FortiRecorder 2.1 Administration Guide, 1st Edition

March 30, 2015
1st Edition
Copyright © 2015 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and
FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other
Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All
other product or company names may be trademarks of their respective owners. Performance
and other metrics contained herein were attained in internal lab tests under ideal conditions,
and actual performance and other results may vary. Network variables, different network
environments and other conditions may affect performance results. Nothing herein represents
any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or
implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will
perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be
binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the
same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants,
representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves
the right to change, modify, transfer, or otherwise revise this publication without notice, and the
most current version of the publication shall be applicable.
Technical Documentation
http://help.fortinet.com
Knowledge Base
http://kb.fortinet.com
Forums
https://support.fortinet.com/forum
Customer Service & Support
https://support.fortinet.com
Training Services
http://training.fortinet.com
FortiGuard Threat Research & Response
http://www.fortiguard.com
Document Feedback
Email: techdocs@fortinet.com
Table of contents
Key concepts
  FortiRecorder NVR
  Camera support
  Deployment scenarios and camera discovery
    Local camera deployments
      Same network deployments
      Routed network deployments
      Private network vs office network
    Remote camera deployments
  Video clips
  Performance guidelines
    NVR performance
      Number of supported cameras
      General performance factors
      Variable versus constant bit rate
      Bandwidth per camera or live view
      Storage capacity
    Client Performance
NVR configuration
  Connecting to FortiRecorder web UI
  Connecting to FortiRecorder CLI
  Basic NVR configuration
    Setting the “admin” account password
    Configuring the network settings
    Configuring the DHCP server
    Setting the system time
  Advanced/optional NVR configuration
    Configuring system timeout, ports, and public access
    Configuring FortiRecorder system appearance
    Configuring logging
    Alert email
Camera settings
  Camera configuration workflow
  Configuring video profiles
  Configuring camera profiles
  Configuring recording schedules
  Camera groups
Camera connection
  Camera discovery and DHCP service
  Connecting FortiRecorder to the cameras
  Configuring cameras
User management
  User types
  User configuration workflow
  Configuring user accounts
  Configuring LDAP authentication
  Configuring RADIUS authentication
Notifications
  Notification configuration workflow
  Configuring FortiRecorder to send notification email
  Configuring FortiRecorder to send SMS messages
  Configuring cameras to send notifications
Video monitoring
  Watching live video feeds
  Watching recorded video clips
  Reviewing motion detection notifications
Video management
  Local storage
  Remote storage
System monitoring
  The dashboard
  SNMP traps & queries
    Configuring an SNMP community
    Configuring SNMP v3 users
    MIB support
  Logging
    About logs
      Log types
      Log severity levels
    Viewing log messages
    Displaying & sorting log columns & rows
    Downloading log messages
    Deleting log files
    Searching logs
Secure connections and certificates
  Supported cipher suites & protocol versions
  Replacing the default certificate for the web UI
    Generating a certificate signing request
    Uploading & selecting to use a certificate
  Uploading trusted CAs’ certificates
    Example: Downloading the CA’s certificate from Microsoft Windows 2003 Server
  Revoking certificates
    Revoking certificates by OCSP query
Updating the firmware
  Installing NVR firmware
    Installing alternate firmware
    Booting from the alternate partition
  Upgrading/downgrading the camera firmware
Fine-tuning & best practices
  Hardening security
    Topology
    Administrator access
    Operator access
    Patches
  Improving performance
    Video performance
    System performance
    Logging & alert performance
    Packet capture performance
  Regular backups
    Restoring a previous configuration
Troubleshooting
  Solutions by issue type
    Video viewing issues
      Live feed delay
      Video not being sent to the NVR
    Snapshot notification issues
    Login issues
      When an administrator account cannot log in from a specific IP
      Remote authentication query failures
      Resetting passwords
    Connectivity issues
      Checking hardware connections
      Bringing up network interfaces
      Examining the ARP table
      Checking routing
      Facilitating discovery
      DHCP issues
        Unauthorized DHCP clients or DHCP pool exhaustion
      Establishing IP sessions
      Resolving IP address conflicts
      Packet capture
    Resource issues
    Data storage issues
  Resetting the configuration
  Restoring firmware (“clean install”)
Questions and answers
  How to connect cameras to FortiRecorder for the first time
    Scenario 1: Direct connection
    Scenario 2: Connection with a third party DHCP server
  How to use recorded video clips
  How to use DIDO terminal connectors on FortiCam MB13 cameras
Appendix A: Port numbers
Appendix B: Maximum values
Index
Key concepts
This chapter defines basic FortiRecorder concepts and terms.
If you are new to FortiRecorder, or new to digital video surveillance systems, this chapter can
help you to quickly understand how to use your FortiRecorder system.
• FortiRecorder NVR
• Camera support
• Deployment scenarios and camera discovery
• Video clips
• Performance guidelines
FortiRecorder NVR
The FortiRecorder network video recorder (NVR) provides central management for:
• configuring your cameras
• recording your video feeds
• viewing recordings and live video feeds
Camera support
The FortiRecorder NVR supports FortiCam series cameras from Fortinet and third-party
ONVIF-compliant cameras. Some features of third-party cameras may not be fully
supported, so you may want to configure those features through the camera's own built-in
web interface.
By default, every FortiRecorder or FortiRecorder-VM appliance supports one third-party
camera. If you want to connect more than one, you must purchase licenses from Fortinet. For
more information, contact Fortinet or its resellers.
Deployment scenarios and camera discovery
Cameras are deployed in two basic scenarios: local to the NVR and remote to the NVR.
FortiCamera deployments can combine both scenarios.
Local camera deployments
Local camera deployments have two specific scenarios:
• Cameras are installed on the same network as the NVR.
• Cameras are installed on a local network, but there are one or more routers between the
NVR and the cameras.
Same network deployments
Installing the cameras on the same subnet as the NVR is the easiest deployment scenario since
the NVR can automatically discover the cameras.
Routed network deployments
If there are routers between the cameras and the NVR, the routers must be configured to allow
mDNS multicast packets between the camera network and the NVR network in order for the
NVR to automatically discover the cameras. Once the cameras are discovered, you can leave
the address mode as DHCP or change it to static.
If the routers are not configured to pass the mDNS packets, the cameras can be configured
manually by selecting the static address mode on the camera configuration page.
Private network vs office network
You can install the NVR and cameras on your existing network, which saves effort and
cost. You can also install the system on a dedicated private network only reachable by the
NVR. Although this involves installing a new network and thus increasing the costs, there are
some advantages of using a private network:
• the video streams are protected.
• the cameras are protected because they cannot be reached from outside the network.
• easier to determine bandwidth requirements.
• better quality of service since bandwidth is known.
See also
• Facilitating discovery
Remote camera deployments
Remote camera deployments are scenarios where there is a firewall between the NVR and
the cameras. In these deployments, camera discovery will not work and the cameras will
likely have virtual IP (VIP) addresses on the firewall. The cameras are configured by
selecting the VIP address mode on the camera configuration page.
Video clips
You can use FortiRecorder to:
• Manually record activities
• Continuously record activities by schedules
• Record sudden activities only (motion detection)
• Record audio activities (if the camera supports audio detection)
• Record on triggers from digital input (if the camera supports DIDO)
• View live video
Motion detection will record a video clip up to about 40 seconds long each time the camera’s
sensor detects movement. In contrast, continuous video records for the entire duration of the
schedule, regardless of movement.
Performance guidelines
There are two components to consider when looking at FortiRecorder performance – the NVR
and the client.
Overall FortiRecorder performance is a combination of the video input (number of cameras,
camera streams, resolution, etc.) and the video output (to the browser for live views and
playback).
The performance bottleneck in a FortiCamera deployment will likely be the client, which must
decode and render the video streams from the NVR. Displaying multiple video streams on the
client is very CPU intensive.
NVR performance
Number of supported cameras
The FortiRecorder-200D can support 64 cameras or more depending on the configuration.
General performance factors
The following factors affect the input side of performance:
• Total number of video streams from the cameras (i.e. not just the number of cameras)
• The video recording types (motion only or continuous) per camera
• The video stream parameters per camera – i.e. resolution, frame rate, bit rate mode
(constant or variable) and the bit rate mode parameters (bit rate or image quality)
The following factors affect the output side of performance:
• Number of administrator/operator/viewer sessions
• Peak number of simultaneous administrator/operator/viewer live views
• The video stream parameters per camera live view – i.e. resolution, frame rate, bit rate mode
(constant or variable) and the bit rate mode parameters (bit rate or image quality)
Variable versus constant bit rate
The variable bit rate mode means the bandwidth used by the camera will vary according to what
the camera is seeing and the video profile settings. The video profile settings for the variable bit
rate mode are resolution, frame rate and image quality. High resolution creates three times as
much data as medium resolution. Low resolution creates half as much data as medium
resolution (see following sections for more detail). The degree of motion present in a video
stream also affects the amount of data created.
The constant bit rate mode means the bandwidth used by the camera will stay relatively
constant regardless of what the camera is seeing. The constant bit rate mode is therefore more
predictable in deployments where bandwidth and/or storage capacities are important
considerations. The video profile settings for the constant bit rate mode are resolution, frame
rate and bit rate. The bandwidth used by the stream is dictated by the bit rate setting.
In general, using the variable bit rate mode results in higher quality video with higher bandwidth
requirements, and using the constant bit rate mode results in predictable bandwidth
requirements with lower quality video. However, in most cases the difference in video quality
between the variable and constant bit rate modes is negligible (assuming the same resolution and
frame rates) and the constant bit rate mode produces more reliable output from the cameras.
Bandwidth per camera or live view
Variable bit rate
Each camera stream or live view will use the following (approximate) bandwidth:
• 320x256 @ 30 FPS, high quality, variable bit rate = 48kB/s
• 640x512 @ 30 FPS, high quality, variable bit rate = 107kB/s
• 1280x1024 @ 30 FPS, high quality, variable bit rate = 322kB/s
For variable bit rate streams, lowering the quality setting increases the amount of compression
resulting in lower video quality and lower data rates.
Constant bit rate
Each camera stream or live view will use the following (approximate) bandwidth:
• 320x256 @ 30 FPS, 1000 kb/s, constant bit rate = 50kB/s
• 640x512 @ 30 FPS, 1000 kb/s, constant bit rate = 150kB/s (see note below)
• 1280x1024 @ 30 FPS, 1000 kb/s, constant bit rate = 150kB/s (see note below)
For constant bit rate streams, lowering the bit rate setting increases the amount of compression
resulting in lower video quality and lower data rates.
Note: This is not a typo. At medium or high resolution, 30 FPS and 1000 kb/s, both resolutions
result in the same approximate bandwidth usage since the high resolution stream is being
compressed more than the medium resolution stream.
Storage capacity
Variable bit rate
Assuming one camera at the specified resolution, the FortiRecorder-200D provides the
following (approximate) storage capacities:
• 320x256 @ 30 FPS, high quality, variable bit rate = 6700 hours of storage capacity
• 640x512 @ 30 FPS, high quality, variable bit rate = 3000 hours of storage capacity
• 1280x1024 @ 30 FPS, high quality, variable bit rate = 1000 hours of storage capacity
Constant bit rate
Assuming one camera at the specified resolution, the FortiRecorder-200D provides the
following (approximate) storage capacities:
• 320x256 @ 30 FPS, 1000 kb/s, constant bit rate = 6700 hours of storage capacity
• 640x512 @ 30 FPS, 1000 kb/s, constant bit rate = 2000 hours of storage capacity
• 1280x1024 @ 30 FPS, 1000 kb/s, constant bit rate = 2000 hours of storage capacity
Client Performance
If you need to display 8 or more camera live views, you may need to configure the second
camera stream so that viewing is done at a lower frame rate or resolution, depending on how
powerful the client PC is. RAM is less important than CPU for rendering video.
Video playback is very CPU intensive. If you are experiencing choppy video playback and
cameras “freezing” during playback, you likely have a client performance problem. Use the
diagnostic tools available on your client OS and look at the CPU usage when you are
experiencing video problems. If possible, keep the CPU usage below 50%.
To optimize client performance, use the video and camera profiles to define and assign a
second video stream for each camera. To increase the number of live views the client computer
can display, or to reduce the CPU requirement for a given number of live views, reduce the
resolution, quality and/or frames per second of the second video streams.
Ten FPS is a good general setting for live views: it provides a reasonable frame rate while
significantly reducing the load on the client compared to 30 FPS.
NVR configuration
To be able to configure the FortiRecorder NVR appliance, you must connect to its management
web UI or CLI console. This document mainly describes the web UI usage.
Connecting to FortiRecorder web UI
You can connect to the web UI using its default settings. (By default, HTTPS access to the
web UI is enabled.)
Table 1: Default settings for connecting to the web UI
Network Interface        port1
URL                      https://192.168.1.99/
Administrator Account    admin
Password
Requirements
• a computer with an RJ-45 Ethernet network port
• a web browser such as Microsoft Internet Explorer 8, Mozilla Firefox 3.5, Apple Safari 4, or
Google Chrome 6 or greater
• Apple QuickTime 7.1 or greater plug-in for video display
• a crossover Ethernet cable
To connect to the web UI
1. On your management computer, configure the Ethernet port with the static IP address
192.168.1.2 with a netmask of 255.255.255.0.
2. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiRecorder
appliance’s port1.
3. Start your browser and enter the URL:
https://192.168.1.99/
(Remember to include the “s” in https://.)
Your browser connects to the appliance.
4. In the Name field of the login page, type admin, then click Login. (In its default state, there is
no password for this account.)
Login credentials entered are encrypted before they are sent to the FortiRecorder appliance.
If your login is successful, the web UI appears.
See also
• Connectivity issues
• Login issues
Connecting to FortiRecorder CLI
For initial configuration, you can access the CLI from your management computer in either
of two ways:
• a local serial console connection
• an SSH connection, either local or through the network
To connect to the CLI using a local serial console connection, you must have:
• a computer with a serial communications (COM) port
• the RJ-45-to-DB-9 serial or null modem cable included in your FortiRecorder package
• terminal emulation software, such as HyperTerminal for Microsoft Windows
To connect to the CLI using an SSH connection, you must have:
• a computer with an Ethernet port
• a crossover Ethernet cable
• an SSH client, such as PuTTY
Table 2: Default settings for connecting to the CLI by SSH
Network Interface        port1
IP Address               192.168.1.99
SSH Port Number          22
Administrator Account    admin
Password                 (none)
To connect to the CLI using a local serial console connection
The following procedure uses Microsoft HyperTerminal. Steps may vary with other terminal
emulators.
1. Using the RJ-45-to-DB-9 or null modem cable, connect your computer’s serial
communications (COM) port to the FortiRecorder unit’s console port.
2. Verify that the FortiRecorder unit is powered on.
3. On your management computer, start HyperTerminal.
4. On Connection Description, enter a Name for the connection, and select OK.
5. On Connect To, from Connect using, select the communications (COM) port where you
connected the FortiRecorder unit.
6. Select OK.
7. Select the following Port settings and select OK.
Bits per second    9600
Data bits          8
Parity             None
Stop bits          1
Flow control       None
8. Press Enter.
The terminal emulator connects to the CLI, and the CLI displays a login prompt.
9. Type admin and press Enter twice. (In its default state, there is no password for this
account.)
To connect to the CLI using an SSH connection
The following procedure uses PuTTY. Steps may vary with other SSH clients.
1. On your management computer, configure the Ethernet port with the static IP address
192.168.1.2 with a netmask of 255.255.255.0.
2. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiRecorder unit’s
port1.
3. Verify that the FortiRecorder unit is powered on.
4. On your management computer, start your SSH client.
5. In Host Name (or IP Address), type 192.168.1.99.
6. In Port, type 22.
7. From Connection type, select SSH.
8. Select Open.
The SSH client connects to the FortiRecorder unit.
The SSH client may display a warning if this is the first time you are connecting to the
FortiRecorder unit and its SSH key is not yet recognized by your SSH client, or if you have
previously connected to the FortiRecorder unit but it used a different IP address or SSH key.
If your management computer is directly connected to the FortiRecorder unit with no
network hosts between them, this is normal.
9. Click Yes to verify the fingerprint and accept the FortiRecorder unit’s SSH key. You will not
be able to log in until you have accepted the key.
The CLI displays a login prompt.
10. Type admin and press Enter. (In its default state, there is no password for this account.)
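Step 9 asks you to verify the fingerprint before accepting the key. The following is an added example, not part of the Fortinet guide: it computes the MD5 and SHA256 fingerprints of an OpenSSH-format public key line and compares them with a fingerprint you recorded earlier out of band. The function names are illustrative and the key lines are constructed samples, not keys from a real appliance.

```python
import base64
import hashlib
import struct

KNOWN_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


class HostKeyError(ValueError):
    """Raised when a public key line is malformed."""


def parse_public_key(line):
    """Return (key_type, raw_blob) from 'type base64 [comment]' or the
    known_hosts form 'host type base64' (e.g. ssh-keyscan output)."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KNOWN_TYPES:
            key_type, b64 = field, fields[i + 1]
            break
    else:
        raise HostKeyError("no recognised key type field")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise HostKeyError("key data is not valid base64") from exc
    # The blob begins with a length-prefixed string repeating the key type.
    if len(blob) < 4:
        raise HostKeyError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise HostKeyError("declared key type does not match key blob")
    return key_type, blob


def fingerprint_sha256(blob):
    """Fingerprint in the 'SHA256:<unpadded base64>' form."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy colon-separated hex fingerprint shown by older SSH clients."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def verify_host_key(presented_line, pinned_fingerprint):
    """True only if the presented key hashes to the pinned fingerprint."""
    _, blob = parse_public_key(presented_line)
    pinned = pinned_fingerprint.strip()
    if pinned.startswith("SHA256:"):
        return fingerprint_sha256(blob) == pinned
    if pinned.upper().startswith("MD5:"):
        pinned = pinned[4:]
    return fingerprint_md5(blob) == pinned.lower()


def constructed_ed25519_line(seed, comment):
    """Build a syntactically valid ssh-ed25519 line from fixed bytes.
    Constructed sample data: the 32 'key' bytes are just a hash of seed."""
    name = b"ssh-ed25519"
    pub = hashlib.sha256(seed).digest()
    blob = (struct.pack(">I", len(name)) + name +
            struct.pack(">I", len(pub)) + pub)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed samples: the key first recorded, and a different key later
# presented from the same address (what a swapped unit or an interposed
# host would look like to the client).
FIRST_SEEN = constructed_ed25519_line(b"unit-a", "192.168.1.99")
CHANGED = constructed_ed25519_line(b"unit-b", "192.168.1.99")


def demo():
    pinned = fingerprint_sha256(parse_public_key(FIRST_SEEN)[1])
    return {"same_key": verify_host_key(FIRST_SEEN, pinned),
            "changed_key": verify_host_key(CHANGED, pinned)}


if __name__ == "__main__":
    print(fingerprint_sha256(parse_public_key(FIRST_SEEN)[1]))
    print(fingerprint_md5(parse_public_key(FIRST_SEEN)[1]))
    print(demo())
```

A mismatch on a link that is not a direct cable connection is the case the warning in step 8 exists for: do not accept the key until the change is explained.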
Basic NVR configuration
Whether you integrate the FortiRecorder NVR into your existing network or set it up on its
own dedicated, private network, you must configure the following settings to get the appliance
up and running:
• Setting the “admin” account password
• Configuring the network settings
• Configuring the DHCP server
• Setting the system time
Setting the “admin” account password
The default administrator account, named admin, initially has no password.
Unlike other administrator accounts, the admin administrator account exists by default and
cannot be deleted. This administrator account always has full permission to view and change all
FortiRecorder configuration options, including viewing and changing all other administrator
accounts. Its name and permissions cannot be changed.
For security reasons, you must set a password for the admin account after you log on to
FortiRecorder. Set a strong password for the admin administrator account, and change the
password regularly.
To change the admin administrator password
1. Log in to the admin administrator account.
2. Go to System > Administrator > Administrator.
3. Change the password and log out.
The new password takes effect the next time that administrator account logs in.
See also
• Login issues
Configuring the network settings
When shipped, each of the FortiRecorder appliance’s physical network adapter ports has a
default IP address and netmask. If these IP addresses and netmasks are not compatible with
the design of your unique network, you must configure them.
Table 3: Default IP addresses and netmasks
Network Interface*    IP Address      Netmask
port1                 192.168.1.99    255.255.255.0
port2                 192.168.2.99    255.255.255.0
port3                 192.168.3.99    255.255.255.0
port4                 192.168.4.99    255.255.255.0
* The number of network interfaces may vary by model.
To connect to the CLI and web UI, you should configure the following FortiRecorder network
settings:
• Interface: you must configure at least one network interface on your FortiRecorder
appliance (usually port1) with an IP address and netmask so that it can receive your
connections.
• Static route: Depending on your network, you also usually must configure a static route so
that the FortiRecorder can connect to the Internet, your computer, and FortiCam cameras.
• DNS server: FortiRecorder appliances require connectivity to DNS servers for DNS lookups.
The appliance will query the DNS servers whenever it needs to resolve a domain name into
an IP address, such as for NTP servers defined by their domain names.
To configure a network interface’s IP address
1. Log in to the admin administrator account.
2. Go to System > Network > Interface.
3. Double-click the row to select the physical network interface that you want to modify.
4. If you want to manually assign an IP address and subnet mask to this network interface,
select Manual and then provide the IP address and netmask in IP/Netmask. IPv4 and IPv6
subnet masks should be provided in CIDR format, e.g. /24 instead of 255.255.255.0. The
IP address must be on the same subnet as the network to which the interface connects. Two
network interfaces cannot have IP addresses on the same subnet.
Otherwise, select DHCP and enable Connect to server to retrieve a DHCP lease when you
save this configuration. If you want the FortiRecorder appliance to also retrieve DNS and
default route (“gateway”) settings, also enable Retrieve default gateway and DNS from
server.
If you use DHCP on an interface and there are cameras connected to the interface, you must
make sure the IP address will not change on that interface because the cameras need to
communicate with the NVR and thus need to be aware of the IP address of the NVR.
Retrieve default gateway and DNS from server will overwrite the existing DNS and default route,
if any.
5. Configure these settings:
Setting name
Description
Discover cameras on this port
Enable to send multicast camera discovery traffic from this network
interface. For more information, see “Connecting FortiRecorder to the
cameras” on page 37.
Access
Enable the types of administrative access that you want to permit to
this interface.
Caution: Enable administrative access only on network interfaces
connected to trusted private networks or directly to your management
computer. If possible, enable only secure administrative access
protocols such as HTTPS or SSH. Failure to restrict administrative
access could compromise the security of your FortiRecorder
appliance.
HTTPS
Enable to allow secure HTTPS connections to the web UI through this
network interface. To configure the listening port number, see
“Configuring system timeout, ports, and public access”. To upload a
certificate, see “Replacing the default certificate for the web UI”.
PING
Enable to allow:
• ICMP type 8 (ECHO_REQUEST)
• UDP ports 33434 to 33534
for ping and traceroute to be received on this network interface.
When it receives an ECHO_REQUEST, FortiRecorder will reply with
ICMP type 0 (ECHO_RESPONSE).
Note: Disabling PING only prevents FortiRecorder from receiving
ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP.
It does not disable FortiRecorder CLI commands such as execute
ping or execute traceroute that send such traffic.
HTTP
Enable to allow HTTP connections to the web UI through this network
interface. To configure the listening port number, see “Configuring
system timeout, ports, and public access”.
Caution: HTTP connections are not secure, and can be intercepted
by a third party. If possible, enable this option only for network
interfaces connected to a trusted private network, or directly to your
management computer. Failure to restrict administrative access
through this protocol could compromise the security of your
FortiRecorder appliance.
SSH
Enable to allow SSH connections to the CLI through this network
interface.
SNMP
Enable to allow SNMP queries to this network interface, if queries
have been configured and the sender is a configured SNMP manager.
To configure the listening port number and configure queries and
traps, see “SNMP traps & queries”.
TELNET
Enable to allow Telnet connections to the CLI through this network
interface.
Caution: Telnet connections are not secure, and can be intercepted
by a third party. If possible, enable this option only for network
interfaces connected to a trusted private network, or directly to your
management computer. Failure to restrict administrative access
through this protocol could compromise the security of your
FortiRecorder appliance.
FRCCentral
Enable to allow access from FortiRecorder Central.
MTU
Enable to change the maximum transmission unit (MTU) value, then
enter the maximum packet or Ethernet frame size in bytes.
If network devices between the FortiRecorder unit and its traffic
destinations require smaller or larger units of traffic, packets may
require additional processing at each node in the network to fragment
or defragment the units, resulting in reduced network performance.
Adjusting the MTU to match your network can improve network
performance.
The default value is 1500 bytes. The MTU size must be between 576
and 1500 bytes. Change this if you need a lower value. For example,
RFC 2516 prescribes a value of 1492 for PPPoE.
Administrative status
Select either:
• Up — Enable (that is, bring up) the network interface so that it can
send and receive traffic.
• Down — Disable (that is, bring down) the network interface so that
it cannot send or receive traffic.
6. Click OK.
If you were connected to the web UI through this network interface, you are now
disconnected from it.
7. To access the web UI again, in your web browser, modify the URL to match the new IP
address of the network interface. For example, if you configured the network interface with
the IP address 10.10.10.5, you would browse to: https://10.10.10.5
If the new IP address is on a different subnet than the previous IP address, and your
computer is directly connected to the FortiRecorder appliance, you may also need to modify
the IP address and subnet of your computer to match the FortiRecorder appliance’s new IP
address.
To add a static route
If you used DHCP and Retrieve default gateway and DNS from server when configuring your
network interfaces, skip this step — the default route was configured automatically.
1. Log in to the admin administrator account.
Other accounts may not have permissions necessary to change this setting.
2. Go to System > Network > Routing.
3. Click New.
4. Configure these settings:
Setting name
Description
Destination IP/netmask
Type the destination IP address and network mask of packets that will
be subject to this static route, separated by a slash ( / ).
The value 0.0.0.0/0 results in a default route, which matches all
packets.
Gateway
Type the IP address of the next-hop router where the FortiRecorder
appliance will forward packets subject to this static route. This router
must know how to route packets to the destination IP addresses that
you have specified in Destination IP/netmask, or forward packets to
another router with this information.
For a direct Internet connection, this will be the router that forwards
traffic towards the Internet, and could belong to your ISP.
Note: The gateway IP address must be in the same subnet as a
network interface’s IP address.
5. Click OK.
The FortiRecorder appliance should now be reachable by connections from the networks
indicated by the mask. When you add a static route through the web UI, the FortiRecorder
appliance evaluates the route to determine if it represents a different route compared to any
other route already present in the list of static routes. If no route having the same destination
exists in the list of static routes, the FortiRecorder appliance adds the static route, using the
next unassigned route index number.
For small networks with only a few devices, often you will only need to configure one route: a
default route that forwards packets to your router that is the gateway to the Internet.
If you have redundant gateway routers (e.g. dual Internet/ISP links), or a larger network with
multiple routers (e.g. each of which should receive packets destined for a different subset of IP
addresses), you may need to configure multiple static routes.
6. To verify connectivity, from a computer on the route’s network destination, attempt to ping
one of FortiRecorder’s network interfaces that should be reachable from that location.
If the connectivity test fails, you can use the CLI commands:
execute ping <destination_ipv4>
to determine if a complete route exists from the FortiRecorder to the host, and
execute traceroute <destination_ipv4>
to determine the point of connectivity failure.
Also enable PING on the FortiRecorder’s network interface, then use the equivalent
tracert or traceroute command on the computer (depending on its operating system)
to test routability for traffic traveling in the opposite direction: from the host to the
FortiRecorder.
• If these tests fail, or if you do not want to enable PING, first examine the static route
configuration on both the host and FortiRecorder.
To display the cached routing table, enter the CLI command:
diagnose netlink rtcache list
You may also need to verify that the physical cabling is reliable and not loose or broken,
that there are no IP address or MAC address conflicts or blacklisting, and otherwise rule
out problems at the physical, network, and transport layer.
• If these tests succeed, a route exists, but you cannot connect using HTTP or HTTPS, an
application-layer problem is preventing connectivity.
Verify that you have enabled HTTPS and/or HTTP on the network interface. Also examine
routers and firewalls between the host and the FortiRecorder appliance to verify that they
permit HTTP and/or HTTPS connectivity between them. Finally, you can also use the CLI
command:
diagnose system top 5 30
to verify that the daemons for the web UI and CLI, such as sshd, newcli, and httpd are
running and not overburdened.
To configure DNS settings
If you will use the settings DHCP and Retrieve default gateway and DNS from server when you
configure your network interfaces, skip this — DNS is configured automatically.
1. Log in to the admin administrator account.
Other accounts may not have permissions necessary to change this setting.
2. Go to System > Network > DNS and enter the IP addresses of a primary and secondary DNS
server. Your Internet service provider (ISP) may supply IP addresses of DNS servers, or you
may want to use the IP addresses of your own DNS servers.
Incorrect DNS settings or unreliable DNS connectivity can cause issues with other features,
including the NTP system time. For improved performance, use DNS servers on your local
network.
3. Click Apply.
4. To verify your DNS settings, in the CLI, enter the following command:
execute traceroute www.fortinet.com
DNS tests may not succeed if you have not yet completed “To add a static route”.
If the DNS query for the domain name succeeds, you should see results that indicate that
the host name resolved into an IP address, and the route from FortiRecorder to that IP
address:
traceroute to www.fortinet.com (192.0.43.10), 30 hops max, 60 byte packets
 1  172.20.130.2 (172.20.130.2)  0.426 ms  0.238 ms  0.374 ms
 2  static-209-87-254-221.storm.ca (209.87.254.221)  2.223 ms  2.491 ms  2.552 ms
 3  core-g0-0-1105.storm.ca (209.87.239.161)  3.079 ms  3.334 ms  3.357 ms
...
16  43-10.any.icann.org (192.0.43.10)  57.243 ms  57.146 ms  57.001 ms
If the DNS query fails, you will see an error message such as:
www.fortinet.com: Temporary failure in name resolution
Cannot handle "host" cmdline arg `www.fortinet.com' on position 1 (argc 3)
Verify your DNS server IPs, routing, and that your firewalls or routers do not block or proxy
UDP port 53.
See also
• Connectivity issues
Configuring the DHCP server
If you need the FortiRecorder DHCP service to connect cameras to the NVR, you can configure
the DHCP server on the interface that the cameras connect to. For information about DHCP
service and camera connection, see “Camera connection” on page 36.
To configure FortiRecorder's DHCP server via the web UI
1. Go to System > Network > DHCP.
2. Click New.
3. Mark the check box for Enable DHCP server.
4. Configure these settings:
Setting name
Description
Interface
Select the name of the network interface where this DHCP server will
listen for requests from DHCP clients.
Gateway
Type the IP address that DHCP clients will use as their next-hop
router.
On smaller networks, this is usually the same router that
FortiRecorder uses. It could be your office’s router, or cable/DSL
modem.
DNS options
Select either:
• Default — Leave DHCP clients’ DNS settings at their default
values.
• Specify — Configure DHCP clients with the DNS servers that you
specify in DNS server 1 and DNS server 2.
DNS server 1
Type the IP address of a DNS server that DHCP clients can use to
resolve domain names. For performance reasons, if you have one, it
is preferable to use a DNS server on your local network.
This setting is available only if DNS options is set to Specify.
DNS server 2
Type the IP address of an alternative DNS server that DHCP clients
can use to resolve domain names. For performance reasons, if you
have one, it is preferable to use a DNS server on your local network.
This setting is available only if DNS options is set to Specify.
Domain
Optional. Type the domain name, if any, that DHCP clients will use
when resolving host names on the local domain.
Netmask
Type the subnet mask that DHCP clients will use in conjunction with
the IP address that is assigned by FortiRecorder’s DHCP server.
5. If you want to fine-tune the behavior, configure these settings:
Setting name
Description
Conflicted IP timeout (Seconds)
Type the maximum amount of time that the DHCP server will wait for
an ICMP ECHO (ping) response from an IP before it determines that it
is not used, and therefore safe to allocate to a DHCP client that is
requesting an IP address. The default is 1,800 seconds (3 minutes).
To ensure that the DHCP server does not cause IP address conflicts
with misconfigured computers that are accidentally using the pool of
IP addresses used for DHCP, when a client requests a new DHCP
lease, the built-in DHCP server will ping an unused IP address in the
pool first. If the ping test is successful, then a misconfigured
computer is currently using that IP, and allocating it also to the DHCP
client would cause an IP address conflict. To prevent this, the DHCP
server will temporarily abandon that IP (mark it as used by a static
host) and look for another, available IP to give to the DHCP client. (It
will not try abandoned IPs again until the pool is exhausted.)
However, before the DHCP server can determine if the ping test is
successful, it must first wait to see if there is any reply. This slows
down the search for an available IP address, and in rare cases, could
cause a significant delay before the DHCP client receives its
assigned IP address and other network settings. If your network is
smaller or typically has low latency to ping replies, you can safely
decrease this setting’s value to improve DHCP speed and
performance. In most cases, 3 seconds is enough.
Lease time (Seconds)
Type the maximum amount of time that the DHCP client can use the
IP address assigned to it by the server. When the lease expires, the
DHCP client must either request a new IP address from the DHCP
server or renew its existing lease. Otherwise, the DHCP server may
attempt to assign it to the next DHCP client that requests an IP. The
default is 604,800 seconds (7 days).
If you have more or almost as many DHCP clients (cameras) as the
number of IP addresses available to give to DHCP clients, you can
decrease the lease. This will free up IP addresses from inactive
clients so that IPs are available to give to clients that are currently in
need of IP addresses. Keep in mind, however, that if the DHCP
server is attached to your overall network rather than directly to
cameras, this will slightly increase traffic volume and slightly
decrease performance.
DHCP IP Range
To configure the DHCP lease pool — the range of IP addresses that
the DHCP server can assign to its clients — click New and configure
the first and last IP address in the range. To avoid DHCP pool
exhaustion that can occur in some cases, the pool should be slightly
larger than the total number of clients.
If you need to exclude some IP addresses from this range (e.g.
printers permanently occupy static IPs in the middle of the range),
also configure DHCP Excluded Range.
Tip: The built-in DHCP server can provide IP addresses to the
computers on your network too, not just to cameras.
DHCP Excluded Range
To configure IPs that should be omitted from the DHCP pool and
never given to DHCP clients (such as if there are printers with manually
assigned static IP addresses in the middle of your DHCP range),
click New.
Reserved IP Address
To bind specific MAC addresses to a specific DHCP lease,
guaranteeing that the DHCP server will never assign it to another
DHCP client, click New.
Caution: Reserved leases cannot prevent misconfigured computers
from taking the IP address, causing an IP address conflict, and
breaking the FortiRecorder NVR’s connection with the camera. See
“Resolving IP address conflicts”.
Tip: To mimic a static IP address for your cameras, yet still provide
the benefit that IP addresses are still centrally managed and
configured on your DHCP server, configure reserved IP addresses.
6. Click Create.
As cameras join the network, they should appear in the list of DHCP clients on Monitor >
DHCP Status > DHCP.
See also
• DHCP issues
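The addressing rules stated in “Configuring the network settings” and “Configuring the DHCP server” can be checked on paper before you touch the appliance. The following Python check is an added example, not Fortinet code: it tests that no two interfaces share a subnet, that each static route’s gateway is on an interface subnet, and that the DHCP IP range minus the excluded ranges is larger than the number of clients. The function names, the plan layout, and all sample addresses are constructed for illustration.

```python
"""Pre-flight check for a planned addressing scheme (added example, constructed values)."""
import ipaddress as ip


def usable_pool(first, last, excluded=()):
    """Count addresses left in the DHCP IP range after removing the excluded ranges."""
    lo, hi = int(ip.ip_address(first)), int(ip.ip_address(last))
    if lo > hi:
        raise ValueError(f"DHCP range {first}-{last} is reversed")
    pool = set(range(lo, hi + 1))
    for ex_first, ex_last in excluded:
        pool -= set(range(int(ip.ip_address(ex_first)), int(ip.ip_address(ex_last)) + 1))
    return len(pool)


def check_plan(interfaces, routes, dhcp):
    """Return a list of problems; an empty list means the plan satisfies the rules.

    interfaces: {"port1": "192.168.1.99/24", ...}   IP/netmask in CIDR format
    routes:     [(destination_cidr, gateway_ip), ...]
    dhcp:       {"first": ..., "last": ..., "excluded": [(first, last)], "clients": n}
    """
    problems = []
    nets = {name: ip.ip_interface(cidr).network for name, cidr in interfaces.items()}

    # Two network interfaces cannot have IP addresses on the same subnet.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} share a subnet ({nets[a]}, {nets[b]})")

    # The gateway IP address must be in the same subnet as an interface's IP address.
    for dest, gateway in routes:
        ip.ip_network(dest)  # raises ValueError if the destination is malformed
        if not any(ip.ip_address(gateway) in net for net in nets.values()):
            problems.append(f"gateway {gateway} for {dest} is not on any interface subnet")

    # The pool should be larger than the total number of clients.
    usable = usable_pool(dhcp["first"], dhcp["last"], dhcp.get("excluded", ()))
    if usable <= dhcp["clients"]:
        problems.append(f"DHCP pool has {usable} usable IPs for {dhcp['clients']} clients")
    return problems


# Constructed sample plans: one that passes and one that breaks every rule.
GOOD_PLAN = {
    "interfaces": {"port1": "192.168.1.99/24", "port2": "192.168.2.99/24"},
    "routes": [("0.0.0.0/0", "192.168.1.1")],
    "dhcp": {"first": "192.168.2.100", "last": "192.168.2.120",
             "excluded": [("192.168.2.110", "192.168.2.112")], "clients": 16},
}
BAD_PLAN = {
    "interfaces": {"port1": "192.168.1.99/24", "port2": "192.168.1.200/24"},
    "routes": [("0.0.0.0/0", "10.0.0.1")],
    "dhcp": {"first": "192.168.2.100", "last": "192.168.2.120", "clients": 21},
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        found = check_plan(**plan)
        print(label, "plan:", found or "no problems")
```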
Setting the system time
For many features to work, including camera synchronization, scheduling, logging, and
SSL/TLS-dependent features, the FortiRecorder system time must be accurate.
You can either manually set the FortiRecorder system time or configure the FortiRecorder
appliance to automatically keep its system time correct by synchronizing with a Network Time
Protocol (NTP) server.
NTP is recommended to achieve better time accuracy. NTP requires that your FortiRecorder be
able to connect to the Internet on UDP port 123. Adjust your firewall, if any, to allow these
connections.
Later, when cameras are added to your surveillance system, your FortiRecorder NVR will
synchronize the camera clocks with its own to keep them in agreement.
To configure the system time
1. Go to System > Configuration > Time.
2. Either manually set the date and time or select to synchronize with NTP server.
3. Click Apply.
If you manually configured the time, or if you enabled NTP and the NTP query for the current
time succeeds, the new clock time should appear in System time. (If the query reply is slow,
you may need to wait a couple of seconds, then click Refresh to update the display in
System time.)
If the NTP query fails, the system clock will continue without adjustment.
NTP on FortiRecorder complies with RFC 5905. If the current system time differs greatly from
the actual time, NTP will adjust the clock slowly to avoid incongruous jumps in log message
timestamps and other time-dependent features. If you want the time to be corrected
immediately, set the time zone and time manually first, then switch to NTP.
If FortiRecorder’s time was 3 hours late, for example, and NTP fails, the time will still be
exactly 3 hours late. Verify your DNS server IPs, your NTP server IP or name, routing, and
that your firewalls or routers do not block or proxy UDP port 123.
NTP queries may fail until you have configured gateway and DNS settings. See “Configuring the
network settings”.
See also
• Connectivity issues
Advanced/optional NVR configuration
After you have a basic working setup, depending on your specific requirements, you may want
to configure some advanced or optional settings.
• Configuring system timeout, ports, and public access
• Configuring FortiRecorder system appearance
• Configuring logging
• Alert email
Configuring system timeout, ports, and public access
Go to System > Configuration > Options to configure the system idle timeout, the HTTP, HTTPS,
SSH, Telnet, and FortiRecorder Central access ports, and the host name for public/remote
access.
If you want remote access — connecting from a home or a branch office through the Internet to
your FortiRecorder NVR — for either using the web UI or snapshot notification video clips while
you are out of the office, you must configure both your network and the NVR.
First, on your office’s firewall or Internet router, configure port forwarding and/or a virtual IP (VIP)
to forward remote access connections from the Internet to your FortiRecorder NVR’s private
network IP. (See “Appendix A: Port numbers”.)
Remote access opens ports and can weaken the strength of your network security. To prevent
attackers on the Internet from gaining access to your surveillance system, configure your
firewall or router to require authentication, restrict which IP addresses can use your port
forward/virtual IP, and scan requests for viruses and hacking attempts.
If you are not sure what your network’s Internet address is, while connected to your office
network, you can use an online utility such as:
http://ping.eu/
Next, go to System > Configuration > Options and configure these settings:
Setting name
Description
Public Access
Host name
Type either your network’s IP on the Internet, or its domain
name, such as www.example.com.
This is either your Internet router’s WAN IP, or a virtual IP (VIP)
on your firewall whose NAT table will forward incoming
connections from this public network IP to your FortiRecorder
NVR’s private network IP.
HTTP/ HTTPS
Port number
Type the port number, such as 8080, on your public IP that
your Internet router or firewall will redirect to your
FortiRecorder NVR’s listening port.
FortiRecorder supports live streaming (HLS) for mobile devices. You can use the FortiRecorder
Mobile drop-down menu to enable live streaming over HTTP or HTTPS.
Configuring FortiRecorder system appearance
To customize the logo and product name appearing on the FortiRecorder web UI, go to System
> Customization > Appearance.
Configuring logging
To diagnose problems or to track actions that the FortiRecorder appliance does as it receives
and processes video, configure the FortiRecorder appliance to record log messages. Log
messages can record camera and/or FortiRecorder appliance events.
To configure logging
1. Go to either Logs and Alerts > Log Setting > Local Log Settings or Log > Log Setting >
Remote Log Settings (depending on whether you want logs to be stored on FortiRecorder’s
hard drive, or remotely, on a Syslog server or FortiAnalyzer).
2. If configuring local log storage, configure the following settings:
Setting name
Description
Log file size
Type the file size limit of the current log file in megabytes (MB).
The log file size limit must be between 1 MB and 1000 MB.
Note: Large log files may decrease display and search
performance.
Log time
Type the time (in days) of the file age limit. If the log is older than
this limit, even if it has not exceeded the maximum file size, a new
current log file will be started.
Valid range is between 1 and 366 days.
At hour
Select the hour of the day (24-hour format) when the file rotation
should start.
When a log file reaches either the age or size limit, the
FortiRecorder appliance rotates the current log file: that is, it
renames the current log file (elog.log) with a file name indicating
its sequential relationship to other log files of that type (elog2.log,
and so on), then creates a new current log file. For example, if you
set the log time to 10 days at hour 23, the log file will be rotated at
23 o’clock of the 10th day.
Log level
Select the severity level that a log message must equal or exceed
in order to be recorded to this storage location.
For information about severity levels, see “Log severity levels”.
Caution: Avoid recording log messages using low severity
thresholds such as Information or Notification to the local hard
disk for an extended period of time. A low log severity threshold is
one possible cause of frequent logging. Excessive logging
frequency can cause undue wear on the hard disk and may cause
premature failure.
Log options when disk is full
Select what the FortiRecorder will do when the local disk is full
and a new log message is generated, either:
• Do not log — Discard all new log messages.
• Overwrite — Delete the oldest log file in order to free disk
space, and store the new log message.
3. If configuring remote log storage, click New, then configure the following settings:
Setting name
Description
IP
Type the IP address of a Syslog server or FortiAnalyzer.
Port
Type the UDP port number on which the Syslog server listens for
log messages.
The default is 514.
Level
Select the severity level that a log message must equal or exceed
in order to be recorded to this storage location.
For information about severity levels, see “Log severity levels”.
Caution: Avoid recording log messages using low severity
thresholds such as Information or Notification to the local hard
disk for an extended period of time. A low log severity threshold is
one possible cause of frequent logging. Excessive logging
frequency can cause undue wear on the hard disk and may cause
premature failure.
Facility
Select the facility identifier the FortiRecorder will use to identify
itself to the Syslog server if it receives logs from multiple devices.
To easily identify log messages from the FortiRecorder when they
are stored on a remote logging server, enter a unique facility
identifier, and verify that no other network devices use the same
facility identifier.
CSV format
Enable if your Syslog server requires comma-separated values
(CSV).
Note: Do not enable this option if the remote host is a
FortiAnalyzer. FortiAnalyzer does not support CSV-formatted log
messages.
4. Mark the check box for Enable.
5. In the Logging Policy Configuration area, mark the check boxes of all events that you want to
cause a log message, such as When configuration has changed.
6. Click Apply or Create.
7. To verify logging connectivity, from FortiRecorder, trigger a log message that matches the
type and severity levels that you have chosen to store on the remote Syslog server or
FortiAnalyzer. Then, on the remote host, confirm that it has received that log message.
If you will be sending logs to a FortiAnalyzer appliance, you must add the FortiRecorder NVR to
the FortiAnalyzer’s device list, and allocate enough disk space. Otherwise, depending on its
configuration for unknown devices, FortiAnalyzer may ignore the logs. When the allocated disk
space is full, it may drop subsequent logs.
If the remote host does not receive the log messages, verify the FortiRecorder’s static routes
(see “NVR configuration”) and the policies on any intermediary firewalls or routers (they must
allow Syslog traffic from the FortiRecorder network interface that is connected to the
gateway between it and the Syslog server). To determine the point of connectivity failure
along the network path, if the FortiAnalyzer or Syslog server is configured to respond to
ICMP ECHO_REQUEST (ping), go to Monitor > System Status > Console and enter the
command:
execute traceroute <syslog_ipv4>
where <syslog_ipv4> is the IPv4 address of your FortiAnalyzer or Syslog server.
See also
• Connectivity issues
• Data storage issues
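For step 7 of “To configure logging”, the remote host has to confirm more than arrival: each message should carry the Facility you chose and meet the Level threshold. The following Python receiver is an added example, not Fortinet code. It decodes the syslog priority header of each UDP datagram into facility and severity and reports mismatches. The function names, the facility local7, and the sample datagrams are constructed. The page’s Notification and Information levels are assumed to correspond to syslog severities 5 and 6.

```python
"""Check facility and severity of received syslog datagrams (added example)."""
import re
import socket
import sys

# Facility and severity names by numeric code, as defined for syslog in RFC 5424.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
# Assumption: the page's "Notification" is severity 5 and "Information" is 6.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "informational", "debug"]
PRI = re.compile(rb"^<(\d{1,3})>")


def parse_pri(datagram):
    """Return (facility, severity, rest) or None if there is no valid <PRI> header."""
    match = PRI.match(datagram)
    if not match:
        return None
    value = int(match.group(1))
    if value > 191:  # highest valid PRI: facility 23 * 8 + severity 7
        return None
    return FACILITIES[value >> 3], SEVERITIES[value & 7], datagram[match.end():]


def check(datagram, expected_facility, threshold):
    """List what is wrong with one datagram; an empty list means it is as configured."""
    parsed = parse_pri(datagram)
    if parsed is None:
        return ["no valid <PRI> header, not a syslog message"]
    facility, severity, _ = parsed
    issues = []
    if facility != expected_facility:
        # Another device may be using this facility, or Facility is set differently.
        issues.append(f"facility is {facility}, expected {expected_facility}")
    if SEVERITIES.index(severity) > SEVERITIES.index(threshold):
        # A higher number is a lower severity, so the Level filter is not in effect.
        issues.append(f"severity {severity} is below the {threshold} threshold")
    return issues


def listen(bind_addr, port, count):
    """Yield (source_ip, datagram) for the next `count` UDP datagrams on the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        for _ in range(count):
            data, (source_ip, _source_port) = sock.recvfrom(8192)
            yield source_ip, data


# Constructed datagrams: <188> = local7/warning, <189> = local7/notice,
# <134> = local0/informational, and one payload with no priority header.
SAMPLES = [b"<188>constructed sample: disk usage high",
           b"<189>constructed sample: configuration changed",
           b"<134>constructed sample: message from another device",
           b"constructed sample without a priority header"]

if __name__ == "__main__":
    if len(sys.argv) < 3:
        for sample in SAMPLES:  # offline demonstration on the constructed datagrams
            print(sample[:24], check(sample, "local7", "warning") or "ok")
    else:  # usage: script.py <facility> <threshold> [port]
        udp_port = int(sys.argv[3]) if len(sys.argv) > 3 else 514
        for source, data in listen("0.0.0.0", udp_port, count=5):
            print(source, check(data, sys.argv[1], sys.argv[2]) or "ok")
```

Binding to UDP port 514 normally requires administrative privileges on the receiving host; pass a higher port as the third argument if you configured a different Port on FortiRecorder.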
Alert email
As the FortiRecorder system administrator, you can receive alert email whenever an important
system event occurs, such as the hard disk being full and so on. Before you configure alert
email, you must configure the mail server settings so that FortiRecorder can send out email. For
details see “Configuring FortiRecorder to send notification email”.
You can configure up to 10 alert email addresses.
To configure alert email settings
1. Go to Logs and Alerts > Alert Email > Configuration.
2. Click New.
3. Type your email address, such as admin@example.com.
This setting is the recipient only for appliance-related notifications, such as the hard disk
being full. It does not configure the recipient of camera-related notifications, such as motion
detection. For this kind of video-related notifications, see “Notifications”.
4. Click Create.
5. Go to Logs and Alerts > Alert Email > Categories. Mark the check boxes of all appliance
events that you want to trigger an alert email to be sent, such as:
Setting name
Description
Critical events
Enable to notify when serious system events occur such as
daemon crashes. See also “Resource issues”.
Disk is full
Enable to notify when the disk partition that stores log data is full.
See also “Data storage issues”.
Camera device
Enable to notify when a defined camera configuration has been
enabled or disabled, or if there are problems with the camera.
(The FortiRecorder NVR will not control or record video from a
camera that is not enabled in its list of known, configured devices.
See “Camera settings”.)
Camera communications
Enable to notify when there has been a network error during
communications between the NVR and camera. See also
“Connectivity issues”.
Camera recording
Enable to notify when an issue prevents a camera from recording.
See also “Video viewing issues” and “Connectivity issues”.
Camera disk
Enable to notify when the disk partition that stores video data is
full. See also “Data storage issues”.
6. Click Apply.
Camera settings
Before connecting to your cameras, you must configure the settings that will be used by them.
To reduce overhead, you don’t need to create settings for each camera. Instead, configure
items such as schedules and video quality once, then re-use those same settings for all
cameras that should be similarly configured.
Camera configuration workflow
Camera configuration involves the following steps:
1. Video profiles define video quality. Video profiles are used in camera profiles. To configure
video profiles, go to Camera > Configuration > Video Profile. For details, see “Configuring
video profiles”.
2. Recording schedules define when to start and stop video recording. Recording profiles are
used in the camera profiles. To configure recording schedules, go to Camera > Schedule >
Recording Schedule. For details, see “Configuring recording schedules”.
3. Camera profiles define video storage options and recording schedules (either continuous or
motion detection). Camera profiles will be used when you configure the discovered cameras.
To configure camera profiles, go to Camera > Configuration > Camera Profile. For details,
see “Configuring camera profiles”.
4. Connect the camera to the NVR. FortiRecorder NVR can discover the connected cameras
automatically and display them under Camera > Configuration > Camera with Status as Not
Configured. See “Connecting FortiRecorder to the cameras”.
5. After you configure the above settings, go to Camera > Configuration > Camera to configure
all other camera settings, such as IP address, motion detection windows, and so on. See
“Configuring cameras”.
6. Go to Camera > Configuration > Camera Group to add individual cameras to different groups
to facilitate camera management. For details, see “Camera groups”. Camera groups are
used in user profiles. For details, see “User configuration workflow”.
Configuring video profiles
Video profiles define the video quality that you want the camera to capture and stream to the
NVR. Note that the higher the video quality, the more bandwidth it consumes.
The video profiles will be used in the camera profiles. For details, see “Configuring camera
profiles”.
To configure a video profile
1. Go to Camera > Configuration > Video Profile.
2. Click New.
3. Configure the following, then click Create.
Setting name
Description
Name
Type a name (such as live-stream1) that can be referenced
by other parts of the configuration. Do not use spaces or
special characters. The maximum length is 35 characters.
Resolution
Select the amount of detail (the number of pixels) in the
image.
• High — 1280 x 1024 pixels
• Medium — 640 x 512 pixels
• Low — 320 x 256 pixels
Lower resolution is faster to transmit and results in less delay
between reality and live video, but shows less detail. High
resolution may therefore be preferable if the camera is
recording a large space such as a parking lot, where small
details could in reality be large objects such as people or cars.
Note: Resolution greatly impacts performance, bandwidth,
and the rate at which disk space is consumed. See “Video
performance”.
Frames per second
Type the number of frames per second (FPS).
Conventional video is 24 frames per second. More frames per
second may be useful if you need to record very fast motion,
but increasing FPS will also increase disk usage and CPU
usage.
Bit rate mode
Select the bit rate mode.
• Variable — Automatically adjust the stream to the
minimum bit rate required by the current video frames
while maintaining video quality.
• Fixed — Manually specify a constant bit rate in Bit rate.
Specifying a bit rate that is too low may result in poor
quality. Specifying a bit rate that is too high may
needlessly consume extra bandwidth.
Bit rate
Type the bit rate that will be used.
This setting appears and is applicable only if Bit rate mode is
Fixed.
Quality
Select the degree of compression.
Greater compression reduces required network bandwidth
but causes greater CPU usage.
Configuring camera profiles
A camera profile defines the video profiles to use, video storage options, and recording
schedules.
To configure camera profiles
1. Go to Camera > Configuration > Camera Profile.
2. Click New.
3. Configure the following, then click Create.
Setting name
Description
Name
Type a name (such as camera-settings1) that can be
referenced by other parts of the configuration. Do not use
spaces or special characters. The maximum length is 35
characters.
Recording Stream profile
Select the video profile that will be used when recording
video from the camera.
Note: This will determine video quality and size for video files
downloaded or when playing previously recorded clips (see
“The notification window will be replaced with a video clip
player.”), and therefore usually should be better or equal in
quality to Viewing Stream profile.
Viewing Stream profile
Select the video profile that will be used when streaming live
video feeds to an operator’s or viewer’s web UI. It does not
affect:
• previously recorded video files
• streams to the web UI for administrator accounts
Note: If Viewing Stream profile has better resolution than
Recording Stream profile, this setting will be ignored and
Recording Stream profile will be used instead. (The purpose
of this setting is to define how FortiRecorder will conserve
bandwidth when multiple people are watching the live feed. A
higher-bandwidth video profile would contradict this purpose,
and is therefore considered by the FortiRecorder to be a
misconfiguration.)
Storage option
Select whether to:
• Keep — Retain video until all available disk space is
consumed
• Delete — Remove video when it exceeds a maximum age.
• Move — Relocate video to external storage when it
exceeds a maximum age. This option appears if you have
configured network storage (see “Remote storage”).
If you choose to delete old video, also configure the maximum
amount of time to keep video recording files from this camera.
Files whose start time is older than this age will be deleted in
order to free disk space for new video recordings.
Large recordings will be stored on the hard disk as multiple
video files. In that case, the oldest part of the recording will be
deleted first.
Schedules
From the Available column, select one or more schedules that
you want this camera to follow, then click the right arrow to
move them into the Selected column. (Available contains both
the list of predefined schedules and schedules that you
configured in “Configuring recording schedules”, if any.)
According to your selected schedules, the FortiRecorder NVR
will tell the camera to start and stop continuous or
motion-triggered recording. It will periodically poll the camera
to make sure that it is following the prescribed schedule.
Note: Only non-overlapping, non-conflicting schedules
should be selected. The camera cannot, for example, follow
both a continuous and motion-detecting schedule at the
same time. If you select conflicting schedules, when you try to
click OK to save the camera settings, an error message such
as the following will appear:
A schedule conflict was detected. (Schedules
weekdays and business_hours conflict on
Wednesday 2013-02-20 at 01:00)
Configuring recording schedules
Schedules combine two things: a time schedule, and whether recording is continuous or
triggered by motion detection.
Schedule configuration is not required unless the predefined schedule/recording trigger types
do not fit your requirements. Alternatively, you can manually record without a schedule, by
using the manual control buttons on Monitor > Video Monitor > Live Video Feed. However, for
set-it-and-forget-it ease of use, and to enable the FortiRecorder NVR to monitor for unexpected
camera IP address changes and other connectivity interruptions, schedules are recommended.
To configure recording schedules
1. Go to Camera > Schedule > Recording Schedule.
2. Click New and configure the settings, then click Create.
Setting name
Description
Enable
Select to enable this schedule so that it can be selected when
configuring camera profiles. See “Configuring camera profiles”.
Name
Enter a name for the schedule.
Description
Optionally enter a description.
Mode
Select a schedule mode:
• Recurring: for schedules that recur at specified times on selected
days.
• On Dates: for schedules on specific dates and times.
When selecting schedules in a camera profile, the On Dates
schedules can overlap the Recurring schedules with the On Dates
schedules taking precedence. For example, if there is a recurring
9AM-5PM Monday to Friday continuous recording on a camera, but
on holidays only motion-detection recording is desired, then an On
Dates schedule with 9AM-5PM motion-detection recording on those
holidays can be applied together with the recurring continuous
recording schedule.
Schedule Entries
For Recurring mode, you can specify the recording type (either
continuous or motion-detection) and the days and time for recording.
For On Dates mode, you can specify the recording type (either
continuous or motion-detection) and the time interval for recording.
For Recording Type, select one or more of the following:
• Continuous: records video for the entire duration of the schedule,
regardless of movement or any other triggers.
• Motion detection: records a video clip up to about 40 seconds
long each time the camera’s sensor detects movement.
• Digital input: records a video clip up to about 40 seconds long
each time the camera receives a trigger from the digital input. For
details about how to use digital input and output (DIDO), see
“Configuring cameras”.
This option only takes effect if the camera supports DIDO.
• Audio detection: records a video clip up to about 40 seconds
long each time the camera detects audio activity. You can define
the audio sensitivity when configuring camera settings. For
details, see “Configuring cameras”.
This option only takes effect if the camera supports audio
surveillance.
You cannot create a recurring recording schedule where the hours vary by the day of the week,
but you can achieve the same effect if you create multiple schedules, then select all of them
when configuring the camera profile.
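The precedence rule for the Mode setting above and the conflict rule described under Schedules in “Configuring camera profiles” can be checked on paper before the schedules are selected in the web UI. The following Python code is an added example, not part of the original guide and not FortiRecorder's own logic: it assumes that two schedules of the same mode conflict when they overlap in time with different recording types, and the Schedule class, function names and sample dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from itertools import combinations

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday",
        "Saturday", "Sunday")


def hm(text):
    """Convert "HH:MM" (00:00 through 24:00) to minutes after midnight."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


@dataclass(frozen=True)
class Schedule:
    # Hypothetical model of a schedule with one entry (assumption).
    name: str
    mode: str                          # "recurring" or "on_dates"
    rec_type: str                      # "continuous" or "motion"
    start: int                         # minutes after midnight, inclusive
    end: int                           # minutes after midnight, exclusive
    weekdays: frozenset = frozenset()  # recurring: 0=Monday .. 6=Sunday
    dates: frozenset = frozenset()     # on_dates: specific calendar dates

    def covers_day(self, day):
        if self.mode == "recurring":
            return day.weekday() in self.weekdays
        return day in self.dates


def find_conflicts(schedules, first_day, num_days):
    """List same-mode schedules that demand different recording types at once."""
    messages = []
    for offset in range(num_days):
        day = first_day + timedelta(days=offset)
        todays = [s for s in schedules if s.covers_day(day)]
        for a, b in combinations(todays, 2):
            if a.mode != b.mode or a.rec_type == b.rec_type:
                continue  # On Dates may overlap Recurring; same type is fine
            overlap_start = max(a.start, b.start)
            if overlap_start < min(a.end, b.end):
                messages.append(
                    "Schedules %s and %s conflict on %s %s at %02d:%02d"
                    % (a.name, b.name, DAYS[day.weekday()], day.isoformat(),
                       overlap_start // 60, overlap_start % 60))
    return messages


def recording_type_at(schedules, moment):
    """Return the recording type in force at `moment`, or None."""
    minute = moment.hour * 60 + moment.minute
    active = [s for s in schedules
              if s.covers_day(moment.date()) and s.start <= minute < s.end]
    # On Dates schedules take precedence over Recurring schedules.
    for mode in ("on_dates", "recurring"):
        for s in active:
            if s.mode == mode:
                return s.rec_type
    return None


# Constructed sample schedules, modelled on the examples in the text.
WORK_WEEK = frozenset(range(5))  # Monday to Friday
BUSINESS_HOURS = Schedule("business_hours", "recurring", "continuous",
                          hm("09:00"), hm("17:00"), weekdays=WORK_WEEK)
HOLIDAYS = Schedule("holidays", "on_dates", "motion",
                    hm("09:00"), hm("17:00"),
                    dates=frozenset({date(2015, 5, 25)}))
WEEKDAYS = Schedule("weekdays", "recurring", "motion",
                    hm("00:00"), hm("24:00"), weekdays=WORK_WEEK)

if __name__ == "__main__":
    ok = [BUSINESS_HOURS, HOLIDAYS]
    print(find_conflicts(ok, date(2015, 5, 25), 7))
    print(recording_type_at(ok, datetime(2015, 5, 25, 10, 0)))
    for line in find_conflicts([WEEKDAYS, BUSINESS_HOURS], date(2013, 2, 20), 1):
        print(line)
```

Schedules whose hours vary by day of the week are modelled the same way as in the web UI: one Schedule per set of days, all passed to the checker together.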
Camera groups
After you have configured the cameras, you can group them to simplify camera
management. When you add administrators, operators, or viewers later on, you can specify the
camera group they can access, instead of individual cameras. For details, see “User management”.
To configure camera groups, go to Camera > Configuration > Camera Group.
Camera connection
After you have configured the NVR and camera settings, you can install and connect cameras to
the FortiRecorder NVR. For information about how to physically install a camera, see the
camera’s QuickStart Guide.
Camera discovery and DHCP service
In order for the FortiRecorder NVR to be able to discover cameras and receive video, cameras
must first get their IP addresses and other network settings from either the FortiRecorder
built-in DHCP server or any other third-party DHCP server on your network.
• FortiRecorder DHCP server — If you do not have a DHCP server in your network, or you
are installing the FortiRecorder and the cameras in their own dedicated network, you must
configure the built-in DHCP server on the FortiRecorder. For example, if you configured the
built-in DHCP server to provide DHCP service through port2, and port2 is connected to a
PoE switch, you would connect the cameras to the PoE switch. The switch would supply
power to the cameras, and through it, the cameras would be able to access the DHCP
server. For information about FortiRecorder DHCP server configuration, see “Configuring the
DHCP server”.
• Other DHCP server — If you already have a DHCP server in your network and the
FortiRecorder and cameras will be installed in the existing network, the cameras will get their
IP addresses from the DHCP server after you connect and power up the cameras.
If you connect a camera to FortiRecorder before any DHCP server is configured, the camera will
assign itself a default IP address, which might not work on your subnet. In this case, you
must reboot the camera after you have configured a DHCP server, so that the camera can get
network settings from the DHCP server.
Since you can configure the camera to use a static IP address, you only need the DHCP server
for the initial camera discovery.
Later, after each camera has network settings from DHCP, you can either:
• Continue using DHCP — Leave the cameras plugged into their current network location.
Configure the DHCP server to reserve a specific IP lease for each camera. This will mimic
configuring the cameras with a static IP address, yet will provide the advantage that IP
addresses remain centrally managed.
If you continue to let your cameras use DHCP, you should configure Reserved IP Address (or,
on a third-party DHCP server, the equivalent setting). Omitting this may appear to work
initially, but could eventually cause periodic, temporary interruptions in connectivity with the
NVR, resulting in lost video.
This can happen if either the DHCP pool is too small for the number of cameras, or if a
misconfigured computer accidentally takes a camera’s DHCP lease: the DHCP server will
ultimately be forced to assign the camera’s IP address to a different client. If this happens,
when the camera next requests a lease, it will receive a new, different IP address, and the NVR
will not be notified.
Connectivity interruptions are usually self-correcting: within a few minutes, the
FortiRecorder NVR should detect the camera’s IP address change. To restore connectivity
manually, either manually update the camera’s definition on the NVR to reflect the new IP, or
discover the camera again.
• Switch the camera to a static IP — Use the FortiRecorder NVR to configure the camera
with a static IP address. This removes the requirement for your cameras to remain within
reach of the DHCP server, which provides 2 advantages:
• You can disable DHCP if not otherwise required (recommended for better security).
• You can move the cameras to a remote location on your network that would not ordinarily
be reachable by your DHCP server.
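The two failure causes named above (a camera on DHCP without a reserved lease, and a pool too small for its clients) can be checked against an inventory before cameras go into service. The following Python code is an added example, not part of the original guide or of FortiRecorder: the function name, the inventory layout and all addresses are constructed, and it assumes that reservations inside the pool range use up pool addresses.

```python
import ipaddress


def audit_camera_addressing(pool_start, pool_end, reservations, cameras,
                            other_clients=0):
    """Return findings for cameras whose address depends on DHCP.

    reservations:  {mac: ip} reserved leases configured on the DHCP server.
    cameras:       dicts with "name", "mac", "mode" ("dhcp"/"static"), "ip".
    other_clients: estimated number of non-camera DHCP clients on the segment.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    reserved = {mac.lower(): ipaddress.ip_address(ip)
                for mac, ip in reservations.items()}
    findings = []

    # Two MAC addresses must never share one reserved address.
    owners = {}
    for mac, ip in sorted(reserved.items()):
        if ip in owners:
            findings.append("%s is reserved for both %s and %s"
                            % (ip, owners[ip], mac))
        owners.setdefault(ip, mac)

    unreserved = 0
    for cam in cameras:
        if cam["mode"] != "dhcp":
            continue  # a static camera does not depend on a lease
        lease = reserved.get(cam["mac"].lower())
        if lease is None:
            unreserved += 1
            findings.append("%s: uses DHCP without a reserved lease"
                            % cam["name"])
        elif lease != ipaddress.ip_address(cam["ip"]):
            findings.append("%s: NVR definition says %s, reservation says %s"
                            % (cam["name"], cam["ip"], lease))

    # Assumption: reservations inside the pool range use up pool addresses.
    in_pool = sum(1 for ip in set(reserved.values()) if start <= ip <= end)
    free = int(end) - int(start) + 1 - in_pool
    demand = unreserved + other_clients
    if demand > free:
        findings.append("pool too small: %d dynamic clients, %d free addresses"
                        % (demand, free))
    return findings


# Constructed inventory; MAC addresses are from the documentation range.
RESERVATIONS = {"00:00:5E:00:53:01": "192.168.1.100"}
CAMERAS = [
    {"name": "front-door1", "mac": "00:00:5e:00:53:01", "mode": "dhcp",
     "ip": "192.168.1.100"},
    {"name": "lobby1", "mac": "00:00:5e:00:53:02", "mode": "dhcp",
     "ip": "192.168.1.101"},
    {"name": "parking1", "mac": "00:00:5e:00:53:03", "mode": "static",
     "ip": "192.168.1.50"},
]

if __name__ == "__main__":
    for finding in audit_camera_addressing("192.168.1.100", "192.168.1.103",
                                           RESERVATIONS, CAMERAS,
                                           other_clients=3):
        print(finding)
```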
Connecting FortiRecorder to the cameras
After you configure the DHCP server (you do not have to if you already have one), you can
connect and configure the cameras.
Once you connect the cameras to the NVR, the NVR can automatically discover the cameras.
Then you can configure the discovered cameras.
Requirements
• On your computer, the Apple QuickTime 7.1 or greater plug-in installed for your web
browsers
• At the camera’s location on the network, power over Ethernet (PoE)
This could be provided by a FortiSwitch-80-PoE or perhaps your ISP’s cable modem.
To connect FortiRecorder to your cameras
1. If this is the first time you connect to FortiRecorder, change your PC’s IP address to be on
the same subnet as the FortiRecorder port1’s default IP address 192.168.1.99. For example,
set your PC’s IP to 192.168.1.98.
2. Connect your PC and FortiRecorder’s port1 to a PoE switch. Do not connect the camera to
the switch at this stage.
3. On your PC, open a web browser and connect to https://192.168.1.99. Log in to the admin
administrator account with Name: admin and Password: (none).
4. If you want to use the FortiRecorder DHCP service, configure the DHCP server as described
in the next step. If you already have a DHCP server to use on your network, skip the next
step.
5. On the FortiRecorder web UI, go to System > Network > DHCP, and click New to create a
new DHCP server on port1.
Make sure to enable DHCP server and to select port1.
6. Go to System > Network > Interface. Select port1 and click Edit.
7. Make sure Discover cameras on this port is enabled.
8. Connect the camera to the PoE switch now.
If you connect the camera to the switch before you have configured and enabled the DHCP
server on FortiRecorder, the camera will use its default IP address, which might not work
on your network. In that case, you must reboot the camera by unplugging it from the switch
and plugging it back in, so that it gets an IP address from the FortiRecorder DHCP server.
9. Go to Camera > Configuration > Camera, and click Discover. After several seconds, a list of
discovered cameras should appear. Newly discovered cameras will be highlighted in yellow,
and their Status column will contain Not Configured.
Figure: the camera list, showing the Discover button, discovered but not configured cameras (highlighted in yellow), and configured cameras.
10. Double-click the discovered camera to configure the camera settings. For details, see
“Configuring cameras”.
11. Go to Monitor > Video Monitor to view the live feed from the camera.
Configuring cameras
After you have connected the cameras to FortiRecorder, you can start to configure the
discovered cameras. Because most of the camera information has been retrieved from the
camera, you do not have to change the settings. But if you are adding a remote camera or
adding a new camera before connecting it to FortiRecorder, you must specify all the camera
settings.
1. Go to Camera > Configuration > Camera. For each discovered camera, click its row to select
it, click Configure, then configure these settings:
Setting name
Description
Enable
Mark this check box to enable the FortiRecorder NVR to
communicate with this IP address. Communications are
required to trigger scheduled recordings and other camera
commands.
Name
Type a name (such as front-door1) that can be referenced
by other parts of the configuration. Do not use spaces or
special characters. The maximum length is 35 characters.
Location
Optional. Type a description of the camera’s physical location
that can be used if the camera is hidden, in case it is forgotten
or lost.
Vendor/Camera
FortiRecorder supports Fortinet cameras (FortiCam series)
and third-party, ONVIF-compliant cameras.
If you are configuring a discovered camera, most of the
camera information has been retrieved and displayed. You
can also click the Camera detail button to refresh the camera
information.
If you are adding a remote camera, or adding a new camera
before it is connected, you must specify all the settings. For
the Fortinet FortiCam cameras, you must specify the models;
for the non-Fortinet cameras, you must specify the camera’s
login credentials (user name and password) for FortiRecorder
to access it.
Model
Select the name of the camera model, such as FCM-20A for a
FortiCam 20A.
Address mode
Select either:
• Wired — Select this option if you want to keep the camera
connected with the Ethernet cable on the same subnet.
• Wireless — Select this option if you want to change the
camera connection from wired to wireless. Also configure
the WiFi settings on the WiFi tab.
• VIP — Allow the camera to continue using DHCP to
determine its IP address, but the camera will be on a
remote network, and therefore the FortiRecorder NVR will
not connect to the camera’s DHCP address. Instead, the
NVR will connect through the static external, usually
public network IP address and port numbers (called a
virtual IP or VIP on FortiGate firewalls) specified in
Address, (HTTPS) Port, and (RTSP) Port. The router or
firewall will translate and forward connections to the
camera’s private network address.
Likewise, communications in the other direction — from
the camera to the FortiRecorder NVR — are also affected:
the camera will use the public IP setting as its destination
(see “Configuring system timeout, ports, and public
access”), not the private network address of port1, for
example, which it would use if you select DHCP or Static.
Tip: Use this option if the camera is not located on the
same private network as the FortiRecorder NVR due to
NAT/port forwarding, especially if the camera and NVR
are separated by the Internet.
Address
If you want to deploy the camera to a different subnet, you
can specify its new IP address or the VIP that it will be using.
(HTTPS) Port
Type the port number of configuration communications from
the FortiRecorder that the firewall or router will forward to the
camera. If using only a WAN/virtual IP without port
forwarding/translation, leave this setting at its default value,
443.
This setting is available only when Address mode is set to VIP.
(RTSP) Port
Type the port number of video streaming commands (RTSP)
from the FortiRecorder that the firewall or router will forward
to the camera, such as when beginning a continuous
recording schedule. If using only a WAN/virtual IP without port
forwarding/translation, leave this setting at its default value,
554.
This setting is available only when Address mode is set to VIP.
Transport Type
Normally, RTSP is used for video streaming, carried over UDP. If
you want to use TCP, you can use HTTP tunnelling. If you
want the communication to be secure (encrypted), you can use
HTTPS tunnelling.
The tunnel is between the camera and the NVR.
Profile
Select the camera profile that indicates the recording
schedule, video quality, and other settings that will be used by
this camera (see “Connecting FortiRecorder to the cameras”).
Or click New to create a new camera profile.
If a camera is disabled while you change its settings, or while it would normally be scheduled to
begin continuous or motion detection recording, the FortiRecorder NVR will not connect to the
camera.
This can break communications between them: if you reconfigure the IP while the camera is
disabled, your FortiRecorder NVR may later attempt to communicate with the camera at the
new address/gateway, but the camera will still be using the old address/gateway. It can also
cause cameras to become out-of-sync, because they will not receive time setting changes
while disabled. To fix this, disable the camera definition, revert the settings, enable the camera
definition again, then apply your changes while the camera definition is enabled.
2. Click the Preview button to retrieve a single still image from the camera. Then click Use As
Icon to use the captured image as the icon for the camera in the camera list. When you
select the camera from the list, the icon will pop up.
3. Depending on the camera model you are configuring, different tabs appear.
4. If the address mode is wired or wireless, under the network tab, configure the following:
Setting name
Description
Wired settings
Select DHCP if you want the camera to continue using DHCP to
dynamically determine its IP address. The FortiRecorder NVR will
attempt to keep track of any DHCP-related IP address changes
automatically using periodic mDNS probes. This requires that the
camera remain on the same subnet as the NVR.
Select Static to re-configure the camera with a static private network
IP address that you specify in Address. It will no longer use DHCP. This
option requires that the camera and NVR not be separated by NAT.
Caution: It is strongly recommended to either:
• configure your cameras with a static IP, or
• configure your DHCP server with lease reservations (see
“Configuring the DHCP server”).
Without reservations, the IP address provided by the DHCP server may
appear to work initially, but later, in some cases, the DHCP server could
change the IP address lease. If this happens, the DHCP server will not
update the list of known cameras with the camera’s new dynamic IP.
Until the appliance discovers that the IP address has changed,
FortiRecorder will still be trying to control the camera’s old address,
which no longer works. Connections with that camera will be
broken and all video from that camera will be lost during that
interruption.
Wireless settings
This area displays the wireless DHCP settings for the camera. You can
change the camera to use a static IP address. For more information
about wireless connections, see the following WiFi section.
5. If the camera has wireless function and you want it to connect to FortiRecorder through a
wireless router, you can specify the WiFi settings on the WiFi tab. After you configure the
WiFi settings, you can disconnect the discovered camera and connect it to the router.
Setting name
Description
Enable
Select to Enable the WiFi function of the camera.
SSID
Specify the wireless router’s SSID that the camera will connect to.
Security
Specify the security settings.
6. If the camera supports infrared recording or LED lighting, configure the settings on the Light
or Infrared tab.
Setting name
Description
Mode
Either off or auto. Auto means to turn on infrared mode at the
threshold.
LED
Either off or auto. Auto means to turn on the LED lights when
infrared mode is turned on.
Enable threshold
Enter the light level at which infrared mode should turn on.
Disable threshold
Enter the light level at which infrared mode should turn off.
Threshold time
Enter the time (in seconds) that the camera should wait after the
threshold is reached before turning infrared mode on or off.
Current light level
Displays the current light level that the camera detects.
Refresh
Click to get an instant light level reading.
7. Configure the video and audio settings on the Video/Audio tab. Available settings vary by
camera model. If a setting is greyed out, it is not supported on the
selected model.
Setting name
Description
Horizontal flip
Enable if the camera is positioned looking at a mirror or on a ceiling,
and the preview image appears to be reversed left to right.
Vertical flip
Enable if the camera is positioned on a ceiling, and the preview image
appears to be upside down.
WDR
If the camera supports WDR (wide dynamic range), enable it if there is
intense backlight in the camera view.
Environment
Select whether the camera is installed indoors or outdoors.
View angle
Select the view angle, if the camera supports it.
Get feed/Stop feed
Click to view or stop the live video feed.
(Other settings)
Configure the brightness, contrast, saturation, sharpness, zoom level,
and audio input level as required.
8. In some cases, you may want to mask an area so that a certain portion of
the image is not shown. For example, for privacy reasons, you may want to mask the area where an
employee sits. To do this, on the Privacy Mask tab, click the plus sign beside Mask Window
and adjust the window size. To add another mask window, click the plus sign again.
9. All FortiCam cameras are capable of detecting motion. Some camera models also support
audio surveillance and digital input and output (DIDO).
By default, while using motion detection, cameras will be triggered to record if any motion
occurs within their entire field of vision. If some parts of the view, such as a fan, traffic, or
strobe light, would inadvertently trigger motion detection, in the Motion detection windows
area on the Detection tab, click the plus sign. A rectangle with a thick, white border will
appear over the preview image, indicating the area that will be monitored for movement. To
resize it to your intended area, click and drag the edges of the rectangle. To move it, hold
down the Shift key while you click and drag it. To add another motion detection area, click
the plus sign again.
For audio detection and DIDO, configure the following settings:
Setting name
Description
Audio Sensitivity
If the camera supports audio surveillance, specify the sensitivity level
at which camera recording will be triggered. You may need to adjust the
sensitivity level, for example, when there is background noise.
PIR Sensitivity
Digital input/output
Some cameras come with DIDO terminals and support digital input
and output. For example, on the FortiCam MB13 camera, according to
your configuration, power signal from the digital input can trigger the
camera to record a video clip. You can also optionally connect other
devices to the digital output, such as a relay to turn on/off another
device.
DIDO connection diagram on FortiCam MB13
4. Power output +5V
3. Digital output
2. Digital input
1. Ground
The digital input (DI) can be configured to trigger when the signal is:
• LOW (ground)
• HIGH (+5V)
• Rising (transitioning from LOW to HIGH)
• or Falling (transitioning from HIGH to LOW)
If not connected, the camera will see the digital input as HIGH.
The digital output (DO) can be configured to either be grounded or
open when in the triggered state. When not triggered it will be in the
opposite state.
For example, if opening a door causes a sensor switch to open, then
the switch could be wired between DI and ground. DI will be grounded
(LOW) while the door is closed and will go HIGH when the door opens.
DI could then be configured to trigger on the rising edge. When the
door opens, DO would be set to its triggered state and a video clip will
also be recorded.
Triggering on the rising or falling edge can be useful if the DI might be
held in the triggered state for a long period. In the example above, if DI
were set to trigger on HIGH and the door is left open for a long period
then the camera would trigger repeatedly.
10. On the Miscellaneous tab, configure the following settings:
Setting name
Description
Privacy button
FortiCam MB13 has a privacy button on it. If enabled, you can press
the privacy button on the camera to stop and resume video and audio
monitoring.
To enable the functionality of the privacy button on the camera, select
the Privacy button checkbox.
To disable the functionality of the privacy button on the camera, clear
the Privacy button checkbox.
Status LEDs
Most cameras come with LED indicators (for details, see the LED
description section in the camera’s QuickStart Guide). You can
enable or disable the LEDs by selecting or deselecting the Status
LEDs checkbox.
11. Click OK.
If you kept the Enabled check box marked, at this time, FortiRecorder connects to the
camera’s discovered IP address. FortiRecorder configures the camera with:
• the camera’s new Address and other network settings (if Address mode is set to Static)
• NTP settings (if you configured them for FortiRecorder during “Setting the system time”)
Afterwards, in order to control the camera according to your selected schedules,
FortiRecorder will periodically connect to the camera’s configured IP address. It will also
keep video recordings sent by that camera from its new IP address.
12. To confirm that FortiRecorder can receive video from the camera at its new IP address, go to
Monitor > Video Monitor.
If no video is available from that camera, verify that:
• Other video software such as Windows Media Player or VLC has not taken over the RTSP file
type association from QuickTime. (Installing other video software after QuickTime is a
common cause of changes to media file type associations.)
• A route exists to the camera’s new IP address and, if applicable, its virtual IP/port forward
To confirm, go to Monitor > System Status > Console and enter the command:
execute ping <camera_ipv4>
where <camera_ipv4> is the camera’s IP address or virtual IP/port forward. If you
receive messages such as Timeout..., to locate the point of failure on the network,
enter the command:
execute traceroute <camera_ipv4>
• Firewalls and routers, if any, allow both RTSP and RTCP components of the RTP
streaming video protocol between FortiRecorder and the camera and between your
computer and FortiRecorder (see “Appendix A: Port numbers”)
• Web proxies or firewalls, if any, support streaming video
If you did not discover the camera but instead manually configured FortiRecorder with the
camera’s IP address, confirm that the camera is actually located at that address.
To receive notifications if the camera’s connection with the FortiRecorder NVR is interrupted,
see “Alert email”.
See also
• Watching live video feeds
• Connectivity issues
User management
In its factory default configuration, FortiRecorder has one administrator account named admin.
This administrator has permissions that grant full access to FortiRecorder’s settings and
features.
To prevent accidental changes to the configuration, it’s best if only network administrators —
and if possible, only a single person — use the admin account. You can use the admin
administrator account to configure more accounts for other people.
User types
To serve different purposes, you can configure the following three user types:
• Administrator — Suited to network technicians or administrators. Depending on the access
privileges, the administrator account can have full or partial access to configure all
FortiRecorder NVR network and camera settings, create accounts, receive all notifications
via email, and view live video feeds and previous recordings from all cameras.
• Operator — Suited to an office manager or perhaps security guard. The account can view
assigned live camera feeds and associated previous recordings, including camera-based
notifications via email (“snapshot notifications”). It can change its own password, but
otherwise cannot change the FortiRecorder NVR or camera configuration, reducing risk of
accidental misconfiguration.
• Viewer — Suited to a security guard. Only assigned live camera feeds. It cannot view
previous recordings, and therefore cannot receive snapshot notifications. It can change its
own password, but otherwise cannot change the FortiRecorder NVR or camera
configuration.
Multiple administrators should not be logged in simultaneously. If configuring the same item at
the same time, the administrators could inadvertently overwrite each others’ changes.
For user authentication, FortiRecorder supports local user authentication, LDAP authentication
and RADIUS authentication. For details, see “Configuring LDAP authentication” and
“Configuring RADIUS authentication”.
User configuration workflow
The Administrator user type can access all cameras at all times. For operator and viewer user
types, you can specify when and which cameras the users can access. To achieve this, you
must configure access schedules and user profiles first.
1. Go to System > Administrator > Access Profile to configure the access privileges for the
administrator accounts. The access profile will be used in the administrator settings.
2. Go to System > Administrator > Access Schedule to configure when the user is allowed to
access video feeds. The access profiles will be used in the user profiles you need to
configure in the next step. If no access schedule is specified, then the user is allowed to
access the video all the time.
3. Go to System > Administrator > User Profile to configure which camera group the user is
allowed to access. If no camera group is specified, then the user can access all
cameras. The user profiles will be used in the user settings you need to configure in the next
step. For details about configuring camera groups, see “Camera groups”.
4. Go to System > Administrator > Administrator to configure all other user settings.
Configuring user accounts
After you configure access profiles and user profiles, you can start to add user accounts.
To configure an account
1. Go to System > Administrator > Administrator.
To access this part of the web UI, your account’s Type must be Administrator.
2. Click New.
A dialog appears.
3. Configure these settings:
Setting name
Description
Username
Type the name of the account, such as IT, that can be referenced in
other parts of the configuration.
Do not use spaces or special characters. The maximum length is 35
characters.
Note: This is the entire user name that the person must provide when
logging in to the CLI or web UI. Depending on Authentication, your
external authentication server may require that you enter both the user
name and the domain part, such as guard@example.com.
Display name
Type a name for the recipient, such as FortiRecorder admin, as
you want it to appear in snapshot notifications, if any, sent by
FortiRecorder.
Email address
Type the person’s email address or an email alias, such as
all-admins@example.com, that will receive snapshot notifications,
if any, sent by FortiRecorder (see “Configuring FortiRecorder to send
notification email”).
If you do not know the email address and cannot provide it, don’t
worry. The person still will be able to view camera-related notifications
whenever he or she logs in to the FortiRecorder NVR. Additionally, the
person can configure his or her own email address later, when he or
she logs in.
Note: This is not used by accounts whose Type is Viewer; they cannot
receive snapshot notifications.
Message method
Select either Email or SMS to send notification messages to this user.
For details about notifications, see “Notifications”.
Password
Type a password for the account.
This field is available only when Authentication is Local or RADIUS +
Local.
Tip: For improved security, the password should be at least eight
characters long, be sufficiently complex, and be changed regularly. To
check the strength of your password, you can use a utility such as
Microsoft’s password strength meter.
Confirm Password
Re-enter the password to confirm its spelling.
Trusted hosts
This field is available only when Authentication is Local or RADIUS +
Local.
Type the IP address and netmask from which the account is allowed
to log in to the FortiRecorder appliance. You can specify up to 10
trusted network areas. Each area can be a single computer, a whole
subnet, or a mixture.
To allow login attempts from any IP address, enter 0.0.0.0/0.
To allow logins only from a single computer, enter its IP address and a
32-bit netmask, such as:
172.168.1.50/32
Caution: If you configure trusted hosts, do so for all accounts. Failure
to do so means that all accounts are still exposed to the risk of brute
force login attacks. This is because if you leave even one account
unrestricted (i.e. 0.0.0.0/0), the FortiRecorder appliance must allow
login attempts on all network interfaces where remote administrative
protocols are enabled, and wait until after a login attempt has been
received in order to check that user name’s trusted hosts list.
Tip: If you allow login from the Internet, set a longer and more
complex Password, and enable only secure administrative access
protocols (HTTPS and SSH) to minimize the security risk. For
information on administrative access protocols, see “NVR
configuration”.
Tip: For improved security, restrict all trusted host addresses to single
IP addresses of computer(s) from which only this administrator will log
in.
Type
Select either:
• Administrator — Suited to network technicians or administrators.
The account has full access to configure all FortiRecorder NVR
network and camera settings, create accounts, receive all
notifications via email, and view live video feeds and previous
recordings from all cameras.
• Operator — Suited to an office manager or perhaps security
guard. The account can view assigned live camera feeds and
associated previous recordings, including camera-based
notifications via email (“snapshot notifications”). It can change its
own password, but otherwise cannot change the FortiRecorder
NVR or camera configuration, reducing risk of accidental
misconfiguration.
• Viewer — Suited to a security guard. Only assigned live camera
feeds. It cannot view previous recordings, and therefore cannot
receive snapshot notifications. It can change its own password,
but otherwise cannot change the FortiRecorder NVR or camera
configuration.
This option does not appear for the admin administrator account,
which by definition is always an administrator.
User profile
If you are creating an operator or viewer account, you can specify
which group of camera video feeds and recordings the account will be
able to access and when the user can access them. If no user profile
is specified, then the user can access all of the cameras all the
time.
Access profile
If you are creating an administrator account, you can specify an
access profile to grant the account certain access privileges.
To configure an access profile, go to System > Administrator > Access
Profile.
The administrator account can have read-only, read-write, or no
access rights to the following administrative categories:
• System Access — Controls settings critical to network
accessibility of FortiRecorder
• System Status page
• GUI console
• Network
• Administrator
• Authentication and certificates
• System — Controls other system settings
• Time
• Remote storage
• Log settings
• Alert email
• Camera Config — Controls camera installation and configuration
• Camera View — Monitor page with video, timeline and camera
control
• Other — Everything else
Authentication
Select one of:
• Local — Authenticate using an account whose name, password,
and other settings are stored locally, in the FortiRecorder NVR’s
configuration.
• RADIUS — Authenticate by querying the remote RADIUS server
that stores the account’s name and password. Also configure
RADIUS profile and Check permission attribute on RADIUS server.
• RADIUS+Local — Authenticate either by querying the remote
RADIUS server that stores the account’s name and password, or
by querying the accounts stored locally, in the FortiRecorder
appliance’s configuration. Also configure RADIUS profile and
Check permission attribute on RADIUS server.
• LDAP — Authenticate by querying a remote LDAP server that
stores the account’s name and password. Also configure LDAP
profile.
RADIUS profile
Select a RADIUS authentication profile that defines the RADIUS
connection settings. See “To configure a RADIUS query”.
This field appears only when Authentication is RADIUS or
RADIUS+Local.
Caution: Secure your authentication server and, if possible, all query
traffic to it. Compromise of the authentication server could allow
attackers to gain administrative access to your FortiRecorder
appliance.
Check permission attribute on RADIUS server
Enable to let the RADIUS server override Type when it replies to
authentication queries, so that the RADIUS server can specify the
account’s permissions. Also configure Vendor ID and Subtype ID.
This option requires that:
• Your RADIUS server must support vendor-specific attributes
(VSAs) similar to RFC 2548. (If your server does not support them,
it may reply with an “attribute not supported” error.)
• Your RADIUS server’s dictionary must have:
• a vendor ID for Fortinet/FortiRecorder
• an attribute ID for user types (“access profile” names)
• Each FortiRecorder account on your RADIUS server must have a
user type attribute with a value that specifies which Type to apply.
e.g.
Fortinet-Access-Profile = Administrator
or
Fortinet-Access-Profile = Operator
Some RADIUS servers already include the Fortinet vendor ID and
subtype ID in their default dictionaries. In this case, no server-side
configuration is necessary. Otherwise, you must configure your server.
Methods vary by vendor — FreeRADIUS and Internet Authentication
Services for Microsoft Windows 2008 Server, for example, are
configured differently. For instructions, consult your RADIUS server’s documentation. For
an example VSA dictionary, see the article FortiGate RADIUS VSA
Dictionary.
This field appears only when Authentication is RADIUS or
RADIUS+Local.
Vendor ID
Type the vendor ID for Fortinet, as it is defined on your RADIUS server,
in decimal. On many RADIUS servers, Fortinet’s default vendor ID is
12356.
The vendor ID is an ID for the Fortinet client types. It should be
present in Access-Request packets from FortiRecorder, telling your
RADIUS server which settings are supported by accounts on
FortiRecorder. It should also be present when the RADIUS server
replies with an Access-Accept packet.
The default value is 0.
Subtype ID
Type the subtype ID for account permissions as it is defined on your
RADIUS server. On many RADIUS servers, Fortinet’s default subtype
ID for access profiles is 6.
The subtype ID is an ID for the user type (permissions) attribute. It
should be, but is not required to be, present in Access-Accept reply
packets from your RADIUS server to FortiRecorder.
Packets from your RADIUS server should use this attribute’s value to
refer to the name of a Type (e.g. Administrator) on FortiRecorder. If the
packet does not have this attribute-value pair, FortiRecorder will use
whichever permissions you defined locally for the account in Type. If
the packet does not contain the attribute-value pair and you have not
configured Type, when the person attempts to authenticate, even if
successfully authenticated, authorization will be null, and he or she
will receive a “permission denied” error message:
you do not have rights to view this page
The default value is 0.
LDAP profile
Select an LDAP authentication profile that defines the connection
settings. See “To configure an LDAP query”.
Caution: Secure your authentication server and, if possible, all query
traffic to it. Compromise of the authentication server could allow
attackers to gain administrative access to your FortiRecorder
appliance.
Theme
Select this administrator account’s preference for the initial web UI
color scheme or click Use Current to choose the theme currently in
effect for your own web UI session.
The administrator may switch the theme at any time after he or she
logs in by clicking Next Theme in the top right corner.
4. Click Create.
The account should now be able to log in.
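The Trusted hosts caution above can be checked across all accounts at once. The following is an added example, not FortiRecorder code: the function name and the sample account list are constructed, with only 172.168.1.50/32 and 0.0.0.0/0 taken from the guide.

```python
import ipaddress

MAX_AREAS = 10  # the guide allows up to 10 trusted network areas per account


def audit_trusted_hosts(accounts):
    """Return {account: [findings]}; the key "*" holds appliance-wide findings.

    accounts maps an account name to the entries typed into its Trusted hosts
    field, each in "IP address/netmask" form.
    """
    findings = {}
    unrestricted = set()
    for name, entries in accounts.items():
        notes = []
        if not entries:
            notes.append("no entries recorded; check the effective value on the appliance")
        if len(entries) > MAX_AREAS:
            notes.append(f"{len(entries)} entries, limit is {MAX_AREAS}")
        for entry in entries:
            try:
                # strict=False accepts an address with host bits set, e.g. 192.0.2.10/24
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                notes.append(f"{entry}: not a valid IP address/netmask")
                continue
            if net.prefixlen == 0:
                unrestricted.add(name)
                notes.append(f"{entry}: login attempts allowed from any address")
            elif net.num_addresses > 1:
                notes.append(f"{entry}: covers {net.num_addresses} addresses, not a single host")
            if ipaddress.ip_interface(entry).ip != net.network_address:
                notes.append(f"{entry}: host bits set, effective range is {net}")
        if notes:
            findings[name] = notes
    if unrestricted:
        # One unrestricted account is enough: the appliance must accept the login
        # attempt before it can look up that user name's trusted hosts list.
        findings["*"] = [
            "unrestricted account(s) " + ", ".join(sorted(unrestricted))
            + ": every account remains exposed to brute force login attempts"
        ]
    return findings


# Constructed sample configuration.
SAMPLE_ACCOUNTS = {
    "admin": ["172.168.1.50/32"],
    "guard": ["0.0.0.0/0"],
    "office": ["192.0.2.10/24", "198.51.100.7/255.255.255.255"],
    "it": ["10.1.1.300/32"],
}

if __name__ == "__main__":
    for account, notes in audit_trusted_hosts(SAMPLE_ACCOUNTS).items():
        for note in notes:
            print(f"{account}: {note}")
```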
Configuring LDAP authentication
FortiRecorder supports LDAP user authentication. You will use the LDAP authentication profiles
when you add user accounts.
To configure an LDAP query
1. Go to System > Authentication > LDAP.
2. Click New.
A dialog appears.
3. Configure these settings:
Setting name
Description
Profile name
Type a name (such as LDAP-query) that can be referenced by other
parts of the configuration. Do not use spaces or special characters.
The maximum length is 35 characters.
Server name/IP
Type the fully qualified domain name (FQDN) or IP address of the
LDAP or Active Directory server that will be queried when an account
referencing this profile attempts to authenticate.
Fallback server name/IP
Type the fully qualified domain name (FQDN) or IP address of a
secondary LDAP or Active Directory server, if any, that can be queried
if the primary server fails to respond according to the threshold
configured in “Timeout”.
Port
Type the port number on which the authentication server listens for
queries.
The IANA standard port number for LDAP is 389. LDAPS
(SSL/TLS-secured LDAP) is 636.
Use secure connection
If your directory server uses SSL to encrypt query connections, select
SSL then upload the certificate of the CA that signed the LDAP
server’s certificate (see “Uploading trusted CAs’ certificates”).
Allow unauthenticated bind
Enable to perform the query without authenticating.
Disable to authenticate when querying. Also configure Bind DN, Bind
password, and User Authentication Options.
Many LDAP servers require LDAP queries to be authenticated
(“bound”) by supplying a bind DN and password to determine the
scope of permissions for the directory search. However, if your LDAP
server does not require binding, you can enable this option to improve
performance.
4. If your directory does not use OpenLDAP’s default schema, or if you need to configure a
query string, query cache, LDAP protocol version, or how the query will be authenticated
(the bind DN), click the arrows to expand User Query Options, User Authentication Options,
and Advanced Options, then configure:
Setting name
Description
Schema
If your LDAP directory’s user objects use one of these common
schema styles:
• InetOrgPerson
• InetLocalMailRecipient
• Active Directory
• Lotus Domino
select the schema style. This automatically configures the query string
to match that schema style.
Otherwise, select User Defined, then manually configure the query
string in LDAP user query.
Base DN
Enter the distinguished name (DN) of the part of the LDAP directory
tree within which FortiRecorder will search for user objects, such as
ou=People,dc=example,dc=com.
User objects should be child nodes of this location.
Bind DN
Enter the bind DN, such as
cn=FortiRecorderA,dc=example,dc=com, of an LDAP user
account with permissions to query the Base DN.
Leave this field blank if you have enabled Allow unauthenticated bind.
Bind password
Enter the password of the Bind DN.
Click Browse to locate the LDAP directory from the location that you
specified in Base DN, or, if you have not yet entered a Base DN,
beginning from the root of the LDAP directory tree.
Browsing the LDAP tree can be useful if you need to locate your Base
DN, or need to look up attribute names. For example, if the Base DN is
unknown, browsing can help you to locate it.
Before using, first configure Server name/IP, Use secure connection,
Bind DN, Bind password, and , then click Create or OK. These fields
provide minimum information required to establish the directory
browsing connection.
LDAP user query
Enter an LDAP query filter that selects a set of user objects from the
LDAP directory.
The query string filters the result set, and should be based upon any
attributes that are common to all user objects but also exclude
non-user objects.
For example, if user objects in your directory have two distinguishing
characteristics, their objectClass and mail attributes, the query
filter might be:
(& (objectClass=inetOrgPerson) (mail=$m))
where $m is the FortiRecorder variable for a user's email address.
This option is preconfigured and read-only if you have selected from
Schema any schema style other than User Defined.
For details on query syntax, refer to any standard LDAP query filter
reference manual.
Scope
Select which level of depth to query, starting from Base DN.
• One level — Query only the one level directly below the Base DN
in the LDAP directory tree.
• Subtree — Query recursively all levels below the Base DN in the
LDAP directory tree.
Derefer
Select when, if ever, to dereference attributes whose values are
references.
• Never — Do not dereference.
• Always — Always dereference.
• Search — Dereference only when searching.
• Find — Dereference only when finding the base search object.
User Authentication Options
Select how, if the query requires authentication, the FortiRecorder
appliance will form the bind DN. The default setting is the third option:
Search user and try bind DN.
• Try UPN or email address as bind DN — Select to form the user’s
bind DN by prepending the user name portion of the email address
($u) to the User Principal Name (UPN, such as example.com).
By default, the FortiRecorder appliance will use the mail domain as
the UPN. If you want to use a UPN other than the mail domain,
enter that UPN in the field named Alternative UPN suffix. This can
be useful if users authenticate with a domain other than the mail
server’s principal domain name.
• Try common name with base DN as bind DN — Select to form
the user’s bind DN by prepending a common name to the base
DN. Also enter the name of the user objects’ common name
attribute, such as cn or uid into the field.
• Search user and try bind DN — Select to form the user’s bind DN
by using the DN retrieved for that user by User Query Options.
User Type Attribute
Select this option to define the user’s type.
User Profile Attribute
Select this option to define the user’s profile.
Access Profile Attribute
The access profile attribute can only be set if the user is an
administrator.
Valid entries for this field are: admin, operator, and viewer.
The entry for this field must match the profile name configured in
FortiRecorder.
Selecting this option will set the administrator user’s access profile.
The entry for this field must match the name of an access profile
configured in FortiRecorder.
Notification Options
Select the “Allow notification attributes” option to enable notifications.
FortiRecorder supports the following notifications:
• Email attribute: This attribute specifies the user’s email address
for notifications.
• SMS profile attribute: This attribute specifies which SMS profile
the user will use. The SMS profile attribute must match the name
of the profile configured in FortiRecorder.
• SMS number attribute: This attribute specifies the user’s SMS
number for notification. The number format must be the same as
the number in the user entry settings.
• Method attribute: This attribute specifies the method used to
notify a user. The two valid entries are “email” and “sms”.
• Embedded email images attribute: This attribute specifies
whether images are included in email messages to the user. The
two valid entries are “yes” and “no”.
Timeout
Type the number of seconds that the FortiRecorder appliance will wait
for a reply to the query before assuming that the primary LDAP server
has failed, and will therefore query the secondary LDAP server.
The default value is 20.
Protocol version
Select the LDAP protocol version (either 2 or 3) used by the LDAP server.
Enable cache
Enable to cache LDAP query results.
Caching LDAP queries can introduce a delay between when you
update LDAP directory information and when the FortiRecorder
appliance begins using that new information, but also has the benefit
of reducing the amount of LDAP network traffic associated with
frequent queries for information that does not change frequently.
If this option is enabled but queries are not being cached, inspect the
value of TTL. Entering a TTL value of 0 effectively disables caching.
TTL
Enter the amount of time, in minutes, that the FortiRecorder unit will
cache query results. After the TTL has elapsed, cached results expire,
and any subsequent request for that information causes the
FortiRecorder appliance to query the LDAP server, refreshing the
cache.
The default TTL value is 1440 minutes (one day). The maximum value
is 10080 minutes (one week). Entering a value of 0 effectively disables
caching.
This option is applicable only if Enable cache is enabled.
5. Click Create.
6. To test the query, configure an account where this profile is used (“To configure an account”),
then attempt to authenticate using that account’s credentials.
Alternatively, click the row to select the query, click Edit, then click Test LDAP Query. From
the Select query type drop-down list, choose Authentication, then complete the Password
and Mail address fields that appear. Click Test. After a few seconds, a dialog should appear
to let you know that either the query succeeded, or the reason for its failure, such as a
connectivity error.
Configuring RADIUS authentication
In addition to local user authentication, FortiRecorder supports RADIUS user authentication. You will use the
RADIUS authentication profiles when you add user accounts.
To configure a RADIUS query
1. Go to System > Authentication > RADIUS.
2. Click New.
A dialog appears.
3. Configure these settings:
Setting name
Description
Profile name
Type a name (such as RADIUS-query) that can be referenced by
other parts of the configuration. Do not use spaces or special
characters. The maximum length is 35 characters.
Server name/IP
Type the fully qualified domain name (FQDN) or IP address of the
RADIUS server that will be queried when an account referencing this
profile attempts to authenticate.
Server port
Type the port number on which the authentication server listens for
queries.
The IANA standard port number for RADIUS is 1812.
Protocol
Select which authentication method is used by the RADIUS server:
• Password Authentication
• Challenge Handshake Authentication (CHAP)
• Microsoft Challenge Handshake Authentication (CHAP)
• Microsoft Challenge Handshake Authentication V2 (CHAP
version 2)
• Default Authentication Scheme
NAS IP/Called station ID
Type the NAS IP address or Called Station ID (for more information
about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific
RADIUS Attributes). If you do not enter an IP address, the IP address
of the FortiRecorder network interface used to communicate with the
RADIUS server will be applied.
Server secret
Type the secret required by the RADIUS server. It must be the same as
the secret that is configured on the RADIUS server.
Server requires domain
Enable if the authentication server requires that users authenticate
using their full email address (such as user1@example.com) and not
just the user name (such as user1).
4. Click OK.
To test the query, select this profile when configuring an account (“To configure an account”),
then attempt to authenticate using that account’s credentials.
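The Check permission attribute on RADIUS server, Vendor ID and Subtype ID settings described under “Configuring user accounts” depend on a vendor-specific attribute in the Access-Accept reply. The following added example (not FortiRecorder code) parses that attribute in the RFC 2865 layout and applies the fallback rule the guide describes; the function names and the sample packets are constructed, and the zeroed authenticator is not verified here.

```python
import struct

ACCESS_ACCEPT = 2      # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26   # RADIUS attribute type for VSAs (RFC 2865)


def build_vsa(vendor_id, subtype, value):
    """Encode one Vendor-Specific attribute holding a single sub-attribute."""
    data = value.encode()
    sub = bytes([subtype, len(data) + 2]) + data
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def build_access_accept(attributes, identifier=1):
    """Constructed Access-Accept: 20-byte header (zeroed authenticator) + attributes."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    return header + bytes(16) + attributes


def vsa_values(packet, vendor_id, subtype):
    """Return the string values of every matching vendor sub-attribute."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Accept")
    values, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            (vid,) = struct.unpack("!I", packet[pos + 2:pos + 6])
            sub = packet[pos + 6:pos + alen]
            spos = 0
            while vid == vendor_id and spos + 2 <= len(sub):
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2 or spos + slen > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                if stype == subtype:
                    values.append(sub[spos + 2:spos + slen].decode("utf-8", "replace"))
                spos += slen
        pos += alen
    return values


def effective_type(packet, vendor_id, subtype, local_type):
    """Type from the reply if present, else the locally configured Type, else None.

    None corresponds to the guide's case of successful authentication with null
    authorization ("you do not have rights to view this page").
    """
    values = vsa_values(packet, vendor_id, subtype)
    return values[0] if values else (local_type or None)


# Constructed replies: Reply-Message (type 18) followed by the Fortinet VSA, and one without it.
WITH_VSA = build_access_accept(bytes([18, 4]) + b"ok" + build_vsa(12356, 6, "Operator"))
WITHOUT_VSA = build_access_accept(bytes([18, 4]) + b"ok")

if __name__ == "__main__":
    print(effective_type(WITH_VSA, 12356, 6, "Administrator"))
    print(effective_type(WITHOUT_VSA, 12356, 6, "Viewer"))
    print(effective_type(WITHOUT_VSA, 12356, 6, None))
```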
See also
• NVR configuration
• Connectivity issues
• Login issues
Notifications
When a significant event happens, such as motion-triggered video recording or the hard disk
being full, your FortiRecorder NVR can notify you, either by email or SMS messages.
Notification configuration workflow
To configure the notifications, follow these steps:
1. Configure the SMTP mail server settings so that FortiRecorder can send out notification
email. See “Configuring FortiRecorder to send notification email”.
2. Configure the SMS server settings so that FortiRecorder can send out SMS messages. See
“Configuring FortiRecorder to send SMS messages”.
3. Configure the camera settings about what, when and to whom the notifications should be
sent. See “Configuring cameras to send notifications”.
4. Monitor the record of notification events by going to Monitor > Camera Notifications >
Notification Events.
Configuring FortiRecorder to send notification email
For FortiRecorder to send email, you must specify an SMTP server to use.
1. Go to System > Configuration > Mail Server Settings.
2. Configure these settings:
Setting name
Description
Host name
Type the host name for the appliance. By default, it uses its serial
number.
The host name can be up to 35 characters in length. It can include
US-ASCII letters, numbers, hyphens, and underscores, but not
spaces and special characters.
The host name of the FortiRecorder appliance is used in multiple
places.
• It is used in the command prompt of the CLI.
• It is used as the SNMP system name. For information about
SNMP, see “SNMP traps & queries”.
The get system status CLI command displays the full host
name. If the host name is longer than 16 characters, the name
may be truncated elsewhere and end with a tilde ( ~ ) to indicate
that additional characters exist, but are not displayed.
For example, if the host name is FortiRecorder1234567890, the
CLI prompt would be:
FortiRecorder123~#
Mail server name
Type the fully-qualified domain name (FQDN) of your SMTP
server, such as mail.example.com.
If you do not have your own email server, this is often the name of
your ISP’s SMTP relay, or a 3rd-party email server such as Yahoo!
or Gmail.
Ensure that the DNS settings are configured. See “Configuring the
network settings”.
Mail server port
Type the port number on which your email server or SMTP relay
listens for connections from clients.
The default varies by whether you enable Use SMTPS: disabled, it
is port 25; enabled, it is port 465.
Use SMTPS
Enable to initiate SSL- and TLS-secured connections to the email
server if it supports SSL/TLS.
When disabled, SMTP connections from the FortiRecorder
appliance’s built-in email client to the SMTP server will occur as
clear text, unencrypted.
This option must be enabled to initiate SMTPS-secured
connections.
3. If the email server requires SMTP authentication (i.e. it uses the SMTP AUTH command), also
enable Authentication Required, then configure these settings:
Setting name
Description
User name
Type the name of the account, such as jdoe or
fortirecorder@example.com, that FortiRecorder will use to
log in to the SMTP server.
Password
Type the password for the account on the SMTP server.
Authentication type
Select one of the following authentication methods:
• AUTO — Automatically detect and use the most secure SMTP
authentication type supported by the email server.
• PLAIN — Provides an unencrypted, scrambled password.
• LOGIN — Provides an unencrypted, scrambled password.
• DIGEST-MD5 — Provides an encrypted MD5 hash of the
password.
• CRAM-MD5 — Provides an encrypted MD5 hash of the
password, with hash replay prevention, combined with a
challenge and response mechanism.
4. If you want to customize the FortiRecorder’s sender email address so that, for example,
replies are sent to the network administrators rather than the appliance, then configure these
settings:
Setting name
Description
Sender display name
Type the display name, such as Surveillance System, that
will be displayed in the From field or column by email clients such
as Outlook and Thunderbird. Leaving this setting empty will cause
FortiRecorder to use the default value, postmaster.
Sender address
Type the sender email address (From:), such as
donotreply@example.com, that will appear in the SMTP
header. Leaving this setting empty will cause FortiRecorder to use
the default value, postmaster@example.com.
Unlike the display name, depending on the client and its settings,
this may not be visible.
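What the PLAIN, LOGIN and CRAM-MD5 authentication types place on the wire, as an added example (not FortiRecorder code) built from RFC 4616 and RFC 2195. It shows why Use SMTPS matters when PLAIN or LOGIN is selected: both only base64-encode the password. The account name comes from the guide; the password, challenge and function names are constructed.

```python
import base64
import hashlib
import hmac


def auth_plain(user, password):
    """RFC 4616 PLAIN: base64 of NUL + user name + NUL + password."""
    raw = b"\0" + user.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def auth_login(user, password):
    """LOGIN: user name and password sent as two separate base64 strings."""
    return [base64.b64encode(part.encode()).decode("ascii") for part in (user, password)]


def auth_cram_md5(user, password, challenge_b64):
    """RFC 2195 CRAM-MD5: HMAC-MD5 of the server's challenge, keyed by the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode("ascii")


def password_visible(tokens, password):
    """True if any base64 token the client sends decodes to bytes containing the password."""
    return any(password.encode() in base64.b64decode(token) for token in tokens)


def compare_mechanisms(user, password, challenge_b64):
    """Map each mechanism to whether the password is recoverable from its tokens alone."""
    return {
        "PLAIN": password_visible([auth_plain(user, password)], password),
        "LOGIN": password_visible(auth_login(user, password), password),
        "CRAM-MD5": password_visible([auth_cram_md5(user, password, challenge_b64)], password),
    }


# Constructed sample values.
SAMPLE_USER = "fortirecorder@example.com"
SAMPLE_PASSWORD = "Constructed-Pass1"
SAMPLE_CHALLENGE = base64.b64encode(b"<12345.1427700000@mail.example.com>").decode("ascii")

if __name__ == "__main__":
    for mechanism, exposed in compare_mechanisms(
            SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_CHALLENGE).items():
        print(f"{mechanism}: password recoverable from captured traffic = {exposed}")
```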
Configuring FortiRecorder to send SMS messages
For FortiRecorder to send SMS messages, you must specify the SMS service providers.
1. Go to System > Configuration > SMS.
2. Configure the following:
Setting name
Description
Service provider
Enter the SMS service provider name.
Description
Enter a short description of the provider.
Type
Select an SMS type: either SMTP or HTTP.
For SMTP, enter the Email to, Email subject, and Email body
information.
You can use the following tags when filling in the fields:
• {{:country_code}} represents the country code portion of the
SMS number field in the user's configuration.
• {{:mobile_number}} represents the phone number portion of
the SMS number field in the user's configuration.
• {{:message}} represents the text of the message.
For HTTP, enter the following information:
• HTTP URL: the HTTP or HTTPS URL to contact to send SMS
messages (for example, https://myprovider.com/sendsms).
• HTTP method: either Get or Post.
• HTTP/S Parameters: configure all the parameters and values
required by the provider to send the SMS message. You can
use the same tags that were available above for SMTP. If you
select the Encrypt check-box in a parameter then the value will
not be displayed in clear-text when viewing the configuration.
The value will be sent as entered to the remote server which is
why using HTTPS is recommended.
For example, if your provider indicates that to send a message
the syntax should look like the following:
https://smsserver.com:8080/sendsms?api_id=1234&user=user&to=<phone_number>&text=<message>&password=<passwd>
Then the settings might be:
HTTP URL: https://smsserver.com:8080/sendsms
HTTP Method: Get
Parameters:
api_id id
user user
to {{:country_code}}{{:mobile_number}}
text {{:message}}
password password (the encrypt checkbox should be
selected so this will not show in clear-text when viewing the
configuration)
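The HTTP settings above, worked through as an added example (this is not FortiRecorder code). It expands the tags into the request a provider would receive and flags the two settings that expose the provider password; the recipient values, the function names and the use of ordinary URL encoding are assumptions.

```python
import re
from urllib.parse import urlencode, urlsplit

TAG = re.compile(r"\{\{:(\w+)\}\}")

# Provider settings copied from the guide's example; the third field marks
# parameters that have the Encrypt check box selected.
URL = "https://smsserver.com:8080/sendsms"
PARAMS = [
    ("api_id", "id", False),
    ("user", "user", False),
    ("to", "{{:country_code}}{{:mobile_number}}", False),
    ("text", "{{:message}}", False),
    ("password", "password", True),
]

# Constructed sample recipient and alert text (not from the guide).
SAMPLE = {"country_code": "1", "mobile_number": "5555550100",
          "message": "Motion detected: Lobby & Door 2"}


def expand(template, values):
    """Substitute {{:tag}} placeholders; an unknown tag is an error, not an empty string."""
    def repl(match):
        tag = match.group(1)
        if tag not in values:
            raise KeyError("unknown tag {{:%s}}" % tag)
        return values[tag]
    return TAG.sub(repl, template)


def build_request(url, method, params, values):
    """Return (method, url, body), assuming ordinary URL/form encoding of each value."""
    pairs = [(name, expand(tmpl, values)) for name, tmpl, _ in params]
    encoded = urlencode(pairs)
    if method.lower() == "get":
        return "GET", url + "?" + encoded, None
    return "POST", url, encoded


def review(url, method, params):
    """Flag settings that expose the provider secret in transit or in URL logs."""
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        # Every value, including the password, crosses the network in clear text.
        findings.append("not-https")
    if method.lower() == "get" and any(secret for _, _, secret in params):
        # Query strings are commonly written to server and proxy access logs.
        findings.append("secret-in-query-string")
    return findings


if __name__ == "__main__":
    print(build_request(URL, "Get", PARAMS, SAMPLE)[1])
    print(review(URL, "Get", PARAMS))
```

The Encrypt check box only hides the value in the configuration view; with the Get method the password is still part of the URL that is sent, so Post over HTTPS is the safer choice when the provider supports it.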
Configuring cameras to send notifications
After you have set up the SMTP server and SMS service provider, you can configure the
detailed notification settings, such as when and how the notifications should be sent.
1. Go to Camera > Notification > Camera Notification.
2. Click New.
3. Configure the following settings and then click Create.
Setting name
Description
Name
Enter a name for the notification entry.
Description
Optionally enter a descriptive comment.
Enable
Select to enable this notification entry.
Trigger event
Currently, a motion event is the only available trigger.
Trigger number
Specify how many times the motion event should happen before
the notification is sent out.
Trigger period
Specify the period in which these motion events occur.
Message method
Select how the notification should be sent out: either Email or
SMS. At least one method should be selected.
Notification Period
Specify when notifications should be sent out.
Select Camera
Specify which camera’s motion events should trigger notifications.
Select User
Specify which user should be notified.
4. To verify email connectivity, from FortiRecorder, trigger an alert event that matches the type
and severity levels that you have chosen. Then, check your email.
If you do not receive an alert email within a few minutes, verify that you have configured an
email address for the account. Next, verify the FortiRecorder NVR’s static routes (see
“Configuring the network settings”) and the policies on any firewalls or routers between the
appliance and the SMTP relay. (They must allow SMTP traffic from the FortiRecorder
network interface that is connected to the gateway between it and the email server.) To
determine the point of connectivity failure along the network path, if the SMTP server is
configured to respond to ICMP ECHO_REQUEST (ping), go to Monitor > System Status >
Console and enter the CLI command:
execute traceroute <syslog_ipv4>
where <syslog_ipv4> is the IPv4 address of your email server.
If that connectivity succeeds, verify that your alert email has not been classified as spam by
checking your junk mail folder.
To prevent classification as spam, it usually helps to add the FortiRecorder NVR’s email address
to your address book.
See also
• Connectivity issues
Video monitoring
To get the most value out of your FortiRecorder system, use it to monitor your property — not
just to analyze after-the-fact. Your FortiRecorder NVR has a variety of monitoring tools for the
appliance itself, but administrators can also view the live video feeds from cameras.
You can use the tools in this section to monitor your FortiRecorder NVR and surveillance
cameras.
Watching live video feeds
Once the cameras are connected and configured, administrators can use the web UI to view
live video feeds from the cameras.
Administrators will use the surveillance system slightly differently than other users (“operators”
or “viewers”) such as security guards. Operators and viewers should use the instructions found
in the FortiRecorder Operator/Viewer Guide.
Quality of live video feeds may be different for administrators than it is for operator or viewer
accounts, which use the camera’s Viewing Stream profile setting.
To view live video from your cameras as an administrator
1. Go to Monitor > Video Monitor.
Buffering (a blue “Q” appears, with an oscillating dotted line underneath) may take a few
seconds, depending on the network, the Resolution of the camera, and your computer.
When buffering is done, the current live video feed should appear.
[Figure: video viewer showing the panel expansion arrows and the live video feed]
2. There are very thin arrows at the bottom and (for administrators) right of the video viewer
frame. If you are an administrator, click the arrow on the right to expand the image
adjustment control panels.
3. If you logged in as an administrator, on the right pane, in the Selection area, choose which
cameras you want to view.
4. If you logged in using a non-administrator account, your cameras have already been
selected for you. If they are not correct, ask an administrator to reconfigure your account.
See also
• Watching recorded video clips
Watching recorded video clips
In addition to live video feeds, you can also watch the recorded video clips, which include the
scheduled recording, motion detection recording, and manual recording.
[Figure: recorded video view showing the time line panel, color-coded video clips, and the camera image selection & image adjustment panel]
Time periods in the time line panel are color-coded:
• Yellow — A system event such as a software update, system reboot, or camera reboot.
Recordings cannot be stored while FortiRecorder is unavailable.
• Light blue — The lightest blue denotes previously recorded clips, the darker blue
denotes temporary recording (see descriptions below), the darkest blue denotes
manually initiated recording. If a camera is not currently recording a continuous or motion
detection-triggered video, operators can manually trigger the camera to record video
using the Control pane.
• Bright blue — A bright blue tag over a video clip represents
recording with an attached annotation/marker. While a camera is recording, you can
insert markers with notes about what is currently being seen. If the camera is not
recording, after you enter the marker and click Insert Marker, the camera will start to
record.
• Red — A motion detection-based recording that was not initiated by schedule.
• A white/blank space means there is no recording at that period of time.
About temporary recording
If the camera is not scheduled to record, but you are watching live feed from the camera, the
video feed from the camera will be temporarily recorded in memory but not saved on the hard
drive. When you stop watching the live feed from that camera, the temporary recording will be
deleted. However, if you initiate manual recording while watching the live feed from the camera,
the temporary recording will be saved on the hard drive.
To watch the recorded video
1. Go to Monitor > Video Monitor. The recorded video clips are in the Event Monitor area and
the video clips for each camera appear as a time line.
2. By default, the time frame is minimized. To easily select a video clip, use the scroll wheel on
your mouse to zoom in on a time frame. Ensure that the mouse cursor is centered in the area
that you want to zoom in on. See the following pictures:
Figure 1: Time line zoomed out
Figure 2: Time line zoomed in
Preview frames
After zooming in, double-click the enlarged segment to view the clip
3. After you select the segment (if it is a motion-detection clip, a few key frames will appear for
preview purpose), you can do the following:
• Click the Show button to view the clip.
• Click the Download button to download the clip for archival or viewing on another
computer. If your cameras have recorded a crime or other incident, you may need to
provide the video clip to the police or other authorities. Your FortiRecorder NVR uses the
.mp4 file format with the H.264 video codec, which can be viewed on Windows, Mac OS
X, Linux, and other platforms using QuickTime, VLC or other compatible players. All
video files are signed with an RSA 2048-bit signature to provide tamper protection. This
applies to files stored locally, remotely, and downloaded. Quality of previously recorded
video depends on the camera’s Recording Stream profile setting.
• Click the Lock button to lock the clip so that the operators and viewers will not be able to
view it.
4. To scroll through the time line, use your mouse to click and drag.
5. To set the time span of the time line, from Start date, select the beginning date of the
recording, then from the interval drop-down menu to the right, select the interval of each
segment of the time line in minutes.
6. To manually control the camera to pause or start recording, in the pane on the right side,
click the Control bar to expand it, then click the buttons to pause or record.
You can’t stop a scheduled continuous or motion detection-based recording schedule. You can
only start/stop manual recording. See also “Configuring recording schedules”.
7. To adjust the image quality, in the pane on the right side, click the Control bar to expand it,
then click the + or - buttons to adjust Brightness, Contrast, Saturation, and Sharpness. Only
administrators can use these controls, to prevent operators from accidentally or maliciously
blacking-out the view.
Set these settings with care. After video is recorded, it won’t be possible to adjust the image
quality again unless you download the file and use video editing software. Video editing
software may not be able to successfully correct for excessively bad image quality.
8. To add a note to the video (e.g. “Suspicious light”), in the pane on the right side, click the
Control bar to expand it, type your note in the text area, then click the Insert Marker button.
A bright blue marker will appear on the clip and the added note will appear as mouseover
text. Note that you must zoom in to see the marker. Otherwise it is very small on the time
line. See the following picture.
Figure 3: Inserted marker
Inserted text marker in bright blue
See also
• Watching live video feeds
Reviewing motion detection notifications
If you have configured camera-based notifications (see “Notifications”), accounts configured to
be notified can log in to the web UI in order to review the video clips. If you have configured
email settings, these accounts will also receive an email when a camera-based event occurs.
Notifications contain snapshot images from the video clip of the detected motion or, depending
on your configuration, a link directly to the video clip. In this way, recipients can quickly assess
whether or not the event is serious, or just a false alarm.
Occasionally, as an administrator, you may be required to review these notifications
if, for example, the usual recipient is on vacation. You can do this from the web UI, without
logging in to a separate operator account. Alternatively, you can add yourself to the list of
people that will receive a notification via email (see “Notifications”).
To review camera-based notifications
1. Go to Monitor > Camera Notifications > Notification Events.
2. From Select recipient, select either All (any recipient) or the name of an account that should
have received the notification.
The list of notifications will be filtered by the recipient criteria. Only matching notifications will
appear.
3. In the Message column, click the link to view the corresponding notification.
A pop-up window displays the notification that was included in the email body, if any. The
notification includes some images that are key frames from the motion detection video clip.
4. To view a video clip from the notification, click its key frame image.
The notification window will be replaced with a video clip player.
Video management
If you need to store video for longer periods of time, you can extend your FortiRecorder
appliance’s built-in storage.
Local storage
Initially, your FortiRecorder appliance will store video data on its internal hard drive. By default, it
will continue to do so, regardless of the video clip’s age, until all available space is consumed.
By storing files locally first, your FortiRecorder appliance’s system resources are not
continuously consumed by transferring video that may not be needed, nor by transferring them
while it is recording (which is itself bandwidth-intensive). But on a per-camera basis, you can
configure your FortiRecorder appliance to either delete old videos, or to move older videos to an
external location.
Remote storage
To safeguard your surveillance video in the event that your FortiRecorder appliance is destroyed
by fire, flood, intrusion, or other event that it is recording, configure your FortiRecorder
appliance to store its video at a remote location such as a branch office or cloud storage
provider.
It is recommended to connect the remote storage devices on a different interface than the
cameras.
To configure remote storage
1. Go to System > Configuration > Remote Storage.
2. Mark the Enabled check box.
3. Configure these settings:
Setting name
Description
Protocol
Select one of the following types of storage media:
• iSCSI Server — An iSCSI (Internet Small Computer
System Interface) server.
• NFS — A network file system (NFS) server.
Note: Support for NFS varies. Many Linux-based NAS
solutions have been tested and are supported. Windows
2003 R2 and Windows 2008 Service for NFS are not
supported.
Maximum size
Specify the maximum video file size that is allowed to be
stored on the remote storage device.
You can view the remote storage usage information on the
Status page under Monitor > System Status.
Username
Type the user name of the FortiRecorder’s account on the
server.
Alternatively, if using iSCSI, select Initiator name as username
to authenticate using a name that follows RFC 3721.
Password
Type the password corresponding to the user name.
Hostname/IP Address
Type either the IP address or fully-qualified domain name
(such as nas.example.com) of the server.
Port
Type the port number on which the server listens for
connections.
The default is 2049 for NFS and 3260 for iSCSI.
Directory
Enter the path of the folder on the server, relative to the mount
point or user’s login directory, where the FortiRecorder
appliance will store the data.
This setting appears only if Protocol is NFS.
Note: Do not use special characters such as a tilde ( ~ ). This
will cause the storage to fail.
Encryption Key
Enter the private key that will be used to encrypt data stored
on this location. Valid key lengths are between 6 and 64
single-byte characters.
This setting appears only if Protocol is iSCSI Server.
iSCSI ID
Enter the iSCSI identifier in the format expected by the iSCSI
server, such as an iSCSI Qualified Name (IQN), Extended
Unique Identifier (EUI), or T11 Network Address Authority
(NAA).
This setting appears only if Protocol is iSCSI Server.
4. Click Apply.
If the remote iSCSI device has not been formatted, before you can use it, you must format it
with the following CLI command: execute storage format
5. Go to Camera > Configuration > Camera, then click to select a camera’s row, then click Edit.
6. For Profile, click New or Edit.
7. From Storage Options, select Move. In the After n options that appear, select the age
threshold that will cause FortiRecorder to move the video clips to external storage. Note that
the Move option only appears after you have configured and enabled remote storage.
8. Click Create.
See also
• Camera settings
System monitoring
FortiRecorder provides several methods, such as SNMP traps, system logs, and a real-time
dashboard, for you to monitor the system status and diagnose system problems.
The dashboard
Monitor > System Status > Status appears when you log in to the web UI. It contains a
dashboard with widgets that each indicate a performance level or other system status.
The Sessions tab displays the active TCP/UDP sessions to and from FortiRecorder.
The Console tab allows you to use the CLI commands.
To access the dashboard, you must have an administrator account. Operator accounts do not
have permission. For details, see “User types”.
SNMP traps & queries
You can configure the FortiRecorder appliance’s simple network management protocol (SNMP)
agent to allow queries for system information and to send traps (alarms or event messages) to
the computer that you designate as its SNMP manager. In this way you can use an SNMP
manager to monitor the FortiRecorder appliance.
Before you can use SNMP, you must activate the FortiRecorder appliance’s SNMP agent and
add it as a member of at least one community. You must also enable SNMP access on the
network interface through which the SNMP manager connects. (See “SNMP”.)
On the SNMP manager, you must also verify that the SNMP manager is a member of the
community to which the FortiRecorder appliance belongs, and compile the necessary
Fortinet-proprietary management information blocks (MIBs) and Fortinet-supported standard
MIBs. For information on MIBs, see “MIB support”.
Failure to configure the SNMP manager as a host in a community to which the FortiRecorder
appliance belongs, or to supply it with required MIBs, will make the SNMP monitor unable to
query or receive traps from the FortiRecorder appliance.
To configure the SNMP agent via the web UI
1. Add the MIBs to your SNMP manager so that you will be able to receive traps and perform
queries. For instructions, see the documentation for your SNMP manager.
2. Go to System > Configuration > SNMP.
3. Configure the following:
Setting name
Description
SNMP agent enable
Enable to activate the SNMP agent, so that the FortiRecorder
appliance can send traps for the communities in which you enabled
queries and traps. To receive queries, also enable SNMP access on a network
interface.
For more information on communities, see “Configuring an SNMP
community”.
Description
Type a comment about the FortiRecorder appliance, such as
dont-reboot. The description can be up to 35 characters long,
and can contain only letters (a-z, A-Z), numbers, hyphens ( - ) and
underscores ( _ ).
Location
Type the physical location of the FortiRecorder appliance, such as
floor2. The location can be up to 35 characters long, and can
contain only letters (a-z, A-Z), numbers, hyphens ( - ) and
underscores ( _ ).
Contact
Type the contact information for the administrator or other person
responsible for this FortiRecorder appliance, such as a phone
number (555-5555) or name (jdoe). The contact information can
be up to 35 characters long, and can contain only letters (a-z, A-Z),
numbers, hyphens ( - ) and underscores ( _ ).
4. If you want to use non-default thresholds to trigger SNMP traps such as high CPU usage,
memory (RAM) usage, or disk/partition usage, click the disclosure arrow next to SNMP
Threshold to expand the area, then configure these settings for each trap type:
Setting name
Description
Trigger
Click to edit, then type the percentage that when met or exceeded
will be considered an event.
Threshold
Click to edit, then type the number of events that must be exceeded
during the sample period in order to cause the SNMP trap.
Sample Period (s)
Click to edit, then type the amount of time in seconds during which
the appliance will count the number of trigger-exceeding events. If
the count exceeds the threshold number, the SNMP trap will be
sent.
Note: This must be equal to or greater than Sample Freq (s), so that
one or more samples are taken per time period.
Sample Freq (s)
Click to edit, then type the interval in seconds between
measurements of the trap condition. If the trigger value is exceeded,
this counts as an event. You will not receive traps faster than this
rate, depending on the selected sample period.
Note: This must be equal to or less than Sample Period (s), so that
one or more samples are taken per time period.
5. Click Apply.
6. Create at least one SNMP community to define which hosts are allowed to query, and which
hosts will receive traps. See “Configuring an SNMP community”.
7. If using SNMPv3, see “Configuring SNMP v3 users”.
See also
• Configuring an SNMP community
• Configuring SNMP v3 users
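How Trigger, Threshold, Sample Period (s) and Sample Freq (s) from step 4 combine, as an added example (not Fortinet's code). It assumes back-to-back, non-overlapping sample periods, which the guide does not specify; the function names and CPU readings are constructed.

```python
def samples_per_period(period, freq):
    """Number of measurements taken in one sample period."""
    if period < freq:
        raise ValueError("Sample Period (s) must be >= Sample Freq (s)")
    return period // freq


def can_ever_fire(threshold, period, freq):
    """A trap needs MORE events than Threshold, so the period must hold more samples than that."""
    return samples_per_period(period, freq) > threshold


def trap_times(readings, trigger, threshold, period, freq):
    """Return the times (in seconds) at which a trap would be sent.

    readings: percentages measured every `freq` seconds, oldest first.
    A reading that meets or exceeds `trigger` counts as one event.
    Assumption: periods are evaluated one after another without overlap.
    """
    per_window = samples_per_period(period, freq)
    fired = []
    for start in range(0, len(readings), per_window):
        window = readings[start:start + per_window]
        events = sum(1 for value in window if value >= trigger)
        if events > threshold:
            fired.append((start + len(window)) * freq)
    return fired


# Constructed CPU readings: one measurement every 30 s, two 600 s periods.
FIRST_PERIOD = [50] * 17 + [85, 90, 80]        # 3 events: equals the threshold, no trap
SECOND_PERIOD = [50] * 16 + [95, 95, 81, 80]   # 4 events: exceeds the threshold, trap
READINGS = FIRST_PERIOD + SECOND_PERIOD

if __name__ == "__main__":
    print(trap_times(READINGS, trigger=80, threshold=3, period=600, freq=30))
    print(can_ever_fire(threshold=20, period=600, freq=30))
```

Under this model a Threshold that is equal to or larger than the number of samples per period silently disables the trap, which is worth checking whenever you raise Sample Freq (s) or shorten Sample Period (s).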
Configuring an SNMP community
An SNMP community is a grouping of equipment for network administration purposes. You
must configure your FortiRecorder appliance to belong to at least one SNMP community so that
community’s SNMP managers can query the FortiRecorder appliance’s system information and
receive SNMP traps from the FortiRecorder appliance.
On FortiRecorder, SNMP communities are also where you enable the traps that will be sent to
that group of hosts.
You can add up to three SNMP communities. Each community can have a different
configuration for queries and traps, and the set of events that trigger a trap. You can also add
the IP addresses of up to 8 SNMP managers to each community to designate the destination of
traps and which IP addresses are permitted to query the FortiRecorder appliance.
To add an SNMP community via the web UI
1. Go to System > Configuration > SNMP.
2. If you have not already configured the agent, do so before continuing. See “To configure the
SNMP agent via the web UI”.
3. Under Community, click New.
A dialog appears.
4. Configure these settings:
Setting name
Description
Name
Type the name of the SNMP community to which the FortiRecorder
appliance and at least one SNMP manager belongs, such as public.
The FortiRecorder appliance will not respond to SNMP managers whose
query packets do not contain a matching community name. Similarly,
trap packets from the FortiRecorder appliance will include the community
name, and an SNMP manager may not accept the trap if its community
name does not match.
Caution: Fortinet strongly recommends that you do not add
FortiRecorder to the community named public. This popular default
name is well-known, and attackers that gain access to your network will
often try this name first.
Enable
Enable this community entry.
Community Hosts
IP Address
Type the IP address of the SNMP manager that, if traps or queries are
enabled in this community:
• will receive traps from the FortiRecorder appliance
• will be permitted to query the FortiRecorder appliance
SNMP managers have read-only access. You can add up to 8.
To allow any IP address using this SNMP community name to query the
FortiRecorder appliance, enter 0.0.0.0. For security best practice
reasons, however, this is not recommended.
Caution: FortiRecorder sends security-sensitive traps, which should be
sent only over a trusted network, and only to administrative equipment.
Note: If there are no other host IP entries, entering only 0.0.0.0
effectively disables traps because there is no specific destination for
trap packets. If you do not want to disable traps, you must add at
least one other entry that specifies the IP address of an SNMP
manager.
Queries
Type each port number (161 by default) on which the FortiRecorder
appliance listens for SNMP queries from the SNMP managers in this
community, then enable it. Port numbers vary by SNMP v1 and SNMP
v2c.
Traps
Type each port number (162 by default) that will be the source (Local)
port number and destination (Remote) port number for trap packets sent
to SNMP managers in this community, then enable it. Port numbers vary
by SNMP v1 and SNMP v2c.
SNMP Event
Enable the types of SNMP traps that you want the FortiRecorder
appliance to send to the SNMP managers in this community.
• System events (system reboot, system reload, system upgrade,
log disk formatting, and video disk formatting)
• Remote storage event
• Interface IP change
• Camera events (enabling, disabling, communication failure,
recording failure, IP change, and camera reboot)
While most trap events are described by their names, the following
events occur when a threshold has been exceeded:
• CPU Overusage
• Memory Low
• Log Disk Usage Threshold
• Video Disk Usage Threshold
To configure their thresholds, see “To configure the SNMP agent via the
web UI”. For more information on supported traps and queries, see
“MIB support”.
5. Click OK.
6. To verify your SNMP configuration and network connectivity between your SNMP manager
and your FortiRecorder appliance, be sure to test both traps and queries (assuming you
have enabled both). Traps and queries typically occur on different port numbers, and
therefore verifying one does not necessarily verify that the other is also functional. To test
queries, from your SNMP manager, query the FortiRecorder appliance. To test traps, cause
one of the events that should trigger a trap.
See also
• Configuring SNMP v3 users
• SNMP traps & queries
Configuring SNMP v3 users
If your SNMP manager supports SNMP v3, you can specify which of its user accounts is
permitted to access information about your FortiRecorder appliance. This provides greater
granularity of control over who can access potentially sensitive system information.
To specify access for an SNMP user via the web UI
1. Go to System > Configuration > SNMP.
2. If you have not already configured the agent, do so before continuing. See “To configure the
SNMP agent via the web UI”.
3. Under User, click New.
A dialog appears.
4. Configure these settings:
Setting name
Description
User name
Type the name of the SNMP user. This must match the name of the
account as it is configured on your SNMP manager.
You can add up to 16 users.
Enable
Enable this user entry.
Security level
Choose one of the three security levels:
• No authentication, no privacy — Causes SNMP v3 to behave
similarly to SNMP v1 and v2, which provide neither secrecy nor
guarantees of authenticity, and therefore is not secure. This option
should only be used on private management networks.
• Authentication, no privacy — Enables authentication only,
guaranteeing the authenticity of the message, but not safeguarding it
from eavesdropping. Also configure Authentication protocol.
• Authentication, privacy — Enables both authentication and
encryption, guaranteeing authenticity as well as secrecy. Also
configure Privacy protocol.
Authentication protocol
Select either SHA-1 or MD5 hashes for authentication. Also configure a
salt in Password. Both the protocols and passwords on the SNMP
manager and FortiRecorder must match.
Privacy protocol
Select either AES or DES encryption algorithms. Also configure a salt in
Password. Both the protocols and passwords on the SNMP manager
and FortiRecorder must match.
5. Similar to configuring the SNMP community, configure the other settings to specify the trap
recipient IP, allowed query source IPs, and trap events (see “Configuring an SNMP
community”).
6. Click OK.
7. To verify your SNMP configuration and network connectivity between your SNMP manager
and your FortiRecorder appliance, be sure to test both traps and queries (assuming you
have enabled both). Traps and queries typically occur on different port numbers, and
therefore verifying one does not necessarily verify that the other is also functional. To test
queries, from your SNMP manager, query the FortiRecorder appliance. To test traps, cause
one of the events that should trigger a trap.
See also
• Configuring an SNMP community
• SNMP traps & queries
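The cautions in the SNMP community and SNMP v3 user sections, turned into a configuration review as an added example (not part of FortiRecorder). The dictionary layout, the names and the addresses are constructed for illustration; the preference for SHA-1 over MD5 and AES over DES is general practice rather than a statement from this guide.

```python
NOAUTH = "No authentication, no privacy"
AUTH_ONLY = "Authentication, no privacy"
AUTH_PRIV = "Authentication, privacy"


def audit(communities, users):
    """Return (subject, finding) pairs for settings the guide warns about."""
    findings = []
    if len(communities) > 3:
        findings.append(("communities", "more than the 3 communities allowed"))
    for community in communities:
        name, hosts = community["name"], community["hosts"]
        if name.lower() == "public":
            findings.append((name, "well-known default community name"))
        if len(hosts) > 8:
            findings.append((name, "more than the 8 SNMP managers allowed"))
        if "0.0.0.0" in hosts:
            findings.append((name, "0.0.0.0 lets any IP address query"))
            if community.get("traps") and set(hosts) == {"0.0.0.0"}:
                findings.append((name, "traps enabled but no specific destination"))
    if len(users) > 16:
        findings.append(("users", "more than the 16 users allowed"))
    for user in users:
        name, level = user["name"], user["level"]
        if level == NOAUTH:
            findings.append((name, "messages are neither authenticated nor encrypted"))
        elif level == AUTH_ONLY:
            findings.append((name, "messages are authenticated but readable in transit"))
        if level != NOAUTH and user.get("auth") == "MD5":
            findings.append((name, "MD5 selected; SHA-1 is the stronger option offered"))
        if level == AUTH_PRIV and user.get("priv") == "DES":
            findings.append((name, "DES selected; AES is the stronger option offered"))
    return findings


# Constructed weak configuration.
WEAK_COMMUNITIES = [{"name": "public", "hosts": ["0.0.0.0"], "traps": True}]
WEAK_USERS = [
    {"name": "nms-ro", "level": NOAUTH},
    {"name": "nms-legacy", "level": AUTH_PRIV, "auth": "MD5", "priv": "DES"},
]

# The same deployment corrected: private name, one named manager, authPriv user.
FIXED_COMMUNITIES = [{"name": "fr-mgmt-7Qx", "hosts": ["192.0.2.10"], "traps": True}]
FIXED_USERS = [{"name": "nms-ro", "level": AUTH_PRIV, "auth": "SHA-1", "priv": "AES"}]

if __name__ == "__main__":
    for subject, finding in audit(WEAK_COMMUNITIES, WEAK_USERS):
        print(subject + ": " + finding)
    print(audit(FIXED_COMMUNITIES, FIXED_USERS))
```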
MIB support
The FortiRecorder SNMP agent supports the following management information blocks (MIBs):
Table 4: Supported MIBs
MIB or RFC
Description
Fortinet Core MIB
This Fortinet-proprietary MIB enables your SNMP manager to query for
system information and to receive traps that are common to multiple
Fortinet devices.
FortiRecorder MIB
This Fortinet-proprietary MIB enables your SNMP manager to query for
FortiRecorder-specific information and to receive
FortiRecorder-specific traps.
RFC-1213 (MIB II)
The FortiRecorder SNMP agent supports MIB II groups, except:
• There is no support for the EGP group from MIB II (RFC 1213,
section 3.11 and 6.10).
• Protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP,
and so on) do not accurately capture all FortiRecorder traffic
activity. More accurate information can be obtained from the
information reported by the FortiRecorder MIB.
RFC-2665 (Ethernet-like MIB)
The FortiRecorder SNMP agent supports Ethernet-like MIB information,
except the dot3Tests and dot3Errors groups.
You can obtain these MIB files from the Fortinet Technical Support web site,
https://support.fortinet.com/.
To communicate with your FortiRecorder appliance’s SNMP agent, you must first compile these
MIBs into your SNMP manager. If the standard MIBs used by the SNMP agent are already
compiled into your SNMP manager, you do not have to compile them again.
To view a trap or query’s name, object identifier (OID), and description, open its MIB file in a
plain text editor.
All traps sent include the message, the FortiRecorder appliance’s serial number, and host name.
For instructions on how to configure traps and queries, see “SNMP traps & queries”.
See also
• SNMP traps & queries
Logging
Log messages, if you configured them (see “Configuring logging”), record important events on
your FortiRecorder system.
About logs
FortiRecorder appliances can log many different activities including:
• camera recording events
• administrator-triggered events including logouts and configuration changes
• system-triggered events including system failures
For more information about log types, see “Log types”.
You can select a priority level that log messages must meet in order to be recorded. For more
information, see “Log severity levels”.
The FortiRecorder appliance can save log messages to its memory, or to a remote location such
as a Syslog server or FortiAnalyzer appliance. For more information, see “Configuring logging”.
See also
• Log types
• Log severity levels
Log types
Each log message contains a Type (type) field that indicates its category, and in which log file it
is stored.
FortiRecorder appliances can record the following categories of log messages:
Table 5: Log types
Log type
Description
Event
Displays administrative events, such as downloading a backup copy of the
configuration, and hardware failures.
Camera
Displays start/stop recording events, factory reset, and other camera events.
Avoid recording highly frequent log types such as traffic logs to the local hard disk for an
extended period of time. Excessive logging frequency can cause undue wear on the hard disk
and may cause premature failure.
Log severity levels
Each log message contains a Severity (pri) field that indicates the severity of the event that
caused the log message, such as pri=warning.
Table 6: Log severity levels (0 is greatest)
Level  Name          Description
0      Emergency     The system has become unusable.
1      Alert         Immediate action is required.
2      Critical      Functionality is affected.
3      Error         An error condition exists and functionality could be affected.
4      Warning       Functionality could be affected.
5      Notification  Information about normal events.
6      Information   General information about system operations.
For each location where the FortiRecorder appliance can store log files (disk, Syslog or
FortiAnalyzer), you can define a severity threshold. The FortiRecorder appliance will store all log
messages equal to or exceeding the log severity level you select.
For example, if you select Error, the FortiRecorder appliance will store log messages whose log
severity level is Error, Critical, Alert, and Emergency.
Avoid recording log messages using low log severity thresholds such as information or
notification to the local hard disk for an extended period of time. A low log severity threshold is
one possible cause of frequent logging. Excessive logging frequency can cause undue wear on
the hard disk and may cause premature failure.
Viewing log messages
You can use the web UI to view and download locally stored log messages. (You cannot use the
web UI to view log messages that are stored remotely on Syslog or FortiAnalyzer devices.) Log
messages are in human-readable format, where each log field’s name, such as Message (msg
field when viewing a raw, downloaded log file), indicates its contents.
To view log messages
1. Go to either Monitor > Log Viewer > Event (to view event logs about the appliance itself) or
Monitor > Log Viewer > Camera (to view logs about connected cameras).
Columns and appearance vary slightly by log type.
Initially, the page displays a list of log files of that type.
2. Double-click the row of a log file to view the log messages that it contains.
Table 7: Monitor > Video Monitor > Event (viewing the contents of a log file)
Setting name
Description
Level
Select a severity level to hide log messages that are below this
threshold (see “Log severity levels”).
Subtype
Select a subcategory (corresponding to the Subtype column) to hide
log messages whose subtype field does not match.
Go to line
Type the index number of the log message (corresponding to the #
column) that you want to jump to in the display.
Search
Click to find log messages matching specific criteria (see “Searching
logs”).
Back
Click to return to the list of log files stored on FortiRecorder’s hard
drive.
Save View
Click to keep your current log view settings for subsequent views and
sessions (see “Displaying & sorting log columns & rows”).
#
The index number of the log message within the log file, not the order
of rows in the web UI.
By default, the rows are sorted by timestamp in descending order, the
same as they are within the log file, so the rows are in sequential
order, starting with the most recent log message, number 1, in the top
row. If you change the row sorting criteria (see “Displaying & sorting
log columns & rows”), these index numbers won’t be in the same
order as the rows.
For example, when sorting by the Message column’s contents, the
index numbers of the first 3 rows could be 14, 15, 9.
Note: In the current log file, each log’s index number changes as
new log messages are added, pushing older logs further down the
stack. To find the same log message later, remember its timestamp
and Message, not its #.
Date
The date on which the log message was recorded.
When in raw format, this is the log’s date field.
Time
The time at which the log message was recorded.
When in raw format, this is the log’s time field.
Subtype
The category of the log message, such as admin for events such as
authentication or configuration changes, or system for events such
as disk consumption or connection failures.
When in raw format, this is the log’s subtype field.
Log ID
A dynamic log identifier within the system. It is not predictable, not
indicative of the cause, and not necessarily a unique identifier.
When in raw format, this is the log’s log_id field.
Message
The log message that describes the specific occurrence of a
recordable event.
For example, all logout events follow a format similar to User admin
logout from GUI(172.16.1.5), but the exact message varies if
the account name, connection method, and IP address are different.
When in raw format, this is the log’s msg field.
3. To return to the list of log files, click the Back button.
See also
• Displaying & sorting log columns & rows
• Searching logs
Displaying & sorting log columns & rows
You can display, hide and re-order most columns — each column corresponds to a field in the
log messages — to display only relevant categories of information, in your preferred order.
If you need to sort and filter the log messages based on more complex criteria, you can
download the log file as a raw or CSV-formatted file for loading into external log or spreadsheet
software (see “Downloading log messages”).
To display or hide columns
1. Go to one of the log types, such as Monitor > Log Viewer > Event.
2. Double-click the row of a log file to view the log messages that it contains.
3. Hover your mouse cursor over one of the column headings. An arrow will appear on the right
side of the heading. Click the arrow to display a drop-down menu, then hover your mouse
cursor over the Columns item in the menu to display a list of check boxes — one for each
column.
4. Select which columns to hide or display:
5. To display a column such as Time, mark the check box next to its name. To disable the
display of a column, clear its check box.
The page refreshes immediately, displaying the columns that you selected.
6. Column settings will not usually persist when changing pages, nor from session to session.
If you want to keep the settings, you must click Save View. The log view settings will not
apply to other accounts. Each administrator must configure their own settings.
To arrange the columns & rows
1. Hover your mouse cursor over the column heading.
2. Click and drag the column into the position where you want it to be.
3. Hover your mouse cursor over one of the column headings. An arrow will appear on the right
side of the heading. Click the arrow to display a drop-down menu, then click either Sort
Ascending or Sort Descending to cause the rows to be sorted from either first to last, or last
to first, based upon the contents of that column.
4. Column settings will not usually persist when changing pages, nor from session to session.
If you want to keep the settings, you must click Save View.
See also
• Logging
• Searching logs
• About logs
Downloading log messages
You can download logs that are stored locally (i.e., on the FortiRecorder appliance’s hard drive)
to your computer.
To download a log file
1. Go to one of the log types, such as Monitor > Log Viewer > Event.
2. In the list of log files, mark the check box of the log file that you want to download.
(You can only download one log file at a time.)
3. Click Download.
A drop-down menu appears.
4. Select either:
• Normal Format — A plain text .log file.
• CSV Format — A comma-separated values (CSV) file that can be opened in spreadsheet
software such as Microsoft Excel or OpenOffice Calc.
• Compressed Format — A plain text .log file in a .gz compressed archive.
5. If a file download dialog appears, choose the directory where you want to save the file.
Your browser downloads the log file. Time required varies by the size of the file and the
speed of the network connection.
See also
• Deleting log files
Deleting log files
If you have downloaded log files to an external backup, or if you no longer require them, you
can delete one or more locally stored log files to free disk space.
To delete a log file
1. Go to one of the log types, such as Monitor > Log Viewer > Event.
2. Either:
• To delete all log files, mark the check box in the column heading. All rows’ check boxes
will become marked.
• To delete some log files, mark the check box next to each file that you want to delete.
3. Click Delete.
See also
• Downloading log messages
Searching logs
When viewing attack logs, you can locate a specific log using the event log search function.
To search an attack log
1. Go to one of the log types, such as Monitor > Log Viewer > Event.
2. Click Search.
A dialog appears.
3. Configure these settings:
Setting name
Description
Keyword
Type all or part of the exact word or phrase you want to search for.
The word may appear in any of the fields of the log message (e.g.
Action and/or Message), in any part of that field’s value. If entering
multiple words, they must occur uninterrupted in that exact order.
For example, entering admin as a keyword will include results such
as User admin2 logout from GUI(172.16.1.15) where part
of the word appears in the middle of the log message. However,
entering User logout would not yield any results, because in the
log messages, those two words are always interrupted by the name
of the account, and therefore do not exactly match your search key
phrase.
Depending on your setting of Match condition, you may be able to
use asterisks as wild cards to match multiple words.
This setting is optional.
Message
Type all or part of the exact value of the Message (msg) field of the log
messages that you want to find.
This setting is optional.
Log ID
Type all or part of the ID number of the log messages that you want to
find.
This setting is optional.
Time
Select the date and time range that contains the attack log that you
are searching for.
This setting is optional.
Note: The date fields default to the current date. Ensure the date
fields are set to the actual date range that you want to search.
Match condition
Select whether your match criteria are specified exactly (Contain) or
you have indicated multiple possible matches using an asterisk in
Keyword (Wildcard).
4. Click Apply to initiate the search.
The web UI displays log messages that match your search on a new tab.
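The severity threshold and the Keyword match rules described above can be reproduced offline against a downloaded log file. This is an added example, not code from the guide or from Fortinet; the key=value raw line layout, the sample messages and the helper names are assumptions constructed for illustration, and case-sensitive matching is assumed.

```python
import re

# Severity names and levels from Table 6 (0 is greatest).
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "information": 6}

# key=value pairs; a value is either a double-quoted string or a bare token.
# ASSUMPTION: this raw line layout is illustrative, not taken from the guide.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Split one raw log line into a {field: value} dict."""
    entry = {}
    for key, value in FIELD.findall(line):
        if value.startswith('"'):
            value = value[1:-1]          # strip the surrounding quotes
        entry[key] = value
    return entry


def meets_threshold(entry, threshold):
    """True if the entry's pri is equal to or more severe than threshold."""
    level = SEVERITY.get(entry.get("pri", "").lower())
    return level is not None and level <= SEVERITY[threshold.lower()]


def search(entries, keyword, wildcard=False):
    """Keyword search over every field value of every entry.

    Contain (default): the keyword must occur as one uninterrupted substring.
    Wildcard: each asterisk in the keyword stands for any run of characters.
    """
    if wildcard:
        pattern = ".*".join(re.escape(part) for part in keyword.split("*"))
    else:
        pattern = re.escape(keyword)
    rx = re.compile(pattern)
    return [e for e in entries if any(rx.search(v) for v in e.values())]


# Constructed sample lines (not real appliance output).
SAMPLE = '''\
date=2015-03-30 time=10:15:02 log_id=0000000101 type=event subtype=admin pri=information msg="User admin2 logout from GUI(172.16.1.15)"
date=2015-03-30 time=10:17:40 log_id=0000000102 type=event subtype=system pri=warning msg="Disk usage is high"
date=2015-03-30 time=10:21:09 log_id=0000000103 type=event subtype=system pri=error msg="Connection to remote server failed"
date=2015-03-30 time=10:25:33 log_id=0000000104 type=event subtype=system pri=critical msg="Hard disk failure detected"
'''
ENTRIES = [parse_line(line) for line in SAMPLE.splitlines() if line.strip()]

if __name__ == "__main__":
    # A threshold of Error keeps Error, Critical, Alert and Emergency.
    for e in ENTRIES:
        if meets_threshold(e, "Error"):
            print(e["date"], e["time"], e["pri"], e["msg"])
    # "admin" matches inside "admin2"; "User logout" is interrupted by the
    # account name, so it only matches when written as a wildcard pattern.
    print(len(search(ENTRIES, "admin")),
          len(search(ENTRIES, "User logout")),
          len(search(ENTRIES, "User*logout", wildcard=True)))
```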
Secure connections and certificates
When a FortiRecorder appliance initiates or receives an SSL or TLS connection, it will use
certificates. Certificates can be used in secure connections for:
• encryption
• authentication of servers
FortiRecorder may require you to upload certificates and CRLs even if you do not use HTTPS.
For example, when sending alert email via SMTPS, or querying an authentication server via
LDAPS, FortiRecorder will validate the server’s certificate by comparing the server certificate’s
CA signature with the certificates of CAs that are known and trusted by the FortiRecorder
appliance. See “Uploading trusted CAs’ certificates” and “Revoking certificates”.
Supported cipher suites & protocol versions
How secure is an HTTPS connection?
A secure connection’s protocol version and cipher suite, including encryption bit strength and
encryption algorithms, is negotiated between the client and the SSL terminator during the
handshake. (When you connect to the web UI via HTTPS, your FortiRecorder appliance is the
SSL terminator.) Because security settings must agree, the result depends both on the
appliance and your web browser.
FortiRecorder supports:
• SSL 2.0
  • RC4-MD5 — 40-bit & 128-bit
• SSL 3.0
  • AES-SHA — 256-bit & 128-bit
  • CAMELLIA-SHA — 128-bit & 256-bit
  • DES-CBC3-SHA — 168-bit
  • DES-CBC-SHA — 40-bit & 56-bit
  • DHE-RSA-AES-SHA — 256-bit & 128-bit
  • DHE-RSA-CAMELLIA-SHA — 256-bit & 128-bit
  • DHE-RSA-SEED-SHA — 128-bit
  • EDH-RSA-DES-CBC3-SHA — 168-bit
  • EDH-RSA-DES-CBC-SHA — 40-bit & 56-bit
  • RC4-SHA — 128-bit
  • RC4-MD5 — 40-bit & 128-bit
  • SEED-SHA — 128-bit
• TLS 1.0
  • AES-SHA — 256-bit & 128-bit
  • CAMELLIA-SHA — 128-bit & 256-bit
  • DES-CBC3-SHA — 168-bit
  • DES-CBC-SHA — 40-bit & 56-bit
  • DHE-RSA-AES-SHA — 256-bit & 128-bit
  • DHE-RSA-CAMELLIA-SHA — 256-bit & 128-bit
  • DHE-RSA-SEED-SHA — 128-bit
  • EDH-RSA-DES-CBC3-SHA — 168-bit
  • EDH-RSA-DES-CBC-SHA — 40-bit & 56-bit
  • RC4-SHA — 128-bit
  • RC4-MD5 — 40-bit & 128-bit
  • SEED-SHA — 128-bit
AES-256 and SHA-1 are preferable. Generally speaking, for security reasons, avoid using:
• SSL 2.0
• TLS 1.0
• Older hash algorithms, such as MD5. (On modern computers, these can be cracked quickly.)
• Ciphers with known vulnerabilities, such as some implementations of RC4, AES and DES
(e.g. To protect clients with incorrect CBC implementations for AES and DES, prioritize RC4.)
• Encryption bit strengths less than 128
• Older styles of re-negotiation (These are vulnerable to man-in-the-middle (MITM) attacks.)
Replacing the default certificate for the web UI
For HTTPS connections with the web UI, FortiRecorder has its own X.509 server certificate.
By default, the FortiRecorder appliance presents the “Factory” certificate, which can be used to
encrypt the connection, but whose authenticity cannot be guaranteed and therefore may not be
trusted by your web browser. This will cause your web browser to display a security alert,
indicating that the connection may have been intercepted.
To prevent this false alarm, you can go to System > Certificate > Local Certificate to replace the
certificate with one that is signed by your own CA so that it will be trusted. Thereafter, a security
alert will only occur if:
• the certificate expires
• your CA revokes the certificate
• the connection has been compromised by a man-in-the-middle attack
If you have not yet requested a certificate from your CA, and if it requires one, you must first
generate a certificate signing request (see “Generating a certificate signing request”).
Otherwise, start with “Uploading & selecting to use a certificate”.
Table 8: System > Certificate > Local Certificate
Setting name
Description
View
Click to view the selected certificate’s issuer, subject, and range of dates
within which the certificate is valid.
Generate
Click to generate a certificate signing request. For details, see
“Generating a certificate signing request”.
Download
Click to download the selected certificate’s entry in certificate (.cer),
PKCS #12 (.p12), or certificate signing request (.csr) file format. PKCS
#12 is recommended if you require a certificate backup that includes the
private key.
Certificate backups can also be made by downloading a configuration file
backup, which includes all certificates and keys. See “Regular backups”.
Set status
To configure your FortiRecorder appliance to use a certificate, click its
row to select it, then click this button. A confirmation dialog will appear,
asking if you want to use it as the “default” (currently in use) certificate.
Click OK. The Status column will change to reflect the new status.
Import
Click to upload a certificate. For details, see “Uploading & selecting to
use a certificate”.
Name
Displays the name of the certificate according to the appliance’s
configuration file. This will not be visible to clients.
Subject
Displays the distinguished name (DN) located in the Subject: field of
the certificate.
If the row contains a certificate request which has not yet been signed,
this field is empty.
Status
Displays the status of the certificate.
• Default — Indicates that this certificate will be used whenever a client
attempts to connect to the appliance. Only one certificate can be in
use at any given time.
• OK — Indicates that the certificate was successfully imported. To use
the certificate, select it, then use Set status to change its status.
• Pending — Indicates that the certificate request (CSR) has been
generated, but must be downloaded, signed, and imported before it
can be used as a server certificate.
See also
• Uploading & selecting to use a certificate
• Revoking certificates
• Supported cipher suites & protocol versions
• Uploading trusted CAs’ certificates
Generating a certificate signing request
Many commercial certificate authorities (CAs) will provide a web site where you can generate
your own certificate signing request (CSR). A CSR is an unsigned certificate file that the CA will
sign. When the CSR is generated, the associated private key that the appliance will use to sign
and/or encrypt connections with clients is also generated.
If your CA does not provide this, or if you have your own private CA such as a Linux server with
OpenSSL, you can use the appliance to generate a CSR and private key. This CSR can then be
submitted for verification and signing by the CA.
To generate a certificate request
1. Go to System > Certificate > Local Certificate.
2. Click Generate.
A dialog appears.
3. Configure the certificate signing request:
Setting name
Description
Certification name
Enter a unique name for the certificate request, such as
fortirecorder.example.com. This can be the name of
your appliance.
Subject Information
ID Type
Select the type of identifier to use in the certificate to identify
the FortiRecorder appliance:
• Host IP — Select if the FortiRecorder appliance has a
static IP address and enter the public IP address of the
FortiRecorder appliance in the IP field. If the FortiRecorder
appliance does not have a public IP address, use E-Mail or
Domain Name instead.
• Domain Name — Select if the FortiRecorder appliance
has a static IP address and subscribes to a dynamic DNS
service. Enter the FQDN of the FortiRecorder appliance,
such as fortirecorder.example.com, in the Domain
Name field. Do not include the protocol specification
(http://) or any port number or path names.
• E-Mail — Select and enter the email address of the owner
of the FortiRecorder appliance in the E-mail field. Use this
if the appliance does not require either a static IP address
or a domain name.
The type you should select varies by whether or not your
FortiRecorder appliance has a static IP address, a
fully-qualified domain name (FQDN), and by the primary
intended use of the certificate.
For example, if your FortiRecorder appliance has both a static
IP address and a domain name, but you will primarily use the
local certificate for HTTPS connections to the web UI by the
domain name of the FortiRecorder appliance, you might
prefer to generate a certificate based upon the domain name
of the FortiRecorder appliance, rather than its IP address.
IP
Type the static IP address of the FortiRecorder appliance,
such as 10.0.0.1.
The IP address should be the one that is visible to clients.
Usually, this should be its public IP address on the Internet, or
a virtual IP that you use NAT to map to the appliance’s IP
address on your private network.
This option appears only if ID Type is Host IP.
Domain Name
Type the fully qualified domain name (FQDN) of the
FortiRecorder appliance, such as www.example.com.
The domain name must resolve to the static IP address of the
FortiRecorder appliance or protected server. For more
information, see “NVR configuration”.
This option appears only if ID Type is Domain Name.
E-mail
Type the email address of the owner of the FortiRecorder
appliance, such as admin@example.com.
This option appears only if ID Type is E-Mail.
Key type
Displays the type of algorithm used to generate the key.
This option cannot be changed, but appears in order to
indicate that only RSA is currently supported.
Key size
Select a secure key size of 512 Bit, 1024 Bit, 1536 Bit or
2048 Bit. Larger keys are slower to generate, but provide
better security.
4. If you want to, or if your CA requires you to provide identifying information, configure these
settings:
Setting name
Description
Optional Information
Organization unit
Optional. Type the name of your organizational unit (OU),
such as the name of your department.
To enter more than one OU name, click the + icon, and enter
each OU separately in each field.
Organization
Optional. Type the legal name of your organization.
Locality(City)
Optional. Type the name of the city or town where the
FortiRecorder appliance is located.
State/Province
Optional. Type the name of the state or province where the
FortiRecorder appliance is located.
Country/Region
Optional. Select the name of the country where the
FortiRecorder appliance is located.
E-mail
Optional. Type an email address that may be used for contact
purposes, such as admin@example.com.
5. Click OK.
The FortiRecorder appliance creates a private and public key pair. The generated request
includes the public key of the FortiRecorder appliance and information such as the
FortiRecorder appliance’s IP address, domain name, or email address. The FortiRecorder
appliance’s private key remains confidential on the FortiRecorder appliance. The Status
column of the entry is Pending.
6. Click to select the row that corresponds to the certificate request.
7. Click Download.
Standard dialogs appear with buttons to save the file at a location you select. Your web
browser downloads the certificate request (.csr) file. Time required varies by the size of the
file and the speed of your network connection.
8. Upload the certificate request to your CA.
After you submit the request to a CA, the CA will verify the information in the certificate, give
it a serial number, an expiration date, and sign it with the public key of the CA.
9. If you are not using a commercial CA whose root certificate is already installed by default on
web browsers, download your CA’s root certificate, then install it on all computers that will
be connecting to your appliance. (If you do not install these, those computers may not trust
your new certificate.)
10. When you receive the signed certificate from the CA, upload the certificate to the
FortiRecorder appliance (see “Uploading & selecting to use a certificate”).
Uploading & selecting to use a certificate
You can import (upload) either:
• Base64-encoded
• PKCS #12 RSA-encrypted
X.509 server certificates and private keys to the FortiRecorder appliance. The format of the
certificate file that you have, and whether or not it includes the private key, may vary.
If a server certificate is signed by an intermediate certificate authority (CA) rather than a root CA,
before clients will trust the server certificate, you must demonstrate a link with root CAs that the
clients trust, thereby proving that the server certificate is genuine. You can demonstrate this
chain of trust either by:
• Appending a signing chain in the server certificate.
• Installing each intermediary CA’s certificate in clients’ trust store (list of trusted CAs).
Which method is best for you often depends on whether you have a convenient method for
deploying CA certificates to clients, such as you may be able to for clients in an internal
Microsoft Active Directory domain, and whether you often refresh the server certificate.
To append a signing chain in the certificate itself, before uploading the server certificate
to the FortiRecorder appliance
1. Open the certificate file in a plain text editor.
2. Append the certificate of each intermediary CA in order from the intermediary CA who
signed the local certificate to the intermediary CA whose certificate was signed directly by a
trusted root CA.
For example, an appliance’s certificate that includes a signing chain might use the following
structure:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 1, who signed the server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<certificate of intermediate CA 2, who signed the certificate of
intermediate CA 1 and whose certificate was signed by a trusted
root CA>
-----END CERTIFICATE-----
3. Save the certificate.
To upload a certificate
1. Go to System > Certificate > Local Certificate.
2. Click Import.
A dialog appears.
3. Configure these settings:
Setting name
Description
Type
Select the type of certificate file to upload, either:
• Local Certificate — An unencrypted certificate in PEM format.
• Certificate — An unencrypted certificate in PEM format. The
private key is in a separate file.
• PKCS12 Certificate — A PKCS #12 encrypted certificate with
private key.
Other available settings vary depending on this selection.
Certificate file
Click Browse to locate the certificate file that you want to upload.
This option is available only if Type is Certificate or Local Certificate.
Key file
Click Browse to locate the private key file that you want to upload
with the certificate.
This option is available only if Type is Certificate.
Certificate with key file
Click Browse to locate the PKCS #12 certificate-with-key file that you
want to upload.
This option is available only if Type is PKCS12 Certificate.
Password
Type the password that was used to encrypt the file, enabling the
FortiRecorder appliance to decrypt and install the certificate.
This option is available only if Type is Certificate or PKCS12
Certificate.
4. Click OK.
5. To use a certificate, click its row to select it, then click Set status to put it in force.
6. If your web browser does not yet have your CA’s certificate installed, download it and add it
to your web browser’s trust store so that it will be able to validate the appliance’s certificate
(see “Uploading trusted CAs’ certificates”).
Uploading trusted CAs’ certificates
In order to authenticate other devices’ certificates, FortiRecorder has a store of trusted CAs’
certificates. Until you upload at least one CA certificate, FortiRecorder does not know or
trust any CAs, so it cannot validate any other client or device’s certificate, and all of those
secure connections will fail.
FortiRecorder may require you to upload certificates and CRLs even if you do not use HTTPS.
For example, when sending alert email via SMTPS, or querying an authentication server via
LDAPS, FortiRecorder will validate the server’s certificate by comparing the server certificate’s
CA signature with the certificates of CAs that are known and trusted by the FortiRecorder
appliance.
Certificate authorities (CAs) validate and sign others’ certificates. When FortiRecorder needs to
know whether a client or device’s certificate is genuine, it will examine the CA’s signature,
comparing it with the copy of the CA’s certificate that you have uploaded in order to determine if
they were both made using the same private key. If they were, the CA’s signature is genuine,
and therefore the client or device’s certificate is legitimate.
If the signing CA is not known, that CA’s own certificate must likewise be signed by one or more
other intermediary CAs, until both the FortiRecorder appliance and the client or device can
demonstrate a signing chain that ultimately leads to a mutually trusted (shared “root”) CA that
they have in common. Like a direct signature by a known CA, this proves that the certificate can
be trusted. For more information on how to include a signing chain, see “Uploading & selecting
to use a certificate”.
To upload a CA’s certificate
1. Obtain a copy of your CA’s certificate file.
If you are using a commercial CA, your web browser should already contain a copy in its CA
trust store. Export a copy of the file to your desktop or other folder.
If you are using your own private CA, download a copy from your CA’s server. See “Example:
Downloading the CA’s certificate from Microsoft Windows 2003 Server”.
Verify that your private CA’s certificate does not contain its private keys. Disclosure of private
keys compromises the security of your network, and will require you to revoke and regenerate
all certificates signed by that CA.
2. Go to System > Certificate > CA Certificate.
To view the selected certificate’s issuer, subject, and range of dates within which the
certificate is valid, click a certificate’s row to select it, then click View.
3. Click Import.
A dialog appears.
4. In Certificate name, type a name for the certificate that can be referenced by other parts of
the configuration. Do not use spaces or special characters. The maximum length is 35
characters.
5. Next to Certificate file, click the Browse button and select your CA’s certificate file.
6. Click OK.
Time required to upload the file varies by the size of the file and the speed of your network
connection.
7. To test your configuration, cause your appliance to initiate a secure connection to an LDAPS
server (see “To configure an LDAP query” and “To configure an account”).
If the query fails, verify that your CA is the same one that signed the LDAP server’s
certificate, and that its certificate’s extensions indicate that the certificate can be used to
sign other certificates. Verify that both the appliance and LDAP server support the same
cipher suites and SSL/TLS protocols. Also verify that your routers and firewalls are
configured to allow the connection.
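A pre-upload check for two PEM pitfalls this chapter describes: a signing chain appended in the wrong order, and a CA certificate file that also carries a private key. This is an added example, not part of the guide or the product; the function names and the sample certificates (unsigned, structure-only, built inline) are constructed, and the check compares issuer and subject names only, without verifying signatures.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def _tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the raw DER issuer and subject Name of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, pos, end = _tlv(der, pos)             # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < end and len(fields) < 6:
        tag, _, value_end = _tlv(der, pos)
        fields.append((tag, der[pos:value_end]))
        pos = value_end
    if fields and fields[0][0] == 0xA0:      # optional explicit [0] version
        fields.pop(0)
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def lint_bundle(text):
    """Return a list of findings for a PEM file; an empty list means it passed."""
    findings, names = [], []
    for label, body in PEM_BLOCK.findall(text):
        if label.endswith("PRIVATE KEY"):
            findings.append("private key block present: " + label)
        elif label == "CERTIFICATE":
            try:
                names.append(issuer_and_subject(base64.b64decode(body)))
            except (ValueError, IndexError):
                findings.append(f"certificate {len(names) + 1} could not be parsed")
                return findings
    # Each certificate must be issued by the one that follows it in the file.
    # Names are compared byte for byte, which is stricter than RFC 5280 matching.
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            findings.append(f"certificate {i + 1} was not issued by certificate {i + 2}")
    return findings


# --- Constructed test data: structure-only stand-ins, not real certificates ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def _name(cn):
    # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String } } }
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))   # version v3
               + _der(0x02, b"\x01")             # serialNumber
               + _der(0x30, b"")                 # signature algorithm (empty placeholder)
               + _name(issuer_cn)
               + _der(0x30, b"")                 # validity (empty placeholder)
               + _name(subject_cn))
    body = base64.encodebytes(_der(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


SERVER = fake_cert_pem("fortirecorder.example.com", "Intermediate CA 1")
CA1 = fake_cert_pem("Intermediate CA 1", "Intermediate CA 2")
CA2 = fake_cert_pem("Intermediate CA 2", "Root CA")
KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(lint_bundle(SERVER + CA1 + CA2))   # correct order
    print(lint_bundle(SERVER + CA2 + CA1))   # intermediates swapped
    print(lint_bundle(CA2 + KEY))            # CA file that also holds a key
```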
See also
• Revoking certificates
• User management
Example: Downloading the CA’s certificate from Microsoft Windows 2003 Server
If you generated and signed your LDAP server’s certificate using Microsoft Certificate
Services on Microsoft Windows 2003 or 2008 Server, you must download the CA’s certificate
and provide it to the FortiRecorder appliance so that it will be able to verify the CA signature on
the certificate.
To download a CA certificate from Microsoft Windows 2003 Server
1. On your management computer, start your web browser.
2. Go to:
https://<ca-server_ipv4>/certsrv/
where <ca-server_ipv4> is the IP address of your CA server.
3. Log in as Administrator.
Other accounts may not have sufficient privileges. The Microsoft Certificate Services home
page for your server’s CA should appear.
4. Click the Download CA certificate, certificate chain, or CRL link.
The Download a CA Certificate, Certificate Chain, or CRL page appears.
5. From Encoding Method, select Base64.
6. Click Download CA certificate.
7. If your browser prompts you, select a location to save the CA’s certificate file.
See also
• Uploading trusted CAs’ certificates
Revoking certificates
To ensure that your FortiRecorder appliance validates only certificates that have not been
revoked, you should periodically upload a current certificate revocation list (CRL), which may be
provided by certificate authorities (CA).
Alternatively, you can use HTTP or online certificate status protocol (OCSP) to query for
certificate status. For more information, see “Revoking certificates by OCSP query”.
To upload a CRL file
1. Go to System > Certificate > Certificate Revocation List.
2. Click Import.
3. In Certificate name, type the name of the certificate as it will be referred to in the appliance’s
configuration file.
4. Next to Certificate file, click Browse, then select the certificate file.
5. Click OK.
The certificate is uploaded to the appliance. Time required varies by the size of the file and
the speed of the network connection, but is typically only a few seconds.
Revoking certificates by OCSP query
Online certificate status protocol (OCSP) enables you to revoke or validate certificates by query,
rather than by importing certificate revocation list (CRL) files. Since distributing and installing
CRL files can be a considerable burden in large organizations, and because delay between the
release and install of the CRL represents a vulnerability window, this can often be preferable.
To use OCSP queries, you must first install the certificates of trusted OCSP/CRL servers.
To view or upload a remote certificate
1. From your OCSP/CRL server, download its server certificate.
2. Go to System > Certificate > Remote.
3. Click Import.
4. In Certificate name, type the name of the certificate as it will be referred to in the appliance’s
configuration file.
5. Next to Certificate file, click Browse, then select the certificate file.
6. Click OK.
The certificate is uploaded to the appliance. Time required varies by the size of the file and
the speed of the network connection, but is typically only a few seconds.
Updating the firmware
Your new FortiRecorder appliance comes with the latest operating system (firmware) when
shipped. However, if a new version has been released since your appliance was shipped, you
should install it before you continue the installation. (Camera firmware can be updated later,
after you have connected your cameras to the appliance. See “Upgrading/downgrading the
camera firmware”.)
Fortinet periodically releases FortiRecorder firmware updates to include enhancements and
address issues. After you register your FortiRecorder appliance, FortiRecorder firmware is
available for download at:
https://support.fortinet.com
New firmware can introduce new features which you must configure for the first time.
For late-breaking information specific to the firmware release version, see the Release Notes
available with that release.
In addition to major releases that contain new features, Fortinet releases patch releases that
resolve specific issues without containing new features and/or changes to existing features. It is
recommended to download and install patch releases as soon as they are available.
Before you can download firmware updates for your FortiRecorder appliance, you must first
register your FortiRecorder appliance with Fortinet Technical Support. For details, go to
https://support.fortinet.com/ or contact Fortinet Technical Support.
See also
• Restoring firmware (“clean install”)
Installing NVR firmware
You can use either the web UI or the CLI to upgrade or downgrade the appliance’s operating
system.
Firmware changes are either:
• an update to a newer version
• a reversion to an earlier version
To determine if you are updating or reverting the firmware, go to Monitor > System Status >
Status and in the System Information widget, see the Firmware Version row. (Alternatively, in the
CLI, enter the command get system status.)
For example, if your current firmware version is:
FortiRecorder-200D v1.0,build0065,120821
changing to
FortiRecorder-200D v1.0,build0066,120824
an earlier build number (65) and date (120821 means August 21, 2012), indicates that you are
reverting.
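As an added example (not part of the Fortinet guide or tooling), the build number and date comparison described above can be scripted so that an accidental reversion is caught before the image is installed. The function names are hypothetical; the version strings are the two shown above, and a build number and date that disagree are reported as ambiguous.

```python
import re
from datetime import datetime

# Format shown in the guide: "<model> v<release>,build<NNNN>,<YYMMDD>"
VERSION_RE = re.compile(
    r"^(?P<model>\S+)\s+v(?P<release>\d+(?:\.\d+)*),build(?P<build>\d+),(?P<date>\d{6})$"
)


def parse_version(line):
    """Split a firmware version string into model, release, build and build date."""
    match = VERSION_RE.match(line.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware version string: {line!r}")
    return {
        "model": match["model"],
        "release": tuple(int(part) for part in match["release"].split(".")),
        "build": int(match["build"]),
        "date": datetime.strptime(match["date"], "%y%m%d").date(),
    }


def firmware_change(current, target):
    """Classify installing `target` over `current` as update, revert, same or ambiguous."""
    cur, new = parse_version(current), parse_version(target)
    if cur["model"] != new["model"]:
        raise ValueError(f"image is for {new['model']}, appliance is {cur['model']}")
    build_cmp = (new["build"] > cur["build"]) - (new["build"] < cur["build"])
    date_cmp = (new["date"] > cur["date"]) - (new["date"] < cur["date"])
    if build_cmp == 0 and date_cmp == 0:
        return "same"
    if build_cmp >= 0 and date_cmp >= 0:
        return "update"
    if build_cmp <= 0 and date_cmp <= 0:
        return "revert"
    return "ambiguous"  # build number and date disagree: check the Release Notes


if __name__ == "__main__":
    running = "FortiRecorder-200D v1.0,build0066,120824"
    image = "FortiRecorder-200D v1.0,build0065,120821"
    print(firmware_change(running, image))
```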
Back up your configuration before beginning this procedure.
Reverting to an earlier firmware version could reset settings that are not compatible with the
new firmware. For information on backups, see “Regular backups”. For information on
reconnecting to a FortiRecorder appliance whose network interface configuration was reset,
see “Connecting to FortiRecorder web UI”.
If you are installing a firmware version that requires a different size of system partition, you may
be required to format the boot device before installing the firmware by re-imaging the boot
device. Consult the Release Notes. In that case, do not install the firmware using this
procedure. Instead, see “Restoring firmware (“clean install”)”.
To install firmware via the web UI
1. Download the firmware file from the Fortinet Technical Support web site:
https://support.fortinet.com/
2. Log in to the web UI of the FortiRecorder appliance as the admin administrator.
3. Go to Monitor > System Status > Status.
Figure 4: System Information widget
4. In the System Information widget, in the Firmware version row, click Update.
The Choose Firmware dialog appears.
5. Click Browse to locate and select the firmware file that you want to install, then click OK.
6. Click OK.
Your management computer uploads the firmware image to the FortiRecorder appliance.
The FortiRecorder appliance installs the firmware and restarts. The time required varies by
the size of the file and the speed of your network connection, and by the amount of time that
the specific model requires to reboot. Over a LAN connection, it should only take a couple of
minutes until the appliance becomes available again.
If you are downgrading the firmware to a previous version, and the settings are not fully
backwards compatible, the FortiRecorder appliance may either remove incompatible settings,
or use the feature’s default values for that version of the firmware. You may need to reconfigure
some settings.
7. Clear the cache of your web browser and restart it to ensure that it reloads the web UI and
correctly displays all interface changes. For details, see your browser's documentation.
8. To verify that the firmware was successfully installed, log in to the web UI and go to
Monitor > System Status > Status.
In the System Information widget, the Firmware version row indicates the currently installed
firmware version.
9. If you want to install alternate firmware on the secondary partition, follow “Installing alternate
firmware”.
10. Continue with “Setting the “admin” account password”.
To install firmware via the CLI
1. Download the firmware file from the Fortinet Technical Support web site:
https://support.fortinet.com/
2. Copy the new firmware image file to the root directory of the TFTP server.
3. Connect your management computer to the FortiRecorder console port using an
RJ-45-to-DB-9 serial cable or a null-modem cable.
4. Connect port1 of the FortiRecorder appliance directly to, or to the same subnet as, a TFTP
server.
5. Initiate a connection from your management computer to the CLI of the FortiRecorder
appliance, and log in as the admin administrator.
6. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and
run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.)
Because TFTP is not secure, and because it does not support authentication and could allow
anyone to have read and write access, you should only run it on trusted administrator-only
networks, never on computers directly connected to the Internet. If possible, turn
tftpd off immediately when you are done.
7. Verify that the TFTP server is currently running, and that the FortiRecorder appliance can
reach the TFTP server.
To use the FortiRecorder CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
8. Enter the following command to download the firmware image from the TFTP server to the
FortiRecorder appliance:
execute restore image tftp <name_str> <tftp_ipv4>
where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP
address of the TFTP server. For example, if the firmware image file name is image.out and
the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
One of the following messages appears:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
or:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
9. Type y.
The FortiRecorder appliance downloads the firmware image file from the TFTP server. The
FortiRecorder appliance installs the firmware and restarts. The time required varies by the
size of the file and the speed of your network connection.
If you are downgrading the firmware to a previous version, the FortiRecorder appliance reverts
the configuration to default values for that version of the firmware. You will need to reconfigure
the FortiRecorder appliance or restore the configuration file from a backup. For details, see
“Connecting to FortiRecorder web UI” and, if you opt to restore the configuration, “Restoring a
previous configuration”.
10. To verify that the firmware was successfully installed, log in to the CLI and type:
get system status
The firmware version number is displayed.
11. If you want to install alternate firmware on the secondary partition, follow “Installing alternate
firmware”.
12. Continue with “Setting the “admin” account password”.
See also
• Installing alternate firmware
Installing alternate firmware
You can install alternate firmware which can be loaded from its separate partition if the primary
firmware fails. This can be accomplished via the CLI.
To install alternate firmware via the CLI
1. Download the firmware file from the Fortinet Technical Support web site:
https://support.fortinet.com/
2. Copy the new firmware image file to the root directory of the TFTP server.
3. Connect your management computer to the FortiRecorder console port using an
RJ-45-to-DB-9 serial cable or a null-modem cable.
4. Connect port1 of the FortiRecorder appliance directly to, or to the same subnet as, a TFTP
server.
5. Initiate a connection from your management computer to the CLI of the FortiRecorder
appliance, and log in as the admin administrator.
For details, see “Connecting to FortiRecorder web UI”.
6. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and
run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.)
Because TFTP is not secure, and because it does not support authentication and could allow
anyone to have read and write access, you should only run it on trusted administrator-only
networks, never on computers directly connected to the Internet. If possible, turn
tftpd off immediately when you are done.
7. Verify that the TFTP server is currently running, and that the FortiRecorder appliance can
reach the TFTP server.
To use the FortiRecorder CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
8. Enter the following command to restart the FortiRecorder appliance:
execute reboot
9. As the FortiRecorder appliance starts, a series of system startup messages appears.
Press any key to display configuration menu........
10. Immediately press a key to interrupt the system startup.
You have only 3 seconds to press a key. If you do not press a key soon enough, the
FortiRecorder appliance reboots and you must log in and repeat the execute reboot
command.
If you successfully interrupt the startup process, the following messages appear:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".
11. Type G to get the firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
12. Type the IP address of the TFTP server and press Enter.
The following message appears:
Enter local address [192.168.1.188]:
13. Type a temporary IP address that can be used by the FortiRecorder appliance to connect to
the TFTP server.
The following message appears:
Enter firmware image file name [image.out]:
14. Type the firmware image file name and press Enter.
The FortiRecorder appliance downloads the firmware image file from the TFTP server and
displays a message similar to the following:
Save as Default firmware/Backup firmware/Run image without
saving:[D/B/R]?
15. Type B.
The FortiRecorder appliance saves the backup firmware image and restarts. When the
FortiRecorder appliance reboots, it is running the primary firmware.
See also
• Booting from the alternate partition
• Installing NVR firmware
Booting from the alternate partition
Each appliance can have up to two firmware versions installed. Each firmware version is stored
in a separate disk partition.
To boot into alternate firmware via the local console CLI
1. Install firmware onto the alternate partition (see “Installing alternate firmware”).
2. Connect your management computer to the FortiRecorder console port using an
RJ-45-to-DB-9 serial cable or a null-modem cable.
3. Initiate a connection from your management computer to the CLI of the FortiRecorder
appliance, and log in as the admin administrator.
For details, see “Connecting to FortiRecorder web UI”.
4. Enter the following command to restart the FortiRecorder appliance:
execute reboot
5. As the FortiRecorder appliance starts, a series of system startup messages appears.
Press any key to display configuration menu........
Immediately press a key to interrupt the system startup.
You have only 3 seconds to press a key. If you do not press a key soon enough, the
FortiRecorder appliance reboots and you must log in and repeat the execute reboot
command.
If you successfully interrupt the startup process, the following messages appear:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".
6. Type B to reboot and use the backup firmware.
See also
• Installing alternate firmware
Upgrading/downgrading the camera firmware
Once the FortiRecorder NVR is connected to your cameras, you can upgrade/downgrade the
camera firmware through the FortiRecorder web UI.
To upgrade/downgrade your cameras’ firmware
1. First, go to Camera > Configuration > Firmware to check the availability of the camera
firmware. For the corresponding camera model, if the Availability column says Fortinet
Support, that means the firmware is available to download from the Fortinet Technical
Support web site.
2. Download the firmware file from the Fortinet Technical Support web site and save the file on
your PC:
https://support.fortinet.com/
3. Go to Camera > Configuration > Firmware.
4. Click the Upload button to upload the downloaded firmware images. After the firmware is
successfully uploaded, the Availability column will show Local.
5. Go to Camera > Configuration > Camera.
6. Select the camera that you want to upgrade/downgrade and click the Upgrade button. Note
that you can select multiple cameras and upgrade/downgrade them at the same time.
7. From the available firmware list, select the firmware version you want to upgrade to and click
OK.
The camera installs the new firmware. During this time, the camera will not be able to record
video if it was scheduled; you may notice a gap in the recorded video clips.
Fine-tuning & best practices
This topic is a collection of fine-tuning and best practice tips and guidelines to help you
configure your FortiRecorder appliances for the most secure and reliable operation.
While many features are optional or flexible such that they can be used in many ways, some
practices are generally a good idea because they reduce complication, risk, or potential issues.
This section includes only recommendations that apply to a combination of multiple features, to
the entire appliance, or to your overall network environment.
For feature-specific recommendations, see the tips in each feature’s instructions.
Hardening security
FortiRecorder NVRs are designed to manage IP cameras and store video. While FortiRecorder
does have some security features, its primary focus is surveillance. It should always be
protected by a network firewall, and physically kept in a restricted access area.
Should you wish to protect the appliance from accidental or malicious misuse by people
within your private network, this section lists tips to further enhance security.
Topology
• To protect your surveillance system from hackers and unauthorized network access, install
the FortiRecorder appliance and cameras behind a network firewall such as a FortiGate.
FortiRecorder is not a firewall. FortiRecorder appliances are designed specifically to
manage cameras and store video.
• If remote cameras or people will be accessing the appliance via the Internet, through a
virtual IP or port forward on your router or FortiGate, configure your router or firewall to
restrict access, allowing only their IP addresses. Require firewall authentication for
connections from network administrators and security guards.
• Make sure traffic cannot bypass the FortiRecorder appliance in a complex network
environment, accessing the cameras directly.
• If remote access while travelling or at home is not necessary, do not configure public access
(see “Configuring system timeout, ports, and public access”), and do not configure your Internet
firewall to forward traffic to FortiRecorder. If you do require remote access, be sure to apply strict
firewall policies to the connection, and harden all accounts and administrative access (see
“Administrator access” and “Operator access”) as well as keeping the FortiRecorder
software up-to-date (see “Patches”).
• Disable all network interfaces that should not receive any traffic.
Figure 5: Disabling port4 in System > Network > Interface
For example, if administrative access is typically through port1, the Internet is connected to
port2, and cameras are connected to port3, you would disable (“bring down”) port4. This
would prevent an attacker with physical access from connecting a cable to port4 and
thereby gaining access if the configuration inadvertently allows it.
Administrator access
• As soon as possible during initial FortiRecorder setup, give the default administrator, admin,
a password. This super-administrator account has the highest level of permissions possible,
and access to it should be limited to as few people as possible.
• Administrator passwords should be at least 8 characters long and include both numbers and
letters.
• Change all passwords regularly. Set a policy — such as every 60 days — and follow it.
• Instead of allowing administrative access to the FortiRecorder appliance from any source,
restrict it to trusted internal hosts. On those computers that you have designated for
management, apply strict patch and security policies. Always password-encrypt any
FortiRecorder configuration backup that you download to those computers to mitigate the
information that attackers can gain from any potential compromise. If your computer’s
operating system does not support this, you can use third-party software to encrypt the file.
• Do not give administrator-level access to all people who use the system. Usually, only a
network administrator should have access to the network settings. Others should have
operator accounts. This prevents others from accidentally or maliciously breaking the
appliance’s connections with cameras and computers. See “User management”.
• By default, an administrator login that is idle for more than five minutes times out. You can
change this to a longer period in the idle timeout settings, but Fortinet does not recommend
it. Left unattended, a web UI or CLI session could allow anyone with physical access to your
computer to change FortiRecorder settings. Short idle timeouts mitigate this risk.
• Restrict administrative access to a single network interface (usually port1), and allow only
the management access protocols needed.
Figure 6: Restricting accepted administrative protocols in the Edit Interface dialog in
System > Network > Interface
Use only the most secure protocols. Disable PING, except during troubleshooting. Disable
HTTP, SNMP, and TELNET unless the network interface only connects to a trusted, private
administrative network. See “NVR configuration”.
• Disable all network interfaces that should not receive any traffic. (That is, set the Administrative
status to Down.)
Figure 7: Disabling port4 in System > Network > Interface
For example, if administrative access is typically through port1, the Internet is connected to
port2, and cameras are connected to port3, you would disable (“bring down”) port4. This
would prevent an attacker with physical access from connecting a cable to port4 and
thereby gaining access if the configuration inadvertently allows it.
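The interface recommendations above can be checked against a downloaded configuration backup. This added example is not Fortinet code: it assumes the backup uses FortiOS-style config/edit/set/next/end syntax with allowaccess and status keywords, and both sample configurations are constructed.

```python
# Assumed backup syntax: FortiOS-style config/edit/set/next/end blocks. The
# "allowaccess" and "status" keywords are assumptions, not taken from the guide.
CLEARTEXT = {"http", "snmp", "telnet"}  # protocols the guide says to disable

SAMPLE_WEAK = """\
config system interface
  edit port1
    set ip 192.168.1.99/24
    set allowaccess https ssh ping
  next
  edit port2
    set ip 203.0.113.10/24
    set allowaccess https http
  next
  edit port3
    set ip 10.0.3.1/24
  next
  edit port4
    set ip 10.0.4.1/24
    set allowaccess telnet
  next
end
"""

SAMPLE_HARDENED = """\
config system interface
  edit port1
    set ip 192.168.1.99/24
    set allowaccess https ssh
  next
  edit port2
    set ip 203.0.113.10/24
  next
  edit port3
    set ip 10.0.3.1/24
  next
  edit port4
    set status down
  next
end
"""


def parse_interfaces(config_text):
    """Return {interface: {"status": str, "allowaccess": set}} from a config backup."""
    interfaces, current, depth = {}, None, 0  # depth 0 = outside the interface table
    for line in config_text.splitlines():
        words = line.split()
        if not words:
            continue
        if depth == 0:
            if words[:3] == ["config", "system", "interface"]:
                depth = 1
        elif words[0] == "config":
            depth += 1                        # nested sub-table inside an entry
        elif words[0] == "end":
            depth -= 1
        elif depth == 1 and words[0] == "edit" and len(words) > 1:
            current = interfaces.setdefault(
                words[1].strip('"'), {"status": "up", "allowaccess": set()})
        elif depth == 1 and words[0] == "next":
            current = None
        elif depth == 1 and words[0] == "set" and current is not None and len(words) > 2:
            if words[1] == "allowaccess":
                current["allowaccess"] = {w.lower() for w in words[2:]}
            elif words[1] == "status":
                current["status"] = words[2].lower()
    return interfaces


def audit_interfaces(config_text, admin_port="port1", in_use=("port1",)):
    """Return (interface, finding) pairs for settings the hardening list warns about."""
    findings = []
    for name, iface in sorted(parse_interfaces(config_text).items()):
        if iface["status"] == "down":
            continue                          # a disabled interface accepts nothing
        access = iface["allowaccess"]
        if name not in in_use:
            findings.append((name, "unused-but-up"))
        findings += [(name, "cleartext:" + proto) for proto in sorted(access & CLEARTEXT)]
        if "ping" in access:
            findings.append((name, "ping-enabled"))
        if name != admin_port and access - {"ping"}:
            findings.append((name, "admin-access-off-management-port"))
    return findings


if __name__ == "__main__":
    used = ("port1", "port2", "port3")        # admin, Internet and cameras, as in the text
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_interfaces(text, "port1", used))
```

Pass the interfaces that are expected to carry traffic as in_use; anything else that is still up is reported.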
Operator access
• Authenticate users only over encrypted channels such as HTTPS. Authenticating over
non-secure channels such as Telnet or HTTP exposes the password to any eavesdropper.
For certificate-based server/FortiRecorder authentication, see “Replacing the default
certificate for the web UI”.
• Immediately revoke certificates that have been compromised. If possible, automate the
distribution of certificate revocation lists (see “Revoking certificates”).
Patches
• Upgrade to the latest available firmware to take advantage of new security features and
stability enhancements (see “Updating the firmware”).
Improving performance
When configuring your FortiRecorder appliance and its features, there are many settings and
practices that can yield better performance.
Video performance
Video performance is a combination of the video input (from the cameras) and the video output
(to the browser for live views and playback).
Input performance factors
• Peak number of cameras streaming to the NVR simultaneously
• The camera recording type (motion detection only or continuous)
• The camera resolution, frame rate, and image quality
Output performance factors
• Number of administrator/operator sessions
• Number of live camera views per administrator/operator session
• Peak number of simultaneous administrator/operator live views
Resolution has the largest impact on the overall NVR performance.
• Low resolution — n MB/s
• Medium resolution — 2n MB/s
• High resolution — 6n MB/s
In other words, high resolution video will generate 3 times as much raw data as the default,
medium resolution. Depending on how efficiently a specific raw stream can be compressed,
higher resolutions can multiply the bandwidth and/or disk space required per camera,
and per login session. For example, assuming a FortiCam 20A camera, the NVR can store on
its local hard drive about 36 days’ worth of high resolution video, but about 240 days’ worth of
low resolution video.
Degree of motion in the camera’s field of view also affects video performance. Constant and/or
extreme motion will result in larger files/streams, because the compression method cannot
encode it as efficiently. To improve compression, exclude areas of irrelevant motion such as
fans or blinking lights from the camera’s field of view.
For sizing guidelines and estimates on the amount of video that you will be able to store,
contact your reseller. Alternatively, expand your storage by configuring a network storage
location (see “Remote storage”).
System performance
• Delete or disable unused cameras. FortiRecorder allocates memory with each camera,
regardless of whether it is actually in active use. Configuring extra cameras will
unnecessarily consume memory and decrease performance.
• To reduce latency associated with DNS queries, use a DNS server on your local network as
your primary DNS. See “NVR configuration”.
Logging & alert performance
• If you have a FortiAnalyzer, store FortiRecorder’s logs on the FortiAnalyzer to avoid resource
usage associated with writing logs to FortiRecorder’s own hard disks. See “Configuring
logging”.
• If you do not need a log or alert, disable it to reduce the use of system resources. See
“Configuring logging”.
• Avoid recording log messages using low severity thresholds, such as information or
notification, to the local hard disk for an extended period of time. Excessive logging
saps system resources and can cause undue wear on the hard disk, which may
lead to premature failure. See “Configuring logging”.
Figure 8: Logs and Alerts > Log Setting > Local Log Settings
Packet capture performance
Packet capture can be useful for troubleshooting but can be resource intensive. (See “Packet
capture”.) To minimize the performance impact on your FortiRecorder appliance, use packet
capture only during periods of minimal traffic. Use a local console CLI connection rather than a
Telnet or SSH CLI connection, and be sure to stop the command when you are finished.
Regular backups
Make a backup before executing operations that can cause large configuration changes, such
as:
• Upgrading the firmware
• Running the CLI commands execute factoryreset or execute restore
• Clicking the Restore button in the System Information widget on the dashboard
To mitigate impact in the event of a network compromise, always password-encrypt your
backups. If your operating system does not support this feature, you can encrypt the file using
third-party software.
Once you have tested your basic installation and verified that it functions correctly, create a
backup. Aside from being an IT best practice, this “clean” backup can be used to:
• troubleshoot a non-functional configuration by comparing it with this functional baseline (via
a tool such as diff)
• rapidly restore your installation to a simple yet working point (see “Restoring a previous
configuration”)
• batch-configure FortiRecorder appliances by editing the file in a plain text editor, then
uploading the finalized configuration to multiple appliances (see “Restoring a previous
configuration”)
After you have a working deployment, back up the configuration again after any changes. This
will ensure that you can rapidly restore your configuration exactly to its previous state if a
change does not work as planned.
Configuration backups do not include backups of video data or logs. For information about
video backup, see “Remote storage”.
To back up the configuration
1. Log in to the web UI as the admin administrator.
Other administrator accounts do not have the required permissions.
2. Go to Monitor > System Status > Status.
3. In the System Information widget, in the System configuration row, click Backup.
If your browser prompts you, navigate to the folder where you want to save the configuration
file. Click Save.
Your browser downloads the configuration file. Time required varies by the size of the file and
the speed of your network connection, but could take several seconds. The default file name
is <hostname>_YYYYMMDD.conf, where hostname is defined when you configure the mail
server settings (see “Configuring FortiRecorder to send notification email”) and YYYYMMDD
is the timestamp of the backup.
See also
• Restoring a previous configuration
• Restoring firmware (“clean install”)
• Resetting the configuration
• Updating the firmware
Restoring a previous configuration
If you have downloaded configuration backups, you can upload one to revert the appliance’s
configuration to that point.
Uploading a configuration file can also be used to configure many features of the FortiRecorder
appliance in a single batch: download a configuration file backup, edit the file in a plain text
editor, then upload the finalized configuration.
To upload a configuration via the web UI
1. Go to Monitor > System Status > Status.
2. In the System Information widget, in the System configuration row, click Restore.
3. Choose a FortiRecorder configuration backup file. (It has a .conf file extension.)
4. Click Upload to start the restoration of the selected configuration.
Your web browser uploads the configuration file and the FortiRecorder appliance restarts
with the new configuration. Time required to restore varies by the size of the file and the
speed of your network connection. Your web UI session will be terminated when the
FortiRecorder appliance restarts.
5. To continue using the web UI, if you have not changed the IP address and static routes of the
web UI, simply refresh the web page and log in again.
Otherwise, to access the web UI again, in your web browser, modify the URL to match the
new IP address of the network interface.
For example, if you configured port1 with the IP address 10.10.10.5, you would browse to:
https://10.10.10.5
If the new IP address is on a different subnet than the previous IP address, and your
computer is directly connected to the FortiRecorder appliance, you may also need to modify
the IP address and subnet of your computer to match the FortiRecorder appliance’s new IP
address.
See also
• Regular backups
• Restoring firmware (“clean install”)
• Resetting the configuration
Troubleshooting
This topic provides guidelines to help you resolve issues if your FortiRecorder appliance is not
behaving as you expect.
Keep in mind that if you cannot resolve the issue on your own, you can contact Fortinet
Technical Support.
Solutions by issue type
Recommended solutions vary by the type of issue.
• Video viewing issues
• Snapshot notification issues
• Login issues
• Connectivity issues
• Resource issues
• Data storage issues
Fortinet also provides these resources:
• the Release Notes provided with your firmware
• Technical documentation (references, installation guides, and other documents)
• Knowledge base (technical support articles)
• Forums
• Online campus (tutorials and training materials)
Check within your organization. You can save time and effort during the troubleshooting
process by checking if other FortiRecorder administrators experienced a similar problem
before.
Video viewing issues
If you can connect to FortiRecorder, and your cameras can connect with your FortiRecorder,
but you cannot view video that is streamed or stored on FortiRecorder, first check that you have
installed software that can view live streams (which use RTP) and files (which use .mp4 format).
For requirements, see “Configuring video profiles” and “The notification window will be replaced
with a video clip player.”.
Different media players can interfere with each other. By default, some installers take file type
associations previously belonging to other players and re-assign them to the new software. If
you installed software to view downloaded video files, for example, and suddenly could no
longer view live video streams, you might need to fix the file associations for RTP and/or MP4.
If you have installed a suitable media player but still cannot view the video, try clicking the panel
arrows to hide and then show the panel again. For some Windows computers, this can solve
the problem. (This QuickTime issue does not affect Mac OS X computers.)
If this does not trigger the video to play, make sure that its codec software does not have any
conflicts, and is capable of displaying H.264 video. Media players’ codec plug-ins can come
from many sources, and if you have installed multiple codecs for the same format, display
problems can arise.
Live feed delay
Before QuickTime will begin playing a video stream, it must buffer a few seconds’ worth of data.
The time that QuickTime requires to do this may result in a few seconds’ difference between
what you see happening in the live video feed, and what is happening in reality now.
You can minimize this by:
• Changing the camera’s Resolution setting to the lowest acceptable resolution
• Improving the bandwidth and latency of your network
Video not being sent to the NVR
If the camera itself does not seem to be sending video to the NVR, although it has booted, has
network connectivity, and you have configured a recording schedule on the NVR, you may see
camera log messages such as:
Camera 'c1' is in an incorrect state: 'idle'. The expected state is
'continuous'.
Usually this is self-correcting. If not, or if a camera is otherwise unresponsive, reboot the
camera:
execute camera reboot <camera_name>
If this does not solve the problem, you can try either upgrading the camera’s firmware (see
“Upgrading/downgrading the camera firmware”) or resetting the camera to factory defaults,
then re-configuring it (see the camera’s QuickStart Guide).
Snapshot notification issues
If you are not receiving any email after motion detection records a clip, but you have configured
camera notifications, first verify that your FortiRecorder NVR’s SMTP email settings are correct,
and that it can connect to your email server to send email. Then check that notifications are not
being blocked or sent to your spam or junk mail folder. (Some anti-spam systems mistakenly
mark repeated or frequent email as spam.)
If you are receiving the email, and there are video links (that is, FortiRecorder has not been
configured to email still images — see “Notification configuration workflow”), but you cannot
view the video from the email:
1. Verify that you have installed the QuickTime video player software on your computer.
2. Verify that your computer can connect to the FortiRecorder NVR’s IP address. Unless you
have configured FortiRecorder with your public IP, this is a private network IP address,
and can only be reached when you are connected to your office’s network. It cannot
be viewed from the Internet. If you want to log in to the web UI and/or view video clips
while out of the office, you must configure port forwarding and/or a virtual IP (VIP) on your
firewall or Internet router, and configure the FortiRecorder NVR to link to this public IP
address in snapshot notifications.
If you are receiving too many notifications, change the configuration so that your FortiRecorder
NVR sends snapshot notifications only during suspicious periods, and focuses motion
detection only on areas that are free of sources of false alerts, such as fans or blinking lights.
Login issues
If the person cannot access the login page at all, it is usually a connectivity issue (see
“Connectivity issues”) unless all accounts are configured to accept login only from specific IP
addresses (see “Trusted hosts”) or authentication has been externalized to an LDAP or RADIUS
server.
If the person has lost or forgotten his or her password, the admin account can reset other
accounts’ passwords (see “Resetting passwords”).
When an administrator account cannot log in from a specific IP
If an administrator is entering his or her correct account name and password, but cannot log in
from some or all computers, examine that account’s trusted host definitions (see “Trusted
hosts”). It should include all locations where that person is allowed to log in, such as your office,
but should not be too broad.
Remote authentication query failures
If your network administrators’ or other accounts reside on an external server (e.g. Active
Directory or RADIUS), first switch the account to be locally defined on the FortiRecorder
appliance. If the local account fails, correct connectivity between the client and appliance (see
“Connectivity issues”). If the local account succeeds, troubleshoot connectivity between the
appliance and your authentication server. If routing exists but authentication still fails, you can
verify correct vendor-specific attributes and other protocol-specific fields by running a packet
trace (see “Packet capture”).
Resetting passwords
If someone has forgotten or lost his or her password, or if you need to change an account’s
password, the admin administrator can reset the password.
If you forget the password of the admin administrator, however, you will not be able to reset its
password through the web UI. You can either:
• reset the FortiRecorder NVR to its default state (including the default administrator account
and password) by restoring the firmware. For instructions, see “Restoring firmware (“clean
install”)”.
• connect to the local console, reboot the FortiRecorder NVR, and set the password (see “To
reset the admin account’s password”)
To reset an account’s password
1. Log in as the admin administrator account.
2. Go to System > User > User.
3. Click the row to select the account whose password you want to change.
4. Click Edit.
5. In the New Password and Confirm Password fields, type the new password.
6. Click OK.
The new password takes effect the next time that account logs in.
To reset the admin account’s password
To do this, you must either have direct physical, local access to the appliance, or have
connected it to your terminal server, which serves as an aggregator for direct physical
accesses. For security reasons, this cannot be done via the web UI nor via CLI through the
Ethernet network adapters.
1. Power off the FortiRecorder NVR.
2. Find the serial number of the FortiRecorder NVR.
This is usually on the bottom of the appliance. If you have previously registered the
appliance to associate it with your Fortinet Technical Support account, you can also retrieve
it from the web site.
3. On your computer, copy the serial number.
This is so that you are ready to quickly paste it into the terminal emulator. (Typing it slowly
may cause the login to time out.) The serial number is case sensitive.
4. While the appliance is shut down, connect the local console port of your appliance to your
computer.
5. On your management computer, start a terminal emulator such as PuTTY.
6. Power on the FortiRecorder NVR.
Power on self-test (POST) and other messages should begin to appear in the console.
7. Between 15 - 30 seconds after the login prompt appears, immediately enter:
maintainer
then enter:
bcpb<serial-number_str>
where <serial-number_str> is the serial number. (If you have copied it, in PuTTY, you
can right-click to quickly paste it, instead of typing it in. This will prevent the login from
timing out.)
If you are successful, the CLI will welcome you, and you can then enter the following
commands to reset the admin account’s password:
config system admin
edit admin
set password <new-password_str>
end
exit
where <new-password_str> is the password for the administrator account named admin.
If you do not enter both the correct user name and the password within the correct time
frame, the console will display an error message:
The hashed password length is invalid
To attempt the login again, power cycle the appliance.
Connectivity issues
One of your first tests when configuring a new device should be to determine whether video is
being received from your camera, and whether commands/schedules are being sent to it. You
should also test whether notification email can be sent, and accounts (administrators,
operators, etc.) can log in to the web UI and view live video feeds.
After initial setup, connectivity should not be interrupted. FortiRecorder may sometimes be able
to recover if, for example, a DHCP-addressed camera changes its IP. However this may result in
disruptions to recording, and camera log messages such as:
Camera 'c1' experienced an interruption that may result in a loss of recording.
If connections fail or perform erratically, check the following in order.
Troubleshooting is in order from more fundamental OSI layers of your network to the higher,
more application-specific. If you are not setting up a new network, you may prefer to start with
the more FortiRecorder-specific layers of your network, later in this section.
Checking hardware connections
If there is no traffic whatsoever arriving to the FortiRecorder appliance, even though the
configuration appears to be correct, it may be a hardware problem.
• Verify that the LEDs for the ports light to indicate firm electrical contact when you plug
network cables into the appliance. For LED indications, see your model’s QuickStart Guide.
• If the cable or its connector are loose or damaged, or you are unsure about the cable’s type
or quality, change it or test with a loopback jack.
If traffic ingresses and egresses but performance is not what you expect, verify that the MTU
matches other devices on your network.
If the hardware connections are functional and the appliance is powered on, but you cannot
connect — even using a local console connection to the CLI rather than a network connection
— you may be experiencing bootup problems. Contact Fortinet Technical Support.
Bringing up network interfaces
If the network interface was disabled, all connections will fail even though the cable has
connectivity physically.
If the network interface’s Status column is a red “down” arrow, its administrative status is
currently “down” and it will not receive or emit packets, even if you otherwise configure it. To
bring up the network interface, edit the Administrative status setting.
This Status column is not the detected physical link status; it is the administrative status that
indicates whether you permit the network interface to receive and/or transmit packets.
For example, if the cable is physically unplugged, diagnose netlink interface list port1
may indicate that the link is down, even though you have administratively enabled it by
Administrative status.
In the web UI, go to System > Network > Interface. If the status is down (a down arrow on red
circle), click Bring Up next to it in the Status column to bring up the link.
Alternatively you can enable an interface in CLI:
config system interface
edit port2
set status up
end
See also
• NVR configuration
Examining the ARP table
When connectivity cannot be established or is periodically interrupted, but hardware and link
status is not an issue, the first place to look is at a slightly higher layer in network connections:
the address resolution protocol (ARP) table. While most devices’ MAC address is bound to the
hardware at the manufacturer and not easily changed, some devices have configurable or
virtual MACs. In this case, you should make sure there is no conflict which could cause the IP to
resolve to a different network port whenever that other device is connected to your network.
Functioning ARP is especially important in high availability (HA) topologies. If changes in which
MAC address resolves to which IP address are not correctly propagated through your network,
failovers may not work.
To display the ARP table in the CLI, enter:
diagnose network arp list
Checking routing
If the MAC resolves correctly, but IP connectivity fails, try using ICMP (ping and traceroute)
to determine if the host is reachable, or to locate the point on your network at which
connectivity fails. You can do this from the FortiRecorder appliance using CLI commands.
IP layer connectivity fails when routes are incorrectly configured. Static routes direct traffic
exiting the FortiRecorder appliance — you can specify through which network interface a
packet will leave, and the IP address of a next-hop router that is reachable from that network
interface. Routers are aware of which IP addresses are reachable through various network
pathways, and can forward those packets along pathways capable of reaching the packets’
ultimate destinations. Your FortiRecorder itself does not need to know the full route, as long as
the routers can pass along the packet.
You must configure FortiRecorder with at least one static route that points to a router, often a
router that is the gateway to the Internet. You may need to configure multiple static routes if you
have multiple gateway routers (e.g. each of which should receive packets destined for a
different subset of IP addresses), redundant routers (e.g. redundant Internet/ISP links), or other
special routing cases.
However, often you will only need to configure one route: a default route.
For example, if a web server is directly attached to one physical port on the FortiRecorder, but
all other destinations, such as connecting clients, are located on distant networks, such as the
Internet, you might need to add only one route: a default route that indicates the gateway router
through which the FortiRecorder appliance can send traffic in the direction towards the Internet.
If your management computer is not directly attached to one of the physical ports of the
FortiRecorder appliance, you may also require a static route so that your management
computer is able to connect with the web UI and CLI.
To determine which route a packet will be subject to, FortiRecorder examines each packet’s
destination IP address and compares it to those of the static routes. It will forward the packet
along to the route with the largest prefix match, automatically egressing from the network
interface on that network. (Egress port for a route cannot be manually configured.)
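The largest-prefix-match rule described above, as an added Python example (not FortiRecorder code). The route table and gateway addresses are constructed, and select_route is a hypothetical helper that models only the prefix comparison.

```python
import ipaddress

# Constructed static routes (destination prefix, next-hop gateway).
# These are illustration values, not taken from a real appliance.
STATIC_ROUTES = [
    ("0.0.0.0/0", "172.16.1.1"),       # default route
    ("192.168.0.0/16", "172.16.1.3"),  # broad route to a group of subnets
    ("192.168.1.0/24", "172.16.1.2"),  # more specific route inside the /16
]


def select_route(dest, routes=STATIC_ROUTES):
    """Return (prefix, gateway) of the matching route with the longest prefix.

    Returns None when no route matches, which is what happens for off-subnet
    destinations when the default route is missing.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version:
            continue  # an IPv4 destination never matches an IPv6 route
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return None
    return (str(best[0]), best[1])


def routes_without_default(routes=STATIC_ROUTES):
    """Same table with the default route removed, to show the failure mode."""
    return [r for r in routes if ipaddress.ip_network(r[0]).prefixlen != 0]


if __name__ == "__main__":
    for dest in ("192.168.1.10", "192.168.7.7", "203.0.113.5"):
        print(dest, "->", select_route(dest))
    # With no default route, a destination outside every prefix has no route.
    print("203.0.113.5 (no default) ->",
          select_route("203.0.113.5", routes_without_default()))
```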
The ping command sends a small data packet to the destination and waits for a response. The
response has a timer that may expire, indicating that the destination is unreachable via ICMP.
ICMP is part of Layer 3 on the OSI Networking Model. ping sends Internet Control Message
Protocol (ICMP) ECHO_REQUEST packets to the destination, and listens for ECHO_RESPONSE
packets in reply. Beyond basic existence of a possible route between the source and
destination, ping tells you the amount of packet loss (if any), how long it takes the packet to
make the round trip (latency), and the variation in that time from packet to packet (jitter).
Similarly, traceroute sends ICMP packets to test each hop along the route. It sends three
packets to the destination, and then increases the time to live (TTL) setting by one, and sends
another three packets to the destination. As the TTL increases, packets go one hop farther
along the route until they reach the destination.
Most traceroute commands display their maximum hop count — that is, the maximum
number of steps it will take before declaring the destination unreachable — before they start
tracing the route. The TTL setting may result in routers or firewalls along the route timing out due
to high latency. If you specify the destination using a domain name, the traceroute output
can also indicate DNS problems, such as an inability to connect to a DNS server.
By default, FortiRecorder appliances will respond to ping and traceroute. However, if
FortiRecorder does not respond, and there are no firewall policies that block it, ICMP type 0
(ECHO_RESPONSE or “pong”) might be effectively disabled. By default, traceroute uses
UDP with destination ports numbered from 33434 to 33534. The traceroute utility usually has an
option to specify use of ICMP ECHO_REQUEST (type 8) instead, as used by the Windows
tracert utility. If you have a firewall and you want traceroute to work from both machines
(Unix-like systems and Windows) you will need to allow both protocols inbound through your
firewall (UDP ports 33434 - 33534 and ICMP type 8).
Some networks block ICMP packets because they can be used in a ping flood or denial of
service (DoS) attack if the network does not have anti-DoS capabilities, or because ping can
be used by an attacker to find potential targets on the network.
To enable ping & traceroute responses from FortiRecorder
1. Go to System > Network > Interface.
To access this part of the web UI, you must have Read and Write permission in your
administrator's account access profile to items in the Router Configuration category.
2. In the row for the network interface which you want to respond to ICMP type 8
(ECHO_REQUEST) for ping and UDP for traceroute, click Edit.
A dialog appears.
3. Enable PING.
Disabling PING only prevents FortiRecorder from receiving ICMP type 8 (ECHO_REQUEST) and
traceroute-related UDP.
It does not disable FortiRecorder CLI commands such as execute ping or execute
traceroute that send such traffic.
Since you typically use these tools only during troubleshooting, you can allow ICMP, the
protocol used by these tools, on interfaces only when you need them. Otherwise, disable ICMP
for improved security and performance.
4. Click OK.
The appliance should now respond when another device such as your management
computer sends a ping or traceroute to that network interface.
To verify routes between cameras & your FortiRecorder
1. Use FortiRecorder’s execute ping command with the camera’s IP address to verify that a
route exists between the two.
2. If possible, temporarily connect a computer at the camera’s usual physical location, using
the camera’s usual IP address, so that you can use its ping command to test traffic
movement along the path in both directions: from the location of the camera (temporarily, the
computer) to the FortiRecorder, and the FortiRecorder to the camera.
In networks using features such as asymmetric routing, routing success in one direction does
not guarantee success in the other.
If the routing test succeeds, continue with step 4.
Connectivity via ICMP only proves that a route exists. It does not prove that connectivity also
exists via other protocols at other layers such as HTTP.
If ping shows some packet loss, investigate:
• cabling to eliminate loose connections
• ECMP, split horizon, or network loops
• dynamic routing such as OSPF
• all equipment between the ICMP source and destination to minimize hops
If the routing test fails, and ping shows total packet loss:
• verify cabling to eliminate loose connections
• continue to the next step
Both ping and traceroute require that network nodes respond to ICMP. If you have disabled
responses to ICMP on your network, hosts may appear to be unreachable to ping and
traceroute, even if connections using other protocols can succeed.
For example, you might use ping to determine that 172.16.1.10 is reachable:
FortiRecorder-200D# execute ping 172.16.1.10
PING 172.16.1.10 (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=64 time=2.4 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=64 time=0.8 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=64 time=1.4 ms
--- 172.20.120.167 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/1.4/2.4 ms
or that 192.168.1.10 is not reachable:
FortiRecorder-200D# execute ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
Timeout ...
Timeout ...
Timeout ...
Timeout ...
Timeout ...
--- 192.168.1.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
3. Use the tracert or traceroute command on both the camera (temporarily, the
computer) and FortiRecorder to locate the point of failure along the route, the router hop or
host at which the connection fails. For example, if it fails at the second hop, you might see:
FortiRecorder-200D# execute traceroute 192.168.1.10
traceroute to 192.168.1.10 (192.168.1.10), 32 hops max, 72 byte packets
1 192.168.1.2 2 ms 0 ms 1 ms
2 * * *
Each line lists the routing hop number, the IP address and FQDN (if any) of that hop, and the
3 response times from that hop. Typically a value of <1ms indicates a local router. The
asterisks ( * ) indicate no response from that hop in the network routing.
If the route is broken when it reaches the FortiRecorder, first examine its network interfaces
and routes. To display network interface addresses and subnets, enter:
FortiRecorder-200D# show system interface
To display all recently-used routes (the routing table cache) with their priorities, enter:
FortiRecorder-200D# diagnose netlink rtcache list
The index number of the route in the list of static routes in the web UI is not necessarily the
same as its position in the cached routing table (diagnose netlink rtcache list).
You may need to verify that there are no misconfigured DNS records, and otherwise rule out
problems at the physical, network, and transport layer.
If these tests succeed, a route exists, but you cannot receive video feeds or use
FortiRecorder to update the camera’s network settings, an application-layer problem is
preventing connectivity.
4. For application-layer problems, on the FortiRecorder, examine the:
• camera network settings (these may have become out-of-sync if you modified them while
the camera was disabled)
• certificates (if connecting via HTTPS)
On routers and firewalls between the host and the FortiRecorder appliance, verify that they
permit HTTP, HTTPS, and RTP connectivity between them.
Relatedly, if the computer’s DNS query cannot resolve the host name, output similar to the
following appears:
example.lab: Name or service not known
Cannot handle "host" cmdline arg `example.lab' on position 1 (argc 1)
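The ping and traceroute checks from the procedure above, as an added Python example (not part of the guide or of FortiRecorder). The sample text is constructed in the layout of the guide's execute ping and execute traceroute output, and ping_summary and first_silent_hop are hypothetical helper names.

```python
import re

# Constructed samples in the layout of the guide's CLI output.
PING_OK = """\
PING 172.16.1.10 (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=64 time=2.4 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=64 time=0.8 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=64 time=1.4 ms
--- 172.16.1.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
"""

PING_TIMEOUT = """\
PING 192.168.1.10 (192.168.1.10): 56 data bytes
Timeout ...
Timeout ...
--- 192.168.1.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
"""

TRACEROUTE = """\
traceroute to 192.168.1.10 (192.168.1.10), 32 hops max, 72 byte packets
 1  192.168.1.2  2 ms  0 ms  1 ms
 2  * * *
"""


def ping_summary(text):
    """Loss, jitter and a verdict matching the three cases in the procedure."""
    m = re.search(r"(\d+) packets transmitted, (\d+) packets received", text)
    if not m:
        raise ValueError("no ping statistics line found")
    sent, received = int(m.group(1)), int(m.group(2))
    rtts = [float(x) for x in re.findall(r"time=([\d.]+) ms", text)]
    loss_pct = 100.0 * (sent - received) / sent if sent else 100.0
    # Jitter here is the mean absolute difference between consecutive RTTs.
    jitter = None
    if len(rtts) > 1:
        diffs = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
        jitter = round(sum(diffs) / len(diffs), 2)
    if received == 0:
        verdict = "total-loss"    # check cabling, then run traceroute
    elif received < sent:
        verdict = "partial-loss"  # check cabling, ECMP/loops, dynamic routing
    else:
        verdict = "reachable"     # a route exists; other protocols unproven
    return {"sent": sent, "received": received, "loss_pct": loss_pct,
            "jitter_ms": jitter, "verdict": verdict}


def first_silent_hop(text):
    """Find the first hop whose probes all went unanswered ('* * *').

    A silent hop is only a starting point: a node that does not respond to
    ICMP looks the same as a broken one.
    """
    last_responding = None
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.+)$", line)
        if not m:
            continue  # banner line or blank line
        hop, fields = int(m.group(1)), m.group(2).split()
        if all(f == "*" for f in fields):
            return {"silent_hop": hop, "last_responding": last_responding}
        last_responding = (hop, fields[0])
    return {"silent_hop": None, "last_responding": last_responding}


if __name__ == "__main__":
    print(ping_summary(PING_OK))
    print(ping_summary(PING_TIMEOUT))
    print(first_silent_hop(TRACEROUTE))
```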
See also
• NVR configuration
Facilitating discovery
Discovery of the cameras by the FortiRecorder NVR uses mDNS. For it to work, cameras
usually must be on the same IP subnet as the NVR, and must not be impeded by firewalls or
other network filtering. If cameras are not on the same subnet, you may still be able to facilitate
discovery traffic by configuring your FortiGate or other device with multicast forwarding.
If you do not know which device is impeding discovery, you can either:
• Temporarily attach the cameras to a closer point on the network, such as a local switch or
directly to the FortiRecorder NVR, so that discovery is not blocked.
• Manually add the camera to the FortiRecorder NVR’s list of known cameras, skipping
discovery. (Some behavior may differ. For example,
DHCP issues
The FortiRecorder appliance has a built-in DHCP server. By default, it is disabled.
If you enable it and your network has another DHCP server (e.g. your ISP’s cable modem, a
router, or a Windows or Linux server), verify that:
• both are not serving requests on the same network segment (which could create a race
condition)
• both are not using the same pool of IP addresses (which could lead to IP address conflicts
— see “Resolving IP address conflicts”)
To verify that your appliance and cameras are sending and receiving lease requests, you can
perform a packet trace (see “Packet capture”) and/or use the event log to look for:
• DHCPDISCOVER (destination IP is broadcast, not FortiRecorder’s)
• DHCPOFFER
• DHCPREQUEST
• DHCPACK
Unauthorized DHCP clients or DHCP pool exhaustion
Typically returning DHCP clients will receive the same IP address lease. However if computers
or other devices are accidentally using IP addresses that the FortiRecorder NVR’s built-in DHCP
server should be allocating to cameras, and the pool of available DHCP IP addresses becomes
exhausted, cameras may be unable to get or retain an IP address.
To determine which devices are using your pool of DHCP IP addresses, compare the MAC
address of each device’s network adapter to the list of current DHCP clients in Monitor >
DHCP Status > DHCP or enter this command in the CLI:
execute dhcp lease-list
Output will resemble the following:
port3
IP               MAC-Address        VCI          Expiry
192.168.200.100  20:10:7a:5a:28:d1  udhcp 0.9.8  Thu Oct 4 15:01:22 2013
192.168.200.101  20:10:7a:5a:29:38  udhcp 0.9.8  Wed Oct 3 11:17:12 2013
To correct this situation, first configure unintentional DHCP clients so that they do not use
DHCP (that is, they have a static IP address) and so their IP address is not in the range used by
the DHCP pool. Second, clear the list of DHCP clients to allow legitimate DHCP clients (your
cameras) to obtain a lease:
execute dhcp clear-lease
New clients that were previously unable to get an IP address will obtain an IP address for the
first time. Returning clients’ IP addresses may change as the built-in DHCP server no longer
has any memory of their previous lease, and may assign them a new IP address if another client
has claimed that IP address first. (This may result in temporary IP address conflicts and
therefore connectivity interruptions while the DHCP server assigns new leases.)
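The MAC comparison described above, as an added Python example (not part of the guide or of FortiRecorder). It assumes one lease per line in the column order IP, MAC-Address, VCI, Expiry; the third lease, the camera inventory and the pool range are constructed, and parse_leases and audit_leases are hypothetical helper names.

```python
import ipaddress
import re

# Lease list in the guide's column order. The first two leases are the
# guide's sample; the third is constructed to represent a non-camera client.
SAMPLE_OUTPUT = """\
port3
IP               MAC-Address        VCI          Expiry
192.168.200.100  20:10:7a:5a:28:d1  udhcp 0.9.8  Thu Oct  4 15:01:22 2013
192.168.200.101  20:10:7a:5a:29:38  udhcp 0.9.8  Wed Oct  3 11:17:12 2013
192.168.200.102  00:00:5e:00:53:2a  MSFT 5.0     Thu Oct  4 16:40:05 2013
"""

# Constructed inventory of camera MAC addresses and DHCP pool bounds.
KNOWN_CAMERA_MACS = {"20:10:7A:5A:28:D1", "20:10:7a:5a:29:38"}
POOL_FIRST, POOL_LAST = "192.168.200.100", "192.168.200.102"

LEASE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
    r"(?:\s+(?P<vci>.*?))?\s+"                       # VCI may be empty
    r"(?P<expiry>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s.+)$"
)


def parse_leases(text):
    """Parse lease lines, tracking the interface heading they appear under."""
    leases, iface = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LEASE_RE.match(line)
        if m:
            leases.append({
                "iface": iface,
                "ip": m["ip"],
                "mac": m["mac"].lower(),
                "vci": (m["vci"] or "").strip(),
                "expiry": " ".join(m["expiry"].split()),
            })
        elif re.fullmatch(r"\S+", line):
            iface = line  # a single token such as "port3" starts a new section
        # anything else (the column header) is ignored
    return leases


def audit_leases(leases, known_macs, pool_first, pool_last):
    """Flag leases held by MACs outside the inventory and report pool usage."""
    known = {m.lower() for m in known_macs}
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    pool_size = int(last) - int(first) + 1
    used = {l["ip"] for l in leases
            if first <= ipaddress.ip_address(l["ip"]) <= last}
    unknown = [l for l in leases if l["mac"] not in known]
    return {"unknown": unknown, "pool_size": pool_size,
            "pool_used": len(used), "pool_free": pool_size - len(used)}


if __name__ == "__main__":
    report = audit_leases(parse_leases(SAMPLE_OUTPUT), KNOWN_CAMERA_MACS,
                          POOL_FIRST, POOL_LAST)
    for lease in report["unknown"]:
        print("not a known camera:", lease["ip"], lease["mac"], lease["vci"])
    print("pool free:", report["pool_free"], "of", report["pool_size"])
```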
See also
• Configuring the DHCP server
Establishing IP sessions
If a route exists, but there appears to be a problem establishing or maintaining TCP or IP-layer
sessions between FortiRecorder and a computer or camera on your IP network, there are
multiple possible causes, such as:
• Trusted hosts
• protocols/port numbers mismatched or blocked by NAT or firewalls
• IP address conflicts
• short DHCP leases (Lease time (Seconds) in “Configuring the DHCP server”)
• socket exhaustion
You can view a snapshot of FortiRecorder’s session table according to the IP layer. Go to
Monitor > System Status > Sessions.
Table 9: IP session table
GUI item: Description
Protocol: The protocol of the session according to the “protocol” ID number field
(or, for IPv6, “next header”) in the IP header of the packets.
• icmp — 1 (Due to the speed of ICMP messages, this will almost
never be seen in the session list.)
• tcp — 6
• udp — 17 (Due to the speed of UDP datagrams, this may be seen
in the session list only rarely.)
From IP: The source of the session according to the source field in the IP header. If
source NAT is occurring, this is not necessarily the IP in the original
frame from the client.
From Port: The source port number.
For a list of port numbers that can originate from the FortiRecorder
NVR, see “Appendix A: Port numbers”.
To IP: The destination according to the destination field in the IP header. If
destination NAT is occurring, this is not necessarily the IP in the
original frame from the client.
To Port: The destination port number.
For a list of port numbers that can be received by the FortiRecorder
NVR, see “Appendix A: Port numbers”.
Expire (secs): The session timeout in seconds. The expiry counter is reset when
packets are sent or received, indicating that the session is still active.
To refresh the session list snapshot with the most current list, click the dotted circle (Refresh)
icon to the left of Records per page.
To sort the session list based upon the contents of a column, hover your mouse cursor over the
column’s heading then click the arrow that appears on the right side of the heading, and select
either Sort Ascending or Sort Descending.
If you expect sessions that do not exist, be aware that some protocol designs (notably
UDP) do not feature persistent sessions. Their sessions will almost immediately expire and be
removed from the session list, and therefore it may be very difficult to capture a session list
snapshot during the brief moment that the datagram is being transmitted. TCP features
persistent connections, where the socket is maintained until the data transmission either is
confirmed to be finished or times out, and therefore TCP connections will persist in the session
table for a much longer time.
If you still do not see the sessions that you expect, verify that your firewall or router allows traffic
to or from those IP addresses, on all expected source and destination port numbers (see
“Appendix A: Port numbers”).
If you see sessions with the FortiRecorder web UI or CLI that should not be allowed to exist, be
sure to configure all accounts’ Trusted hosts setting.
See also
• NVR configuration
• User management
Resolving IP address conflicts
If two or more devices are configured to use the same IP address on your network, this will
cause a problem called an IP address conflict. Only one of those identically addressed devices
can have IP-layer connectivity at a given time. The other will be ignored, effectively causing it to
behave as if it were disconnected. (If multiple devices were to use the same IP address, routers
and switches would not be able to determine with certainty where to deliver a packet destined
for that IP address. To prevent this, routers and switches will only let one of the devices use the
IP.)
Typically IP conflicts are caused when either:
• you have accidentally configured 2 devices with the same static IP address
• you have accidentally configured a device with a static IP address that belongs to the DHCP
pool
• 2 DHCP servers accidentally have pools in the same range of IP addresses, and are each
independently assigning their clients the same IPs
Your cameras, of course, have no screen, and cannot display any IP address conflict error
message. However, you may notice symptoms such as interrupted video streams whenever a
new device connects to the network or reboots.
If you have configured your FortiRecorder NVR’s built-in DHCP server, first verify that it is not
using the same DHCP pool as another DHCP server on your network. Next, you can use the CLI
to determine whether MAC addresses from other devices’ network adapters have stolen IP
addresses that should belong to your cameras. See “Unauthorized DHCP clients or DHCP pool
exhaustion”. If, however, you have transitioned your cameras to use static IP addresses, you
must use another method.
• Use the ARP table of either your FortiRecorder NVR (see “Examining the ARP table”) or
router to determine which MAC address (and therefore which computer/device’s network
adapter) has taken the IP address.
• If a computer is using the same IP address as another device, such as your cameras, it may
periodically complain of an IP address conflict. This computer may be the source of the
conflict.
Once you have found the source of the problem, configure that computer or device to use a
unique IP address that is not used by any other device on your network.
See also
• Configuring the DHCP server
Packet capture
Packet capture, also known as sniffing, packet trace, or packet analysis, records some or all of
the packets seen by a network interface (that is, the network interface is used in promiscuous
mode). By recording packets, you can trace TCP connection states and HTTP request
transactions to the exact point at which they fail, which may help you to diagnose some types of
problems that are otherwise difficult to detect, such as malformed packets, differentiated
services misconfiguration, or non-RFC protocol incompatibilities.
Packet capture can be very resource intensive. To minimize the performance impact on your
FortiRecorder appliance, use packet capture only during periods of minimal traffic, with a local
console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the
command when you are finished.
FortiRecorder appliances have a built-in sniffer. Packet capture on FortiRecorder appliances is
similar to that of FortiGate appliances. To use the built-in sniffer, connect to the CLI and enter
the following command:
diagnose sniffer packet [{any | <interface_name>}
[{none | '<filter_str>'} [{1 | 2 | 3 | 4 | 5 | 6} [<packets_int>
[{a | <any_str>}]]]]]
where:
• <interface_name> is either the name of a network interface, such as port1, or enter any
for all interfaces. If you omit this and the following parameters for the command, the
command captures all packets on all network interfaces.
• '<filter_str>' is the sniffer filter that specifies which protocols and port numbers that
you do or do not want to capture, such as 'tcp port 80', or enter none for no filters.
Filters use tcpdump syntax.
• <packets_int> is the number of packets the sniffer reads before stopping. Packet
capture output is printed to your CLI display until you stop it by pressing Ctrl+C, or until it
reaches the number of packets that you have specified to capture.
• {a | <any_str>} is either a (to include an absolute, full UTC timestamp in the format
yyyy-mm-dd hh:mm:ss.ms), or any other text (to include a timestamp that is the amount of
time since the start of the packet capture, in the format ss.ms)
• {1 | 2 | 3 | 4 | 5 | 6} is an integer indicating whether to display the network
interface names, packet headers, and/or payloads for each packet that the network interface
sends, receives, or sees:
• 1 — Display the packet capture timestamp, plus basic fields of the IP header: the source
IP address, the destination IP address, protocol name, and destination port number.
Does not display all fields of the IP header; it omits:
• IP version number bits
• Internet header length (ihl)
• type of service/differentiated services code point (tos)
• explicit congestion notification
• total packet or fragment length
• packet ID
• IP header checksum
• time to live (TTL)
• IP flag
• fragment offset
• options bits
e.g.:
interfaces=[port2]
filters=[none]
0.655224 172.20.130.16.2264 -> 172.20.130.15.42574: udp 113
• 2 — All of the output from 1, plus the packet payload in both hexadecimal and ASCII.
e.g.:
interfaces=[port2]
filters=[none]
0.915616 172.20.130.16.2264 -> 172.20.130.15.42574: udp 124
0x0000   4500 0098 d27d 4000 4011 0b8f ac14 8210   E....}@.@.......
0x0010   ac14 820f 08d8 a64e 0084 b75a 80e0 3dee   .......N...Z..=.
0x0020   71b8 d617 38fa 3fd8 419b 5006 053c 99c1   q...8.?.A.P..<..
0x0030   e961 93bc 21c9 3197 a030 a709 76dc 0ed8   .a..!.1..0..v...
0x0040   98f8 ceef 6afb e7f2 7773 98e1 5ef7 bfbf   ....j...ws..^...
0x0050   2f0d 726f 70cf 26cd d986 392f 4a0b f97b   /.rop.&...9/J..{
0x0060   b84f 932d 3043 cbdd c2dc da77 0b73 70fc   .O.-0C.....w.sp.
0x0070   158a 1868 eee0 793b c09e 7dc0 59f5 787c   ...h..y;..}.Y.x|
0x0080   fc1a f25a dc18 735d f090 8e05 c3e8 c14f   ...Z..s].......O
0x0090   3466 57c0 4688 58b8                       4fW.F.X.
• 3 — All of the output from 2, plus the link layer (Ethernet) header. e.g.:
interfaces=[port2]
filters=[none]
0.317960 172.20.130.16.2264 -> 172.20.130.15.42574: udp 31
0x0000   50e5 49e8 dc3d 000f 7c08 2ff5 0800 4500   P.I..=..|./...E.
0x0010   003b 2cad 4000 4011 b1bc ac14 8210 ac14   .;,.@.@.........
0x0020   820f 08d8 a64e 0027 ea3c 80e0 981e 7474   .....N.'.<....tt
0x0030   6ddf 38fa 3fd8 419b 6e06 00f0 8dd5 e01d   m.8.?.A.n.......
0x0040   810a e049 e5e9 380a f8                    ...I..8..
• 4 — All of the output from 1, plus the network interface name. This can be necessary if
you are capturing packets from multiple network interfaces at once, and need to know
which packet was seen by which interface. e.g.:
interfaces=[port2]
filters=[none]
0.918575 port2 -- 172.20.130.16.2264 -> 172.20.130.15.42574: udp 38
• 5 — All of the output from 2, plus the network interface name. e.g.:
interfaces=[port2]
filters=[none]
0.508965 port2 -- 172.20.130.16.2265 -> 172.20.130.15.42575: udp 44
0x0000   4500 0048 03ab 4000 4011 dab1 ac14 8210   E..H..@.@.......
0x0010   ac14 820f 08d9 a64f 0034 df2e 80c8 0006   .......O.4......
0x0020   38fa 3fd8 d39f 1ee5 7597 80ba 75f0 bb05   8.?.....u...u...
0x0030   0000 3064 0831 856b 81ca 0003 38fa 3fd8   ..0d.1.k....8.?.
0x0040   0105 6c6f 6262 7900                       ..lobby.
• 6 — All of the output from 3, plus the network interface name. e.g.:
interfaces=[port2]
filters=[none]
0.169046 port2 -- 172.20.130.16.2268 -> 172.20.130.15.35552: udp 46
0x0000   50e5 49e8 dc3d 000f 7c08 2ff5 0800 4500   P.I..=..|./...E.
0x0010   004a 8989 4000 4011 54d1 ac14 8210 ac14   .J..@.@.T.......
0x0020   820f 08dc 8ae0 0036 43eb 80e0 590e 5ad4   .......6C...Y.Z.
0x0030   6e1a 53b4 db17 419b d006 02bd e02d f92e   n.S...A......-..
0x0040   f809 35ac 020e f4a0 3ac4 7097 7cd9 01b3   ..5.....:.p.|...
0x0050   cdd5 42dc 9e6c 0ec0                       ..B..l..
For example, you might capture all TCP port 443 (typically HTTPS) traffic occurring through
port1, regardless of its source or destination IP address. The capture uses a high level of
verbosity (indicated by 3).
A specific number of packets to capture is not specified. As a result, the packet capture
continues until the administrator presses Ctrl+C. The sniffer then confirms that five packets
were seen by that network interface.
(Verbose output can be very long. As a result, output shown below is truncated after only one
packet.)
FortiRecorder# diagnose sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000   0009 0f09 0001 0009 0f89 2914 0800 4500   ..........)...E.
0x0010   003c 73d1 4000 4006 3bc6 d157 fede ac16   .<s.@.@.;..W....
0x0020   0ed8 c442 01bb 2d66 d8d2 0000 0000 a002   ...B..-f........
0x0030   16d0 4f72 0000 0204 05b4 0402 080a 03ab   ..Or............
0x0040   86bb 0000 0000 0103 0303                  ..........
Instead of reading packet capture output directly in your CLI display, you usually should save
the output to a plain text file using your CLI client. Saving the output provides several
advantages. Packets can arrive more rapidly than you may be able to read them in the buffer of
your CLI display, and many protocols transfer data using encodings other than US-ASCII. It is
often, but not always, preferable to analyze the output by loading it into a network protocol
analyzer application such as Wireshark (http://www.wireshark.org/).
For example, you could use PuTTY or Microsoft HyperTerminal to save the sniffer output to a
file. Methods may vary. See the documentation for your CLI client.
Requirements
• terminal emulation software such as PuTTY
• a plain text editor such as Notepad
• a Perl interpreter
• network protocol analyzer software such as Wireshark
To view packet capture output using PuTTY and Wireshark
1. On your management computer, start PuTTY.
2. Use PuTTY to connect to the FortiRecorder appliance using either a local console, SSH, or
Telnet connection.
3. Type the packet capture command, such as:
diag sniffer packet port1 'src host 10.0.0.1 and tcp port 443' 3
but do not press Enter yet.
4. In the upper left corner of the window, click the PuTTY icon to open its drop-down menu,
then select Change Settings.
A dialog appears where you can configure PuTTY to save output to a plain text file.
5. In the Category tree on the left, go to Session > Logging.
6. In Session logging, select Printable output.
7. In Log file name, click the Browse button, then choose a directory path and file name such
as C:\Users\MyAccount\packet_capture.txt to save the packet capture to a plain
text file. (You do not need to save it with the .log file extension.)
8. Click Apply.
9. Press Enter to send the CLI command to the FortiRecorder appliance, beginning packet
capture.
10. If you have not specified a number of packets to capture, when you have captured all
packets that you want to analyze, press Ctrl + C to stop the capture.
11. Close the PuTTY window.
12. Open the packet capture file using a plain text editor such as Notepad.
13. Delete the first and last lines, which look like this:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
FortiRecorder-200 #
These lines are a PuTTY timestamp and a command prompt, which are not part of the
packet capture. If you do not delete them, they could interfere with the script in the next
step.
14. Convert the plain text file to a format recognizable by your network protocol analyzer
application.
You can convert the plain text file to a format (.pcap) recognizable by Wireshark (formerly
called Ethereal) using the fgt2eth.pl Perl script. To download fgt2eth.pl, see the Fortinet
Knowledge Base article Using the FortiOS built-in packet sniffer.
The fgt2eth.pl script is provided as-is, without any implied warranty or technical support, and
requires that you first install a Perl module compatible with your operating system.
To use fgt2eth.pl, open a command prompt. Methods to open a command prompt vary by
operating system:
On Windows XP, go to Start > Run and enter cmd.
On Windows 7, click the Start (Windows logo) menu to open it, then enter cmd.
Then enter a command such as the following:
fgt2eth.pl -in packet_capture.txt -out packet_capture.pcap
where:
• fgt2eth.pl is the name of the conversion script; include the path relative to the current
directory, which is indicated by the command prompt
• packet_capture.txt is the name of the packet capture’s output file; include the
directory path relative to your current directory
• packet_capture.pcap is the name of the conversion script’s output file; include the
directory path relative to your current directory where you want the converted output to
be saved
Figure 9: Converting sniffer output to .pcap format
15. Open the converted file in your network protocol analyzer application. For further
instructions, see the documentation for that application.
Figure 10: Viewing sniffer output in Wireshark
For additional information on packet capture, see the Fortinet Knowledge Base article Using
the FortiOS built-in packet sniffer.
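The conversion in step 14 can be illustrated with a short parser. This is an added example, not Fortinet's fgt2eth.pl: it reads sniffer text captured at verbosity 3 or 6 and builds a .pcap, skipping any packet whose dump has lost a line. The function names, the assumed column separator (a tab or at least two spaces before the ASCII column), and the second, incomplete packet in the sample are constructed for illustration.

```python
import io
import re
import struct
import sys
from datetime import datetime, timezone

LINKTYPE_ETHERNET = 1   # verbosity 3 or 6: each dump starts at the Ethernet header
LINKTYPE_RAW = 101      # verbosity 2 or 5: each dump starts at the IP header

# A packet opens with a summary line stamped "ss.ms" (relative) or
# "yyyy-mm-dd hh:mm:ss.ms" (absolute, UTC).
REL_TS = re.compile(r"^(\d+)\.(\d{1,6})\s+\S")
ABS_TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.(\d{1,6})\s+\S")
# Dump line: offset, up to 8 groups of 4 hex digits (plus an odd last byte), then
# the ASCII column. Assumption: a tab or 2+ spaces precede the ASCII column, so
# it cannot be read as hex on a short final line.
HEX_LINE = re.compile(
    r"^0x([0-9a-f]{4})\s+((?:[0-9a-f]{4} ?){0,8}(?:[0-9a-f]{2})?)(?:\s+.*)?$", re.I)

# Sample input. The first packet is the verbosity-3 example from the text above,
# wrapped in a PuTTY banner and prompts. The second packet is constructed and
# lacks its 0x0010 line, as when the terminal drops output.
SAMPLE = """\
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.07.25 11:34:40 =~=~=~=~=~=~=~=~=~=~=~=
FortiRecorder# diagnose sniffer packet port1 'tcp port 443' 3
interfaces=[port1]
filters=[tcp port 443]
10.651905 192.168.0.1.50242 -> 192.168.0.2.443: syn 761714898
0x0000   0009 0f09 0001 0009 0f89 2914 0800 4500   ..........)...E.
0x0010   003c 73d1 4000 4006 3bc6 d157 fede ac16   .<s.@.@.;..W....
0x0020   0ed8 c442 01bb 2d66 d8d2 0000 0000 a002   ...B..-f........
0x0030   16d0 4f72 0000 0204 05b4 0402 080a 03ab   ..Or............
0x0040   86bb 0000 0000 0103 0303                  ..........
10.652301 192.168.0.2.443 -> 192.168.0.1.50242: syn 1 ack 761714899
0x0000   0009 0f89 2914 0009 0f09 0001 0800 4500   ......).......E.
0x0020   01bb c442 0000 0001 2d66 d8d3 a012 16a0   ...B....-f......
FortiRecorder-200 #
"""


def parse_timestamp(line):
    """Return (sec, usec) if the line opens a packet, otherwise None."""
    m = ABS_TS.match(line)
    if m:
        dt = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        sec = int(dt.replace(tzinfo=timezone.utc).timestamp())
    else:
        m = REL_TS.match(line)
        if not m:
            return None
        sec = int(m.group(1))
    return sec, int(m.group(2).ljust(6, "0"))


def parse_sniffer_text(text):
    """Return (packets, skipped); packets is a list of (sec, usec, frame_bytes)."""
    found = []                      # one [timestamp, frame, intact] entry per packet
    for raw in text.splitlines():
        line = raw.strip()
        ts = parse_timestamp(line)
        if ts is not None:
            found.append([ts, bytearray(), True])
            continue
        m = HEX_LINE.match(line)
        if m and found:
            pkt = found[-1]
            # The offset must equal the bytes collected so far. A gap means a
            # dump line was lost, so the frame is discarded rather than padded.
            if int(m.group(1), 16) != len(pkt[1]):
                pkt[2] = False
            else:
                pkt[1] += bytes.fromhex(m.group(2).replace(" ", ""))
        # Any other line (PuTTY banner, prompt, interfaces=/filters=) is ignored.
    packets = [(ts[0], ts[1], bytes(f)) for ts, f, ok in found if ok and f]
    return packets, len(found) - len(packets)


def build_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Serialize packets as a classic little-endian pcap file image."""
    out = io.BytesIO()
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type.
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, frame in packets:
        out.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


if __name__ == "__main__":
    # Optional arguments: input text file, then output .pcap file.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    packets, skipped = parse_sniffer_text(text)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as fh:
            fh.write(build_pcap(packets))
    print(f"{len(packets)} packet(s) converted, {skipped} skipped")
```

Because the parser ignores every line that is neither a packet summary nor a dump line, the PuTTY banner and prompt do not have to be deleted by hand for this example.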
Resource issues
If the system resource usage appears to be abnormally high according to the System Resource
widget on the dashboard or the CLI command:
get system status
you can view the current consumption by each process by entering this CLI command:
diagnose system top 10
The above command generates a list of processes every 10 seconds. It includes the process
names, their process ID (pid), status, CPU usage, and memory usage.
The report continues to refresh and display in the CLI until you press q (quit).
Once you locate an offending PID, you can terminate it:
diagnose system kill 9 <pid_int>
If the issue recurs, and corresponds with a hardware or configuration change, you may need to
change the configuration (especially frequent logging and high resolution video streams),
reduce traffic load, or contact Fortinet Technical Support to prevent the issue from recurring.
Data storage issues
If FortiRecorder cannot locally store any data such as logs, reports, and video, and
FortiRecorder has been storing data but has suddenly stopped, first verify that FortiRecorder
has not used all of its local storage capacity by entering this CLI command:
diagnose hardware sysinfo df
which will include disk usage for all mounted file systems, such as:
Filesystem            Size  Used  Avail  Use%  Mounted on
none                  180M  104M  77M    58%   /
none                  0     0     0      -     /proc
none                  0     0     0      -     /sys
none                  0     0     0      -     /dev/pts
none                  10M   32K   10M    1%    /dev/shm
/dev/sdb1             284M  54M   230M   19%   /data
/dev/sda2             92G   333M  87G    1%    /var/log
/dev/sda3             824G  118G  665G   16%   /var/spool
//172.16.10.200/NVR   226G  25G   201G   11%   /mnt/remote
You can use alerts to notify you when FortiRecorder has almost consumed its hard disk space.
You can also configure FortiRecorder to overwrite old logs rather than stopping logging when
the disk is full. (Keep in mind, however, that this may not prevent full disk problems for other
features. To free disk space, delete files such as old reports and video that you no longer need.)
If a full disk is not the problem, examine the configuration to determine if an administrator has
disabled those features that store data.
If neither of those indicate the cause of the problem, verify that the disk’s file system has not
been mounted in read-only mode, which can occur if the hard disk is experiencing problems
with its write capabilities. For details, contact Fortinet Technical Support.
Resetting the configuration
If you will be selling your FortiRecorder appliance, or if you are not sure what part of your
configuration is causing a problem, you can reset it and its cameras to their default settings and
erase data. (If you have not updated the firmware, this is the same as resetting to the factory
default settings.)
Back up your configuration before beginning this procedure, if possible. Resetting the
configuration could include resetting the IP addresses of network interfaces. For information on backups,
see “Regular backups”. For information on reconnecting to a FortiRecorder appliance whose
network interface configuration was reset, see “Connecting to FortiRecorder web UI”. For
information on reconnecting your cameras, see “Configuring video profiles”.
To reset your cameras’ configuration, connect to the CLI and enter these commands:
config camera devices
edit <camera_name>
set status disable
end
execute camera factoryreset <camera_name>
To delete your data from the NVR, connect to the CLI and enter this command:
execute formatlogdisk
To reset the NVR’s configuration, connect to the CLI and enter this command:
execute factoryreset
Alternatively, you can reset the NVR’s configuration to its default values for a specific software
version by restoring the firmware during a reboot (a “clean install”). See “Restoring firmware
(“clean install”)”.
Restoring firmware (“clean install”)
Restoring the firmware can be useful if:
• you are unable to connect to the FortiRecorder appliance using the web UI or the CLI
• you want to install firmware without preserving any existing configuration (i.e. a
“clean install”)
• a firmware version that you want to install requires a different size of system partition (see
the Release Notes accompanying the firmware)
• a firmware version that you want to install requires that you format the boot device (see the
Release Notes accompanying the firmware)
Unlike updating firmware, restoring firmware re-images the boot device, including the
signatures that were current at the time that the firmware image file was created. Also, restoring
firmware can only be done during a boot interrupt, before network connectivity is available, and
therefore requires a local console connection to the CLI. It cannot be done through an SSH
or Telnet connection.
Alternatively, if you cannot physically access the appliance’s local console connection, connect
the appliance’s local console port to a terminal server to which you have network access. Once
you have used a client to connect to the terminal server over the network, you will be able to
use the appliance’s local console through it. However, be aware that from a remote location,
you may not be able to power cycle the appliance if abnormalities occur.
To restore the firmware
Back up your configuration before beginning this procedure, if possible. Restoring firmware
resets the configuration, which could include the IP addresses of network interfaces. For
information on backups, see “Regular backups”. For information on reconnecting to a
FortiRecorder appliance whose network interface configuration was reset, see “Connecting to
FortiRecorder web UI”.
1. Download the firmware file from the Fortinet Technical Support web site:
https://support.fortinet.com/
2. Connect your management computer to the FortiRecorder console port using a
RJ-45-to-DB-9 serial cable or a null-modem cable.
3. Initiate a local console connection from your management computer to the CLI of the
FortiRecorder appliance, and log in as the admin administrator, or an administrator account
whose access profile contains Read and Write permissions in the Maintenance category.
4. Connect port1 of the FortiRecorder appliance directly or to the same subnet as a TFTP
server.
5. Copy the new firmware image file to the root directory of the TFTP server.
6. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and
run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.)
Because TFTP is not secure, and because it does not support authentication and could allow
anyone to have read and write access, you should only run it on trusted administrator-only
networks, never on computers directly connected to the Internet. If possible, immediately turn
off tftpd when you are done.
7. Verify that the TFTP server is currently running, and that the FortiRecorder appliance can
reach the TFTP server.
To use the FortiRecorder CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
8. Enter the following command to restart the FortiRecorder appliance:
execute reboot
9. As the FortiRecorder appliance starts, a series of system startup messages appear.
Press any key to display configuration menu........
10. Immediately press a key to interrupt the system startup.
You have only 3 seconds to press a key. If you do not press a key soon enough, the
FortiRecorder appliance reboots and you must log in and repeat the execute reboot
command.
If you successfully interrupt the startup process, the following messages appear:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
Enter G,F,B,Q,or H:
Please connect TFTP server to Ethernet port "1".
11. If the firmware version requires that you first format the boot device before installing
firmware, type F. Format the boot disk before continuing.
12. Type G to get the firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
13. Type the IP address of the TFTP server and press Enter.
The following message appears:
Enter local address [192.168.1.188]:
14. Type a temporary IP address that can be used by the FortiRecorder appliance to connect to
the TFTP server.
The following message appears:
Enter firmware image file name [image.out]:
15. Type the file name of the firmware image and press Enter.
The FortiRecorder appliance downloads the firmware image file from the TFTP server and
displays a message similar to the following:
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
16. Type D.
The FortiRecorder appliance downloads the firmware image file from the TFTP server. The
FortiRecorder appliance installs the firmware and restarts. The time required varies by the
size of the file and the speed of your network connection.
The FortiRecorder appliance reverts the configuration to default values for that version of the
firmware.
17. To verify that the firmware was successfully installed, log in to the CLI and type:
get system status
The firmware version number is displayed.
18. Either reconfigure the FortiRecorder appliance or restore the configuration file. See “Regular
backups”.
If you are downgrading the firmware to a previous version, and the settings are not fully
backwards compatible, the FortiRecorder appliance may either remove incompatible settings,
or use the feature’s default values for that version of the firmware. You may need to reconfigure
some settings.
See also
• Updating the firmware
Questions and answers
• How to connect cameras to FortiRecorder for the first time
• How to use recorded video clips
• How to use DIDO terminal connectors on FortiCam MB13 cameras
How to connect cameras to FortiRecorder for the first time
• Scenario 1: Direct connection
• Scenario 2: Connection with a third party DHCP server
Scenario 1: Direct connection
This scenario may be used to test the FortiRecorder and FortiCam equipment in a lab
environment. If you install the FortiRecorder NVR and FortiCam cameras in a dedicated
network, the topology of this scenario will also apply.
1. Change your PC’s IP address to be on the same subnet as the FortiRecorder port1’s default
IP address 192.168.1.99. For example, set your PC’s IP to 192.168.1.98.
2. Connect your PC and FortiRecorder’s port1 to a PoE switch as shown in the diagram. Do not
connect the camera to the switch at this stage.
3. On your PC, open a web browser and connect to https://192.168.1.99. Log in to the admin
administrator account with Name: admin and Password: (none).
4. On the FortiRecorder web UI, go to System > Network > DHCP, and click New to create a
new DHCP server on port1.
Make sure to enable DHCP server.
Make sure to select port1.
5. Go to System > Network > Interface. Select port1 and click Edit.
Make sure to enable it.
6. Make sure Discover cameras on this port is enabled.
7. Connect the camera to the PoE switch now.
If you connect the camera to the switch before you have configured and enabled the DHCP
server on FortiRecorder, the camera will use its default IP address, which might not work
on your network. Therefore, you must reboot the camera to get an IP address from the
FortiRecorder DHCP server by unplugging the camera from the switch and plugging it back in.
8. Go to Camera > Configuration > Camera, and click Discover. After several seconds, a list of
discovered cameras should appear. Newly discovered cameras will be highlighted in yellow,
and their Status column will contain Not Configured.
Figure: Camera list showing the Discover button, discovered but not configured cameras (yellow), and configured cameras
9. Double click on the discovered camera to configure the camera settings. For details, see
“Configuring cameras” on page 40.
10. Go to Monitor > Video Monitor to view the live feed from the camera.
Scenario 2: Connection with a third party DHCP server
In this scenario, you already have a DHCP server running in your existing network and you are
installing the FortiRecorder NVR and FortiCam cameras in your network.
Note that the NVR will be using a static IP address and the cameras will be getting DHCP IP
addresses from the third party DHCP server.
1. Change your PC’s IP address to be on the same subnet as the FortiRecorder port1’s default
IP address 192.168.1.99. For example, set your PC’s IP to 192.168.1.98.
2. Connect your PC directly to FortiRecorder’s port1 interface.
3. On your PC, open a web browser and connect to https://192.168.1.99. Log in to the admin
administrator account with Name: admin and Password: (none).
4. On the FortiRecorder web UI, go to System > Network > Interface and double-click the port1
interface. Change the IP address to one that is accessible to the DHCP server and your
network, and make sure Discover cameras on this port is enabled.
5. Change your PC’s IP address back.
6. Connect your PC and the FortiRecorder NVR to your network. Then connect the camera to
your network through a PoE switch.
7. Go to Camera > Configuration > Camera, and click Discover. After several seconds, a list of
discovered cameras should appear. Newly discovered cameras will be highlighted in yellow,
and their Status column will contain Not Configured.
8. Double click on the discovered camera to configure the camera settings. For details, see
“Configuring cameras” on page 40.
9. Go to Monitor > Video Monitor to view the live feed from the camera.
How to use recorded video clips
Under Monitor > Video Monitor, you can watch the recorded video clips, which include the
scheduled recording, motion detection recording, and manual recording.
Figure: Video Monitor showing the Control bar, the Time line panel with color-coded video clips, and the Camera image selection & image adjustment panel
Time periods in the time line panel are color-coded:
• Yellow — A system event such as a software update, system reboot, or camera reboot.
Recordings cannot be stored while FortiRecorder is unavailable.
• Light blue — The lightest blue denotes previously recorded clips, the darker blue
denotes temporary recording (see descriptions below), the darkest blue denotes
manually initiated recording. If a camera is not currently recording a continuous or motion
detection-triggered video, operators can manually trigger the camera to record video
using the Control pane.
• Bright blue — A bright blue tag over a video clip represents
recording with an attached annotation/marker. While a camera is recording, you can
insert markers with notes about what is currently being seen. If the camera is not
recording, after you enter the marker and click Insert Marker, the camera will start to
record.
• Red — A motion detection-based recording that was not initiated by schedule.
• A white/blank space means there is no recording at that period of time.
About temporary recording
If the camera is not scheduled to record, but you are watching live feed from the camera, the
video feed from the camera will be temporarily recorded in memory but not saved on the hard
drive. When you stop watching the live feed from that camera, the temporary recording will be
deleted. However, if you initiate manual recording while watching the live feed from the camera,
the temporary recording will be saved on the hard drive.
To watch the recorded video
1. Go to Monitor > Video Monitor. The recorded video clips are in the Event Monitor area and
the video clips for each camera appear as a time line.
2. By default, the time frame is minimized. To easily select a video clip, use the scroll wheel on
your mouse to zoom in on a time frame. Ensure that the mouse cursor is centered in the area
that you want to zoom in on. See the following pictures:
Figure 11: Time line zoomed out
Figure 12: Time line zoomed in
Preview frames
After zooming in, double-click the enlarged segment to view the clip.
3. After you select the segment (if it is a motion-detection clip, a few key frames will appear for
preview purposes), you can do the following:
• Click the Show button to view the clip.
• Click the Download button to download the clip for archival or viewing on another
computer. If your cameras have recorded a crime or other incident, you may need to
provide the video clip to the police or other authorities. Your FortiRecorder NVR uses the
.mp4 file format with the H.264 video codec, which can be viewed on Windows, Mac OS
X, Linux, and other platforms using QuickTime, VLC or other compatible players. All
video files are signed with an RSA 2048-bit signature to provide tamper protection. This
applies to files stored locally, remotely, and downloaded. Quality of previously recorded
video depends on the camera’s Recording Stream profile setting.
• Click the Lock button to lock the clip so that the operators and viewers will not be able to
view it.
4. To scroll through the time line, use your mouse to click and drag.
5. To set the time span of the time line, from Start date, select the beginning date of the
recording, then from the interval drop-down menu to the right, select the interval of each
segment of the time line in minutes.
6. To manually control the camera to pause or start recording, in the pane on the right side,
click the Control bar to expand it, then click the buttons to pause or record.
You can’t stop a scheduled continuous or motion detection-based recording schedule. You can
only start/stop manual recording. See also “Configuring recording schedules”.
7. To adjust the image quality, in the pane on the right side, click the Control bar to expand it,
then click the + or - buttons to adjust Brightness, Contrast, Saturation, and Sharpness. Only
administrators can use these controls, to prevent operators from accidentally or maliciously
blacking-out the view.
Set these settings with care. After video is recorded, it won’t be possible to adjust the image
quality again unless you download the file and use video editing software. Video editing
software may not be able to successfully correct for excessively bad image quality.
8. To add a note to the video (e.g. “Suspicious light”), in the pane on the right side, click the
Control bar to expand it, type your note in the text area, then click the Insert Marker button.
A bright blue marker will appear on the clip and the added note will appear as mouseover
text. Note that you must zoom in to see the marker. Otherwise it is very small on the time
line. See the following picture.
Figure 13: Inserted marker
Inserted text marker in bright blue
How to use DIDO terminal connectors on FortiCam MB13 cameras
FortiCam MB13 (FCM-MB13) cameras come with Digital input and output (DIDO) terminal
connectors. According to your configuration, a digital input can trigger the camera to record a
video clip. You can also optionally connect other devices to the digital output, such as a relay to
turn on/off another device.
DIDO connection diagram for MB13 cameras
4. Power output +5V
3. Digital output (DO)
2. Digital input (DI)
1. Ground
To configure DIDO on MB13 cameras
1. Go to Camera > Configuration > Camera, select the MB13 camera from the camera list and
click Edit.
2. Configure the digital input and output settings. Note that this setting is only available on
FortiCam MB13 cameras. More cameras will support this feature in the future.
The digital input can be configured to trigger when the signal is:
• LOW (ground)
• HIGH (+5V)
• Rising (transitioning from LOW to HIGH)
• or Falling (transitioning from HIGH to LOW)
If not connected, the camera will see the digital input as HIGH.
The digital output can be configured to be either grounded or open when in the triggered
state. When not triggered, it will be in the opposite state.
For example, if opening a door causes a sensor switch to open, then the switch could be
wired between DI and ground. DI will be grounded (LOW) while the door is closed and will go
HIGH when the door opens. DI could then be configured to trigger on the rising edge. When
the door opens, DO would be set to its triggered state and a video clip will also be recorded.
Triggering on the rising or falling edge can be useful if the DI might be held in the triggered
state for a long period. In the example above, if DI were set to trigger on HIGH and the door
is left open for a long period then the camera would trigger repeatedly.
3. Go to Camera > Schedule and enable Digital input when you create a recording schedule.
The schedules will be used in camera profiles, which will eventually be used by the camera
settings. For details, see “Camera configuration workflow” on page 30.
Appendix A: Port numbers
Communications between the FortiRecorder appliance, cameras, and your computer require
that any routers and firewalls between them permit specific protocols and port numbers.
The following tables list the default port assignments used by FortiRecorder. Many are
configurable. See each feature’s section in this document.
Table 10: Default ports used by FortiRecorder for outgoing traffic
Port number  Protocol  Purpose
N/A          ICMP      execute ping and execute traceroute.
N/A          ARP       MAC address resolution. See “Examining the ARP table”.
25           TCP       SMTP for alert email and snapshot notifications. See “Notification configuration workflow”.
53           UDP       DNS queries. See “NVR configuration”.
69           UDP       TFTP for backups, restoration, and firmware updates. See commands such as execute backup or execute restore.
80           HTTP      Sending network settings and recording signals to cameras. See “Configuring video profiles”.
123          UDP       NTP synchronization. See “Camera settings”.
443          HTTPS     Sending network settings and other configurations to cameras. See “Configuring video profiles”.
514          UDP       Syslog. See “Configuring logging”.
554, 8554    TCP/UDP   Controlling video recording (RTSP).
5353         UDP       mDNS queries for camera discovery. Multicast to 224.0.0.251.
Table 11: Default ports used by FortiRecorder for incoming traffic (listening)
Port number  Protocol  Purpose
N/A          ICMP      ping and traceroute responses. See “NVR configuration”.
N/A          ARP       MAC address resolution responses. See “Examining the ARP table”.
21           TCP       FTP for receiving motion detection clips from cameras. Currently, this is not configurable.
22           TCP       SSH administrative CLI access. See “NVR configuration”.
23           TCP       Telnet administrative CLI access. See “NVR configuration”.
80           TCP       HTTP administrative web UI access. See “NVR configuration”.
443          TCP       HTTPS administrative web UI access. Only occurs if the destination address is a network interface’s IP address. See “NVR configuration”.
Dynamic      UDP       Receiving video from cameras (RTP). See “Configuring video profiles”.
554          TCP       Live video feeds (RTP) in the HTTP/HTTPS administrative web UI. See “Video monitoring”.
8550         TCP       FortiRecorder Central access.
See also
• Establishing IP sessions
Appendix B: Maximum values
This table shows the maximum number of configuration objects, or limits that vary by them. These
values are not a guarantee of performance. For values such as hardware specifications that do not vary
by software version or configuration, see your model’s QuickStart Guide.
Table 12: Maximum configuration objects

                         FortiRecorder 100D   FortiRecorder 200D   FortiRecorder VM
Cameras connected        16                   64                   Up to 1024. Controlled by licences. See FortiRecorder VM Install Guide for details.
Routes                   250                  250                  250
Administrator accounts   50                   50                   50