to include only logs in the report that match all filter criteria. If any aspect of a log message does not match all criteria, the FortiAnalyzer unit will exclude the log message from the report. Select any to include logs in the report that match any of the filter criteria. If any aspect of a log message matches any of the filter criteria, the FortiAnalyzer unit will include the log in the report.

Source(s) Enter the source or sources of IP addresses to include matching logs. You can also select from the alias list. Separate multiple sources with a comma. You can filter on IP ranges or subnets. The following formats are supported:
• IP Range: xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
• Subnet: xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/cidr
Note that you cannot use a format like 172.20.110.0-255.

Alias Select the appropriate alias from the drop-down list. For more information about configuring IP aliases, see “Configuring IP aliases” on page 104.

not Select to instead include only log messages that do not match this criterion. For example, you might include logs except those matching a specific source IP address.


Destination(s) Enter the destination IP address to include matching logs, or select from the Alias list. Separate multiple destinations with a comma. For more information about configuring IP aliases, see “Configuring IP aliases” on page 104. You can filter on IP ranges or subnets. The following formats are supported:
• IP Range: xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
• Subnet: xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/cidr
Note that you cannot use a format like 172.20.110.0-255.

Alias Select the appropriate alias from the drop-down list. See “Configuring IP aliases” on page 104 for more information about configuring IP aliases.

not Select to instead include only log messages that do not match this criterion. For example, you might include logs except those matching a specific destination IP address.

Interface(s) Enter the network interface or interfaces to include matching logs. Separate multiple interface names with a comma.

not Select to instead include only log messages that do not match this criterion. For example, you might include logs except those matching a specific network interface.

Policy ID(s) Enter the FortiGate firewall policy ID numbers to include matching logs. The report will include logs from all FortiGate log files containing firewall policy ID numbers, which excludes event and DLP archive logs. Separate multiple policy IDs with a comma.

not Select to instead include only log messages that do not match this criterion. For example, you might include logs except those matching a specific policy ID.

Service(s) Enter specific services to include matching logs. Separate multiple services with a comma.

not Select to instead include only log messages that do not match this criterion. For example, you might include logs except those matching a specific service.

Email Domain(s) (only FortiMail reports)

Enter the email domain or domains that you want included in the filter. An email domain is a set of email accounts that reside on a particular email server. The email domain is the portion of the user’s email address following the “@” symbol. For more information about email domains, see the FortiMail Administration Guide. This field is used only when creating FortiMail reports.

not Select to instead include only log messages that do not match this criterion. For example, you might include logs except those matching a specific email domain.

Email Direction(s) (only FortiMail reports)

Enter one of the following types of email directions:
• IN – the incoming email traffic direction
• OUT – the outgoing email traffic direction
• UNKNOWN – the unknown email traffic direction
This field is used only when creating FortiMail reports.

not Select to instead include only log messages that do not match this criterion. For example, you might include logs except those matching a specific email direction.

Email Sender(s) Enter the sender or senders of the email. This field is used only when creating FortiMail reports.

not Select to instead include only log messages that do not match this criterion. For example, you might include logs except those matching a specific email sender.

Email Recipient(s) Enter the receiver or receivers of the email. This field is used only when creating FortiMail reports.


4 Click OK.

Configuring report schedules

Report schedules are configured after you have configured report layouts. If you do not have a report layout, you cannot configure a report schedule. Report schedules provide a way to schedule a daily, monthly or weekly report so that the report will generate at a specific time period. You can configure multiple report schedules. To view the report schedule list, go to Report > Schedule > Schedule.

not Select to instead include only log messages that do not match this criterion. For example, you might include logs except those matching a specific email recipient.

Day of the Week Select specific days of the week to include matching logs.

Web Category Category List

Select the categories you want to filter logs by, selectively including web filtering logs that match your criteria; indicate included categories by selecting one or more category check boxes. Select the not check box to instead include only logs that do not match the criterion. You can select a whole category by selecting the check box beside the Expand Arrow of the category. You can also select the individual subcategories within the category by selecting the Expand Arrow to display the sub-categories. For example, you might select to include all web filtering logs with a category of Potentially Bandwidth Consuming, or you might select only Internet Radio and TV within that category.

Priority Select a severity level from the Available Levels column and then use the -> arrow to move the level to the Selected Levels column. If you want to remove a severity level from the Selected Levels column, select the level first and then use the <- arrow to move the level back to the Available Levels column.

Generic Filter(s) Enter a generic filter for the filter template.

Key Enter a keyword in this field.

Value Enter a number for the value. Select the not check box to instead include only log messages that do not match the generic filter criteria.

not Select to instead include only log messages that do not match this criterion. For example, you might include logs except those matching a specific generic filter.

Add Select Add to add the keyword and value number to the generic filter list. The generic filter list displays all configured generic filters in the field beside both Add and Delete.

Delete Select to delete the generic filter. Select the generic filter first, and then select Delete.
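The address formats and the all/any/not semantics of a data filter template, as an added Python example that is not FortiAnalyzer code: it parses the IP range and subnet formats listed in the Source(s) and Destination(s) rows, rejects the abbreviated 172.20.110.0-255 form the table notes as unsupported, and applies a template to constructed log records whose field names (srcip, dstip, srcintf, policyid, service) are assumptions.

```python
"""Data filter template semantics: address parsing, per-criterion 'not',
and all/any filter logic.  Added example, not FortiAnalyzer code."""
import ipaddress

ADDRESS_FIELDS = {"srcip", "dstip"}   # assumed log field names for Source(s)/Destination(s)


def parse_address_spec(spec):
    """Parse one Source(s)/Destination(s) term into an inclusive (low, high)
    IPv4Address pair.  Accepts 'a.b.c.d-e.f.g.h', 'a.b.c.d/m.m.m.m' and
    'a.b.c.d/cidr'.  The abbreviated range '172.20.110.0-255' fails, as the
    table above says it is not supported (the second half is not an address)."""
    spec = spec.strip()
    if "-" in spec:
        low, high = spec.split("-", 1)
        lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
        if lo > hi:
            raise ValueError(f"range {spec!r} runs backwards")
        return lo, hi
    net = ipaddress.IPv4Network(spec, strict=False)   # dotted mask or /cidr
    return net.network_address, net.broadcast_address


def is_valid_address_spec(spec):
    """True if every comma-separated term of the field parses."""
    try:
        for term in spec.split(","):
            parse_address_spec(term)
        return True
    except ValueError:
        return False


class Criterion:
    """One row of the template: a field, its comma-separated values and the
    state of the 'not' check box.  Address fields match by range, the others
    (interface, policy ID, service, ...) by exact value."""

    def __init__(self, field, values, negate=False):
        self.field, self.negate = field, negate
        self.values = [v.strip() for v in values.split(",") if v.strip()]
        self.ranges = ([parse_address_spec(v) for v in self.values]
                       if field in ADDRESS_FIELDS else None)

    def matches(self, log):
        value = log.get(self.field)
        if self.ranges is not None:
            ip = ipaddress.IPv4Address(value)
            hit = any(lo <= ip <= hi for lo, hi in self.ranges)
        else:
            hit = str(value) in self.values
        return hit != self.negate   # 'not' inverts the criterion


def apply_template(logic, criteria, logs):
    """Filter logic 'all': a log must satisfy every criterion to be included.
    Filter logic 'any': one satisfied criterion is enough."""
    combine = all if logic == "all" else any
    return [log for log in logs if combine(c.matches(log) for c in criteria)]


# Constructed traffic log records (not real data).
SAMPLE_LOGS = [
    {"srcip": "172.16.110.5",   "dstip": "10.0.0.1",    "srcintf": "internal", "policyid": 1, "service": "HTTP"},
    {"srcip": "172.16.110.77",  "dstip": "10.0.0.2",    "srcintf": "internal", "policyid": 2, "service": "SSH"},
    {"srcip": "172.16.120.9",   "dstip": "10.0.0.1",    "srcintf": "dmz",      "policyid": 1, "service": "HTTP"},
    {"srcip": "172.16.110.200", "dstip": "192.168.1.1", "srcintf": "internal", "policyid": 3, "service": "DNS"},
    {"srcip": "192.168.5.5",    "dstip": "10.0.0.1",    "srcintf": "wan1",     "policyid": 1, "service": "HTTP"},
]


def internal_web_and_dns(logs=SAMPLE_LOGS):
    """Filter logic all: source in 172.16.110.0/24 AND service HTTP or DNS."""
    criteria = [Criterion("srcip", "172.16.110.0/255.255.255.0"),
                Criterion("service", "HTTP,DNS")]
    return apply_template("all", criteria, logs)


def dmz_range_or_non_http(logs=SAMPLE_LOGS):
    """Filter logic any: source in a full IP range OR service with 'not' HTTP."""
    criteria = [Criterion("srcip", "172.16.120.0-172.16.120.255"),
                Criterion("service", "HTTP", negate=True)]
    return apply_template("any", criteria, logs)
```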

Caution: When configuring a report schedule, which contains both an output template and selected file formats in Output Types, the file formats sent by email are determined by the configuration settings. Only those file formats that are enabled in both output template and schedule output types are sent by email. For example, if PDF and Text formats are selected in the output template, and then PDF and MHT are selected in the report schedule, the report’s file format in the email attachment is PDF.


Figure 75: Report schedules

To configure report schedules
1 Go to Report > Schedule > Schedule.
2 Click Create New.

3 Configure the following:

Name of the GUI item Description

Run Run a report schedule immediately (on demand), instead of waiting for the scheduled time.

Schedule Name The name given to the report schedule when configuring the report schedule.

Layout Name The name of the report layout that is associated with the report schedule.

Device The device or device group that is associated with the report schedule.

Schedule The time period or range for the report, in the following formats:
• Daily: hh:mm
• Weekly: hh:mm at [days of week]
• Monthly: hh:mm at [dates of month]

Effective Period The start and end date, including the start and end time, of the schedule.


Name of the GUI item Description

Name Enter a name for the schedule.

Description Enter a description for the schedule. This is optional.

Layout Select a configured report layout from the drop-down list. You must apply a report layout to a report schedule.

Language Select a language from the drop-down list or choose Default to use the default language.

Schedule Select one of the following to have the report generated only once, daily, weekly, or monthly at a specified date or time period.

Daily Select to generate the report every day at the same time. Enter the hour and minute time period for the report. The format is hh:mm.

Weekly Select to generate the report on specified days of the week. Select the days of the week check boxes.

Monthly Select to generate the report on a specific day or days of the month. Enter the days with a comma to separate the days. For example, you want to generate the report on the first day, the 21st day and 30th day: 1, 21, 30.

Once Select to have the report generated only once.

On Demand Select to have the report generated on demand.

Time Select the hour and minute (from the drop-down lists) of the time of day when you want to generate the report.

Start Date Select the calendar beside Start Date to select the date on which the report will start generating. Select the time as well and then select OK. You can select the month and year if you need a different month or year for the report.


4 Click OK.

Configuring language

When creating a report layout, you can select which language the report will be written in. If your preferred languages require modification, you can create your own report language customization, which then becomes available for selection in the report layout. Report language components include:

End Date Select the calendar beside End Date to select the date on which the report will stop generating. Select the time as well and then select OK. You can select the month and year if you need a different month or year for the report.

Log Data Filtering You can specify the variables that were selected in the charts when configuring the report layout. If you did not specify any variables in the charts added to report layout, proceed to Data Filter.

Device/Group Select a device or device group from the list. If a layout is not selected, no FortiGate units or groups will appear in the list.

Virtual Domain Select to create a report based on virtual domains. Enter a specific virtual domain to include in the report.

User Select to create a report based on a network user. Enter the user or users in the field.

Group Select to create a report based on a group of network users, defined locally. Enter the name of the group or groups in the field.

LDAP Query Select an LDAP directory from the drop-down list.

LDAP Group Enter an LDAP group. This option appears only when LDAP Query is selected.

Data Filter Select a data filter template from the drop-down list to apply to the report schedule. For more information on data filters, see “Configuring data filter templates” on page 178.

Time Period
Local Time for – Select to base the time period on the local time of the FortiAnalyzer unit or the selected devices. Log time stamps reflect when the FortiAnalyzer unit received the message, not when the device generated the log message. If you have devices located in different time zones, and are creating a report layout based on a span of time, ensure that the time span is relative to the device, not the FortiAnalyzer unit. For example, if you have a device and a FortiAnalyzer unit located three time zones apart, a report for the time frame from 9 AM to 11 AM will yield different results depending on whether the report time frame is relative to the device’s local time, or to the FortiAnalyzer unit’s local time.
From – Select the beginning date and time of the log time range.
To – Select the ending date and time of the log time range.

Output Select the type of output you want the report to be in and if you want to apply an output template as well.

Output Types Select the type of file format you want the generated report to be. You can choose from PDF, XML, HTML (default), MS Word, Text, and MHT. Note: Only those file formats that are enabled in both output template and schedule output types are sent by email. For example, if PDF and Text formats are selected in the output template, and then PDF and MHT are selected in the report schedule, the report’s file format in the email attachment is PDF.

Email/Upload Select the check box if you want to apply a report output template from the drop-down list. For more information on configuring report output, see “Configuring report output templates” on page 91.


• a string file, also known as a language resource file, containing report text
• a format file specifying the language encoding, as well as file format specific settings
• a font file whose glyphs support your encoding’s character set

The font file is used to render graph titles and Y-axis labels in a font of your choice. Some fonts, particularly for double-byte languages, do not support character rotation, which is required by the Y-axis label. Compatible fonts must be TrueType (.ttf) fonts, and must support character rotation. Examples of known compatible fonts include Arial, AR PL Mingti2L Big5, AR PL SungtiL GB, DFPHSGothic-W5, and Verdana.

The string file specifies pieces of text that may be used in various places throughout the report. Each string line consists of a key followed by an equal symbol (=) and its value. You can add comments to the string file by preceding them with a number symbol (#). For example, in these lines:

# Printed in place of report when zero log messages matched report filter.

no_match=No matching log data for this report

the comment is:

# Printed in place of report when zero log messages matched report filter.

the key is no_match, and the string value for that key is No matching log data for this report.

Keys are required and must not be removed or changed. Keys map a string to a location in the report, and are the same in each language file. If you change or remove keys, the FortiAnalyzer unit cannot associate your string with a location in the report, string file validation will fail, and the string file upload will not succeed.

String values may be changed to customize report text. If your custom string values use a different encoding or character set than the default language file, customize your format file to reflect your new character set and/or encoding.

Comment lines are optional; you can add them throughout the file to provide notes on your work.

The format file contains settings for the file format renderers, including encodings. The format file contains sections that are preceded by an output type label, consisting of the file format name followed by a colon character (:). Within each output type’s section, one or more settings exist, each consisting of a variable name followed by an equal symbol (=) and its value, enclosed in quote characters (“”). You can add comments to the format file by preceding them with a number symbol (#). For example, in these lines:

# Localization uses a Latin character set.

html:

html_charset="iso-8859-1"

The comment is:

# Localization uses a Latin character set.

The output type label is html:, the variable name is html_charset, and the variable’s value is iso-8859-1.

Variables are required and must not be removed or changed. If you change or remove variables, the FortiAnalyzer unit may not be able to properly format your reports.


If your custom string values use a different encoding or character set than the default language file, you must customize your format file to reflect your new character set and/or encoding. If your string file requires double-byte encoding, also set doublebytes="1". Otherwise, set doublebytes="0". The variable’s value must be in a pattern acceptable to the output type. If the variable value syntax is not correct, format file validation will fail, and the format file upload will not succeed.

Supported encodings used by the string file and referenced in the format file include those specified by the PDF, RTF, and HTML standards. For character set and encoding syntax and other specifications, see:
• W3C HTML 4.01 Specification
• Adobe PDF Reference
• Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8

Comment lines are optional; you can add them throughout the file to provide notes on your work. If you require further format file customization, including adjustments to PDF objects, contact Fortinet Technical Support.
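A pre-upload validator for customized string and format files, as an added Python example that is not FortiAnalyzer code: it parses the key=value and type:/variable="value" layouts described above, reports the conditions the guide's Table 6 names (missing keys, invalid syntax) plus CR-LF line endings, and checks sample files in which only no_match, html_charset and doublebytes come from the guide; the report_title key, the placement of doublebytes under html:, and the sample values are assumptions.

```python
"""Validate a customized report language (string file + format file)
before uploading it.  Added example, not FortiAnalyzer code."""
import re

_SETTING = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def _content_lines(text):
    """Yield (line_number, line), skipping blank lines and # comment lines."""
    for n, line in enumerate(text.split("\n"), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            yield n, line


def parse_string_file(text):
    """String file: one 'key=value' per line -> {key: value}."""
    strings = {}
    for n, line in _content_lines(text):
        m = _SETTING.match(line)
        if not m:
            raise ValueError(f"line {n}: expected key=value")
        strings[m.group(1)] = m.group(2)
    return strings


def parse_format_file(text):
    """Format file: 'type:' labels, each followed by variable="value" lines
    -> {type: {variable: value}} with the quotes stripped."""
    sections, current = {}, None
    for n, line in _content_lines(text):
        if line.endswith(":"):                 # output type label, e.g. html:
            current = line[:-1]
            sections.setdefault(current, {})
            continue
        m = _SETTING.match(line)
        if current is None or not m:
            raise ValueError(f"line {n}: expected a 'type:' label or variable=\"value\"")
        value = m.group(2)
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            raise ValueError(f"line {n}: value of {m.group(1)} must be in double quotes")
        sections[current][m.group(1)] = value[1:-1]
    return sections


def validate_customization(default_strings, custom_strings,
                           default_format, custom_format):
    """Return a list of problems (empty when the files should upload cleanly).
    Message wording follows Table 6 of the guide where a condition matches."""
    errors = []
    for name, text in (("string", custom_strings), ("format", custom_format)):
        if "\r" in text:                        # both files need Unix-style endings
            errors.append(f"{name} file uses CR-LF line endings; use LF only")
    try:
        custom = parse_string_file(custom_strings)
    except ValueError as exc:
        errors.append(f"Specified format file contains invalid syntax. ({exc})")
        custom = {}
    # Keys must be identical to the default language file: none removed or renamed.
    missing = sorted(set(parse_string_file(default_strings)) - set(custom))
    if missing:
        errors.append("Specified language string file is missing one or more "
                      "strings: " + ", ".join(missing))
    try:
        fmt = parse_format_file(custom_format)
    except ValueError as exc:
        errors.append(f"Specified format file contains invalid syntax. ({exc})")
        return errors
    for otype, settings in parse_format_file(default_format).items():
        for var in settings:                    # variables must not be removed
            if var not in fmt.get(otype, {}):
                errors.append(f"variable {var} missing from section {otype}:")
        if fmt.get(otype, {}).get("doublebytes", "0") not in ("0", "1"):
            errors.append(f'doublebytes in section {otype}: must be "0" or "1"')
    return errors


# Constructed default files.  Only no_match, html_charset and doublebytes come
# from the guide; report_title and the doublebytes placement are assumptions.
DEFAULT_STRINGS = (
    "# Printed in place of report when zero log messages matched report filter.\n"
    "no_match=No matching log data for this report\n"
    "report_title=Report\n"
)
DEFAULT_FORMAT = (
    "# Localization uses a Latin character set.\n"
    "html:\n"
    'html_charset="iso-8859-1"\n'
    'doublebytes="0"\n'
)
# A valid customization: values translated, keys and variables untouched.
CUSTOM_STRINGS_OK = "no_match=Keine passenden Protokolldaten\nreport_title=Bericht\n"
CUSTOM_FORMAT_OK = 'html:\nhtml_charset="utf-8"\ndoublebytes="0"\n'
# An invalid one: CR-LF line endings, a renamed key and an unquoted variable value.
CUSTOM_STRINGS_BAD = "nomatch=Keine Daten\r\nreport_title=Bericht\r\n"
CUSTOM_FORMAT_BAD = "html:\nhtml_charset=utf-8\n"
```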

To view the language list, go to Report > Config > Language.

Figure 76: Languages tab

To customize a default report language
1 Go to Report > Config > Language.
2 Mark the check box of the default language that you want to customize.

Note: Both format and string files use Unix-style line endings (LF characters, not CR-LF).

Name of the GUI item Description

Delete Font File Remove the font file from the selected report language customization.

Download Select Download Format File to download the file format settings. Select Download String File to download the language resource. Select Download Font File to download the custom font file. This option does not appear for default languages and report language customizations using a default font.

Language The name of the report language customization.

Description The description of the report language customization.

Font If you uploaded a font file with your report language customization, the name of the font. This does not appear if the report language uses a default font.


3 Go to Download > Download String File.

4 Open the string file using a plain text editor that supports Unix-style line endings and the string file’s encoding, such as jEdit. Verify that the correct encoding has been detected or selected.

5 Locate and edit the text that you want to customize. Do not change or remove keys. Modifiable text is located to the right of the equal symbol (=) in each line.

6 Save the string file.
7 If you changed the encoding of the string file, go to Download > Download Format File and open the format file using a plain text editor that supports Unix-style line endings, such as jEdit, and edit the encoding and character set values for each file format. If you have switched between a single-byte and a double-byte encoding, also set the doublebytes value to true (1) or false (0). For specifications on how to indicate encoding and character set, refer to each file format’s specifications:
• W3C HTML 4.01 Specification
• Adobe PDF Reference
• Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8

8 Save the format file.

To create a report language customization
1 Go to Report > Config > Language.
2 Click Create New to create a separate language option, or mark the check box for an existing language then click Edit.

3 If you are creating a new report language, enter the language of the report. The language name cannot contain spaces.

4 Enter a Description for the language.
5 For the Format File, click Browse and locate your customized format file.


6 For the String File, click Browse and locate your customized string file.
7 If you want to customize the font of report graph titles and Y-axis labels, for Font File, click Browse and locate your font. If your font is located in the system font folder, you may need to first copy the font from the system font folder to another location, such as a temporary folder or your desktop, to be able to select the font for upload.

8 Click OK. The time required to upload the language customization files varies by the size of the files and the speed of your connection. If there are any errors with your files, correct the errors, then repeat this procedure.

After successfully uploading and verifying, your custom language becomes available as a report output language.

Example reports (file system-based)

The following scenarios are examples of how to configure reports based on specific log information from the proprietary indexed file storage system. These are examples that you can use when configuring your own reports. Each scenario covers a specific type of report, such as a FortiGate report or FortiMail report, and includes what types of logs you need to have before a report is configured, as shown in the examples. This topic contains the following:
• Example: FortiGate report
• Example: FortiClient report
• Example: FortiMail report

Example: FortiGate report

The IT manager suspects an individual is surfing the Internet during working hours and has asked you to send a report on this web activity only. The IT manager wants you to send it to him, your manager, and headquarters. The suspected IP address is 172.16.124.125.

Note: Some font licenses prohibit copying or simultaneous use on multiple hosts or by multiple users. Verify your font’s license.

Table 6: Language file error messages

Error message Description

Specified format file contains invalid syntax. Your format or string file contains syntax errors. To locate the errors, compare your customized file with a default language’s file. Refer to file format specifications or view default files for valid syntax.

Specified language string file is missing one or more strings. Your string file is missing strings for one or more keys. To locate missing strings, compare your customized string file with a default language’s string file.

Specified font file is not a standard TrueType font (*.ttf). Your font file is not a TrueType font. Only TrueType fonts are supported.

Note: The string file contains many keys, and each report type uses a subset of those keys. If your language modification does not appear in your report, verify that you have modified the string of a key used by that report type.


The log types that are necessary to configure this type of report are traffic, DLP archive and web filter logs.

Creating the report Most web sites visited by an individual employee
1 To configure the output template that will be used in the report, go to System > Config > Remote Output, click Create New.

2 Configure as follows:

3 To configure the report layout that will be used in the report, go to Report > Config > Layout, click Create New.

4 Configure as follows:

• In Name, enter Most_web_sites_visited_by_an_individual_employee.
• In Output Format, select PDF and then deselect the default HTML.
• Select Send Report by Email.

• Select Compress Report Files to compress the report for attachment to the email message.

• Enter your email address in From.

• Select the email server, server.example.com.

• For Recipient, enter the individual’s email address and then select Add; repeat for the other email addresses (IT manager and headquarters).

• In the Subject field, enter Web activity for .125 computer user.

• In the Body field, enter the following: For internal use only. The attachment is a report created to explain allegations concerning computer user .125 using the Internet during work hours.

• Select Upload Report to Server then enter the company’s FTP server information in the fields.

• Select OK.


5 To configure the report data filter that will be used in the report, go to Report > Config > Data Filter, click Create New.

6 Configure as follows:

• In Name, enter Most_web_sites_visited_by_an_individual_employee.
• In the Description field, enter the following:

For an employee that may or may not be surfing the Internet during working hours.

• In the Report Title field, enter Most visited web sites by an individual employee.

• In the Header field, enter the company’s name.

• In the Title Page Logo field, select the Browse logo files icon to locate the company’s title page logo.

• In the Header Logo field, select the Browse logo files icon to locate the company’s header logo.

• Select Add Chart(s) and then select the following charts under Web Activity:
Web Volume by Time Period
Top Web Clients by Volume
Top Web Servers by Connection
Top Web Servers by Volume and Hits
Top Web Servers by Connections for Most Active Clients

• Select OK to include the charts in the layout.

• For the Web Volume by Time Period chart, select Edit and then from the Time Scale list, select Hour of Day. Select OK.

• For the Web Clients by Volume chart, select Edit and then from the Source ID list, select IP Address. Select OK.

• For the Top Web Servers by Connections for Most Active Clients, select Edit and then from the Source ID list, select IP Address. Select OK.

• Select OK.

• In Name, enter Most_web_sites_visited_by_an_individual_employee.

• In Sources, enter the IP address of the computer.

• In Day of Week, select the check boxes next to the days of the work week.

• Expand Web Category, and then select the check boxes beside:Potentially LiableObjectionable or ControversialPotentially Non-productivePotentially Bandwidth ConsumingPotentially Security Violating.

FortiAnalyzer™ Version 4.0 MR2 Administration Guide190 Revision 13

http://docs.fortinet.com/ • Feedback

Page 191: For Ti Analyzer Admin 40 Mr2

Reports Configuring reports from logs in the proprietary indexed file system

FRh

7 To configure the report schedule for generating the report, go to Report > Schedule > Schedule, click Create New.

8 Configure as follows:

Example: FortiClient reportThe IT department of your company wants to know exactly how many viruses were detected by FortiClient installations on the company’s widely distributed computers. They have asked you to send them a two-week report by email, showing the top 10 viruses that were detected by the FortiClient installations. The log types that are necessary to configure this type of report are traffic and antivirus.

Creating the report Total viruses detected by FortiClient 1 To configure the output template that will be used in the report, go to System >

Config > Remote Output, click Create New.

• In Priority, select the level Notification in Available Levels and then use the left arrow to move it to Select Levels.

• Select OK.

• In Name, enter Most_web_sites_visited_by_an_individual_employee. • In Layout, select the report layout, Most visited web sites by an individual employee

from the list.

• In Schedule, select Once and then select the Calendar icon to configure today’s date and time.

• Under Log Data Filtering, select the FortiGate-50B unit in the Device/Group list, which logged the information needed to complete the report.

• Select the data filter from the Data Filter list.

• In Time Period, select Devices and then select Past Month from the Time Period list.

• In Output, select the check box beside PDF and then select the check box beside Email/Upload. In the Email/Upload list, select the output template.

• Select OK.

ortiAnalyzer™ Version 4.0 MR2 Administration Guideevision 13 191ttp://docs.fortinet.com/ • Feedback

Page 192: For Ti Analyzer Admin 40 Mr2

Configuring reports from logs in the proprietary indexed file system Reports

2 Configure as follows:

3 To configure the report layout that will be used in the report, go to Report > Config > Layout, click Create New.

4 Configure as follows:

• In Name, enter Total_viruses_detected_by_FortiClient.

• In Output Format, select PDF and then deselect the defaulted HTML.• Select Send Report by Email.

• Select Compress Report Files to compress the report for attachment to the email message.

• Enter your email address in From.

• Select the email server, server.example.com.

• For Recipient, enter the IT department’s email address and then select Add.

• In the Subject field, enter the following: Total viruses that were detected by our FortiClients within the past two weeks.

• In the Body field, enter the following: Attached please find the report, Total viruses detected by FortiClient, which indicates how many viruses were found in the previous two weeks.

• Select Upload Report to Server then enter the company’s FTP server information in the fields.

• Select OK.

• In Name, enter Total_viruses_detected_by_FortiClient.

• In Description field, enter the following: A FortiClient report that looks at the total amount of viruses which our company’s FortiClients are detecting.

• In the Report Title field, enter the following; Total_viruses_over_a_two_week_period_by_FortiClient.

• In the Header field, enter the company’s name.

• In the Title Page Logo field, select the Browse logo files icon to locate the company’s title page logo.

• In the Header Logo field, select the Browse logo files icon to locate the company’s header logo.

• Select Add Chart(s).

• Select FortiClient in the Device Type list, and then select the plus sign beside FortiClient Antivirus Activity to include all charts that are in that report group.

FortiAnalyzer™ Version 4.0 MR2 Administration Guide192 Revision 13

http://docs.fortinet.com/ • Feedback

Page 193: For Ti Analyzer Admin 40 Mr2

Reports Configuring reports from logs in the proprietary indexed file system

FRh

5 To configure the report data filter that will be used in the report, go to Report > Config > Data Filter, click Create New.

6 Configure as follows:

• Select OK.

• Select the Edit icon within the Top Viruses (from Antivirus log) chart to change the default settings.

• In the edit chart window, select Graph Only from the Chart Output list so that only a graph displays.

• Select Pie from the Chart Style list.

• Enter the number 5 in the Maximum Entries (TopN) field.

• Expand Advanced, and select the check boxes beside Resolve Host Names and Resolve Service Names.

• Select OK.

• Select the Edit icon within the Top Files (from Antivirus Log) chart to change the default settings.

• In the edit chart window, select Table Only from the Chart Output list so that only a table displays.

• Select Line from the Chart Style list.

• In Maximum Entries (TopN), select the check box beside List All Results. When you select the check box, a warning symbol appears beside Maximum Entries (TopN) which, if you hover your mouse over the symbol, explains that if you have a large number for this setting, the FortiAnalyzer unit’s performance may be degraded.

• Expand Advanced, and select the check boxes beside Resolve Host Names and Resolve Service Names.

• Select OK.

• Select Add Text

• In the Message field, enter the following: This report is based on the previous two weeks, July 20-31.

• Select OK.

• Drag Text Message to the top of the list of reports.

• Select OK.

• In Name, enter Total_viruses_detected_by_FortiClient.

• In Sources, choose the alias, headquarters_A, from the Alias list.

• In Destinations, choose the alias, FortiClient_PCs, from the Alias list.

• In Day of Week, select the check boxes beside all the days of the work week.

ortiAnalyzer™ Version 4.0 MR2 Administration Guideevision 13 193ttp://docs.fortinet.com/ • Feedback

Page 194: For Ti Analyzer Admin 40 Mr2

Configuring reports from logs in the proprietary indexed file system Reports

7 To configure the report schedule for generating the report, go to Report > Schedule > Schedule, click Create New.

8 Configure as follows:

Example: FortiMail reportThe headquarter’s office requires a report containing how much spam email is getting through. This report must be sent to the CEO, managing director, and IT manager. The report must also be in XML format so that it can be uploaded to the company’s internal web site. The log type that is necessary to configure this type of report is email filter.

Creating the report Total spam email detected by FortiMail1 To configure the output template that will be used in the report, go to System >

Config > Remote Output, click Create New.

2 Configure as follows:

• In Priority, select Information in the Available Levels and move it to the Selected Levels list.

• Select OK.

• In Name, enter Total_viruses_detected_by_FortiClient.

• In Layout, select the report layout, Total viruses detected by FortiClient.

• In Schedule, select Once and then select the Calendar icon to configure today’s date and time.

• In Log Data Filtering, select the configured data filter in the Data Filter list.

• In Time Period, select Selected Devices, select Past N Week from the Time Period list, and then enter the number 2 in the field that appears.

• In Output, select the check box beside PDF, and then select the check box beside Email/Upload.

• In the Email/Upload list, select the output template.

• Select OK.

FortiAnalyzer™ Version 4.0 MR2 Administration Guide194 Revision 13

http://docs.fortinet.com/ • Feedback

Page 195: For Ti Analyzer Admin 40 Mr2

Reports Configuring reports from logs in the proprietary indexed file system

FRh

3 To configure the report layout that will be used in the report, go to Report > Config > Layout, click Create New.

4 Configure as follows:

• In Name, enter Total_spam_email_detected_by_FortiMail.

• In Output Format, select XML and then deselect the defaulted HTML.• Select Send Report by Email.

• Select Compress Report Files to compress the report for attachment to the email message.

• Enter your email address in From.

• Select the email server, server.example.com

• Enter the CEO’s email address and then select Add; repeat for the other email addresses.

• In the Subject field, enter the following: Spam activity report for the month of July.

• In the Body field, enter the following: For internal use only. The attachment is a report based on the total amount of spam activity our company’s FortiMail unit detected over the course of a month.

• Select Upload Report to Server then enter the company’s FTP server information in the fields.

• Select OK.

• In Name, enter Total_spam_email_detected_by_FortiMail.

• In the Description field, enter the following: This report is for finding out the total amount of spam email messages that are being detected by the FortiMail and getting through to the internal network.

• In the Report Title field, enter Total_spam_email_detected_in_June.

• In the Header field, enter the company’s name.

• In the Title page logo field, select the Browse logo files icon to locate the company’s title page logo.

• In the Header Logo field, select the Browse logo files icon to locate the company’s header logo.

• Select Add Chart(s).

• Select FortiMail in the Device Type list, and then select the plus sign beside Spam Activity to include all charts under this group.

ortiAnalyzer™ Version 4.0 MR2 Administration Guideevision 13 195ttp://docs.fortinet.com/ • Feedback

Page 196: For Ti Analyzer Admin 40 Mr2

Configuring reports from logs in the proprietary indexed file system Reports

5 To configure the report data filter that will be used in the report, go to Report > Config > Data Filter, click Create New.

6 Configure as follows:

7 To configure the report schedule for generating the report, go to Report > Schedule > Schedule, click Create New.

8 Configure as follows:

• Select OK to include the charts in the layout.

• Select the Edit icon for each chart and change the Time Scale setting to Hour of Day.

• Select Add Section.

• In the Title field, enter Top Spam Activity.

• Drag the section to the top of the list of charts.

• Select OK.

• In Name, enter Total_spam_email_detected_by_FortiMail.

• In Sources, enter the IP address range, 172.16.125.100/24.

• In Day of Week, select the check boxes for the days of the work week.

• In Priority, select Information in the Available Levels and move it to the Selected Levels list.

• Select OK.

• In Name, enter Total_spam_email_detected_by_FortiMail.

• In Layout, select the report layout, Total_spam_email_detected_by_FortiMail.

• In Schedule, select Weekly, and then select On Demand so that the report can be run at any time.

• In Log Data Filtering, select the company’s FortiMail-400 unit in the Device/Group list.

• In Log Data Filtering, select the data filter configured for the report in the Data Filter list.

FortiAnalyzer™ Version 4.0 MR2 Administration Guide196 Revision 13

http://docs.fortinet.com/ • Feedback

Page 197: For Ti Analyzer Admin 40 Mr2

Reports Configuring reports from logs in a SQL database

FRh

Configuring reports from logs in a SQL databaseIf you have selected SQL database for log storage in System > Config > SQL Database, you must configure reports based on logs from a SQL database. For information on selecting the storage method, see “Configuring SQL database storage” on page 85.

Logs must be collected or uploaded before you can generate a report. Logs are the basis of all FortiAnalyzer reports. After logs are collected or uploaded, you can then configure reports based on the default or customized chart templates. In most cases, the default chart templates are sufficient for report configuration. However, you can create customized chart templates by configuring the data sets to get the exact chart data you want. FortiAnalyzer data sets are a collection of the log files from the devices monitored by the FortiAnalyzer unit. Reports are generated based on the data sets. For more information, see “Configuring data sets” on page 201 and “Configuring report chart templates” on page 197.A report for logs from the SQL database has three basic components: • report chart template (the report template and the data set)• graphics (optional component)• report schedule (log data parameters and time range)You need to configure a chart template before configuring a report, because the report requires a chart template. You also need to configure remote report output (see “Configuring report output templates” on page 91) if you want to upload completed report files to a server accepting FTP, SFTP, or SCP when configuring a report. The report chart templates can be applied to any reports.

Configuring report chart templatesThe FortiAnalyzer unit provides default report chart templates for each report category. You can create customized report chart templates using your own data set configuration. For information on data set configuration, see “Configuring data sets” on page 201.Go to Report > Chart > Template to view the list of both default and customized report chart templates.

• In Time Period, select Devices and then select This Month from the Time Period list.

• In Output, select the check box beside XML and then select the check box beside Email/Upload.

• In the Email/Upload list, select the output template.

• Click OK.

Note: You can only generate SQL database-based reports from the FortiGate log data.

ortiAnalyzer™ Version 4.0 MR2 Administration Guideevision 13 197ttp://docs.fortinet.com/ • Feedback

Page 198: For Ti Analyzer Admin 40 Mr2

Configuring reports from logs in a SQL database Reports

Figure 77: Report template list

Name of the GUI item: Description

Clone: Create a duplicate of a report chart template to use as a basis for creating a new one. The cloned template has the same name plus “Copy_<sequential-number>” at the end.

Favorite: Click the arrow beside Favorite:
• click Add to Favorite to add one or more selected report chart templates to your favorite list. The star icon (Toggle Favorite State) turns orange.
• click Remove from Favorite to remove one or more selected report chart templates from your favorite list. The star icon (Toggle Favorite State) turns grey.
The favorite templates can be used to generate reports for quick and easy access. For more information, see “Adding report dashboards and widgets” on page 207.

Toggle Favorite State: A grey star means that this report chart template is not in the favorite list. An orange star means that this report chart template is in the favorite list. Selecting the star toggles between adding the template to the favorite list and removing it from the favorite list.

Output Capacity: The format of the report: tabular, graphical, or both.

Name: The name of the report chart template. The name of a default template is composed of the report category and the name of the data set.

Category: The category for this chart template, such as Antivirus or Traffic.

Title: A description of the chart. For example, if the name of the chart is “vpn-ipsec-usr-dur”, the title can be “Top VPN IPsec User by Duration”.

Data Set: The name of the data set used in this chart template.

To create a report chart template

1 Go to Report > Chart > Template.

2 Click Create New.

3 Configure the following, then click OK.

Name of the GUI item: Description

Name: Enter the name for the report chart template.

Description: Enter any comments or notes about the chart template.

Category: Select the log category for this chart template.

Data Set: Select the data set for the selected category. For example, data set names for the AntiVirus category start with “av”. FortiAnalyzer data sets are a collection of the log files from the devices monitored by the FortiAnalyzer unit. Reports are generated based on the data sets. For information about data set configuration, see “Configuring data sets” on page 201. Depending on the selected data set, the values in the Field Output and Data Bindings fields vary.

Field Output: Depending on the selected data set, the values of this option vary. These values are used for labelling the report graphs, such as the X or Y axis in a bar graph, or the column or row title in a table.

Resolve Host Name: Enable this option to display the device’s host name from an IP alias or reverse DNS lookup, rather than an IP address. For more information about configuring IP aliases, see “Configuring IP aliases” on page 104.

Favorite: Enable to add this chart template to the favorite list. See “Favorite” on page 198.

Data Bindings: Depending on your selection in the Graph Type field, the values in this section vary.

If Graph Type = Bar

X-Axis Data Binding: Select a value for the X-Axis of the bar graph. The values in this field change depending on your selection of the data set.
Only Show First n Items: Select the check box and enter a number to show the top ranked log information, such as the top number of viruses, in the report chart. The default is 6. The rest of the log information will be marked as “Others” in the chart.
Overwrite Label: Mark the check box to modify the default value for the X-Axis, if required.

Y-Axis Data Binding: Select a value for the Y-Axis of the bar graph. The values in this field change depending on your selection of the data set.
Overwrite Label: Mark the check box to modify the default value for the Y-Axis, if required.
Group By: Mark the check box to group the log information according to the data set field output. This option appears only when a data set’s field output contains more than 3 fields.
Only Show First n Items: Select the check box and enter a number to show the top ranked log information, such as the top number of viruses, in the report chart. The default is 3. The rest of the log information will be marked as “Others” in the chart. This option appears only when a data set’s field output contains more than 3 fields.

If Graph Type = Pie

Data Binding: Select a value to show the size of each segment of log information in the pie chart. The values in this field change depending on your selection of the data set. For example, in a pie chart called Top Services by Volume, one of the top services is SMTP and its percentage in the pie is 8.81. This percentage is generated by the selection in this field. Enable Only Show First n Items (Bundle rest into "Others") and enter a number to show the top ranked log information, such as the top number of viruses, in the report chart. The default is 6. The rest of the log information will be marked as “Others” in the chart.

Label Binding: Select a value to label each segment of log information in the pie chart. The values in this field change depending on your selection of the data set. For example, in a pie chart called Top Services by Volume, one of the top services is labeled as SMTP. This label is generated by the selection in this field.

If Graph Type = Table

Display Data In: Select Ranked to show the log information in ranked format, such as top x, or top y of top x, in the table. Select Raw to show the log information as an audit report which displays the results only, such as all blocked sites and all sites visited.

Add Column: Select to add a column to the table. This option only appears after you select the Remove the column icon. The data display in the table will be in raw format after selecting the Remove the column icon.

Field Output: Select a value to show the column title for the log information in the table. The values in these fields change depending on your selection of the data set.

Overwrite Header: Mark the check box to modify the Field Output value, if required.

Only Show First n Items: Mark the check box and enter a number to show the top ranked log information, such as the top number of viruses, in the table. The default is 3. The rest of the log information will be marked as “Others” in the table. This option is only available if you select to display data in ranked format.
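The top-n bundling that the Only Show First n Items options describe for bar, pie and ranked table charts, and the Ranked versus Raw table modes, as an added Python illustration. This is not FortiAnalyzer code: the service names and byte counts are constructed sample data, the function names are the example's own, and it reproduces only the documented behaviour (the first n ranked entries are shown, everything else is folded into one “Others” entry whose value is the sum of the rest, so totals and pie percentages still add up).

```python
"""Top-n bundling as described for chart Data Bindings (added example)."""
from __future__ import annotations

from typing import Iterable

# Constructed sample rows: (label from the Label Binding, value from the
# Data Binding) as a "Top Services by Volume" data set might return them.
# The numbers are made up for this example.
SAMPLE_ROWS = [
    ("HTTP", 52_000_000),
    ("HTTPS", 31_000_000),
    ("SMTP", 9_000_000),
    ("DNS", 4_000_000),
    ("SSH", 2_500_000),
    ("FTP", 1_500_000),
    ("IMAP", 1_000_000),
    ("NTP", 500_000),
]

OTHERS_LABEL = "Others"


def rank_rows(rows: Iterable[tuple[str, float]]) -> list[tuple[str, float]]:
    """Sort rows by their data binding value, largest first (a ranked view)."""
    return sorted(rows, key=lambda r: r[1], reverse=True)


def bundle_top_n(rows, n=6, others_label=OTHERS_LABEL):
    """Keep the top n ranked rows and bundle the remainder into one "Others" row.

    n is the "Only Show First n Items" value.  Entries beyond n are not
    dropped: their values are summed, so the bundled total equals the
    total of the whole data set.
    """
    if n < 1:
        raise ValueError("n must be at least 1")
    ranked = rank_rows(rows)
    head, tail = ranked[:n], ranked[n:]
    if tail:
        head.append((others_label, sum(v for _, v in tail)))
    return head


def pie_segments(rows, n=6):
    """Return (label, value, percent) triples for a pie chart.

    The percentage is each segment's share of the whole data set,
    rounded to two decimals as the guide's 8.81 example suggests.
    """
    bundled = bundle_top_n(rows, n)
    total = sum(v for _, v in bundled)
    return [(label, value, round(100.0 * value / total, 2)) for label, value in bundled]


def table_rows(rows, display="Ranked", n=3):
    """Table chart: Ranked applies top-n bundling (default n = 3), Raw returns every row as-is."""
    if display == "Ranked":
        return bundle_top_n(rows, n)
    if display == "Raw":
        return list(rows)
    raise ValueError(f"unknown Display Data In value: {display!r}")


if __name__ == "__main__":
    for label, value, pct in pie_segments(SAMPLE_ROWS):
        print(f"{label:8} {value:>12,} {pct:6.2f}%")
```

With the constructed rows and the pie default of 6, IMAP and NTP are folded into a single “Others” segment; with the table default of 3 everything after SMTP is. A Raw table returns all eight rows untouched, which is the audit-style listing the guide describes.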


Configuring data sets

FortiAnalyzer data sets are the collection of log files from the devices monitored by the FortiAnalyzer unit. Reports are generated based on the data sets. The FortiAnalyzer unit provides default data sets for each log category. You can modify the existing data sets by editing the query statements or create new data sets by writing your own SQL queries. To view the data set list, go to Report > Chart > Data Set.

Figure 78: Data set list

Name of the GUI item: Description

Name: The name of the data set.

Log Type: The type of logs in the data set.

To create a data set

1 Go to Report > Chart > Data Set.

2 Click Create New.

3 Configure the following, then click OK.

Name of the GUI item: Description

Name: Enter the name for the data set.

Log Type ($log): Enter the type of logs to be used for the data set. $log is used in the SQL query to represent the log type you select.

Time Period: Select to use logs from a time frame, or select Specified and define a custom time frame by selecting the Begin Time and End Time.

Past N Hours/Days/Weeks: If you selected Past N Hours/Days/Weeks for Time Period, enter the number.

Begin Time: Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specified in the Time Period ($time) field.

End Time: Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specified in the Time Period ($time) field.

SQL Query: Enter the SQL query syntax to retrieve the log data you want from the SQL database. For details about how to write the SQL statement, see “Appendix D: Querying FortiAnalyzer SQL log databases” on page 335.

Test: Click to test whether or not the SQL query is successful. See “To test a SQL query” on page 202.

To test a SQL query

1 Follow the procedures in “To create a data set” on page 201.

2 After entering the SQL query, click Test.

3 Configure the following, then click Close.

Name of the GUI item: Description

Device: Select the FortiGate unit, FortiMail unit, or FortiClient installation to apply the SQL query to.

VDom: If you want to apply the SQL query to a FortiGate VDOM, enter the name of the VDOM.

Time Period: Select to query the logs from a time frame, or select Specified and define a custom time frame by selecting the Begin Time and End Time.

Past N Hours/Days/Weeks: If you selected Past N Hours/Days/Weeks for Time Period, enter the number.

Begin Time: Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specified in the Time Period ($time) field.

End Time: Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specified in the Time Period ($time) field.

SQL Query: If necessary, modify the SQL query to retrieve the log data you want from the SQL database.

Run: Click to execute the SQL query. The results display. If the query is not successful, check the SQL query you entered and make sure that the SQL database is working properly on the FortiAnalyzer unit.

Clear: Select to remove the displayed query results.

Save Options: Select to save the SQL query console configuration to the data set configuration. The Device and VDOM configurations are not used by the data set configuration.

Close: Click to return to the data set configuration page.

Uploading graphics for reports

You can upload graphics, for example the corporate logo, that can be added to reports. To view and configure the list of graphics, go to Report > Config > Graphic.

Figure 79: Graphic list

Name of the GUI item: Description

Upload: Click to import a graphic. On the Import Graphic page, click Browse to locate the graphic you want to upload and click OK.

Graphic Name: The name of the uploaded graphic.

Thumbnail: The reduced-size version of the uploaded graphic.
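How a data set's SQL query, with its $log and $time placeholders, can be expanded for a chosen Time Period and then run, as in the data set Test console described above; an added Python illustration, not FortiAnalyzer code. The guide states only that $log stands for the selected log type and labels Time Period as $time. The way the placeholders are expanded, the `traffic` table and its `itime`, `srcip` and `sent_bytes` columns, the data set fields and the sample rows are all assumptions made for this example, and a throwaway SQLite database stands in for the unit's SQL log database.

```python
"""Data set query with $log and $time placeholders run against a local sample (added example)."""
import sqlite3
from datetime import datetime, timedelta

# Constructed sample log rows: (timestamp, source IP, bytes sent).
# The "traffic" table and its columns are hypothetical, not the unit's schema.
NOW = datetime(2011, 3, 21, 12, 0, 0)
SAMPLE_TRAFFIC = [
    (NOW - timedelta(hours=1), "172.16.125.10", 5_000),
    (NOW - timedelta(hours=2), "172.16.125.11", 12_000),
    (NOW - timedelta(hours=30), "172.16.125.10", 90_000),  # outside "Past 1 Day"
    (NOW - timedelta(days=3), "172.16.125.12", 70_000),    # outside "Past 1 Day"
]

# A data set as it might be configured in Report > Chart > Data Set
# (hypothetical field names; the query text uses the guide's placeholders).
DATA_SET = {
    "name": "traffic-top-sources",
    "log_type": "traffic",            # stands in for the Log Type ($log) selection
    "time_period": ("past_n_days", 1),  # Time Period ($time): Past N Days, N = 1
    "sql": (
        "SELECT srcip, SUM(sent_bytes) AS total_bytes FROM $log "
        "WHERE $time GROUP BY srcip ORDER BY total_bytes DESC"
    ),
}


def _iso(value):
    """Accept a datetime or an ISO-8601 string for Begin/End Time."""
    return value if isinstance(value, str) else value.isoformat()


def time_predicate(time_period, now):
    """Turn the Time Period setting into a parameterised SQL predicate.

    Handles Past N Hours/Days/Weeks and Specified (Begin Time, End Time).
    This expansion of $time is an assumption of the example, not the unit's own.
    """
    kind, arg = time_period
    units = {"past_n_hours": "hours", "past_n_days": "days", "past_n_weeks": "weeks"}
    if kind in units:
        begin, end = now - timedelta(**{units[kind]: arg}), now
    elif kind == "specified":
        begin, end = arg
    else:
        raise ValueError(f"unknown time period {kind!r}")
    return "itime >= ? AND itime < ?", [_iso(begin), _iso(end)]


def expand_query(data_set, now):
    """Substitute $log and $time in the data set's SQL; time bounds stay bound parameters."""
    log_type = data_set["log_type"]
    if not log_type.isidentifier():  # $log becomes a table name, so keep it a plain identifier
        raise ValueError(f"bad log type {log_type!r}")
    predicate, params = time_predicate(data_set["time_period"], now)
    sql = data_set["sql"].replace("$log", log_type).replace("$time", predicate)
    return sql, params


def run_query(data_set, rows=SAMPLE_TRAFFIC, now=NOW):
    """What the Test console's Run button does: execute the expanded query and return the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE traffic (itime TEXT, srcip TEXT, sent_bytes INTEGER)")
    conn.executemany("INSERT INTO traffic VALUES (?, ?, ?)",
                     [(t.isoformat(), ip, b) for t, ip, b in rows])
    sql, params = expand_query(data_set, now)
    try:
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for srcip, total in run_query(DATA_SET):
        print(srcip, total)
```

With the Past 1 Day setting only the two rows from the last few hours are aggregated; switching the same data set to a Specified range covering the whole week pulls in the older rows as well, which is the kind of difference the Test console lets you check before saving the data set.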


Configuring report profiles

Report are configured after you have configured report chart templates and optional graphics. If you do not have a report chart template, you cannot configure a report. Reports provide a way to schedule a daily or weekly report so that the report will generate at a specific time period. To view the report list, go to Report > Config > Report.

Figure 80: Report list

To configure a report1 Go to Report > Config > Report.2 Click Create New.

3 Configure the following, then click OK.

Caution: When configuring a report, which contains both an output template and selected file formats in Output Format, the file formats sent by email are determined by the configuration settings. Only those file formats that are enabled in both output template and report output formats are sent by email. For example, if PDF and Text formats are selected in the output template, and then PDF and MHT are selected in the report, the report’s file format in the email attachment is PDF.

Name of the GUI item DescriptionClone Click to create a duplicate of a report to use as a basis for creating a

new report.

Run Run a report immediately, instead of waiting for the scheduled time.

Name The name given to the report when configuring the report.

Title The title name for the report, for example, Report_1.

Description Comments on this report.

Number of Charts The number of report chart templates added to the report.

FortiAnalyzer™ Version 4.0 MR2 Administration Guide204 Revision 13

http://docs.fortinet.com/ • Feedback

Page 205: For Ti Analyzer Admin 40 Mr2

Reports Configuring reports from logs in a SQL database

FRh

Name of the GUI item DescriptionName Enter a name for the report. This name is for the FortiAnalyzer unit to

record the report in its report list.

Title Enter a title name for the report, for example, Report_1.

Sub Title Enter a sub title name for the report, for example, Report_1_AV.

Description Enter a description for the report. This is optional.

Options Select Display Table of Contents if you want a table of contents for the report.

Schedule Select one of the following to have the report generated immediately, daily, or weekly at a specified date or time period.

Daily Select to generate the report every day at the same time. Enter the hour and minute time period for the report. The format is hh:mm.

Weekly Select to generate the report on specified days of the week. Select the day of the week and the hour on that day.

On Demand Select to generate the report immediately.

Output Format Select the type of file format you want the generated report to be. You can choose from HTML (default), PDF, MS Word, Text, MHT, and XML. Note: Only those file formats that are enabled in both remote output template (see “Configuring report output templates” on page 91) and the report configuration are sent by email. For example, if PDF and Text formats are selected in the output template, and then PDF and MHT are selected in the report schedule, the report’s file format in the email attachment is PDF.

Email/Upload Mark the check box if you want to apply a report output template from the drop-down list. For more information on configuring report output, see “Configuring report output templates” on page 91.

Report content

ortiAnalyzer™ Version 4.0 MR2 Administration Guideevision 13 205ttp://docs.fortinet.com/ • Feedback

Page 206: For Ti Analyzer Admin 40 Mr2

Configuring reports from logs in a SQL database Reports

To add a report component1 Go to Report > Config > Report.2 Click Create New.3 In the Components section, click Add.

The Report Component Chooser page opens.You can only add one type of component each time.

Header Enter a header for the report and select to use normal text or graphic for the header.If you select Graphic, click Browse to find and add a graphic you have imported. For more information, see “Uploading graphics for reports” on page 203.Click Add to add a header and Delete to remove a header.

Footer Enter a footer for the report.Click Add to add a footer and Delete to remove a footer.

Components Click Add to add the components for the report. For more information, see “To add a report component” on page 206.

Type The type of report component. This information appears after you have added a report component.

Component The name of the report component. This information appears after you have added a report component.

Action Click Edit to modify a component (see “To add a report component” on page 206) or Delete to remove a component. This information appears after you have added a report component.

FortiAnalyzer™ Version 4.0 MR2 Administration Guide206 Revision 13

http://docs.fortinet.com/ • Feedback

Page 207: For Ti Analyzer Admin 40 Mr2

Reports Configuring reports from logs in a SQL database

FRh

Search: Enter one or more key words, or part of a key word, to search the components available for this report. If you search before selecting a component type, all types of components containing the key word appear. If you search after selecting a component type, only components of the selected type containing the key word appear.

Text: Select to add a heading or text to the report, which also keeps charts separate from each other. If you select Heading, enter the heading content in the Heading field. If you select Normal Text, enter the content in the Text field.

Charts: Select to add default or user-defined chart templates to the report. Select the category for the chart template and then select one or more of the charts that are displayed. To select more than one chart, hold Ctrl while selecting.
• Title: If you select a single chart template and want to rename it, enter the new name.
• Device: Select the device to which the chart template applies. The log information for the selected chart template(s) will come from the selected device. For example, if you select All FortiGates, the chart template(s) use logs from all FortiGate units.
• VDOM: If you select a device other than All FortiGates and want to apply the chart template to one of its VDOMs, enter the name of the VDOM.

Graphics: Select to add an uploaded graphic to the report.

Misc: Select to add a page break to the report.

4 Finish adding the report components, then click Add.

Adding report dashboards and widgets
You can create report dashboards and widgets for quick access to reports. Using the pre-defined or customized report chart templates, these reports are generated instantly. Up to three dashboards can be added.

To create a report dashboard and add its widgets
1 Go to Report > Access.
2 Click the name of an existing dashboard other than Scheduled Report.
3 Click Dashboard, then select Add Dashboard. Enter the name for the dashboard and click OK.
4 Select the name of the new dashboard and click Widget to add report components to the dashboard. For details, see “To add a report component” on page 206.
5 Click Add.

Example reports (SQL-based)
The following scenario is an example of how to configure reports based on specific FortiGate log information from the SQL database.

This topic contains the following:
• Example: FortiGate report

Note: You can only generate SQL database-based reports from FortiGate log data.

Example: FortiGate report
The management of your company wants to know the top web surfers during working hours and has asked you for a report on this information. You are asked to send the report to the headquarters.

Creating the report Top_web_surfers
1 To configure the output template that will be used in the report, go to System > Config > Remote Output and click Create New.
2 Configure as follows:
• In Name, enter Top_web_surfers.
• In Output Format, select PDF and then deselect the default, HTML.
• Select Send Report by Email.
• Select Compress Report Files to compress the report for attachment to the email message.
• Enter your email address in From.
• Select the email server, server.example.com.
• For Recipient, enter the email address provided by the headquarters and then select Add.
• In the Subject field, enter Web activity within past 24 hours.
• In the Body field, enter the following: For internal use only. The attachment is a report on the top Internet users within the past 24 hours.
• Select Upload Report to Server, then enter the company’s FTP server information in the fields. The report names individual users, and plain FTP sends both the login credentials and the file unencrypted, so use a server that is reachable only over a trusted internal network.
• Select OK.
3 To configure the report chart template that will be used in the report, go to Report > Chart > Template and click Create New.
4 Configure as follows:
• In Name, enter Top_web_surfers.
• In the Description field, enter the following: Employees that surfed the Internet in the past 24 hours.
• In the Category field, select Application Control.
• In the Data Set field, select the default data set appctrl-top-web-users-last24hours. You can also create a data set. See “To create a data set” on page 201.
• In the Graph Type field, select Bar.
• Select Resolve Host Name.
• In the X-Axis Data Binding field, select Field(1)(f_user).
• Enter the number 10 for Only show First n Items.
• Select Overwrite Label and enter Top Users.
• In the Y-Axis Data Binding field, select Field(2)(totalnum).
• Select Overwrite Label and enter Past 24 Hours.
• Select OK.
5 To configure the report, go to Report > Config > Report and click Create New.
6 Configure as follows:
• In Name, enter Top_web_surfers.
• In Title, enter Top Web Surfers in the Past 24 Hours.
• In Schedule, select Daily and then enter the hour at which to generate the report.
• In Output Format, select PDF.
• Select the check box beside Email/Upload. In the Email/Upload list, select the output template.
• In Component, select Add. On the Report Component Chooser page, select Charts > Application Control, and then select the chart template Top_web_surfers that you created in step 4.
• In the Device field, select the FortiGate-50B that logged the information needed to complete the report.
• Select Add.
• On the New Report page, select OK.

Browsing reports
After reports are generated by the FortiAnalyzer unit using log data from either a SQL database or the proprietary indexed file storage system, you can view them in Report > Access > Scheduled Report. This page displays all generated reports, including generated scheduled reports.

Figure 81: Viewing reports

Delete: Select to remove the selected reports.

Rename: Select to rename a selected report.

Refresh: Select to refresh the list. If the FortiAnalyzer unit is in the process of generating a report, use Refresh to update the status of the report generation.

Device Type (filter): Select the device type for which you want to see the reports. For example, if you select FortiGate, all reports for FortiGate units appear.

Report Files: Select the report name to view the entire report in HTML format. Select the Expand Arrow to view the individual reports in HTML format.

Device Type: The type of device whose logs were selected for the report.

Started: The date and time when the FortiAnalyzer unit started generating the report.

Finished: The date and time when the FortiAnalyzer unit completed the report. If the FortiAnalyzer unit is in the process of generating a report, a progress bar appears in this column. If the FortiAnalyzer unit has not yet started generating the report, which can occur when another report is not yet finished, Pending appears in this column.

Size (bytes): The file size of the report’s HTML output, if any. The size does not reflect other output formats that may be present, such as PDF.

Other Formats: Select a file format, if any, to view the generated report in that format. In addition to HTML, the generated reports may also be available in PDF, RTF, XML/XSL, and ASCII text formats, depending on the output configuration. For more information about setting output options, see “Configuring report output templates” on page 91.

Current Page: By default, the first page of the list of items is displayed. The total number of pages is shown after the current page number. For example, if 2/10 appears, you are currently viewing page 2 of 10 pages. Select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.


Vulnerability Management
The Vulnerability Management menu configures vulnerability scans and their resulting reports.

New vulnerabilities appear in any organization’s network because of flaws in software or faulty application configuration. The vulnerability management feature can determine whether your organization’s computers are vulnerable to attack. With this feature, you can define your host assets or discover hosts in the network, configure vulnerability management scans, generate reports, and interpret the results. FortiAnalyzer units come with a default database of more than 2,500 vulnerabilities. For FortiGuard Vulnerability Management Service subscribers, this database can be updated periodically via the FortiGuard Distribution Network (FDN) to receive definitions of the most recently discovered vulnerabilities. For details, see “Scheduling & uploading vulnerability management updates” on page 116.

The vulnerability scan is suitable for many types of hosts, including those running Microsoft Windows or Unix variants such as Linux and Apple Mac OS X, as well as a variety of applications and services/daemons.

A vulnerability scan proceeds through the following stages, in order:
• Parsing scan settings
• Detecting live hosts
• Scanning ports, if required
• Scanning the OS, if required
• Performing the service scan
• Performing the vulnerability scan with the specified FIDs

This topic includes:
• How to use vulnerability management
• Configuring host assets
• Discovering network host assets
• Preparing for authenticated scanning
• Configuring vulnerability scans
• Viewing host vulnerability statuses
• Viewing the vulnerability database
• Configuring compliance report templates
• Viewing compliance reports


How to use vulnerability management
To configure a vulnerability management scan, follow these general steps:
1 Define the host assets that you want to scan. You can do this either manually or automatically, by discovering hosts through a network map scan. For details, see “Configuring host assets” on page 214 or “Discovering network host assets” on page 217.
2 Group the host assets. For more information, see “Configuring host assets” on page 214.
3 Add sensors to define which vulnerabilities you want to discover. For more information, see “Configuring vulnerability sensors” on page 226.
4 Configure scan profiles to specify the port numbers, sensors, and other options to be used for scanning host vulnerabilities. For more information, see “Configuring vulnerability scan profiles” on page 231.
5 Schedule network vulnerability scans. For more information, see “Scheduling vulnerability scans” on page 234.

When vulnerability scans are completed, the following reports are generated:
• Summary report: Identifies overall network host vulnerabilities discovered by all scans (see “Viewing host vulnerability statuses” on page 239)
• Scan report: Identifies network host vulnerabilities discovered by a specific scan (see “Viewing vulnerability scan reports” on page 235)
• Compliance report: Reports on the hosts’ compliance with the PCI Data Security Standard (see “Viewing compliance reports” on page 245)

Configuring host assets
Vulnerability Management > Asset > Host displays the list of known host assets.

Before the FortiAnalyzer unit can scan your hosts for vulnerabilities, you must define your host assets and group them into asset groups. You can either add hosts to this list manually or discover them through a network map scan. For details, see “Discovering network host assets” on page 217 and “Grouping host assets” on page 216.

Figure 82: Host asset list

Name: The host name.

IP/Range: The IP address of the host, or the IP address range of the hosts.

Authentication: A green symbol indicates that authentication credentials have been entered for this host. They can be Windows, UNIX, or SNMP credentials. The FortiAnalyzer unit uses them to log in to the hosts during a vulnerability scan. For more information, see “Preparing for authenticated scanning” on page 223.

Location: The location of the host. This is an optional, information-only field.

Function: The function of the host. This is an optional, information-only field.

Number of Vulnerabilities: The number of vulnerabilities found on this host.

To add a host asset
1 Go to Vulnerability Management > Asset > Host.
2 Click Create New.
3 Enter the appropriate information and click OK.

Name: The name of the host. Names cannot contain spaces.

Type: Select Host for a single host, or IP Range for multiple hosts in a contiguous IP address range.

IP Address: If you set Type to Host, enter the host IP address. If you set Type to IP Range, enter the first and last IP addresses of the range. All the hosts within the range will be included in the host asset.

Location: An optional field containing the location of the host.

Function: An optional field containing the function of the host.

Asset Tag: An optional field containing the tag of the host.

Comments: An optional field containing a comment relevant to the host.

Authentication: Enter the authentication credentials for the host(s). The FortiAnalyzer unit uses them to log in to the hosts during a vulnerability scan. If you set Type to IP Range, you can enter credentials for the range only if all of its hosts share the same credentials. Otherwise, enter credentials host by host by setting Type to Host and entering each host’s IP address.

Windows: For Windows authentication, select whether the host uses domain authentication or local authentication, and enter the user name and password. Domain authentication also requires the domain name. For more information, see “Preparing for authenticated scanning” on page 223.

UNIX: For UNIX authentication, enter the user name and password, and the PEM-encoded private RSA and DSA keys in text format. You may also give the FortiAnalyzer unit superuser privileges by selecting Enable Sudo. For more information, see “Preparing for authenticated scanning” on page 223.

SNMP: Enter the required community strings. The SNMP community string specifies the relationship between an SNMP server system and the client systems. It acts like a password that controls the clients’ access to the server, so treat it as a secret and do not rely on the default public and private strings; note that SNMPv1 and SNMPv2c send it across the network unencrypted.

Grouping host assets
Vulnerability Management > Asset > Group displays the list of groups of host assets.

Before hosts can be scanned, they must be grouped. These groups are then selected within network map configurations and scan schedules. Grouping hosts eliminates the need to select every host in each scan profile: when your groups have been created, simply select the required group in the scan profile. Hosts can be included in multiple groups.

Figure 83: Group list

Name: The group name.

Host: The hosts in the group.

Business Impact: A rating indicating the relative importance of the hosts in the group.

Number of Vulnerabilities: The number of vulnerabilities found on the hosts of this group.

To add a group
1 Go to Vulnerability Management > Asset > Group.
2 Click Create New.


3 Enter the appropriate information and click OK.

Name: The group name.

Host: Select the available host assets and select the Include icon to add them to the asset group; select the Exclude icon to remove them from it.

Business Impact: A rating indicating the relative importance of the hosts in the group.

Comments: An optional comment describing the group.

Discovering network host assets
Vulnerability Management > Network Map > Config displays the list of network map profiles, which are used to discover host assets by scanning the network.

Through network mapping, the FortiAnalyzer unit lists in a report all the hosts it is able to discover on the local network segment. The discovered hosts can be imported into an asset group to ensure that they are covered by the vulnerability scans.

You can create multiple network map configurations to scan and discover the live hosts on your network. The configurations can have different scan targets such as asset groups, domains, or IP address ranges. Network map reports are generated based on these configurations. Depending on the scan targets you select, the network map process runs in one of two ways:
• If you have selected an asset group or entered an IP range, the FortiAnalyzer unit attempts to detect the live hosts directly within the asset group or IP range. The number of hosts found may vary from run to run because not all hosts are reachable at all times.
• If you have entered a domain name, the FortiAnalyzer unit attempts to find the hosts under the domain by identifying the authoritative name server for the domain and requesting a list of all the hosts under the domain managed by that name server (a DNS zone transfer). This request is not always permitted and may be refused by the name server administrator. If it is refused, the FortiAnalyzer unit queries the name server by brute force to find the IP address assigned to each FQDN: it uses a proprietary list of roughly 100 common host names, such as www or ftp, to form a list of FQDNs under the domain. Once it has found the IP addresses for the target domain, it probes them to discover their hosts.

The FortiAnalyzer unit uses the following host discovery methods:
• ICMP
• TCP ports
• UDP ports
• DNS
• Reverse DNS
• DNS zone transfer
• TCP RST
• Traceroute
• Other protocol or ICMP
• Other TCP ports
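The domain-discovery path described above (ask each authoritative name server for a zone transfer, and fall back to resolving a list of common host names when the transfer is refused), written out as an added POSIX shell example. This is not FortiAnalyzer code and not part of the original guide; it uses dig from BIND, the name list is a short constructed stand-in for the unit’s proprietary 100-name list, and the sample dig output used to check the parser is constructed here.

```sh
#!/bin/sh
# Added example (not FortiAnalyzer code): DNS-based host discovery for a
# domain, mirroring the guide's two-stage approach. Requires dig (BIND).

# Constructed stand-in for the scanner's proprietary ~100-name list.
COMMON_NAMES="www ftp mail smtp pop imap ns ns1 ns2 dns vpn remote gw proxy \
intranet portal webmail owa exchange ad dc ldap sso db sql mysql oracle \
backup files share print test dev staging"

# authoritative_ns DOMAIN -> authoritative name servers, one per line
authoritative_ns() {
    dig +short NS "$1" | sed 's/\.$//'
}

# parse_a_records < dig-answer-lines -> "fqdn ip" for every A record.
# Pure text processing, so the zone-transfer stage can be checked offline.
# dig answer lines look like: www.example.com. 300 IN A 192.0.2.10
parse_a_records() {
    awk '$4 == "A" { sub(/\.$/, "", $1); print $1, $5 }'
}

# zone_transfer DOMAIN NS -> "fqdn ip" pairs, or nothing if AXFR is refused.
# Most administrators rightly refuse AXFR to arbitrary clients; a non-empty
# answer here is itself a finding worth reporting.
zone_transfer() {
    dig +noall +answer axfr "$1" "@$2" 2>/dev/null | parse_a_records
}

# candidate_fqdns DOMAIN -> one FQDN per line built from the common-name list
candidate_fqdns() {
    for n in $COMMON_NAMES; do
        printf '%s.%s\n' "$n" "$1"
    done
}

# brute_force DOMAIN [NS] -> "fqdn ip" for every candidate that resolves.
# Only IPv4 addresses are kept, so a CNAME chain yields its final address.
# With no NS given, the system resolver is used ($server stays empty).
brute_force() {
    domain=$1
    server=${2:+@$2}
    candidate_fqdns "$domain" | while read -r fqdn; do
        for ip in $(dig +short A "$fqdn" $server 2>/dev/null | grep -E '^[0-9.]+$'); do
            printf '%s %s\n' "$fqdn" "$ip"
        done
    done
}

# discover_domain_hosts DOMAIN -> "fqdn ip" pairs: zone transfer first, then
# the name list against the first authoritative server; deduplicated.
discover_domain_hosts() {
    domain=$1
    servers=$(authoritative_ns "$domain")
    for ns in $servers; do
        found=$(zone_transfer "$domain" "$ns")
        if [ -n "$found" ]; then
            printf '%s\n' "$found" | sort -u
            return 0
        fi
    done
    brute_force "$domain" "$(printf '%s\n' "$servers" | head -n 1)" | sort -u
}

# Usage: DOMAIN=example.com sh discover.sh   (needs network access)
if [ -n "${DOMAIN:-}" ]; then
    discover_domain_hosts "$DOMAIN"
fi
```

Run against a domain you are authorized to test. The two stages have different footprints: a successful AXFR is a single query but reveals the whole zone, while the brute-force stage sends one A query per candidate name and is visible in the name server’s query log, which is also what a defender would watch for.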

Figure 84: Network map profile list

Run: Select to run a network map scan immediately. This may take a while, depending on the targets selected, the number of hosts in the network, and the network speed.

Cancel: Select to stop a running network map scan.

Name: The network map configuration name.

Target: The asset group, domain, or IP address range on which the network map scan will be run.

Scan Ports: The host ports to be checked by the network map scan: TCP, UDP, or TCP & UDP.

Schedule: If the network map scan is configured to run on a repeating schedule, the frequency is listed here. For example, “Daily at 16:00.”

Effective Period: The first time a repeating schedule occurs is listed here. For example, “From 2009-02-12.”

To create a network map configuration
1 Go to Vulnerability Management > Network Map > Config.
2 Click Create New.
3 Enter the appropriate information and click OK.

Name: The name of the network map configuration.

Target: This section defines what part of your network will be examined by the network map scan.

Scan Ports: The host ports to be checked. Select TCP, UDP, or TCP & UDP.

Asset Group: The asset group on which the network map scan will be run.

Maintain Asset Group: Select to have the network map scan automatically add to the selected asset group any new hosts discovered through the domain or IP address range scan. No hosts are removed, even if they are unreachable. A domain or IP range must be entered if this option is selected.

Domain: Enter a domain name in which the scan will be executed.

IP Range: Enter an IP range in which the scan will be executed. The IP range must be within the same subnet.

Schedule: Network map reports can be generated automatically at regular intervals, or on demand.

Run Now: Select to specify an on-demand report. A report is generated when the profile is saved and whenever the Run Now icon is selected. No scheduled reports are generated.


Run Later: Select to have reports generated at regular intervals.

Daily/Weekly/Monthly: Select Daily, Weekly, or Monthly to have a report automatically generated at the specified interval.

Start Date: Specify the date on which the first scheduled report is generated. From then on, it is generated at daily, weekly, or monthly intervals.

Time: Specify the time of day at which the scheduled report is generated.

Output Option
File output: Select the formats in which the network map report will be generated. HTML is the default format. Any or all other available formats may be selected.

Email/Upload: To have the report delivered to an email address or FTP server, select an existing report output template or create a new one. For more information, see “Configuring report output templates” on page 91.

Viewing network map reports
Vulnerability Management > Network Map > Report displays the list of network map reports generated by the FortiAnalyzer unit. Network map reports are generated by network map scans. For details, see “Discovering network host assets” on page 217.

Figure 85: Network map reports

Rename: Select to rename a selected report.

Import: Select to import the hosts discovered by the network map scan into an asset group to ensure that they are covered by the vulnerability scans. The hosts you select can be added to an existing asset group or to a new group. The host import page lists the following information for each discovered host:
• IP Address: The IP address of the host.
• DNS Hostname: The host name returned when querying the DNS server.
• NetBIOS Hostname: The NetBIOS name of the host, if any.
• OS: The operating system running on the host.
Note that the network map scan may discover more hosts than those specified in a target asset group, because the scan can also discover hosts via a specified domain. For more information, see “Discovering network host assets” on page 217.

Name: The name of the report. The name is made up of the map configuration name and the date and time the report was generated. Select the name to view the HTML version of the report. The Map Report Summary table lists the configuration profile options of the network map scan. See “To view a report” on page 221.

Started: The date and time the report generation was started.

Finished: The date and time the report generation was completed. From the Started and Finished times, you can calculate how long the FortiAnalyzer unit took to generate the report.

Size (bytes): The size, in bytes, of the HTML report.

Formats: The formats in which the report was generated. HTML is the default format, and any others are listed here.

Current page: By default, the first page of reports is displayed. The total number of pages appears after the current page number. For example, if 2 of 10 appears, you are currently viewing page 2 of 10 pages. Select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

To view a report
1 Go to Vulnerability Management > Network Map > Report.
2 Click a report name.


Map Report Summary
Date: The date and time the network map report was generated.

Asset Group: The asset group on which the network map scan was run.

Domain: The domain in which the scan was executed.

IP Range: The IP range in which the scan was executed.

Total Hosts Found: The number of hosts found during the scan of the targets.

Scan Started: The starting date and time of the scan.

Scan Ended: The ending date and time of the scan.

VM Engine Version: The Vulnerability Management engine version number and date of last update. This is updated via the FortiGuard Distribution Network if you are a FortiGuard Vulnerability Management Service subscriber.

VM Plugin Version: The Vulnerability Management plug-in version number and date of last update. This is updated via the FortiGuard Distribution Network if you are a FortiGuard Vulnerability Management Service subscriber.

(TCP or UDP) Ports: The host port(s) configured to be checked.

Live Host Sweep: The status of netblock live host discovery. Live host sweep discovers live hosts in the specified IP address range. This option is enabled and disabled through the CLI; for more information, see the command config vm in the FortiAnalyzer CLI Reference. By default, this option is enabled. If you disable it, the FortiAnalyzer unit treats all hosts in the IP range as alive, even if some are not reachable.

Exclude Hosts Discovered Only By DNS: If this option is On, the network map scan excludes hosts that were discovered only by querying the DNS server. This option is enabled and disabled through the CLI; for more information, see the command config vm in the FortiAnalyzer CLI Reference. By default, this option is disabled.

Scan target: Under each specified scan target (asset group, domain, or IP range), the discovered hosts and their respective services are listed.

Hosts
Host: The IP address of the discovered host.

DNS: The host name returned when querying the DNS server.

NetBIOS: The NetBIOS name of the host, if any.

Router: The router used by the host.

OS: The operating system running on the host.

Active: Identifies whether the host was alive at the time of discovery. A host is alive if it replies to any of the host discovery methods. X means alive; an empty field means dead.

Registered: Identifies whether the host is registered as a host asset with the FortiAnalyzer unit. X means registered; an empty field means unregistered.

Approved: Identifies whether the host is in the approved host list. The approved hosts for a map scan can be configured via the CLI; for more information, see the command config vm in the FortiAnalyzer CLI Reference.

Host Services
Discovery Method: The method used to discover the host.

Port: The port number scanned by the discovery method.

Service: The service running on the discovered host.

Preparing for authenticated scanning
You can configure the FortiAnalyzer unit to perform an authenticated network scan, which provides authenticated host-level configuration and security data.


Authenticated scan is optional but recommended. With authenticated scan, the FortiAnalyzer unit can log in to a target host and obtain system information that would otherwise not be available. For example, the FortiAnalyzer unit can detect installed service packs, hot fixes, security upgrades, and package versions and patches. It can more accurately detect the operating system, such as Windows version, and the particular distribution and product on each host, such as various Linux distributions. With the information gathered, the FortiAnalyzer unit can perform more in-depth vulnerability analysis since many vulnerabilities can only be detected via authenticated scan.Depending on your configurations, a regular network scan may not be thorough as it may be limited to a port scan or unable to accurately complete certain probes.The effectiveness of an authenticated scan is determined by the level of access the FortiAnalyzer unit obtains to the host operating system. Rather than using the system administrator’s account, it might be more convenient to set up a separate account for the exclusive use of the vulnerability scanner with a password that does not change.This section describes the requirements by Microsoft Windows hosts and Unix hosts for authenticated scan.

Microsoft Windows hosts - domain scanningThe user account provided for authentication must • have administrator rights• be a Security type of account • have global scope• belong to the Domain Administrators group• meet the Group Policy requirements listed below:

Group Policy - Security OptionsIn the Group Policy Management Editor, go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Group Policy - System ServicesIn the Group Policy Management Editor, go to Computer Configuration > Windows Settings > Security Settings > System Services.

Group Policy - Administrative TemplatesIn the Group Policy Management Editor, go to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.

Setting ValueNetwork access: Sharing and security model for local accounts Classic

Accounts: Guest account status Disabled

Network access: Let Everyone permissions apply to anonymous users Disabled

Setting ValueRemote registry Automatic

Server Automatic

Windows Firewall Automatic

FortiAnalyzer™ Version 4.0 MR2 Administration Guide224 Revision 13

http://docs.fortinet.com/ • Feedback

Page 225: For Ti Analyzer Admin 40 Mr2

Vulnerability Management Preparing for authenticated scanning

FRh

Setting | Value
Windows Firewall: Protect all network connections | Disabled

or

Setting | Value
Windows Firewall: Protect all network connections | Enabled
Windows Firewall: Allow remote administration exception | Enabled
    Allow unsolicited messages from (1) | *
Windows Firewall: Allow file and printer sharing exception | Enabled
    Allow unsolicited messages from (1) | *
Windows Firewall: Allow ICMP exceptions | Enabled
    Allow unsolicited messages from (1) | *

(1) Windows prompts you for a range of IP addresses. Enter either “*” or the IP address of the FortiAnalyzer unit that is performing the vulnerability scan.

Microsoft Windows hosts - local (non-domain) scanning

The user account provided for authentication must:
• be a local account
• belong to the Administrators group

The host must also meet the following requirements:
• Server service must be enabled. (Windows 2000, 2003, XP)
• Remote Registry Service must be enabled.
• File Sharing must be enabled.
• Public folder sharing must be disabled. (Windows 7)
• Simple File Sharing (SFS) must be disabled. (Windows XP)

Windows firewall settings
• Enable the Remote Administration Exception in Windows Firewall. (Windows 2003, Windows XP)
• Allow File and Print sharing and Remote Administration traffic to pass through the firewall. Specify the IP address or subnet of the FortiAnalyzer unit that is performing the vulnerability scan. (Windows Vista, 2008)
• For each of the active Inbound Rules in the File and Printer Sharing group, set the Remote IP address under Scope to either Any IP address or to the IP address or subnet of the FortiAnalyzer unit that is performing the vulnerability scan. (Windows 7)

Unix hosts

The user account provided for authentication must be able at a minimum to execute these commands:
• The account must be able to execute "uname" in order to detect the platform for packages.
• If the target is running Red Hat, the account must be able to read /etc/redhat-release and execute "rpm".
• If the target is running Debian, the account must be able to read /etc/debian-version and execute "dpkg".
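A pre-flight check for the Unix host requirements listed above, meant to be run on the target as the scan account before its credentials are entered into FortiAnalyzer. This is an added example and not Fortinet's code; the injectable `which`/`readable` hooks, the check names, and the second Debian spelling /etc/debian_version (checked alongside the /etc/debian-version the guide names) are assumptions made for the example.

```python
# Added example (not Fortinet code): pre-flight check of the Unix host
# prerequisites for authenticated scanning, run on the target as the account
# that will be given to FortiAnalyzer.
import os
import shutil

# Release files the guide names. Debian systems ship /etc/debian_version
# (underscore); both spellings are probed so the result matches what the
# scanner would actually find. (Assumption for the example.)
REDHAT_RELEASE = "/etc/redhat-release"
DEBIAN_RELEASE_FILES = ("/etc/debian-version", "/etc/debian_version")


def check_unix_scan_prereqs(which=shutil.which,
                            readable=lambda path: os.access(path, os.R_OK)):
    """Return {requirement: satisfied} for the calling account.

    `which` and `readable` are injectable so the decision logic can be
    exercised against a fake host; the defaults probe the real system.
    """
    result = {"uname executable": which("uname") is not None}
    is_redhat = readable(REDHAT_RELEASE)
    is_debian = any(readable(p) for p in DEBIAN_RELEASE_FILES)
    if is_redhat:
        result["/etc/redhat-release readable"] = True
        result["rpm executable"] = which("rpm") is not None
    if is_debian:
        result["debian version file readable"] = True
        result["dpkg executable"] = which("dpkg") is not None
    if not (is_redhat or is_debian):
        # Neither release file is readable: the scanner cannot tell which
        # package manager to query, so package-level checks would be skipped.
        result["platform release file readable"] = False
    # Computed before the summary key is stored, so it covers all checks above.
    result["all prerequisites met"] = all(result.values())
    return result


def report(result):
    """Render the check as one line per requirement, OK or MISSING."""
    return "\n".join(f"{'OK     ' if ok else 'MISSING'} {name}"
                     for name, ok in result.items())


if __name__ == "__main__":
    print(report(check_unix_scan_prereqs()))
```

Run it as the scan account (not as root), since it is that account's PATH and file permissions that decide what the scanner can do.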

Configuring vulnerability scans

The Vulnerability Management > Scan menu contains the tools you need to define how your assets are scanned, when they’re scanned, and the reports detailing the results.

Configuring vulnerability sensors

Vulnerability Management > Scan > Sensor displays the list of vulnerability scan sensors.

Sensors define which vulnerabilities the vulnerability scan checks your hosts for. The filters in each sensor include pre-defined vulnerability scan signatures. By adding filters, you group signatures into sensors for easy selection in profiles. You can define signatures for specific types of vulnerability scan in separate sensors, and then select those sensors in profiles designed to handle that type of vulnerability scan. For example, you could specify all of the application-related signatures in a sensor, and the sensor can then be used by a profile that specifies the means to be used for scanning host application vulnerabilities.

The FortiGuard Vulnerability Management Service periodically updates the pre-defined signatures, with signatures added to discover new threats. Because the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added. To display your FortiAnalyzer unit’s database of currently known vulnerability signatures, see “Viewing the vulnerability database” on page 242.

FortiAnalyzer units come with pre-defined sensors. You cannot modify or delete the pre-defined sensors. They are updated with the vulnerability management engine and plug-in releases.

Figure 86: Sensor list

Name of the GUI item | Description
View Vulnerability Details | View all of the vulnerabilities included in the sensor. This is updated via the FortiGuard service.
Name | The sensor name.
# Entries | The total number of filters and overrides in the sensor.

Profiles | The name of the vulnerability scan profile in which the sensor is used.
Comment | An optional comment describing the sensor.

To add a sensor
1 Go to Vulnerability Management > Scan > Sensor.
2 Click Create New.
3 Enter a name and an optional comment for the sensor.
4 Click OK.

Name of the GUI item | Description
Filters
Insert | Select a filter and then Insert to place a new filter above the selection.
Move To | Select a filter and then Move To to move the filter to a new position.
View Vulnerability Details | Select a filter and then View Vulnerability Details to view all of the vulnerability signatures included in the filter.
# | Current position of each filter in the list.
Name | The filter name.
Type | Indicates whether the filter includes or excludes the matching vulnerability scan parameters.
Severity | The severity level of the vulnerabilities in the filter.
Category | The type of vulnerabilities included in the filter. The category includes application types, traffic types, and host types.

Authentication | The specified host type(s) to be scanned for vulnerabilities. The scan requires host authentication credentials. For information on host authentication credentials configuration, see “Configuring host assets” on page 214.
Existent | The attributes identified for the signatures. Only the signatures that have these attributes are used for this filter.
Non-existent | The attributes identified for the signatures. Only the signatures that do not have these attributes are used for this filter.
Last Update Time | The time period during which the updated signatures were used for the vulnerability scan. This is useful if you only want to use some signatures for a scan.
Overrides | Overrides are configured and work mainly in the same way as filters. Unlike filters, each override defines the behavior of one or more signatures. Overrides can be used in two ways:
• To change the behavior of a signature already included in a filter. For example, to scan application vulnerabilities, you could create a filter that includes all signatures related to applications. If you wanted to disable one of those signatures, the simplest way would be to create an override and mark the signature as excluded.
• To add an individual signature, not included in any filters, to a sensor. This is the only way to add custom signatures to the sensors.
# | Current position of each override in the list.
Name | The override name.
Type | Indicates whether the override includes or excludes the specified vulnerability scan signatures.
FID | The specified Fortinet ID of the vulnerability scan signature to be included or excluded in the sensor. The FID is a unique identifier assigned by the FortiGuard Vulnerability Management Service.

To configure a filter
1 Go to Vulnerability Management > Scan > Sensor.
2 Either:
• Click Create New to add a sensor. See “To add a sensor” on page 227.
• Select an existing sensor and click Edit.
3 Under Filters, click Create New.

4 Enter the appropriate information and click OK.

Name of the GUI item | Description
Name | The filter name.
Type | Select whether the filter includes or excludes the matching vulnerability scan signature.
Severity | The severity level of the vulnerabilities in the filter. Select all or specify any particular levels. Severity defines the relative importance of each signature. Signatures rated critical detect the most dangerous vulnerabilities while those rated as information pose a much smaller vulnerability.
Authentication | Specify the host type(s) to be scanned for vulnerabilities. The scan requires host authentication credentials. For information on host authentication credentials configuration, see “Configuring host assets” on page 214.

Category | The type of vulnerabilities included in the filter. The category includes application types, traffic types, and host types. Select all or specify any categories. Use the Right Arrow to move the specified categories into the Selected field.
Last Update Time | The time period during which the updated signatures will be used for the vulnerability scan. This is useful if you only want to use some signatures for a scan to save time.
Top20 Group | Optionally, select to include Fortinet top 20 vulnerabilities or SANS (SANS Internet Storm Center) top 20 vulnerabilities in the filter.
Other Options | The attributes in a vulnerability signature. Select to refine the signatures for the filtering.
• Patch Availability: The availability of patches for the vulnerability of a host.
• CVE ID: The Common Vulnerabilities and Exposures ID of the signature. CVE IDs are unique, common identifiers for publicly known information security vulnerabilities.
• Bug Traq ID: The Bugtraq ID of this signature. Bugtraq is an electronic mailing list dedicated to issues about computer security.
• FortiGuard IPS Signature: The name of the FortiGuard IPS signature for this vulnerability.
• Vendor Reference: The remedy for the vulnerability recommended by the host vendor.
• Affected Hosts: The number of hosts affected by the vulnerability.
Ignore | Ignore this attribute in the signature. All signatures with or without this attribute will be used for this filter.
Existent | Only use the signatures that have this attribute for this filter.
Non-existent | Only use the signatures that do not have this attribute for this filter.

To configure an override
1 Go to Vulnerability Management > Scan > Sensor.
2 Either:
• Click Create New to add a sensor. See “To add a sensor” on page 227.
• Select an existing sensor and click Edit.
3 Under Overrides, click Create New.

4 Enter the appropriate information and click OK.

Name of the GUI item | Description
Name | The override name.
Type | Select whether the override includes or excludes the specified vulnerability scan signatures (FIDs).
FID | The specified Fortinet ID of the vulnerability signature to be included or excluded in the sensor. The FID is a unique identifier assigned by the FortiGuard Vulnerability Management Service. Select the Select Vulnerability ID icon to choose the FIDs and then select Import. The FIDs are inserted into this field. If you enter the FIDs manually, separate them with “,”.

Configuring vulnerability scan profiles

Vulnerability Management > Scan > Profile displays the list of vulnerability scan profiles.

Profiles define what means are used to scan hosts for vulnerabilities. When configuring a profile, various ports can be specified as well as the sensor to be used. The FortiAnalyzer unit comes with pre-defined profiles. You cannot modify or delete the pre-defined profiles. They are updated with the vulnerability management engine and plug-in releases.
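How a sensor's filters and overrides (described above) resolve to the set of signature FIDs that a profile selecting that sensor will scan for, as an added worked example rather than Fortinet's implementation. The signature database, the FIDs, the attribute names, and the in-order include/exclude evaluation with overrides applied last are constructed assumptions; the example also shows the guide's point that a newly published signature matching an existing filter is picked up without editing the sensor, and that an override is the way to add a FID no filter matches.

```python
# Added example (not Fortinet code): resolving a sensor's filters and
# overrides to the set of signature FIDs a scan will use. The signature
# database, FIDs, attribute names and the in-order include/exclude
# evaluation are constructed assumptions for illustration.
from dataclasses import dataclass, field

ATTRIBUTE_CHOICES = ("ignore", "existent", "non-existent")


@dataclass(frozen=True)
class Signature:
    fid: int
    severity: str
    category: str
    attributes: frozenset   # attributes the signature carries, e.g. "cve_id"


@dataclass
class Filter:
    name: str
    include: bool = True                            # Type: include / exclude
    severities: set = field(default_factory=set)    # empty set = all
    categories: set = field(default_factory=set)    # empty set = all
    attributes: dict = field(default_factory=dict)  # attribute -> choice

    def matches(self, sig):
        """True if the signature meets the filter's severity, category and
        attribute requirements ('ignore' imposes no attribute requirement)."""
        if self.severities and sig.severity not in self.severities:
            return False
        if self.categories and sig.category not in self.categories:
            return False
        for attr, choice in self.attributes.items():
            if choice not in ATTRIBUTE_CHOICES:
                raise ValueError(f"bad attribute choice {choice!r}")
            has = attr in sig.attributes
            if (choice == "existent" and not has) or (choice == "non-existent" and has):
                return False
        return True


@dataclass
class Override:
    name: str
    include: bool
    fids: str   # entered manually as a comma-separated list, e.g. "9001, 9002"


def parse_fids(text):
    """Split the override's FID field on ',' as the GUI expects."""
    return {int(token) for token in text.split(",") if token.strip()}


def resolve_sensor(filters, overrides, database):
    """FIDs the sensor scans for: filters are applied in list order
    (include adds its matches, exclude removes them), then overrides pin
    individual FIDs in or out, so an override always wins over a filter."""
    selected = set()
    for flt in filters:
        matched = {sig.fid for sig in database if flt.matches(sig)}
        selected = selected | matched if flt.include else selected - matched
    for ovr in overrides:
        fids = parse_fids(ovr.fids)
        selected = selected | fids if ovr.include else selected - fids
    return selected


# Constructed signature database standing in for the FortiGuard feed.
DATABASE = [
    Signature(1001, "critical", "Applications", frozenset({"cve_id", "patch_availability"})),
    Signature(1002, "high", "Applications", frozenset({"cve_id"})),
    Signature(1003, "medium", "Operating System", frozenset({"cve_id", "patch_availability"})),
    Signature(1004, "information", "Applications", frozenset()),
    Signature(1005, "high", "Email", frozenset({"patch_availability"})),
]

# The sensor from the text: all application signatures, minus information-
# level ones, plus OS signatures that have a patch available, with one
# signature disabled by override and two custom FIDs added by override.
EXAMPLE_FILTERS = [
    Filter("all-applications", include=True, categories={"Applications"}),
    Filter("drop-informational", include=False, severities={"information"}),
    Filter("patchable-os", include=True, categories={"Operating System"},
           attributes={"patch_availability": "existent"}),
]
EXAMPLE_OVERRIDES = [
    Override("disable-1002", include=False, fids="1002"),
    Override("custom-checks", include=True, fids="9001, 9002"),
]

if __name__ == "__main__":
    print(sorted(resolve_sensor(EXAMPLE_FILTERS, EXAMPLE_OVERRIDES, DATABASE)))
```

Because filters are attribute-based, re-running `resolve_sensor` after the database grows picks up any new signature that matches, which is the auto-inclusion behaviour the sensor section describes; overrides, being pinned to FIDs, never widen by themselves.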


Figure 87: Profile list

Name of the GUI item | Description
Run | Select to run the profile on an asset group to scan the hosts in the group. A vulnerability report will be generated. See “Viewing vulnerability scan reports” on page 235.
Name | The profile name.
Sensor | The sensor used in this profile.

To create a profile
1 Go to Vulnerability Management > Scan > Profile.
2 Click Create New.

3 Enter the appropriate information and click OK.

Name of the GUI item | Description
Name | Enter a name for the profile.
Vulnerability Scan | If you want to use this profile for a vulnerability scan, select this option and a sensor.
Port Scan | Select the host ports to be scanned. A port must be selected for a profile.

TCP Ports
None | The profile will not scan for open TCP ports.
Full | The profile will scan all TCP ports, from 1-65535.
Standard | The profile will scan about 2000 commonly used TCP ports.
Light | The profile will scan about 160 commonly used TCP ports.
Additional | Enable and enter any TCP ports or port ranges you wish to scan in addition to the previous selection. To scan only the entered ports, select None for the previous setting. Port ranges are defined with the start and end values separated by a hyphen, and ports and ranges are separated by commas. For example, a valid entry is 6000-7000,9725,11000.

UDP Ports
None | The profile will not scan for open UDP ports.
Full | The profile will scan all UDP ports, from 1-65535.
Standard | The profile will scan about 180 commonly used UDP ports.
Light | The profile will scan about 30 commonly used UDP ports.
Additional | Enable and enter any UDP ports or port ranges you wish to scan in addition to the previous selection. To scan only the entered ports, select None for the previous setting. Port ranges are defined with the start and end values separated by a hyphen, and ports and ranges are separated by commas. For example, a valid entry is 6000-7000,9725,11000.
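A parser and validator for the Additional port entry described in the TCP Ports and UDP Ports rows above, combined with the None/Full/Standard/Light base selection to give the ports a profile will actually scan. This is an added example, not Fortinet's code; the Standard and Light port sets in it are small constructed stand-ins, since the real lists are not given on this page, and the validation messages are the example's own.

```python
# Added example (not Fortinet code): parsing and validating the "Additional"
# TCP/UDP port entry of a scan profile and combining it with the
# None/Full/Standard/Light base selection.
PORT_MIN, PORT_MAX = 1, 65535

# Constructed stand-ins: the real Standard (~2000 TCP) and Light (~160 TCP)
# lists are Fortinet-internal and not published on this page.
BASE_SETS = {
    "None": set(),
    "Full": set(range(PORT_MIN, PORT_MAX + 1)),
    "Standard": {21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389},
    "Light": {22, 80, 443},
}


def _port(token):
    """Validate one port token; whitespace around the number is tolerated."""
    if not token.strip().isdigit():
        raise ValueError(f"not a port number: {token.strip()!r}")
    value = int(token)
    if not PORT_MIN <= value <= PORT_MAX:
        raise ValueError(f"port out of range {PORT_MIN}-{PORT_MAX}: {value}")
    return value


def parse_port_spec(spec):
    """Parse '6000-7000,9725,11000' into a sorted, de-duplicated port list.

    Raises ValueError on an empty item, a non-numeric token, a port outside
    1-65535, or a range whose start is greater than its end.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port list")
        if "-" in item:
            start_s, _, end_s = item.partition("-")
            start, end = _port(start_s), _port(end_s)
            if start > end:
                raise ValueError(f"range start exceeds end: {item}")
            ports.update(range(start, end + 1))
        else:
            ports.add(_port(item))
    return sorted(ports)


def validate_port_spec(spec):
    """None if the entry is valid, otherwise the error message (for a form check)."""
    try:
        parse_port_spec(spec)
    except ValueError as exc:
        return str(exc)
    return None


def effective_ports(base, additional=None):
    """Ports the profile will scan: the base selection plus the Additional
    entry. Base 'None' with an Additional entry scans only the entered ports."""
    if base not in BASE_SETS:
        raise ValueError(f"unknown base selection: {base}")
    ports = set(BASE_SETS[base])
    if additional:
        ports.update(parse_port_spec(additional))
    return sorted(ports)


if __name__ == "__main__":
    print(len(parse_port_spec("6000-7000,9725,11000")), "ports")
    print(effective_ports("Light", "8080,8443"))
    print(validate_port_spec("80-22"))
```

Rejecting a reversed range and out-of-range values up front is worth doing in any wrapper that feeds port lists to a scanner: a silently empty range produces a scan that reports no open ports rather than an error.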

Other Options
Perform TCP 3-way Handshake | Establish a connection with the host using the TCP-standard 3-way handshake. Closing the connection is also performed the same way.
Scan Dead Host | Scan hosts that appear to be unreachable. Some hosts may not return pings although they are still active. Enabling Scan Dead Host will force the FortiAnalyzer unit to scan these hosts. Enabling this option will significantly increase the time required to complete a scan.

Scheduling vulnerability scans

Vulnerability Management > Scan > Schedule displays the list of vulnerability scan schedules.

Vulnerability reports are generated based on scheduled scans. Multiple schedules can be created to automatically generate the required reports.

Figure 88: Schedule list

Name of the GUI item | Description
Run | Select to run a scheduled scan immediately.
Cancel | Select to stop running a scheduled scan.
Name | The schedule name.
Target | The asset group on which the scheduled scan will be run.
Profile | The profile to be used for the schedule. For information about profiles, see “Configuring vulnerability scan profiles” on page 231.
Schedule | The recurrence time of the schedule.
Effective Period | The starting date of the schedule.

To create a schedule
1 Go to Vulnerability Management > Scan > Schedule.
2 Click Create New.

3 Enter the appropriate information and click OK.

Name of the GUI item | Description
Name | The profile name.
Profile | The profile to be used for the schedule.
Enable PCI Compliance | Select to ensure that the scheduled vulnerability scan uses the pre-defined PCI scan profile. Selecting this option automatically populates the Profile field with the pre-defined PCI scan profile, vcm_pci_profile, and the field becomes read-only. For more information about PCI compliance, see “About PCI DSS compliance reports” on page 247.
Asset Group | The asset group on which the scheduled scan will be run.
Schedule | Vulnerability scan reports can be generated automatically at regular intervals, or on demand.
Run Now | Select to specify an on-demand report. A report will be generated when the schedule is saved, and when the Run Now icon is selected. No reports will be generated automatically.
Run Later | Select to have reports automatically generated at regular intervals.
Daily/Weekly/Monthly | Select Daily, Weekly, or Monthly to have a report automatically generated at the specified interval.
Start Date | Specify the date the first scheduled report is generated. From then on, it will be generated at daily, weekly, or monthly intervals.
Time | Specify the time of day the scheduled report will be generated.
Output Option
File output | Select the formats in which the report will be generated. HTML is the default format. Any or all other available formats may be selected.
Email/Upload | To have the report delivered to an email address or FTP server, select this option and enter the appropriate information.

Viewing vulnerability scan reports

Vulnerability Management > Scan > Report displays the list of vulnerability scan reports.

Reports detail the results of vulnerability scans, whether those scans are initiated on demand or by schedule.

Figure 89: Report list

Name of the GUI item | Description
Rename | Change the name of a selected report.
Name | The name of the report. The name is made up of the VM scan profile name and the date and time the report was generated. Select the name to view the HTML version of the report.
Started | The date and time the report was started.
Finished | The date and time the report was completed. Looking at the Started and Finished times, you can calculate how long the FortiAnalyzer unit took to generate the report.
Size (bytes) | The size, in bytes, of the HTML report.
Formats | The formats in which the report was generated. HTML is the default format and any others are listed here.
Current page | By default, the first page of reports is displayed. The total number of pages appears after the current page number. For example, if 2 of 10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

To view a vulnerability scan report
1 Go to Vulnerability Management > Scan > Report.
2 Select a report name.

Name of the GUI item | Description
Report Summary
Created | The date and time the report was generated.
Total Hosts | The number of hosts found during the scan on the targets.
Active Hosts | The number of reachable hosts found during the scan on the targets. A host is reachable if it replies to the host discovery methods.

Inactive Hosts | The number of unreachable hosts found during the scan on the targets.
PCI Compliance | The PCI compliance status set in the scan schedule. For more information, see “Enable PCI Compliance” on page 235.
Start Time | The starting date and time of the report generation.
End Time | The ending date and time of the scan report generation.
VM Engine Version | The Vulnerability Management engine version number and date of last update. This is updated via the FortiGuard distribution network if you are a FortiGuard Vulnerability Management Service subscriber.
VM Plugin Version | The Vulnerability Management module version number and date of last update. This is updated via the FortiGuard distribution network if you are a FortiGuard Vulnerability Management Service subscriber.
Scan Profile | The name of the profile used by this scan schedule. It links to the Profile section of this report.
PCI Status | If you enabled PCI compliance for the profile used for the scan, this information appears. For more information about PCI compliance, see “About PCI DSS compliance reports” on page 247.
Live IP Addresses Scanned | The active hosts scanned for PCI compliance.
Security Risk Rating | The vulnerability level rated for the host. There are 5 ratings, with 5 being the highest risk.
PCI Status | Indicates whether the host passed the PCI compliance scan. A PCI compliance status of PASSED for a single host/IP indicates that no vulnerabilities or potential vulnerabilities, as defined by the PCI DSS compliance standards set by the PCI Council, were detected on the host. A PCI compliance status of FAILED for a single host/IP indicates that at least one vulnerability or potential vulnerability, as defined by the PCI DSS compliance standards set by the PCI Council, was detected on the host.
Vulnerability Scan Summary
Vulnerabilities by Severity | The total number of vulnerabilities detected is presented in a table and chart by severity level.
Vulnerabilities by Category | The total number of vulnerabilities detected is presented in a table and chart by category.
Top 10 Vulnerable Hosts | The top 10 vulnerable hosts discovered with their IP addresses, total vulnerabilities of each host, and number of vulnerabilities under each severity level.
OS and Services Detected | Lists the top 10 operating systems detected, top 10 services detected, top 10 TCP services detected, and top 10 UDP services detected in table and chart format.
Hosts | Lists the following information on each active host:
• Total vulnerabilities, scanned port type, and open ports.
• Number of vulnerabilities under each severity level.
• Number of vulnerabilities under each category.
• Operating system.
• Detailed vulnerability information by severity.
Profile | The information of the profile used by this scan schedule. For more information, see “Configuring vulnerability scan profiles” on page 231.
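The Vulnerability Scan Summary and per-host PCI Status figures described in the report table above, computed from a small set of constructed findings. This is an added example and not Fortinet's code: the findings, the host list, and the rule that any finding on a host gives it a FAILED PCI status are assumptions made for the example; the real report applies the PCI DSS definitions of vulnerability and potential vulnerability through the vcm_pci_profile scan, which this code does not reproduce.

```python
# Added example (not Fortinet code): computing the Vulnerability Scan Summary
# figures the report lists (vulnerabilities by severity and by category, top
# 10 vulnerable hosts with per-severity counts) and the per-host PCI status.
# The findings below are constructed; treating every finding as a PCI-relevant
# vulnerability is an assumption, not the PCI DSS rule set.
from collections import Counter

SEVERITY_ORDER = ("critical", "high", "medium", "low", "information")

# Constructed scan findings: (host, FID, severity, category).
FINDINGS = [
    ("10.0.0.5", 1001, "critical", "Applications"),
    ("10.0.0.5", 1003, "medium", "Operating System"),
    ("10.0.0.5", 1005, "high", "Email"),
    ("10.0.0.7", 1003, "medium", "Operating System"),
    ("10.0.0.9", 1004, "information", "Applications"),
]
# Hosts that answered host discovery (Active Hosts); 10.0.0.11 had no findings.
ACTIVE_HOSTS = ["10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.0.11"]


def vulnerabilities_by_severity(findings):
    """Count of findings per severity, every level present (0 if none)."""
    counts = Counter(sev for _, _, sev, _ in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def vulnerabilities_by_category(findings):
    """Count of findings per category, most frequent first."""
    return dict(Counter(cat for _, _, _, cat in findings).most_common())


def top_vulnerable_hosts(findings, n=10):
    """[(host, total, {severity: count})] ordered by total, then by the
    counts at the higher severities, then by host for a stable listing."""
    per_host = {}
    for host, _, sev, _ in findings:
        per_host.setdefault(host, Counter())[sev] += 1
    rows = [(host, sum(c.values()), {s: c.get(s, 0) for s in SEVERITY_ORDER})
            for host, c in per_host.items()]
    rows.sort(key=lambda r: (-r[1], tuple(-r[2][s] for s in SEVERITY_ORDER), r[0]))
    return rows[:n]


def pci_status(findings, active_hosts):
    """PASSED for an active host with no findings, FAILED if at least one
    finding was detected on it, mirroring the report's per-host definition."""
    failed = {host for host, _, _, _ in findings}
    return {host: ("FAILED" if host in failed else "PASSED") for host in active_hosts}


def render_summary(findings, active_hosts):
    """Plain-text rendering of the three summaries, one block each."""
    lines = ["Vulnerabilities by Severity"]
    lines += [f"  {sev:<12} {n}" for sev, n in vulnerabilities_by_severity(findings).items()]
    lines.append("Top Vulnerable Hosts")
    for host, total, by_sev in top_vulnerable_hosts(findings):
        breakdown = " ".join(f"{s[0]}={by_sev[s]}" for s in SEVERITY_ORDER)
        lines.append(f"  {host:<12} {total} {breakdown}")
    lines.append("PCI Status")
    lines += [f"  {host:<12} {status}" for host, status in pci_status(findings, active_hosts).items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_summary(FINDINGS, ACTIVE_HOSTS))
```

Note that the PCI status is per active host, so a host that is in the asset group but did not answer discovery gets no status at all; that is the case where the Scan Dead Host profile option matters for compliance scans.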

Viewing host vulnerability statuses

Vulnerability Management > Summary > Host Status combines the results of the last scan performed against each defined host and summarizes the information in three ways on this page:
• vulnerabilities by severity level
• top 10 vulnerability categories
• top 10 vulnerable hosts by business risk
In addition, the page displays a list of the top ten vulnerabilities that is kept updated by the FortiGuard Vulnerability Management subscription service. For information on scheduling FortiGuard service updates, see “Scheduling & uploading vulnerability management updates” on page 116.

Vulnerabilities by severity level & top 10 categories

The two charts on the host status summary page give you an at-a-glance view of the vulnerabilities detected when your hosts were last scanned. The FortiAnalyzer unit takes the results of the last scan performed on each host and combines them to form these two charts. Therefore, if some or all of your hosts have not been scanned recently, the summary may be out of date. Use recurring schedules to keep the summaries current.

Figure 90: Summary of vulnerabilities by severity level and category

Name of the GUI item | Description
Vulnerabilities By Severity Level | The number of all detected vulnerabilities is displayed in a bar graph, broken down by severity level.
Top 10 Vulnerability Categories | The 10 most common vulnerability categories of all detected vulnerabilities are displayed in a pie graph.

Top 10 vulnerable hosts by business risk

The top 10 vulnerable hosts list shows the 10 hosts with the most significant business risk. Ratings are based on the business impact rating assigned to the host group, the vulnerabilities detected, and the severity levels of the detected vulnerabilities. The hosts appearing on this top 10 list should be the first to receive attention when increasing security on your network.

Figure 91: Summary of vulnerable hosts

Name of the GUI item | Description
IP Address | The IP address of the host.
DNS Name | The DNS name of the host, if any.
NetBIOS Name | The NetBIOS name of the host, if any.
Business Impact | The business impact rating assigned to the group the host belongs to.
Average Security Risk | A calculated value indicating the security risk.
Business Risk | If the host is vulnerable, the business risk is a calculated value showing the degree of risk.
Number of Vulnerabilities | The number of vulnerabilities detected by the scan run on the host.
Last Scan Date | The time and date the host was last scanned.
View All Hosts | Click to view a complete list of all hosts with detected vulnerabilities. See “To view a complete list of all hosts with detected vulnerabilities” on page 240.

To view a complete list of all hosts with detected vulnerabilities
1 Go to Vulnerability Management > Summary > Host Status.
2 In the Top 10 Vulnerable Hosts (By Business Risk) area, click View All Hosts.

Name of the GUI item | Description
Column Settings | Select to choose which columns are displayed, as well as their order. For more information, see “Displaying and arranging log columns” on page 143.
IP Address | The IP address of the host.
DNS Hostname | The hostname indicated when querying the DNS server.
NetBIOS Hostname | The NetBIOS name of the host, if any.

Business Impact | The business impact rating assigned to the group the host belongs to.
Average Security Risk | A calculated value indicating the security risk.
Business Risk | If the host is vulnerable, the business risk is a calculated value showing the degree of risk.
Number of Vulnerabilities | The number of vulnerabilities detected by the scan run on the host.
Last Scan Date | The date the host was scanned.
Router | The router used by the host.
OS | The operating system running on the host.
Mapping Status | Host status flags:
• A: Identifies whether the host is in the approved host list. The approved hosts can be configured for the map scan via the CLI. For more information, see the command config vm in the FortiAnalyzer CLI Reference.
• L: Identifies whether the host was active at the time of the discovery. A host is active if it replies to the host discovery methods.
• S: Identifies whether the host is registered as a host asset.
Asset Group | The name of the asset group the host is a part of.
View n per page | Select the number of rows of log entries to display per page.
Current page | By default, the first page of hosts is displayed. The total number of pages appears after the current page number. For example, if 2 of 10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

Top 10 vulnerabilities

With a FortiGuard Vulnerability Management Service subscription, the vulnerability database is automatically updated as new vulnerabilities are discovered. The 10 most common vulnerabilities are listed in the Top 10 Vulnerabilities table. The table lists only the vulnerability name, severity, and Fortinet ID. To see additional information about a vulnerability, select the vulnerability name.

Figure 92: Top 10 Vulnerabilities list

Name of the GUI item | Description
Vulnerability Indicator | A red indicator will appear if the vulnerability was detected on a host during its most recent scan.

FID | The Fortinet ID of the vulnerability. The FID is a unique identifier assigned by the FortiGuard Vulnerability Management Service.
Severity | The vulnerability severity rating.
Title | The name of the vulnerability. Select the name for additional details.
Affected Hosts | The number of hosts affected by a vulnerability.

Viewing the vulnerability database

Vulnerability Management > Summary > Vulnerability Database displays the list of vulnerabilities that your FortiAnalyzer unit is currently capable of detecting.

FortiAnalyzer units come with a default database of more than 2,500 vulnerabilities. For FortiGuard Vulnerability Management Service subscribers, this database can be periodically updated via the FortiGuard Distribution Network (FDN) to receive definitions of the most recently discovered vulnerabilities. For details, see “Scheduling & uploading vulnerability management updates” on page 116.

You can configure sensors to define which subset of the vulnerability database will be used when scanning a host. For details, see “Configuring vulnerability sensors” on page 226.

Figure 93: Vulnerability list

Name of the GUI item | Description
Enable | Select to enable checking for any vulnerability. All vulnerabilities are enabled by default. If disabled, the FortiAnalyzer unit will not check hosts for the vulnerability even if it is included in the scan profile.
Disable | Select to disable checking for any vulnerability. All vulnerabilities are enabled by default. If disabled, the FortiAnalyzer unit will not check hosts for the vulnerability even if it is included in the scan profile.
Column Settings | Select to choose which columns are displayed, as well as their order. For more information, see “Displaying and arranging log columns” on page 143.
Filter icon | Select to filter only those vulnerabilities that do or do not contain your specified content in that column. By default, most column headings contain a gray filter icon, which becomes green when a filter is configured and enabled. The use of this filtering tool is similar to that of the log filtering tool. For more information, see “Filtering logs” on page 144.
FID | The Fortinet ID of the vulnerability. The FID is a unique identifier assigned by the FortiGuard Vulnerability Management Service.

Page 243: For Ti Analyzer Admin 40 Mr2

Vulnerability Management Configuring compliance report templates

FRh

Title The name of the vulnerability. Select the name for additional details.

Authentication The authentication type required to scan for this vulnerability. If the field is blank, no authentication is required.

Category The part of a host in which the vulnerability exists. Example categories include Operating System, Applications, File Transfer, and Email.

Severity The vulnerability severity rating.

Affected Hosts The number of hosts affected by a vulnerability.

Status Select to enable or disable checking for any vulnerability. The green symbol indicates the vulnerability is enabled. The grey symbol indicates the vulnerability is disabled. All vulnerabilities are enabled by default. If disabled, the FortiAnalyzer unit will not check hosts for the vulnerability even if it is included in the scan profile.

Last Update Time The date when the vulnerability was last updated.

Patch Availability The availability of patches for the vulnerability of a host.

CVE ID The Common Vulnerabilities and Exposures ID of the vulnerability. CVE IDs are unique, common identifiers for publicly known information security vulnerabilities.

Bug Traq ID The Bugtraq ID of this vulnerability. Bugtraq is an electronic mailing list dedicated to issues about computer security.

FortiGuard IPS Signature The name of the FortiGuard IPS signature for this vulnerability.

Compliance The PCI compliance status of the vulnerability. For more information, see “Enable PCI Compliance” on page 235.

Vendor Reference The remedy for the vulnerability recommended by the host vendor.

Top20 Group Indicates whether this vulnerability is part of the Fortinet top 20 vulnerabilities or the SANS (SANS Internet Storm Center) top 20 vulnerabilities.

x Per Page Select the number of vulnerabilities to display per page. You can choose up to 1000 entries.

Current page By default, the first page of vulnerabilities is displayed. The total number of pages appears after the current page number. For example, if 2 of 10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

Configuring compliance report templates

Vulnerability Management > Compliance Report > Template displays the list of compliance report templates.

Compliance report templates are pre-defined report formats designed to conform to the Payment Card Industry Data Security Standard (PCI DSS). You cannot modify or delete the pre-defined templates. They are updated with the vulnerability management engine and plug-in releases.

Running a template generates a compliance report using the same scan configuration as when you perform a vulnerability scan in Vulnerability Management > Scan > Schedule. The only difference is that a scan started by running a compliance template uses the “vcm_pci_profile” scan profile by default. When you run a template, the window that appears allows you to limit the compliance report results to a specified time period and asset group.


Figure 94: Compliance report template list

Name of the GUI item Description

View Select to view a sample of the template report. The data does not represent your network, but you can view the report format.

Run now Select to run the template and generate a compliance report. For more information, see “To run a template to generate a compliance report” on page 244.

Cancel Select to stop running the template.

Name The name of the template.

Last Update The date and time the report was last updated through the vulnerability management engine and plug-in releases.

Status If the template is running, the current stage of completion is reported here. If the template is not running, this field is blank.

To run a template to generate a compliance report

1 Go to Vulnerability Management > Compliance Report > Template.

2 Select a template and click Run now.

Note: The compliance report template uses existing vulnerability scan reports to create a compliance report, so you must have scan results for the period and assets you specify when running a template. For more information, see “To run a template to generate a compliance report” on page 244.


Name of the GUI item Description

Report Name Enter the report name the FortiAnalyzer unit will display in the compliance report list. The date and time will be appended to the end of the name each time a compliance report is generated.

Report Title This field is auto-populated depending on the type of template you choose. You can change it.

Asset Group Choose an asset group. The compliance report results will be limited to the hosts defined in the specified asset group.

Period Scope Choose a start and end time. The compliance report results will be limited to the time period you specify.

Output Option

File Output Select the formats in which the report will be generated. HTML is the default format. Any or all other available formats may be selected.

Email/Upload To have the report delivered to an email address or FTP server, select this option and select the output template or create a new one. For more information about output templates, see “Configuring report output templates” on page 91.

3 Enter the appropriate information and click OK.

Wait a moment for the scan to finish. You can refresh the page and update the Status column by selecting the Template tab. The scan is complete when the Status column is blank.

Viewing compliance reports

Vulnerability Management > Compliance Report > Report displays the list of generated compliance reports.

Compliance reports detail the scanned hosts' compliance with the PCI data security standard. Compliance reports are generated from compliance report templates. For details, see “Configuring compliance report templates” on page 243.


Figure 95: Compliance report list

Name of the GUI item Description

Name The name of the report. The name includes the date and time the report was generated. Select the name to view the HTML version of the report. For more information, see “To view a compliance report” on page 246.

Started The date and time the report was started.

Finished The date and time the report was completed. From the Started and Finished times, you can calculate how long the FortiAnalyzer unit took to generate the report.

Size (bytes) The size, in bytes, of the HTML report.

Formats The formats in which the report was generated. The HTML report is accessed by selecting the report name. Other formats are listed here.

Current page By default, the first page of the list of reports is displayed. The total number of pages appears after the current page number. For example, if 2 of 10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

To view a compliance report

1 Go to Vulnerability Management > Compliance Report > Report.

2 Click the report name to view the HTML version of the report. If the report was generated in any additional formats, click the link in the Format column corresponding to the format you want to view.

The following is a sample PCI Technical Report.


Name of the GUI item Description

Report Summary

Created The date and time the network map report was generated.

Total Hosts The IP addresses or IP range of the hosts found during the scan of the targets.

Summary From Date The starting date and time of the report generation.

Summary To Date The ending date and time of the report generation.

VM Engine Version The Vulnerability Management engine version number and date of last update. This is updated via the FortiGuard distribution network if you are a FortiGuard Vulnerability Management Service subscriber.

VM Plugins Version The Vulnerability Management module version number and date of last update. This is updated via the FortiGuard distribution network if you are a FortiGuard Vulnerability Management Service subscriber.

PCI Status

IP Addresses The IP address of the host scanned.

Failed Times The number of times the host failed the PCI compliance scan.

Passed Times The number of times the host passed the PCI compliance scan.

Total Scanned Times The total number of scans on the host.

Last Scan The status of the last scan. A PCI compliance status of PASSED for a single host/IP indicates that no vulnerabilities or potential vulnerabilities, as defined by the PCI DSS compliance standards set by the PCI Council, were detected on the host. A PCI compliance status of FAILED for a single host/IP indicates that at least one vulnerability or potential vulnerability, as defined by the PCI DSS compliance standards set by the PCI Council, was detected on the host.

Host Details The top 10 vulnerable hosts, ranked by vulnerabilities and by times.

Vulnerability Detail The total number of vulnerabilities detected, presented by severity, category, and date. The top 20 vulnerabilities are also listed.

Host All services and vulnerabilities found for each host. The vulnerabilities that cause the host to fail compliance are highlighted. This option is only available for the PCI Technical report.

Appendix Information about the Payment Card Industry (PCI) status and vulnerability levels.

About PCI DSS compliance reports

Payment Card Industry Data Security Standard (PCI DSS), defined by the PCI Security Standards Council, is a set of data security requirements to which banks, online merchants and Member Service Providers (MSPs) must adhere, enforcing the safe handling of card holder information.

To comply with the requirements, merchants and MSPs must perform the following:

• Annually conduct an on-site audit or complete the PCI Self-Assessment Questionnaire.


• Quarterly conduct vulnerability scans on all Internet-facing networks and systems. These scans must be performed by an approved scanning vendor to detect and eliminate security threats associated with electronic commerce, and provide the acquiring bank with a report demonstrating compliance status.

You can generate a PCI compliance report that provides a pass or failure status of your network.

Configuring authenticated network scan

When adding host assets on the FortiAnalyzer unit, you can configure authenticated network scan by providing authentication credentials. With the credentials, the FortiAnalyzer unit is able to authenticate to target hosts and return important information, such as missing patches and current password settings.

Authenticated scan allows the FortiAnalyzer unit to log in to each target host and obtain system information that would otherwise not be available, such as installed service packs, hot fixes, security upgrades, package versions, and patches. It can more accurately detect the operating system, for example, distinguishing between Windows XP, Windows 2000, and Windows 2003, and detect the particular distribution and product on each host, for example, distinguishing between various Linux distributions. Depending on the type of authentication, the scan engine can also gather information related to system variables, registry keys, and system configurations. With this information, the network scan engine can perform more in-depth vulnerability analysis, greatly increasing the number of vulnerabilities that may be detected, as many vulnerabilities require authenticated scan for detection. If a scan job is not an authenticated one, the network scan may be limited to a port scan, or may be unable to accurately complete certain probes, as modules are limited by the privileges of the account that you configure in the scan job.

2. Authentication to Hosts

FortiScan supports two types of authentication: Windows and Unix. Authentication credentials can be provided in the asset detail page of Asset Inventory. For details, go to …..

Authentication to hosts is required for authenticated scan. Before launching scans, you need to set up authentication credentials on target hosts. The account requirements depend on the target technology as described in the following sections. It is recommended that you fully review the account requirements for each technology. Account credentials must have sufficient privileges for each target host.

When processing an authenticated scan, the scan engine determines whether the account provided has sufficient privileges for each target host. If sufficient privileges are found, the assessment phase occurs and the most accurate and complete information is collected from the scan. If insufficient privileges are found, the assessment phase occurs using the credentials provided, assuming the credentials allow login to the target host. Authenticated scan with insufficient privileges does not return the most complete and comprehensive vulnerability results, since not enough information is gathered from the host. In this scenario, it is very possible that the scan results contain false negatives, and it is also possible that they contain false positives. If the credentials do not allow login to the target host, the engine performs a non-authenticated scan.

3. Windows Authentication Setup


It is recommended that you create a dedicated Windows user account with Administrator rights (such as "vcm_account") to be used solely by the scan engine for authentication purposes. We provide instructions showing how to set up a domain account for authentication and how to add this account to the Domain Administrators group. If possible, configure the user account so that the password does not expire.

An account with Administrator rights allows the scan engine to collect information based on:

• Registry keys
• Administrative file shares (such as C$)
• Running services

Using an account with Administrator rights is recommended. It is possible to use an account with less than Administrator rights; however, this limits the scan to fewer vulnerability checks, and scans will return less accurate, less complete results.

3.1 Windows Domain Account Setup

Follow the sections below to learn how to create a domain account for authentication, add this account to the Domain Administrators Group, and set group policy settings. It is recommended that you verify the functionality of the account before using it for authenticated scan.

3.1.1 Windows Domain Account: Create an Administrator Account

These steps describe how to create a domain account for authentication and add the account to the Domain Administrators Group. After completing these steps, you must set group policy settings and then verify the functionality of the account before using it for authenticated scan.

To create an administrator account:

1. Log into the Domain Controller with an account that has administrator rights.
2. Open the Active Directory Users and Computers MMC snap-in.
3. Create a new user called "vcm_scan". Set scope to "Global" and type to "Security".
4. Select the "vcm_scan" user and go to Properties (Action > Properties).
5. In the Properties window, go to the "Member Of" tab. Click Add to add the "vcm_scan" user to the "Domain Admins" group. Click OK to save the change.

3.1.2 Windows Domain Account: Group Policy Settings

Best practice Group Policy settings for authenticated scan of Windows 2003, XP, Vista, 7, and 2008 systems are described below. Please consult your network administrator before making changes to Group Policy, as changes may have an adverse impact on your network operations, depending on your network configuration and the security policies in place. Note that detailed documentation for many of the Group Policy settings listed below is available online when using the Group Policy Editor.

Important! We highly recommend that you discuss making changes to Group Policy with your network administrator before implementation, as your local network configuration may depend on certain settings being in place. The scan engine does not verify that these settings are appropriate for your network. If you do make any Group Policy changes, it may take several hours before the changes take effect on the client. Please refer to your Microsoft documentation on Group Policy deployment for information.

Group Policy: Security Options

The Security Options settings are located here in the Group Policy Management Editor:


Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

• Network access: Sharing and security model for local accounts = Classic (Required). Local users authenticate as themselves. (This is the equivalent of turning off simple file sharing.)
• Accounts: Guest account status = Disabled (Optional).
• Network access: Let Everyone permissions apply to anonymous users = Disabled.

These last two settings ensure that systems are configured correctly. In many environments, it is likely this behavior is the default for a domain-joined system.

Group Policy: System Services

The System Services settings are located here:

Computer Configuration > Windows Settings > Security Settings > System Services

• Remote Registry = Automatic (Required). This ensures that the Remote Registry service is running on the target machines in the domain.
• Server = Automatic (Required).
• Windows Firewall = Automatic (Required). This setting must be set to Automatic in the System Services settings in order for the operating system to accept incoming connections. In the Windows Firewall section (in the Computer Configuration section), it may be set to Permissive or Blocking.

Group Policy: Administrative Templates

The Administrative Template settings are located here:

Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile


For the setting "Windows Firewall: Protect all network connections" the value can be Disabled or Enabled. Your network administrator should decide on the best option for your networking environment. Choosing Disabled is the only way to ensure that every open port on your system is scanned. By choosing Enabled, if the firewall blocks a port, the port is not vulnerable unless the port is later opened. As best practice, you should re-scan any time you open a port that was previously not open.

• Windows Firewall: Protect all network connections = Disabled (Recommended). This is the only way to ensure every open port on your system is scanned.
• Windows Firewall: Protect all network connections = Enabled. When set to Enabled, set the additional Windows Firewall settings below.

Additional Windows Firewall settings are required when "Windows Firewall: Protect all network connections" is Enabled, as indicated below.

• Windows Firewall: Allow remote administration exception = Enabled (Required). See below about entering IPs in the field "Allow unsolicited messages from".*
• Windows Firewall: Allow file and printer sharing exception = Enabled (Required). See below about entering IPs in the field "Allow unsolicited messages from".*
• Windows Firewall: Allow ICMP exceptions = Enabled. This must be set with the option "Allow inbound echo request".

*When configuring these firewall options, you are prompted to enter a range of IPs to allow in the field labeled "Allow unsolicited messages from". In this field, you can simply type "*" (do not include the quotes) or enter your FortiScan appliance’s IP addresses.

3.1.3 Windows Domain Account: Verify Functionality of New Account

The scan engine requires access to the administrative share and the registry to perform authenticated scan of Windows hosts. It is recommended that you verify the functionality of the new account from a remote host in the domain before using the account for Windows authenticated scan.

Testing the New Account

Use one domain member to map the administrative share of another domain member:

Select Run from the Start menu.


Enter cmd.exe and then click OK.

Test Administrative Share Access

Run this command to test administrative share access:

net use Z: \\<ip address>\C$ /USER:your_domain\vcm_scan /PERSISTENT:no

Test Registry Access

Run this command to test registry access:

runas /user:your_domain\vcm_scan "cmd /k reg.exe query \\<ip address>\HKLM\Software"

Note: There is a space after "query" and before "\\<ip address>".

Running these tests is highly recommended to ensure that the scan engine has system level access to the target Windows hosts. Many vulnerability checks depend on system information that comes from the administrative share and registry on each target host.

3.2 Windows Non-Domain (Local) scan

When preparing to run Windows authenticated scans on local systems, be sure that the following system settings are enabled when the system is not joined to a domain. Without these settings enabled, the scan engine cannot perform Windows authenticated scan on target hosts in your network. The recommended system settings depend on the target operating system, as shown in the following sections:

3.2.1 Target Host Requirements: Windows 2000, 2003, XP

Note: These requirements apply to non-domain (local) scan only.

When preparing to run Windows authenticated scans on systems running Windows 2000, 2003 and XP, be sure that the following system settings are correct. Without these settings, the scan engine cannot perform Windows authenticated scan on target hosts in your network.

Local Account

A local account which is in the Administrators group must be used.

Enable Server Service

The Server Service is typically enabled. If disabled, you can enable it via policies or scripts. Note that File and Printer Sharing, which is required for authenticated scan, will function only when the Server Service is enabled.

Enable File and Printer Sharing on Network Interface

File and Printer Sharing must be enabled on the network interface of all hosts to be scanned (note that it is enabled by default). You can enable this manually via the Network Interface properties, or using a script with a tool such as "netset.exe" or "snetcfg.exe".

Netset.exe is a Windows command-line tool that supports changing network interface settings. For information see: http://support.microsoft.com/default.aspx?scid=268781

Snetcfg.exe is a Microsoft Development Kit tool. For information see:


http://groups.google.com/group/microsoft.public.scripting.vbscript/msg/bc2ef5a6df39fdad

Compiled versions of snetcfg are available for Windows 2000 and Windows XP. Also, if the Windows firewall is on locally, the File and Printer Sharing service should be added to the Exceptions list in the Windows Firewall settings in Control Panel.

Disable Simple File Sharing (SFS): Windows XP

Simple File Sharing (SFS) must be disabled on Windows XP systems to be scanned. SFS is disabled by default when a Windows XP Pro system joins a domain, so no configuration should be necessary to support authenticated scan on Windows XP Pro systems in an enterprise network. It is possible for users to enable SFS, so there may be a need to use a Group Policy or other means to ensure that this is disabled. If you wish to scan a Windows XP Home system or a Windows XP Pro system which has not been added to a domain, then SFS must be disabled on these systems.

It is possible to disable this option manually per machine. To do this on the local machine, open Windows Explorer (not IE) and go to Tools > Folder Options > View. Under Advanced settings, uncheck the setting "Use simple file sharing (Recommended)" and then click OK.

Enable Remote Registry Service

The scan engine must access the system registry to perform Windows authenticated scan. To allow the scan engine access to the system registry, the Remote Registry service must be enabled. To check this, go to Control Panel > Administrative Tools > Services and verify that the service is running and set to start automatically.

Allow Remote Administration on Windows Firewall: Windows 2003, XP

To allow access through Windows Firewall (if used), be sure to set the Remote Administration Exception within the Windows Firewall. Using Group Policy, this setting can be found under:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile

(Or replace Standard Profile with Domain Profile if your computer is a member of a Windows domain.)

If you manage your firewall through the Control Panel, you must enable TCP ports 135 and 445.

3.2.2 Target Host Requirements: Windows Vista, 2008

Note: These requirements apply to non-domain (local) scan only.

When preparing to run authenticated scans on Windows Vista and 2008 systems, there are certain system settings that must be enabled to allow the FortiScan appliance's scan traffic through the firewall to reach target hosts on your network. If your system is not joined to a domain, then follow the steps below to set the system settings.

Windows Firewall Settings

For each target host, there are certain Windows Firewall settings that must be enabled. First activate the firewall rules that are relevant to non-domain profiles in order to allow traffic for File and Print Sharing and Remote Administration. Then, for each activated rule, add the FortiScan appliance IP address so that the FortiScan appliance traffic can reach the host.


To allow "File and Print Sharing" and "Remote Administration" traffic:

1. Go to the Control Panel Home window.
2. Under Security, click the link "Allow a program through Windows Firewall".
3. Select the "File and Print Sharing" and "Remote Administration" check boxes.
4. Click OK.

By default, in a non-domain profile, a Windows Vista or 2008 system does not allow traffic from outside its own local subnet even when a firewall rule has been activated. For this reason, you must also provide the IP address or subnet of the FortiScan appliance.

To allow FortiScan appliance traffic:

1. Go to the "Windows Firewall with Advanced Security" program. This resource is located in Start > Control Panel > System and Maintenance > Administrative Tools.
2. Click Inbound Rules.
3. Follow these steps for each entry in the "File and Printer Sharing" group with a green check mark and each entry in the "Remote Administration" group with a green check mark:
   • Right-click on the entry and select Properties.
   • Select the "Scope" tab.
   • In the "Remote IP address" section, do one of the following: 1) Select "Any IP address" or 2) Click the "Add" button to add the IP address (or subnet) for the FortiScan appliance that has been configured to scan the target host, and then click OK.

Enable File Sharing

File sharing must be turned on for each target host. To do so, follow these steps:

1. Go to the Control Panel Home window.
2. Under Network and Internet, click the link "Set up file sharing".
3. In the Network and Sharing Center window, make sure these settings are correct: File sharing is On and Public folder sharing is Off.

Enable Remote Registry Service

The scan engine must access the system registry to perform Windows authenticated scan. To allow the scan engine access to the system registry, the Remote Registry service must be enabled. To check this on a Windows Vista system, go to Control Panel > Control Panel Home > System And Maintenance > Administrative Tools > Services and verify that the service is running and is set to start automatically.

Select Run from the Start menu. Enter regedit and then click OK. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths and add System\CurrentControlSet\Control\Session Manager\Environment and Software to the list.

3.2.3 Target Host Requirements: Windows 7

Note: These requirements apply to non-domain (local) scan only.

When preparing to run authenticated scans on Windows 7 systems, there are certain system settings that must be enabled to allow the FortiScan appliance's scan traffic through the firewall to reach target hosts on your network. If your system is not joined to a domain, then follow the steps below to set the system settings.


Windows Firewall Settings

For each target host, there are certain Windows Firewall settings that must be enabled. First activate the firewall rules that are relevant to non-domain profiles in order to allow traffic for File and Print Sharing. Then, for each activated rule, add the FortiScan appliance IP address so that the FortiScan appliance traffic can reach the host.

To allow "File and Print Sharing" traffic:

1. Go to the Control Panel Home window.
2. Under System and Security > Windows Firewall, click the link "Allow a program through Windows Firewall".
3. Select the "File and Print Sharing" check box.
4. Click OK.

By default, in a non-domain profile, a Windows 7 system does not allow traffic from outside its own local subnet even when a firewall rule has been activated. For this reason, you must also provide the IP address or subnet of the FortiScan appliance.

To allow FortiScan appliance traffic:

1. Go to the "Windows Firewall with Advanced Security" program. This resource is located in Start > Control Panel > System and Security > Administrative Tools.
2. Click Inbound Rules.
3. Follow these steps for each entry in the "File and Printer Sharing" group with a green check mark:
   • Right-click on the entry and select Properties.
   • Select the "Scope" tab.
   • In the "Remote IP address" section, do one of the following: 1) Select "Any IP address" or 2) Click the "Add" button to add the IP address (or subnet) for the FortiScan appliance that has been configured to scan the target host, and then click OK.

Enable File Sharing

File sharing must be turned on for each target host. To do so, follow these steps:

1. Go to the Control Panel Home window.
2. Under Network and Internet > HomeGroup, click the link "Change advanced sharing settings".
3. Change the sharing options for the current network profile. For a non-domain target, select "Home or Work". For a domain target, select "Domain". Make sure these settings are correct: File sharing is On and Public folder sharing is Off.

Enable Remote Registry Service

The scan engine must access the system registry to perform Windows authenticated scan. To allow the scan engine access to the system registry, the Remote Registry service must be enabled. To check this on a Windows 7 system, go to Control Panel > Control Panel Home > System And Maintenance > Administrative Tools > Services and verify that the service is running and is set to start automatically.

Select Run from the Start menu.


Enter regedit and then click OK. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths and add System\CurrentControlSet\Control\Session Manager\Environment and Software to the list.

4. Unix Authentication Setup

When supplying Unix authentication credentials, you must include a user account and password. During authenticated vulnerability scans, the scan engine is able to access patch history and system configuration information for target hosts, increasing the number of vulnerabilities that may be detected.

Account Requirements

The user account provided for authentication must be able, at a minimum, to execute these commands:

• The account must be able to execute "uname" in order to detect the platform for packages.
• If the target is running Red Hat, the account must be able to read /etc/redhat-release and execute "rpm".
• If the target is running Debian, the account must be able to read /etc/debian-version and execute "dpkg".

The scan engine sends many more commands than those listed above to perform information gathering and vulnerability assessment. The specific commands used vary over time as the vulnerability signatures and scan engine are updated.
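The manual "net use" and "reg.exe query" tests in section 3.1.3 and the port, share and Remote Registry requirements in section 3.2 can be checked together, per target, from the scanning side of the network before a Windows authenticated scan is scheduled. The following PowerShell script is an added example, not part of FortiAnalyzer or FortiScan; it assumes it is run as the scan account on a Windows host that can reach the targets, with Windows PowerShell 3.0 or later and Test-NetConnection available (Windows 8 / Server 2012 or later), and the script name, target addresses and the Ready verdict are this example's own choices.

```powershell
# Test-ScanAccountAccess.ps1 (hypothetical name; added example, not Fortinet code).
# Run it under the scan account, for example:
#   runas /user:your_domain\vcm_scan "powershell.exe -File Test-ScanAccountAccess.ps1 -Targets 192.0.2.10,192.0.2.11"
# The addresses above are placeholders; substitute the hosts you intend to scan.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Targets
)

# Paths that sections 3.2.2 and 3.2.3 say must be present in the "Machine" value
# (REG_MULTI_SZ) under winreg\AllowedExactPaths on Vista/2008/7 targets.
$RequiredWinregPaths = @(
    'System\CurrentControlSet\Control\Session Manager\Environment',
    'Software'
)

function Test-ScanTarget {
    param([string]$Target)

    $r = [ordered]@{ Target = $Target }

    # TCP 135 (RPC endpoint mapper) and 445 (SMB) must pass the host firewall (section 3.2.1)
    foreach ($port in 135, 445) {
        $tnc = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        $r["Port$port"] = [bool]$tnc.TcpTestSucceeded
    }

    # Administrative share: the same access the "net use Z: \\<ip address>\C$" test exercises
    $r['AdminShare'] = [bool](Test-Path -Path "\\$Target\C`$" -ErrorAction SilentlyContinue)

    # Remote Registry service must be running for the registry-based checks
    try {
        $svc = Get-Service -ComputerName $Target -Name RemoteRegistry -ErrorAction Stop
        $r['RemoteRegistry'] = ($svc.Status -eq 'Running')
    } catch {
        $r['RemoteRegistry'] = $false
    }

    # Registry read: the same access the "reg.exe query \\<ip address>\HKLM\Software" test
    # exercises, plus a look at winreg\AllowedExactPaths for the two required entries.
    $r['RegistryRead'] = $false
    $r['WinregPathsOk'] = $false
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Target)
        $software = $hklm.OpenSubKey('SOFTWARE')
        if ($software) {
            $r['RegistryRead'] = $true
            $software.Close()
        }
        $winreg = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths')
        if ($winreg) {
            $allowed = @($winreg.GetValue('Machine'))
            $missing = @($RequiredWinregPaths | Where-Object { $allowed -notcontains $_ })
            $r['WinregPathsOk'] = ($missing.Count -eq 0)
            $winreg.Close()
        }
        $hklm.Close()
    } catch {
        # Access denied or an unreachable Remote Registry service leaves both flags $false
    }

    # Ready is true only when every access path the scan engine depends on works.
    # WinregPathsOk is informational: section 3.2.1 does not require those entries on 2000/2003/XP.
    $r['Ready'] = ($r['Port135'] -and $r['Port445'] -and $r['AdminShare'] -and $r['RemoteRegistry'] -and $r['RegistryRead'])
    [pscustomobject]$r
}

$Targets | ForEach-Object { Test-ScanTarget -Target $_ } | Format-Table -AutoSize
```

A host that reports Ready = False points at the specific prerequisite (firewall port, administrative share, Remote Registry service or registry permission) to revisit in sections 3.1.2 and 3.2 before the scan runs, which avoids silently falling back to the non-authenticated scan described in section 2.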


Tools
The Tools menu provides the ability to view the files that are on your FortiAnalyzer unit using the File Explorer, and to view packets on your network using the Network Analyzer. By default, the Tools menu is hidden. To make it visible, go to System > Admin > Settings and enable Show Network Analyzer. For details, see “Configuring the web-based manager’s global settings” on page 84.
This topic includes:
• Network Analyzer
• File Explorer

Network Analyzer
Network Analyzer can be used as an enhanced local network traffic sniffer to diagnose areas of the network where firewall policies may require adjustment, or where traffic anomalies occur. Network analyzer logs all traffic seen by the interface for which it is enabled. If that network interface is connected to the span port of a switch, observed traffic will include all traffic sent through the switch by other hosts. You can then locate traffic which should be blocked, or which contains other anomalies.
All captured traffic information is saved to the FortiAnalyzer hard disk. You can then display this traffic information directly, search it, or generate reports from it.
This section describes how to enable and view traffic captured by the network analyzer. It also describes network analyzer log storage configuration options.
Network analyzer is not visible under the Tools menu until it is enabled in System > Admin > Settings. For more information, see “Configuring the web-based manager’s global settings” on page 84.

Connecting the FortiAnalyzer unit to analyze network traffic
You usually first connect the FortiAnalyzer unit to a hub or the span (or mirroring) port of an Ethernet switch to sniff traffic with the FortiAnalyzer unit. Both the management and sniffing ports can be connected to the same switch.


Figure 96: Example network topology for network analyzer use

To connect the FortiAnalyzer unit for use with network analyzer
1 Connect an Ethernet cable to a port on the FortiAnalyzer unit other than the port used to collect device logs.
For example, if you receive logs and quarantined files on port 1, you might use network analyzer on port 2. Using a separate port for sniffing prevents log and quarantine traffic from cluttering network analyzer messages, and enables you to analyze networks without tampering with network settings related to normal logging and quarantine activity.

2 Connect the other end of the Ethernet cable to the span or mirroring port of an Ethernet switch.
If connected to the span or mirror port of a switch, network analyzer will be able to observe all traffic passing through the switch.

3 In the web-based manager, go to System > Admin > Settings > GUI Menu Customization, enable Show Network Analyzer and select Apply.

(Figure 96 labels: Internal network, Hub or switch, Internet; the span/mirror port is connected to the Network Analyzer port.)


4 In the web-based manager, go to System > Network > Interface.
5 If the interface you will use with network analyzer is currently down, select Bring Up to enable it.
6 Select Modify for the interface you will use with network analyzer.
7 Enter the IP/Netmask.
8 Select OK.

You can now configure network analyzer settings in Tools > Network Analyzer > Config.

Viewing network analyzer log messages
After attaching a FortiAnalyzer unit interface to the network and enabling the network analyzer for that interface, traffic information displays. The network analyzer’s log viewers display logs of traffic seen by the network interface you have configured for use with network analyzer, focusing on specific time frames. The network analyzer has two types of log viewing options:
• Real-time displays the network analyzer log messages of traffic most recently observed by the network interface for which network analyzer is enabled. The display refreshes every few seconds, and contains only the most current activity.
• Historical displays all network analyzer log messages whose time stamps are within your specified time frame.

Viewing current network analyzer log messages
The real-time logs in network analyzer update continually, displaying the most recent traffic observed by the network analyzer. To view the most recent traffic, go to Tools > Network Analyzer > Historical and select the Realtime Log icon. You can view the details of a log message by double-clicking any of its columns.

Figure 97: Network Analyzer Realtime Log icon


Figure 98: Real-time Network Analyzer logs

Name of the GUI item Description

Type The type of log you are viewing.

Historical Log Select to view the historical network analyzer log messages. For more information, see “Viewing historical network analyzer log messages” on page 261.

Pause Select to stop updating the real-time logs.

Column Settings Select to change the columns to view and the order they appear on the page. For more information, see “Displaying and arranging log columns” on page 265.

Search Enter a keyword to perform a simple search on the available log information, then press the Enter key to begin the search.

Last Activity The date and time the traffic was transmitted.

Source The IP address of the sender of the traffic.

Destination The IP address of the recipient of the traffic.

Source Port The port a UDP or TCP packet was being sent from.

Destination Port The port a UDP or TCP packet was being sent to.

Protocol The protocol used when sending the traffic.

Message Information payload of the traffic sent through the switch.

View n per page Select the number of rows of log entries to display per page.

Current page By default, the first page of log messages is displayed. The total number of pages appears after the current page number. For example, if 2 of 10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

Change Display Options

Resolve Host Name Select to display host names by a recognizable name rather than IP addresses. For more information about configuring IP address host names, see “Configuring IP aliases” on page 104.

Resolve Service Select to display the network service names rather than the port numbers, such as HTTP rather than port 80.


Formatted Select to display the network analyzer log files in columnar format. This is the default view. For more information, see “Customizing the network analyzer log view” on page 264.

Raw Select to display the network analyzer log information as it actually appears in the log file. For more information, see “Customizing the network analyzer log view” on page 264.

Viewing historical network analyzer log messages
The Historical tab in Tools > Network Analyzer displays network analyzer logs for a specific time range. When viewing log messages, you can filter the information to find specific traffic information. To view a historical network analyzer log, go to Tools > Network Analyzer > Historical and then select the log you want to view. You can view the details of a log message by double-clicking any of its columns.

Figure 99: Historical network analyzer logs

Name of the GUI item Description

Type The type of log you are viewing.

Timeframe Select the time frame during which you want to view the logs.

Realtime Log Select to view the real-time network analyzer log messages. For more information, see “Viewing current network analyzer log messages” on page 259.

Column Settings Select to change the columns to view and the order they appear on the page. For more information, see “Displaying and arranging log columns” on page 265.

Printable Version Select to download an HTML file containing all log messages that match the current filters. The HTML file is formatted to be printable.Time required to generate and download large reports varies by the total amount of log messages, the complexity of any search criteria, the specificity of your column filters, and the speed of your network connection.

Download Current View Select to download only those log messages which are currently visible, according to enabled filters.

Search Enter a keyword to perform a simple search on the log information available. Press Enter to begin the search.

Advanced Search Select to search the network analyzer log files for matching text using two search types: Quick Search and Full Search. For more information, see “Searching the network analyzer logs” on page 268.

Last Activity The date and time the traffic was transmitted.


Source The IP address of the sender of the traffic.

Destination The IP address of the recipient of the traffic.

Source Port The port a UDP or TCP packet was being sent from.

Destination Port The destination port of the traffic.

Protocol The protocol used when sending the traffic.

Message Information payload of the traffic sent through the switch.

View n per page Select the number of rows of log entries to display per page.

Current page By default, the first page of log messages is displayed. The total number of pages appears after the current page number. For example, if 2 of 10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.

Change Display Options

Resolve Host Name Select to display host names by a recognizable name rather than IP addresses. For more information about configuring IP address host names, see “Configuring IP aliases” on page 104.

Resolve Service Select to display the network service names rather than the port numbers, such as HTTP rather than port 80.

Formatted Select to display the network analyzer log files in columnar format. This is the default view. For more information, see “Customizing the network analyzer log view” on page 264.

Raw Select to display the network analyzer log information as it actually appears in the log file. For more information, see “Customizing the network analyzer log view” on page 264.

Browsing network analyzer log files
The Browse tab in Tools > Network Analyzer enables you to see all stored network analyzer log files, view the network analyzer logs, download log files to your hard disk or delete unneeded files. When a log file reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log, where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. For more information about setting the maximum file size and log rolling options, see “Rolling and uploading network analyzer logs” on page 270. To view the log file list, go to Tools > Network Analyzer > Browse.

Figure 100: Network analyzer log file list

Name of the GUI item Description

Display Select to view the contents of the selected log file.

Download Select to save the selected log file to your local hard disk.

From The date and time when the FortiAnalyzer unit starts to generate the log file.

To The date and time when the FortiAnalyzer unit completes generating the log file when the file reaches its maximum size or the scheduled time.

Size (bytes) The size of the log file.

Viewing network analyzer log file contents
The Browse tab enables you to view all log messages within network analyzer log files. If you display the log messages in formatted view, you can display and arrange columns and/or filter log messages by column contents. For more information, see “Customizing the network analyzer log view” on page 264.

To view a log file
1 Go to Tools > Network Analyzer > Browse.
2 Select a log file and then select Display.
The log file’s contents appear. For more information on understanding the log file contents, see “Viewing network analyzer log messages” on page 259.

Downloading a network analyzer log file
You can download a log file to save it as a backup or for use outside the FortiAnalyzer unit. You can choose to download either the entire file or only log messages selected by filtering.

To download a whole log file
1 Go to Tools > Network Analyzer > Browse.
2 Select a log file.
3 Click Download.
4 Select any of the following download options you want and click OK.

Name of the GUI item Description

Log file format Downloads the log in text (.txt), comma-separated value (.csv), or standard .log (Native) format. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.

Compress with gzip Compress the .log or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.

5 If prompted by your web browser, select a location to save the file, or open it without saving.

To download a partial (filtered) log file
1 Go to Tools > Network Analyzer > Browse.
2 Select a log file.
3 Click Display.
4 Select a filter icon to restrict the current view to only items which match your criteria, then select OK. For more information about filtering information, see “Filtering logs” on page 144.
5 Select Download Current View.
6 Select any of the download options you want (the same options as for a whole log file, above) and click OK.
7 If prompted by your web browser, select a location to save the file, or open it without saving.

Customizing the network analyzer log view
Log messages can be displayed in either raw or formatted view.


• Raw view displays log messages exactly as they appear in the log file.
• Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison.
When displaying log messages in formatted view, you can customize the log view by hiding, displaying and arranging columns and/or by filtering columns, refining your view to include only those log messages and fields that you want to see.

To display logs in raw or formatted view
1 Go to a page which displays log messages, such as Tools > Network Analyzer > Historical.
2 Select Change Display Options.
3 Select Formatted or Raw.
If you select Formatted, options appear that enable you to display and arrange log columns and/or filter log columns.

Displaying and arranging log columns
When viewing logs in formatted view, you can display, hide and re-order columns to display only relevant categories of information in your preferred order. For most columns, you can also filter data within the columns to include or exclude log messages which contain your specified text in that column. For more information, see “Filtering logs” on page 266.

To display or hide columns
1 Go to a page which displays log messages, such as Tools > Network Analyzer > Historical.
2 Select Column Settings.
Lists of available and displayed columns for the log type appear.
3 Select which columns to hide or display.
• In the Available Fields area, select the names of individual columns you want to display, then select the single right arrow to move them to the Display Fields area. Alternatively, to display all columns, select the double right arrow.
• In the Display Fields area, select the names of individual columns you want to hide, then select the single left arrow to move them to the Available Fields area. Alternatively, to hide all columns, select the double left arrow.
• To return all columns to their default displayed/hidden status, select Default.
4 Select OK.

To change the order of the columns
1 Go to a page which displays log messages, such as Tools > Network Analyzer > Historical.
2 Select Column Settings.
Lists of available and displayed columns for the log type appear.
3 In the Display Fields area, select a column name whose order of appearance you want to change.
4 Select the up or down arrow to move the column in the ordered list.
Placing a column name towards the top of the Display Fields list will move the column toward the left side of the formatted log view.
5 Select OK.

Filtering logs
When viewing log messages in formatted view, you can filter columns to display only those log messages that do or do not contain your specified content in that column. By default, most column headings contain a gray filter icon, which becomes green when a filter is configured and enabled.

Note: Filters do not appear in raw view, or for unindexed log fields in formatted view. When viewing real-time logs, you cannot filter on the time column: by definition of the real-time aspect, only current logs are displayed.


Figure 101: Filter icons in network analyzer

To filter log messages by column contents
1 In the heading of the column that you want to filter, select the filter icon.
2 Select Enable.
3 If you want to exclude log messages with matching content in this column, select NOT. If you want to include log messages with matching content in this column, deselect NOT.
4 Enter the text that matching log messages must contain. Matching log messages will be excluded or included in your view based upon whether you have selected or deselected NOT.
5 Select OK. A column’s filter icon is green when the filter is currently enabled.

To disable a filter
1 In the heading of the column whose filter you want to disable, select the filter icon. A column’s filter icon is green when the filter is currently enabled.
2 To disable the filter on this column, deselect Enable. Alternatively, to disable the filters on all columns, select Clear All Filters. This disables the filter; it does not delete any filter text you might have configured.
3 Select OK. A column’s filter icon is gray when the filter is currently disabled.

Filtering tips
When filtering by source or destination IP, you can use the following in the filtering criteria:
• a single address (2.2.2.2)
• an address range using a wild card (1.2.2.*)
• an address range (1.2.2.1-1.2.2.100)
You can also use a Boolean operator (or) to define mutually exclusive choices:
• 1.1.1.1 or 2.2.2.2
• 1.1.1.1 or 2.2.2.*
• 1.1.1.1 or 2.2.2.1-2.2.2.10
Most column filters require that you enter the column’s entire contents to successfully match and filter contents; partial entries do not match the entire contents, and so will not create the intended column filter. For example, if the column contains a source or destination IP address (such as 192.168.2.5), to create a column filter, enter the entire IP address to be matched. If you enter only one octet of the IP address (such as 192), the filter will not completely match any of the full IP addresses, and so the resulting filter would omit all logs, rather than including those logs whose IP address contains that octet.


Exceptions to this rule include columns that contain multiple words or long strings of text, such as messages or URLs. In those cases, you may be able to filter the column using a substring of the text contained by the column, rather than the entire text contained by the column.
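The column filter rules described under Filtering logs and Filtering tips, as an added example (written for this page, not FortiAnalyzer's own filtering code): whole-address matching so that a lone octet such as 192 matches nothing, a trailing wild card, an inclusive range, terms joined with "or", NOT inversion, and the substring exception for long text columns such as Message. The function names and the sample rows are constructed here.

```python
"""Column filter matching as described under "Filtering logs" and "Filtering tips".

Added example, not FortiAnalyzer code; function names and the sample rows are
constructed here.  The rules implemented are the ones stated on the page:
  * a single address (2.2.2.2) must match the column's entire contents,
    so a partial entry such as "192" matches nothing;
  * a trailing wild card (1.2.2.*) matches every address with that prefix;
  * a range (1.2.2.1-1.2.2.100) matches inclusively;
  * several choices may be joined with "or";
  * NOT inverts the result;
  * text columns such as Message may match on a substring instead.
"""
from __future__ import annotations

import re
from ipaddress import AddressValueError, IPv4Address


def _ip(text: str) -> IPv4Address | None:
    """Parse a dotted quad; anything else (including "192" alone) is None."""
    try:
        return IPv4Address(text.strip())
    except AddressValueError:
        return None


def ip_term_matches(term: str, value: str) -> bool:
    """One filter term (exact, wild card or range) against one IP cell."""
    term, ip = term.strip(), _ip(value)
    if ip is None:
        return False
    if "-" in term:                              # inclusive range a.b.c.d-e.f.g.h
        lo, hi = (_ip(p) for p in term.split("-", 1))
        return lo is not None and hi is not None and lo <= ip <= hi
    if "*" in term:                              # wild card: "*" stands for any suffix
        pattern = re.escape(term).replace(r"\*", ".*")
        return re.fullmatch(pattern, value.strip()) is not None
    return _ip(term) == ip                       # whole-address match only


def ip_filter_matches(criteria: str, value: str) -> bool:
    """A criteria string may join several terms with the "or" operator."""
    return any(ip_term_matches(t, value) for t in re.split(r"\s+or\s+", criteria))


def apply_column_filter(rows, column, criteria, negate=False, substring=False):
    """Keep the rows whose `column` matches `criteria` (or does not, with NOT).

    `substring=True` models the exception for long text columns such as
    Message, where a substring of the cell is enough to match.
    """
    kept = []
    for row in rows:
        cell = str(row.get(column, ""))
        if substring:
            hit = criteria.lower() in cell.lower()
        else:
            hit = ip_filter_matches(criteria, cell)
        if hit != negate:
            kept.append(row)
    return kept


# Constructed sample rows in the shape of the formatted log view.
SAMPLE_ROWS = [
    {"Source": "192.168.2.5", "Destination": "10.0.0.80", "Message": "GET /index.html HTTP/1.1"},
    {"Source": "192.168.2.7", "Destination": "10.0.0.53", "Message": "DNS query www.example.com"},
    {"Source": "172.16.0.9", "Destination": "10.0.0.80", "Message": "POST /login HTTP/1.1"},
    {"Source": "10.0.0.80", "Destination": "192.168.2.5", "Message": "HTTP/1.1 200 OK"},
]

if __name__ == "__main__":
    print(len(apply_column_filter(SAMPLE_ROWS, "Source", "192")))                    # 0: partial octet
    print(len(apply_column_filter(SAMPLE_ROWS, "Source", "192.168.2.*")))            # 2
    print(len(apply_column_filter(SAMPLE_ROWS, "Message", "HTTP", substring=True)))  # 3
```

The first call is the case the tips warn about: a filter of 192 on an IP column keeps nothing, because the cell is compared as a whole address rather than as text.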

Searching the network analyzer logs
You can search the network analyzer log files for matching text using two search types: Quick Search and Full Search.
You can use Quick Search to find results more quickly if your search terms are relatively simple and you only need to search indexed log fields. Indexed log fields are those that appear with a filter icon when browsing the logs in column view; unindexed log fields do not contain a filter icon for the column or do not appear in column view, but do appear in the raw log view. Quick Search keywords cannot contain:
• special characters such as single or double quotes (' or ") or question marks (?)
• wild card characters (*), except as the last character of a keyword (logi*)
You can use Full Search if your search terms are more complex, and require the use of special characters or log fields not supported by Quick Search. Full Search performs an exhaustive search of all log fields, both indexed and unindexed, but is often slower than Quick Search.
To search the logs, go to Tools > Network Analyzer > Historical. Select Advanced Search.

Figure 102: Network analyzer log search button

Figure 103: Network analyzer log search

Name of the GUI item Description

Time Period Select to search logs from a time frame, or select Specify and define a custom time frame by selecting the From and To date and times.

From Enter the date and select the time of the beginning of the custom time range. This option appears only when Date is Specify.

To Enter the date and select the time of the end of the custom time range. This option appears only when Date is Specify.

Keyword(s) Enter search terms which will be matched to yield log message search results. To specify that results must include all, any, or none of the keywords, select from Match.

Quick Search Select to perform a Quick Search, whose keywords cannot contain special characters and that searches only indexed fields.

Full Search Select to perform a Full Search, whose keywords may contain special characters, and searches all log message fields. The time of the search varies by the complexity of the search query and the amount of log messages to be searched.

Stop Search Select to stop the search process.

More Options Select the blue arrow to hide or expand additional search options.

Other Filters Specify additional criteria, if any, that can be used to further restrict the search criteria.
• Source IP: Enter an IP address to include only log messages containing a matching source IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing src=192.168.2.1.
• Destination IP: Enter an IP address to include only log messages containing a matching destination IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing dst=192.168.2.1.

Search tips
If your search does not return the results you expect, but log messages exist that should contain matching text, examine your keywords and filter criteria using the following search characteristics and recommendations.
• Separate multiple keywords with a space (arp who-has 1.1.1.1).
• Keywords cannot contain unsupported special characters. Supported characters vary by selection of Quick Search or Full Search.
• Keywords must literally match log message text, with the exception of case insensitivity and wild cards; resolved names and IP aliases will not match.
• Some keywords will not match unless you include both the log field name and its value, surrounded by quotes (“Ack=2959769124”).
• Remove unnecessary keywords and search filters which can exclude results. For a log message to be included in the search results, all keywords must match; if any of your keywords does not exist in the message, the match will fail and the message will not appear in search results.
• You can use the asterisk (*) character as a wild card (192.168.2.*). For example, you could enter any partial term or IP address, and then enter * to match all terms that have identical beginning characters or numbers.
• You can search for IP ranges, including subnets. For example:
  • 172.168.1.1/24 or 172.168.1.1/255.255.255.0 matches all IP addresses in the subnet 172.168.1.1/255.255.255.0
  • 172.168.1.1-140.255 matches all IP addresses from 172.168.1.1 to 172.168.140.255
• The search returns results that match all of the search terms. For example, consider two similar keyword entries: 172.20.120.127 tcp and 172.20.120.127 udp. If you enter the keywords 172.20.120.127 tcp, UDP traffic would not be included in the search results, since although the first keyword (the IP address) matches, the second keyword, tcp, does not match.
• The search returns results that match all, any, or none of the search terms, according to the option you select in Match. For example, if you enter into Keyword(s): 172.20.120.127 tcp, and if from Match you select All Words, log messages for UDP traffic to 172.20.120.127 do not appear in the search results, since although the first keyword (the IP address) appears in log messages, the second keyword (the protocol) does not match UDP log messages, and so the match fails for UDP log messages. If the match fails, the log message is not included in the search results.
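The search behaviour described in Searching the network analyzer logs and the Search tips, as an added example written for this page (not FortiAnalyzer's search engine): space-separated keywords combined by Match = all, any or none; literal case-insensitive matching; a trailing wild card; a quoted "field=value" keyword; subnet and shortened-range IP keywords; and the Quick Search keyword restrictions. The tokenizer is a simplification, and the function names and sample log lines are constructed here.

```python
"""Keyword search semantics from "Searching the network analyzer logs" and the
Search tips.  Added example, not FortiAnalyzer's search engine; the function
names, the simplified tokenizer and the sample log lines are constructed here.

Implemented from the page: space-separated keywords with Match = all / any /
none; literal, case-insensitive matching; a trailing "*" wild card; a quoted
"field=value" keyword; IP keywords given as a subnet (172.168.1.1/24 or
172.168.1.1/255.255.255.0) or a range with a shortened upper bound
(172.168.1.1-140.255); and the Quick Search keyword restrictions.
"""
from __future__ import annotations

import re
from ipaddress import IPv4Address, IPv4Network

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
RANGE = re.compile(r"^[\d.]+-[\d.]+$")
KEYWORD = re.compile(r'"([^"]*)"|(\S+)')        # quoted keyword | bare keyword


def quick_search_keyword_ok(keyword: str) -> bool:
    """Quick Search: no quotes or '?', and '*' only as the last character."""
    if any(c in keyword for c in "'\"?"):
        return False
    return "*" not in keyword[:-1]


def _tokens(message: str) -> set[str]:
    """Lower-cased words of a message, plus the value part of field=value words."""
    words = set(message.lower().split())
    return words | {w.split("=", 1)[1] for w in words if "=" in w}


def _range_bounds(term: str) -> tuple[IPv4Address, IPv4Address]:
    """'172.168.1.1-140.255' -> (172.168.1.1, 172.168.140.255)."""
    lo_text, hi_text = term.split("-", 1)
    lo_parts, hi_parts = lo_text.split("."), hi_text.split(".")
    hi_text = ".".join(lo_parts[: 4 - len(hi_parts)] + hi_parts)
    return IPv4Address(lo_text), IPv4Address(hi_text)


def _ip_keyword_matches(term: str, message: str) -> bool:
    """Subnet or range keyword against every IPv4 address in the message."""
    addrs = [IPv4Address(a) for a in IPV4.findall(message)]
    try:
        if "/" in term:
            net = IPv4Network(term, strict=False)
            return any(a in net for a in addrs)
        lo, hi = _range_bounds(term)
        return any(lo <= a <= hi for a in addrs)
    except ValueError:          # malformed subnet or range: matches nothing
        return False


def keyword_matches(keyword: str, quoted: bool, message: str) -> bool:
    """One keyword against one raw log message."""
    kw, tokens = keyword.lower(), _tokens(message)
    if quoted:                                   # whole "field=value" term
        return kw in tokens
    if "/" in kw or RANGE.match(kw):             # subnet or IP range
        return _ip_keyword_matches(kw, message)
    if kw.endswith("*"):                         # identical beginning characters
        return any(t.startswith(kw[:-1]) for t in tokens)
    return kw in tokens                          # literal, case-insensitive


def search(messages, query: str, match: str = "all") -> list[str]:
    """Return the messages whose keyword hits satisfy Match = all / any / none."""
    keywords = [(b, False) if b else (q, True) for q, b in KEYWORD.findall(query)]
    keywords = [k for k in keywords if k[0]]
    results = []
    for message in messages:
        hits = [keyword_matches(k, quoted, message) for k, quoted in keywords]
        if {"all": all(hits), "any": any(hits), "none": not any(hits)}[match]:
            results.append(message)
    return results


# Constructed sample messages in the src=/dst= style the Other Filters row shows.
SAMPLE_LOGS = [
    "2009-09-14 14:00:14 src=172.20.120.127 dst=10.0.0.5 sport=44012 dport=80 proto=tcp Ack=2959769124",
    "2009-09-14 14:00:15 src=172.20.120.127 dst=10.0.0.53 sport=51000 dport=53 proto=udp",
    "2009-09-14 14:00:16 arp who-has 172.20.120.1 tell 172.20.120.127",
    "2009-09-14 14:00:17 src=192.168.2.40 dst=172.168.140.9 sport=3389 dport=22 proto=tcp",
]

if __name__ == "__main__":
    for query, mode in [("172.20.120.127 tcp", "all"), ("172.20.120.127 tcp", "any"),
                        ("192.168.2.*", "all"), ("172.168.1.1-140.255", "all")]:
        print(mode, repr(query), len(search(SAMPLE_LOGS, query, mode)))
```

With Match = all, the query 172.20.120.127 tcp returns only the first sample line, which is the behaviour the last two tips describe: the UDP line contains the address but not the protocol keyword, so it is dropped.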

Printing and downloading the search results
After completing a search, you can use the Printable Version button to download and print an HTML copy of the search results. You can also use the Download Current View button to download the search results in text (.txt), comma-separated value (.csv), or standard log (.log) format (native format). To download and print search results, select the Printable Version button to download the results. You can print this file immediately, save it to your computer for later use, or email it.

To download log search results
1 Go to Tools > Network Analyzer > Historical.
2 Perform a search using either simple or advanced search.
3 Select Download Current View.
Options appear for the download’s file format and compression.
4 Select the download options that you want, then select OK.

Name of the GUI item Description

Log file format Downloads the log file in text (.txt), comma-separated value (.csv), or standard .log (Native) file format.

Compress with gzip Compress the downloaded log file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.

Note: Large logs require more time to download. Download times can be improved by selecting Compress with gzip.

5 If prompted by your web browser, select a location to save the file, or open it without saving.

Rolling and uploading network analyzer logs
You can control log file size and manage log file consumption of the hard disk space with log rolling and uploading.


The network analyzer captures very detailed network traffic information, and its log volume can consume the FortiAnalyzer unit’s hard disk space more rapidly than standard logs. Rolling and uploading logs frees hard disk space to collect further data. As the FortiAnalyzer unit receives new log items, it performs the following tasks:
• verifies whether the log file has exceeded its file size limit
• if the file size is not exceeded, checks to see if it is time to roll the log file. You configure the time to be either a daily or weekly occurrence, and when the roll occurs
When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file. Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log. If log uploading is enabled, once logs are uploaded to the remote server or downloaded via the web-based manager, they are in the following format:
FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz

If you have enabled log uploading, you can choose to automatically delete the rolled log file after uploading, thereby limiting the amount of disk space used by rolled log files.To enable log rolling, or to disable network analyzer, go to Tools > Network Analyzer > Config.
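The naming scheme and the roll decision just described, as an added example written for this page (not FortiAnalyzer code): the two parsers take apart the xlog.N.log and uploaded file names shown above, and should_roll applies the two checks in the order the text lists them (size limit first, then the daily or weekly schedule, with Optional meaning size only). The RollPolicy fields and the function names are constructed here and are one reading of the Log rolling settings described below; the epoch value in the example name is interpreted as UTC, which the page does not state.

```python
"""Rolled-file naming and the roll decision from "Rolling and uploading
network analyzer logs".  Added example, not FortiAnalyzer code; the function
names and the RollPolicy fields are constructed here from the Log rolling
settings the guide describes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# xlog.N.log: x is the log type letter, N the epoch time of the first entry.
ROLLED = re.compile(r"^(?P<type>[a-z])log\.(?P<first>\d+)\.log$")
# Uploaded / downloaded form shown on the page:
# FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz
UPLOADED = re.compile(
    r"^(?P<serial>[A-Z0-9]+)-(?P<type>[a-z])log\.(?P<first>\d+)\.log"
    r"-(?P<last>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})\.gz$"
)


def parse_rolled_name(name: str) -> dict:
    """'tlog.1252929496.log' -> {'type': 't', 'first_entry': <UTC datetime>}."""
    m = ROLLED.match(name)
    if not m:
        raise ValueError(f"not a rolled log name: {name}")
    return {
        "type": m["type"],
        "first_entry": datetime.fromtimestamp(int(m["first"]), tz=timezone.utc),
    }


def parse_uploaded_name(name: str) -> dict:
    """Split the uploaded form into device serial, type, first and last entry."""
    m = UPLOADED.match(name)
    if not m:
        raise ValueError(f"not an uploaded log name: {name}")
    return {
        "serial": m["serial"],
        "type": m["type"],
        "first_entry": datetime.fromtimestamp(int(m["first"]), tz=timezone.utc),
        "last_entry": datetime.strptime(m["last"], "%Y-%m-%d-%H-%M-%S"),
    }


def rolled_name(log_type: str, first_entry: datetime) -> str:
    """Build the xlog.N.log name for a file whose first entry arrived at first_entry."""
    return f"{log_type}log.{int(first_entry.timestamp())}.log"


@dataclass
class RollPolicy:
    max_bytes: int
    schedule: str           # "daily", "weekly" or "optional" (size only)
    roll_at: time = time(0, 0)
    weekday: int = 6        # for "weekly": 0 = Monday ... 6 = Sunday


def should_roll(size_bytes: int, policy: RollPolicy, now: datetime, last_roll: datetime) -> str | None:
    """Return "size", "schedule" or None, checking in the order the page lists."""
    if size_bytes >= policy.max_bytes:        # 1: file size limit exceeded
        return "size"
    if policy.schedule == "optional":         # size only, no time-based roll
        return None
    # 2: next scheduled roll strictly after the last one (same time of day;
    #    for weekly, also on the configured weekday)
    due = datetime.combine(last_roll.date(), policy.roll_at)
    while due <= last_roll or (policy.schedule == "weekly" and due.weekday() != policy.weekday):
        due += timedelta(days=1)
    return "schedule" if now >= due else None


if __name__ == "__main__":
    info = parse_uploaded_name("FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz")
    print(info["serial"], info["first_entry"], info["last_entry"])
    print(rolled_name(info["type"], info["first_entry"]))
```

A practical use is reconciling an upload directory against the device: parse_uploaded_name yields the serial, log type and first/last entry times, which is enough to spot gaps between consecutive rolled files without opening them.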

Figure 104: Traffic Log Settings

Name of the GUI item Description

Enable Network Analyzer on Select the port on which network analyzer observes traffic. If you disable this option and log out, network analyzer will be hidden in the web-based manager menu. For more information about re-enabling network analyzer and making it visible again, see “Connecting the FortiAnalyzer unit to analyze network traffic” on page 257.


Allocated Disk Space (MB) Enter the amount of disk space reserved for network analyzer logs. The dialog also displays the amount used of the allocated space.

When Allocated Disk Space is All Used Select what the FortiAnalyzer unit does when the allocated disk space is filled up. Select to either overwrite the older log file or stop logging until you can clear some room. To avoid completely filling the hard disk space, use the log rolling and uploading options.

Reuse settings from standard logs Select to use the same log rolling and uploading settings that you set for standard log files in Logs > Config. This option is selected by default.

Log rolling settings Define when the FortiAnalyzer unit should roll its network analyzer log files. This option becomes active only if you deselect Reuse Settings from Standard Logs.

Log file should not exceed

Enter the maximum size of each network analyzer log file.When the log file reaches the specified maximum size, the FortiAnalyzer unit saves the current log file with an incremental number and starts a new active log file. For example, if the maximum size is reached, the current xlog.log is renamed to xlog.n.log, then a new xlog.log is created to receive new log messages.

Log file should be rolled... even if size is not exceeded

Set the time of day when the FortiAnalyzer unit renames the current log file and starts a new active log file.
• Daily: Roll log files daily, even if the log file has not yet reached maximum file size.
• Weekly: Roll log files weekly, even if the log file has not yet reached maximum file size.
• Optional: Roll log files only when the log file reaches the maximum file size, regardless of time interval.

Enable log uploading Select to upload log files to a server when a log file rolls.

Server type Select the protocol to use when uploading to the server:
• File Transfer Protocol (FTP)
• Secure File Transfer Protocol (SFTP)
• Secure Copy Protocol (SCP)

Server IP address Enter the IP address of the log upload server.

Username Enter the user name required to connect to the upload server. By default, the user name is anonymous; select the field to enter a different user name.

Password Enter the password required to connect to the upload server.

Confirm Password Re-enter the password to verify correct entry.

Directory Enter a location on the upload server where the log file should be saved.

Upload Files Select when the FortiAnalyzer unit should upload files to the server.
• When rolled: Uploads logs whenever the log file is rolled, based upon Log file should be rolled.
• Daily at hh:mm: Uploads logs at the configured time, regardless of when or at what size it rolls according to Log file should be rolled.

Uploaded log format Select to upload the log file in text (.txt), comma-separated value (.csv), or standard .log (Native) file format.

Compress uploaded log files

Select to compress the log files in GZIP format before uploading to the server.

Delete files after uploading

Select to remove the log file from the FortiAnalyzer hard disk once the FortiAnalyzer unit completes the upload.


File Explorer

Tools > File Explorer > File Explorer displays the FortiAnalyzer unit’s directories and files. There are two main directories:
• Archive: Contains files associated with eDiscovery, full DLP archiving, and the quarantine.
• Storage: Contains information unlikely to change once written, like logs and reports.

To expand or hide the two main directories or their sub-directories, click the plus or minus icon located beside each directory name. File Explorer is not visible under the Tools menu until enabled in System > Admin > Settings. For details, see “Configuring the web-based manager’s global settings” on page 84.

Figure 105: File Explorer

Note: The file explorer lists log files stored using the Proprietary Index file system only. If you have enabled SQL database storage, logs stored using that method will not appear in the file explorer.


Maintaining firmware

Fortinet recommends reviewing this section before upgrading or downgrading the FortiAnalyzer firmware because it contains important information about how to properly back up your current configuration settings and log data, including what to do if the upgrade or downgrade is unsuccessful. In addition to firmware images, Fortinet releases patch releases – maintenance release builds that resolve important issues. Fortinet strongly recommends reviewing the release notes for the patch release before upgrading the firmware. Installing a patch release without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues.

This topic includes:
• Firmware upgrade path and general firmware upgrade steps
• Backing up your configuration
• Testing firmware before upgrading/downgrading
• Installing firmware from the BIOS menu in the CLI
• Upgrading your FortiAnalyzer unit

Firmware upgrade path and general firmware upgrade steps

Follow the path below to upgrade your FortiAnalyzer firmware. Failing to do so may cause unexpected problems. For more information about your specific firmware release, see the Release Notes for the release.

Figure 106: Firmware upgrade path

Follow the general upgrade steps below:
• Download and review the release notes for the firmware release.
• Download the firmware release from https://support.fortinet.com if you have registered your FortiAnalyzer unit.
• Back up the current configuration. See “Backing up your configuration” on page 276.

Note: Fortinet recommends upgrading the FortiAnalyzer unit during a low traffic period, for example at night, because log data must be re-indexed. During the upgrade process, the FortiAnalyzer unit re-indexes log data, which takes time to complete if there is a large amount of log data. You can verify that the indexing of log data is complete by viewing the Alert Message console on the Dashboard.

Downgrading from FortiAnalyzer 4.0 to FortiAnalyzer 3.0 MR7 is not supported.

Upgrade path shown in Figure 106: V3.0 MR6 > V3.0 MR7 > V4.0 > V4.0 MR1 > V4.0 MR2


• Test the firmware. See “Testing firmware before upgrading/downgrading” on page 277 and “Installing firmware from the BIOS menu in the CLI” on page 279.

• Upgrade the firmware. See “Upgrading your FortiAnalyzer unit” on page 279.

Backing up your configuration

Fortinet recommends backing up all configuration settings from your FortiAnalyzer unit before upgrading. This ensures all configuration settings are not lost if you later want to downgrade and want to restore those configuration settings.

Backing up your configuration through the web-based manager

The following procedures describe how to back up your current configuration through the web-based manager.

To back up your configuration file through the web-based manager
1 Go to System > Maintenance > Backup & Restore.
2 Select Local PC from the Backup Configuration to list.
3 Select Backup.

If you want to encrypt your configuration file, select the Encrypt configuration file check box, enter a password, and enter the password again to confirm.

Backing up your configuration through the CLI

The following procedure describes how to back up your current configuration through the CLI. You can enter a password for added security.

To back up your configuration file through the CLI
Enter the following to back up the configuration:

execute backup config <filename_str> <address_ipv4> <password_str>

This may take a few minutes.

Backing up your log files

Backing up your log files uses the same procedure as downloading log files. You can back up log files through either the web-based manager or CLI. Fortinet recommends backing up all log files before upgrading/downgrading, resetting to factory defaults, or when testing a new firmware image.

To back up FortiAnalyzer 4.0 MR1/MR2 log files through the web-based manager
1 Go to Log & Archive > Log > Browse.
2 Select the device type from the Device Type list.
3 In the Log Files column, locate a device and log type. Select Expand Arrows to reveal the specific log file (wlog.log, elog.log, etc.) that you want to back up.
4 Select Download.

Caution: Always back up your configuration and log data before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.


5 Select one of the following:

6 Select OK.
7 Select a location when prompted by your web browser to save the file.

To back up log files through the CLI
Enter the following to back up all log files:

execute backup logs all {ftp | sftp | scp} <server_ipv4> <username_str> <password_str> <directory_str>

After successfully backing up your configuration file, either from the CLI or the web-based manager, proceed with upgrading.

Testing firmware before upgrading/downgrading

You may want to test the firmware you want to install before upgrading to a new firmware version, maintenance or patch release. By testing the firmware image, you can familiarize yourself with the new features and changes to existing features, as well as understand how your configuration works with the firmware.

You can test a firmware image by installing it from a system reboot and saving it to system memory. After the firmware is saved to system memory, the FortiAnalyzer unit operates using the firmware with the current configuration. The procedure does not permanently install the firmware; the next time the FortiAnalyzer unit restarts, it operates using the firmware originally installed on the FortiAnalyzer unit. You can install the firmware permanently using the procedures in “Upgrading your FortiAnalyzer unit” on page 279.

You can use the following procedure for either a regular firmware image or a patch release. The following procedure assumes that you have already downloaded the firmware image to your management computer.

To test the firmware image before upgrading/downgrading
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:

execute ping <server_ipaddress>

Pinging the computer running the TFTP server verifies that the FortiAnalyzer unit and TFTP server are successfully connected.

5 Enter the following to restart the FortiAnalyzer unit:

execute reboot

Log file format Select to download log files in text (.txt), comma-separated value (.csv), or standard .log (Native) file format. Each log element is separated by a comma. CSV files can be viewed in spreadsheet applications.

Compress with gzip Compress the .log or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.

Note: After you test the firmware, and reboot the FortiAnalyzer unit, the original configuration is cleared. You need to restore the configuration after testing the firmware.


6 As the FortiAnalyzer unit reboots, a series of system startup messages appears, ending with the following message:

Press any key to display configuration menu…

7 Immediately press any key to interrupt the system startup. You have only three seconds to press any key. If you do not press a key soon enough, the FortiAnalyzer unit reboots and you must log in and repeat steps 3 to 7. If you successfully interrupt the startup process, the following menu appears:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[C]: Configuration and information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

8 Type G to get the new firmware image from the TFTP server. The following message appears:

Enter TFTP server address [192.168.1.168]:

9 Type the address of the TFTP server and press Enter. The following message appears:

Enter Local Address [192.168.1.188]:

10 Type the internal IP address of the FortiAnalyzer unit. This IP address connects the FortiAnalyzer unit to the TFTP server. This IP address must be on the same network as the TFTP server, but make sure you do not use an IP address of another device on the network. The following message appears:

Enter firmware image file name [image.out]:

11 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiAnalyzer unit and the following appears:

Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]

12 Type R. The FortiAnalyzer firmware image installs and saves to system memory. The FortiAnalyzer unit starts running the new firmware image with the current configuration.

When you are done testing the firmware, you can reboot the FortiAnalyzer unit and resume using the original firmware. You will need to restore the original configuration file after the testing.


Installing firmware from the BIOS menu in the CLI

If you encounter access problems to the web-based manager after upgrading the firmware, you can re-install the previous firmware image from the BIOS menu in the CLI. During some upgrades, the firmware image may not install successfully on the FortiAnalyzer unit; one cause is a corrupted firmware image. To install firmware from the BIOS menu, use the procedure in “Testing firmware before upgrading/downgrading” on page 277. At step 12 in the procedure, enter D instead of R. Option D installs the firmware permanently on the FortiAnalyzer unit, as the default firmware.
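Because a corrupted image is one cause of a failed install, verify the image against the checksum you recorded when you downloaded it before copying it into the TFTP root that the [G] menu option and execute restore image read from. The following Python is an added example, not code from this guide or from Fortinet. sha256_of, stage_firmware and demo are hypothetical helper names, the expected checksum is assumed to be whatever you recorded at download time, and the image bytes written in demo are constructed, not a real firmware image.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so a large image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_firmware(image: Path, expected_sha256: str, tftp_root: Path) -> Path:
    """Copy a firmware image into the TFTP root only if it matches the checksum
    recorded at download time. Raises ValueError on mismatch, so a truncated
    or altered download is never offered to the unit."""
    if image.stat().st_size == 0:
        raise ValueError(f"{image.name} is empty")
    actual = sha256_of(image)
    if actual != expected_sha256.lower():
        raise ValueError(
            f"checksum mismatch for {image.name}: expected {expected_sha256}, got {actual}")
    tftp_root.mkdir(parents=True, exist_ok=True)
    dest = tftp_root / image.name
    shutil.copy2(image, dest)
    # Re-hash the copy: a full disk or an interrupted copy leaves a short file.
    if sha256_of(dest) != actual:
        dest.unlink()
        raise ValueError(f"copy to {dest} is corrupt; removed")
    return dest


def demo() -> dict:
    """Exercise stage_firmware on a constructed image in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        image = tmp / "image.out"      # default file name from the BIOS prompt
        image.write_bytes(b"constructed firmware bytes, not a real image\n" * 1000)
        good_sum = hashlib.sha256(image.read_bytes()).hexdigest()
        staged = stage_firmware(image, good_sum, tmp / "tftproot")
        result = {"staged_ok": staged.read_bytes() == image.read_bytes(),
                  "staged_name": staged.name}
        try:
            stage_firmware(image, "0" * 64, tmp / "tftproot2")
            result["mismatch_rejected"] = False
        except ValueError:
            result["mismatch_rejected"] = True
        # Nothing is created under the TFTP root when the check fails.
        result["nothing_staged_on_mismatch"] = not (tmp / "tftproot2").exists()
        return result
```

In practice the first argument is the downloaded file, the second is the checksum you noted from the support portal, and the third is the directory your TFTP server serves; only then do steps 1 and 2 of the test procedure begin.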

Upgrading your FortiAnalyzer unit

After backing up your current configuration, you can now upgrade the firmware on your FortiAnalyzer unit. The following procedures are used every time you upgrade the firmware, whether it is a maintenance release or a patch release. You can also use the following procedure when installing a patch release. A patch release is a maintenance release build that resolves important issues. You can install a patch release whether the FortiAnalyzer unit was upgraded to the current firmware version or not.

Upgrading/downgrading through the web-based manager

The following procedure uses the web-based manager for upgrading the FortiAnalyzer unit from version 4.0 MR1 to MR2. The following procedure assumes that you have already downloaded the firmware image to your management computer.

To upgrade through the web-based manager
1 Copy the firmware image file to your management computer.
2 Log in to the web-based manager as the administrative user.
3 Go to System > Dashboard > Status.
4 In the System Information area, select Update for Firmware Version.

Caution: You must back up your current configuration before using the following procedure. The following procedure resets all settings to their default state, which includes interface IP addresses, HTTP, HTTPS, SSH, and telnet access.

Note: The FortiAnalyzer upgrade path is as follows: Version 3.0 MR6 > MR7 > Version 4.0 > 4.0 MR1 > 4.0 MR2. However, the RVS configuration will not be carried forward and the FortiGuard configuration will be reset to its defaults.

Caution: Always back up your configuration and log data before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.


5 Enter the path and filename of the firmware image file, or select Browse and locate the file.

6 Select OK.
7 The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiAnalyzer login. This process may take a few minutes.

When the upgrade is successfully installed:
• Ping your FortiAnalyzer unit to verify there is still a connection.
• Clear the browser’s cache and log in to the web-based manager.
After logging back in to the web-based manager, save the configuration settings that were carried forward: go to System > Maintenance > Backup & Restore.

Upgrading/downgrading through the CLI

The following procedure uses the CLI and a TFTP server to upgrade the FortiAnalyzer unit from 4.0 MR1 to MR2. The CLI upgrade procedure reverts all current firewall configurations to factory default settings. The following procedure assumes that you have already downloaded the firmware image to your management computer. The procedures may vary depending on the firmware versions you use for the upgrade.

To upgrade to FortiAnalyzer 4.0 MR2 through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:

execute ping <server_ipaddress>

Pinging the computer running the TFTP server verifies that the FortiAnalyzer unit and TFTP server are successfully connected.

Caution: Always back up your configuration and log data before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.


5 Enter the following command to copy the firmware image from the TFTP server to the FortiAnalyzer unit:

execute restore image tftp <name_str> <tftp_ip4>

Where <name_str> is the name of the firmware image file and <tftp_ip4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:

execute restore image tftp image.out 192.168.1.168

The FortiAnalyzer unit responds with a message similar to the following:

This operation will replace the current firmware version! Do you want to continue? (y/n)

6 Type y.
The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.

7 Reconnect to the CLI.
8 Enter the following command to confirm the firmware image installed successfully:

get system status

Verifying the upgrade

After upgrading, you should verify that the configuration settings have been carried forward. Verifying your configuration settings also enables you to familiarize yourself with the new features and changes in the new firmware. You can verify your configuration settings by:
• going through each menu and tab in the web-based manager
• using the show command in the CLI


Best practices and fine tuning

This chapter is a collection of best practice and fine tuning guidelines to ensure the most secure and reliable operation of FortiAnalyzer units. This topic includes:
• System security tuning
• System maintenance tips
• Performance tuning

System security tuning

• As soon as possible during initial FortiAnalyzer setup, give the default administrator, admin, a password. This administrator has the highest level of permissions available and access to this administrator should be limited to as few people as possible. Change all administrator passwords regularly. Set a policy—such as every 60 days—and follow it. For more information, see “Changing an administrator’s password” on page 79.

• Do not use the default administrator access profile for all new administrators. Create one or more access profiles with limited permissions tailored to the responsibilities of the new administrator accounts. For more information, see “Configuring access profiles” on page 80.

• By default, an administrator login that is idle for more than five minutes times out. You can change this to a longer period, but Fortinet does not recommend it. A web-based manager GUI or CLI session left unattended lets anyone change your settings. For more information, see “Configuring administrator-related settings” on page 77.

• Instead of allowing administrative access to the FortiAnalyzer unit from any source, restrict it to trusted internal hosts. For more information, see “Configuring administrator accounts” on page 77.

• Restrict the interface used for administrative access (usually port1) to just the access protocols administrators need. For best results, use only the most secure protocols. Disable telnet. Disable ping except during troubleshooting. Use HTTP only if the network interface connects to a trusted private network. For more information, see “Configuring the network interfaces” on page 63.

• Verify that the system time and time zone are correct. Many features, including FortiGuard updates, log timestamps, and scheduled reports, rely on a correct system time. For more information, see “System Information widget” on page 38.
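The list above can be turned into a repeatable check against the unit's saved configuration (for example the output of the show command, captured as text). The following Python is an added example, not code from this guide or from Fortinet: it parses a config snippet written in FortiOS-style syntax and reports the settings the list warns about (long idle timeout, telnet/HTTP/ping on the administrative interface, administrators without trusted hosts, reuse of the default administrator's profile). The two sample configs are constructed, and the command paths and field names (admintimeout, allowaccess, trusthost1, profileid) are assumptions about the FortiOS-style CLI rather than taken from this guide; confirm them against the FortiAnalyzer CLI Reference for your release before relying on the check.

```python
# Constructed sample in the style of FortiOS "show" output; field names are
# assumptions, not taken from the guide. This one breaks most of the rules.
WEAK_CONFIG = """\
config system global
    set admintimeout 30
end
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
end
config system admin user
    edit "admin"
        set profileid "Super_User"
    next
    edit "auditor"
        set profileid "Read_Only"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "helpdesk"
        set profileid "Super_User"
    next
end
"""

# The same unit after applying the tuning list (also constructed).
HARDENED_CONFIG = """\
config system global
    set admintimeout 5
end
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess https ssh
    next
end
config system admin user
    edit "admin"
        set trusthost1 10.0.0.10 255.255.255.255
    next
end
"""

MAX_IDLE_MINUTES = 5                 # the default the guide says not to lengthen
INSECURE_PROTOCOLS = {"telnet", "http"}


def parse_config(text: str) -> dict:
    """Parse one level of config/edit/set/next/end blocks into nested dicts.
    A section without edits (system global) maps keys directly; a section
    with edits maps entry name -> {key: [values]}."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = tree.setdefault(line[len("config "):], {})
            entry = None
        elif line.startswith("edit "):
            entry = section.setdefault(line[len("edit "):].strip().strip('"'), {})
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            (entry if entry is not None else section)[key] = value.split()
        elif line == "next":
            entry = None
        elif line == "end":
            section, entry = None, None
    return tree


def audit(tree: dict) -> list:
    """Return (finding_code, subject) pairs for settings the tuning list warns about."""
    findings = []
    timeout = tree.get("system global", {}).get("admintimeout")
    if timeout and int(timeout[0]) > MAX_IDLE_MINUTES:
        findings.append(("ADMIN_TIMEOUT_TOO_LONG", timeout[0]))
    for port, settings in tree.get("system interface", {}).items():
        access = set(settings.get("allowaccess", []))
        for proto in sorted(access & INSECURE_PROTOCOLS):
            findings.append(("INSECURE_ADMIN_PROTOCOL", f"{port}:{proto}"))
        if "ping" in access:                       # allowed only while troubleshooting
            findings.append(("PING_ENABLED", port))
    users = tree.get("system admin user", {})
    default_profile = users.get("admin", {}).get("profileid")
    for user, settings in users.items():
        if user != "admin" and default_profile and settings.get("profileid") == default_profile:
            findings.append(("DEFAULT_PROFILE_REUSED", user))
        if not any(key.startswith("trusthost") for key in settings):
            findings.append(("NO_TRUSTED_HOSTS", user))
    return findings


def audit_text(config_text: str) -> list:
    return audit(parse_config(config_text))
```

Feed it the saved configuration from each unit after every change window; an empty list is the expected result, and anything else maps directly to one bullet in the list above.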

System maintenance tips

• Before upgrading or downgrading the firmware and running CLI commands that can change your settings, such as execute factoryreset and execute restore, always perform a complete configuration backup. For information on backing up configuration, see “Backing up the configuration & installing firmware” on page 114.


• Upgrade to the latest available firmware. After downloading the firmware file from Fortinet Technical Support (https://support.fortinet.com/), back up the configuration and other data, then go to Monitor > System Status > Status, and, in the Firmware Version row, select the Update link.

• Configure the FortiAnalyzer unit to accept both scheduled and push updates of antivirus and attack definitions. FortiGuard updates are configured in Maintenance > FortiGuard > Update.

• Before a FortiAnalyzer unit can receive FortiGuard Antivirus and/or FortiGuard Antispam updates, it must be able to connect to the FortiGuard Distribution Network (FDN). FDN connection status can be checked in Maintenance > FortiGuard > Update.

• Allow the FortiAnalyzer unit access to a valid DNS server. DNS services are required for many FortiMail features, including scheduled updates and FortiGuard Antispam rating queries. The DNS server used by the FortiAnalyzer unit is configured in System > Network > DNS.

Performance tuning

• Verify that the system time and time zone are correct. Many features rely on a correct system time. See “Configuring the time & date” on page 38.

• To reduce latency associated with DNS queries, use a DNS server on your local network as your primary DNS. See “Configuring DNS” on page 69.

• When editing a network interface (System > Network > Interface), you can enable Override default MTU value (1500) to change the maximum transmission unit (MTU) value, then enter the maximum packet size in bytes. To improve network performance, adjust the MTU so that it equals the smallest MTU of all devices between this interface and the traffic’s final destinations. If the MTU is larger than other devices’ MTU, the other devices through which the traffic travels must spend time and processing resources fragmenting large packets to meet their smaller MTU, which slows down transmission. The default value is 1500 bytes. The MTU size must be between 576 and 1500 bytes.

• If applicable, configure RAID array to maximize performance. See “Configuring RAID” on page 106.

• When choosing a FortiAnalyzer model, consider your network’s log frequency, and the number of devices to support. For networks with more demanding logging scenarios, an appropriate device ratio may be less than the allowed maximum. Performance will vary according to your network size, device types, logging thresholds, and many other factors. See “Maximum number of devices” on page 126.

• Avoid recording log messages using low severity thresholds, such as information or notification, to the local hard disk for an extended period of time. Excessive logging frequency saps system resources and can cause undue wear on the hard disk and may cause premature failure. See “Alert Message Console widget” on page 51.

• Regularly delete or back up old reports to reduce the number of reports on the local disk.

• Schedule resource-intensive and non-time-critical tasks, such as report generation, to low-traffic periods.


Troubleshooting

This chapter provides troubleshooting techniques for some frequently encountered problems. It includes general troubleshooting methods and specific troubleshooting tips using both the command line interface (CLI) and the web-based manager. Some CLI commands provide troubleshooting information not available through the web-based manager. The web-based manager is better suited for viewing large amounts of information on screen, reading logs and archives, and viewing status through the dashboard. For late-breaking troubleshooting information, see the Fortinet Knowledge Base.

This topic includes:
• Troubleshooting process
• Troubleshooting FortiAnalyzer issues

Troubleshooting process

Before you begin troubleshooting anything but the most minor issues, you need to prepare. Doing so will shorten the time to solve your issue.

Establish a baseline

Note that many of these questions are some form of comparing the current situation to normal operation. For this reason it is recommended that you know what your normal operating status is. This can easily be accomplished through logs, or by regularly running information gathering commands and saving the output. Then when there is a problem, this regular operation data will enable you to determine what is different. It is a good idea to back up the FortiAnalyzer configuration for your unit on a regular basis. Apart from troubleshooting, if you accidentally change something the backup can help you restore normal operation quickly and easily.
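One way to keep the baseline this paragraph recommends is to save the output of get system status (the command this chapter later names for the firmware build) on a schedule and diff a fresh capture against it when a problem is reported. The following Python is an added example, not code from this guide or from Fortinet. The status text it parses is constructed, with placeholder field names and values; parse_status, diff_status, save_snapshot and load_snapshot are hypothetical helper names; and the VOLATILE set of fields expected to differ between captures is an assumption you would tune to your own output.

```python
import json
from pathlib import Path

# Constructed stand-ins for two captures of "get system status". Field names
# and values are placeholders; take real ones from your own unit.
BASELINE_STATUS = """\
Platform Type: FAZ-placeholder
Version: v4.0 MR1 (constructed)
Serial-Number: FAZ-SERIAL-PLACEHOLDER
Hostname: faz-lab
System time: Mon Sep 14 12:00:00 2009
Log disk: 42% used
"""

CURRENT_STATUS = """\
Platform Type: FAZ-placeholder
Version: v4.0 MR2 (constructed)
Serial-Number: FAZ-SERIAL-PLACEHOLDER
Hostname: faz-lab-renamed
System time: Tue Sep 15 09:30:00 2009
Log disk: 97% used
Hardware RAID: degraded
"""

# Fields that legitimately differ between two captures (assumption).
VOLATILE = {"System time"}


def parse_status(text: str) -> dict:
    """Turn 'Key: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def diff_status(baseline: dict, current: dict, ignore=VOLATILE) -> dict:
    """Report what changed, appeared or disappeared relative to the baseline."""
    changed = {k: (baseline[k], current[k]) for k in baseline
               if k in current and baseline[k] != current[k] and k not in ignore}
    added = {k: v for k, v in current.items() if k not in baseline}
    removed = {k: v for k, v in baseline.items() if k not in current}
    return {"changed": changed, "added": added, "removed": removed}


def save_snapshot(fields: dict, path: Path) -> None:
    """Persist a parsed capture so it can serve as the next baseline."""
    path.write_text(json.dumps(fields, indent=2, sort_keys=True))


def load_snapshot(path: Path) -> dict:
    return json.loads(path.read_text())


def summarize(diff: dict) -> list:
    """One human-readable line per difference, for a ticket or a TAC case."""
    lines = [f"changed {k}: {old!r} -> {new!r}" for k, (old, new) in diff["changed"].items()]
    lines += [f"added {k}: {v!r}" for k, v in diff["added"].items()]
    lines += [f"removed {k}: {v!r}" for k, v in diff["removed"].items()]
    return lines
```

Capturing the same commands on a fixed schedule (the guide's "regularly running information gathering commands") and keeping each capture with a timestamp lets you answer the "what has changed?" question below from data rather than memory.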

Define the problem

Before starting to troubleshoot a problem, ask the following questions:
• What is the problem?
Do not assume that the problem being experienced is the actual problem. First determine that the problem does not lie elsewhere before starting to troubleshoot the FortiAnalyzer device.

• Has it ever worked before?
If the device never worked from the first day, you may not want to spend time troubleshooting something that could well be defective.

• Can the problem be reproduced at will or is it intermittent?
If the problem is intermittent, it may be dependent on system load. Also, an intermittent problem can be very difficult to troubleshoot due to the difficulty of reproducing the issue.


• What has changed?
Do not assume that nothing has changed in the network. Use the FortiAnalyzer event log to see if any configuration changes were made. If something has changed, see what the effect is if the change is rolled back.

• After you have isolated the problem, what applications, users, devices, and operating systems does it affect?

Before you can solve a problem, you need to understand it. Often this step can be the longest in this process. Ask questions such as:
• What is not working? Be specific.
• Is there more than one thing not working?
• Is it partly working? If so, what parts are working?
• Is it a connectivity issue for the whole device, or is there an application that isn’t reaching the Internet?
Be as specific as possible with your answers, even if it takes a while to find the answers. These questions will help you define the problem. Once the problem is defined, you can search for a solution and then create a plan on how to solve it.

Gathering Facts

Fact gathering is an important part of defining the problem. Consider the following:
• Where did the problem occur?
• When did the problem occur and to whom?
• What components are involved?
• What is the affected application?
• Can the problem be traced using a packet sniffer?
• Can the problem be traced in the session table?
• Can log files be obtained that indicate a failure has occurred?
Answers to these questions will help you narrow down the problem, and what you have to check during your troubleshooting. The more things you can eliminate, the fewer things you need to check during troubleshooting.

Search for a solution

An administrator can save time and effort during the troubleshooting process by first checking if the issue has been experienced before. Several resources are available to provide valuable information about FortiAnalyzer technical issues, including:

Technical Documentation
Installation Guides, Administration Guides, Quick Start Guides, and other technical documents are available online at the following URL:

http://docs.fortinet.com


Release Notes
Issues that are uncovered after the technical documentation has been published will often be listed in the Release Notes that accompany the device.

Knowledge Center
The Fortinet Knowledge Center provides access to a variety of articles, white papers, and other documentation providing technical insight into a range of Fortinet products. The Knowledge Center is available online at the following URL:

http://kc.fortinet.com

Fortinet Technical Discussion Forums
An online technical forum allows administrators to contribute to discussions about issues related to their Fortinet products. Searching the forum can help the administrator identify if an issue has been experienced by another user. The support forums can be accessed at the following URL:

http://support.fortinet.com/forum

Fortinet Training Services Online Campus
The Fortinet Training Services Online Campus hosts a collection of tutorials and training materials which can be used to increase knowledge of the Fortinet products.

http://campus.training.fortinet.com

Create a troubleshooting plan

Once you have defined the problem, and searched for a solution, you can create a plan to solve that problem. Even if your search didn’t find a solution to your problem, you may have found some additional things to check to further define your problem.

The plan should list all the possible causes of the problem that you can think of, and how to test for each possible cause. The plan will act as a checklist so that you know what you have tried and what is left to check. This is important to have if more than one person will be doing the troubleshooting. Without a written plan, people will become easily confused and steps will be skipped. Also, if you have to hand over the problem to someone else, providing them with a detailed list of what data has been gathered and what solutions have already been tried demonstrates a good level of professionalism.

Be ready to add to your plan as needed. After you are part way through, you may discover that you forgot some tests or a test you performed discovered new information. This is normal.

Also, if you contact support, they will require information about your problem as well as what you have already tried to fix the problem. This should all be part of your plan.

Providing Supporting Elements

If the Fortinet Technical Assistance Center (TAC) needs to be contacted to help you with your issue, be prepared to provide the following information:
• The firmware build version (use the get system status command)
• A recent configuration file
• A recent debug log
• A network topology diagram
• The troubleshooting steps that have already been performed and their results

FortiAnalyzer™ Version 4.0 MR2 Administration Guide, Revision 13, page 287 (http://docs.fortinet.com/)

Gather system information

Your FortiAnalyzer unit provides many features to aid in troubleshooting and performance monitoring. Use the web-based manager's dashboard and the CLI commands to define the scope and details of your problem. Keep track of the information you gather; Fortinet customer support may request it if you contact them for assistance.

Table 1: Web-based manager information gathering features

System > Dashboard > Status
    Displays a dashboard with widgets, each of which indicates a performance level or other status. By default, the widgets display the serial number and current system status of the FortiAnalyzer unit, including uptime, system resource usage, host name, firmware version, system time, and log throughput. The dashboard also contains a CLI widget that enables you to use the command line through the web-based manager. These widgets appear on a single dashboard.

System > Network > Interface
    Displays details about each configured system interface (port).

System > Network > Routing
    Displays a list of configured static routes including their IPs, masks, and gateways.

Table 2: CLI information gathering features

diagnose debug crashlog list
    Displays details on application proxies that have backtraces, traps, and registration dumps.

diagnose debug report
    Displays the FortiAnalyzer configuration.

diagnose fortiguard status
    Displays the running status of the FortiGuard daemon.

diagnose netlink
    Displays the netlink information, including the FortiAnalyzer unit’s interface statistics, interface status and parameters, the physical and virtual IP addresses associated with the network interfaces of the FortiAnalyzer unit, routing table contents, routing cache information, TCP socket information, and UDP socket information.

diagnose sniffer packet
    Performs a packet trace on a specified network interface.

diagnose sys
    Displays the system information.

diagnose test
    Tests the connectivity of the remote LDAP authentication server.

execute ping
    Tests connectivity to other devices on your network or elsewhere.

execute traceroute
    Traces the route of packets between the FortiAnalyzer unit and a specified server.

get system performance
    Displays CPU usage, memory usage, and up-time.

get system status
    Provides the firmware version, serial number, BIOS version, and host name.

The above CLI commands display data. Many of these commands also have options for modifying data. For CLI command syntax details for these and other commands, see the FortiAnalyzer CLI Reference.

Check port assignments

There are 65,535 ports available for each of the TCP and UDP stacks that applications can use when communicating with each other. If someone recently changed a FortiAnalyzer or network port, that may be part of your problem.


For information on FortiAnalyzer port assignment, see “Appendix E: Port Numbers” on page 379.

In addition, some ports may be assigned to other Fortinet appliances on your network. See the Fortinet Knowledge Base article, "Traffic Types and TCP/UDP Ports used by Fortinet Products" at:

http://kb.fortinet.com

Many UDP and TCP port numbers have internationally recognized IANA port assignments and are commonly associated with specific applications or protocols.

Troubleshoot connectivity issues

This section includes troubleshooting questions related to connectivity issues.

• Are all cables and interfaces connected properly? See “Check hardware connections” on page 289.
• Are you experiencing packet loss or device connectivity problems? See “Run ping and traceroute” on page 290.
• Are there routes in the routing table for default and static routes? Do all connected subnets have a route in the routing table? See “Verify the contents of the routing table” on page 292.
• Are the ARP table entries correct for the next-hop destination? See “Verify the contents of the ARP table” on page 292.
• Is traffic entering the FortiAnalyzer unit and, if so, does it arrive on the expected interface? Is the traffic exiting the FortiAnalyzer unit to the expected destination? Is the traffic being sent back to the originator? Perform a sniffer trace. See “Perform a sniffer trace” on page 293.

Check hardware connections

If there is no traffic flowing from the FortiAnalyzer unit, it may be a hardware problem.

To check hardware connections
• Ensure the network cables are properly plugged in to the interfaces on the FortiAnalyzer unit.
• Ensure there are connection lights for the network cables on the unit.
• Change the cable if the cable or its connector is damaged, or if you are unsure about the cable’s type or quality.
• Connect the FortiAnalyzer unit to different hardware to see if that makes a difference.
• In the web-based manager, select System > Network > Interface and ensure the link status is up (up arrow on green circle) for the interface. If the status is down (down arrow on red circle), click Bring Up next to it in the Status column. You can also enable an interface in the CLI, for example:

config system interface
  edit port2
    set status up
end

If any of these checks solve the problem, it was a hardware connection issue. You should still perform some basic software tests to ensure complete connectivity.


If the hardware connections are correct and the unit is powered on but you cannot connect using the CLI or web-based manager, you may be experiencing bootup problems. See “Bootup issues” on page 302.

Run ping and traceroute

Ping and traceroute are useful tools in network troubleshooting. Both tools accept either IP addresses or fully-qualified domain names as parameters. They can help you determine why particular services, such as email or web browsing, are not working properly.

Both ping and traceroute need the firewalls along the path to let their probes through: ICMP echo for ping, and UDP probe ports or ICMP echo for traceroute (see “Check routes with traceroute” below). Since you typically use these tools only while troubleshooting, you can allow them in the firewall policies and on interfaces only when you need them, and otherwise keep them disabled for added security.

Check connections with ping

The ping command sends a small data packet to the destination and waits for a response. The wait has a timer that may expire, indicating the destination is unreachable. Ping operates at Layer 3 of the OSI networking model. It sends Internet Control Message Protocol (ICMP) “echo request” packets to the destination and listens for “echo reply” packets in return. However, many public networks block ICMP packets because ping can be used in a denial of service (DoS) attack, or by an attacker to discover active hosts on the network. By default, FortiAnalyzer units have ping enabled.

If ping does not work from your FortiAnalyzer unit, make sure it was not disabled. Go to System > Network > Interface. Examine the list of allowed protocols in the Access column for the port used by the web-based manager (usually port1). If PING is not in the list, add it. Note that this setting controls whether the unit answers pings arriving on that interface, so it is also what you need when you cannot ping the FortiAnalyzer unit from your workstation.

To enable ping
1 Go to System > Network > Interface.
2 Click the Edit icon in the applicable row. A dialog appears.
3 Select PING on the Edit Interface dialog.
4 Click OK.

What ping can tell you

Beyond basic connectivity, ping tells you the amount of packet loss (if any), how long it takes a packet to make the round trip, and how much that time varies from packet to packet (jitter).

If ping shows partial packet loss, investigate:
• possible ECMP, split horizon, or network loops
• cabling, to ensure there are no loose connections

If ping shows total packet loss, investigate:
• hardware, to ensure cabling is correct
• all equipment between the two locations, to determine that it is properly connected
• addresses and routes, to ensure all IP addresses and routing information along the route are configured as expected
• firewalls, to ensure they are set to allow ping to pass through

Note: If ping does not work at all, it is probably disabled in the settings of at least one interface, or blocked by a firewall policy on that interface.
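To turn the rules above into a repeatable check, the following Python script (an added example, not part of the guide) parses Linux-style ping output, computes loss, round-trip time and jitter, and maps the result onto the checks listed above. The sample output it parses is constructed for the example, and the jitter definition (mean absolute change between consecutive round-trip times) is this example's own choice.

```python
import re
import statistics
from typing import Dict, List

# Constructed sample output (not from the guide): five Linux ping probes
# to 172.20.120.169, with icmp_seq 3 lost and one slow reply at seq 4.
SAMPLE_PING_OUTPUT = """\
PING 172.20.120.169 (172.20.120.169) 56(84) bytes of data.
64 bytes from 172.20.120.169: icmp_seq=1 ttl=64 time=0.421 ms
64 bytes from 172.20.120.169: icmp_seq=2 ttl=64 time=0.398 ms
64 bytes from 172.20.120.169: icmp_seq=4 ttl=64 time=12.300 ms
64 bytes from 172.20.120.169: icmp_seq=5 ttl=64 time=0.405 ms
"""

# One reply line as Linux ping prints it. Windows prints "time=12ms" and
# would need a different pattern; only the sequence number and RTT are used.
REPLY_RE = re.compile(r"icmp_seq=(?P<seq>\d+) ttl=\d+ time=(?P<rtt>[\d.]+) ms")


def parse_replies(output: str) -> Dict[int, float]:
    """Map icmp_seq -> round-trip time in ms for every reply line found."""
    return {int(m.group("seq")): float(m.group("rtt")) for m in REPLY_RE.finditer(output)}


def analyze_ping(output: str, sent: int) -> Dict[str, object]:
    """Summarise loss, RTT and jitter for a run of `sent` probes (the -c count)
    and map the result onto the checks the guide recommends."""
    replies = parse_replies(output)
    rtts: List[float] = [replies[seq] for seq in sorted(replies)]
    received = len(rtts)
    lost_seq = [seq for seq in range(1, sent + 1) if seq not in replies]
    loss_pct = 100.0 * (sent - received) / sent

    # Jitter: mean absolute change between consecutive RTTs (example's definition).
    deltas = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    jitter = statistics.mean(deltas) if deltas else 0.0

    if received == 0:
        verdict = ("total loss: check cabling, every device between the two points, "
                   "IP addresses and routes, and firewalls that must allow ICMP echo")
    elif lost_seq:
        verdict = "partial loss: check for ECMP, split horizon or loops, and loose cabling"
    else:
        verdict = "no loss"

    return {
        "sent": sent,
        "received": received,
        "lost_seq": lost_seq,
        "loss_pct": round(loss_pct, 1),
        "rtt_min_ms": min(rtts) if rtts else None,
        "rtt_avg_ms": round(statistics.mean(rtts), 3) if rtts else None,
        "rtt_max_ms": max(rtts) if rtts else None,
        "jitter_ms": round(jitter, 3),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze_ping(SAMPLE_PING_OUTPUT, sent=5).items():
        print(f"{key:>12}: {value}")
```

Pass the number of probes you asked for (the -c or -n count) rather than trusting the summary line, so a run that was interrupted or that printed no replies at all still yields a loss figure and a verdict.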


How to use ping

You can ping from the FortiAnalyzer unit in the CLI Console widget of the web-based manager or through the CLI. For example:

execute ping 172.20.120.169

See the execute ping command in the FortiAnalyzer CLI Reference for an explanation of the command output, and see execute ping-options for a description of the many options to tailor the ping to your needs. If the FortiAnalyzer web-based manager and CLI are not available, you can run ping on a Windows or Linux PC.

To ping a device from a Windows PC
1 Open a command window.
   • In Windows XP, select Start > Run, enter cmd, and select OK.
   • In Windows 7, select the Start icon, enter cmd in the search box, and select cmd.exe from the list.
2 In the command window, enter the ping command and an IP address, for example:

ping 172.20.120.169

Ping options include:
• -t, to send packets until you press Control-C
• -a, to resolve addresses to host names where possible
• -n x, where x is an integer stating the number of packets to send

To ping a device from a Linux PC
1 Go to a command line prompt.
2 Enter:

ping -c 4 172.20.120.169

On Linux, ping keeps sending packets until you press Control-C unless you limit the count with -c; the count of 4 above is only an example.

Check routes with traceroute

Traceroute discovers each hop along the route by sending probe packets with an increasing time to live (TTL). It sends three probes with a TTL of 1, then three with a TTL of 2, and so on, increasing the TTL by one each round. Each router that decrements the TTL to zero discards the probe and returns an ICMP “time exceeded” message, which identifies that hop; this is how the probes effectively go one hop farther along the route each round. It also explains why most traceroute commands display their maximum hop count before they start tracing the route: that is the maximum number of rounds before declaring the destination unreachable. A slow response at a hop may also cause that step to time out, and there are many possible reasons for this to occur.

Traceroute by default uses UDP probes with destination ports numbered from 33434 to 33534. The traceroute utility usually has an option to send ICMP echo request (type 8) probes instead, which is what the Windows tracert utility uses. If you have a firewall and you want traceroute to work from both Unix-like systems and Windows, you will need to allow both kinds of probes through it (UDP with ports from 33434 to 33534, and ICMP type 8), as well as the ICMP replies that come back.

What traceroute can tell youWhere ping only tells you if the signal reached its destination and came back successfully, traceroute shows each step of its journey to its destination and how long each step takes. If ping finds an outage between two points, use traceroute to locate exactly where the problem is. The traceroute output can identify other problems, such as an inability to connect to a DNS server.


How to use traceroute

You can run a route trace from the FortiAnalyzer unit in the CLI Console widget of the web-based manager or through the CLI, for example:

execute traceroute docs.fortinet.com

See the execute traceroute command in the FortiAnalyzer CLI Reference for an explanation of the command output. If the FortiAnalyzer web-based manager and CLI are not available, you can trace a route on a Windows or Linux PC.

To use traceroute on a Windows PC
1 Open a command window.
   • In Windows XP, select Start > Run, enter cmd, and select OK.
   • In Windows 7, select the Start icon, enter cmd in the search box, and select cmd.exe from the list.
2 Enter the tracert command to trace the route from the host PC to the destination web site, for example:

tracert fortinet.com

In the tracert output, the first, or left, column is the hop count, which stops at 30 hops by default. The second, third, and fourth columns are how long each of the three probes took to reach this stage of the route. These values are in milliseconds and normally vary quite a bit. Typically a value of <1ms indicates a local connection. The fifth, or far right, column is the domain name of that device and its IP address, or possibly just the IP address.

To use traceroute on a Linux PC
1 Go to a command line prompt.
2 Enter:

traceroute fortinet.com

The Linux traceroute output is very similar to the Microsoft Windows tracert output.

Verify the contents of the routing table

When you have limited connectivity, a good place to look for information is the routing table. The routing table is where the FortiAnalyzer unit stores the currently used static routes. If a route is in the routing table, it saves the time and resources of a lookup. If a route has not been used for a while and a new route needs to be added, the oldest, least-used route is bumped if the routing table is full. This ensures the most recently used routes stay in the table. To check the routing table in the CLI, enter:

diagnose network route list

Verify the contents of the ARP table

When you have poor connectivity, another good place to look for information is the address resolution protocol (ARP) table. A functioning ARP is especially important in high-availability configurations. To check the ARP table in the CLI, enter:

diagnose system arp


Perform a sniffer trace

When troubleshooting networks, and routing in particular, it helps to look inside the headers of packets to determine if they are traveling along the route you expect. Packet sniffing is also called a network tap, packet capture, or logic analyzing.

What can sniffing packets tell you

Packet sniffing can tell you if the traffic is reaching its destination, what the port of entry is on the FortiAnalyzer unit, if the ARP resolution is correct, and if the traffic is being sent back to the source as expected. Packet sniffing can also tell you if the FortiAnalyzer unit is silently dropping packets.

To sniff packets

The general form of the internal FortiAnalyzer packet sniffer command is:

diagnose sniffer packet <interface_name> <filter_str> <verbose-level> <count_int>

This example checks network traffic on port1, with no filter, at verbose level 1, and captures 10 packets:

diagnose sniffer packet port1 none 1 10

See the FortiAnalyzer CLI Reference for an explanation of the command and its parameters.

Note: If you configure virtual IP addresses on your FortiAnalyzer unit, it will use those addresses in preference to the physical IP addresses. You will notice this when you are sniffing packets because all traffic will use the virtual IP addresses. This is due to the ARP update that is sent out when the virtual IP address is configured.

Obtain any required additional equipment

You may require additional networking equipment, computers, or other equipment to test your solution. Normally network administrators have additional networking equipment available either to loan you, or a lab where you can bring the FortiAnalyzer unit to test. If you do not have access to equipment, check for shareware applications that can perform the same task. Often there are software solutions when hardware is too expensive.

Ensure you have administrator level access to required equipment

Before troubleshooting your FortiAnalyzer unit, you will need administrator access to the equipment. Also, you may need access to other networking equipment such as switches, routers, and servers to help you test. If you do not normally have access to this equipment, contact your network administrator for assistance.

Contact Fortinet customer support for assistance

After you have defined your problem, researched a solution, created a plan, and executed that plan, and the problem is still not solved, it is time to contact Fortinet customer support for assistance. To receive technical support and service updates, your Fortinet product must be registered. Registration, support programs, assistance, and regional phone contacts are available at the following URL:

https://support.fortinet.com


When you are registered and ready to contact support:
1 Prepare the following information first:
   • your contact information
   • the firmware version
   • a recent server policy configuration
   • access to recent event, traffic and attack logs
   • a network topology diagram and IP addresses
   • a list of troubleshooting steps performed so far and the results
   For bootup problems:
   • provide all console messages and output
   • if you suspect a hard disk issue, provide your evidence
2 Document the problem and the steps you took to define the problem.
3 Open a support ticket.

For details on using the Fortinet support portal and providing the best information, see the Knowledge Base article, "Fortinet Support Portal for Product Registration, Contract Registration, Ticket Management, and Account Management" at:

http://kb.fortinet.com

Troubleshooting FortiAnalyzer issues

This section lists the common issues you may encounter in using the FortiAnalyzer unit and their solutions.

Report issue

FortiAnalyzer reports show the same user twice (name in upper case and in lower case).

Solution

When a FortiGate unit is set to require authentication, it may use two methods to authenticate: LDAP and FSAE. The user name is logged differently depending on the method used, which causes the FortiAnalyzer unit to have two different log entries for the same user: one with the name in upper case and one with the name in lower case. The FortiAnalyzer reports then show the same user twice, because the FortiAnalyzer filter is case-sensitive. This issue was resolved in FortiOS 4.0 MR1 with the addition of a new CLI command that makes all logged user names upper case. This is useful when the same servers are shared by LDAP and FSAE.

Binary files issue

The Alert Message Console on the Dashboard may display a message similar to the following:

2 of 70 binary files need to be regenerated.


Solution

The binary files indicated in the message are used by the FortiAnalyzer report engine to generate reports. During a firmware upgrade, the binary file format may change to support new features. In such a case, the affected binary files are regenerated, and this message means that some of the binary files have not yet been regenerated. The speed of regeneration (how long it takes to complete) depends on the activity of the FortiAnalyzer unit, such as the logging rate and the number of reports running. The number displayed in the message will steadily decrease. It may briefly increase when log files are manually imported, or in some cases during log rolling on a non-processed file. This is a normal process, and will resolve itself once the regeneration is complete.

CPU usage issue

The FortiAnalyzer unit’s CPU usage can appear to be continually high.

Solution

There are three key CPU-intensive operations on a FortiAnalyzer unit:

• Log indexing
A FortiAnalyzer unit deployed in a network can receive hundreds of log messages per second throughout the day. The FortiAnalyzer unit indexes nearly all fields in a log message to include it in the database. This process can be very CPU intensive, as the indexing component is continually running to keep up with the incoming log messages.

• Report generation and other enhanced features
Due to the many reporting functions, various report generations can be running at any time during the day, including:
   • security event reports
   • traffic summary reports
   • regular reports whose complexity can vary depending on the requirements
   • quota checking with log rolling
   • network sniffing
   • vulnerability scan


• Summary reports daemon
The summary reports daemon (sumreportsd) is responsible for computing data for the drill down widgets configured on the dashboard. The widgets are:
   • Top Web Traffic
   • Intrusion Activity
   • Virus Activity
   • Top FTP Traffic
   • Top Email Traffic
   • Top IM/P2P Traffic
   • Top Traffic
By default, none of these drill down widgets is enabled. Depending on the hardware platform or the amount of logs present on the FortiAnalyzer unit, sumreportsd may consume a considerable amount of CPU when running and may run for a considerable amount of time (from a few minutes, to hours, or even longer if it has to compute new data while still processing old data). The resulting effect is that drill down widgets may be empty or not up to date.

All these tasks can be CPU intensive, especially when a combination of them is occurring at the same time. This can cause the CPU usage to stay at 90% or more much of the time. It is important that the indexing operation runs at the lowest priority so that critical processes, such as receiving log messages, are not affected. On smaller devices, such as the FortiAnalyzer-100A, where the CPU and disk speeds are not as fast as on the higher-end models, the high CPU usage can appear more pronounced. In case of high CPU usage, and depending on the current environment of the FortiAnalyzer unit, it is suggested to:
• reduce the devices being monitored to only the ones needed
• reduce the Time Scope of a widget to a lower value (Hour or Day)
• disable all drill down widgets in all admin accounts

HA log issue

When sending FortiGate logs to the FortiAnalyzer unit over a secure connection, only the primary unit's logs are successfully received by the FortiAnalyzer unit.

Solution

When configuring a secure connection to send log information, you need to set the secure connection for all units in the HA cluster on the FortiAnalyzer unit. For more information, see “Secure” on page 125. If the FortiAnalyzer unit still does not accept log information from a FortiGate unit for which you have enabled the secure connection, check that you entered the preshared key and the device information correctly.

NFS server connection issue

When attempting to connect to the FortiAnalyzer unit as an NFS server, the connection times out or does not connect.


Solution

The FortiAnalyzer unit uses the DNS settings to enable connections for network file sharing. If the DNS settings are not configured correctly, or have incorrect DNS entries, the FortiAnalyzer unit will not be able to perform reverse lookups for users attempting to connect. If the FortiAnalyzer unit cannot perform this check, the operation times out, appearing to the user as being unable to connect.

To verify your DNS configuration, go to System > Network > DNS. For more information, see “Configuring DNS” on page 69.

Note that the FortiAnalyzer unit uses the DNS settings for a number of network functions. The DNS settings must be valid to ensure the system functions correctly.

Vulnerability management issues

Problem

On the Dashboard, Vulnerability Management under License Information shows as not registered.

Solution

Vulnerability Management is an additional service which, similar to FortiGuard Services, must be purchased and registered. Even if the FortiAnalyzer unit has been registered and licensed, the Vulnerability Management Service will show as “Not Registered” if it has not been purchased and registered.

Problem

Vulnerability management updates are not working.

Solution

1 Make sure you have a valid license.
Vulnerability management is a separate subscription that must be purchased. Make sure that there is a valid VM subscription before starting to troubleshoot. For more information, see “Scheduling & uploading vulnerability management updates” on page 116.

2 Check the default gateway.
The FortiAnalyzer unit needs a default gateway to be able to access the Internet and download updates. Go to System > Network > Routing and make sure the default gateway is configured correctly. If the default gateway is configured correctly, it should be possible to ping IP addresses on the Internet (assuming that nothing is blocking the pings). This can be tested by using the command:

exec ping <IP address on the Internet>

3 Make sure nothing is blocking port 443 from the FortiAnalyzer unit.
The FortiAnalyzer unit contacts the update servers on TCP port 443. If something (usually a firewall) is blocking port 443 from the FortiAnalyzer unit, it will not be able to receive updates. Check whether something is blocking port 443 by sniffing the traffic using the command:

diag sniff packet any 'port 443' 4

If something is blocking port 443, TCP SYNs will be seen going out but no TCP SYN/ACKs will come back in.


4 Enable debug.
There are a number of other issues that may be causing a problem with VM updates. The easiest way to check all of them is to enable debugging and check the output for errors. Run the commands below:

diag debug output enable
diag debug application fortiguard 8
exec update-vm

The output will show any errors that are happening with the update process. Once the update is complete, it is important to disable debug using the commands:

diag debug application fortiguard 0
diag debug output disable

Upgrade issue

The message "Upload file is too big or invalid" may be seen when upgrading a FortiAnalyzer unit from the web-based manager.

Solution

Assuming that the correct firmware image has been downloaded from support.fortinet.com, a possible cause of this problem is low free memory on a FortiAnalyzer unit that has had a long uptime. In order to load the required firmware image, it is necessary to reboot the FortiAnalyzer unit so that more system resources become available. Once the device has been rebooted, the upgrade will proceed as required.

Web-based manager issue

After logging in to the web-based manager, the following occur:
• Console access window opens blank
• Menu, tabs and button bar do not work
• Log view settings are not saved

Solution

Enable cookies and JavaScript in your browser. Make sure that cookies are not erased when you close your browser. Cookies store preferences for the browser you use to access the web-based manager. If the cookies are erased when you close the browser (session cookies), the preferences are not saved, and will not be available the next time you open the browser. JavaScript is used for navigation of the menus and tabs in the web-based manager. The following procedures describe how to enable cookies and JavaScript in Internet Explorer and Firefox.

In Internet Explorer 6 and 7:
1 Go to Tools > Internet Options.
2 Select the Privacy tab.
3 Select a level of Medium or lower for the Privacy level.
4 Select OK.
5 Select the Security tab.
6 Select Custom Level.


7 In Settings, under Scripting, enable Active Scripting and Scripting of Java Applets.
8 Select OK.

In Firefox:
1 Go to Tools > Options.
2 Select Privacy.
3 Select Allow sites to set cookies.
4 Select Keep cookies until they expire.
5 Select Content.
6 Select Enable JavaScript.
7 Select OK.

Disk usage issue

Disk usage on a FortiAnalyzer unit shows different values than on a monitored FortiGate unit.

Solution

The disk usage shown on a FortiGate unit is the usage of the space allocated to that particular FortiGate unit on the FortiAnalyzer unit, while the disk usage shown on the FortiAnalyzer unit is the total disk usage of the FortiAnalyzer unit as a whole. For information about configuring allocated space for a device, see “Manually adding or deleting a device or HA cluster” on page 129.

Device IP issue

The device IP address displays as 0.0.0.0 in the FortiAnalyzer unit device list (Devices > All Devices > Allowed) even though the FortiGate unit is already registered on the FortiAnalyzer unit.

Solution

The FortiAnalyzer unit fills in the IP address once it receives logs from the FortiGate unit. The IP address of the FortiGate unit stays 0.0.0.0 while the FortiAnalyzer unit has not received any logs from it.

The FortiAnalyzer unit may not be receiving logs even if the Test Connectivity check on the FortiGate unit shows that the FortiGate unit is connected to the FortiAnalyzer unit (on the FortiGate unit: Log&Report > Log Config > Log Settings > FortiAnalyzer > Test Connectivity). This can be because the FortiGate unit is configured to send logs to the FortiAnalyzer unit but is not generating any logs yet, or because there is a connectivity problem between the FortiGate unit and the FortiAnalyzer unit on UDP port 514 (Test Connectivity uses TCP port 514, so it can succeed while UDP is blocked).

Non-encrypted connection

You can use sniffer commands to check if the FortiGate unit is generating logs and if the FortiAnalyzer unit is receiving them. Note that the commands below are for non-encrypted traffic. On the FortiGate unit:

diagnose sniffer packet any 'host <IP address of FortiAnalyzer> and port 514' 4

On the FortiAnalyzer unit:

diagnose sniffer packet any 'host <IP address of the FortiGate> and port 514'

This shows whether the FortiGate unit is sending traffic and whether the FortiAnalyzer unit is receiving it. In the sniffer output, the TCP sessions on port 514 carry content archive logs, while the UDP sessions carry normal logs and just about everything else.

Common cases:

1 The FortiGate unit is generating logs but the FortiAnalyzer unit is not receiving them.
This is usually due to something dropping (filtering) port 514 (UDP or TCP) between the FortiGate and the FortiAnalyzer units.

2 The FortiGate unit is not generating logs.
Check the logging options on the firewall policies and the protection profiles. Make sure they are set to send logs to the FortiAnalyzer unit. Also check the logging level on the FortiGate unit and make sure it is not set too high (Log&Report > Log Config > Log Settings > FortiAnalyzer > Minimum log level). If these are set correctly, you can check the filters on the FortiGate unit by running the CLI command:

show full log fortianalyzer filters

Encrypted connections

You can sniff the connection between the FortiGate unit and the FortiAnalyzer unit using the following commands. On the FortiGate unit:

diagnose sniffer packet any 'host <IP address of FortiAnalyzer>' 4

On the FortiAnalyzer unit:

diagnose sniffer packet any 'host <IP address of FortiGate>'

UDP port 500 is for IKE trying to create the VPN tunnel between the FortiGate unit and the FortiAnalyzer unit. If this is the only thing you see between the two devices, then the encryption settings between the FortiGate unit and the FortiAnalyzer unit are not correct and the tunnel cannot be established.

IP protocol 50 is for ESP, which carries the encrypted traffic. If you see IP protocol 50 leaving the FortiGate unit but not reaching the FortiAnalyzer unit, then something is dropping the packets in the middle, although seeing IP protocol 50 means that the connection settings are correct between the two devices.
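To make the sniffer reasoning above mechanical, the following Python script (an added example, not Fortinet tooling) classifies the lines of a FortiGate-side capture and a FortiAnalyzer-side capture into normal logs (UDP 514), content archive logs (TCP 514), IKE (UDP 500) and ESP, then applies the rules stated in this section: UDP 514 leaving the FortiGate but not arriving means something drops port 514; no UDP 514 at all means the FortiGate is not generating logs; IKE without ESP means the encryption settings do not match; ESP leaving but not arriving means drops in the middle. It also flags the "packets dropped by kernel" trailer, after which a capture cannot be assumed complete. The packet-line layout, the way ESP is rendered and all sample captures are assumptions and constructed data, not real device output; the addresses are documentation addresses.

```python
"""Interpret 'diagnose sniffer packet' output from both ends of a FortiGate
-> FortiAnalyzer logging path. Added example, not Fortinet tooling.
Assumed (tcpdump-like) packet line layout:
  <time> <iface> <in|out> <src>.<port> -> <dst>.<port>: <proto ...>
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)
DROP_RE = re.compile(r"(\d+) packets dropped by kernel")

MESSAGES = {
    "kernel_drops": "capture incomplete (kernel dropped packets): tighten the filter or lower verbosity",
    "udp514_dropped": "UDP 514 leaves the FortiGate but never reaches the FortiAnalyzer: port 514 is dropped in between",
    "no_logs_generated": "no UDP 514 leaves the FortiGate: check policy/profile logging and the minimum log level",
    "ike_only": "only IKE (UDP 500) seen, no ESP: the encryption settings do not match",
    "esp_dropped": "ESP leaves the FortiGate but does not reach the FortiAnalyzer: dropped in the middle",
}

def split_endpoint(ep):
    """'192.0.2.1.514' -> ('192.0.2.1', 514); '192.0.2.1' -> ('192.0.2.1', None).
    IPv4 only (assumption): an endpoint that carries a port has four dots."""
    if ep.count(".") == 4:
        ip, port = ep.rsplit(".", 1)
        return ip, int(port)
    return ep, None

def parse_line(line):
    """Return (traffic class, direction) for a packet line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, sport = split_endpoint(m["src"])
    _, dport = split_endpoint(m["dst"])
    rest, ports = m["rest"].lower(), {sport, dport}
    if rest.startswith("esp") or "ip-proto-50" in rest:
        cls = "esp"                      # encrypted logs inside the tunnel
    elif 500 in ports and rest.startswith("udp"):
        cls = "ike"                      # tunnel negotiation only
    elif 514 in ports:
        # UDP 514 carries normal logs; TCP 514 carries content archive logs.
        cls = "log-udp" if rest.startswith("udp") else "archive-tcp"
    else:
        cls = "other"
    return cls, m["dir"]

def summarize(capture):
    """Count packets per (class, direction) and pick up the kernel-drop trailer."""
    counts, dropped = Counter(), 0
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed:
            counts[parsed] += 1
            continue
        m = DROP_RE.search(line)
        if m:
            dropped = int(m.group(1))
    return counts, dropped

def diagnose(fgt_capture, faz_capture):
    """Return finding codes (keys of MESSAGES) for captures taken at the same
    time on the FortiGate unit and on the FortiAnalyzer unit."""
    fgt, fgt_drop = summarize(fgt_capture)
    faz, faz_drop = summarize(faz_capture)
    def sent(c):      # seen leaving the FortiGate
        return fgt[(c, "out")] > 0
    def received(c):  # seen arriving at the FortiAnalyzer
        return faz[(c, "in")] > 0
    encrypted = any(k[0] in ("ike", "esp") for k in list(fgt) + list(faz))
    findings = ["kernel_drops"] if (fgt_drop or faz_drop) else []
    if not encrypted:
        if sent("log-udp") and not received("log-udp"):
            findings.append("udp514_dropped")
        elif not sent("log-udp"):
            findings.append("no_logs_generated")
    elif not (sent("esp") or received("esp")):
        findings.append("ike_only")
    elif sent("esp") and not received("esp"):
        findings.append("esp_dropped")
    return findings

# Constructed sample captures (not real device output).
FGT_CLEAR = """interfaces=[any]
filters=[host 192.0.2.10 and port 514]
0.512345 port2 out 192.0.2.1.1029 -> 192.0.2.10.514: udp 288
0.612345 port2 out 192.0.2.1.1029 -> 192.0.2.10.514: udp 301
0.700000 port2 out 192.0.2.1.37122 -> 192.0.2.10.514: syn 1234567
3 packets received by filter
0 packets dropped by kernel
"""
FAZ_EMPTY = "0 packets received by filter\n0 packets dropped by kernel\n"
FGT_IKE_ONLY = """0.100000 port2 out 192.0.2.1.500 -> 192.0.2.10.500: udp 312
0.200000 port2 in 192.0.2.10.500 -> 192.0.2.1.500: udp 56
2 packets received by filter
0 packets dropped by kernel
"""
FAZ_IKE_ONLY = """0.100000 port1 in 192.0.2.1.500 -> 192.0.2.10.500: udp 312
0.200000 port1 out 192.0.2.10.500 -> 192.0.2.1.500: udp 56
2 packets received by filter
12 packets dropped by kernel
"""

if __name__ == "__main__":
    for code in diagnose(FGT_CLEAR, FAZ_EMPTY) + diagnose(FGT_IKE_ONLY, FAZ_IKE_ONLY):
        print(code, "-", MESSAGES[code])
```

Paste the two captures taken during the same interval in place of the constructed samples; the script only reasons about direction and protocol, so the sniffer filter used on each side does not matter as long as both captures cover the same traffic.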

Running an HQIP for hardware integrity control

The Hardware Quick Inspection Package (HQIP) test image can be used to check the FortiAnalyzer unit's system function and its interfaces. HQIP will check almost all components, including CPU, memory, Compact Flash, hard disk and PCI devices (NIC/ASIC). It will also check the critical benchmarks and system configurations.

HQIP cannot detect all hardware malfunctions. If the FortiAnalyzer unit is rebooting or unstable, HQIP cannot detect the issues. If an HQIP test is required, follow the instructions in the Fortinet Knowledge Base.

Packet capture (CLI sniffer) best practice

Fortinet devices include a built-in sniffer that you can use for debugging purposes. Details on its usage are explained in the Fortinet Knowledge Base. The following are suggestions to improve the usability of this tool:


• Always include ICMP in the sniffer filter. You may capture an ICMP error message that can help identify the cause of the problem. For example, diag sniff packet interface wan1 'tcp port 3389 or icmp' 3.

• Use the "any" interface if you want to confirm that a specific packet is received or sent by the Fortinet device, without specifically knowing on which interface this may be. This will essentially enable the sniffer for all interfaces. For example, diag sniff packet interface any 'tcp port 3389' 3.

• The Fortinet device may not display all packets if too much information is requested to be displayed, or the traffic being sniffed is significant. When this occurs, the unit will log the following message once the trace is terminated:

12151 packets received by filter
3264 packets dropped by kernel

When this occurs, it is possible that what you were attempting to capture was not actually captured. In order to avoid this, you may try to tighten the display filters, reduce the verbose level, or perform the trace during a lower traffic period.

• The packet timestamps as displayed by the sniffer may become skewed or delayed under high load conditions. This may occur even if no packets were dropped (as mentioned above). Therefore, it is not recommended that you rely on these values in order to troubleshoot or measure performance issues that require absolute precise timing.

• Enabling the sniffer will consume additional CPU resources. This can be as high as an additional 25% of CPU usage on low-end models. Therefore, enabling it on a unit that is experiencing excessively high CPU usage can only render the situation worse. If you must perform a sniff, keep the sniffing sessions short.

• The Ethernet source and/or destination MAC addresses may be incorrect when using the "any" interface. They may be displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01.

No logs received with encryption enabled between a FortiGate unit and a FortiAnalyzer unit

Logs are being sent correctly from the FortiGate unit to the FortiAnalyzer unit when encryption is disabled, but no logs are received once encryption is enabled. Sniffing the traffic between the FortiGate unit and the FortiAnalyzer unit only shows UDP port 500 (IKE) but does not show IP protocol 50 (ESP).

On the FortiGate unit, run the command:

diag sniff packet any 'host <IP address of FortiAnalyzer> and port 514' 4

On the FortiAnalyzer unit, run the command:

diag sniff packet any 'host <IP address of the FortiGate> and port 514' 4

The VPN monitor on the FortiGate unit (VPN > IPSec > Monitor) also shows the tunnel as down.

The most common cause of this problem is that the Local ID on the FortiGate unit is not configured correctly. Use the following commands to enable encryption between the FortiGate unit and the FortiAnalyzer unit. On the FortiGate unit:

config log fortianalyzer setting


set encrypt enable
set psksecret <presharedkey_str>
set localid <devname_str>

end

On the FortiAnalyzer unit:

config log device
edit <devname_str>
set secure psk
set psk <presharedkey_str>
set id <devid_str>

end

Note that the local ID on the FortiGate unit (line 4) needs to match the device name on the FortiAnalyzer unit (line 2). If these values do not match, the IPSec tunnel will not be established.
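As an added check (example code, not part of this guide or of Fortinet's products), the following Python script parses the two CLI blocks above in their "config / edit / set / next / end" form and verifies the rule this note states: the FortiGate local ID must equal the name of the FortiAnalyzer device entry, with encryption enabled and the same pre-shared key on both sides. The sample configurations are constructed; the PSK and device ID values are placeholders.

```python
"""Cross-check FortiGate 'config log fortianalyzer setting' against the
FortiAnalyzer 'config log device' entry before bringing the tunnel up.
Added example, not Fortinet tooling; the parser handles the simple
config/edit/set/next/end nesting shown in the guide (assumption)."""
import shlex

def parse_cli(text):
    """Parse nested CLI blocks into dicts: 'config X' and 'edit NAME' open a
    nested dict, 'set KEY VALUE...' stores a value, 'next'/'end' close levels.
    'end' also closes an open 'edit' whose 'next' was omitted."""
    root = {}
    stack = [("root", root)]
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):
            node = stack[-1][1].setdefault(" ".join(args), {})
            stack.append((kw, node))
        elif kw == "set" and len(args) >= 2:
            stack[-1][1][args[0]] = " ".join(args[1:])
        elif kw == "next":
            if stack[-1][0] == "edit":
                stack.pop()
        elif kw == "end":
            while stack[-1][0] == "edit":
                stack.pop()
            if stack[-1][0] == "config":
                stack.pop()
    return root

def check_encryption(fgt_cfg, faz_cfg):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    fgt = parse_cli(fgt_cfg).get("log fortianalyzer setting", {})
    devices = parse_cli(faz_cfg).get("log device", {})
    if fgt.get("encrypt") != "enable":
        problems.append("FortiGate: 'set encrypt enable' is missing")
    localid = fgt.get("localid")
    if not localid:
        problems.append("FortiGate: 'set localid' is missing (the most common cause)")
        return problems
    dev = devices.get(localid)
    if dev is None:
        problems.append(f"FortiAnalyzer: no 'config log device' entry named '{localid}' "
                        "matching the FortiGate local ID")
        return problems
    if dev.get("secure") != "psk":
        problems.append(f"FortiAnalyzer: device '{localid}' is not 'set secure psk'")
    if dev.get("psk") != fgt.get("psksecret"):
        problems.append("pre-shared keys differ (FortiGate psksecret vs FortiAnalyzer psk)")
    return problems

# Constructed sample configurations with placeholder secrets and IDs.
FGT_GOOD = """
config log fortianalyzer setting
    set encrypt enable
    set psksecret EXAMPLE-PSK-PLACEHOLDER
    set localid FGT-branch-01
end
"""
FGT_BAD_LOCALID = FGT_GOOD.replace("FGT-branch-01", "FGT-branch-1")  # typo in local ID
FAZ_GOOD = """
config log device
    edit FGT-branch-01
        set secure psk
        set psk EXAMPLE-PSK-PLACEHOLDER
        set id FGT-SERIAL-PLACEHOLDER
    next
end
"""

if __name__ == "__main__":
    for name, fgt in (("good", FGT_GOOD), ("bad local ID", FGT_BAD_LOCALID)):
        print(name, "->", check_encryption(fgt, FAZ_GOOD) or "consistent")
```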

Bootup issues

When powering on your FortiAnalyzer unit, you may experience problems. Bootup issues, while rare, can be very difficult to troubleshoot due to the lack of information about your issue. When the unit is not running, you do not have access to your typical tools such as diagnose CLI commands. This section walks you through some possible issues to give you direction in these situations.

To troubleshoot a bootup problem with your unit, go to the section that lists your problem. If you have multiple problems, go to the problem closest to the top of the list first, and work your way down the list.

Note: It is rare that units experience any of the symptoms listed here. Fortinet hardware is reliable with a long expected operation life.

The issues covered in this section all refer to various potential bootup issues including:
• A. You have text on the screen, but you have problems
• B. You do not see the boot options menu
• C. You have problems with the console text
• D. You have visible power problems
• E. You have a suspected defective FortiAnalyzer unit
• Examples: Error message "EXT3-fs error (device...)"

A. You have text on the screen, but you have problems

Solution

1 If the text on the screen is garbled, ensure your Console Communication parameters are correct. Check your Quick Start Guide for settings specific to your model.
2 If that fixes your problem, you are done.
3 If not, go to B. You do not see the boot options menu.

B. You do not see the boot options menu

Solution

1 Ensure your serial communication parameters are set to no flow control and the proper baud rate, and reboot the FortiAnalyzer unit by powering off and on.


Note: FortiAnalyzer units ship with a baud rate of 9600 by default. If you have access, verify this with the CLI command config system console get, or parse an archived configuration file for the term baudrate.

2 If that fixes your problem, you are done.
3 If it doesn't fix your problem, go to E. You have a suspected defective FortiAnalyzer unit.

C. You have problems with the console text

1 Do you have any console message?
• If Yes, go to D. You have visible power problems.
• If No, continue.

2 Is there garbage text on screen?
• If Yes, ensure Console Communication parameters are ok. If that fixes the problem, you are done.

3 If no, does the unit stop before the Press Any Key to Download Boot Image prompt?
• If Yes, go to E. You have a suspected defective FortiAnalyzer unit.
• If No, go to Step 4.

4 Console Message - Press any key to Download Boot Image

5 When pressing a key do you see one of the following messages?

[G] Get Firmware image from TFTP server
[F] Format boot device
[B] Boot with backup firmware and act as default
[Q] Quit menu and continue to boot with default firmware
[H] Display this list of options

• If Yes, go to E. You have a suspected defective FortiAnalyzer unit.

6 If No, ensure your serial communication parameters are set to no flow control and the proper baud rate, and reboot the FortiAnalyzer unit by powering off and on.

Note: FortiAnalyzer units ship with a baud rate of 9600 by default. If you have access, parse an archived configuration file for the term baudrate or verify this setting with the CLI command:

config system console get

7 Did the reboot fix the problem?
• If that fixes your problem, you are done.
• If that doesn't fix your problem, go to E. You have a suspected defective FortiAnalyzer unit.

D. You have visible power problems

1 Is there any LED on?
• If No, ensure power is on. If that fixes the problem you are done. If not, continue.
• If Yes, continue.

2 Do you have an external power adapter?
• If No, go to E. You have a suspected defective FortiAnalyzer unit.
• If Yes, try replacing the power adapter.


3 Is the power supply defective, or can't you determine one way or the other?
• If No, go to E. You have a suspected defective FortiAnalyzer unit.
• If Yes, go to A. You have text on the screen, but you have problems.

E. You have a suspected defective FortiAnalyzer unit

If you have followed these steps and determined there is a good chance your unit is defective, follow these steps.

1 Open a support ticket through FortiCare at https://support.fortinet.com
2 In the ticket, document the problem or problems, and the steps that you have taken.
3 Provide all console messages and output.
4 Indicate if you have a suspected hard disk issue, and provide your evidence.

Fortinet Customer Support will contact you to help you with your ticket and issue.

Examples: Error message "EXT3-fs error (device...)"

The FortiAnalyzer unit doesn't boot properly and/or some errors are displayed on the console during the boot.

Example 1:

Reading boot image 1463602 bytes.
Initializing firewall...
System is started.
EXT3-fs error (device md(9,0)): ext3_readdir: bad entry in directory #1474561: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
EXT3-fs error (device md(9,0)): ext3_readdir: bad entry in directory #1474561: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0

Example 2:

Reading boot image 1463602 bytes.
Initializing firewall...
System is started.
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=130817, block=262146
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failur


Some error details may vary from one device to another, but the EXT3-fs error indicates there is an issue with the local file system.

Solution

This issue appears to be due to some corruption in the file system that affects the boot device and/or firmware loading. In most cases the issue may be resolved by reformatting the boot device and then reinstalling the firmware via TFTP.

Make sure to reload the same firmware version as the one used to save the configuration backup file. In case there is no configuration backup file, the unit needs to be reconfigured from scratch.

To reload the firmware:

1 Connect to the FortiAnalyzer unit on the serial console.
2 Reboot the unit and hit any key to enter the Boot Menu.
3 Select "format boot device".
4 Select "Reload Firmware via TFTP".
5 When the unit is up, open the web-based manager and go to System > Maintenance > Backup & Restore and restore the latest configuration from backup.


Appendix A: SNMP MIB support

The FortiAnalyzer SNMP agent supports the following management information blocks (MIBs):

You can obtain these MIB files from the Fortinet Technical Support web site, https://support.fortinet.com.

To be able to communicate with your FortiAnalyzer unit's SNMP agent, you must first compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP manager, you do not have to compile them again.

To view a trap or query's name, object identifier (OID), and description, open its MIB file in a plain text editor. All traps sent include the message, the FortiAnalyzer unit's serial number, and host name.

For instructions on how to configure traps and queries, see "Configuring the SNMP agent" on page 94.

Table 3: FortiAnalyzer MIBs

MIB or RFC: Description

FORTINET-CORE-MIB: This Fortinet-proprietary MIB enables your SNMP manager to query for system information and to receive traps that are common to multiple Fortinet devices.

FORTINET-FORTIANALYZER-MIB: This Fortinet-proprietary MIB enables your SNMP manager to query for FortiAnalyzer-specific information and to receive FortiAnalyzer-specific traps.

RFC-1213 (MIB II): The FortiAnalyzer SNMP agent supports MIB II groups, except:
• There is no support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
• Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, etc.) do not accurately capture all FortiAnalyzer traffic activity. More accurate information can be obtained from the information reported by the FortiAnalyzer MIB.

RFC-2665 (Ethernet-like MIB): The FortiAnalyzer SNMP agent supports Ethernet-like MIB information except the dot3Tests and dot3Errors groups.


Appendix B: Report templates

This appendix describes the pre-defined report templates for the FortiGate units, FortiMail units, and FortiClient installations. For more information about reports in general, such as how to create a report, including scheduling reports, see "Reports" on page 167.

This topic includes:
• FortiGate report templates
• FortiClient Report Templates
• FortiMail Report Templates

FortiGate report templates

Depending on your selection of the log storage system (see "Configuring SQL database storage" on page 85), the following categories of FortiGate report templates are available:

• Proprietary Indexed file system
  • Intrusion Activity
  • Antivirus Activity
  • Webfilter Activity
  • Email Filter Activity
  • IM Activity
  • DLP Activity
  • Network Analysis
  • Web Activity
  • Mail Activity
  • FTP Activity
  • Terminal Activity
  • VPN Activity
  • Event Activity
  • P2P Activity
  • VoIP Activity
  • Data Leak Activity
  • Application Control Activity
  • Network Scan


• SQL database
  • Application_Control
  • Intrusion_Detection
  • AntiVirus
  • Data_Leak_Prevention
  • Email Filter
  • Event
  • Traffic

Intrusion Activity

Intrusion Activity report templates contain statistics about the FortiGate intrusion activity.

Antivirus Activity

Antivirus Activity report templates contain statistics about the FortiGate antivirus activity.

Table 4: Intrusion Activity report templates

Report: Description

Top Attacks: The most frequently detected attack types over the reporting period.
Top Attacks per Category (signature/Anomaly): The number of attacks for each attack category over the reporting period, broken down by attack type.
Top Attack Sources: The most frequent sources of attacks over the reporting period.
Top Attack Destinations: The most frequently attacked destinations over the reporting period.
Attacks by Time Period: The time period breakdown of the number of detected attacks.
Top Attack Protocols: The protocols used most frequently for attacks.
Top Attacks per Traffic Direction: The number of attacks over the reporting period, broken down by direction and attack ID.
Top Attacks per Counter-Measure: The number of attacks over the reporting period, broken down by attack status and attack type.
Top Attacks for Most Common Protocols: The protocols carrying the most attacks over the reporting period, broken down by attack type.
Top Attack Sources per Traffic Direction: The number of attacks over the reporting period, broken down by direction and source IP address.
Top Sources for Most Common Attacks: The most frequently detected attack types over the reporting period, broken down by sources.
Top Sources for the Most Common Destinations: The most frequently attacked destinations over the reporting period, broken down by source.
Top Attacks per Device: The most frequently attacked destinations over the reporting period, broken down by device and attack ID.
Top Devices by Number of Attack Detections: The most frequently detected attack target devices over the reporting period.
Top Devices by Number of Attack Detections for Most Common Attacks: The most frequently detected attack types over the reporting period, broken down by device.


Table 5: Antivirus Activity report templates

Report: Description

Top Viruses: The most frequently detected viruses over the reporting period.
Antivirus Violations Breakdown (Infected/Oversize/Filename): The antivirus events for each event type.
Antivirus Actions per Violation Type (Infected/Oversize/Filename): The breakdown of the antivirus actions for each violation type (infected/oversize/filename) over the reporting period.
Top Virus Sources: The most frequent sources of virus.
Top Virus Destinations: The most frequent destinations for viruses.
Top Virus Protocols: The protocols with the most frequent virus infections.
Top Infected Files: The most frequently infected files over the reporting period.
Top Infected File Extensions: The most frequently infected file extensions.
Top Viruses per Traffic Direction: The most frequently detected viruses for each traffic direction over the reporting period.
AV Events by Top Senders and Virus Name (MM1): The most frequent senders of virus over the reporting period, broken down by virus name.
AV Events by Top Receivers and Virus Name (MM1): The most frequent receivers of virus over the reporting period, broken down by virus name.
Total Number of Unique Infected MSISDN per Country: The total number of infected MSISDN per protection profile per VDOM over the reporting period.
Infected Customer Base: The number of infected MSISDN customers over the reporting period and last period.
Overall Trends: Trends of the overall trend, all MMS/intercepted, detected malware, and infected MSISDN over the reporting period in comparison with last period.
Total Number of Virus Senders per Country (MM1): The total number of virus senders per protection profile per VDOM over the reporting period.
Top Virus per Virus Class: The number of occurrences of the variations of viruses over the reporting period.
Top Virus Sources over POP3: The most frequent sources of virus over POP3.
Top Virus Sources over SMTP: The most frequent sources of virus over SMTP.
Top Virus Sources over IMAP: The most frequent sources of virus over IMAP.
Top Virus Sources over FTP: The most frequent sources of virus over FTP.
Top Virus Sources over HTTP: The most frequent sources of virus over HTTP.
Top Virus Receivers over Email: The most frequent receivers of virus infected mail over the reporting period.
Top Virus Destinations over POP3: The most frequent sources of virus over POP3.
Top Virus Destinations over SMTP: The most frequent sources of virus over SMTP.
Top Virus Destinations over IMAP: The most frequent sources of virus over IMAP.
Top Virus Destinations over FTP: The most frequent sources of virus over FTP.
Top Virus Destinations over HTTP: The most frequent sources of virus over HTTP.
Top Infected File Extensions over POP3: The most frequently infected file extensions over POP3.
Top Infected File Extensions over SMTP: The most frequently infected file extensions over SMTP.


Top Infected File Extensions over IMAP: The most frequently infected file extensions over IMAP.
Top Infected File Extensions over FTP: The most frequently infected file extensions over FTP.
Top Infected File Extensions over HTTP: The most frequently infected file extensions over HTTP.
Top Devices by Antivirus Violations: The total number of antivirus events over the reporting period, broken down by device.
Top Sources with Antivirus Violations Breakdown (Infected/Oversize/Filename): The source of the most AV events over the reporting period, broken down by event type.
Top Sources (Email or IP) Antivirus Violations Breakdown (Infected/Oversize/Filename): The senders (email or IP address) of the most AV events over the reporting period, broken down by event type.
Top Destinations (IP) with Antivirus Violations Breakdown (Infected/Oversize/Filename): The destinations of the most AV events over the reporting period, broken down by event type.
Top Destinations (Email or IP) with Antivirus Violations Breakdown (Infected/Oversize/Filename): The receivers (email or IP address) of the most AV events over the reporting period, broken down by event type.
Top Devices with Antivirus Violations Breakdown (Infected/Oversize/Filename): The total number of antivirus events over the reporting period, broken down by device and event type.
Top Protocols with Antivirus Violations Breakdown (Infected/Oversize/Filename): The total number of antivirus events over the reporting period, broken down by Internet service and by event type.
Top Virus Sources per Traffic Direction: The most frequent sources of virus over the reporting period for each traffic direction.
Top Viruses for Most Common Sources (IP): The most frequent sources of virus over the reporting period, broken down by virus name.
Top Viruses for Most Common Sources (Email or IP): The most frequent sources of virus over the reporting period, broken down by virus name.
Top Viruses for Most Common Destinations (IP): The most frequent virus destinations over the reporting period, broken down by virus name.
Top Infected Files for Most Common Sources: The most frequent sources of virus over the reporting period, broken down by infected file name.
Top Infected Files for Most Common Destinations (IP): The most frequent virus destinations over the reporting period, broken down by infected file name.

Webfilter Activity

Webfilter Activity report templates contain statistics about the FortiGate webfiltering activity.

Table 6: Webfilter Activity report templates

Report: Description

All Allowed Web Sites: Breakdown of sites by permitted categories.
All Blocked Web Sites: Breakdown of sites by blocked categories.
Top Allowed Categories: The most frequently allowed web categories over the reporting period.
Top Blocked Categories: The most frequently blocked web categories over the reporting period.
All Requested Web Sites by Time Period: Breakdown of web sites by access time.


Top Allowed Web Sites: The most frequently allowed web sites over the reporting period.
Top Blocked Web Sites: The most frequently blocked web sites over the reporting period.
Top Allowed Web Users: The sources with the most allowed web page requests over the reporting period.
Top Blocked Web Users: The users with the most blocked web site connection attempts over the reporting period.
Top Active Web Users: The clients with the most web page requests over the reporting period.
Top Requested Web Domains: The destinations with the most web page access attempts.
Top Requested Web Pages: The most frequently requested web pages.
Allowed Web Activity over Time Period: The number of web page requests listed by time.
Blocked Web Activity over Time Period: The number of blocked web page requests listed by time.
Top Requested File Types: The most frequently requested file types over the reporting period.
Estimated Browse Time: Breakdown of estimated browse time.
Total Hits per Status (allowed/blocked/etc): Breakdown of web filter events by status.
Total Hits per Device: Breakdown of web filter events by devices.
Total Hits per Web Filter Type: The number of web hits for each filter type.
Top Web Users per Device: The sources with the most web page requests for each device over the reporting period.
Top Web Users with Status Breakdown (allowed/blocked/etc): The sources with the most web page requests over the reporting period, broken down by webfilter status.
Top Web Sites with Status Breakdown (allowed/blocked/etc): The most frequently requested web sites over the reporting period, broken down by webfilter status.
Top Web Pages with Status Breakdown (allowed/blocked/etc): The most frequently requested web pages over the reporting period.
Top Requested Categories: The most frequently requested categories over the reporting period.
Top Block Web Risk Groups: The most frequently blocked web risk groups over the reporting period.
Top Requested Web Risk Groups: The most frequently requested web risk groups over the reporting period.
Top Web Sites for Most Active Users: The clients with the most web page requests over the reporting period, broken down by web site.
Top Web Sites for Most Blocked Users: The clients with the most blocked web page requests over the reporting period, broken down by web site.
Top Web Sites + Category for Most Active Users: The clients with the most web page requests over the reporting period, broken down by web site.
Top Allowed Categories for Most Active Users: The sources with the most allowed web page requests over the reporting period, broken down by web site.
Top Blocked Categories for Most Active Blocked Users: The sources with the most blocked web page requests over the reporting period, broken down by category.


Top Users for Most Requested Web Pages: The web pages that received the most hits over the reporting period, broken down by web client.
Top Web Overrides: The most frequently overridden web page requests over the reporting period.
Top Users for Web Overrides: The sources with the most overridden web page requests over the reporting period, broken down by web site.

Email Filter Activity

Email Filter Activity report templates contain statistics about the FortiGate antispam activity.

Table 7: Email Filter Activity report templates

Report: Description

Mail Summary (by Email Count): The mail count over the reporting period, broken down by status.
Mail Summary (by Email Size): The mail traffic volume over the reporting period, broken down by status.
Top Spam Sources: The most frequent spam senders over the reporting period.
Top Spam Destinations: The most frequent spam receivers over the reporting period.
Spam Activity by Time Period: Breakdown of spam activities.
Top Spam Sources with Blocking Criteria Breakdown: The spammers that sent the most spam emails over the reporting period, broken down by blocking criteria.
Top Spam Sources per Device: The spammers that sent the most spam emails for each device over the reporting period.
Top Spam Destinations per Device: The most frequent mail receivers for each device over the reporting period.
Total Spam per Device (by Email Count): The spam count over the reporting period, broken down by device.
Total Spam per Device (by Email Size): The spam traffic volume over the reporting period, broken down by device.
Top Spam Sources for Most Common Destinations: The most frequent spam email receiver over the reporting period, broken down by mail senders.
Top Spam Blocking Criteria per Device: The most frequent mail blocking criteria for each device over the reporting period.

IM Activity

Instant Message (IM) Activity report templates contain statistics about instant messaging activity filtered by the FortiGate unit.

Table 8: IM Activity report templates

Report: Description

Total IM Events per Protocol: The number of established IM sessions for each IM protocol over the reporting period.
Total IM Events per Message Category (chat/file/etc.): The established IM sessions over the reporting period, broken down by permitted action.


Top IM Sources by Messages: The local IM users with the most messages over the reporting period.
Top IM Sources by Traffic Volume: The local IM users with the most traffic volume over the reporting period.
Top IM Destinations by Messages: The remote IM users with the most messages over the reporting period.
Top Destinations by Traffic Volume: The remote IM users with the most traffic volume over the reporting period.
Top Local IM Users: The local IM users with the most connection attempts.
Top Local IM Users (FortiOS 4.0 GA or earlier): The local IM users with the most connection attempts, for configuring reports with log information that is FortiOS 4.0 GA or earlier.
Top Allowed Local IM Users per IM Protocol: The local IM users with the most established sessions for each IM protocol over the reporting period.
Top Blocked Local IM Users per IM Protocol: The local IM users with the most blocked sessions for each IM protocol over the reporting period.
Top Blocked Local IM Users per IM Protocol (FortiOS 4.0 GA or earlier): The local IM users with the most blocked sessions for each IM protocol over the reporting period, for configuring reports with log information that is FortiOS 4.0 GA or earlier.
Top Allowed Local IM Users: The local IM users with the most allowed sessions.
Top Blocked Local IM Users: The local IM users with the most blocked sessions.
Top Blocked Local IM Users (FortiOS 4.0 GA or earlier): The local IM users with the most blocked sessions, for configuring reports with log information that is FortiOS 4.0 or earlier.
Top Allowed Remote IM Users: The remote IM users with the most allowed sessions.
Top Blocked Remote IM Users: The remote IM users with the most blocked sessions.
Top Blocked Remote IM Users (FortiOS 4.0 GA or earlier): The remote IM users with the most blocked sessions, for configuring reports with log information that is FortiOS 4.0 GA or earlier.
Top Local IM Users per Message Category (chat/file/etc): The local IM users with the most connection attempts over the reporting period, broken down by action.
Top Local IM Users per Message Category (chat/file/etc) (FortiOS 4.0 GA or earlier): The local IM users with the most connection attempts over the reporting period, broken down by action, for configuring reports with log information that is FortiOS 4.0 GA or earlier.
Top Actions for Most Active Sources: The local IP with the most actions over the reporting period.
Top Local IM Users for Most Active Sources: The local IP with the most active local users over the reporting period.
Top Remote IM Users for Most Active Sources: The local IP with the most active remote users over the reporting period.

DLP Activity

DLP Activity report templates contain statistics about the DLP archive activity filtered by the FortiGate unit.

Table 9: DLP Activity report templates

Report: Description

Number of Inspected Messages per Application: The units of filtered content, broken down by Internet service.

Volume of Filtered DLP content per Application | The volume of content-filtered traffic, broken down by Internet service.
Volume of Filtered DLP content per Device | The traffic of filtered content, broken down by device.
Volume of Filtered DLP content per Source | The traffic of filtered content, broken down by source.
Volume of Filtered DLP content per Destination | The traffic of filtered content, broken down by destination.
Top HTTP Servers by Volume | Breakdown of web traffic by server.
Top HTTP Servers by Volume per Virus Status | Breakdown of web traffic by virus status and server.

Network Analysis

Network Analysis report templates contain statistics about the network activity going through the FortiGate unit.

Table 10: Network Activity report templates

Report | Description
Traffic Volume by Direction | The traffic volume for the reporting period, broken down by direction.

Top Services by Volume | The Internet services with the most traffic volume over the reporting period.
Top Sources by Volume | The sources with the most traffic volume over the reporting period.
Top Destinations by Volume | The destinations with the most traffic volume over the reporting period.
Top Source-Destination Pairs by Volume | The sources with the most traffic volume over the reporting period, broken down by destination.
Top Destination-Source Pairs by Volume | The destinations with the most traffic volume over the reporting period, broken down by source.
Top Denied Sources | The sources with the most policy violation attempts.
Top Denied Destinations | The destinations with the most policy violation attempts.
Top Denied Services | The Internet services with the most policy violation attempts.
Top Denied Policies | The firewall policies with the most violation attempts.
Top Allowed Policies by Number of Firewall Sessions | The firewall policies with the most allowed sessions.
Top Allowed Policies by Volume | The firewall policies with the most allowed traffic volume.
Traffic Volume per Device | The traffic volume over the reporting period, broken down by device.
Top Services by Volume per Device | The traffic volume over the reporting period, broken down by device.
Top Services by Volume per Traffic Direction | The Internet services with the most traffic volume over the reporting period, broken down by direction.
Top Services by Volume for most Common Sources | The sources with the most traffic volume over the reporting period, broken down by Internet service.
Top Services by Volume for most Common Destinations | The destinations with the most traffic volume over the reporting period, broken down by Internet service.
Top Sources by Firewall Sessions Duration | The sources with the longest cumulative traffic duration over the reporting period.
Top Destinations by Firewall Session Duration | The destinations with the longest cumulative traffic duration over the reporting period.
Top User Groups by Firewall Duration | The groups with the longest cumulative traffic duration over the reporting period.
Top Allowed Policies by Firewall Session Duration | The firewall policies with the most allowed session duration.
Top Allowed/Denied Policies by Number of Firewall Sessions | The firewall policies with the most allowed/denied sessions.
Overall Bandwidth Optimization | The overall bandwidth optimization over the reporting period, listed by time.
Optimization Bandwidth by Application | The most bandwidth-optimized applications over the reporting period.
LAN Bandwidth Composition | The composition of LAN bandwidth over the reporting period.
WAN Bandwidth Composition | The composition of WAN bandwidth over the reporting period.
Optimized Bandwidth by Source | The most bandwidth-optimized sources over the reporting period.
Optimized Bandwidth by Destination | The most bandwidth-optimized destinations over the reporting period.
Optimized Bandwidth by Rule | The most bandwidth-optimized rules over the reporting period.
Overall Bandwidth Optimization by Device | The overall bandwidth optimization over the reporting period, broken down by device.
LAN Bandwidth Composition by Device | The composition of LAN bandwidth over the reporting period, broken down by device.
WAN Bandwidth Composition by Device | The composition of WAN bandwidth over the reporting period, broken down by device.
Optimized Bandwidth Sources by Device | The most bandwidth-optimized sources over the reporting period, broken down by device.
Optimized Bandwidth Destinations by Device | The most bandwidth-optimized destinations over the reporting period, broken down by device.
Optimized Bandwidth Rules by Device | The most bandwidth-optimized rules over the reporting period, broken down by device.

Web Activity

Web Activity report templates contain statistics about the web activity going through the FortiGate unit.

Table 11: Web Activity report templates

Report | Description
Web Volume by Time Period | The web traffic volume over the reporting period, listed by time.
Web Volume per Traffic Direction | The web traffic volume over the reporting period, broken down by direction.

Top Web Servers by Volume | The web sites that produced the most traffic volume over the reporting period.
Top Web Clients by Volume | The web clients that generated the most web traffic volume over the reporting period.
Top Web Servers by Volume for most Active Clients | The web clients that generated the most web traffic volume over the reporting period, broken down by web site.
Top Web Servers by Connections | The web sites that were accessed most often over the reporting period.
Top Web Servers by Volume and Hits | The web sites that produced the most traffic volume over the reporting period, with hit count information.
Top Web Clients by Connections | The web clients with the most web server connections over the reporting period. A connection may include more than one web page hit.
Top Web Servers by Connections for most Active Clients | The web clients with the most server connections over the reporting period, broken down by web site. A connection may include more than one web page hit.
Top Web Servers by Firewall Session Duration | The web sites with the longest cumulative traffic duration over the reporting period.
Top Web Clients by Firewall Session Duration | The web clients with the longest cumulative traffic duration over the reporting period.
Top Web Servers by Firewall Session Duration for most Active Clients | The web clients with the longest cumulative traffic duration over the reporting period, broken down by web site.
Top Web Sites by Traffic Volume For Most Active Sources | The clients with the most traffic volume over the reporting period.
Top Web Sites By Hits For Most Active Sources | The clients with the most hits over the reporting period.

Mail Activity

Mail Activity report templates contain statistics about the email activity going through the FortiGate unit.

Table 12: Mail Activity report templates

Report | Description
Incoming Mail Activity by Time Period (POP3/IMAP) | Breakdown of incoming mail activity by time slice.

Outgoing Mail Activity by Time Period (SMTP) | Breakdown of outgoing email activity by time slice.
Mail/Volume/Size by Time | The mail traffic volume over the reporting period, listed by time.
Top Mail Clients (by Volume) | The mail clients that produced the most traffic volume over the reporting period.
Top Mail Servers (by Volume) | The mail servers that produced the most traffic volume over the reporting period.
Top Mail Clients for Most Common Mail Servers (by Volume) | The mail servers that produced the most traffic volume over the reporting period, broken down by mail client.
Mail Volume/Size by Traffic Direction | The mail traffic volume over the reporting period, broken down by direction.
Top Mail Clients (Connections) | The mail clients that accessed mail servers the most often over the reporting period.
Top Mail Servers (Connections) | The mail servers that were accessed the most often over the reporting period.
Top Mail Clients for Most Common Mail Servers (Connections) | The mail servers that were accessed the most often over the reporting period, broken down by mail client.
Top Mail Sources for each Spam Detection Status (clean/spam/etc) | The mail traffic volume over the reporting period, broken down by filtering status and by mail sender.
Top Mail Destinations for each Spam Detection Status (clean/spam/etc) | The mail traffic volume over the reporting period, broken down by filtering status and by mail receiver.
Top Sender by Volume for each Mail Protocol | The mail traffic volume over the reporting period, broken down by mail service (POP3, SMTP, IMAP, etc.) and by mail sender.
Top Receiver by Volume for each Mail Protocol | The mail traffic volume over the reporting period, broken down by mail service (POP3, SMTP, IMAP, etc.) and by mail receiver.
Top Email Senders By Traffic Volume For Most Active Sources | The local IP addresses and email senders with the most traffic volume over the reporting period.
Top Email Senders By Number Of Emails For Most Active Sources | The local IP addresses and email senders with the most connections over the reporting period.
Top Email Recipients By Traffic Volume For Most Active Sources | The local IP addresses and email recipients with the most traffic volume over the reporting period.
Top Email Recipients By Number of Emails For Most Active Sources | The local IP addresses and email recipients with the most emails over the reporting period.
Top Email Recipients By Traffic Volume For Most Active Sender | The email recipients and email senders with the most traffic volume over the reporting period.
Top Email Recipients By Number of Emails For Most Active Sender | The email recipients and email senders with the most emails over the reporting period.
Top Senders By Traffic Volume For Most Active Recipients | The email recipients and email senders with the most traffic volume over the reporting period.
Top Senders By Number Of Emails For Most Active Recipients | The email recipients and email senders with the most emails over the reporting period.
Top Protocols By Traffic Volume For Most Active Sources | The local IP addresses and email protocols with the most traffic volume over the reporting period.

FTP Activity

FTP Activity report templates contain statistics about the FTP activity going through the FortiGate unit.

Table 13: FTP Activity report templates

Report | Description
FTP Volume by Time Period | The FTP traffic volume over the reporting period, listed by time.
FTP Volume per Traffic Direction | The FTP traffic volume over the reporting period, broken down by direction.
Top FTP Servers by Volume | The FTP traffic volume over the reporting period, broken down by direction.
Top FTP Clients by Volume | The FTP clients that generated the most traffic volume over the reporting period.
Top Client-Server Pairs by Volume | The FTP clients that generated the most traffic volume over the reporting period, broken down by FTP server.
Top FTP Servers by Connections | The FTP sites that were accessed the most often over the reporting period.
Top FTP Clients by Connections | The FTP clients with the most FTP server connections over the reporting period.
Top Client-Server Pairs by Connections | The FTP clients with the most server connections over the reporting period, broken down by FTP server.
Top FTP Servers By Traffic Volume For Most Active Sources | The FTP servers that generated the most traffic volume over the reporting period.
Top FTP Servers By Number of Actions For Most Active Sources | The FTP clients with the most server connections over the reporting period.

Terminal Activity

Terminal Activity report templates contain statistics about the terminal activity (including SSH and Telnet) going through the FortiGate unit.

Table 14: Terminal Activity report templates

Report | Description
Terminal Traffic Volume per Service (Telnet+SSH) | The terminal traffic volume, broken down by service.

Top Terminal Servers by Traffic Volume (per Service) | The terminal servers with the most traffic volume over the reporting period, broken down by service.
Top Terminal Clients by Traffic Volume (per Service) | The terminal clients with the most traffic volume over the reporting period, broken down by service.
SSH Traffic Volume per Direction | The SSH traffic volume for each direction.
Top SSH Servers by Traffic Volume for Most Active Client | The SSH clients with the most traffic volume over the reporting period, broken down by server.
Telnet Traffic Volume per Direction | The Telnet traffic volume for each direction.
Top Telnet Servers by Traffic Volume for Most Active Clients | The Telnet clients with the most traffic volume over the reporting period, broken down by server.
Top Terminal Servers by Connections (per Service) | The terminal servers with the most connections over the reporting period, broken down by service.
Top Terminal Clients by Connections (per Service) | The terminal clients with the most connections over the reporting period, broken down by service.
Top SSH Servers by Connections for Most Active Clients | The SSH clients with the most connections over the reporting period, broken down by server.
Top Telnet Servers by Connections for Most Active Clients | The Telnet clients with the most connections over the reporting period, broken down by server.

VPN Activity

VPN Activity report templates contain statistics about VPN tunnel activity going through the FortiGate unit.

Table 15: VPN Activity report templates

Report | Description
Top VPN Tunnels | The VPN tunnels with the most traffic volume over the reporting period.
VPN Traffic Volume per Direction | The VPN traffic volume over the reporting period, broken down by direction.
Top VPN Sources | The sources with the most VPN traffic volume over the reporting period.
Top VPN Destinations | The destinations with the most VPN traffic volume over the reporting period.
Top VPN Peers per Device (by Traffic Volume) | The VPN peers with the most traffic volume for each device over the reporting period.
VPN Traffic Volume per Device | The VPN traffic volume for each device over the reporting period.
Total VPN Tunnels per Device | The number of VPN tunnels for each device over the reporting period.
Top VPN Peers per Device (by Number of Tunnels) | The VPN peers with the most tunnels for each device over the reporting period.
Top Protocols over VPN per Device (by Traffic Volume) | The Internet services with the most traffic volume for each device over the reporting period.
IPSec Tunnel Activity per Device | The statistics related to IPSec tunnel activity for each device over the reporting period.
PPTP Tunnel Activity per Device | The statistics related to PPTP tunnel activity for each device over the reporting period.
L2TP Tunnel Activity per Device | The statistics related to L2TP tunnel activity for each device over the reporting period.
SSL Reverse Proxy Activity per Device | The statistics related to SSL reverse proxy activity for each device over the reporting period.
SSL Tunnel Activity per Device | The statistics related to SSL tunnel activity for each device over the reporting period.

Event Activity

Event Activity report templates contain statistics about the FortiGate event activity.

Table 16: Event Activity report templates

Report | Description
Total Event Count per Severity | The most frequently occurring event severities over the reporting period.
Total Event Count per Software Module | The most frequently occurring event types over the reporting period.
System Administration Summary | Audit of all administrative activity over the reporting period.
System Administration Details | Detailed audit of all administrative activity over the reporting period.
CPU Usage by Time Period | FortiGate CPU usage, listed by time.
Memory Usage by Time Period | FortiGate memory usage, listed by time.
Active Firewall Sessions by Time Period | The number of active FortiGate sessions, listed by time.
Total Event Count per Device | The total event count triggered on each firewall.
Top Events (by Log ID) | The most frequently occurring events over the reporting period.
Top Events per Device (by Log ID) | The events triggered on each firewall.
Top Emergency Events (by Log ID) | The most frequently occurring emergency events.
Top Critical Events (by Log ID) | The most frequently occurring critical events.
Top Alert Events (by Log ID) | The most frequently occurring alert events.
Top Error Events (by Log ID) | The most frequently occurring error events.
Top Warning Events (by Log ID) | The most frequently occurring warning events.
Top Notification Events (by Log ID) | The most frequently occurring notification events.
Top Information Events (by Log ID) | The most frequently occurring information events.
Top Event Severities per Device | The events triggered, broken down by device and severity.
Top Software Module Events per Device | The types of events occurring on a particular system.
Overall MMS Traffic Measures | The overall scanned, infected/blocked, intercepted and suspicious messages for the period.
Total Virus Notification per Profile by VDOM | The total number of virus notifications per protection profile per VDOM over the reporting period.

P2P Activity

P2P Activity report templates contain statistics about the peer-to-peer (P2P) activity filtered by the FortiGate unit.

Table 17: P2P Activity report templates

Report | Description
Total Events per P2P Protocol | The number of P2P sessions established over the reporting period, broken down by protocol.

Total Events per P2P Protocol (FortiOS 4.0 GA or earlier) | The number of P2P sessions established over the reporting period, broken down by protocol, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Total Pass/Block Events (All Protocols) | The established P2P sessions, broken down by action type.
Total Pass/Block Events (All Protocols) (FortiOS 4.0 or earlier) | The established P2P sessions, broken down by action type, for configuring reports containing log information that is FortiOS 4.0 or earlier.
Top P2P Sources by Traffic Volume | The local P2P peers with the most traffic volume.
Top P2P Destinations by Traffic Volume | The remote P2P peers with the most traffic volume.
Top Allowed P2P Local Peers | The local P2P peers with the most allowed sessions.
Top Allowed P2P Local Peers (FortiOS 4.0 GA or earlier) | The local P2P peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked P2P Local Peers | The local P2P peers with the most blocked sessions.
Top Blocked P2P Local Peers (FortiOS 4.0 GA or earlier) | The local P2P peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Allowed P2P Remote Peers | The remote P2P peers with the most allowed sessions.
Top Allowed P2P Remote Peers (FortiOS 4.0 GA or earlier) | The remote P2P peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked P2P Remote Peers | The remote P2P peers with the most blocked sessions.
Top Blocked P2P Remote Peers (FortiOS 4.0 GA or earlier) | The remote P2P peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top P2P Protocols For Most Active Sources By Traffic Volume | The local IP addresses with the most P2P protocols and traffic volume over the reporting period.
Top P2P Protocols By Traffic Volume | The P2P protocols with the most traffic volume over the reporting period.
Top Allowed BitTorrent Local Peers | The local BitTorrent peers with the most allowed sessions.
Top Allowed BitTorrent Local Peers (FortiOS 4.0 GA or earlier) | The local BitTorrent peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked BitTorrent Local Peers | The local BitTorrent peers with the most blocked sessions.
Top Blocked BitTorrent Local Peers (FortiOS 4.0 GA or earlier) | The local BitTorrent peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Allowed eDonkey Local Peers | The local eDonkey peers with the most allowed sessions.
Top Allowed eDonkey Local Peers (FortiOS 4.0 GA or earlier) | The local eDonkey peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked eDonkey Local Peers | The local eDonkey peers with the most blocked sessions.
Top Blocked eDonkey Local Peers (FortiOS 4.0 GA or earlier) | The local eDonkey peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Allowed Gnutella Local Peers | The local Gnutella peers with the most allowed sessions.
Top Allowed Gnutella Local Peers (FortiOS 4.0 GA or earlier) | The local Gnutella peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked Gnutella Local Peers | The local Gnutella peers with the most blocked sessions.
Top Blocked Gnutella Local Peers (FortiOS 4.0 GA or earlier) | The local Gnutella peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Allowed KaZaa Local Peers | The local KaZaa peers with the most allowed sessions.
Top Allowed KaZaa Local Peers (FortiOS 4.0 GA or earlier) | The local KaZaa peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked KaZaa Local Peers | The local KaZaa peers with the most blocked sessions.
Top Blocked KaZaa Local Peers (FortiOS 4.0 GA or earlier) | The local KaZaa peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Allowed Skype Local Peers | The local Skype peers with the most allowed sessions.
Top Allowed Skype Local Peers (FortiOS 4.0 GA or earlier) | The local Skype peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked Skype Local Peers | The local Skype peers with the most blocked sessions.
Top Blocked Skype Local Peers (FortiOS 4.0 GA or earlier) | The local Skype peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Allowed WinNY Local Peers | The local WinNY peers with the most allowed sessions.
Top Allowed WinNY Local Peers (FortiOS 4.0 GA or earlier) | The local WinNY peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked WinNY Local Peers | The local WinNY peers with the most blocked sessions.
Top Blocked WinNY Local Peers (FortiOS 4.0 GA or earlier) | The local WinNY peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.

VoIP Activity

VoIP Activity report templates contain statistics about the Voice-over-IP activity filtered by the FortiGate unit.

Table 18: VoIP Activity report templates

Report | Description
Total Pass/Block Events (All VoIP Protocols) | The Voice-over-IP activity over the reporting period, broken down by action.

Total Events per VoIP Protocol | The Voice-over-IP activity over the reporting period, broken down by protocol.
VoIP Traffic Volume per Direction | The Voice-over-IP traffic volume for the reporting period, broken down by direction.
VoIP Traffic Volume by Time Period | The time period breakdown of Voice-over-IP traffic volume over the reporting period.
Top VoIP Sources by Traffic Volume | The Voice-over-IP sources that generated the most traffic volume over the reporting period.
Top VoIP Destinations by Traffic Volume | The Voice-over-IP destinations that generated the most traffic volume over the reporting period.
Top SIP Called Numbers | The most frequently called SIP numbers over the reporting period.
Top SIP Users by Number of Calls | The SIP users that produced the most calls over the reporting period.
Top SIP Users by Duration | The SIP users that produced the longest cumulative call durations over the reporting period.
Top Blocked SIP Users | The most frequently blocked SIP users over the reporting period.
Top Blocked SIP Users (FortiOS 4.0 GA or earlier) | The most frequently blocked SIP users over the reporting period, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked SIP Callers | The most frequently blocked SIP callers over the reporting period.
Top Blocked SIP Callers (FortiOS 4.0 GA or earlier) | The most frequently blocked SIP callers over the reporting period, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Total SIP Calls by Duration Ranges | The SIP call durations over the reporting period, broken down by range.
Top SCCP Called Numbers | The most frequently called SCCP numbers over the reporting period.
Top SCCP Users by Number of Calls | The SCCP users that produced the most calls over the reporting period.
Top SCCP Users by Duration | The SCCP users that produced the longest cumulative call durations over the reporting period.
Top Blocked SCCP Users | The most frequently blocked SCCP users over the reporting period.
Top Blocked SCCP Users (FortiOS 4.0 GA or earlier) | The most frequently blocked SCCP users over the reporting period, for configuring reports containing log information that is FortiOS 4.0 or earlier.
Top Blocked SCCP Callers | The most frequently blocked SCCP callers over the reporting period.
Top Blocked SCCP Callers (FortiOS 4.0 GA or earlier) | The most frequently blocked SCCP callers over the reporting period, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Total SCCP calls by Duration Ranges | The SCCP call durations over the reporting period, broken down by range.
Top VoIP Sources by Connections | The Voice-over-IP sources with the most connections over the reporting period.
Top VoIP Destinations by Connections | The Voice-over-IP destinations with the most connections over the reporting period.
Top Blocked SIP Users by Blocking Criteria | The most frequently blocked SIP users, broken down by reason.
Top Blocked SIP Users by Blocking Criteria (FortiOS 4.0 GA or earlier) | The most frequently blocked SIP users, broken down by reason, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked SIP Callers by Blocking Criteria | The most frequently blocked SIP callers, broken down by reason.
Top Blocked SIP Callers by Blocking Criteria | The most frequently blocked SIP callers, broken down by reason, for configuring reports containing log information that is FortiOS 4.0 or earlier.
Total SIP Calls per Status (Start/End/etc) | The number of SIP calls over the reporting period, broken down by status.
Total SIP Call Registrations by Time Period | The time period breakdown of the number of SIP call registrations over the reporting period.
Top SIP Called Numbers for Most Active Callers | The top SIP callers over the reporting period, broken down by called number.
Top Blocked SCCP Users by Blocking Criteria | The most frequently blocked SCCP users, broken down by reason.
Top Blocked SCCP Users by Blocking Criteria (FortiOS 4.0 GA or earlier) | The most frequently blocked SCCP users, broken down by reason, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked SCCP Callers by Blocking Criteria | The most frequently blocked SCCP callers, broken down by reason.
Top Blocked SCCP Callers by Blocking Criteria | The most frequently blocked SCCP callers, broken down by reason, for configuring reports containing log information that is FortiOS 4.0 or earlier.
Total SCCP Calls per Status (Start/End/etc) | The number of SCCP calls over the reporting period, broken down by status.
Total SCCP Call Registrations by Time Period | The time period breakdown of the number of SCCP call registrations over the reporting period.
Top SCCP Called Numbers for Most Active Callers | The top SCCP callers over the reporting period, broken down by called number.

Data Leak Activity

Data Leak Activity report templates contain log information from Data Leak Prevention logs.

Table 19: Data Leak Activity report templates

Report | Description
Top Data Leak Rules | The most frequently triggered data leak prevention rules over the reporting period.

Top Data Leak Sources The most frequent sources for data leaks over the reporting period.

Top Data Leak Destinations The most frequent destinations for data leaks over the reporting period.

Top Data Leak Protocols The protocols causing the most data leaks over the reporting period.

Top Data Leak Mail Senders The mail senders causing the most data leaks over the reporting period.

Top Data Leak Mail Receivers

The mail receivers causing the most data leaks over the reporting period.

Top Data Leak Web Servers The web servers causing the most data leaks over the reporting period.

Top Data Leak FTP Servers The FTP servers causing the most data leaks over the reporting period.


Application Control Activity
Application Control Activity report templates contain statistics about the FortiGate application control activity.

Network Scan
Network Scan report templates contain statistics about the FortiGate vulnerability management activity.

Application_Control
Application_Control report templates contain statistics about the FortiGate application control activity.

Table 20: Application control report templates

Report | Description
Top Applications | The most frequently used applications by number of events.
Top Application By Type | The top applications for the most frequently used application types.
Top Users By Application | The top users of the most frequently used applications.
Top Allowed Applications | The top allowed applications by number of events.
Top Blocked Applications | The top blocked applications by number of events.

Table 21: Network scan report templates

Report | Description
Vulnerabilities by Severity | The network scanned vulnerabilities listed by severity.
Vulnerabilities by Category | The network scanned vulnerabilities listed by category.
Top Scanned Operating Systems | The operating systems scanned by the FortiGate unit.
Top Scanned Services | The top services scanned by the FortiGate unit.
Top Scanned TCP Services | The top TCP services scanned by the FortiGate unit.
Top Scanned UDP Services | The top UDP services scanned by the FortiGate unit.

Table 22: Application control report templates

Report | Description
appctrl-count-p2p-events-last24hours | The count of P2P pass/block events over the last 24 hours.
appctrl-dist-type-last24hours | The distribution of applications by type in the last 24 hours.
appctrl-top10-apps-bandwidth-last24hours | The top 10 applications by bandwidth in the last 24 hours.
appctrl-top10-apps-used-last24hours | The top 10 applications used in the last 24 hours.
appctrl-top10-email-users-last24hours | The top 10 email users in the last 24 hours.
appctrl-top10-media-dest-last24hours | The top 10 media downloads by destination in the last 24 hours.
appctrl-top10-media-source-last24hours | The top 10 media downloads by source in the last 24 hours.
appctrl-top10-media-users-last24hours | The top 10 media users in the last 24 hours.
appctrl-top10-p2p-app-volume-last24hours | The top 10 P2P volume per application over the last 24 hours.
appctrl-top10-p2p-local-peers-bittorrent-blocked-last24hours | The top 10 blocked BitTorrent local peers over the last 24 hours.
appctrl-top10-p2p-local-peers-blocked-last24hours | The top 10 blocked P2P local peers over the last 24 hours.
appctrl-top10-web-users-last24hours | The top 10 web users in the last 24 hours.

Intrusion_Detection
Intrusion_Detection report templates contain statistics about the FortiGate intrusion activity.

AntiVirus
AntiVirus report templates contain statistics about the FortiGate antivirus activity.

Data_Leak_Prevention
Data Leak Prevention report templates contain log information from Data Leak Protocol logs.

Table 23: Intrusion detection report templates

Report | Description
attack-dist-protocol-last24hours | The distribution of attack protocols over the last 24 hours.
attack-top10-last24hours | The top 10 attacks over the last 24 hours.
attack-top10-source-last24hours | The top 10 attack sources over the last 24 hours.

Table 24: Antivirus report templates

Report | Description
av-dist-protocol-last24hours | The distribution of infections by protocol in the last 24 hours.
av-dist-violations-last24hours | The violation breakdown (infected/oversize/file block) in the last 24 hours.
av-top10-file-extension-last24hours | The top 10 infected file extensions in the last 24 hours.
av-top10-file-name-last24hours | The top 10 infected filenames in the last 24 hours.
av-top10-sources-http-last24hours | The top 10 HTTP virus sources over the last 24 hours.
av-top10-sources-last24hours | The top 10 virus sources over the last 24 hours.
av-top10-virus-last24hours | The top 10 viruses detected in the last 24 hours.

Table 25: Data Leak Prevention report templates

Report | Description
dlp-dist-protocol-last24hours | The distribution of data leaks by protocol over the last 24 hours.
dlp-top10-email-receivers-last24hours | The top 10 email receivers triggering DLP rules in the last 24 hours.
dlp-top10-email-senders-last24hours | The top 10 email senders triggering DLP rules in the last 24 hours.


Email Filter
Email Filter report templates contain statistics about the FortiGate antispam activity.

Event
Event report templates contain statistics about the FortiGate event activity.

Traffic
Traffic report templates contain statistics about the network traffic activity going through the FortiGate unit.

Table 26: Email filter report templates

Report | Description
email-count-volume-last24hours | The count of mail by size over the last 24 hours.
email-top10-receivers-last24hours | The top 10 receivers over the last 24 hours.
email-top10-senders-last24hours | The top 10 senders over the last 24 hours.
email-top10-spam-sources-last24hours | The top 10 spam sources over the last 24 hours.
email-usage-incoming-last24hours | The number of incoming mails (POP3/IMAP) over the last 24 hours.
email-usage-outgoing-last24hours | The number of outgoing mails (SMTP) over the last 24 hours.

Table 27: Event report templates

Report | Description
event-count-sessions-last24hours | The count of active firewall sessions over the last 24 hours.
event-dist-last24hours | The event distribution over the last 24 hours.
event-top10-all-last24hours | The top 10 events in the last 24 hours.
event-top10-critical-last24hours | The top 10 critical events in the last 24 hours.
event-top10-emergency-last24hours | The top 10 emergency events in the last 24 hours.
event-usage-cpu-last24hours | The CPU usage over the last 24 hours.
event-usage-mem-last24hours | The memory usage over the last 24 hours.

Table 28: Traffic report templates

Report | Description
traffic-count-network-session-last24hours | The count of network sessions over the last 24 hours.
traffic-count-port1-volume-last24hours | The traffic volume count for the port1 interface over the last 24 hours.
traffic-count-terminal-ssh-volume-last24hours | The count of SSH terminal clients by volume over the last 24 hours.
traffic-count-terminal-telnet-volume-last24hours | The count of telnet terminal clients by volume over the last 24 hours.
traffic-count-wanopt-bandwidth-last24hours | The WAN optimization bandwidth over the last 24 hours.
traffic-dist-network-bandwidth-last24hours | The network bandwidth composition over the last 24 hours.
traffic-dist-wanopt-app-lan-bandwidth-last24hours | The WAN optimization application composition on the LAN side over the last 24 hours.
traffic-dist-wanopt-app-wan-bandwidth-last24hours | The WAN optimization application composition on the WAN side over the last 24 hours.
traffic-top10-ftp-client-volume-last24hours | The top 10 FTP clients by volume over the last 24 hours.
traffic-top10-ftp-pair-volume-last24hours | The top 10 FTP client/server pairs by volume over the last 24 hours.
traffic-top10-ftp-servers-volume-last24hours | The top 10 FTP servers accessed by volume over the last 24 hours.
traffic-top10-im-user-blocked-last24hours | The top 10 blocked IM users over the last 24 hours.
traffic-top10-im-user-volume-last24hours | The top 10 IM users by volume over the last 24 hours.
traffic-top10-network-dest-blocked-last24hours | The top 10 network destinations blocked (denied) over the last 24 hours.
traffic-top10-network-dest-volume-last24hours | The top 10 network destinations by volume over the last 24 hours.
traffic-top10-network-policies-blocked-last24hours | The top 10 network policies blocked (denied) over the last 24 hours.
traffic-top10-network-source-blocked-last24hours | The top 10 network sources blocked (denied) over the last 24 hours.
traffic-top10-network-source-volume-last24hours | The top 10 network sources by volume over the last 24 hours.
traffic-top10-network-users-source-bandwidth-last24hours | The top 10 users by source and bandwidth over the last 24 hours.
traffic-top10-terminal-volume-last24hours | The top 10 terminal clients by volume over the last 24 hours.

FortiClient Report Templates
The following are FortiClient report templates that are only available for the Proprietary Index file system. FortiClient logs are the only logs used when compiling FortiClient reports.

Table 29: FortiClient Network Activity

Report | Description
Top Denied Sources | The top attempts to violate a policy configured on a FortiClient, by the attempt's source IP address.
Top Denied Destinations | The top attempts to violate a policy configured on a FortiClient, by the attempt's target IP address.


Table 30: FortiClient Web Filter Activity

Report | Description
Top Blocked Web Sites | Breakdown of blocked web sites.
Top Blocked Web Sites by User | Breakdown of blocked web sites by user.
Top Visited Web Sites | Breakdown of visited web sites.
Top Visited Web Sites by User | Breakdown of visited web sites by user.

Table 31: FortiClient Email Filter Activity

Report | Description
Top Blocked Mail Senders | Breakdown of the most blocked sender email addresses.
Top Blocked Mail Receivers | Breakdown of the most blocked receiver email addresses.

FortiMail Report Templates
The following are FortiMail report templates that are available for the Proprietary Index file system. FortiMail logs are the only logs used when compiling FortiMail reports.

Table 32: Mail High Level reports

Report | Description
Top Client IP | Breakdown of top client IPs.
Top Local User | Breakdown of top local users.
Top Remote Address | Breakdown of top remote addresses.
Spam Filter | Breakdown of spam filters.
Disposition Action | Breakdown of disposition actions.
Top Virus | Breakdown of top virus names.
Top Client MSISDN | Breakdown of top client MSISDNs.

Table 33: Mail Activity reports

Report | Description
Top Sender | Breakdown of top senders.
Top Sender IP | Breakdown of top sender IPs.
Top Local Sender | Breakdown of top local senders.
Top Remote Sender | Breakdown of top remote senders.
Top Sender MSISDN | Breakdown of top sender MSISDNs.
Top Recipient | Breakdown of top recipients.
Top Local Recipient | Breakdown of top local recipients.
Top Remote Recipient | Breakdown of top remote recipients.
Top Mail Destination IP | Breakdown of top mail destination IPs.
Total Sent and Received | Total sent and received.
Total Spam and NonSpam | Total spam and non-spam.

Table 34: Spam Activity reports

Report | Description
Top Spam Sender | Breakdown of top spam senders.
Top Spam Domain | Breakdown of top spam domains.
Top Spam IP | Breakdown of top spam IPs.
Top Local Spam Sender | Breakdown of top local spam senders.
Top Local Spam Domain | Breakdown of top local spam domains.
Top Remote Spam Sender | Breakdown of top remote spam senders.
Top Remote Spam Domain | Breakdown of top remote spam domains.
Top Spam MSISDN | Breakdown of top spam MSISDNs.
Top Spam Recipient | Breakdown of top spam recipients.
Top Local Spam Recipient | Breakdown of top local spam recipients.
Top Remote Spam Recipient | Breakdown of top remote spam recipients.
Top Spam Destination IP | Breakdown of top spam destination IPs.

Table 35: Virus Activity reports

Report | Description
Top Virus Sender | Breakdown of top virus senders.
Top Virus Domain | Breakdown of top virus domains.
Top Virus IP | Breakdown of top virus IPs.
Top Local Virus Sender | Breakdown of top local virus senders.
Top Local Virus Domain | Breakdown of top local virus domains.
Top Remote Virus Sender | Breakdown of top remote virus senders.
Top Remote Virus Domain | Breakdown of top remote virus domains.
Top Virus MSISDN | Breakdown of top virus MSISDNs.
Top Virus Recipient | Breakdown of top virus recipients.
Top Local Virus Recipient | Breakdown of top local virus recipients.
Top Remote Virus Recipient | Breakdown of top remote virus recipients.
Top Virus Destination IP | Breakdown of top virus destination IPs.


Appendix C: Maximum values matrix

Table 36: Maximum values of FortiAnalyzer models

Feature | FortiAnalyzer-100B, 100C | FortiAnalyzer-400B | FortiAnalyzer-800, 800B | FortiAnalyzer-1000, 1000C | FortiAnalyzer-2000, 2000A, 2000B | FortiAnalyzer-4000, 4000A, 4000B
Administrative domains (ADOMs) | 1 | 10 | 50 | 50 | 100 | 250
Devices per ADOM | 100 | 200 | 500 | 2000 | 2000 | 2000
Administrators | 10 | 20 | 100 | 100 | 200 | 500
Administrator access profiles | 10 | 20 | 100 | 100 | 200 | 500
RADIUS servers | 6 | 6 | 6 | 6 | 6 | 6
RADIUS authentication groups | 6 | 6 | 6 | 6 | 6 | 6
RADIUS servers per authentication group | 6 | 6 | 6 | 6 | 6 | 6
Static routes | 32 | 32 | 32 | 32 | 32 | 32
SMB shares | 16 | 32 | 64 | 64 | 64 | 64
SMB users | 16 | 32 | 64 | 64 | 64 | 64
SMB groups | 16 | 32 | 64 | 64 | 64 | 64
SMB users per group | 16 | 32 | 64 | 64 | 64 | 64
SMB read-only users & groups per share | 16 | 32 | 64 | 64 | 64 | 64
SMB read-write users & groups per share | 16 | 32 | 64 | 64 | 64 | 64
NFS exports | 16 | 32 | 64 | 64 | 64 | 64
NFS RO clients per export | 16 | 32 | 64 | 64 | 64 | 64
NFS RW clients per export | 16 | 32 | 64 | 64 | 64 | 64
Registered log devices (FGT/FMG/FML/SL+FC) | 100 | 200 | 500 | 2000 | 2000 | 2000
HA members per log device | 5 | 5 | 5 | 5 | 5 | 5
Log device groups | 50 | 100 | 250 | 1000 | 1000 | 1000
Log devices per device group | 100 | 200 | 500 | 2000 | 2000 | 2000
Unregistered log devices | 100 | 200 | 500 | 2000 | 2000 | 2000
Blocked log devices | 100 | 200 | 500 | 2000 | 2000 | 2000
Report LDAP servers | 6 | 6 | 6 | 6 | 6 | 6
Report IP aliases | 256 | 256 | 512 | 512 | 512 | 512
Report schedules | 250 | 250 | 500 | 500 | 750 | 1000
Report layouts | 250 | 250 | 500 | 500 | 750 | 1000
Objects/queries per report layout | 500 | 500 | 500 | 500 | 500 | 500
Report outputs | 250 | 250 | 500 | 500 | 750 | 1000
Report filters | 250 | 250 | 500 | 500 | 750 | 1000
Report datasets | 250 | 250 | 500 | 500 | 750 | 1000
Outputs per report dataset | 3 | 3 | 3 | 3 | 3 | 3
Report custom charts | 250 | 250 | 500 | 500 | 750 | 1000
SQL report layouts | 250 | 250 | 500 | 500 | 750 | 1000
SQL report chart templates | 250 | 250 | 500 | 500 | 750 | 1000
SQL report datasets | 250 | 250 | 500 | 500 | 750 | 1000
SQL report components per layout | 500 | 500 | 500 | 500 | 500 | 500
Alerts/SNMP managers (CmdGens/NotRcvrs) | 31 | 31 | 31 | 31 | 31 | 31
Alerts/SNMP managers per community | 10 | 10 | 10 | 10 | 10 | 10
Alerts email servers | 1 | 8 | 16 | 16 | 32 | 32
Alerts Syslog servers | 1 | 8 | 16 | 16 | 32 | 32
Alerts events | 10 | 100 | 100 | 100 | 256 | 256
Alerts destinations per event | 16 | 16 | 32 | 32 | 64 | 64
VM host assets | 100 | 200 | 200 | 500 | 500 | 1000
VM business risks | 1 | 1 | 1 | 1 | 1 | 1
Administrator sessions | 300 | 300 | 300 | 300 | 300 | 300
NTP servers | 20 | 20 | 20 | 20 | 20 | 20


Appendix D: Querying FortiAnalyzer SQL log databases

The FortiAnalyzer unit supports local PostgreSQL and remote MySQL databases for storage of log tables. To create a report based on the FortiGate log messages in a local or remote database, you can use either the predefined datasets, or create your own custom datasets by querying the log messages in the SQL database on the FortiAnalyzer unit. This appendix describes the procedure for creating datasets, and describes the fields in each type of log table to assist in writing SQL queries.

This section contains the following topics:
• Creating datasets
• SQL tables
• Examples

Creating datasets
The following procedure describes how to create datasets in the web-based manager. You can also use the CLI command config sql-report dataset to create datasets. For details, see the FortiAnalyzer CLI Reference and the "Examples" section.

To create a custom data set in the web-based manager
1 Go to Report > Chart > Data Set.
2 Click Create New.
3 Configure the following, then click OK.

Name of the GUI item | Description
Name | Enter the name for the data set.
Log Type ($log) | Enter the type of logs to be used for the data set. $log is used in the SQL query to represent the log type you select, and the query is run against all tables of this type.
Time Period ($filter) | Select to use logs from a time frame, or select Specified and define a custom time frame by selecting the Begin Time and End Time. $filter is used in the "where" clause of the SQL query to limit the results to the period you select.
Past N Hours/Days/Weeks | If you selected Past N Hours/Days/Weeks for Time Period, enter the number.
Begin Time | Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
End Time | Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
SQL Query | Enter the SQL query that retrieves the log data you want from the SQL database. Different SQL systems use different query syntax for date/time formats. The FortiAnalyzer unit uses PostgreSQL as the local database and supports MySQL as the remote database. So that one query works on both MySQL and PostgreSQL, you can use the following default date/time macros with the corresponding time period:
• $hour_of_day: For example, select Yesterday for the Time Period and enter the query "select $hour_of_day as hourstamp, count(*) from $log where $filter group by hourstamp order by hourstamp".
• $day_of_week: For example, select This Week for the Time Period and enter the query "select $day_of_week as datestamp, count(*) from $log where $filter group by datestamp order by datestamp".
• $day_of_month: For example, select This Month for the Time Period and enter the query "select $day_of_month as datestamp, count(*) from $log where $filter group by datestamp order by datestamp".
• $week_of_year: For example, select This Year for the Time Period and enter the query "select $week_of_year as weekstamp, count(*) from $log where $filter group by weekstamp order by weekstamp".
• $month_of_year: For example, select This Year for the Time Period and enter the query "select $month_of_year as monthstamp, count(*) from $log where $filter group by monthstamp order by monthstamp".
The results of running these queries display the date and time first, followed by the log data.
Test | Click to test whether or not the SQL query is successful. See "To test a SQL query" on page 336.

To test a SQL query
1 Follow the procedure in "To create a custom data set in the web-based manager" on page 335.
2 After entering the SQL query, click Test.
3 Configure the following, then click Run to view the query results.


Figure 1: SQL Query test results

Name of the GUI item | Description
Device | Select a specific FortiGate unit, FortiMail unit, or FortiClient installation, or select all devices, to apply the SQL query to.
VDom | If you want to apply the SQL query to a FortiGate VDOM, enter the name of the VDOM.
Time Period ($filter) | Select to query the logs from a time frame, or select Specified and define a custom time frame by selecting the Begin Time and End Time. $filter is used in the where clause of the SQL query to limit the results to the period you select.
Past N Hours/Days/Weeks | If you selected Past N Hours/Days/Weeks for Time Period, enter the number.
Begin Time | Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
End Time | Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
SQL Query | Enter the SQL query to retrieve the log data you want from the SQL database.
Run | Click to execute the SQL query. The results display. If the query is not successful, see "Troubleshooting" on page 338.
Clear | Select to remove the displayed query results.

Save Options | Select to save the SQL query console configuration to the data set configuration. The Device and VDOM configurations are not used by the data set configuration.
Close | Click to return to the data set configuration page.

Troubleshooting
If the query is unsuccessful, an error message appears in the results window indicating the cause of the problem.

SQL statement syntax errors
Here are some example error messages and possible causes:

You have an error in your SQL syntax (remote/MySQL) or ERROR: syntax error at or near... (local/PostgreSQL)
• Check that SQL keywords are spelled correctly, and that the query is well-formed.
• Table and column names are demarked by grave accent (`) characters. Single (') and double (") quotation marks will cause an error.

No data is covered.
• The query is correctly formed, but no data has been logged for the log type. Check that you have configured the FortiAnalyzer unit to save that log type. Under System > Config > SQL Database, make sure that the log type is checked.

Connection problems
If well-formed queries do not produce results, and logging is turned on for the log type, there may be a database configuration problem with the remote database. Ensure that:
• MySQL is running and using the default port 3306.
• You have created an empty database and a user with create permissions for the database.

Here is an example of creating a new MySQL database named fazlogs, and adding a user for the database:

# mysql -u root -p
mysql> CREATE DATABASE fazlogs;
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'%' IDENTIFIED BY 'fazpassword';
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'localhost' IDENTIFIED BY 'fazpassword';

In MySQL account names the host wildcard is %, not *; for a production database, replace % with the address of the FortiAnalyzer unit so that the account is only usable from that host.

SQL tables
The FortiAnalyzer unit creates a database table for each managed device and each log type, when there is log data. If the FortiAnalyzer unit is not receiving data from a device, or logging is not enabled under System > Config > SQL Database, it does not create log tables for that device. SQL tables follow the naming convention [Device Name]-[SQL table type]-[timestamp], where the SQL table type is one of the types listed in Table 37 on page 339.
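The $log, $filter and date/time macros described under "Creating datasets", together with the per-device [Device Name]-[SQL table type]-[timestamp] tables described in "SQL tables", can be exercised outside the FortiAnalyzer console. The following Python is an added example written for this page, not code from the guide or from Fortinet: it expands a macro template into concrete SQL, treating $log as a UNION ALL over every table of the selected type (one way to realise "run against all tables of this type"), and runs the guide's hour-of-day query over constructed sample tables in an in-memory SQLite database. The table names, device serials, rows and the SQLite strftime expansions are assumptions standing in for FortiAnalyzer's own PostgreSQL/MySQL expansions, which this page does not document.

```python
"""Added example (not from the FortiAnalyzer guide or Fortinet): expand the
$log / $filter / $hour_of_day dataset macros into concrete SQL and run the
result over constructed per-device log tables in an in-memory SQLite database.
The macro expansions are SQLite stand-ins, not FortiAnalyzer's internals."""
import calendar
import re
import sqlite3

# Constructed table listing in the guide's [Device]-[type]-[timestamp] convention
# (device serials and timestamps are hypothetical). table_ref is the master table.
TABLES = [
    "FG100A3G09000001-tlog-1300000000",
    "FG100A3G09000001-elog-1300000000",
    "FG300B3G09000002-tlog-1300003600",
    "table_ref",
]

# Stand-in expansions for SQLite; dtime is stored as Unix seconds in this sample.
TIME_MACROS = {
    "hour_of_day": "CAST(strftime('%H', dtime, 'unixepoch') AS INTEGER)",
    "day_of_week": "CAST(strftime('%w', dtime, 'unixepoch') AS INTEGER)",
    "day_of_month": "CAST(strftime('%d', dtime, 'unixepoch') AS INTEGER)",
    "week_of_year": "CAST(strftime('%W', dtime, 'unixepoch') AS INTEGER)",
    "month_of_year": "CAST(strftime('%m', dtime, 'unixepoch') AS INTEGER)",
}

DAY = calendar.timegm((2011, 3, 21, 0, 0, 0, 0, 0, 0))  # 2011-03-21 00:00 UTC


def tables_of_type(names, table_type):
    """Select every log table of one type (for example 'tlog') from a listing."""
    pat = re.compile(rf"^.+-{re.escape(table_type)}-\d+$")
    return [n for n in names if pat.match(n)]


def expand(template, table_type, begin, end, names=TABLES):
    """Replace $log, $filter and the date/time macros with concrete SQL.

    $log becomes a UNION ALL over all tables of the chosen type; $filter becomes
    a half-open dtime range. An unknown $macro is rejected rather than being
    passed through to the database.
    """
    selected = tables_of_type(names, table_type)
    if not selected:
        raise ValueError(f"no {table_type} tables found")
    union = " UNION ALL ".join(f'SELECT * FROM "{t}"' for t in selected)

    def sub(m):
        name = m.group(1)
        if name == "log":
            return f"({union}) AS logs"
        if name == "filter":
            return f"(dtime >= {begin} AND dtime < {end})"
        if name in TIME_MACROS:
            return TIME_MACROS[name]
        raise ValueError(f"unknown macro ${name}")

    return re.sub(r"\$(\w+)", sub, template)


def build_sample_db():
    """Constructed sample data: two devices' traffic tables plus one event table."""
    conn = sqlite3.connect(":memory:")
    for name in TABLES[:3]:
        conn.execute(f'CREATE TABLE "{name}" (id INTEGER PRIMARY KEY, '
                     "dtime INTEGER NOT NULL, status TEXT)")
    rows = {
        TABLES[0]: [(DAY + 1 * 3600 + 60, "accept"), (DAY + 1 * 3600 + 600, "deny"),
                    (DAY + 9 * 3600, "deny")],
        TABLES[2]: [(DAY + 9 * 3600 + 5, "deny"), (DAY + 9 * 3600 + 7, "accept"),
                    (DAY + 23 * 3600 + 3599, "accept"),
                    (DAY + 24 * 3600 + 10, "deny")],   # next day: excluded by $filter
        TABLES[1]: [(DAY + 9 * 3600, "login")],         # elog: never selected for tlog
    }
    for name, data in rows.items():
        conn.executemany(f'INSERT INTO "{name}" (dtime, status) VALUES (?, ?)', data)
    return conn


# The guide's own hour-of-day query, verbatim.
HOURLY = ("select $hour_of_day as hourstamp, count(*) from $log "
          "where $filter group by hourstamp order by hourstamp")


def hourly_counts(conn, table_type="tlog", day=DAY):
    """Hourly log counts across all tables of the type for one UTC day."""
    return conn.execute(expand(HOURLY, table_type, day, day + 86400)).fetchall()


def hourly_denied(conn, table_type="tlog", day=DAY):
    """The macros compose with ordinary predicates, here status = 'deny'."""
    tmpl = ("select $hour_of_day as hourstamp, count(*) from $log "
            "where $filter and status = 'deny' group by hourstamp order by hourstamp")
    return conn.execute(expand(tmpl, table_type, day, day + 86400)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print(expand(HOURLY, "tlog", DAY, DAY + 86400))
    print(hourly_counts(db))   # [(1, 2), (9, 3), (23, 1)]
    print(hourly_denied(db))   # [(1, 1), (9, 2)]
```

Run as a script it prints the expanded SQL and the hourly counts; the elog table is never touched by a tlog dataset, the next-day row is dropped by $filter, and a template containing a macro that is not defined fails before anything reaches the database.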


To view all the named tables created in a database, you can use:
• local (PostgreSQL) database: SELECT * FROM pg_tables
• remote (MySQL) database: SHOW TABLES
The names of all created tables and their types are stored in a master table named table_ref.
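As an added example (not code from the guide or from Fortinet), the Python below parses a table listing of the kind SELECT * FROM pg_tables or SHOW TABLES returns into device, table type and timestamp, reports which expected log types each device has no table for (the guide's symptom of a device not sending data, or of the log type being disabled under System > Config > SQL Database), and decodes the log_id field as Table 40 describes it (two digits of log type, two of subtype, the remaining digits the message id). The table names, device serials, log_id value and the list of expected types are all constructed assumptions.

```python
"""Added example (not from the FortiAnalyzer guide or Fortinet): parse
[Device Name]-[SQL table type]-[timestamp] table names, inventory log types
per device, and decode the ten-digit log_id field."""
import re
from collections import defaultdict

# SQL table types as listed in Table 37.
TABLE_TYPES = {
    "tlog": "Traffic", "elog": "Event", "vlog": "Antivirus", "wlog": "Webfilter",
    "alog": "Attack", "slog": "Spamfilter", "dlog": "Data Leak Prevention",
    "rlog": "Application Control", "clog": "DLP archive",
    "nlog": "Vulnerability Management",
}

# Greedy device part, so device names that themselves contain hyphens still parse.
_TABLE_NAME = re.compile(r"^(?P<device>.+)-(?P<ttype>[a-z]log)-(?P<ts>\d+)$")


def parse_table_name(name):
    """Split a log table name; returns None for non-log tables such as table_ref."""
    m = _TABLE_NAME.match(name)
    if not m or m.group("ttype") not in TABLE_TYPES:
        return None
    return {"device": m.group("device"), "table_type": m.group("ttype"),
            "log_type": TABLE_TYPES[m.group("ttype")], "timestamp": int(m.group("ts"))}


def inventory(names):
    """Map device -> sorted list of table types that exist for it."""
    found = defaultdict(set)
    for n in names:
        parsed = parse_table_name(n)
        if parsed:
            found[parsed["device"]].add(parsed["table_type"])
    return {device: sorted(types) for device, types in found.items()}


def missing_types(names, expected=("tlog", "elog", "alog")):
    """Devices lacking a table for an expected type (assumed expectation list).

    No table means either no data has arrived from the device or the log type is
    not enabled under System > Config > SQL Database.
    """
    return {device: [t for t in expected if t not in have]
            for device, have in inventory(names).items()
            if any(t not in have for t in expected)}


def decode_log_id(log_id):
    """Decode log_id: first two digits log type, next two subtype, rest message id.

    The column is an integer, so a leading zero is lost in storage; re-pad to ten
    digits before slicing so a stored 100032001 decodes like the logged 0100032001.
    """
    digits = f"{int(log_id):010d}"
    return {"type": int(digits[:2]), "subtype": int(digits[2:4]),
            "msg_id": int(digits[4:])}


# Constructed listing as SHOW TABLES or pg_tables might return it (hypothetical names).
SAMPLE_TABLES = [
    "FG100A3G09000001-tlog-1300000000", "FG100A3G09000001-elog-1300000000",
    "FG100A3G09000001-alog-1300000000",
    "FG300B-HA-3G09000002-tlog-1300003600", "FG300B-HA-3G09000002-elog-1300003600",
    "table_ref",
]

if __name__ == "__main__":
    print(inventory(SAMPLE_TABLES))
    print(missing_types(SAMPLE_TABLES))   # {'FG300B-HA-3G09000002': ['alog']}
    print(decode_log_id(100032001))       # {'type': 1, 'subtype': 0, 'msg_id': 32001}
```

The hyphenated device name in the sample shows why the device part of the pattern is greedy: only the trailing type and timestamp are fixed in form, so everything before them belongs to the device.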

FortiAnalyzer logs also include log sub-types, which are types of log messages within the main log type. For example, the event log type has an admin subtype. FortiAnalyzer log types and subtypes are numbered, and these numbers appear within the log identification field of the log message.

Note: The timestamp portion of the table name depends on the FortiAnalyzer unit firmware release. It is either the creation time of the table (in releases before 4.2.1), or the timestamp of the log on disk (in releases 4.2.1 and later).

Table 37: Log types and table types

Log Type | SQL table type | Description
Traffic log | tlog | The traffic log records all traffic to and through the FortiGate interface.
Event log | elog | The event log records management and activity events, for example, when an administrator logs in to or out of the web-based manager.
Antivirus log | vlog | The antivirus log records virus incidents in Web, FTP, and email traffic.
Webfilter log | wlog | The web filter log records HTTP FortiGate log rating errors including web content blocking actions that the FortiGate unit performs.
Attack log | alog | The attack log records attacks that are detected and prevented by the FortiGate unit.
Spamfilter log | slog | The spam filter log records blocking of email address patterns and content in SMTP, IMAP, and POP3 traffic.
Data Leak Prevention log | dlog | The Data Leak Prevention log records log data that is considered sensitive and that should not be made public. This log also records data that a company does not want entering their network.
Application Control log | rlog | The application control log records data detected by the FortiGate unit and the action taken against the network traffic depending on the application that is generating the traffic, for example, instant messaging software such as MSN Messenger.
DLP archive log | clog | The DLP archive log, or clog.log, records all log messages, including most IM log messages as well as the following session control protocol (VoIP) log messages: SIP start and end call; SCCP phone registration; SCCP call info (end of call); SIMPLE log message.
Vulnerability Management log | nlog | The vulnerability management log, or netscan log, contains logging events generated by a network scan.


Table 38: Log Sub-types

traffic (Traffic Log)
• allowed – Policy allowed traffic
• violation – Policy violation traffic
• other

event (Event Log)
For FortiGate devices:
• system – System activity event
• ipsec – IPSec negotiation event
• dhcp – DHCP service event
• ppp – L2TP/PPTP/PPPoE service event
• admin – admin event
• ha – HA activity event
• auth – Firewall authentication event
• pattern – Pattern update event
• alertemail – Alert email notifications
• chassis – FortiGate-4000 and FortiGate-5000 series chassis event
• sslvpn-user – SSL VPN user event
• sslvpn-admin – SSL VPN administration event
• sslvpn-session – SSL VPN session event
• his-performance – performance statistics
• vipssl – VIP SSL events
• ldb-monitor – LDB monitor events

dlp (Data Leak Prevention)
• dlp – Data Leak Prevention

app-crtl (Application Control Log)
• app-crtl-all – All application control

DLP archive (DLP Archive Log)
• HTTP – Virus infected
• FTP – FTP content metadata
• SMTP – SMTP content metadata
• POP3 – POP3 content metadata
• IMAP – IMAP content metadata

virus (Antivirus Log)
• infected – Virus infected
• filename – Filename blocked
• oversize – File oversized

webfilter (Web Filter Log)
• content – content block
• urlfilter – URL filter
• FortiGuard block
• FortiGuard allowed
• FortiGuard error
• ActiveX script filter
• Cookie script filter
• Applet script filter

ips (Attack Log)
• signature – Attack signature
• anomaly – Attack anomaly

emailfilter (Spam Filter Log)
• SMTP
• POP3
• IMAP


Log severity levelsYou can define what severity level the FortiGate unit records logs at when configuring the logging location. The FortiGate unit logs all message at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert, and Emergency level messages.

The Debug severity level, not shown in Table 39, is rarely used. It is the lowest log severity level and usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly. Debug log messages are only generated if the log severity level is set to Debug. Debug log messages are generated by all types of FortiGate features.

Log fields in each tableThis section describes the fields of each log table stored in an SQL database. Because of differences in SQL dialects, some fields have different types depending on whether they are stored locally or remotely. The tables described in this section are:• “Common log fields,” on page 341• “Application control log fields” on page 343• “Attack log fields” on page 345• “DLP archive / content log fields” on page 346• “Data Leak Prevention log fields” on page 351• “Email filter log fields” on page 352• “Event log fields” on page 353• “Traffic log fields” on page 367• “Antivirus log fields” on page 369• “Web filter log fields” on page 371• “Netscan log fields” on page 372

Common log fieldsAll log tables share some common fields, described in Table 40.

Table 39: Log Severity Levels

Level | Description | Generated by
0 - Emergency | The system has become unstable. | Event logs, specifically administrative events, can generate an emergency severity level.
1 - Alert | Immediate action is required. | Attack logs are the only logs that generate an Alert severity level.
2 - Critical | Functionality is affected. | Event, Antivirus, and Spam filter logs.
3 - Error | An error condition exists and functionality could be affected. | Event and Spam filter logs.
4 - Warning | Functionality could be affected. | Event and Antivirus logs.
5 - Notification | Information about normal events. | Traffic and Web Filter logs.
6 - Information | General information about system operations. | Content Archive, Event, and Spam filter logs.
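Drawing on the severity order in Table 39 and the common fields of Table 40 below, here is an added example (mine, not from the guide) that restricts a query to rows at or above a chosen severity and splits log_id into its type, subtype and message-id digits. It assumes an in-memory SQLite table in place of the PostgreSQL or MySQL tables the guide documents, pri values equal to the lower-cased Table 39 names, and rows constructed for illustration.

```python
"""Added example, not from the FortiAnalyzer guide: select rows at or above a
chosen severity using the Table 39 order and the common fields of Table 40,
and split log_id into its type, subtype and message-id digits.
Assumptions of mine: SQLite stands in for the PostgreSQL/MySQL tables the
guide documents (only the column-type dialect differs), pri holds the
lower-cased Table 39 names, and every row below is constructed."""
import sqlite3
from typing import NamedTuple

# Table 39: a lower number is more severe, so "at and above level X"
# means a numeric level <= X's number.
SEVERITY_LEVELS = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}


def pri_values_at_or_above(level: str) -> list[str]:
    """pri names a unit records with its logging severity set to `level`:
    that level and everything more severe (the guide's own example: Error
    gives Error, Critical, Alert and Emergency)."""
    threshold = SEVERITY_LEVELS[level.lower()]
    return [name for name, num in SEVERITY_LEVELS.items() if num <= threshold]


class LogIdParts(NamedTuple):
    log_type: str     # first two digits
    log_subtype: str  # next two digits
    message_id: int   # remaining digits, leading zeros dropped


def decode_log_id(log_id: int) -> LogIdParts:
    """Split log_id as the common-field description lays it out: ten digits,
    two of type, two of subtype, the rest the message id. The column is an
    integer, so the leading zeros are restored by padding to ten digits."""
    if not 0 <= log_id <= 9_999_999_999:
        raise ValueError(f"log_id {log_id} does not fit the ten-digit layout")
    digits = f"{log_id:010d}"
    return LogIdParts(digits[0:2], digits[2:4], int(digits[4:]))


# A subset of the Table 40 common fields; SQLite types stand in for the
# PostgreSQL/MySQL types listed in the guide.
SCHEMA = """
CREATE TABLE log_common (
    id INTEGER PRIMARY KEY, itime TEXT, device_id TEXT, log_id INTEGER,
    type TEXT, subtype TEXT, pri TEXT, vd TEXT, src TEXT, dst TEXT,
    dst_port INTEGER, policyid INTEGER)
"""

# Constructed rows: serials, addresses and log_id values are made up.
SAMPLE_ROWS = [
    ("2011-03-21 10:00:01", "FG-A", 419016384, "ips", "signature", "alert",
     "root", "10.0.0.5", "192.0.2.10", 80, 3),
    ("2011-03-21 10:00:07", "FG-A", 419016384, "ips", "signature", "critical",
     "root", "10.0.0.5", "192.0.2.10", 80, 3),
    ("2011-03-21 10:01:00", "FG-A", 21000001, "traffic", "allowed",
     "notification", "root", "10.0.0.7", "192.0.2.20", 443, 1),
    ("2011-03-21 10:02:15", "FG-B", 100020004, "event", "system", "warning",
     "root", "10.0.0.5", "192.0.2.30", 0, 0),
    ("2011-03-21 10:03:30", "FG-B", 100020004, "event", "system",
     "information", "root", "10.0.0.9", "192.0.2.30", 0, 0),
    ("2011-03-21 10:04:45", "FG-A", 419016384, "ips", "signature", "error",
     "root", "10.0.0.5", "192.0.2.10", 80, 3),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO log_common (itime, device_id, log_id, type, subtype, pri,"
        " vd, src, dst, dst_port, policyid) VALUES (?,?,?,?,?,?,?,?,?,?,?)",
        SAMPLE_ROWS,
    )
    return conn


def hits_by_device_and_source(conn: sqlite3.Connection, level: str):
    """Rows at or above `level`, counted per (device_id, src), busiest first.
    The pri list is bound as parameters rather than spliced into the SQL."""
    allowed = pri_values_at_or_above(level)
    placeholders = ",".join("?" * len(allowed))
    sql = (
        "SELECT device_id, src, COUNT(*) AS hits FROM log_common "
        f"WHERE pri IN ({placeholders}) "
        "GROUP BY device_id, src ORDER BY hits DESC, device_id, src"
    )
    return conn.execute(sql, allowed).fetchall()


def decoded_ids(conn: sqlite3.Connection) -> list[tuple[str, str, int]]:
    """Distinct log_id values present, split into (type, subtype, message id)."""
    rows = conn.execute("SELECT DISTINCT log_id FROM log_common ORDER BY log_id")
    return [tuple(decode_log_id(row[0])) for row in rows]
```

Confirm the pri strings your own tables hold with SELECT DISTINCT pri before relying on the name mapping; since only the column types differ between the PostgreSQL and MySQL dialects, the query itself carries over unchanged.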


Table 40: Common Fields

Field | PostgreSQL type | MySQL type | Description | Tables
id | int not null primary key | int unsigned not null primary key | ID / primary key for the record. | all
itime | timestamp | datetime | The time the log event was received by the FortiAnalyzer. | all
dtime | timestamp | datetime | The time the log event was generated on the device. | all
cluster_id | varchar(24) | varchar(24) | The HA cluster ID if the FortiGate runs in HA mode. | all
device_id | varchar(16) | varchar(16) | The serial number of the device. | all
log_id | int default 0 | smallint unsigned default 0 | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message ID. For more detail about what the combination of type, subtype and message ID means, see the FortiGate Log Message Reference. | all
subtype | varchar(255) | varchar(255) | The subtype of the log message. The possible values of this field depend on the log type. See Table 38 for a list of subtypes associated with each log type. | all
type | varchar(255) | varchar(255) | The log type. | all
timestamp | int default 0 | int unsigned default 0 | Timestamp for the event. | all
pri | varchar(255) | varchar(255) | The log priority level. See Table 39 for a list of priority levels and the log types that generate them. | all
vd | varchar(255) | varchar(255) | The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain root. | all
user | varchar(255) | varchar(255) | The name of the user creating the traffic. | all except nlog
group | varchar(255) | varchar(255) | The name of the group creating the traffic. | all except nlog
src | varchar(40) (255 for alog) | varchar(40) (255 for alog) | The source IP address. | all except nlog
dst | varchar(40) (255 for alog) | varchar(40) (255 for alog) | The destination IP address. | all except nlog
src_port | int default 0 | smallint unsigned default 0 | The source port of the TCP or UDP traffic. The source port is zero for other types of traffic. | all except nlog
dst_port | int default 0 | smallint unsigned default 0 | The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic. | all except nlog
src_int | varchar(255) | varchar(255) | The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is “unknown”. | all except clog and nlog
dst_int | varchar(255) | varchar(255) | The interface where the through traffic goes out to the public network or Internet. For incoming traffic to the firewall, it is “unknown”. | all except clog and nlog
policyid | bigint default 0 | int unsigned default 0 | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. For more information, see the Fortinet Knowledge Base article “Firewall policy=0”. | all except nlog


service | varchar(255) | varchar(255) | The service where the activity or event occurred, for example on a web page using HTTP or HTTPS. This field is an enum, and can have one of the following values: http, https, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, nntp, im, smtps, pop3s, imaps | all except clog
identidx | bigint default 0 | int unsigned default 0 | The identity index number. | all except nlog
profile | varchar(255) | varchar(255) | The protection profile associated with the firewall policy that the traffic used when the log message was recorded. | all except dlog, tlog, and nlog
profiletype | varchar(255) | varchar(255) | The type of profile associated with the firewall policy that the traffic used when the log message was recorded. | all except dlog, tlog, and nlog
profilegroup | varchar(255) | varchar(255) | The profile group associated with the firewall policy that the traffic used when the log message was recorded. | all except dlog, tlog, and nlog

Application control log fields

The table below lists the fields defined in application control log tables (type rlog).

Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For application control logs, this field can be: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded, failed, authentication-required, pass, block
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field always displays N/A in FortiOS.


kind | varchar(255) | varchar(255) | This field is an enum, and can be one of the following values: login, chat, file, photo, audio, call, regist, unregister, call-block, request, response
dir | varchar(255) | varchar(255) | The direction of the traffic. This field is an enum, and can be one of the following: incoming, outgoing, N/A
src_name | varchar(255) | varchar(255) | The name of the source or the source IP address.
dst_name | varchar(255) | varchar(255) | The destination name or destination IP address.
proto | int default 0 | smallint unsigned default 0 | The protocol number that applies to the session or packet: the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
serial | bigint default 0 | int unsigned default 0 | Serial number of the log message.
app_list | varchar(255) | varchar(255) | The application control list (under UTM > Application Control > Application Control List on the FortiGate unit) that contains the policy that triggered this log item.
app_type | varchar(255) | varchar(255) | The application category.
app | varchar(255) | varchar(255) | The application name. You can look the application type up in UTM > Application Control > Application List, and then select the name that is in the field to go to more detailed information on the FortiGuard Encyclopedia.
action | varchar(255) | varchar(255) | The action the FortiGate unit took for this session or packet. This field is an enum and can be one of the following values: pass, block, monitor, kickout, encrypt-kickout, reject
count | bigint default 0 | int unsigned default 0 | Total number of blocked applications.
filename | varchar(255) | varchar(255) | The file name associated with the blocked application.
filesize | bigint default 0 | int unsigned default 0 | The file size of the file.
message | varchar(255) | varchar(255) | The blocked message of chat applications.
content | varchar(255) | varchar(255) | Content of the blocked applications.


reason | varchar(255) | varchar(255) | The reason why the log was recorded. This field is an enum, and can be one of the following values: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, exceed-rate
req | varchar(255) | varchar(255) | Request.
phone | varchar(255) | varchar(255) | Phone number of the blocked application.
msg | varchar(255) | varchar(255) | Explains why the log was recorded.
attack_id | bigint default 0 | int unsigned default 0 | Attack ID.

Attack log fields

The table below lists the fields defined in attack log tables (type alog).

Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For attack logs, this field can be: detected, dropped, reset, reset_client, reset_server, drop_session, pass_session, clear_session
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
attack_id | bigint default 0 | int unsigned default 0 | The identification number of the attack log message.
severity | varchar(255) | varchar(255) | The specified severity level of the attack. This field is an enum, and can have one of the following values: info, low, medium, high, critical
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
sensor | varchar(255) | varchar(255) | The DLP sensor that was used.


icmp_id | varchar(255) | varchar(255) | The Internet Control Message Protocol (ICMP) message ID (returned for ECHO REPLY).
icmp_type | varchar(255) | varchar(255) | The ICMP message type.
icmp_code | varchar(255) | varchar(255) | The ICMP message code.
proto | smallint default 0 | tinyint unsigned default 0 | The protocol of the event.
ref | varchar(255) | varchar(255) | A reference URL to the FortiGuard IPS database for more information about the attack.
count | bigint default 0 | int unsigned default 0 | The number of times that attack was detected within a short period of time. This is useful when the attacks are DoS attacks.
incident_serialno | bigint default 0 | int unsigned default 0 | The unique ID for this attack. This number is used for cross-referencing IPS packet logs.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. In this example, an attack occurred that could have caused a system crash.

DLP archive / content log fields

The table below lists the fields defined in DLP archive / content log tables (type clog).

Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred.
clogver | smallint default 0 | tinyint unsigned default 0 | The version of the content log.
epoch | bigint default 0 | int unsigned default 0 | The unique number for each archive. It is used for cross reference purposes.
eventid | bigint default 0 | int unsigned default 0 | The ID of the archive event.
SN | bigint default 0 | int unsigned default 0 | The session number.
endpoint | varchar(255) | varchar(255) | The ID of the endpoint, such as MSISDN or account ID.
client | varchar(40) | varchar(40) | The IP of the client.
server | varchar(40) | varchar(40) | The IP of the server.
laddr | varchar(40) | varchar(40) | The local IP.
raddr | varchar(40) | varchar(40) | The remote IP.


cstatus | varchar(255) | varchar(255) | The cstatus field can be any one of the following: clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter (FortiOS Carrier only), mass_mms (FortiOS Carrier only), dlp, fragmented, spam, im_summary, im-message, im_file_request (a file was transferred), im_file_accept (a file was accepted), im_file_cancel, im_voice (an IM voice chat), im_photo_share_request (a photo was shared), im_photo_share_cancel, im_photo_share_stop, im_photo_xfer (a photo was transferred during the chat), voip, error


infection | varchar(255) | varchar(255) | The infection type. This field is an enum, and can be one of the following: bblock, fileexempt, file intercept, mms block, carrier end point filter, mms flood, mms duplicate, virus, virusrm, heuristic, html script, script filter, banned word, exempt word, oversize, virus, heuristic, worm, mime block, fragmented, exempt, ip blacklist, dnsbl, FortiGuard - AntiSpam ip blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard - AntiSpam ase block, banned word, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, dlpban, pass, mms content checksum
virus | varchar(255) | varchar(255) | The virus name.
rcvd | bigint default 0 | int unsigned default 0 | The number of bytes that were received from the client.
sent | bigint default 0 | int unsigned default 0 | The number of bytes that were received from the server.
method | varchar(255) | varchar(255) | The type of HTTP command used. For example, GET.
url | varchar(255) | varchar(255) | The URL address of the web site that was accessed.
cat | varchar(255) | varchar(255) | The http/https category.
cat_desc | varchar(255) | varchar(255) | The http/https category description.
to | varchar(255) | varchar(255) | To.
from | varchar(255) | varchar(255) | From.
subject | varchar(255) | varchar(255) | Subject.
direction | varchar(255) | varchar(255) | Incoming or outgoing.


attachment | smallint default 0 | tinyint unsigned default 0 | Mail attachment present.
ftpcmd | varchar(255) | varchar(255) | The FTP command. This field is an enum and can be one of: NONE, USER, PASS, ACCT, STOR, RETR, QUIT
file | varchar(255) | varchar(255) | The archive file name.
local | varchar(255) | varchar(255) | The local user.
remote | varchar(255) | varchar(255) | The remote user.
proto | varchar(255) | varchar(255) | The protocol.
kind | varchar(255) | varchar(255) | The kind field can be any one of the following: summary, chat, file (a file was transferred), photo (photo sharing), photo-xref (a photo was transferred), audio (a voice chat), oversize (an oversized file), fileblock (a file was blocked), fileexempt, virus, dlp, call-block (SIP call blocked), call-info (SIP call information), call (SIP call), register (SIP register), unregister (SIP unregister)
action | varchar(255) | varchar(255) | The action.
dir | varchar(255) | varchar(255) | The direction, either "inbound" or "outbound".
messages | bigint default 0 | int unsigned default 0 | The message number.
start-date | varchar(255) | varchar(255) | The local start date.
end-date | varchar(255) | varchar(255) | The local end date.
content | varchar(255) | varchar(255) | IM chat content.
filename | varchar(255) | varchar(255) | File name.
filesize | bigint default 0 | int unsigned default 0 | File size.
message | varchar(255) | varchar(255) | Message.
conn-mode | varchar(255) | varchar(255) | Connection mode.
heuristic | varchar(255) | varchar(255) | Heuristic.
duration | bigint default 0 | int unsigned default 0 | The duration of the session.
reason | varchar(255) | varchar(255) | The reason.
phone | varchar(255) | varchar(255) | Phone number.
dlp_sensor | varchar(255) | varchar(255) | DLP sensor.


message_type | varchar(255) | varchar(255) | The message type. This field is an enum, and can be one of: request, response
request_name | varchar(255) | varchar(255) | Request name.
malform_desc | varchar(255) | varchar(255) | Malformed content description. This field is an enum, and can be one of the values listed in Table 41 on page 350.
malform_data | bigint default 0 | int unsigned default 0 | Malform data.
line | varchar(255) | varchar(255) | Line.
column | bigint default 0 | int unsigned default 0 | Column.

Table 41: Values for malform-desc

<att-field>-expected
<att-value>-expected
<bandwidth>-expected
<bwtype>-execpted
<callid>-expected
<CSeq-num>-expected
<delta-seconds>-expected
<encoding-name>-expected-in-rtpmap
<fmt>-expected
<gen-value>-expected
<generic-param>-with-invalid-<gen-value>
<integer>-expected
<m-attribute>-expected-after-SEMI
<m-subtype>-expected
<m-type>-expected
<media>-expected
<method>-does-not-match-the-request-line
<method>-expected
<Method>-expected-after-<CSeq-num>
<payload-type>-expected-in-rtpmap
<proto>-expected
<repeat-interval>-expected
<response-num>-expected
<seq>-number-expected
<sess-id>-expected
<sess-version>-expected
<text>-expected
<time>-expected
<token>-expected-in-<proto>-after-slash
<typed-time>-expected
<username>-exepcted
<word>-expected
boundary-parameter-appears-more-than-once
colon-expected
digits-expected
domain-label-oversize
domain-name-invalid
domain-name-oversize
duplicated-sip-header
empty-quoted-string
end-of-line-error
EQUAL-expected-after-<m-attribute>
expires-header-repeated
header-line-oversize
header-parameter-expected
IN-expected
invalid-<clock-rate>-in-rtpmap
invalid-<encoding-parameters>-in-rtpmap
invalid-<gen-value>
invalid-<m-value>
invalid-<protocol-name>
invalid-<protocol-version>
invalid-<quoted-string>-in-<gen-value>
invalid-<quoted-string>-in-<m-value>
invalid-<SIP-Version>-on-request-line
invalid-<start-time>
invalid-<stop-time>
invalid-<transport>
invalid-<userinfo>
invalid-branch-parameter
invalid-candidate-line
invalid-escape-encoding-in-<reason-phrase>
invalid-escape-encoding-in-<userinfo>
invalid-escape-encoding-in-uri-header
invalid-escape-encoding-in-uri-parameter
invalid-expires-parameter
invalid-fqdn
invalid-ipv4-address
invalid-ipv6-address
invalid-maddr-parameter
invalid-max-forwards
invalid-method-uri-parameter
invalid-port
invalid-port-after-ip-address-in-alt-line
invalid-port-after-ip-address-in-candidate-line
invalid-port-in-rtcp-line
invalid-q-parameter
invalid-quoted-string-in-display-name
invalid-quoting-character
invalid-received-parameter
invalid-rport-parameter
invalid-status-code
invalid-tag-parameter
invalid-transport-uri-parameter
invalid-ttl-parameter
invalid-ttl-uri-parameter
invalid-uri-header-name
invalid-uri-header-name-value-pair
invalid-uri-header-value
invalid-uri-parameter-pname


invalid-uri-parameter-value
invalid-user-uri-parameter
IP-expected
IP4-or-IP6-expected
ipv4-address-expected
IPv4-or-IPv6-address-expected
ipv6-address-expected
left-angle-bracket-is-mandatory
line-order-error
LWS-expected
missing-mandatory-field
msg-body-oversize
multipart-Content-Type-has-no-boundary
no-matching-double-quote
no-METHOD-on-request-line
no-SLASH-after-<protocol-name>
no-SLASH-after-<protocol-version>
no-tag-parameter
o-line-not-allowed-on-media-level
port-expected
port-not-allowed
r-line-not-allowed-on-media-level
right-angle-bracket-not-found
s-line-not-allowed-on-media-level
sdp-alt-line-before-m-line
sdp-candidate-line-before-m-line
sdp-invalid-alt-line
sdp-rtcp-line-before-m-line
sdp-v-o-s-t-lines-are-mandatory
sip-udp-message-truncated
sip-Yahoo-candidate-invalid-protocol
slash-expected-after-<encoding-name>-in-rtpmap
SLASH-expected-after-<m-type>
space-violation
syntax-malformed
t-line-not-allowed-on-media-level
token-expected
too-many-c-lines
too-many-candidate-lines
too-many-i-lines
too-many-m-lines
too-many-o-lines
too-many-rtcp-lines
too-many-s-lines
too-many-v-line
trailing-bytes
unexpected-character
unknown-header
unknown-scheme
uri-expected
uri-parameter-repeat
uri-parameters-not-allowed-by-RFC
v-line-not-allowed-on-media-level
via-parameter-repeat
whitespace-expected
z-line-not-allowed-on-media-level

Data Leak Prevention log fields

The table below lists the fields defined in data leak prevention log tables (type dlog).

Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For DLP logs, this field can be: detected, blocked
service | varchar(255) | varchar(255) | The service where the activity or event occurred. For DLP logs, this field is an enum, and can have one of the following values: http, https, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, nntp, im, smtps, pop3s, imaps
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.


sport | int default 0 | smallint unsigned default 0 | The source port.
dport | int default 0 | smallint unsigned default 0 | The destination port.
hostname | varchar(255) | varchar(255) | The host name or IP address.
url | varchar(255) | varchar(255) | The URL address of the web site that was visited.
from | varchar(255) | varchar(255) | The sender’s email address.
to | varchar(255) | varchar(255) | The receiver’s email address.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded.
rulename | varchar(255) | varchar(255) | The name of the rule within the DLP sensor.
compoundname | varchar(255) | varchar(255) | The compound name.
action | varchar(255) | varchar(255) | The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only. This field is an enum, and can have one of the following values: log-only, block, exempt, ban, ban sender, quarantine ip, quarantine interface
severity | smallint default 0 | tinyint unsigned default 0 | The level of severity for the specified rule.

Email filter log fields

The table below lists the fields defined in email filter log tables (type slog).

Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For email filter logs, this field can be: exempted, blocked, detected


service | varchar(255) | varchar(255) | The service where the activity or event occurred. For DLP logs, this field is an enum, and can have one of the following values: http, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, im, nntp, https, smtps, imaps, pop3s
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
sport | int default 0 | smallint unsigned default 0 | The source port.
dport | int default 0 | smallint unsigned default 0 | The destination port.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
from | varchar(255) | varchar(255) | The sender’s email address.
to | varchar(255) | varchar(255) | The receiver’s email address.
banword | varchar(255) | varchar(255) | The name of the Banned Word policy.
tracker | varchar(255) | varchar(255) | Tracker.
dir | varchar(255) | varchar(255) | The email direction. This field is an enum, and can have one of the following values: tx, rx
agent | varchar(255) | varchar(255) | This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. In this example, the sender’s email address is in the blacklist and matches the fourth email address in that list.

Event log fields

The table below lists the fields defined in event log tables (type elog).

Field | PostgreSQL type | MySQL type | Description

status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For event logs, the possible values of this field depend on the subcategory. Subcategory ipsec: success, failure, negotiate_error, esp_error, dpd_failure. Subcategory voip: start, end, timeout, blocked, succeeded, failed, authentication-required. Subcategory gtp: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded.
ssid | varchar(255) | varchar(255) | The service set identifier.


action | varchar(255) | varchar(255) | The action the FortiGate unit should take for this firewall policy. For event logs, the possible values of this field depend on the subcategory of the event. Subcategory ipsec: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down. Subcategory nac-quarantine: ban-ip, ban-interface, ban-src-dst-ip. Subcategory sslvpn-user: tunnel-up, tunnel-down, ssl-login-fail. Subcategory sslvpn-admin: info. Subcategory sslvpn-session: tunnel-stats, ssl-web-deny, ssl-web-pass, ssl-web-timeout, ssl-web-close, ssl-sys-busy, ssl-cert, ssl-new-con, ssl-alert, ssl-exit-fail, ssl-exit-error, tunnel-up, tunnel-down, tunnel-stats, ssl-tunnel-unknown-tag, ssl-tunnel-error. Subcategory voip: permit, block, monitor, kickout, encrypt-kickout, cm-reject, exempt, ban, ban-user, log-only. Subcategory his-performance: perf-stats.

session_id | bigint default 0 | int unsigned default 0 | The session ID.
count | bigint default 0 | int unsigned default 0 | The number of dropped SIP packets.
proto | varchar(255) | varchar(255) | The protocol.
cpu | smallint default 0 | tinyint unsigned default 0 | The CPU usage, for performance.
epoch | bigint default 0 | int unsigned default 0 | The unique number for each archive. It is used for cross reference purposes.
mem | smallint default 0 | tinyint unsigned default 0 | The memory usage, for performance.
duration | bigint default 0 | int unsigned default 0 | The duration of the interval for item counts (such as infected, scanned, etc.) in this log entry.
infected | bigint default 0 | int unsigned default 0 | The number of infected messages.
from | varchar(255) | varchar(255) | Source IP address.
ha_group | smallint default 0 | tinyint unsigned default 0 | High availability group.
tunnel_id | bigint default 0 | int unsigned default 0 | Tunnel ID.
bssid | varchar(255) | varchar(255) | The basic service set identifier.
tunnel_type | varchar(255) | varchar(255) | Tunnel type.
event_id | bigint default 0 | int unsigned default 0 | Event ID.
ip | varchar(40) | varchar(40) | IP address.
ha_role | varchar(255) | varchar(255) | High availability role.
rem_ip | varchar(40) | varchar(40) | Remote IP (used in ipsec subcategory logs).
suspicious | bigint default 0 | int unsigned default 0 | The number of suspicious messages.
sn | varchar(255) | varchar(255) | Serial number of the event.
to | varchar(255) | varchar(255) | Destination IP address.
total_session | bigint default 0 | int unsigned default 0 | Total IP sessions.
ap | varchar(255) | varchar(255) | The physical AP name.
scanned | bigint default 0 | int unsigned default 0 | The number of scanned messages.
vcluster | bigint default 0 | int unsigned default 0 | Virtual cluster.
remote_ip | varchar(40) | varchar(40) | Remote IP (used in sslvpn-* subcategory logs).
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.


imsi | varchar(255) | varchar(255) | An International Mobile Subscriber Identity (IMSI) is a unique number associated with all GSM and UMTS network mobile phone users.
loc_ip | varchar(40) | varchar(40) | Local IP.
from_vcluster | bigint default 0 | int unsigned default 0 | From virtual cluster.
rem_port | int default 0 | smallint unsigned default 0 | Remote port.
msisdn | varchar(255) | varchar(255) | The MSISDN of the carrier endpoint.
tunnel_ip | varchar(40) | varchar(40) | Tunnel IP.
intercepted | bigint default 0 | int unsigned default 0 | The number of intercepted messages.
vap | varchar(255) | varchar(255) | The virtual AP name.
apn | varchar(255) | varchar(255) | The access point name.
out_intf | varchar(255) | varchar(255) | The out interface.
blocked | bigint default 0 | int unsigned default 0 | The number of blocked messages.
mac | varchar(255) | varchar(255) | MAC address.
to_vcluster | bigint default 0 | int unsigned default 0 | To virtual cluster.
acct_stat | varchar(255) | varchar(255) | The accounting state. This is an enum and can have one of the following values: Start, Stop, Interim-Update, Accounting-On, Accounting-Off
selection | varchar(255) | varchar(255) | The selection. This is an enum and can have one of the following values: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf
reason | varchar(255) | varchar(255) | The reason this log was generated.
rate | smallint default 0 | tinyint unsigned default 0 | Traffic rate.
loc_port | int default 0 | smallint unsigned default 0 | Local port.
vcluster_member | bigint default 0 | int unsigned default 0 | Virtual cluster member.
vcluster_state | varchar(255) | varchar(255) | Virtual cluster state.
app-type | varchar(255) | varchar(255) | Application type.
nsapi | smallint default 0 | tinyint unsigned default 0 | Network Service Access Point Identifier, an identifier used in cellular data networks.
dport | int default 0 | smallint unsigned default 0 | Destination port.
channel | smallint default 0 | tinyint unsigned default 0 | Channel.
cookies | varchar(255) | varchar(255) | Cookies.
checksum | bigint default 0 | int unsigned default 0 | The number of content checksum blocked messages.
dst_host | varchar(255) | varchar(255) | Destination host name or IP.


nf_type varchar(255) varchar(255) The notification type. This is an enum and can have one of the following values:• bword• file_block• carrier_ep_bwl• flood• dupe• alert• mms_checksum• virus

vdname varchar(255) varchar(255) The VDOM name.

linked-nsapi smallint default 0 tinyint unsigned default 0 Linked Network Service Access Point Identifier.

next_stats bigint default 0 int unsigned default 0 Next Statistics.

virus varchar(255) varchar(255) Virus name.

imei-sv varchar(255) varchar(255) International Mobile Equipment Identity or IMEI is a number, usually unique, to identify GSM, WCDMA, and iDEN mobile phones, as well as some satellite phones.

devintfname varchar(255) varchar(255) The device interface name.

security varchar(255) varchar(255) The wireless security. This field is an enum, and can have one of the following values: • open • wep64 • wep128 • wpa-psk • wpa-radius • wpa • wpa2 • wpa2-auto

policy_id bigint default 0 int unsigned default 0 The policy ID that triggered this log.

rai varchar(255) varchar(255) Routing Area Identification.

hostname varchar(255) varchar(255) The host name or IP

xauth_user varchar(255) varchar(255) Authenticated user name.

uli varchar(255) varchar(255) User Location Information.

xauth_group varchar(255) varchar(255) Authenticated user group.

sent numeric(20) default 0 bigint unsigned default 0 Number of bytes sent.

rcvd numeric(20) default 0 bigint unsigned default 0 Number of bytes received.

sess_duration bigint default 0 int unsigned default 0 The duration of the session.

hbdn_reason varchar(255) varchar(255) Heartbeat down reason. This field is an enum, and can have one of the following values: • linkfail • neighbor-info-lost

banned_src varchar(255) varchar(255) Banned source. This field is an enum, and can have one of the following values: • ips • dos • dlp-rule • dlp-compound • av


end-usr-address varchar(40) varchar(40) End user address.

msg-type smallint default 0 tinyint unsigned default 0 Message type.

sync_type varchar(255) varchar(255) Synchronization type. This field is an enum, and can have one of the following values: • configurations • external-files

banned_rule varchar(255) varchar(255) Banned rule / reason.

vpn_tunnel varchar(255) varchar(255) VPN tunnel.

sync_status varchar(255) varchar(255) Synchronization status. This field is an enum, and can have one of the following values: • out-of-sync • in-sync

alert varchar(255) varchar(255) Alert.

sensor varchar(255) varchar(255) Sensor name.

endpoint varchar(255) varchar(255) The endpoint.

stage smallint default 0 tinyint unsigned default 0 Stage.

voip_proto varchar(255) varchar(255) This field is an enum, and can have one of the following values:• sip • sccp

deny_cause varchar(255) varchar(255) This field is an enum, and can have one of the following values:• packet-sanity • invalid-reserved-field • reserved-msg • out-state-msg • reserved-ie • out-state-ie • invalid-msg-length • invalid-ie-length • miss-mandatory-ie • ip-policy • non-ip-policy • sgsn-not-authorized • sgsn-no-handover • ggsn-not-authorized • invalid-seq-num • msg-filter • apn-filter • imsi-filter • adv-policy-filter

desc varchar(255) varchar(255) Description

dir varchar(255) varchar(255) Direction (inbound or outbound).

kind varchar(255) varchar(255) This field is an enum, and can have one of the following values:• register • unregister • call • call-info • call-block


init varchar(255) varchar(255) This field is an enum, and can have one of the following values:• local • remote

mode varchar(255) varchar(255) This field is an enum, and can have one of the following values:• aggressive • main • quick • xauth • xauth_client

cert-type varchar(255) varchar(255) Certificate type. This field is an enum, and can have one of the following values:• CA • CRL • Local • Remote

ui varchar(255) varchar(255) User interface.

exch varchar(255) varchar(255) This field is an enum, and can have one of the following values:• NSA_INIT • AUTH • CREATE_CHILD

rat-type varchar(255) varchar(255) This field is an enum, and can have one of the following values:• utran • geran • wlan • gan • hspa

error_num varchar(255) varchar(255) This field is an enum, and can have one of the following values: • Invalid ESP packet detected. • Invalid ESP packet detected (HMAC validation failed). • Invalid ESP packet detected (invalid padding). • Invalid ESP packet detected (invalid padding length). • Invalid ESP packet detected (replayed packet). • Received ESP packet with unknown SPI.

method varchar(255) varchar(255) The method.

phase2_name varchar(255) varchar(255) IPSec VPN Phase 2 name

spi varchar(255) varchar(255) IPSec VPN SPI.

c-sgsn varchar(40) varchar(40) SGSN IP address for GTP signalling.

request_name varchar(255) varchar(255) Request name

seq varchar(255) varchar(255) Sequence number

c-ggsn varchar(40) varchar(40) GGSN IP address for GTP signalling.

in_spi varchar(255) varchar(255) Remote SPI in IPSec VPN configuration.

u-sgsn varchar(40) varchar(40) SGSN IP address for GTP user traffic.

out_spi varchar(255) varchar(255) Local SPI in IPSec VPN configuration.

u-ggsn varchar(40) varchar(40) GGSN IP address for GTP user traffic.


c-sgsn-teid bigint default 0 int unsigned default 0 SGSN TEID (Tunnel endpoint identifier) for signalling.

enc_spi varchar(255) varchar(255) Encryption SPI in IPSec VPN.

c-ggsn-teid bigint default 0 int unsigned default 0 GGSN TEID for signalling.

dec_spi varchar(255) varchar(255) Decryption SPI in IPSec VPN.

message_type varchar(255) varchar(255) Message type. This field is an enum, and can have one of the following values:• request • response

malform_desc varchar(255) varchar(255) Malformed description. This field is an enum. See “Malform Description Values” on page 363 for possible values.

tunnel varchar(255) varchar(255) Tunnel name

u-sgsn-teid bigint default 0 int unsigned default 0 SGSN TEID for user traffic.

u-ggsn-teid bigint default 0 int unsigned default 0 GGSN TEID for user traffic.

malform_data bigint default 0 int unsigned default 0 Malformed data.

tunnel-idx bigint default 0 int unsigned default 0 VPN tunnel index.

line varchar(255) varchar(255) The content of the malformed SIP line.

column bigint default 0 int unsigned default 0 The syntax error point in the SIP line.

c-pkts numeric(20) default 0 bigint unsigned default 0 Number of packets for signalling.

phone varchar(255) varchar(255) SCCP phone device name.

profile_group varchar(255) varchar(255) Profile group name.

c-bytes numeric(20) default 0 bigint unsigned default 0 Number of bytes for signalling.

u-pkts numeric(20) default 0 bigint unsigned default 0 Number of packets used for traffic.

profile_type varchar(255) varchar(255) Profile type.

u-bytes numeric(20) default 0 bigint unsigned default 0 Number of bytes used for traffic.

next_stat bigint default 0 int unsigned default 0 Next stat.

user_data varchar(255) varchar(255) User data.

role varchar(255) varchar(255) This field is an enum, and can have one of the following values:• responder • initiator

result varchar(255) varchar(255) This field is an enum, and can have one of the following values:• ERROR • OK • DONE • PENDING

xauth_result varchar(255) varchar(255) Authorization result. This field is an enum, and can have one of the following values:• XAUTH authentication successful • XAUTH authentication failed


esp_transform varchar(255) varchar(255) ESP Transform. This field is an enum, and can have one of the following values:• ESP_NULL • ESP_DES • ESP_3DES • ESP_AES

esp_auth varchar(255) varchar(255) ESP Authorization. This field is an enum, and can have one of the following values: • no authentication • HMAC_SHA1 • HMAC_MD5 • HMAC_SHA256

error_reason varchar(255) varchar(255) Text explanation for the error. This field is an enum, and can have one of the following values:• invalid certificate • invalid SA payload • probable preshared key mismatch • peer SA proposal not match local policy • peer notification • not enough key material for tunnel • encapsulation mode mismatch • no matching gateway for new request • aggressive vs main mode mismatch for new request


peer_notif varchar(255) varchar(255) Peer Notification. This field is an enum, and can have one of the following values: • NOT-APPLICABLE • INVALID-PAYLOAD-TYPE • DOI-NOT-SUPPORTED • SITUATION-NOT-SUPPORTED • INVALID-COOKIE • INVALID-MAJOR-VERSION • INVALID-MINOR-VERSION • INVALID-EXCHANGE-TYPE • INVALID-FLAGS • INVALID-MESSAGE-ID • INVALID-PROTOCOL-ID • INVALID-SPI • INVALID-TRANSFORM-ID • ATTRIBUTES-NOT-SUPPORTED • NO-PROPOSAL-CHOSEN • BAD-PROPOSAL-SYNTAX • PAYLOAD-MALFORMED • INVALID-KEY-INFORMATION • INVALID-ID-INFORMATION • INVALID-CERT-ENCODING • INVALID-CERTIFICATE • BAD-CERT-REQUEST-SYNTAX • INVALID-CERT-AUTHORITY • INVALID-HASH-INFORMATION • AUTHENTICATION-FAILED • INVALID-SIGNATURE • ADDRESS-NOTIFICATION • NOTIFY-SA-LIFETIME • CERTIFICATE-UNAVAILABLE • UNSUPPORTED-EXCHANGE-TYPE • UNEQUAL-PAYLOAD-LENGTHS • CONNECTED • RESPONDER-LIFETIME • REPLAY-STATUS • INITIAL-CONTACT • R-U-THERE • R-U-THERE-ACK • HEARTBEAT • RETRY-LIMIT-REACHED

Malform Description Values

• unexpected-character • invalid-quoting-character • trailing-bytes • header-line-oversize • msg-body-oversize • domain-name-oversize • domain-label-oversize • syntax-malformed


• duplicated-sip-header • space-violation • invalid-ipv4-address • invalid-ipv6-address • invalid-port • invalid-fqdn • no-matching-double-quote • empty-quoted-string • invalid-<userinfo> • invalid-escape-encoding-in-<userinfo> • invalid-escape-encoding-in-uri-parameter • invalid-escape-encoding-in-uri-header • invalid-escape-encoding-in-<reason-phrase> • port-expected • port-not-allowed • domain-name-invalid • <gen-value>-expected • invalid-<gen-value> • invalid-<quoted-string>-in-<gen-value> • ipv4-address-expected • ipv6-address-expected • uri-expected • invalid-transport-uri-parameter • invalid-user-uri-parameter • invalid-method-uri-parameter • invalid-ttl-uri-parameter • invalid-uri-parameter-pname • invalid-uri-parameter-value • uri-parameter-repeat • invalid-uri-header-name • invalid-uri-header-value • invalid-uri-header-name-value-pair • invalid-quoted-string-in-display-name • left-angle-bracket-is-mandatory • right-angle-bracket-not-found • invalid-status-code • no-METHOD-on-request-line • uri-parameters-not-allowed-by-RFC • unknown-scheme • whitespace-expected


• LWS-expected • invalid-<SIP-Version>-on-request-line • invalid-<protocol-name> • invalid-<protocol-version> • invalid-<transport> • no-SLASH-after-<protocol-name> • no-SLASH-after-<protocol-version> • header-parameter-expected • invalid-ttl-parameter • invalid-maddr-parameter • invalid-received-parameter • invalid-branch-parameter • invalid-rport-parameter • via-parameter-repeat • <seq>-number-expected • <method>-expected • <method>-does-not-match-the-request-line • <response-num>-expected • <CSeq-num>-expected • <Method>-expected-after-<CSeq-num> • expires-header-repeated • <delta-seconds>-expected • invalid-max-forwards • token-expected • invalid-expires-parameter • invalid-q-parameter • <generic-param>-with-invalid-<gen-value> • <m-type>-expected • SLASH-expected-after-<m-type> • <m-subtype>-expected • <m-attribute>-expected-after-SEMI • boundary-parameter-appears-more-than-once • EQUAL-expected-after-<m-attribute> • invalid-<quoted-string>-in-<m-value> • invalid-<m-value> • multipart-Content-Type-has-no-boundary • digits-expected • IN-expected • IP-expected • IP4-or-IP6-expected


• IPv4-or-IPv6-address-expected • line-order-error • z-line-not-allowed-on-media-level • <time>-expected • <typed-time>-expected • r-line-not-allowed-on-media-level • <repeat-interval>-expected • <bwtype>-execpted • colon-expected • <bandwidth>-expected • t-line-not-allowed-on-media-level • invalid-<start-time> • invalid-<stop-time> • too-many-i-lines • <text>-expected • too-many-c-lines • too-many-v-line • v-line-not-allowed-on-media-level • too-many-o-lines • o-line-not-allowed-on-media-level • <username>-exepcted • <sess-id>-expected • <sess-version>-expected • too-many-s-lines • s-line-not-allowed-on-media-level • too-many-m-lines • <media>-expected • <integer>-expected • <proto>-expected • <token>-expected-in-<proto>-after-slash • <fmt>-expected • <att-field>-expected • <att-value>-expected • <payload-type>-expected-in-rtpmap • <encoding-name>-expected-in-rtpmap • slash-expected-after-<encoding-name>-in-rtpmap • invalid-<clock-rate>-in-rtpmap • invalid-<encoding-parameters>-in-rtpmap • invalid-candidate-line • sdp-candidate-line-before-m-line


• sip-Yahoo-candidate-invalid-protocol • invalid-port-after-ip-address-in-candidate-line • too-many-candidate-lines • sdp-invalid-alt-line • sdp-alt-line-before-m-line • invalid-port-after-ip-address-in-alt-line • sdp-rtcp-line-before-m-line • invalid-port-in-rtcp-line • too-many-rtcp-lines • <callid>-expected • <word>-expected • invalid-tag-parameter • no-tag-parameter • sdp-v-o-s-t-lines-are-mandatory • unknown-header • end-of-line-error • sip-udp-message-truncated • missing-mandatory-field

Traffic log fields

The table below lists the fields defined in traffic log tables (type tlog).

Field  Type (PostgreSQL)  Type (MySQL)  Description

status varchar(255) varchar(255) The status of the action the FortiGate unit took when the event occurred. For traffic logs, this field can be: • accept • deny • start

dir_disp varchar(255) varchar(255) The direction of the sessions. Org displays if a session is not a child session or the child session originated in the same direction as the master session. Reply displays if a different direction is taken from the master session.

tran_disp varchar(255) varchar(255) The packet is source NAT translated or destination NAT translated. This field is an enum, and can have one of the following values:• noop • snat • dnat

srcname varchar(255) varchar(255) The source name or the IP address.

dstname varchar(255) varchar(255) The destination name or IP address.

tran_ip varchar(40) varchar(40) The translated IP in NAT mode. For transparent mode, it is “0.0.0.0”.


tran_port int default 0 smallint unsigned default 0 The translated port number in NAT mode. For transparent mode, it is zero (0).

proto int default 0 smallint unsigned default 0 The protocol that applies to the session or packet. The protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA).

app_type varchar(255) varchar(255) The application or program used. This field is an enum, and can have one of the following values:• N/A • BitTorrent • eDonkey • Gnutella • KaZaa • Skype • WinNY • AIM • ICQ • MSN • YAHOO

duration bigint default 0 int unsigned default 0 This represents the value in seconds.

rule bigint default 0 int unsigned default 0 The rule number.

sent bigint default 0 int unsigned default 0 The total number of bytes sent.

rcvd bigint default 0 int unsigned default 0 The total number of bytes received.

sent_pkt bigint default 0 int unsigned default 0 The total number of packets sent during the session.

rcvd_pkt bigint default 0 int unsigned default 0 The total number of packets received during the session.

vpn varchar(255) varchar(255) The name of the VPN tunnel used by the traffic.

SN bigint default 0 int unsigned default 0 The serial number of the log message.

carrier_ep varchar(255) varchar(255) The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.

wanopt_app_type varchar(255) varchar(255) The type of WAN optimization that was used. This field is an enum, and can have one of the following values: • web-cache • cifs • tcp • ftp • mapi • http

wan_in bigint default 0 int unsigned default 0 This field always displays WAN in.

wan_out bigint default 0 int unsigned default 0 This field always displays WAN out.

lan_in bigint default 0 int unsigned default 0 This field always displays LAN in.

lan_out bigint default 0 int unsigned default 0 This field always displays LAN out.


app varchar(255) varchar(255) The type of application. On the FortiGate unit, you can look the application type up in UTM > Application Control > Application List, and then select the name that is in the field to go to more detailed information on the FortiGuard Encyclopedia.

app_cat varchar(255) varchar(255) The application category that the application is associated with.

shaper_drop_sent bigint default 0 int unsigned default 0 The number of sent traffic shaper bytes that were dropped.

shaper_drop_rcvd bigint default 0 int unsigned default 0 The number of received traffic shaper bytes that were dropped.

perip_drop bigint default 0 int unsigned default 0 The number of per-IP traffic shaper bytes that were dropped.

shaper_sent_name varchar(255) varchar(255) The name of the traffic shaper sending the bytes.

shaper_rcvd_name varchar(255) varchar(255) The name of the traffic shaper receiving the bytes.

perip_name varchar(255) varchar(255) The name of the per-IP traffic shaper.

Antivirus log fields

The table below lists the fields defined in antivirus log tables (type vlog).

Field  Type (PostgreSQL)  Type (MySQL)  Description

status varchar(255) varchar(255) The status of the action the FortiGate unit took when the event occurred. For antivirus logs, this field can be: • blocked • passthrough • monitored

msg varchar(255) varchar(255) Explains the activity or event that the FortiGate unit recorded. For example, the file that was downloaded from the web site exceeded the specified size limit.

sport int default 0 smallint unsigned default 0 The source port of where the traffic is originating from.

dport int default 0 smallint unsigned default 0 The destination port of where the traffic is going to.

serial bigint default 0 int unsigned default 0 The serial number of the log message.

dir varchar(255) varchar(255) Direction

filefilter varchar(255) varchar(255) The file filter. This field is an enum, and can have one of the following values:• none • file pattern • file type


filetype varchar(255) varchar(255) The file type. This field is an enum, and can have one of the following values:• arj • cab • lzh • rar • tar • zip • bzip • gzip • bzip2 • bat • msc • uue • mime • base64 • binhex • com • elf • exe • hta • html • jad • class • cod • javascript • msoffice • fsg • upx • petite • aspack • prc • sis • hlp • activemime • jpeg • gif • tiff • png • bmp • ignored • unknown

file varchar(255) varchar(255) The file name.

checksum varchar(255) varchar(255) The file checksum.

quarskip varchar(255) varchar(255) This field is an enum, and can have one of the following values:• No skip • No quarantine for HTTP GET file pattern block. • No quarantine for oversized files. • File was not quarantined.

virus varchar(255) varchar(255) The virus name.

ref varchar(255) varchar(255) The URL reference that gives more information about the virus. If you enter the URL in your web browser’s address bar, the URL directs you to the specific page that contains information about the virus.


url varchar(255) varchar(255) The URL address of where the file was acquired.

carrier_ep varchar(255) varchar(255) The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.

agent varchar(255) varchar(255) This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.

from varchar(255) varchar(255) The from email address.

to varchar(255) varchar(255) The to email address.

command varchar(255) varchar(255) Protocol specific command, such as “POST” and “GET” for HTTP, “MODE” and “REST” for FTP.

dtype varchar(255) varchar(255) Detection type, possible values: • virus • grayware

Web filter log fields

The table below lists the fields defined in web filter log tables (type wlog).

Field  Type (PostgreSQL)  Type (MySQL)  Description

status varchar(255) varchar(255) The status of the action the FortiGate unit took when the event occurred. For web filter logs, this field can be: • blocked • exempted • allowed • passthrough • filtered • DLP

serial bigint default 0 int unsigned default 0 The serial number of the log message.

sport int default 0 smallint unsigned default 0 The source port.

dport int default 0 smallint unsigned default 0 The destination port.

hostname varchar(255) varchar(255) The host name or IP.

carrier_ep varchar(255) varchar(255) The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.

req_type varchar(255) varchar(255) The request type. This field is an enum, and can have one of the following values:• direct • referral

url varchar(255) varchar(255) The URL.

msg varchar(255) varchar(255) A text message explaining the log entry. For example, 'Message was blocked because it contained a banned word.'

dir varchar(255) varchar(255) The direction.

agent varchar(255) varchar(255) This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.


from varchar(255) varchar(255) From

to varchar(255) varchar(255) To

banword varchar(255) varchar(255) The name of the banned word policy that triggered the log event.

error varchar(255) varchar(255) The webfilter error.

method varchar(255) varchar(255) The HTTP method. This field is an enum, and can have one of the following values: • ip • domain

class smallint default 0 tinyint unsigned default 0 Class

class_desc varchar(255) varchar(255) Class description

cat smallint default 0 tinyint unsigned default 0 Category

cat_desc varchar(255) varchar(255) Category description

mode varchar(255) varchar(255) The mode. Can be 'rule' or 'off-site'.

rule_type varchar(255) varchar(255) Rule type. This field is an enum, and can have one of the following values: • directory • domain • rating

rule_data varchar(255) varchar(255) Rule data

ovrd_tbl varchar(255) varchar(255) Override table

ovrd_id bigint default 0 int unsigned default 0 Override ID

count bigint default 0 int unsigned default 0 The number of scripts blocked by the scriptfilter within the page.

url_type varchar(255) varchar(255) URL Type. This field is an enum, and can have one of the following values: • http • https • ftp • telnet • mail

urlfilter_idx bigint default 0 int unsigned default 0 URL Filter Index

urlfilter_list varchar(255) varchar(255) URL Filter List

quota_exceeded varchar(255) varchar(255) Quota Exceeded. Can be 'yes' or 'no'.

quota_used bigint default 0 int unsigned default 0 Quota time used (in seconds).

quota_max bigint default 0 int unsigned default 0 Maximum quota time allowed (in seconds).

Netscan log fields

The table below lists the fields defined in vulnerability / netscan log tables (type nlog).

Field  Type (PostgreSQL)  Type (MySQL)  Description


action varchar(255) varchar(255) The nature of the event. This field is an enum, and can have one of the following values: • scan • vuln-detection • host-detection • service-detection

start bigint default 0 int unsigned default 0 GMT epoch time the scan was started.

end bigint default 0 int unsigned default 0 GMT epoch time the scan ended.

engine varchar(255) varchar(255) The netscan engine version.

plugin varchar(255) varchar(255) The version of netscan plugins.

ip varchar(40) varchar(40) The IP of the scanned asset.

proto varchar(255) varchar(255) The protocol. Can be: • tcp • udp

port int default 0 smallint unsigned default 0 The port scanned.

vuln varchar(255) varchar(255) The name of the vulnerability found.

vuln_cat varchar(255) varchar(255) The found vulnerability category.

vuln_id bigint default 0 int unsigned default 0 The found vulnerability ID.

vuln_ref varchar(255) varchar(255) A link to the detected vulnerability in FortiGuard.

severity varchar(255) varchar(255) The severity of the vulnerability. This field is an enum, and can have one of the following values: • critical • high • medium • low • info

os varchar(255) varchar(255) The operating system of the scanned asset.

os_family varchar(255) varchar(255) The family of the operating system on the scanned asset.

os_gen varchar(255) varchar(255) The generation of the operating system on the scanned asset.

os_vendor varchar(255) varchar(255) The vendor of the operating system on the scanned asset.

message varchar(255) varchar(255) Informational message.

Examples

The following examples illustrate how to write custom datasets. After you create the datasets, you can use them when you configure chart templates under Report > Chart > Template.


Figure 2: Adding a dataset to a chart template

Then you can add the chart template to a report when you create the new report under Report > Config > Report.

Figure 3: Adding a chart to a report

[Figure callouts: Select the dataset; Select the chart]


Example 1: Distribution of applications by type in the last 24 hours

Figure 4: Creating a dataset

GUI procedure

1 Go to Report > Chart > Data Set.
2 Click Create New to create a new dataset and enter a name (such as "apps_type_24hrs").
3 Under Log Type ($log), select Application Control.
4 Under Time Period, select Past N Hours, and enter 24 in Past N Hours.
5 Enter the query:

SELECT app_type, COUNT( * ) AS totalnum
FROM $log
WHERE $filter
AND app_type IS NOT NULL
GROUP BY app_type
ORDER BY totalnum DESC

CLI procedure

To perform the same task using the CLI, use these commands:

config sql-report dataset
    edit apps_type_24hrs
        set log-type app-ctrl
        set time-period last-n-hours
        set period-last-n 24
        set query "SELECT app_type, COUNT( * ) AS totalnum FROM $log WHERE $filter AND app_type IS NOT NULL GROUP BY app_type ORDER BY totalnum DESC"
    end

Notes:

• $log queries all application control logs.

Note: On the FortiGate unit, custom datasets can only be created via the CLI. On the FortiAnalyzer unit, datasets can be created via the CLI or the GUI. As well, on the FortiAnalyzer unit, queries support additional variables for log types ($log) and time periods ($filter) that make authoring queries easier.


• $filter restricts the query result to the time period specified; in this case, it’s the past 24 hours.

• The application control module classifies each firewall session in app_type. One firewall session may be classified to multiple app_types. For example, an HTTP session can be classified to: HTTP, Facebook, etc.

• Some apps/app_types cannot be detected; in that case the app_type field is null or ‘N/A’. Such rows are ignored by this query.

• The result is ordered by the total session number of the same app_type. The most frequent app_types will appear first.

Example 2: Top 100 applications by bandwidth in the last 24 hours

GUI procedure

1 Go to Report > Chart > Data Set.
2 Click Create New to create a new dataset and enter a name (such as "top_100_apps_24hrs").
3 Under Log Type ($log), select Traffic.
4 Under Time Period, select Past N Hours, and enter 24 in Past N Hours.
5 Enter the query:

SELECT (TIMESTAMP - TIMESTAMP %3600) AS hourstamp, app, service, SUM( sent + rcvd ) AS volume
FROM $log
WHERE $filter and app IS NOT NULL
GROUP BY app
ORDER BY volume DESC LIMIT 100

CLI procedure

To perform the same task using the CLI, use these commands:

config sql-report dataset
    edit top_100_apps_24hrs
        set log-type traffic
        set time-period last-n-hours
        set period-last-n 24
        set query "SELECT ( TIMESTAMP - TIMESTAMP %3600 ) AS hourstamp, app, service, SUM( sent + rcvd ) AS volume FROM $log WHERE $filter and app IS NOT NULL GROUP BY app ORDER BY volume DESC LIMIT 100"
    end

Notes:

• (timestamp-timestamp%3600) as hourstamp - this calculates an "hourstamp" to indicate bandwidth per hour.

• SUM( sent + rcvd ) AS volume - this calculates the total sent and received bytes.


• ORDER BY volume DESC - this orders the results by descending volume (largest volume first)

• LIMIT 100 - this lists only the top 100 applications.

Example 3: Top 10 attacks in the past one hour

GUI procedure
1 Go to Report > Chart > Data Set.
2 Click Create New to create a new dataset and enter a name (such as "top_attacks_1hr").
3 Under Log Type($log), select Attack.
4 Under Time Period, select Past N Hours, and enter 1 in Past N Hours.
5 Enter the query:

  SELECT attack_id, COUNT( * ) AS totalnum
  FROM $log
  WHERE $filter AND attack_id IS NOT NULL
  GROUP BY attack_id
  ORDER BY totalnum DESC
  LIMIT 10

CLI procedure
To perform the same task using the CLI, use these commands:

  config sql-report dataset
    edit top_attacks_1hr
      set log-type attack
      set time-period last-n-hours
      set period-last-n 1
      set query "SELECT attack_id, COUNT( * ) AS totalnum FROM $log WHERE $filter and attack_id IS NOT NULL GROUP BY attack_id ORDER BY totalnum DESC LIMIT 10"
    end

Notes:
• The result is ordered by the total number of attacks with the same attack_id. The most frequent attack_id appears first.

Example 4: Top WAN optimization applications in the past 24 hours

GUI procedure
1 Go to Report > Chart > Data Set.
2 Click Create New to create a new dataset and enter a dataset name (such as "WAN_OPT_24hrs").
3 Under Log Type($log), select Traffic.
4 Under Time Period, select Past N Hours, and enter 24 in Past N Hours.
5 Enter the query:

  SELECT wanopt_app_type, SUM( wan_in + wan_out ) AS bandwidth
  FROM $log
  WHERE $filter
  AND subtype = 'wanopt-traffic'
  GROUP BY wanopt_app_type
  ORDER BY SUM( wan_in + wan_out ) DESC
  LIMIT 5

CLI procedure
To perform the same task using the CLI, use these commands:

  config sql-report dataset
    edit WAN_OPT_24hrs
      set log-type traffic
      set time-period last-n-hours
      set period-last-n 24
      set query "SELECT wanopt_app_type, SUM( wan_in + wan_out ) AS bandwidth FROM $log WHERE $filter AND subtype = 'wanopt-traffic' GROUP BY wanopt_app_type ORDER BY SUM( wan_in + wan_out ) DESC LIMIT 5"
    end

Notes:
• The WAN optimizer module logs the bandwidth of each application. All bandwidth data is logged in traffic logs, and WAN optimization records have the subtype ‘wanopt-traffic’.
• SUM( wan_in + wan_out ) AS bandwidth - this calculates the total inbound and outbound traffic.
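The $log and $filter substitution that the dataset settings perform in Examples 2 to 4, shown as an added example that is not Fortinet's code: it expands Example 2's bandwidth query and runs it in an in-memory SQLite table over constructed traffic log rows. The table name "traffic", the column names, and the fixed "now" value are assumptions; the same expansion applies unchanged to the attack and WAN optimization queries.

```python
import sqlite3

# Fixed "now" (constructed) so the demo is deterministic; FortiAnalyzer uses the
# report run time when it expands $filter for a "Past N Hours" dataset.
NOW = 1_700_000_000

# Constructed traffic-log rows (timestamp, app, service, sent, rcvd); not real log data.
TRAFFIC_ROWS = [
    (NOW - 600,    "HTTP",     "tcp/80",  1000, 5000),
    (NOW - 3000,   "Facebook", "tcp/443",  200,  800),
    (NOW - 7200,   "HTTP",     "tcp/80",  3000, 9000),
    (NOW - 20000,  "SSH",      "tcp/22",   400,  100),
    (NOW - 40000,  None,       "tcp/81",   100,  100),   # app NULL: dropped by "app IS NOT NULL"
    (NOW - 100000, "HTTP",     "tcp/80", 99999, 99999),  # older than 24 h: dropped by $filter
]

# Example 2's query as entered in the dataset, with the two variables left unexpanded.
TOP_APPS_QUERY = """SELECT (TIMESTAMP - TIMESTAMP % 3600) AS hourstamp, app, service,
       SUM(sent + rcvd) AS volume
FROM $log WHERE $filter AND app IS NOT NULL
GROUP BY app ORDER BY volume DESC LIMIT 100"""


def expand_dataset_query(query, log_table, past_n_hours, now=NOW):
    """Expand the dataset variables the way the GUI settings imply (assumed mapping):
    $log -> the table for the selected Log Type, $filter -> the Past N Hours window."""
    window_start = now - past_n_hours * 3600
    return query.replace("$log", log_table).replace("$filter", f"TIMESTAMP >= {window_start}")


def run_dataset(rows, query=TOP_APPS_QUERY, past_n_hours=24, now=NOW):
    """Load the constructed rows into an in-memory table and run the expanded query.
    Returns (hourstamp, app, service, volume) tuples in the dataset's result order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE traffic (timestamp INTEGER, app TEXT, service TEXT, "
                 "sent INTEGER, rcvd INTEGER)")
    conn.executemany("INSERT INTO traffic VALUES (?, ?, ?, ?, ?)", rows)
    # hourstamp and service are selected but not in GROUP BY, so each app's row carries the
    # hour/service of whichever log row the database keeps; add hourstamp to GROUP BY for
    # one row per app per hour. volume, by contrast, is the exact sum over the window.
    return conn.execute(expand_dataset_query(query, "traffic", past_n_hours, now)).fetchall()


if __name__ == "__main__":
    for hourstamp, app, service, volume in run_dataset(TRAFFIC_ROWS):
        print(f"{hourstamp} {app:<10} {service:<8} {volume}")
```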


Appendix E: Port Numbers

The following tables describe the port numbers that the FortiAnalyzer unit uses:
• ports for traffic originating from units (outbound ports)
• ports for traffic receivable by units (listening ports)
• ports used to connect to the Fortinet Distribution Network (FDN ports)

Traffic varies by enabled options and configured ports. Only default ports are listed.

Table 42: FortiAnalyzer outbound ports

Functionality                                                  Port(s)
DNS lookup                                                     UDP 53
NTP synchronization                                            UDP 123
Windows share                                                  UDP 137-138
SNMP traps                                                     UDP 162
Syslog, log forwarding                                         UDP 514
  Note: If a secure connection has been configured between a FortiGate and a
  FortiAnalyzer, syslog traffic is sent through an IPsec tunnel. Data is then
  exchanged over UDP 500/4500 and IP protocol 50 (ESP).
Log and report upload                                          TCP 21 or TCP 22
SMTP alert email                                               TCP 25
User name LDAP queries for reports                             TCP 389 or TCP 636
Vulnerability Management updates                               TCP 443
RADIUS authentication                                          TCP 1812
Log aggregation client                                         TCP 3000
Device registration of FortiGate or FortiManager units;
remote access to quarantine, logs & reports from a FortiGate
unit; remote management from a FortiManager unit
(configuration retrieval) (OFTP)                               TCP 514


Table 43: FortiAnalyzer listening ports

Functionality                                                  Port(s)
Windows share                                                  UDP 137-139 and TCP 445
Syslog, log forwarding                                         UDP 514
  Note: If a secure connection has been configured between a FortiGate and a
  FortiAnalyzer, syslog traffic is sent through an IPsec tunnel. Data is then
  exchanged over UDP 500/4500 and IP protocol 50 (ESP).
SSH administrative access to the CLI                           TCP 22
Telnet administrative access to the CLI                        TCP 23
HTTP administrative access to the web-based manager            TCP 80
HTTPS administrative access to the web-based manager;
remote management from a FortiManager unit                     TCP 443
Device registration of FortiGate or FortiManager units;
remote access to quarantine, logs & reports from a FortiGate
unit; remote management from a FortiManager unit
(configuration retrieval) (OFTP)                               TCP 514
NFS share                                                      TCP 2049
HTTP or HTTPS administrative access to the web-based
manager's CLI dashboard widget (v3.0 MR5 only)                 TCP 2032
  The protocol used matches the protocol the administrator used when logging
  in to the web-based manager.
Log aggregation server                                         TCP 3000
  Log aggregation server support requires model FortiAnalyzer-800 or greater.
Remote management from a FortiManager unit
(configuration installation)                                   TCP 8080
Remote MySQL database connection                               TCP 3306

Table 44: FortiAnalyzer FDN ports

Functionality                                                  Port(s)
Vulnerability Management updates                               TCP 443


Index

Symbols
_email, 18
_fqdn, 18
_index, 18
_int, 18
_ipv4, 18
_ipv4/mask, 18
_ipv4mask, 18
_ipv6, 18
_ipv6mask, 18
_name, 18
_pattern, 18
_str, 18
_url, 18
_v4mask, 18
_v6mask, 18

A
access profile, 25, 27
  adding
  configuring
  defining
  log severity levels, 341
administrative access
  interface settings, 65
  restricting, 64, 65, 77
administrative domains. See ADOMs
administrator
  admin, accessing ADOMs, 32
  assigning to ADOM, 32
ADOMs, 27
  access privileges, 25
  accessing as admin administrator, 32
  admin account privileges, 25
  assigning administrators, 32
  disabling, 31
  enabling, 28
  Global, 27
  maximum number, 333
  permissions, 25
  root, 31
aggregation client, 101
alerts, 87, 96, 98
  testing, 91
alias, 104
ARP, 292
authenticated network scan
  preparing, 223

B
backing up log files, 276
backing up the configuration
  using the CLI, 276
  using web-based manager, 276
backup & restore, 114
baud rate, 303
blocking device connection attempts, 134
Boolean operator, 267
Bootup issues, 302
browse
  network analyzer, 262
  sniffer, 262
browser, 23

C
charts, 173
CIDR, 18
classifying FortiGate network interfaces, 137
CLI
  commands, 288
clock, 38, 39
column view
  network analyzer logs, 265
command line interface (CLI), 16, 17, 35, 53, 77
  Console widget, 53
  prompt, 39
command prompt, 39
connection attempt handling, 133
contract, 40
conventions, 16
count, 152
CPU usage, 41, 42

D
dashboard, 35, 207
data filter template, 178
data set, 201
DC (duplicate count), 153
default
  password, 16
delete after upload
  network analyzer log, 272
device
  adding or deleting, 131
  groups, 136
  list, 123
  maximum number, 126
  registration and reports, 152
  unregistered vs. registered, 126
disk space
  allocated to Network Analyzer, 272
DLP archive, 149
  backing up, 158
DNS server, 69
  test connection, 291
documentation
  conventions, 16
dotted decimal, 18
down, 64
download
  logs, 156, 270
  network analyzer logs, 263
  search results, 270


E
eDiscovery, 160
expected input, 17

F
Federal Information Processing Standards (FIPS), 13
file
  extension, 46, 264, 270
filter
  criteria, 267
  icon, 264, 266, 268
  logs, 144
  network analyzer, 266
  tip, 267
  tips, 145
firmware
  install, 38
  version, 35, 38
formatted view
  network analyzer logs, 265
Fortinet
  Knowledge Base, 15
  Technical Documentation, 15
    comments, 15
    conventions, 16
  Technical Support, 14
  Training Services, 15
Fortinet Discovery Protocol (FDP), 64, 65, 66
FTP, 272
fully qualified domain name (FQDN), 18

G
graphical user interface (GUI), 23
gzip, 46, 264, 270, 272

H
HA cluster, 128, 131
hard disk, 49
historical viewer
  network analyzer, 261
host name, 35, 39
hot swap, 49
HTTP, 65
HTTPS, 64, 65

I
ICMP, 65
importing log files, 155
index number, 18
indexed log fields, 268
input constraints, 17
installation, 15
IP alias, 104
  resolve host names, 151
IPsec VPN tunnel, 128

J
JavaScript, 53

L
language, 24, 184
license information, widget, 40
lightweight directory access protocol (LDAP), 111, 114
Linux, 292
local console access, 53
log forwarding, 103
logs, 38
  backing up, 158
  content. See DLP archive
  CSV format, 270
  download, 270
  gzip, 46, 264, 270
  indexed fields, 268
  raw view, 266, 268
  search, 268
  search tips, 148
  unindexed fields, 266, 268

M
mail server, 91
maximum transmission unit (MTU), 66, 284
Maximum Values Matrix, 333
media access control (MAC) address, 65
memory usage, 41
Microsoft
  Internet Explorer, 23
migrating data, 118
Mozilla Firefox, 23
MS Windows, 292

N
network
  sniffer, 262
network analyzer
  browse, 262
  column view, 260
  delete after download, 272
  download logs, 263
  enable, 271
  filter, 266
  gzip, 272
  historical viewer, 261
  real-time viewer, 259
  resolve host names, 260, 262
  roll settings, 270
  upload to, 272
network analyzer logs
  column view, 265
  formatted view, 265
network file share (NFS), 13
network interface
  administrative access, 65
  status, 64
network interfaces, classifying (FortiGate), 137
network maps, 217


network share, 13, 70
Network Time Protocol (NTP), 38
new disk
  adding for 2000B and 4000B, 50

P
password, 79
  administrator, 16
  log upload, 272
patch releases, 275
pattern, 18
Payment Card Industry Data Security Standard (PCI DSS), 247
performance, 35
permissions
  access profile, 80
  ADOMs, 25
ping, 65
port
  destination, 260
  number, 24
  numbers, 288
  scan, 13
  source, 260
ports
  UDP ports 33434-33534, 291
powering on, 302
prompt, 53
protocol
  FTP, 272
  SCP, 272
  SFTP, 272

Q
quarantine, 151
  count, 152
  duplicate count, 153
  ticket number, 153
query, 111, 114
  DNS, 69

R
raid monitor, widget, 47
random access memory (RAM), 43
real-time viewer
  network analyzer, 259
regular expression, 18
remote authentication dial in user service (RADIUS), 82
report
  browsing, 210
  chart template, 197
  charts, 173
  data filter, 178
  FortiClient example, 191
  FortiGate example, 188, 208
  FortiMail example, 194
  language, 184
  layout, 168, 173, 181, 184
  output template, 91
  profiles, 173
  schedule, 181
  uploading graphics for, 203
report engine, widget, 47
resolution, 23
resolve host names, 151
  network analyzer, 260, 262
roll settings
  network analyzer, 270
root (Management Administrative Domain), 31
root ADOM, 27, 31

S
scheduling, 38
SCP, 272
search
  DLP archive, 149
  download results, 270
  Network Analyzer logs, 257, 268
  tips, 148, 269
  user data, 149
secure connection, 152
Secure Shell (SSH), 53, 64, 65
serial number, 38
serial port parameters, 302
severity levels (logs), 341
SFTP, 272
share, 13
simple network management protocol (SNMP)
  system name, 39
sniffer, 257, 262
  See also network analyzer
SNMP
  community, 96
  event, 98
  manager, 97
  queries, 98
spam, 194
span port, 257
special characters, 40
SSL, 38
statistics widget, 44
string, 18
subnet, 269
supported RFCs
  1213, 95
  1918, 16
  2665, 95, 307
sync interval, 39
syntax, 17
Syslog server, 98
system information, widget, 38
system operation, widget, 41
system resource usage, 35
system resources, widget, 41
system time, 35, 288

T
Technology Assistance Center (TAC), 287
Telnet, 53, 65


throughput, 35
ticket number, 153
time, 38
time to live (TTL), 291
traceroute, 291
tracert, 292
troubleshooting, 285
  packet sniffing, 293
  routing table, 292

U
unindexed log fields, 266, 268
unknown, 133
unregistered, 126, 152
up, 64
upgrading, 279
uptime, 35, 288
US-ASCII, 40

V
value parse error, 18
virus
  See quarantine
vulnerability management, 213
  asset groups, 216
  assets, 214
  database, 213, 242
  host status, 239
  network map, 217
  scan profiles, 231
  scheduling scans, 234
  sensors, 226
  signatures, 213, 242
  summary, 239

W
web browser, 23
web filtering, 148
web services, 66
widget, 35
  intrusion activity, 62
  license information, 40
  log receive monitor, 50
  logs/data received, 43
  raid monitor, 47
  report engine, 47
  statistics, 44
  system information, 38
  system operation, 41
  system resources, 41
  top email traffic, 57
  top ftp traffic, 58
  top im/p2p traffic, 59
  top traffic, 54
  top web traffic, 56
  virus activity, 61
wild cards, 18
WSDL file
  obtaining, 68
