FortiAnalyzer Administration Guide Version 4.0 MR2

FortiAnalyzer™
Version 4.0 MR2
Administration Guide
FortiAnalyzer™ Administration Guide
Version 4.0 MR2
3 December 2010
Revision 10
© Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
Caution: Risk of explosion if the battery on the main board is replaced by an incorrect type. Dispose of used
batteries according to instructions.
Caution: The Fortinet equipment is intended for installation in a Restricted Access Location.
Contents
Introduction ............................................................................................ 11
Registering your Fortinet product............................................................................... 12
Customer service & technical support ....................................................................... 12
Training .......................................................................................................................... 13
Documentation .............................................................................................................. 13
Scope ............................................................................................................................. 13
Conventions .................................................................................................................. 14
IP addresses............................................................................................................. 14
Cautions, Notes and Tips ......................................................................................... 14
Typographical conventions ....................................................................................... 14
Command syntax conventions.................................................................................. 15
What’s new ............................................................................................. 19
About the web-based manager............................................................. 21
System requirements.................................................................................................... 21
URL for access .............................................................................................................. 21
Settings .......................................................................................................................... 22
About administrative domains (ADOMs) ............................................. 23
Configuring ADOMs...................................................................................................... 25
Accessing ADOMs as the admin administrator ......................................................... 30
Assigning administrators to an ADOM ....................................................................... 30
System .................................................................................................... 33
Viewing the dashboard................................................................................................. 33
System Information widget ....................................................................................... 36
Configuring the time & date................................................................................ 36
Configuring the FortiAnalyzer unit’s host name ................................................. 37
License Information widget ....................................................................................... 38
Unit Operation widget ............................................................................................... 39
System Resources widget ........................................................................................ 39
Logs/Data Received widget ...................................................................................... 41
Statistics widget ........................................................................................................ 42
Report Engine widget ............................................................................................... 45
Disk Monitor widget .................................................................................................. 45
Hot-swapping hard disks .................................................................................... 47
FortiAnalyzer™ Version 4.0 MR2 Administration Guide
Revision 10
http://docs.fortinet.com/ • Feedback
Adding new disks for FortiAnalyzer 2000B/4000B ............................................. 48
Log Receive Monitor widget ..................................................................................... 48
Alert Message Console widget ................................................................................. 49
CLI Console widget................................................................................................... 51
Top Traffic widget ..................................................................................................... 52
Top Web Traffic widget............................................................................................. 54
Top Email Traffic widget ........................................................................................... 55
Top FTP Traffic widget ............................................................................................. 56
Top IM/P2P Traffic widget ........................................................................................ 57
Virus Activity widget.................................................................................................. 59
Intrusion Activity widget ............................................................................................ 60
Configuring network settings ...................................................................................... 61
Configuring the network interfaces ........................................................................... 61
About Fortinet Discovery Protocol...................................................................... 64
Configuring and using FortiAnalyzer web services ............................................ 64
Configuring DNS....................................................................................................... 67
Configuring static routes ........................................................................................... 67
Configuring network shares ........................................................................................ 68
Configuring share users............................................................................................ 69
Configuring share user groups ........................................................................... 70
Configuring Windows shares .................................................................................... 71
Configuring NFS shares ........................................................................................... 73
Default file permissions on NFS shares ............................................................. 74
Configuring administrator-related settings ................................................................ 75
Configuring administrator accounts .......................................................................... 75
Changing an administrator’s password .............................................................. 77
Configuring access profiles ................................................................................ 78
Configuring authentication groups ..................................................................... 79
Configuring RADIUS servers ............................................................................. 80
Configuring the web-based manager’s global settings ............................................ 82
Monitoring administrators............................................................................................ 83
Configuring log storage & query features .................................................................. 83
Configuring SQL database storage .......................................................................... 83
Configuring alerts...................................................................................................... 85
Configuring an email server for alerts & reports ....................................................... 87
Configuring report output templates ......................................................................... 89
Configuring the SNMP agent .................................................................................... 92
Configuring an SNMP community ...................................................................... 94
Configuring Syslog servers....................................................................................... 96
Configuring log aggregation...................................................................................... 98
Configuring an aggregation client ...................................................................... 99
Configuring an aggregation server ................................................................... 100
Configuring log forwarding...................................................................................... 101
Configuring IP aliases............................................................................................. 102
Importing IP aliases.......................................................................................... 103
Configuring RAID.................................................................................................... 104
Supported RAID levels..................................................................................... 106
RAID array capacity ......................................................................................... 109
Configuring LDAP queries for reports..................................................................... 109
Querying for the base DN ................................................................................ 112
Backing up the configuration & installing firmware ................................................ 112
Scheduling & uploading vulnerability management updates ................................. 114
Migrating data from one FortiAnalyzer unit to another ........................................... 115
Actions during the migration process ............................................................... 118
Importing a local server certificate............................................................................ 119
Devices.................................................................................................. 121
Configuring connections with devices & their disk space quota........................... 121
Unregistered vs. registered devices ....................................................................... 124
Maximum number of devices.................................................................................. 124
Configuring IPSec secure connections between the FortiAnalyzer unit and a device or an HA cluster .......................................................................................................... 126
Manually adding or deleting a device or HA cluster................................................ 127
Manually adding a FortiGate unit using the Fortinet Discovery Protocol (FDP) ..... 129
Configuring unregistered device options ................................................................ 131
Blocking unregistered device connection attempts................................................. 132
Configuring device groups ........................................................................................ 134
Classifying FortiGate network interfaces ................................................................. 135
Log & Archive....................................................................................... 137
Viewing log messages................................................................................................ 137
Customizing the log view ........................................................................................ 140
Displaying and arranging log columns ............................................................. 141
Filtering logs..................................................................................................... 142
Filtering tips ...................................................................................................... 143
Searching the logs ........................................................................................... 144
Search tips ....................................................................................................... 146
Viewing DLP archives............................................................................................. 147
Viewing quarantined files........................................................................................ 149
Browsing log files ....................................................................................................... 152
Importing a log file .................................................................................................. 153
Downloading a log file............................................................................................. 154
Backing up logs and archived files ........................................................................... 156
Configuring rolling and uploading of devices’ logs ................................................ 156
Using eDiscovery ........................................................................................................ 158
Reports.................................................................................................. 165
Configuring reports from logs in the proprietary indexed file system .................. 165
Configuring a report layout ..................................................................................... 166
Adding charts, sections, and texts ................................................................... 169
Editing charts in a report layout........................................................................ 171
Configuring data filter templates ............................................................................. 176
Configuring report schedules.................................................................................. 179
Configuring language.............................................................................................. 182
Example reports (file system-based) ...................................................................... 186
Example: FortiGate report ................................................................................ 186
Example: FortiClient report .............................................................................. 189
Example: FortiMail report ................................................................................. 192
Configuring reports from logs in a SQL database ................................................... 195
Configuring report chart templates ......................................................................... 195
Configuring data sets.............................................................................................. 199
Uploading graphics for reports................................................................................ 201
Configuring report profiles ...................................................................................... 202
Adding report dashboards and widgets .................................................................. 205
Example reports (SQL-based) ................................................................................ 206
Example: FortiGate report ................................................................................ 206
Browsing reports ........................................................................................................ 208
Vulnerability Management................................................................... 211
How to use vulnerability management...................................................................... 211
Configuring host assets ............................................................................................. 212
Grouping host assets.............................................................................................. 214
Discovering network host assets .............................................................................. 215
Viewing network map reports ................................................................................. 218
Configuring vulnerability scans ................................................................................ 221
Configuring vulnerability sensors............................................................................ 221
Configuring vulnerability scan profiles .................................................................... 227
Scheduling vulnerability scans................................................................................ 229
Viewing vulnerability scan reports .......................................................................... 231
Viewing host vulnerability statuses .......................................................................... 235
Vulnerabilities by severity level & top 10 categories............................................... 235
Top 10 vulnerable hosts by business risk............................................................... 235
Top 10 vulnerabilities.............................................................................................. 237
Viewing the vulnerability database ........................................................................... 238
Configuring compliance report templates ................................................................ 239
Viewing compliance reports ...................................................................................... 241
About PCI DSS compliance reports........................................................................ 243
Tools...................................................................................................... 245
Network Analyzer ........................................................................................................ 245
Connecting the FortiAnalyzer unit to analyze network traffic.................................. 245
Viewing network analyzer log messages................................................................ 247
Viewing current network analyzer log messages ............................................. 247
Viewing historical network analyzer log messages .......................................... 249
Browsing network analyzer log files........................................................................ 250
Viewing network analyzer log file contents ...................................................... 251
Downloading a network analyzer log file .......................................................... 251
Customizing the network analyzer log view............................................................ 252
Displaying and arranging log columns ............................................................. 253
Filtering logs..................................................................................................... 254
Filtering tips ...................................................................................................... 255
Searching the network analyzer logs...................................................................... 256
Search tips ....................................................................................................... 257
Printing and downloading the search results ................................................... 258
Rolling and uploading network analyzer logs ......................................................... 258
File Explorer ................................................................................................................ 261
Maintaining firmware ........................................................................... 263
Firmware upgrade path and general firmware upgrade steps................................ 263
Backing up your configuration .................................................................................. 264
Backing up your configuration through the web-based manager ........................... 264
Backing up your configuration through the CLI....................................................... 264
Backing up your log files......................................................................................... 264
Testing firmware before upgrading/downgrading ................................................... 265
Installing firmware from the BIOS menu in the CLI ................................................ 267
Upgrading your FortiAnalyzer unit............................................................................ 267
Upgrading/downgrading through the web-based manager..................................... 267
Upgrading/downgrading through the CLI................................................................ 268
Verifying the upgrade.............................................................................................. 269
Troubleshooting................................................................................... 271
Report issue ................................................................................................................ 271
Binary files issue......................................................................................................... 272
CPU usage issue ......................................................................................................... 272
HA log issue ................................................................................................................ 273
NFS server connection issue..................................................................................... 274
Vulnerability management issues ............................................................................. 274
Upgrade issue ............................................................................................................. 275
Web-based manager issue......................................................................................... 275
Disk usage issue ......................................................................................................... 276
Device IP issue ............................................................................................................ 276
Error message "EXT3-fs error (device...)" ................................................................ 278
Running an HQIP for hardware integrity control ..................................................... 279
Packet capture (CLI sniffer) best practice ................................................................ 279
No logs received with encryption enabled between a FortiGate unit and a FortiAnalyzer unit........................................................................................................ 280
Appendix A: SNMP MIB support......................................................... 283
Appendix B: Report templates............................................................ 285
FortiGate report templates ......................................................................................... 285
Intrusion Activity...................................................................................................... 286
Antivirus Activity...................................................................................................... 286
Webfilter Activity ..................................................................................................... 288
Email Filter Activity ................................................................................................. 290
IM Activity ............................................................................................................... 290
DLP Activity ............................................................................................................ 291
Network Analysis .................................................................................................... 292
Web Activity ............................................................................................................ 293
Mail Activity............................................................................................................. 294
FTP Activity............................................................................................................. 295
Terminal Activity ..................................................................................................... 296
VPN Activity ............................................................................................................ 297
Event Activity .......................................................................................................... 297
P2P Activity............................................................................................................. 298
VoIP Activity............................................................................................................ 300
Data Leak Activity ................................................................................................... 302
Application Control Activity ..................................................................................... 303
Network Scan ......................................................................................................... 303
Application_Control................................................................................................. 303
Intrusion_Detection................................................................................................. 304
AntiVirus ................................................................................................................. 304
Data_Leak_Prevention ........................................................................................... 304
Email Filter.............................................................................................................. 305
Event....................................................................................................................... 305
Traffic...................................................................................................................... 305
FortiClient Report Templates..................................................................................... 305
FortiMail Report Templates........................................................................................ 307
Appendix C: Maximum values matrix ................................................ 309
Appendix D: Querying FortiAnalyzer SQL log databases................ 311
Creating datasets ........................................................................................................ 311
Troubleshooting ............................................................................................... 314
SQL tables ................................................................................................................... 314
Log severity levels .................................................................................................. 317
Log fields in each table ........................................................................................... 317
Common log fields .................................................................................................. 317
Application control log fields ................................................................................... 319
Attack log fields....................................................................................................... 321
DLP archive / content log fields .............................................................................. 322
Data Leak Prevention log fields .............................................................................. 327
Email filter log fields................................................................................................ 328
Event log fields ....................................................................................................... 329
Malform Description Values ............................................................................. 339
Traffic log fields....................................................................................................... 343
Antivirus log fields................................................................................................... 345
Web filter log fields ................................................................................................. 347
Netscan log fields ................................................................................................... 348
Examples ..................................................................................................................... 349
Example 1: Distribution of applications by type in the last 24 hours....................... 351
GUI procedure.................................................................................................. 351
CLI procedure .................................................................................................. 351
Notes:............................................................................................................... 351
Example 2: Top 100 applications by bandwidth in the last 24 hours ...................... 352
GUI procedure.................................................................................................. 352
CLI procedure .................................................................................................. 352
Notes:............................................................................................................... 352
Example 3: Top 10 attacks in the past one hour .................................................... 353
GUI procedure.................................................................................................. 353
CLI procedure .................................................................................................. 353
Notes:............................................................................................................... 353
Example 4: Top WAN optimization applications in the past 24 hours .................... 353
GUI procedure.................................................................................................. 353
CLI procedure .................................................................................................. 354
Index...................................................................................................... 355
FortiAnalyzer™ Version 4.0 MR2 Administration Guide
9
http://docs.fortinet.com/ • Feedback
Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
FortiAnalyzer units are network appliances that provide integrated log collection and
reporting tools. Reports analyze logs for email, FTP, web browsing, security events, and
other network activity to help identify security issues and reduce network misuse and
abuse.
In addition to logging and reporting, FortiAnalyzer units also have several major features
that augment or enable certain FortiGate unit functionalities, such as DLP archiving and
quarantining, and improve your ability to stay informed about the state of your network.
• Logging and reporting: A FortiAnalyzer unit can aggregate and analyze log data from Fortinet and other Syslog-compatible devices. Using a comprehensive suite of easily customized reports, you can filter and review records, including traffic, event, virus, attack, Web content, and email data, mining the data to determine your security stance and ensure regulatory compliance. For information about the FortiAnalyzer logging, analyzing, and reporting workflow, see Figure 1 on page 12.
• DLP archiving: Both FortiGate DLP (Data Leak Prevention) archive logs and their associated copies of files or messages can be stored on and viewed from a FortiAnalyzer unit, leveraging its large storage capacity for the large media files that are common with multimedia content. When DLP archives are received by the FortiAnalyzer unit, you can use data filtering similar to that for other log files to track and locate specific email or instant messages, or to examine the contents of archived files.
• Quarantine repository: A FortiAnalyzer unit can act as a central repository for files that are suspicious or known to be infected by a virus, and have therefore been quarantined by your FortiGate units.
• Vulnerability management: A FortiAnalyzer unit can scan your designated target hosts for known vulnerabilities and open TCP and/or UDP ports. When the vulnerability scan is complete, the FortiAnalyzer unit generates a report that describes the discovered security issues and their known solutions. FortiAnalyzer units can use the FortiGuard subscription service to update their vulnerability databases with new entries as they are discovered.
• Packet capture: FortiAnalyzer units can log observed packets to diagnose areas of the network where firewall policies may require adjustment, or where traffic anomalies occur.
• File explorer: You can browse through the list of content archive/DLP, quarantine, log, and report files on the FortiAnalyzer unit.
• Network sharing: FortiAnalyzer units can use their hard disks as an NFS or Windows-style network share for FortiAnalyzer reports and logs, as well as users’ files.
• FIPS support: Federal Information Processing Standards (FIPS) are supported in some special releases of FortiAnalyzer firmware. Contact Fortinet Technical Support for more information.
Figure 1: Logging, analyzing, and reporting workflow
[Workflow diagram; its labels, in order:]
Devices monitored by the FortiAnalyzer unit -> FortiAnalyzer data receiving server: The FortiAnalyzer unit collects logs from the devices that it monitors.
Indexing & file storage/database: The FortiAnalyzer unit buffers, reorganizes, and stores the logs to generate temporary log files. The administrator views log files.
Log file index/database: The FortiAnalyzer unit indexes the log files for easy search and report generation.
Administrator: The administrator configures and requests reports.
Report engine: The FortiAnalyzer unit generates reports based on user configurations and requests.
Reports: The administrator views reports.
This topic includes:
• Registering your Fortinet product
• Customer service & technical support
• Training
• Documentation
• Scope
• Conventions
Registering your Fortinet product
Before you begin configuring and customizing features, take a moment to register your
Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Base article Registration Frequently
Asked Questions.
Customer service & technical support
Fortinet Technical Support provides services designed to make sure that you can install
your Fortinet products quickly, configure them easily, and operate them reliably in your
network.
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Base article Fortinet Technical
Support Requirements.
Training
Fortinet Training Services provides classes that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training
Services web site at http://campus.training.fortinet.com, or email them at
training@fortinet.com.
Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Base.
Fortinet Tools and Documentation CD
Many Fortinet publications are available on the Fortinet Tools and Documentation CD
shipped with your Fortinet product. The documents on this CD are current at shipping
time. For current versions of Fortinet documentation, visit the Fortinet Technical
Documentation web site, http://docs.fortinet.com.
Fortinet Knowledge Base
The Fortinet Knowledge Base provides additional Fortinet technical documentation, such
as troubleshooting and how-to-articles, examples, FAQs, technical notes, and more. Visit
the Fortinet Knowledge Base at http://kb.fortinet.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this technical document to
techdoc@fortinet.com.
Scope
This document describes how to use the web-based manager of the FortiAnalyzer unit. It
assumes you have already successfully installed the FortiAnalyzer unit by following the
instructions in the FortiAnalyzer Installation Guide.
At this stage:
• You have administrative access to the web-based manager and/or CLI.
• The FortiAnalyzer unit is integrated into your network.
• The system time, DNS settings, administrator password, and network interfaces have been configured.
• Firmware updates and FortiGuard Vulnerability Management Plugins and Engine updates have been completed.
Once that basic installation is complete, you can use this document. This document explains how to use the web-based manager to:
• maintain the FortiAnalyzer unit, including backups
• reconfigure basic items that were configured during installation
• configure advanced features, such as adding devices, DLP archiving, vulnerability management, logging, and reporting
This document does not cover commands for the command line interface (CLI). For
information on the CLI, see the FortiAnalyzer CLI Reference.
Conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Cautions, Notes and Tips
Fortinet technical documentation uses the following guidance and styles for cautions,
notes and tips.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Note: Presents useful information, usually focused on an alternative, optional method, such
as a shortcut, to perform a step.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 1: Typographical conventions in Fortinet technical documentation
Convention                                         Example
Button, menu, text box, field, or check box label  From Minimum log level, select Notification.
CLI input                                          config system dns
                                                   set primary <address_ipv4>
                                                   end
CLI output                                         FGT-602803030703 # get system settings
                                                   comments : (null)
                                                   opmode   : nat
Emphasis                                           HTTP connections are not secure and can be intercepted by a third party.
File content                                       <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                                                   <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink                                          Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Keyboard entry                                     Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation                                         Go to VPN > IPSEC > Auto Key (IKE).
Publication                                        For details, see the FortiGate Administration Guide.
Command syntax conventions
The command line interface (CLI) requires that you use valid syntax, and conform to
expected input constraints. It will reject invalid commands.
Brackets, braces, and pipes are used to denote valid permutations of the syntax.
Constraint notations, such as <address_ipv4>, indicate which data types or string
patterns are acceptable value input.
Table 2: Command syntax notation
Convention   Description
Square brackets [ ]: A non-required word or series of words. For example:
[verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and its accompanying option, such as:
verbose 3
Angle brackets < >: A word constrained by data type.
To define acceptable input, the angle brackets contain a descriptive name followed by an underscore ( _ ) and a suffix that indicates the valid data type. For example:
<retries_int>
indicates that you should enter a number of retries, such as 5.
Data types include:
• <xxx_name>: A name referring to another part of the configuration, such as policy_A.
• <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.
• <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
• <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
• <xxx_email>: An email address, such as admin@mail.example.com.
• <xxx_url>: A uniform resource locator (URL) and its associated protocol and host name prefix, which together form a uniform resource identifier (URI), such as http://www.fortinet.com/.
• <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
• <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
• <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
• <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
• <xxx_ipv6>: A colon ( : )-delimited hexadecimal IPv6 address, such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
• <xxx_v6mask>: An IPv6 netmask, such as /96.
• <xxx_ipv6mask>: An IPv6 address and netmask separated by a space.
• <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences. See the FortiWeb CLI Reference.
• <xxx_int>: An integer number that is not another data type, such as 15 for the number of minutes.
Curly braces { }: A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces.
You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].
Options delimited by vertical bars |: Mutually exclusive options. For example:
{enable | disable}
indicates that you must enter either enable or disable, but must not enter both.
Options delimited by spaces: Non-mutually exclusive options. For example:
{http https ping snmp ssh telnet}
indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as:
ping https ssh
Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type:
ping https snmp ssh
If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.
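A small validator for the notation in Table 2, added here as an example and not taken from this guide or from Fortinet's CLI: it parses a notation string and checks whether a typed command is one of the permutations the notation permits, including the rule that a space-delimited set is entered as a whole list with no option repeated. Treating <xxx_int> as requiring an integer and every other <xxx_type> placeholder as any single word is this example's assumption.

```python
import re

# Tokens of the notation: brackets, braces, pipes, <name_type> placeholders, words.
_NOTATION_TOKEN = re.compile(r"\[|\]|\{|\}|\||<[^>\s]+>|[^\s\[\]{}|<>]+")


def _parse(tokens, i=0, closer=None):
    """Parse notation tokens into nested items; returns (items, next index)."""
    items = []
    while i < len(tokens):
        tok = tokens[i]
        if tok == closer:
            return items, i + 1
        if tok in ("]", "}"):
            raise ValueError("unexpected %r in notation" % tok)
        if tok == "[":                      # square brackets: optional word(s)
            inner, i = _parse(tokens, i + 1, "]")
            items.append(("optional", inner))
        elif tok == "{":                    # curly braces: constrained option set
            inner, i = _parse(tokens, i + 1, "}")
            groups, current = [], []
            for item in inner:
                if item == ("bar",):
                    groups.append(current)
                    current = []
                else:
                    current.append(item)
            groups.append(current)
            if len(groups) > 1:             # vertical bars: mutually exclusive
                items.append(("one_of", groups))
            else:                           # spaces: any non-empty subset, any order
                items.append(("some_of", [[item] for item in current]))
        elif tok == "|":
            items.append(("bar",))
            i += 1
        elif tok.startswith("<"):           # <xxx_type> placeholder (assumed semantics)
            items.append(("value", tok))
            i += 1
        else:
            items.append(("word", tok))
            i += 1
    if closer is not None:
        raise ValueError("unbalanced notation: missing %r" % closer)
    return items, i


def _match_seq(items, argv, pos):
    """Set of argv positions reachable after consuming the items in order."""
    positions = {pos}
    for item in items:
        positions = {q for p in positions for q in _match_item(item, argv, p)}
        if not positions:
            break
    return positions


def _match_item(item, argv, pos):
    kind = item[0]
    if kind == "word":
        return {pos + 1} if pos < len(argv) and argv[pos] == item[1] else set()
    if kind == "value":                     # assumption: _int must be an integer
        if pos >= len(argv):
            return set()
        if item[1].endswith("_int>") and not argv[pos].lstrip("-").isdigit():
            return set()
        return {pos + 1}
    if kind == "optional":
        return {pos} | _match_seq(item[1], argv, pos)
    if kind == "one_of":
        return set().union(*(_match_seq(g, argv, pos) for g in item[1]))
    if kind == "some_of":
        return _match_subset(item[1], argv, pos, frozenset())
    raise ValueError("stray '|' outside braces")


def _match_subset(options, argv, pos, used):
    """One or more options, each at most once, in any order."""
    ends = {pos} if used else set()         # at least one option is required
    for idx, option in enumerate(options):
        if idx not in used:
            for q in _match_seq(option, argv, pos):
                ends |= _match_subset(options, argv, q, used | {idx})
    return ends


def is_valid(notation, command):
    """True if the space-separated command is a permutation the notation allows."""
    items, _ = _parse(_NOTATION_TOKEN.findall(notation))
    argv = command.split()
    return len(argv) in _match_seq(items, argv, 0)


if __name__ == "__main__":
    for notation, command in [("[verbose {1 | 2 | 3}]", "verbose 3"),
                              ("{enable | disable}", "enable disable"),
                              ("{http https ping snmp ssh telnet}", "ping https ssh"),
                              ("set primary <address_ipv4>", "set primary 192.168.1.99")]:
        print("%-40s %-25s %s" % (notation, command, is_valid(notation, command)))
```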
What’s new
The list below contains key features which have changed since the previous release,
FortiAnalyzer v4.0 MR1. For upgrade information, see the Release Notes available with
the firmware, and “Maintaining firmware” on page 263.
• SQL (Structured Query Language) reporting – The SQL database option is added. The logs received by the FortiAnalyzer unit will be inserted into the SQL database for generating reports. Both local and remote SQL database options are supported. The advantages of using the SQL database are:
  • Flexibility: Through the use of standard SQL queries, more flexible reporting capabilities can be offered.
  • Scalability: Through the use of a remote SQL database, any upper bound on the amount of available log storage is removed. Furthermore, the hardware of an external SQL database server can be more easily upgraded to support growing performance needs.
  For more information, see “Configuring SQL database storage” on page 83 and “Example reports (SQL-based)” on page 206.
• Administrator profile extension for RADIUS – If you use a RADIUS server to manage your administrator accounts’ authentication, you can also use it to manage administrative authorization (that is, the administrator profile). In other words, you can assign an administrator profile to each user on the RADIUS server and have the FortiAnalyzer unit retrieve and apply it for administrator access. The process is as follows:
  • The administrator provides a user name and password to the FortiAnalyzer unit.
  • The FortiAnalyzer unit sends the user name and password to the RADIUS server for authentication.
  • The RADIUS server returns an "Access Accept" response to the FortiAnalyzer unit that includes a VSA containing the name of the administrator profile.
  • The FortiAnalyzer unit looks for the returned administrator profile in its own configuration. If the administrator profile exists, the FortiAnalyzer unit assigns the returned profile for the duration of the administrator session. If the administrator profile does not exist, the FortiAnalyzer unit assigns the locally configured admin profile for the duration of the administrator session.
  For more information, see “Configuring RADIUS servers” on page 80.
• Report charts – A new menu item, Charts, is added to Reports on the web-based manager to help you understand better how all of the different report elements are related. Under Charts, you can view the existing pre-defined charts on items such as pre-defined services, IPS database, or application database. You can also add your own chart definitions. For more information, see “Configuring report chart templates” on page 195 and “Configuring data sets” on page 199.
• eDiscovery extension – eDiscovery allows you to search through the bulk of stored emails, extract the search results, and share them with a third party in situations such as a lawsuit or regulatory violation action. It is crucial to be able to prove that shared data is an exact copy of the original. This is an extension of the FortiAnalyzer’s archived email searching. For more information, see “Using eDiscovery” on page 158.
• Dashboard enhancements – The interface for renaming and deleting tabs is improved to simplify the user experience. For some widgets, you can add multiple instances of the same widget. This helps if you need to do more than one thing with a widget. Also, each ADOM administrator has a dashboard. For more information, see “Viewing the dashboard” on page 33.
• Web-based manager improvements – When viewing logs and archived files, if you select a log entry, a detailed view is displayed on the left-hand side. You can then see the values for all indexed columns for a particular log type. Fields with no values are hidden, and can optionally be expanded by selecting "show" at the bottom of the popup window. For more information, see “Log & Archive” on page 137.
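The RADIUS administrator-profile exchange described under "Administrator profile extension for RADIUS" above, as an added example that is not part of this guide or of Fortinet's code: it encodes the Access-Accept's vendor-specific attribute (RFC 2865 attribute 26), extracts the profile name from it, and applies the documented fallback to the locally configured profile. Fortinet's vendor ID (12356) and the vendor type of the access-profile VSA (6) are assumptions, since the guide names neither; treating a missing VSA the same as an unknown profile is also an assumption.

```python
import struct

# Assumptions (not stated in this guide): Fortinet's IANA enterprise number and
# the vendor type of the VSA that carries the administrator profile name.
FORTINET_VENDOR_ID = 12356
FORTINET_ACCESS_PROFILE = 6
RADIUS_VSA_TYPE = 26                   # RFC 2865 Vendor-Specific attribute
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3    # RFC 2865 packet codes


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: type, length, vendor-id, then
    vendor-type, vendor-length and the string value."""
    data = value.encode()
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return struct.pack("!BBI", RADIUS_VSA_TYPE, len(inner) + 6, vendor_id) + inner


def parse_attributes(blob):
    """Yield (type, payload) for every attribute in a RADIUS attribute list,
    rejecting a length field that would run past the end of the data."""
    pos = 0
    while pos + 2 <= len(blob):
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def find_profile_vsa(blob):
    """Return the profile name from the Fortinet access-profile VSA, or None
    when the server sent no such attribute."""
    for attr_type, payload in parse_attributes(blob):
        if attr_type != RADIUS_VSA_TYPE or len(payload) < 6:
            continue
        if struct.unpack("!I", payload[:4])[0] != FORTINET_VENDOR_ID:
            continue                        # some other vendor's VSA
        vendor_type, vendor_len = payload[4], payload[5]
        if vendor_len < 2 or 4 + vendor_len > len(payload):
            raise ValueError("malformed vendor data in VSA")
        if vendor_type == FORTINET_ACCESS_PROFILE:
            return payload[6:4 + vendor_len].decode(errors="replace")
    return None


def select_admin_profile(code, blob, configured_profiles, local_profile):
    """Decide which profile the session gets, following the steps in the text:
    a rejected login gets none; an accepted login gets the returned profile
    when it exists in the unit's configuration, otherwise the locally
    configured profile. A missing VSA is treated like an unknown profile
    (this example's assumption)."""
    if code != ACCESS_ACCEPT:
        return None
    returned = find_profile_vsa(blob)
    if returned is not None and returned in configured_profiles:
        return returned
    return local_profile


if __name__ == "__main__":
    # Constructed sample: the server accepts the login and names a profile
    # that exists locally, then one that does not.
    local = {"super_user", "fortianalyzer_readonly"}   # constructed profile names
    ok = build_vsa(FORTINET_VENDOR_ID, FORTINET_ACCESS_PROFILE, "fortianalyzer_readonly")
    print(select_admin_profile(ACCESS_ACCEPT, ok, local, "super_user"))
    unknown = build_vsa(FORTINET_VENDOR_ID, FORTINET_ACCESS_PROFILE, "no_such_profile")
    print(select_admin_profile(ACCESS_ACCEPT, unknown, local, "super_user"))
```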
About the web-based manager
This chapter describes aspects that are general to use of the web-based manager, a
graphical user interface (GUI) that you can use to access the FortiAnalyzer unit from
within a current web browser.
This topic includes:
• System requirements
• URL for access
• Settings
System requirements
The management computer that you use to access the web-based manager must have a
compatible web browser, such as Microsoft Internet Explorer 6.0 or greater, or Mozilla
Firefox 3.0 or greater.
To minimize scrolling, the computer’s screen should have a resolution that is a minimum of
1280 x 1024 pixels.
URL for access
The web-based manager can be accessed by URL using the network interfaces’ enabled
administrative access protocols and IP addresses.
By default, the URL when accessing the web-based manager through port1 is
https://192.168.1.99/.
If the network interfaces have been configured, for example by following the installation
instructions in the FortiAnalyzer Install Guide, the URL and/or permitted administrative access
protocols (in this case, HTTPS) may no longer be in their default state. In that case, for the
URL, use either a DNS-resolvable domain name for the FortiAnalyzer unit, or the IP
address that you configured for the network interface to which you are connected.
For example, you might have configured port2 with the IP address 10.0.0.1 and enabled
HTTPS. You might have also configured a private DNS server on your network to resolve
fortianalyzer.example.com to 10.0.0.1. In this case, to access the web-based manager
through port2, you could enter either https://fortianalyzer.example.com/ or
https://10.0.0.1/.
For information on enabling administrative access protocols and configuring IP addresses,
see “Configuring the network interfaces” on page 61.
Note: If the URL is correct and you still cannot access the web-based manager, you may
also need to configure from which hosts the FortiAnalyzer unit will accept login attempts for
your administrator account (that is, trusted hosts), and/or static routes. For details, see
“Configuring administrator accounts” on page 75 and “Configuring static routes” on
page 67.
Settings
Some settings for the web-based manager apply regardless of which administrator
account you use to log in. Global settings include the idle timeout, TCP port number on
which the web-based manager listens for connection attempts, the network interface(s) on
which it listens, and the language of its display.
For details, see “Configuring the web-based manager’s global settings” on page 82 and
“Configuring the network interfaces” on page 61.
About administrative domains (ADOMs)
Administrative domains (ADOMs) enable the admin administrator to constrain other
FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device
list. For FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict
access to only data from a specific FortiGate VDOM.
Note: ADOMs are not supported on FortiAnalyzer-100/100A/100B/100C models.
Table 3: Characteristics of the CLI and web-based manager when ADOMs are enabled
                                                                  admin administrator account   Other administrators
Access to Global Configuration                                    Yes                           No
Access to Administrative Domain Configuration (can create ADOMs)  Yes                           No
Can create administrator accounts                                 Yes                           No
Can enter all ADOMs                                               Yes                           No
Enabling ADOMs alters the structure and available functionality of the web-based
manager and CLI according to whether you are logging in as the admin administrator,
and, if you are not logging in as the admin administrator, the administrator account’s
assigned access profile.
Within the Global ADOM:
• System > Dashboard > Status
• System > ADOM > ADOM
• System > Network > Interface
• System > Network > DNS
• System > Network > Routing
• System > Network Sharing > Windows Share
• System > Network Sharing > NFS Export
• System > Network Sharing > User
• System > Network Sharing > Group
• System > Admin > Administrator
• System > Admin > Access Profile
• System > Admin > Auth Group
• System > Admin > RADIUS Server
• System > Admin > Settings
• System > Admin > Monitor
• System > Config > SQL Database
• System > Config > Log-based Alerts
• System > Config > SNMP
• System > Config > Remote Syslog
• System > Config > Log Aggregation
• System > Config > Log Forwarding
• System > Config > RAID
• System > Maintenance > Backup & Restore
• System > Maintenance > FortiGuard
• System > Maintenance > Migration
• Devices > All Devices > Allowed
• Device > All Devices > Blocked
• Device > All Devices > Unregistered Options
• Log & Archive > eDiscovery > Config
• Log & Archive > Options > Log File Options
• Report > Config > Language (SQL database disabled in System > Config > SQL Database)
• Vulnerability Management > Summary > Host Status
• Vulnerability Management > Summary > Vulnerability Database
• Vulnerability Management > Asset > Host
• Vulnerability Management > Asset > Group
• Vulnerability Management > Network Map > Report
• Vulnerability Management > Network Map > Config
• Vulnerability Management > Scan > Report
• Vulnerability Management > Scan > Schedule
• Vulnerability Management > Scan > Profile
• Vulnerability Management > Scan > Sensor
• Vulnerability Management > Compliance Report > Report
• Vulnerability Management > Compliance Report > Template
• Tools > Network Analyzer > Historical
• Tools > Network Analyzer > Browse
• Tools > Network Analyzer > Config
• Tools > File Explorer > File Explorer
Within other ADOMs:
• System > Config > Mail Server
• System > Config > Remote Output
• System > Config > IP Alias
• System > Config > LDAP
• Devices > All Devices > Allowed (read only)
• Device > Group > Device Group
• Log & Archive > Log Access > Traffic
• Log & Archive > Log Access > Event
• Log & Archive > Log Access > IPS (Attack)
• Log & Archive > Log Access > Application Control
• Log & Archive > Log Access > Web Filter
• Log & Archive > Log Access > AntiVirus
• Log & Archive > Log Access > Data Leak (DLP)
• Log & Archive > Log Access > VoIP
• Log & Archive > Log Access > Email Filter
• Log & Archive > Log Access > Network Scan
• Log & Archive > Log Access > History
• Log & Archive > Log Access > IM
• Log & Archive > Log Access > Generic Syslog
• Log & Archive > Log Access > All Logs
• Log & Archive > Archive Access > IPS Packet
• Log & Archive > Archive Access > Quarantine
• Log & Archive > Archive Access > Web
• Log & Archive > Archive Access > Email
• Log & Archive > Archive Access > FTP
• Log & Archive > Archive Access > IM
• Log & Archive > Archive Access > VoIP Log
• Log & Archive > Archive Access > MMS
• Log & Archive > eDiscovery > Folders
• Log & Archive > eDiscovery > Search
• Log & Archive > Log Browse > Log Browse
• Report (SQL database disabled in System > Config > SQL Database):
  • Report > Access > Scheduled Report
  • Report > Schedule > Schedule
  • Report > Config > Layout
  • Report > Config > Data Filter
• Report (SQL database enabled in System > Config > SQL Database):
  • Report > Access > default
  • Report > Access > Scheduled Report
  • Report > Config > Report
  • Report > Config > Graphic
  • Report > Chart > Template
  • Report > Chart > Data Set
• If ADOMs are enabled and you log in as admin, you first access the Global ADOM
where you have full access to the menus and can configure other ADOMs in System >
ADOM > ADOM. At the end of the menu list, the Current ADOM menu appears,
enabling you to enter into another ADOM or return to the Global ADOM.
Note: By default, some menus are hidden. To make them visible, enable the menus in
System > Admin > Settings.
The Global ADOM contains settings used by the FortiAnalyzer unit itself and settings
shared by ADOMs, such as the device list, RAID, and administrator accounts. It does
not include ADOM-specific settings or data, such as logs and reports. When
configuring other administrator accounts, an additional option appears allowing you to
restrict other administrators to an ADOM. For more information, see “Assigning
administrators to an ADOM” on page 30. The admin administrator can further restrict
other administrators’ access to specific configuration areas within their ADOM by using
access profiles. For more information, see “Configuring access profiles” on page 78.
• If ADOMs are enabled and you log in as any other administrator, you enter the ADOM
assigned to your account. You can only access the menu items assigned to you in your
access profile. You cannot access the Global ADOM, or enter other ADOMs.
By default, administrator accounts other than the admin account are assigned to the
root ADOM, which includes all devices in the device list. By creating ADOMs that
contain a subset of devices in the device list, and assigning them to administrator
accounts, you can restrict other administrator accounts to a subset of the FortiAnalyzer
unit’s total devices or VDOMs.
The maximum number of ADOMs varies by FortiAnalyzer model. For details, see
“Appendix C: Maximum values matrix” on page 309.
This topic includes:
• Configuring ADOMs
• Accessing ADOMs as the admin administrator
• Assigning administrators to an ADOM
Configuring ADOMs
Administrative domains (ADOMs) are disabled by default. To use administrative domains,
the admin administrator must:
1 Enable the feature by going to System > Admin > Settings. See “To enable ADOMs” on
page 26.
Note: ADOMs are not supported on FortiAnalyzer-100/100A/100B/100C models.
2 Create ADOMs by going to System > ADOM > ADOM. See “To add or edit an ADOM”
on page 28.
3 Assign other FortiAnalyzer administrators to an ADOM by going to System > Admin >
Administrator. See “To assign an administrator to an ADOM” on page 31.
To enable ADOMs
Caution: Enabling ADOMs moves non-global configuration items to the root ADOM. Back
up the configuration before beginning the following procedure. For more information about
backing up your configuration, see “Backing up the configuration & installing firmware” on
page 112.
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Go to System > Admin > Settings.
3 Enable (select) Admin Domain Configuration.
4 Click Apply.
A dialog appears:
Enabling/Disabling the admin domain configuration will require
you to re-login. Are you sure you want to continue?
5 Click OK.
The FortiAnalyzer unit logs you out.
Note: If other administrators are also logged in at the same time, they will not be
automatically logged out. Notify them that ADOMs have been enabled, and that they may
need to log out and log in again for display changes to take effect.
6 To confirm that ADOMs are enabled, log in again as admin.
System > ADOM > ADOM appears. At the end of the menu list, the Current ADOM
menu also appears, enabling you to enter into an ADOM or return to the Global ADOM.
Continue with “To add or edit an ADOM” on page 28 to create ADOMs.
To add or edit an ADOM
Before you can add an ADOM, you must first enable the feature. For details, see “To
enable ADOMs” on page 26.
1 From Current ADOM in the lefthand navigation menu, select Global.
2 Go to System > ADOM > ADOM.
3 Click Create New, or, to modify an existing ADOM, mark its check box, then click Edit.
4 In Name, type a name for the ADOM.
This field cannot be modified if you are editing an existing entry. To modify the name,
delete the entry, then recreate it using the new name.
5 From Available Devices, select which devices to associate with the ADOM, then click
the right arrow to move them to Selected Devices.
You can move multiple devices at once. To select multiple devices, click the first
device, then hold the Shift key while clicking the last device in a continuous range, or
hold the Ctrl key while clicking each additional device.
To remove a device from Selected Devices, select one or more devices, then click the
left arrow to move them to Available Devices.
6 If the ADOM includes a FortiGate unit, and you want to include only a specific VDOM,
enable Restrict to Virtual Domain(s), then enter the VDOM name. If the ADOM
includes a FortiMail unit and you want to include only a specific email domain, enable
and configure Restrict to Email Domain(s).
7 Click OK.
Continue with “Assigning administrators to an ADOM” on page 30.
To disable ADOMs
Caution: Back up the configuration before beginning this procedure. Deleting ADOMs,
which can occur when disabling the ADOM feature, removes administrator accounts
assigned to ADOMs other than the root ADOM. For more information, see “Backing up
the configuration & installing firmware” on page 112.
If you do not wish to delete these administrator accounts, assign them to the root ADOM
before disabling ADOMs.
1 From Current ADOM in the lefthand navigation menu, select Global.
2 Go to System > ADOM > ADOM.
3 Mark the check boxes next to each ADOM except root (Management Administrative
Domain), then click Delete.
Note: You cannot delete an ADOM if an administrator is currently assigned to it. You must
first reassign the administrator to the root ADOM (see “Assigning administrators to an
ADOM” on page 30).
If any other ADOMs except the root ADOM remain, the option to disable ADOMs will
not appear.
4 Go to System > Admin > Settings.
5 Disable (deselect) Admin Domain Configuration.
6 Click Apply.
A dialog appears:
Enabling/Disabling the admin domain configuration will require
you to re-login. Are you sure you want to continue?
7 Click OK.
The FortiAnalyzer unit logs you out.
Accessing ADOMs as the admin administrator
When ADOMs are enabled, additional ADOM items become available to the admin
administrator and the structure of the web-based manager menu changes. After logging
in, other administrators implicitly access the subset of the web-based manager that
pertains only to their ADOM, while the admin administrator accesses the root of the
web-based manager and can use all menus. The admin administrator must explicitly
enter the part of the web-based manager that contains an ADOM’s settings and data to
configure items specific to an ADOM.
To access an ADOM
1 Log in as admin.
Other administrators can access only the ADOM assigned to their account.
2 From Current ADOM in the lefthand navigation menu, select the name of the ADOM
that you want to enter.
The ADOM-specific menu subset appears. While in this menu subset, any changes
you make affect this ADOM only, and do not affect devices in other ADOMs or global
FortiAnalyzer unit settings.
You can return to global settings by selecting Global from Current ADOM.
Assigning administrators to an ADOM
The admin administrator can create other administrators and assign an ADOM to their
account, constraining them to configurations and data that apply only to devices in their
ADOM.
Note: By default, when ADOMs are enabled, existing administrator accounts other than
admin are assigned to the root ADOM, which contains all devices in the device list. For
more information about creating other ADOMs, see “Configuring ADOMs” on page 25.
Note: The admin administrator account cannot be restricted to an ADOM.
To assign an administrator to an ADOM
1 Log in as admin.
Other administrators cannot configure administrator accounts when ADOMs are
enabled.
2 From Current ADOM in the lefthand navigation menu, select Global.
3 Go to System > Admin > Administrator.
4 Configure the administrator account as described in “Configuring administrator
accounts” on page 75. In Admin Domain, select which ADOM the administrator will be
able to access.
System
The System menu displays a dashboard with widgets that indicate statuses and do basic
functions such as rebooting the FortiAnalyzer unit.
This menu also contains submenus that enable you to make configuration backups, and
configure administrator accounts, system time, network and FortiGuard connectivity, and
other system-wide features such as RAID and log forwarding.
This topic includes:
• Viewing the dashboard
• Configuring network settings
• Configuring network shares
• Configuring administrator-related settings
• Configuring log storage & query features
• Backing up the configuration & installing firmware
• Scheduling & uploading vulnerability management updates
• Importing a local server certificate
Viewing the dashboard
System > Dashboard > Status displays first after you log in to the web-based manager. It
contains a dashboard with widgets that each indicate a performance level or other status.
By default, the widgets display the serial number and current system status of the
FortiAnalyzer unit, including uptime, system resource usage, host name, firmware version,
system time, and log throughput. The dashboard also contains a CLI widget that enables
you to use the command line through the web-based manager. These widgets appear on
a single dashboard.
Figure 1: Viewing the dashboard
The dashboard is customizable. You can select which widgets to display, where they are
located on the page, and whether they are minimized or maximized. You can also create
additional dashboards.
To add a dashboard, click Dashboard, then select Add Dashboard and type its name. The
dashboard is added to the lefthand navigation menu. (For example, for a dashboard
named “Summary Reports”, System > Dashboard > Summary Reports would be added to
the menu.) The new dashboard is empty until you add the widgets that you want to show
on that new dashboard.
To move a widget, position your mouse cursor on the widget’s title bar, then click and drag
the widget to its new location.
To show a widget, in the upper left-hand corner, click Widget, then click the names of
widgets that you want to show. To hide a widget, in its title bar, click Close.
Figure 2: Adding a widget
To see the available options for a widget, position your mouse cursor over the icons in the
widget’s title bar. Options vary slightly from widget to widget, but always include options to
close or show/hide the widget.
Figure 3: A minimized widget (callouts: Widget title, Show/Hide arrow, Edit, Refresh, Close)
Name of the GUI item / Description
Widget Title: The name of the widget.
Show/Hide arrow: Click to show or hide the widget.
Edit: Click to change settings for the widget.
Refresh: Click to update the displayed information.
Close: Click to hide the widget on the dashboard. You will be prompted to confirm the action. To show the widget again, click Widget near the top of the dashboard.
The available dashboard widgets are:
• System Information widget
• License Information widget
• Unit Operation widget
• System Resources widget
• Logs/Data Received widget
• Statistics widget
• Report Engine widget
• Disk Monitor widget
• Log Receive Monitor widget
• Alert Message Console widget
• CLI Console widget
• Top Traffic widget
• Top Web Traffic widget
• Top Email Traffic widget
• Top FTP Traffic widget
• Top IM/P2P Traffic widget
• Virus Activity widget
• Intrusion Activity widget
System Information widget
The System Information widget (System > Dashboard > Status) displays the serial number
and basic system statuses such as the firmware version, system time, host name, and up
time.
In addition to displaying basic system information, the System Information widget enables
you to configure the host name, operation mode, and to change the firmware.
Figure 4: System Information widget
Name of the GUI item / Description
Serial Number: The serial number of the FortiAnalyzer unit. The serial number is specific to the FortiAnalyzer unit’s hardware and does not change with firmware upgrades. Use this number when registering the hardware with Fortinet Technical Support.
Uptime: The time in days, hours, and minutes since the FortiAnalyzer unit was started.
System Time: The current date and time according to the FortiAnalyzer unit’s internal clock. Click Change to change the time or configure the FortiAnalyzer unit to get the time from an NTP server. See “Configuring the time & date” on page 36.
Host Name: The host name of the FortiAnalyzer unit. Click Change to change the host name. See “Configuring the FortiAnalyzer unit’s host name” on page 37.
Firmware Version: The version of the firmware currently installed on the FortiAnalyzer unit. Click Update to install firmware. See “Maintaining firmware” on page 263.
Configuring the time & date
You can either manually set the FortiAnalyzer system time or configure the FortiAnalyzer
unit to automatically keep its system time correct by synchronizing with a Network Time
Protocol (NTP) server.
Note: For many features to work, including scheduling, logging, and SSL-dependent
features, the FortiAnalyzer system time must be accurate.
To configure the date and time
1 Go to System > Dashboard > Status. In the System Information widget, in the System
Time row, click Change.
2 From Time Zone, select the time zone in which the FortiAnalyzer unit is located.
3 Configure the following to either manually configure the system time, or automatically
synchronize the FortiAnalyzer unit’s clock with an NTP server:
Name of the GUI item / Description
System Time: The date and time according to the FortiAnalyzer unit’s clock at the time that this tab was loaded, or when you last clicked the Refresh button.
Refresh: Click to update the System Time field with the current time according to the FortiAnalyzer unit’s clock.
Time Zone: Select the time zone in which the FortiAnalyzer unit is located.
Set Time: Select this option to manually set the date and time of the FortiAnalyzer unit’s clock, then select the Hour, Minute, Second, Year, Month and Day fields before you click OK.
Synchronize with NTP Server: Select this option to automatically synchronize the date and time of the FortiAnalyzer unit’s clock with an NTP server, then configure the Server and Sync Interval fields before you click OK.
Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, go to http://www.ntp.org.
Sync Interval: Enter how often in minutes the FortiAnalyzer unit should synchronize its time with the NTP server. For example, entering 1440 causes the FortiAnalyzer unit to synchronize its time once a day.
4 Click OK.
Configuring the FortiAnalyzer unit’s host name
The host name of the FortiAnalyzer unit is used in several places.
• It appears in the System Information widget on the Status tab. For more information about the System Information widget, see “System Information widget” on page 36.
• It is used in the command prompt of the CLI.
• It is used as the SNMP system name. For information about SNMP, see “Configuring the SNMP agent” on page 92.
The System Information widget and the get system status CLI command will display
the full host name. However, if the host name is longer than 16 characters, the CLI and
other places display the host name in a truncated form ending with a tilde ( ~ ) to indicate
that additional characters exist, but are not displayed.
For example, if the host name is FortiAnalyzer1234567890, the CLI prompt would be
FortiAnalyzer123456~#.
To change the host name
1 Go to System > Dashboard > Status.
2 In the System Information widget, in the Host Name row, click Change.
3 In the Host Name field, type a new host name.
The host name may be up to 35 characters in length. It may include US-ASCII letters,
numbers, hyphens, and underscores. Spaces and special characters are not allowed.
4 Click OK.
License Information widget
The License Information widget displays information on features that vary by a purchased
license or contract, such as FortiGuard subscription services.
It also displays how many devices are connected or attempting to connect to the
FortiAnalyzer unit.
Figure 5: License Information widget
Name of the GUI item / Description
FortiGuard Services:
Vulnerability Management: Indicates whether or not this FortiAnalyzer unit is licensed for the FortiGuard Vulnerability Management Service. If it is not, you can click Subscribe to register for the service.
VM Plugins: The version of the vulnerability management plug-in, and the date of its last update. Click Update to upload a new version of the plug-in. For more information on vulnerability management, see “Scheduling & uploading vulnerability management updates” on page 114.
VM Engine: The version of the vulnerability management engine, and the date of its last update.
Device Registration Summary: A total of the number of each device type connecting or attempting to connect to the FortiAnalyzer unit. For more information about the maximum numbers of devices of each type and/or VDOMs that are permitted to connect to the FortiAnalyzer unit, see “Maximum number of devices” on page 124 and “Appendix C: Maximum values matrix” on page 309.
The Registered column is the number of devices that you have added to the FortiAnalyzer unit’s device list, either manually or automatically.
The Unregistered column is the number of devices attempting to connect to the FortiAnalyzer unit that are not yet registered. To configure the FortiAnalyzer unit to accept data from a device, see “Manually adding or deleting a device or HA cluster” on page 127.
For more information about registered and unregistered devices, see “Unregistered vs. registered devices” on page 124.
Unit Operation widget
The Unit Operation widget indicates the connectivity status for each physical network port.
It also enables administrators to perform basic system operations such as rebooting the
FortiAnalyzer unit.
Note: These operations are available only to users with the read and write access profile.
Color indicates whether or not a port has detected a physical connection. If a port’s color is
gray, there is no connectivity, but if a port’s color is green, it is connected.
Additional system-wide operations, such as formatting the log disk or resetting the
configuration to the firmware’s default values, are available from the CLI. For details, see
the FortiAnalyzer CLI Reference.
Figure 6: Unit Operation widget
Name of the GUI item / Description
Reboot: Click to halt and restart the operating system of the FortiAnalyzer unit.
ShutDown: Click to halt the operating system of the FortiAnalyzer unit, preparing its hardware to be powered off.
System Resources widget
The System Resources widget displays the CPU and memory usage levels over time.
Figure 7: System Resources widget (callout: Edit)
Name of the GUI item / Description
CPU Usage: The current CPU usage displayed as a dial gauge or graph. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
The FortiAnalyzer CPU utilization can appear to be continually high due to the amount of work the FortiAnalyzer unit is tasked to perform. There are two key CPU-intensive operations on a FortiAnalyzer unit:
• indexing log messages
• report generation and other enhanced features
Log indexing: A FortiAnalyzer unit deployed in a network can receive hundreds of log messages per second throughout the day. The FortiAnalyzer unit indexes nearly all fields in a log message to include in the database. This process can be very CPU intensive, as the indexing component is continually running to keep up with the incoming log messages.
Report generation and other enhanced features: The FortiAnalyzer unit has many reporting functions. Various report generations can be running at any time during the day, including:
• security event reports
• traffic summary reports
• regular reports whose complexity can vary depending on the requirements
• quota checking with log rolling
• network sniffing
• vulnerability scan.
All these tasks can be CPU intensive, especially when a combination of them is occurring at the same time. This can cause the CPU to stay at 90% or more much of the time. Note that the indexing operation is set to the lowest priority so as not to affect critical processes such as receiving log messages. These operations will take all the available CPU cycles, so it is normal to expect high CPU utilization at times.
On smaller devices, such as the FortiAnalyzer-100A, where the CPU and disk speed are not as fast as the higher-end models, the CPU usage can appear more pronounced.
Memory Usage: The current memory (RAM) usage displayed as a dial gauge or graph. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Session: The number of sessions over the specified historical time period. Sessions are the current communications sessions on the FortiAnalyzer unit, which include devices that connect to send logs or quarantine files. This item does not appear when viewing current (Real Time) system resources.
Network Utilization: The network utilization over the specified historical time period. This item does not appear when viewing current (Real Time) system resources.
To configure settings for the widget, in its title bar, click Edit to open the Edit System
Resources Settings window.
• To view only the most current information about system resources, from View Type, select Real Time.
• To view historical information about system resources, from View Type, select History. To change the time range, from Time Period, select one of the following: Last 10 Minutes, Last Hour, or Last Day.
• To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0.
Logs/Data Received widget
The Logs/Data Received widget displays the rate over time of the logs and data, such as
DLP archives and quarantined files, received by the FortiAnalyzer unit.
The display of this widget varies by model.
Figure 8: Logs/Data Received widget (callout: Edit)
Name of the GUI item / Description
Logs Received: Number of logs received per second.
Data Received: Volume of data received.
To configure settings for the widget, in its title bar, click Edit to open the Edit Logs/Data
Received Settings window.
• To view only the most current information about system resources, from View Type, select Real Time.
• To view historical information about system resources, from View Type, select History. To change the time range, from Time Period, select one of the following: Last 10 Minutes, Last Hour, or Last Day.
• To automatically refresh the widget at intervals, in Refresh Interval, type a number between 10 and 240 seconds. To disable the refresh interval feature, type 0.
For information on how much disk space is currently consumed, see “Disk Monitor widget”
on page 45.
Statistics widget
The Statistics widget displays the numbers of sessions, volume of log files, and number of
reports handled by the FortiAnalyzer unit.
Figure 9: Statistics widget (callout: Reset)
Name of the GUI item / Description
(Since yyyy-mm-dd hh:mm:ss): The date and time when the statistics were last reset. To reset the date and time, hover your mouse cursor over the widget’s title bar area, then click Reset.
Sessions: The number of communication sessions occurring on the FortiAnalyzer unit, including those with devices that connect to send logs or quarantine files. Click Details for more information on the connections. For more information, see “To view session details” on page 43.
Logs & Reports:
Logs: The number of new log files received from a number of devices since the statistics were last reset. For more information, see “To view log details” on page 44.
Log Volume: The average log file volume received per day over the past 7 days. Click Details to view the log file volume received per day. For information on total disk space consumption, see “Disk Monitor widget” on page 45.
Reports: The number of reports generated for a number of devices. Click Details for more information on the reports. For more information, see “Example reports (SQL-based)” on page 206.
To view session details
1 Go to System > Dashboard > Status.
2 In the Statistics widget, next to Sessions, click Details.
When viewing sessions, you can search or filter to find specific content. For more
information about filtering information, see “Filtering logs” on page 142.
Name of the GUI item / Description
Refresh: Click to refresh the page with current, updated session information.
Search: Enter a word or words to find specific information. Press Enter to initiate the search process.
Protocol: The protocol used during that session.
Source: The session’s source IP address.
Source Port: The session’s source port number.
Destination: The session’s destination IP address.
Destination Port: The session’s destination port number.
Expires(secs): The number of seconds until the session expires.
To view log details
1 Go to System > Dashboard > Status.
2 In the Statistics widget, next to Logs, click Details.
Name of the GUI item / Description
Display: Mark the check box of a log file whose messages you want to view, then click this button. Only one log file can be selected each time. For more information about viewing log details, see “Viewing log messages” on page 137.
Download: Mark the check box of a log file that you want to download, click this button, then select one of the following.
• Log file format: Downloads the log file in text (.txt), comma-separated value (.csv), or standard .log (Native) file format.
• Compress with gzip: Compress the downloaded log file with GZIP compression. Downloading a log-formatted file with GZIP compression results in a download with the file extension .log.gz.
Import: Click to import devices’ log files. This can be useful when restoring data or loading log data for temporary use. From the Device field, select the device to which the imported log file belongs, or select Take From Imported File to read the device ID from the log file. If you select Take From Imported File, your log file must contain a device_id field in its log messages. In Filename, click Browse to find the log file. For more information, see “Importing a log file” on page 153.
Device Type: Select the type of devices whose log files you want to view.
Show Log File Names: Enable to show the log file names under each log type.
Log Files: Depending on the
#: Number of log files for each type.
From: The date and time when the FortiAnalyzer unit starts to generate the log file.
To: The date and time when the FortiAnalyzer unit completes generating the log file, when the file reaches its maximum size or the scheduled time. For more information, see “Configuring rolling and uploading of devices’ logs” on page 156.
Size (bytes): The size of the log file.
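The Import option with Take From Imported File only works when every message in the file carries a device_id field. The following pre-flight check is an added example, not Fortinet code: it parses the key=value log format, lists the line numbers of messages that lack device_id, and reports which device IDs occur, so an operator can see before importing whether the file maps cleanly to one device. It assumes one message per line in key=value form (double-quoted values allowed) and that a .gz file is a gzip stream of the same text, matching the .log.gz download described above. The sample messages and the device ID FG-EXAMPLE-0001 are constructed placeholders.

```python
"""Pre-flight check for a log file before importing it with Take From Imported File.

Added example (not Fortinet code). It parses the key=value log format and
reports every message that lacks the device_id field the import relies on,
plus the set of device IDs found. Assumptions: one message per line in
key=value form with double-quoted values allowed; a .gz file is a gzip
stream of the same text.
"""
import gzip
import re

# key=value pairs; a value is either a double-quoted string (backslash escapes
# allowed) or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')

# Constructed sample messages (placeholder device ID, not a real device).
# Line 3 is missing device_id on purpose; line 4 is blank.
SAMPLE_LOG_LINES = [
    'date=2010-12-03 time=10:15:01 device_id=FG-EXAMPLE-0001 log_id=0021000002 '
    'type=traffic subtype=allowed pri=notice src=10.0.0.5 dst=10.0.0.9 msg="sample traffic log"',
    'date=2010-12-03 time=10:15:02 device_id=FG-EXAMPLE-0001 log_id=0100020001 '
    'type=event subtype=admin pri=information msg="User admin logged in"',
    'date=2010-12-03 time=10:15:03 log_id=0021000002 type=traffic subtype=allowed '
    'pri=notice src=10.0.0.7 dst=10.0.0.9',
    '',
]


def parse_log_line(line):
    """Return the key=value fields of one log message as a dict."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"'):
            # strip the surrounding quotes and unescape embedded quotes
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def check_device_id(lines):
    """Report which non-empty messages lack device_id and which IDs appear.

    Returns a dict with: total (messages checked), missing (1-based line
    numbers without device_id), device_ids (sorted unique IDs), and ok
    (True only when every message carries device_id and all IDs agree,
    i.e. the file belongs to exactly one device).
    """
    missing, ids, total = [], set(), 0
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue  # blank lines are not messages
        total += 1
        fields = parse_log_line(line)
        if "device_id" in fields:
            ids.add(fields["device_id"])
        else:
            missing.append(number)
    return {
        "total": total,
        "missing": missing,
        "device_ids": sorted(ids),
        "ok": not missing and len(ids) == 1,
    }


def audit_log_file(path):
    """Run check_device_id over a plain or gzip-compressed (.gz) log file."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as handle:
        return check_device_id(handle)


if __name__ == "__main__":
    print(check_device_id(SAMPLE_LOG_LINES))
```

Run audit_log_file() on the downloaded .log or .log.gz file before choosing Take From Imported File; if "missing" is non-empty, select the device explicitly in the Device field instead, and if "device_ids" lists more than one ID, split the file per device first.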
Report Engine widget
You can only add a Report Engine widget if you have selected the proprietary indexed file
storage system. For information on switching file storage systems, see “Configuring SQL
database storage” on page 83.
This widget indicates report generation activity. Report engine activities include whether
the report engine is active or inactive, what reports are running when active, and the
percentage completed.
When a report is being generated as scheduled, the report engine status changes from
inactive to active.
To generate a report, click the Generate report icon in the title bar, and then configure a
new report schedule. For more information, see “Configuring report schedules” on
page 179.
Figure 10: Report Engine widget
Disk Monitor widget
The Disk Monitor widget displays information about the status of RAID disks as well as
what RAID level has been selected. It also displays how much disk space is currently
consumed.
To configure settings for the widget, in its title bar, click RAID Settings. For more
information, see “Configuring RAID” on page 104.
Note: The RAID Settings icon does not appear on FortiAnalyzer 100A, 100B, and 100C
units, because RAID is not supported on these models. Only disk space usage information
is displayed on these models.
Figure 11: Disk Monitor widget (callouts: RAID Settings, Rebuilding icon)
Name of the GUI item / Description
RAID Status: Icons and text indicate one of the following RAID disk statuses:
• green checkmark (OK): Indicates that the RAID disk has no problems.
• warning symbol (Warning): Indicates that there is a problem with the RAID disk, such as a failure, and that it needs replacing. The RAID disk is also in reduced reliability mode when this status is indicated in the widget.
• wrench symbol (Rebuilding): Indicates that a drive has been replaced and the RAID array is being rebuilt; it is also in reduced reliability mode.
• exclamation mark (Failure): Indicates that one or more drives have failed, the RAID array is corrupted, and the drive must be reinitialized. This is displayed by both a warning symbol and text. The text appears when you hover your mouse over the warning symbol; the text also indicates the amount of space in GB.
Rebuild Status: A percentage bar indicating the progress of the rebuilding of a RAID array. The bar displays only when a RAID array is being rebuilt.
Estimated rebuild time [start and end time]: The time remaining to rebuild the RAID array, and the date and time the rebuild is expected to end. This time period displays only when an array is being rebuilt. This time period will not display in hardware RAID, such as FortiAnalyzer-2000/2000A/2000B and FortiAnalyzer-4000/4000A/4000B.
Rebuild Warning: Text reminding you that the system has no redundancy protection until the rebuilding process is complete. This text displays only when an array is being rebuilt.
Disk space usage: The amount of disk used, displayed as a percentage and a percentage bar. Note that the FortiAnalyzer unit reserves some disk space for compression files, upload files, and temporary report files. The total reserved space is:
• 25% of total disk space if total < 500G, with a maximum of 100G
• 20% of total disk space if 500G < total < 1000G, with a maximum of 150G
• 15% of total disk space if 1000G < total < 3000G, with a maximum of 300G
• 10% of total disk space if total > 3000G
This reserved space is therefore deducted from the total capacity.
FortiAnalyzer units allocate most of their total disk space for both the FortiAnalyzer unit’s
own logs as well as logs and quarantined files from connecting devices. Disk space quota
is assigned to each device and the FortiAnalyzer unit itself. If the quota is consumed, the
FortiAnalyzer unit will either overwrite the oldest files saved or stop collecting new logs,
depending on your preference. For devices’ disk space quota settings, see “Manually
adding or deleting a device or HA cluster” on page 127. For the FortiAnalyzer unit’s local
log disk space quota settings, see the FortiAnalyzer CLI Reference.
Remaining disk space is reserved for devices, FortiAnalyzer reports, and any temporary
files, such as configuration backups and log files that are currently queued for upload to a
server. The size of the reserved space varies by the total RAID/hard disk capacity. For
more information, see “Disk space usage” on page 46.
For more information about RAID, see “Configuring RAID” on page 104. For more
information on the volume of logs being received, see “Logs/Data Received widget” on
page 41.
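To plan device quotas against the capacity actually available for logs, the reservation rule from the Disk space usage row and the quota model above can be worked through in code. The following calculator is an added example, not Fortinet code: it returns the reserved space for a given total capacity, the usable remainder, and the headroom left after the per-device quotas (plus the unit's own local log quota) are summed. One assumption is labelled in the code: the guide does not say which band a total of exactly 500G, 1000G or 3000G falls into, so the example places each boundary value in the next higher band. The sample quotas and device names are constructed.

```python
"""Reserved-space and quota calculator for a FortiAnalyzer log disk.

Added example (not Fortinet code): it applies the reservation rule given in
the Disk Monitor widget description and the per-device quota model described
with it. Assumption: the guide does not say which band a total of exactly
500G, 1000G or 3000G falls into; this code places each boundary value in the
next higher band (for example, 500G uses the 20% rule).
"""

# Each band: (upper bound in GB, exclusive; None = no bound), percent reserved,
# cap in GB (None = no cap). Values are taken from the widget description.
RESERVE_BANDS = (
    (500, 25, 100),
    (1000, 20, 150),
    (3000, 15, 300),
    (None, 10, None),
)


def reserved_space_gb(total_gb):
    """Return the space the unit reserves for compression, upload and
    temporary report files, given the total RAID/hard disk capacity in GB."""
    if total_gb <= 0:
        raise ValueError("total capacity must be positive")
    for upper, percent, cap in RESERVE_BANDS:
        if upper is None or total_gb < upper:
            reserved = total_gb * percent / 100
            return reserved if cap is None else min(reserved, cap)
    raise AssertionError("unreachable: the last band has no upper bound")


def usable_space_gb(total_gb):
    """Capacity left for device logs, quarantined files and the unit's own logs."""
    return total_gb - reserved_space_gb(total_gb)


def quota_headroom_gb(total_gb, quotas_gb):
    """Return usable space minus the sum of all assigned quotas.

    quotas_gb maps a device name (or 'local' for the unit's own logs) to its
    quota in GB. A negative result means quotas were over-allocated: a device
    that fills its quota either has its oldest files overwritten or stops
    being collected, so the quotas together should fit in the usable space.
    """
    return usable_space_gb(total_gb) - sum(quotas_gb.values())


if __name__ == "__main__":
    # Constructed sample deployment: a 2000G array with three log sources.
    sample_quotas = {"local": 50, "FGT-branch-1": 600, "FGT-branch-2": 900}
    for total in (250, 500, 800, 2000, 4000):
        print(f"{total:>5}G total -> {reserved_space_gb(total):>6.1f}G reserved, "
              f"{usable_space_gb(total):>7.1f}G usable")
    print("headroom on 2000G:", quota_headroom_gb(2000, sample_quotas), "G")
```

The caps matter more than the percentages for mid-sized arrays: an 800G array loses 150G (the 20% band's cap), not 160G, and anything from 2000G up to 3000G loses a flat 300G.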
Hot-swapping hard disks
If a hard disk on a FortiAnalyzer unit fails, it must be replaced. The hard disk can be
replaced while the FortiAnalyzer unit is running, also known as hot swapping.
Figure 12: Status of a failed hard disk on a FortiAnalyzer-800 unit as shown in the Disk
Monitor widget
To hot-swap a hard disk
Caution: Electrostatic discharge (ESD) can damage FortiAnalyzer equipment. Only
perform the procedures described in this document from an ESD workstation. If no such
station is available, you can provide some ESD protection by wearing an anti-static wrist or
ankle strap and attaching it to an ESD connector or to a metal part of a FortiAnalyzer
chassis.
When replacing a hard disk, you need to first verify that the new disk has the same size as
those supplied by Fortinet and has at least the same capacity as the old one in the
FortiAnalyzer unit. Installing a smaller hard disk will affect the RAID setup and may cause
data loss. Due to possible differences in sector layout between disks, the only way to
guarantee that two disks have the same size is to use the same brand and model.
The size provided by the hard drive manufacturer for a given disk model is only an
approximation. The exact size is determined by the number of sectors present on the disk.
1 Go to System > Dashboard > Status.
2 In the Unit Operation widget, click Shutdown.
3 Click OK.
4 Remove the faulty hard disk and replace it with a new one.
5 Restart the FortiAnalyzer unit.
The FortiAnalyzer unit will automatically add the new disk to the current RAID array.
The status appears on the console. After the FortiAnalyzer unit boots, the widget will
display a green check mark icon for all disks and the RAID Status area will display the
progress of the RAID resynchronization/rebuild.
Note: Once a RAID array is built, adding another disk with the same capacity will not affect
the array size until you rebuild the array by restarting the FortiAnalyzer unit.
Adding new disks for FortiAnalyzer 2000B/4000B
The FortiAnalyzer 2000B unit is shipped with 2 hard disks. You can add up to 4 more disks
to increase the storage capacity. The FortiAnalyzer 4000B unit is shipped with 6 hard
disks. You can add up to 18 more disks to increase the storage capacity.
Note: Fortinet recommends that you use the same disks as those supplied by Fortinet.
Disks of other brands will not be supported by Fortinet. For information on purchasing extra
hard disks, contact Fortinet Technical Support.
To add more hard disks
1 Obtain the same disks as those supplied by Fortinet.
2 Back up the log data on the FortiAnalyzer 2000B/4000B unit. You can also migrate the
data to another FortiAnalyzer unit if you have one. Data migration reduces system
down time and risk of data loss.
For information on data backup, see “Backing up the configuration & installing
firmware” on page 112. For information on data migration, see “Migrating data from one
FortiAnalyzer unit to another” on page 115.
3 Install the disks on the FortiAnalyzer unit. You can do so while the FortiAnalyzer unit is
running.
4 Configure the RAID level. See “Configuring RAID” on page 104.
5 If you have backed up the log data, restore the data. For more information, see
“Backing up the configuration & installing firmware” on page 112.
Log Receive Monitor widget
The Log Receive Monitor widget displays the rate at which logs are received over time.
To configure settings for the widget, in its title bar, click Edit.
Figure 13: Log Receive Monitor widget
Figure 14: Editing Log Receive Monitor Settings
Name of the GUI item
Description
Widget Name
The current widget name.
Type
Select either:
• Log Type: Display the types of logs received from all registered devices,
separated into categories such as top 5 traffic logs or antivirus logs.
• Device: Display the logs received from each registered device, ranked as the
top number of devices.
No. Entries
Select the number of either log types or devices in the widget’s graph,
depending on your selection in the Type field.
Time Period
Select one of the following time ranges over which to monitor the rate at
which log messages are received:
• Hour
• Day
• Week
Refresh Interval
To automatically refresh the widget at intervals, in Refresh Interval, type a
number between 10 and 240 seconds. To disable the refresh interval
feature, type 0.
Alert Message Console widget
The Alert Message Console widget displays log-based alert messages for both the
FortiAnalyzer unit itself and connected devices.
Alert messages help you track system events on your FortiAnalyzer unit such as firmware
changes, and network events such as detected attacks. Each message shows the date
and time that the event occurred.
Tip: Alert messages can also be delivered by email, Syslog or SNMP. For more
information, see “Configuring alerts” on page 85.
Figure 15: Alert Message Console widget
The widget displays only the most current alerts. For a complete list of unacknowledged
alert messages, in the widget’s title bar, click More alerts. To sort the columns by either
ascending or descending order, click the column headings.
Figure 16: List of all alert messages
Name of the GUI item
Description
Acknowledge
Mark the check boxes of alert messages that you want to remove from
the list of alerts, then click Acknowledge.
Include...and higher
Select a severity threshold. Log messages equal to or greater than that
severity will appear in the list of alerts.
Remove
unacknowledged alerts
older than [n days]
Select a number of days to remove the alert messages older than that
number.
formatted | raw
Select either:
• formatted: Display the alert messages in columnar format.
• raw: Display the information without formatting, as it actually
appears in the log messages.
Device
The device where the log message originated.
Event
The Message (msg=) field of the log message, which usually contains a
description of the event.
Level
The severity level of the log message.
Time
The date and time when the log message was generated. To sort in
ascending or descending order, click the arrow in the column heading.
Counter
The number of occurrences of the event.
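As an added example (not part of this guide or of the FortiAnalyzer product), the following Python script reproduces the behaviour of the alert list described above: the "Include ... and higher" severity threshold, the raw and formatted views, the Counter column and the age-based removal. It runs over a few constructed FortiGate-style key=value log lines; the field names (date, time, devname, level, msg) and the severity order are assumptions of the example.

```python
"""Severity-threshold filtering and per-event counting for alert messages.

Added example; it is not part of the FortiAnalyzer guide or product. It assumes
FortiGate-style key=value log lines carrying date=, time=, devname=, level= and
msg= fields, and the eight syslog severities in the usual order; the sample
lines below are constructed.
"""
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Assumed severity order, most severe first (index 0 = most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}

# Constructed raw log messages, as the "raw" view of the alert list would show them.
RAW_LOGS = [
    'date=2010-12-03 time=10:01:02 devname=FG-branch1 level=critical msg="attack detected"',
    'date=2010-12-03 time=10:05:30 devname=FG-branch1 level=critical msg="attack detected"',
    'date=2010-12-03 time=10:06:00 devname=FAZ-800B level=warning msg="firmware upgraded"',
    'date=2010-12-03 time=10:07:00 devname=FG-branch2 level=information msg="admin login"',
    'date=2010-11-20 time=08:00:00 devname=FG-branch2 level=error msg="disk usage high"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_raw(line):
    """Split one raw log line into a dict of its key=value fields."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def meets_threshold(level, threshold):
    """True when level is equal to or more severe than threshold ("Include ... and higher")."""
    level, threshold = level.lower(), threshold.lower()
    if level not in RANK or threshold not in RANK:
        return False  # unknown severities are never shown rather than silently included
    return RANK[level] <= RANK[threshold]


def formatted_view(lines, threshold="warning"):
    """Build the "formatted" alert list: one row per device/event/level, with a Counter."""
    rows = OrderedDict()
    for line in lines:
        f = parse_raw(line)
        if not meets_threshold(f.get("level", ""), threshold):
            continue
        when = f"{f.get('date', '')} {f.get('time', '')}".strip()
        key = (f.get("devname", "unknown"), f.get("msg", ""), f.get("level", "").lower())
        if key in rows:
            rows[key]["Counter"] += 1
            rows[key]["Time"] = max(rows[key]["Time"], when)  # keep the latest occurrence
        else:
            rows[key] = {"Device": key[0], "Event": key[1], "Level": key[2],
                         "Time": when, "Counter": 1}
    return list(rows.values())


def remove_older_than(rows, days, now):
    """Drop rows whose latest occurrence is more than `days` days before `now` (YYYY-MM-DD HH:MM:SS)."""
    cutoff = datetime.strptime(now, "%Y-%m-%d %H:%M:%S") - timedelta(days=days)
    kept = []
    for row in rows:
        try:
            seen = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            kept.append(row)  # unparsable timestamp: keep rather than silently discard
            continue
        if seen >= cutoff:
            kept.append(row)
    return kept


if __name__ == "__main__":
    view = formatted_view(RAW_LOGS, threshold="warning")
    for row in remove_older_than(view, days=7, now="2010-12-03 12:00:00"):
        print(row)
```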
CLI Console widget
The CLI Console widget enables you to enter command lines through the web-based
manager, without making a separate Telnet, SSH, or local console connection to access
the CLI.
Note: The CLI Console widget requires that your web browser support JavaScript.
To use the console, first click within the console area. Doing so will automatically log you
in using the same administrator account you used to access the web-based manager. You
can then enter commands by typing them. Alternatively, you can copy and paste
commands from or into the CLI Console.
Note: The prompt, by default the model number such as FortiAnalyzer-800B #,
contains the host name of the FortiAnalyzer unit. To change the host name, see
“Configuring the FortiAnalyzer unit’s host name” on page 37.
For information on available commands, see the FortiAnalyzer CLI Reference.
Figure 17: CLI Console widget
To configure settings for the widget, in its title bar, click Console Preferences.
Figure 18: CLI Console widget settings
Name of the GUI item
Description
Preview
A preview of your changes to the CLI Console widget’s appearance.
Text
Click the current color swatch to the left of this label, then click a color
from the color palette to the right to change the color of the text in the
CLI Console.
Background
Click the current color swatch to the left of this label, then click a color
from the color palette to the right to change the color of the background
in the CLI Console.
Use external command input box
Enable to display a command input field below the normal console
emulation area. When this option is enabled, you can enter commands
by typing them into either the console emulation area or the external
command input field.
Console buffer length
Enter the number of lines the console buffer keeps in memory. The valid
range is from 20 to 9999.
Font
Select a font type from the list. There are only three font types to choose
from: Lucida Console, Courier New, and the default font.
Size
Select the size in points of the font. The default size is 10 points.
Reset Defaults
Return the CLI Console widget settings to their default values.
Top Traffic widget
You can only add a Top Traffic widget when you have selected the proprietary indexed file
storage system. For information on switching file storage systems, see “Configuring SQL
database storage” on page 83.
This widget displays a bar chart of the total volume of traffic handled by FortiGate units,
based upon their traffic logs.
Figure 19: Top Traffic widget
To expand details for one of the widget’s items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item’s results by which devices recorded those log messages. To further subcategorize
one of the device’s results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect traffic volume for each service on
that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item’s X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 20: Top Traffic widget settings
Name of the GUI item
Description
Widget Name
Type a name for the widget. It will appear in the widget’s title bar.
Device
Select the name of either a device or device group for which you want to display
traffic volumes.
Display by
Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each
source IP address.
• Top Destinations (from any): Rank results according to the total volume for
each destination IP address.
Filter Port
Select whether to include TCP or UDP protocols, then type the port number. The
valid range is from 1 to 65,535.
Time Scope
Select one of the following time ranges:
• Hour
• Day
• Week
• Month
No. Entries
Select the number of entries to display.
Top Web Traffic widget
You can only add a Top Web Traffic widget when you have selected the proprietary indexed file
storage system. For information on switching file storage systems, see “Configuring SQL
database storage” on page 83.
This widget displays a bar chart of the total volume of web traffic handled by FortiGate
units, based upon either their traffic logs (if you select By Volume in the widget’s settings)
or web filtering logs (if you select By Request in the widget’s settings).
Figure 21: Top Web Traffic widget
To expand details for one of the widget’s items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item’s results by which devices recorded those log messages. To further subcategorize
one of the device’s results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect web traffic volume for each
service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item’s X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 22: Top Web Traffic widget settings
Name of the GUI item
Description
Widget Name
Type a name for the widget. It will appear in the widget’s title bar.
Device
Select the name of either a device or device group for which you
want to display traffic volumes.
Display by
Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total
volume for each source IP address.
• Top Destinations (from any): Rank results according to the
total volume for each destination IP address.
Filter Source IP Address or User
Type the traffic’s source IP address or user name.
Filter Destination IP Address
Type the traffic’s destination IP address.
By Volume
Select to gather the information for this widget from the traffic
logs.
By Requests
Select to gather the information for this widget from the Web Filter
logs.
Time Scope
Select one of the following time ranges:
• Hour
• Day
• Week
• Month
No. Entries
Select the number of entries to display.
Top Email Traffic widget
You can only add a Top Email Traffic widget when you have selected the proprietary indexed file
storage system. For information on switching file storage systems, see “Configuring SQL
database storage” on page 83.
This widget displays a bar chart of the total volume of email traffic handled by FortiGate
units, based upon either their traffic logs (if you select By Volume in the widget’s settings)
or content logs (if you select By Request in the widget’s settings).
Figure 23: Top Email Traffic widget
To expand details for one of the widget’s items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item’s results by which devices recorded those log messages. To further subcategorize
one of the device’s results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect email traffic volume for each
service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item’s X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 24: Top Email Traffic widget settings
Name of the GUI item
Description
Widget Name
Type a name for the widget. It will appear in the widget’s title bar.
Device
Select the name of either a device or device group for which you want to display
traffic volumes.
Display by
Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each
source IP address.
• Top Destinations (from any): Rank results according to the total volume for
each destination IP address.
Filter Protocol
Select a protocol to filter by email protocol.
Filter Address
Enter the email server IP address for filtering the information.
By Volume
Select to gather the total amount of email traffic for this widget from the traffic
logs.
By Requests
Select to gather the total amount of email traffic for this widget from the content
logs.
Time Scope
Select one of the following time ranges:
• Hour
• Day
• Week
• Month
No. Entries
Select the number of entries to display.
Top FTP Traffic widget
You can only add a Top FTP Traffic widget when you have selected the proprietary indexed file
storage system. For information on switching file storage systems, see “Configuring SQL
database storage” on page 83.
This widget displays a bar chart of the total volume of FTP traffic handled by FortiGate
units, based upon their traffic logs.
Figure 25: Top FTP Traffic widget
To expand details for one of the widget’s items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item’s results by which devices recorded those log messages. To further subcategorize
one of the device’s results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect FTP traffic volume for each
service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item’s X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 26: Top FTP Traffic widget settings
Name of the GUI item
Description
Widget Name
Type a name for the widget. It will appear in the widget’s title bar.
Device
Select the name of either a device or device group for which you want to display
traffic volumes.
Display by
Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each
source IP address.
• Top Destinations (from any): Rank results according to the total volume for
each destination IP address.
Time Scope
Select one of the following time ranges:
• Hour
• Day
• Week
• Month
No. Entries
Select the number of entries to display.
Top IM/P2P Traffic widget
You can only add a Top IM/P2P Traffic widget when you have selected the proprietary indexed
file storage system. For information on switching file storage systems, see “Configuring
SQL database storage” on page 83.
Depending on your selection in the widget’s settings, this widget displays a bar chart of
either the total number of instant messaging (IM) sessions or the total number of
peer-to-peer (P2P) sessions handled by FortiGate units, based upon their DLP logs.
Figure 27: Top IM/P2P Traffic widget
To expand details for one of the widget’s items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item’s results by which devices recorded those log messages. To further subcategorize
one of the device’s results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect IM/P2P traffic volume for each
service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item’s X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 28: Top IM/P2P Traffic widget settings
Name of the GUI item
Description
Widget Name
Type a name for the widget. It will appear in the widget’s title bar.
Type
Select either instant messaging (IM) or peer-to-peer (P2P) traffic.
Device
Select the name of either a device or device group for which you want to display
traffic volumes.
Display by
Select which attribute to use in order to rank the top results:
• Top Sources (to any): Rank results according to the total volume for each
source IP address.
• Top Destinations (from any): Rank results according to the total volume for
each destination IP address.
Protocol
Select a protocol for filtering the traffic. If you select All, all of the protocols will be
included.
Time Scope
Select one of the following time ranges:
• Hour
• Day
• Week
• Month
No. Entries
Select the number of entries to display.
Virus Activity widget
You can only add a Virus Activity widget when you have selected the proprietary indexed file
storage system. For information on switching file storage systems, see “Configuring SQL
database storage” on page 83.
This widget displays a bar chart of the total number of virus detections in traffic handled by
FortiGate units, based upon their antivirus logs.
Figure 29: Virus Activity widget
To expand details for one of the widget’s items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item’s results by which devices recorded those log messages. To further subcategorize
one of the device’s results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect detected viruses for each service
on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item’s X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 30: Virus Activity widget settings
Name of the GUI item
Description
Widget Name
Type a name for the widget. It will appear in the widget’s title bar.
Device
Select the name of either a device or device group for which you want to
display traffic volumes.
Display by
Select which attribute to use in order to rank the top results:
• Time Period: Rank results according to the total number of incidents for
each 24-hour time period, from 00:00:00 to 23:59:59.
• Top Viruses: Rank results according to the total number of incidents for
each virus.
• Top Sources (to any): Rank results according to the total number of
incidents for each source IP address.
• Top Destinations (from any): Rank results according to the total number
of incidents for each destination IP address.
• Protocol break down for virus incidents: Rank results according to the
total number of incidents for each protocol.
Time Scope
Select one of the following time ranges:
• Hour
• Day
• Week
• Month
No. Entries
Select the number of entries to display.
Intrusion Activity widget
You can only add an Intrusion Activity widget when you have selected the proprietary indexed
file storage system. For information on switching file storage systems, see “Configuring
SQL database storage” on page 83.
This widget displays a bar chart of the total number of attack attempts in traffic handled by
FortiGate units, based upon their attack logs.
Figure 31: Intrusion Activity widget
To expand details for one of the widget’s items, click its + button, then select which log
field you want to use to categorize its results.
For example, for one of the items, you might select Device to display and categorize that
item’s results by which devices recorded those log messages. To further subcategorize
one of the device’s results by protocol, you could then click its + button, then select
Service. The resulting widget display would reflect detected intrusion attempts for
each service on that one device, from that source IP address.
To collapse details and return to higher-level items, click a parent item’s X button.
To configure settings for the widget, in its title bar, click Edit.
Figure 32: Intrusion Activity widget settings
Name of the GUI item
Description
Widget Name
Type a name for the widget. It will appear in the widget’s title bar.
Device
Select the name of either a device or device group for which you want to display
traffic volumes.
Display by
Select which attribute to use in order to rank the top results:
• Time Period: Rank results according to the total number of incidents for each
24-hour time period, from 00:00:00 to 23:59:59.
• Top Intrusions: Rank results according to the total number of incidents for each
intrusion.
• Top Sources (to any): Rank results according to the total number of incidents
for each source IP address.
• Top Destinations (from any): Rank results according to the total number of
incidents for each destination IP address.
Time Scope
Select one of the following time ranges:
• Hour
• Day
• Week
• Month
No. Entries
Select the number of entries to display.
Configuring network settings
The Network menu allows you to configure the FortiAnalyzer unit to operate on your
network. You can configure basic network settings, including configuring interfaces, DNS
settings, and static routes.
Configuring the network interfaces
System > Network > Interface displays a list of the FortiAnalyzer unit’s network interfaces.
You must configure at least one of the FortiAnalyzer unit’s network interfaces before you
can connect to the CLI or web-based manager, since both require an IP address.
Depending on your network topology and other considerations, to enable the
FortiAnalyzer unit to connect to your network and to the devices whose logs it receives,
you may need to configure one or more of the FortiAnalyzer unit’s other network
interfaces. You can configure each network interface separately, with its own IP address,
netmask, and accepted administrative access protocols.
Caution: Enable administrative access only on network interfaces connected to trusted
private networks or directly to your management computer. If possible, enable only secure
administrative access protocols such as HTTPS or SSH. Failure to restrict administrative
access could compromise the security of your FortiAnalyzer unit.
Note: You can restrict which IP addresses are permitted to log in as a FortiAnalyzer
administrator through the network interfaces. For details, see “Configuring administrator
accounts” on page 75.
Unlike other administrative protocols, SNMP access is not configured individually for each
network interface. Instead, see “Configuring the SNMP agent” on page 92.
Figure 33: Interface list
Name of the GUI item
Description
Bring Up
Mark the check box of the network interface that you want to enable,
then click Bring Up. The new status appears in Status.
Bring Down
Mark the check box of the network interface that you want to disable,
then click Bring Down. The new status appears in Status.
Name
The name of the network interface, usually directly associated with
one physical link as indicated by its name, such as port1.
IP/Netmask
The IP address and netmask of the network interface, separated by a
slash ( / ).
Access
The administrative access services that are enabled on the network
interface, such as HTTPS for the web-based manager.
FDP
Indicates whether Fortinet Discovery Protocol (FDP) is enabled. When
Fortinet Discovery Protocol is enabled for an interface, a green check
appears. For more information about FDP, see “About Fortinet
Discovery Protocol” on page 64 and “Manually adding a FortiGate unit
using the Fortinet Discovery Protocol (FDP)” on page 129.
Status
Indicates the “up” (available) or “down” (unavailable) administrative
status of the network interface.
• Green up arrow: The network interface is up and permitted to
receive or transmit traffic.
• Red down arrow: The network interface is down and not
permitted to receive or transmit traffic.
To edit a network interface
1 Go to System > Network > Interface.
2 Mark the check box next to the interface whose settings you want to modify, then click
Edit.
3 Configure the following:
Name of the GUI item
Description
Interface Name
The name (such as port2) and media access control (MAC)
address of this network interface.
Fortinet Discovery Protocol
Select Enabled to respond to Fortinet Discovery Protocol
(FDP) on this interface, allowing FortiGate devices to find the
FortiAnalyzer unit automatically. For more information about
FDP, see “About Fortinet Discovery Protocol” on page 64 and
“Manually adding a FortiGate unit using the Fortinet Discovery
Protocol (FDP)” on page 129.
IP/Netmask
Enter the IP address/subnet mask. The IP address must be on
the same subnet as the network to which the interface
connects.
Administrative Access
Enable the types of administrative access that you want to
permit on this interface.
HTTPS
Enable to allow secure HTTPS connections to the web-based
manager through this network interface.
For information on configuring the port number on which the
FortiAnalyzer listens for these connections, see “Configuring
the web-based manager’s global settings” on page 82.
PING
Enable to allow ICMP ping responses from this network
interface.
HTTP
Enable to allow HTTP connections to the web-based manager
through this network interface.
For information on configuring the port number on which the
FortiAnalyzer listens for these connections, see “Configuring
the web-based manager’s global settings” on page 82.
Caution: HTTP connections are not secure, and can be
intercepted by a third party. If possible, enable this option only
for network interfaces connected to a trusted private network,
or directly to your management computer. Failure to restrict
administrative access through this protocol could compromise
the security of your FortiAnalyzer unit.
SSH
Enable to allow SSH connections to the CLI through this
network interface.
TELNET
Enable to allow Telnet connections to the CLI through this
network interface.
Caution: Telnet connections are not secure, and can be
intercepted by a third party. If possible, enable this option only
for network interfaces connected to a trusted private network,
or directly to your management computer. Failure to restrict
administrative access through this protocol could compromise
the security of your FortiAnalyzer unit.
AGGREGATOR
Enable to allow sending and receiving log aggregation
transmissions. For more information about aggregation, see
“Configuring log aggregation” on page 98.
WEBSERVICES
Enable to allow web service (SOAP) connections.
FortiManager units require web service connections for remote
management of FortiAnalyzer units. If this option is not
enabled, the FortiManager unit will not be able to install a
configuration on the FortiAnalyzer unit. For more information,
see “Configuring and using FortiAnalyzer web services” on
page 64.
Web services can also be used by third party tools to access
logs and reports stored on the FortiAnalyzer unit. For more
information about web services, see the FortiAnalyzer CLI
Reference.
MTU
Enable Override default MTU value (1500) to change the
maximum transmission unit (MTU) value, then enter the
maximum packet size in bytes.
To improve network performance, adjust the MTU so that it
equals the smallest MTU of all devices between this interface
and traffic’s final destinations.
If the MTU is larger than other devices’ MTU, other devices
through which the traffic travels must spend time and
processing resources to break apart large packets to meet their
smaller MTU, which slows down transmission.
The default value is 1500 bytes. The MTU size must be
between 576 and 1500 bytes.
4 Click OK.
If you were connected to the web-based manager through this network interface, you
are now disconnected from it.
5 To access the web-based manager again, in your web browser, modify the URL to
match the new IP address of the network interface. For example, if you configured the
network interface with the IP address 172.16.1.20, you would browse to
https://172.16.1.20.
If the new IP address is on a different subnet than the previous IP address, and your
computer is directly connected to the FortiAnalyzer unit, you may also need to modify
the IP address and subnet of your computer to match the FortiAnalyzer unit’s new IP
address.
About Fortinet Discovery Protocol
FortiGate units running FortiOS 4.0 or greater can use Fortinet Discovery Protocol (FDP),
a UDP protocol, to locate a FortiAnalyzer unit.
When a FortiGate administrator selects Automatic Discovery, the FortiGate unit attempts
to locate FortiAnalyzer units on the network within the same subnet. If FDP has been
enabled for the FortiAnalyzer unit’s network interface to that subnet, the FortiAnalyzer unit
will respond. After discovering the FortiAnalyzer unit, the FortiGate unit automatically
enables logging to the FortiAnalyzer and begins sending log data.
Depending on its configuration, the FortiAnalyzer unit may then automatically register the
device and save its data, add the device but ignore its data, or ignore the device entirely.
For more information, see “Configuring unregistered device options” on page 131.
Configuring and using FortiAnalyzer web services
To manage FortiAnalyzer v3.0 MR5 or later, FortiManager 3.00 MR5 or later requires that
you enable web services on the FortiAnalyzer unit and obtain the Web Services
Description Language (WSDL) file that defines the XML requests you can make and the
responses that the FortiAnalyzer unit can provide. If web services are not enabled, the
FortiManager unit will not be able to send a configuration to the FortiAnalyzer unit.
In addition to enabling web services, you must also register the devices with each other.
When registering the FortiAnalyzer with the FortiManager unit, to guarantee full access to
the FortiAnalyzer unit’s entire configuration, you must provide the login for the
FortiAnalyzer unit’s admin administrator account. When registering the FortiManager with
the FortiAnalyzer unit’s device list, you must set connection permissions to allow remote
management.
Web services can also be used by third party tools to access logs and reports stored on
the FortiAnalyzer unit. For more information, see the FortiAnalyzer CLI Reference.
Web services are automatically encrypted with SSL (HTTPS). For information on the
certificate used to do so, see “Importing a local server certificate” on page 119.
To configure web services
1 On the FortiAnalyzer unit, log in as admin.
2 Go to System > Network > Interface.
3 Mark the check box of the network interface which will accept web services
connections, then click Edit.
4 In the Administrative Access area, enable WEBSERVICES.
If it is not already enabled, also enable HTTPS.
5 Click OK.
6 Go to System > Admin > Administrator.
7 Mark the check box of the admin administrator account, then click Edit.
8 In Trusted Host, include the FortiManager unit's IP address. For additional security,
restrict the Trusted Host entry to include only the FortiManager unit's IP address (that
is, a subnet mask of 255.255.255.255) and your computer's IP address.
9 Click OK.
10 Go to Devices > All Devices > Allowed.
11 If the FortiManager unit appears as an unregistered device, mark its check box, then
click Register to complete the device registration.
If the FortiManager unit does not appear in the device list, click Create New to add the
device registration.
12 Click OK.
13 Register the FortiAnalyzer unit with the FortiManager unit’s device list. For details, see
the FortiManager Administration Guide.
To obtain the WSDL file
Download the WSDL file directly from the following URL:
https://<FortiAnalyzer_ip_address>:8080/FortiAnalyzerWS?wsdl
The following is a section of the WSDL file:
<definitions name="FortiAnalyzerWS"
targetNamespace="http://localhost:8080/FortiAnalyzerWS.wsdl">
<types>
<schema targetNamespace="urn:FortiAnalyzerWS"
elementFormDefault="qualified"
attributeFormDefault="qualified">
<import namespace="http://schemas.xmlsoap.org/soap/encoding/"/>
<element name="FortiRequestEl" type="ns:FortiRequest"/>
<element name="FortiResponseEl" type="ns:FortiResponse"/>
<!-- enumerations -->
<simpleType name="SearchContent">
<restriction base="xsd:string">
<enumeration value="Logs"/>
<enumeration value="ContentLogs"/>
<enumeration value="LocalLogs"/>
</restriction>
</simpleType>
<simpleType name="ReportType">
<restriction base="xsd:string">
<enumeration value="FortiGate"/>
<enumeration value="FortiClient"/>
<enumeration value="FortiMail"/>
</restriction>
</simpleType>
…
<service name="FortiAnalyzerWS">
<documentation>gSOAP 2.7.7 generated service definition</documentation>
<port name="FortiAnalyzerWS" binding="tns:FortiAnalyzerWS">
<SOAP:address location="https://localhost:8080/FortiAnalyzerWS"/>
</port>
</service>
</definitions>
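The WSDL excerpt above can be read mechanically. The following Python is an added example, not Fortinet code: it parses a constructed copy of that excerpt (completed with the namespace declarations the fragment omits) to list the enumerated values and the advertised SOAP endpoint, and includes a helper that fetches the live WSDL over HTTPS with certificate verification; the host name and CA file passed to it are assumptions.

```python
"""Parse the FortiAnalyzerWS WSDL: list enumerations, check the SOAP endpoint.

Added example, not Fortinet code. SAMPLE_WSDL is a constructed copy of the
guide's excerpt; fetch_wsdl() retrieves a live copy from
https://<FortiAnalyzer_ip_address>:8080/FortiAnalyzerWS?wsdl when given a host.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSD = "{http://www.w3.org/2001/XMLSchema}"
SOAP = "{http://schemas.xmlsoap.org/wsdl/soap/}"

# Constructed sample: the guide's excerpt plus the namespace declarations a
# gSOAP-generated WSDL carries, so that it parses as well-formed XML.
SAMPLE_WSDL = """<definitions name="FortiAnalyzerWS"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:SOAP="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="http://localhost:8080/FortiAnalyzerWS.wsdl"
    xmlns:ns="urn:FortiAnalyzerWS"
    targetNamespace="http://localhost:8080/FortiAnalyzerWS.wsdl">
  <types>
    <schema xmlns="http://www.w3.org/2001/XMLSchema"
        targetNamespace="urn:FortiAnalyzerWS"
        elementFormDefault="qualified" attributeFormDefault="qualified">
      <import namespace="http://schemas.xmlsoap.org/soap/encoding/"/>
      <element name="FortiRequestEl" type="ns:FortiRequest"/>
      <element name="FortiResponseEl" type="ns:FortiResponse"/>
      <simpleType name="SearchContent">
        <restriction base="xsd:string">
          <enumeration value="Logs"/>
          <enumeration value="ContentLogs"/>
          <enumeration value="LocalLogs"/>
        </restriction>
      </simpleType>
      <simpleType name="ReportType">
        <restriction base="xsd:string">
          <enumeration value="FortiGate"/>
          <enumeration value="FortiClient"/>
          <enumeration value="FortiMail"/>
        </restriction>
      </simpleType>
    </schema>
  </types>
  <service name="FortiAnalyzerWS">
    <documentation>gSOAP 2.7.7 generated service definition</documentation>
    <port name="FortiAnalyzerWS" binding="tns:FortiAnalyzerWS">
      <SOAP:address location="https://localhost:8080/FortiAnalyzerWS"/>
    </port>
  </service>
</definitions>
"""


def enumerations(wsdl_text):
    """Return {simpleType name: [allowed values]} for every enumerated type."""
    root = ET.fromstring(wsdl_text)
    result = {}
    for st in root.iter(XSD + "simpleType"):
        values = [e.get("value") for e in st.iter(XSD + "enumeration")]
        if values:
            result[st.get("name")] = values
    return result


def endpoints(wsdl_text):
    """Return the SOAP address location advertised for each port."""
    root = ET.fromstring(wsdl_text)
    return [a.get("location") for a in root.iter(SOAP + "address")]


def endpoint_is_https(location):
    """True when the advertised endpoint uses HTTPS (web services are SSL-only)."""
    return urlparse(location).scheme == "https"


def fetch_wsdl(host, port=8080, cafile=None, timeout=10):
    """Fetch the live WSDL, verifying the unit's server certificate.

    host and cafile are assumptions supplied by the caller; cafile should be
    the CA that issued the certificate imported on the FortiAnalyzer unit.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"https://{host}:{port}/FortiAnalyzerWS?wsdl"
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")
```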
Configuring DNS
System > Network > DNS enables you to configure the FortiAnalyzer unit with the IP
addresses of the domain name system (DNS) servers that the FortiAnalyzer unit will query
to resolve domain names such as www.example.com into IP addresses.
FortiAnalyzer units require connectivity to DNS servers for DNS lookups. Your Internet
service provider (ISP) may supply IP addresses of DNS servers, or you may want to use
the IP addresses of your own DNS servers.
Note: For improved performance, use DNS servers on your local network. Features such
as NFS shares can be impacted by poor DNS connectivity.
Configuring static routes
The route list displays the static routes on the FortiAnalyzer unit. Static routes provide the
FortiAnalyzer unit with the information it needs to forward a packet to a particular
destination other than the default gateway.
To view the routing list, go to System > Network > Routing.
Figure 34: Route list
Name of the GUI item
Description
Move
Select to change the route’s order in the route list.
Insert
Select to add a route before the selected one in the list.
Destination IP/Netmask
The destination IP address and netmask of the packets that the FortiAnalyzer unit
forwards using this route.
Gateway
The IP address of the router where the FortiAnalyzer unit forwards
packets.
Interface
The names of the FortiAnalyzer interfaces through which intercepted
packets are received and sent.
To add a static route
1 Go to System > Network > Routing.
2 Select Create New.
3 Enter the applicable information, and click OK.
Name of the GUI item
Description
Destination IP/Mask
Enter the destination IP address of the packets that the FortiAnalyzer unit has to
intercept, and a netmask to associate with that IP address.
Gateway
Enter the IP address of the gateway where the FortiAnalyzer unit will
forward intercepted packets.
Interface
Select a port through which intercepted packets are received and
sent.
Configuring network shares
The FortiAnalyzer hard disk can be used as an NFS or Windows network share to store
users’ files and/or FortiAnalyzer reports and logs.
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
When selecting a network share style, consider the access methods available to your
users:
• Microsoft Windows users could connect to a FortiAnalyzer Windows network share by
mapping a drive letter to a network folder
• Apple Mac OS X, Unix or Linux users:
  • could mount a FortiAnalyzer Windows network share using smbfs
  • could mount a FortiAnalyzer NFS network share
Before a user can access files on the FortiAnalyzer network share:
• network share user accounts and groups must be created (for Windows share only)
• network sharing (Windows or NFS) must be enabled
• the share folder and its file permissions (user access) must be set
Configuring share users
You can create Windows network share user accounts to provide non-administrative
access to the log, reports and hard disk storage of the FortiAnalyzer unit.
Users that are added will not have administrative access to the FortiAnalyzer hard disk or
FortiAnalyzer unit. For information about how to add administrative users, see
“Configuring administrator-related settings” on page 75.
To view the network user list, go to System > Network Sharing > User.
Figure 35: Network share user list
Name of the GUI item Description
Create New
Select to create a Windows network share user. See “To add a user
account” on page 69.
Edit
Change a selected user’s current settings.
Delete
Remove a selected user’s current settings.
Username
The name of the user.
UID
The user’s identification. This is useful for NFS shares only.
Description
A comment about the user account.
To add a user account
1 Go to System > Network Sharing > User.
2 Select Create New.
3 Enter the appropriate information for the network share user account and select OK.
Name of the GUI item Description
Username
Enter a user name.
The name cannot include spaces.
UID (NFS only)
Leave this field empty.
This field is for NFS shares only. The NFS protocol uses the UID to
determine the permissions on files and folders.
Password
Enter a password for the user.
Description
Enter a description of the user. For example, you might enter the user's
name or a position such as IT Manager.
Configuring share user groups
You can create Windows network share user groups to maintain access privileges for a
large number of users at once. You need to add users before you can create groups.
To view the user group list, go to System > Network Sharing > Group.
Figure 36: User group list
Name of the GUI item Description
Group
The name of the group. For example, Finance. The name cannot include
spaces.
GID
The Group ID. This is useful for NFS shares only.
Members
The users that are members of that group.
To add a user group
1 Go to System > Network Sharing > Group.
2 Select Create New.
3 Enter the information for the group account and select OK.
Name of the GUI item Description
Group
Enter the name of the group.
GID (NFS only)
Leave this field empty.
This field is for NFS shares only. The GID is the numerical unique
identification for a group. The NFS protocol uses the GID to determine the
permissions on files and folders.
Available Users
The available users that you can add to the group. Select a user and then
select the right arrow to move that user to the Members area.
Members
The users that are included in the group. If you do not want a user included
as a member, select a user and then select the left arrow to move that user
back to the Available Users area.
Configuring Windows shares
You can configure the FortiAnalyzer unit to provide folder and file sharing using Windows
sharing.
To view users with Windows share access to the FortiAnalyzer unit, go to System >
Network Sharing > Windows Share.
Figure 37: Windows network share user list
Name of the GUI item Description
Enable Windows Network Sharing
Select the check box to enable Windows network sharing.
Workgroup
Enter the name of the work group and then select Apply.
Local Path
The shared file or folder path.
Share as
The share name.
Read Only User
A list of users or groups that have read-only access to the folder or files.
Read Write User
A list of users or groups that have read-write access to the folder or files.
To configure Windows share
1 Go to System > Network Sharing > Windows Share.
2 Select Create New.
3 Enter the information for the Windows share and select OK.
Name of the GUI item Description
Local Path
Type a folder directory, such as /Storage/Mail, or select the local path
button to choose a folder to share on the FortiAnalyzer hard disk. If you type a
directory, you must start with /Storage.
The default permission for files and folders is read and execute privileges. The
owner of the document also has write privileges. You must select the write
permission for the folder, user and the group to enable write permissions. For
more information, see “Default file permissions on NFS shares” on page 74.
Share Name
The name of the share configuration.
Available Users & Group
The list of users and groups that are available for Windows network shares.
For information on adding users and groups, see “Configuring share users” on
page 69.
Select a user and then select the right arrow that points to the permission list
that you want that user or group to be under, either Read-Only Access or
Read-Write Access.
Read-Only Access
Users or groups that do not have permission to edit or change settings.
To remove a user or group from either access list, select the user or group and
then select the left arrow to move it back to the Available Users & Groups list.
Read-Write Access
Users or groups that have permission to edit or change settings.
To remove a user or group from either access list, select the user or group and
then select the left arrow to move it back to the Available Users & Groups list.
Configuring NFS shares
You can configure the FortiAnalyzer unit to provide folder and file sharing using NFS
sharing.
To view a list of users with NFS share access to the FortiAnalyzer unit, including access
privileges, go to System > Network Sharing > NFS Export.
Figure 38: List of users with NFS share access
Name of the GUI item Description
Enable NFS Exports
Select the check box beside Enable NFS Exports and then select Apply to
enable NFS shares.
Local Path
The path the user has permission to connect to.
Remote Clients
A list of users that have access to the folder or files.
Read Only User
A list of users or groups that have read-only access to the folder or files.
Read Write User
A list of users or groups that have read-write access to the folder or files.
To add a new NFS share configuration
1 Configure DNS and a default route. For information, see “Configuring network settings”
on page 61.
NFS exports are file system-level mounts. Bad DNS or routing connectivity can cause
very slow access or 'hangs' when trying to write a file using NFS.
2 Go to System > Network Sharing > NFS Export.
3 Select Enable NFS Exports and select Apply.
4 Select Create New.
Name of the GUI item Description
Local Path
Type a folder directory, such as /Storage/Mail, or select the local path
button to choose a folder to share on the FortiAnalyzer hard disk. If you type
a directory, you must start with /Storage.
The default permissions for files and folders are read and execute privileges.
The owner of the document also has write privileges. You must select the
write permission for the folder and for the user and the group to enable write
access for users and groups. For more information, see “Default file
permissions on NFS shares” on page 74.
Remote Client: (Host, subnet, FQDN)
Enter the IP address or domain name of an NFS client, such as a FortiMail
unit configured for NFS storage. This client can access the NFS share folder.
Permissions
Select the type of permissions. The type of permission selected determines
which list the NFS client will be put in.
• Read Only – users connecting to the share will be able to list and read
files.
• Read Write – users connecting to the share will be able to list, read,
create, modify, and delete files.
Add
Select to add the NFS client to either the Read-only Access list or the Read
Write Access list, depending on the permission selected.
Delete
Select the check box beside the NFS client in either the Read Only Access
list or the Read Write Access list, and then select Delete to remove it.
Read-only Access
The list of remote clients that have read-only access.
Read-Write Access
The list of remote clients that have both read and write access.
5 Select OK.
6 Configure the NFS client to connect to the FortiAnalyzer unit and mount the share.
Default file permissions on NFS shares
By default, when a user adds a new file or folder, the permissions are:
• read, write, and execute for the owner (user)
• read and execute for the Admin group and Others group.
You can set file permissions in the CLI. For more information, see the config nas
share command in the FortiAnalyzer CLI Reference.
Configuring administrator-related settings
The Admin menu manages administrator accounts, access profiles, and RADIUS
authentication. It also controls settings for the web-based manager that apply to all
administrator accounts, and enables you to monitor which administrator accounts are
currently logged in.
Configuring administrator accounts
System > Admin > Administrator displays the list of FortiAnalyzer administrator accounts.
In its factory default configuration, a FortiAnalyzer unit has one administrator account,
named admin. The admin administrator has permissions that grant full access to the
FortiAnalyzer configuration and firmware. After connecting to the web-based manager or
the CLI using the admin administrator account, you can configure additional administrator
accounts with various levels of access to different parts of the FortiAnalyzer configuration.
Administrators may be able to access the web-based manager and/or the CLI through the
network, depending on administrator account’s trusted hosts, and the administrative
access protocols enabled for each of the FortiAnalyzer unit’s network interfaces. For
details, see “Configuring the network interfaces” on page 61 and “Trusted Host” on
page 77.
To determine which administrators are currently logged in, see “Monitoring administrators”
on page 83.
Note: In FortiAnalyzer 4.0 patch release 2, the admin administrator account can be
deleted. However, Fortinet strongly recommends updating to the latest FortiAnalyzer 4.0
patch release, or 4.0 MR1 and above to prevent any user or administrator from accidentally
deleting the admin administrator account. If you have FortiAnalyzer 4.0 Patch release 2
currently running on your FortiGate unit, back up either the default configuration or the
current configuration containing the admin administrator so that you can restore the admin
administrator account.
Figure 39: Administrator account list
Name of the GUI item
Description
Change Password
Change the account password. For more information, see “Changing
an administrator’s password” on page 77.
Update Column Settings
Define log columns for an administrator account. You can revert the
column settings to the system default one if they have been
customized, or copy the settings from another administrator account.
For information about configuring column settings, see “Displaying
and arranging log columns” on page 141.
Name
The assigned name for the administrator.
Trusted Hosts
The IP address and netmask of acceptable locations for the
administrator to log in to the FortiAnalyzer unit.
If you want the administrator to be able to access the FortiAnalyzer
unit from any address, use the IP address and netmask
0.0.0.0/0.0.0.0. To limit the administrator to only access the
FortiAnalyzer unit from a specific network or host, enter that network’s
IP and netmask.
Profile
The access profile assigned to the administrator. For more
information, see “Configuring access profiles” on page 78.
Type
Type can be either local, as a configured administrator on the
FortiAnalyzer unit, or RADIUS if you are using a RADIUS server on
your network.
To add an administrator account
1 Go to System > Admin > Administrator.
2 Select Create New.
3 Enter the appropriate information and select OK.
Name of the GUI item
Description
Administrator
Enter the administrator name.
You can add the ‘@’ symbol in the name. For example,
admin_1@headquarters, could identify an administrator that will
access the FortiAnalyzer unit from the headquarters office of their
organization. The ‘@’ symbol is also useful to those administrators
who require RADIUS authentication. You can also configure an
administrator account for remote authentication and associate an
authentication group as well.
Remote Auth
Select if you are authenticating a specific account on a RADIUS
server.
Wild Card
This option appears only if Remote Auth is enabled. Select if you don’t
want to set a password for this account.
Auth Group
This option appears only if Remote Auth is enabled. You also need to
create an authentication group so that you can select it from the list.
For more information about creating an authentication group, see
“Configuring authentication groups” on page 79.
Select which RADIUS server group to use when authenticating this
administrator account.
Password
Enter a password for the administrator account. For security reasons,
a password should be a mixture of letters and numbers and longer
than six characters.
If a user attempts to log in and mis-types the password three times,
the user is locked out of the system from that IP address for a short
period of time.
This option does not appear if you select Wild Card and when editing
the account.
Confirm Password
Re-enter the password for the administrator account to confirm its
spelling.
This option does not appear if you select Wild Card and when editing
the account.
Trusted Host
Enter the IP address and netmask of acceptable locations for the
administrator to log in to the FortiAnalyzer unit.
If you want the administrator to be able to access the FortiAnalyzer
unit from any address, use the IP address and netmask
0.0.0.0/0.0.0.0. To limit the administrator to only access the
FortiAnalyzer unit from a specific network, enter that network’s IP and
netmask.
Access Profile
Select an access profile from the list. Access profiles define
administrative access permissions to areas of the configuration by
menu item. For more information, see “Configuring access profiles” on
page 78.
This option does not appear for the admin administrator.
Admin Domain
Select an administrative domain (ADOM) from the list. ADOMs define
administrative access permissions to areas of the configuration and
device data by device or VDOM. For more information, see “About
administrative domains (ADOMs)” on page 23.
This option does not appear when ADOMs are disabled, nor for the
admin administrator.
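The trusted-host semantics described for the Trusted Host field (and in step 8 of the web services procedure, where a 255.255.255.255 mask pins the entry to one host) can be checked offline. The following Python is an added example, not Fortinet code: it parses IP/netmask entries in the form the GUI shows them, tests whether a login source address would be accepted, and flags accounts whose entry is 0.0.0.0/0.0.0.0; the account names and addresses are constructed sample data.

```python
"""Audit FortiAnalyzer administrator trusted-host entries.

Added example, not Fortinet code. The guide expresses a trusted host as
IP address/netmask: 0.0.0.0/0.0.0.0 permits any address, a 255.255.255.255
mask permits exactly one host. ADMINS below is constructed sample data.
"""
import ipaddress

# Constructed sample: (account name, trusted host entries as shown in the GUI)
ADMINS = [
    ("admin", ["192.0.2.10/255.255.255.255", "192.0.2.25/255.255.255.255"]),
    ("report_ro", ["0.0.0.0/0.0.0.0"]),
    ("admin_1@headquarters", ["198.51.100.0/255.255.255.0"]),
]


def parse_trusted_host(entry):
    """Turn an 'ip/netmask' entry into an IPv4Network.

    strict=False masks off host bits, so an entry such as
    192.0.2.10/255.255.255.0 is treated as the 192.0.2.0/24 network.
    """
    ip, mask = entry.split("/")
    return ipaddress.IPv4Network((ip, mask), strict=False)


def allows_any_address(entry):
    """True for the wide-open 0.0.0.0/0.0.0.0 entry."""
    return parse_trusted_host(entry).prefixlen == 0


def is_single_host(entry):
    """True when the mask is 255.255.255.255, i.e. one permitted host."""
    return parse_trusted_host(entry).prefixlen == 32


def source_permitted(entries, source_ip):
    """Would a login from source_ip pass the trusted-host check for entries?"""
    addr = ipaddress.IPv4Address(source_ip)
    return any(addr in parse_trusted_host(e) for e in entries)


def audit(admins):
    """Return the names of accounts that may log in from any address."""
    return [
        name for name, entries in admins
        if any(allows_any_address(e) for e in entries)
    ]


if __name__ == "__main__":
    for name in audit(ADMINS):
        print(f"{name}: trusted host allows any address")
```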
Changing an administrator’s password
The admin administrator and administrators with read and write permissions can change
their own account passwords.
Administrators with read-only permissions cannot change their own password. Instead,
the admin administrator must change the password for them.
To change the administrator account password
1 Go to System > Admin > Administrator.
2 Select an administrator account.
3 Select Change Password.
4 Enter the old password for confirmation.
5 Enter the new password and confirm the spelling by entering it again.
6 Select OK.
Configuring access profiles
Access profiles define administrator privileges to parts of the FortiAnalyzer configuration.
For example, you can have a profile where the administrator only has read and write
access to the reports, or assign read-only access to the DLP archive logs.
Only the admin administrator has access to all configuration areas of a FortiAnalyzer unit
by default. Every other administrator must be assigned an access profile.
You can create any number of access profiles. For each profile, you can define what
access privileges are granted. Administrator accounts can only use one access profile at a
time.
To view the list of access profiles, go to System > Admin > Access Profile.
Figure 40: Access profile list
Name of the GUI item
Description
Profile Name
The name of the access profile.
To create an access profile
1 Go to System > Admin > Access Profile.
2 Select Create New.
3 Enter the information for the new access profile, and select OK.
Name of the GUI item Description
Profile Name
Enter a name for the new access profile.
Access Control
Lists the FortiAnalyzer configuration components to which you can set
administrator access.
None
The administrator has no access to the function.
Read Only
The administrator can view pages, menus and information, but cannot modify any
settings.
Read-Write
The administrator can view pages, menus and information as well as change
configurations.
Note: Administrator accounts can also be restricted to specific devices or FortiGate units
with VDOMs in the FortiAnalyzer device list. For more information, see “About
administrative domains (ADOMs)” on page 23.
Configuring authentication groups
Auth Group enables you to group RADIUS servers into logical arrangements for
administrator authentication.
You must first configure at least one RADIUS server before you can create an
authorization group. For information on creating RADIUS servers, see “Configuring
RADIUS servers” on page 80.
To view the list of auth groups, go to System > Admin > Auth Group.
Figure 41: Authentication group list
Name of the GUI item
Description
Group Name
The name of the auth group.
Members
RADIUS servers in the group.
To add a group
1 Go to System > Admin > Auth Group.
2 Select Create New.
3 Enter a name for the group.
4 Select the servers from Available Auth Servers to add to the group and select the right
arrow.
5 Select OK.
Configuring RADIUS servers
If you already have a RADIUS server for authentication, you can configure the
FortiAnalyzer unit to have it perform the user authentication. RADIUS servers authenticate
administrators.
To view the RADIUS server list, go to System > Admin > RADIUS Server.
Figure 42: RADIUS server list
Name of the GUI item Description
Name
The name that identifies the server.
Server Name/IP
The server name or IP address of that server.
To add a RADIUS server
1 Go to System > Admin > RADIUS Server, select Create New.
2 Enter the appropriate information for the server and select OK.
Name of the GUI item Description
Name
Enter a name to identify the server.
Primary Server Name/IP
Enter the primary IP address for the server.
Primary Server Secret
Enter the password for the primary server.
Secondary Server Name/IP
Enter the secondary IP address for the server. This is in case the primary
one goes out of service.
Secondary Server Secret
Enter the password for the secondary server.
Authentication Protocol
Select which protocol the FortiAnalyzer unit will use to communicate with
the RADIUS server.
Configuring the web-based manager’s global settings
Administrators Settings allows you to configure some common settings for all
administrator accounts, including the idle timeout (how much time must pass without
activity before the FortiAnalyzer unit logs out an administrator), the language for the
web-based manager, and the web-based manager menu customization (showing or
hiding the menu items). You can also enable or disable administrative domains (ADOMs).
To configure administrators, go to System > Admin > Settings.
Note: Only the admin administrator can change administrators’ settings.
Figure 43: Administrators’ settings
Name of the GUI item Description
Idle Timeout
Set the idle timeout to control the amount of inactive time before the
administrator must log in again. For better security, keep the idle timeout to
a low value (for example, five minutes).
When viewing real-time logs, a pop-up window appears 60 seconds before
the set idle timeout value is reached, prompting you to keep or cancel the
value. If you choose to cancel the set idle timeout value, you will not be
logged out after the idle timeout value is reached.
Web Administration
[Language]
Select the language for the web-based manager.
GUI Menu
Customization
By default, these menu items are hidden. Select one to make it appear in
the menu list.
Admin Domain
Configuration
Enable or disable administrative domains (ADOMs). For more information
on ADOMs, see “About administrative domains (ADOMs)” on page 23.
This option does not appear if ADOMs are currently enabled and ADOMs
other than the root ADOM exist.
This option does not appear on FortiAnalyzer-100/100A/100B/100C
models.
Monitoring administrators
The Monitor page enables the admin administrator to view a list of other administrators
that are currently logged in to the FortiAnalyzer unit. The admin administrator can
disconnect other administrators’ sessions, should the need arise.
To monitor current administrators, go to System > Admin > Monitor.
Figure 44: Monitoring administrators
To disconnect an administrator, mark the check box next to an administrator’s account
name, then click Disconnect.
Configuring log storage & query features
System > Config enables you to configure miscellaneous features, such as SQL
database, alert output, log aggregation, log forwarding, IP aliases, RAID, and LDAP
connections.
Configuring SQL database storage
The FortiAnalyzer unit saves received logs to the default proprietary indexed file
storage system, which is always ready to accept log data. It can also insert the log
data into a Structured Query Language (SQL) database for generating reports. Both local
and remote SQL database options are supported. The advantages of using the SQL
database are:
• Flexibility: Through the use of standard SQL queries, more flexible reporting
capabilities can be offered.
• Scalability: Through the use of a remote SQL database, any upper bound on the
amount of available log storage is removed. Furthermore, the hardware of an external
SQL database server can be more easily upgraded to support growing performance
needs.
The FortiAnalyzer unit inserts logs into a remote SQL database but is not responsible for
deleting logs from that database nor for enforcing any type of size quotas. These tasks are
the responsibility of the remote SQL database administrator.
The FortiAnalyzer unit stores the log data into the SQL database according to a
predetermined structure called the SQL schema. The schema contains all the possible log
fields of every log type and allows the extraction of log data on a per-device and/or
per-VDOM basis for any continuous time period.
To configure the SQL database
1 Go to System > Config > SQL Database.
Name of the GUI item Description
Location
Select Disabled to save log data to the proprietary indexed file storage system
instead of the SQL database, Local Database to save log data into the local SQL
database, and Remote Database to save log data into the remote MySQL
database.
By default, the local SQL database is PostgreSQL.
The selection of location affects the way to configure reports. For more
information, see “Reports” on page 165.
Start Time
Select the time when the FortiAnalyzer unit can start to insert log data into the
SQL database.
This field activates when Local Database or Remote Database is selected.
Type
Select the remote SQL database from the supported list of databases.
This field only appears when Remote Database is selected.
Server
Enter the IP address or FQDN of the server on which the remote SQL database
is installed.
This field only appears when Remote Database is selected.
Database Name
Enter the name for the database in which log tables will be stored. This
database should already exist on the MySQL server. If it does not, the
FortiAnalyzer unit will not be able to connect.
This field only appears when Remote Database is selected.
User Name
Password
Enter the login information for a user on the database that has permissions to
read and write data, and to create tables.
Log Type
Select the log type(s) that you want to save to the SQL database.
This field activates when Local Database or Remote Database is selected.
2 Complete the fields and click Apply.
Configuring alerts
Log-based alerts define log message types, severities, and sources which trigger
administrator notification. For example, you could configure a trigger on the attack logs
with an SMTP server output if you want to receive an alert by email when your network
detects an attack attempt.
You can notify administrators by email, SNMP, or Syslog, as well as the Alert Message
Console widget. For information on viewing alerts through the web-based manager, see
“Alert Message Console widget” on page 49.
To view configured log-based alerts, go to System > Config > Log-based Alerts.
Figure 45: Alert events list

Name of the GUI item    Description

Name
    The name given to the log-based alert configuration.
Devices
    The devices the FortiAnalyzer unit is monitoring for the log-based alerts.
Triggers
    The log message packets the FortiAnalyzer unit is monitoring for the log-based
    alerts.
Destination
    The location where the FortiAnalyzer unit sends the alert message. This can be an
    email address, SNMP Trap or syslog server.
To add a log-based alert
1 Go to System > Config > Log-based Alerts, select Create New, enter the appropriate
information and select OK.
Name of the GUI item    Description

Alert name
    Enter a name indicating the type of alert the FortiAnalyzer unit is monitoring for.
Device Selection
    Select the devices the FortiAnalyzer unit monitors for the alert event. Select from
    the Available Devices list and select the right arrow to move the device name to the
    Selected Devices list. Hold the SHIFT or CTRL keys while selecting to select multiple
    devices.
Trigger(s)
    Select the triggers that the FortiAnalyzer unit uses to indicate when to send an
    alert message. Select the following:
    • a log type to monitor, such as Event Log or Attack Log
    • the comparison operator to apply to the severity level of the log messages, such
      as >=
    • the severity of the log message to match, such as Critical
    For example, if you select Event Log >= Warning, the FortiAnalyzer unit will send
    alerts when an event log message has a level of Warning, Error, Critical, Alert or
    Emergency.
    These options are used in conjunction with Generic Text (located under Log Filters)
    and Device Selection to specify which log messages will trigger the FortiAnalyzer
    unit to send an alert message.
Log Filters (Generic Text)
    Select the Generic Text check box to enable log filters, and then enter log message
    filter text.
    This text is used in conjunction with Trigger(s) and Device Selection to specify
    which log messages will trigger the FortiAnalyzer unit to send an alert message.
    Enter an entire word, delimited by spaces, exactly as it appears in the log messages
    that you want to match. Inexact or incomplete words or phrases may not match. For
    example, entering log_i or log_it may not match; entering log_id=0100000075 will
    match all log messages containing that whole word.
    Do not use special characters, such as quotes (‘) or asterisks (*). If the log
    message that you want to match contains special characters, consider entering a
    substring of the log message that does not contain special characters. For example,
    instead of entering User 'admin' deleted report 'Report_1', you might enter admin.
Threshold
    Set the threshold, or log message level frequency, that the FortiAnalyzer unit
    monitors before sending an alert message. For example, set the FortiAnalyzer unit
    to send an alert only after it receives five emergency messages in an hour.
Destination(s)
    Select where the FortiAnalyzer unit sends the alert message.
Send Alert To
    Select an email address, SNMP trap or Syslog server from the list. You must
    configure the SNMP traps or Syslog server before you can select them from the list.
    For the FortiAnalyzer unit to send an email message, you must configure a DNS
    server and mail server account. For information, see “Configuring an email server
    for alerts & reports” on page 87.
    For information on configuring SNMP traps, see “Configuring the SNMP agent” on
    page 92.
    For information on configuring Syslog servers, see “Configuring Syslog servers” on
    page 96.
From
    When configuring the FortiAnalyzer unit to send an email alert message, enter the
    sender’s email address.
To
    When configuring the FortiAnalyzer unit to send an email alert message, enter the
    recipients’ email address.
Add
    Select to add the destination for the alert message. Add as many recipients as
    required.
Delete
    Select a recipient from the Destination list and select Delete to remove a recipient.
Include Alert Severity
    Select the alert severity value to include in the outgoing alert message
    information.
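How the Trigger, Generic Text and Threshold settings combine to decide when an alert message is sent, as an added Python example that is not FortiAnalyzer code. The key=value log format with devname, type and level fields, the severity levels below Warning, and the sliding-window reading of the Threshold are assumptions; the same severity comparison is the Minimum Severity rule under Configuring log forwarding.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Severity ranking, most severe first. The guide names Emergency through Warning;
# Notice, Information and Debug are the remaining standard syslog levels (assumption).
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notice", "information", "debug"]
SEVERITY_RANK = {name: rank for rank, name in enumerate(SEVERITY_ORDER)}

def severity_compare(level: str, operator: str, reference: str) -> bool:
    """Apply a trigger operator to two severity names. '>=' means 'at least as
    severe as', so Event Log >= Warning matches Warning, Error, Critical, Alert and
    Emergency; the same test is the Minimum Severity rule of log forwarding."""
    lhs, rhs = SEVERITY_RANK[level.lower()], SEVERITY_RANK[reference.lower()]
    if operator == ">=":
        return lhs <= rhs  # a lower rank number is a more severe level
    if operator == "<=":
        return lhs >= rhs
    if operator == "=":
        return lhs == rhs
    raise ValueError(f"unsupported operator {operator!r}")

def parse_log_line(line: str) -> dict:
    """Split a key=value log line into a dict (constructed FortiGate-style format)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value.strip('"')
    return fields

def generic_text_matches(line: str, text: Optional[str]) -> bool:
    """Generic Text filter: an entire space-delimited word must appear verbatim,
    so 'log_i' does not match a line containing 'log_id=0100000075'."""
    return True if not text else text in line.split()

@dataclass
class LogAlert:
    """One log-based alert: Device Selection, Trigger, Log Filter and Threshold."""
    name: str
    devices: Set[str]           # Device Selection, matched on the devname field
    log_type: str               # value of the type field, e.g. 'event' or 'attack'
    operator: str               # '>=', '<=' or '='
    severity: str               # e.g. 'warning'
    generic_text: Optional[str] = None
    threshold: int = 1          # matching messages needed ...
    window_seconds: int = 3600  # ... within this many seconds
    _hits: List[int] = field(default_factory=list)

    def matches(self, line: str) -> bool:
        """Does one log message satisfy device, trigger and Generic Text filter?"""
        f = parse_log_line(line)
        if f.get("devname") not in self.devices or f.get("type") != self.log_type:
            return False
        if f.get("level", "").lower() not in SEVERITY_RANK:
            return False  # unknown level: never fire on unparseable input
        if not severity_compare(f["level"], self.operator, self.severity):
            return False
        return generic_text_matches(line, self.generic_text)

    def process(self, line: str, timestamp: int) -> bool:
        """Feed one message with its epoch timestamp; True when the threshold count
        is reached inside the sliding window and an alert message should be sent."""
        if not self.matches(line):
            return False
        self._hits.append(timestamp)
        self._hits = [t for t in self._hits if timestamp - t < self.window_seconds]
        if len(self._hits) >= self.threshold:
            self._hits.clear()  # count afresh after an alert is sent
            return True
        return False

# Constructed sample messages, not real FortiGate output.
_DEV = 'devname="FG-branch1"'
SAMPLE_LOGS = [
    f'{_DEV} type=attack level=emergency log_id=0100000075 msg="probe"',
    f'{_DEV} type=attack level=emergency log_id=0100000075 msg="probe"',
    f'{_DEV} type=attack level=warning log_id=0100000075 msg="probe"',   # too low
    f'{_DEV} type=event level=emergency log_id=0100000075 msg="probe"',  # wrong type
    f'{_DEV} type=attack level=emergency log_id=0100000075 msg="probe"',
    f'{_DEV} type=attack level=emergency log_id=0100000075 msg="probe"',
    f'{_DEV} type=attack level=emergency log_id=0100000075 msg="probe"',
]

def demo() -> List[bool]:
    """'Five emergency messages in an hour' from the Threshold row: one result per
    sample line, True only where the alert fires (the fifth matching line)."""
    alert = LogAlert(name="attack-emergencies", devices={"FG-branch1"},
                     log_type="attack", operator=">=", severity="emergency",
                     generic_text="log_id=0100000075", threshold=5)
    base = 1291197600  # constructed epoch timestamp; one message per minute
    return [alert.process(line, base + 60 * i) for i, line in enumerate(SAMPLE_LOGS)]
```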
Configuring an email server for alerts & reports
When the FortiAnalyzer unit receives a log message meeting the alert event conditions, it
can send an alert message to an email address via SMTP, informing an administrator of
the issue and where it is occurring.
You must first configure an SMTP server so that the FortiAnalyzer unit can send email
alert messages.
If the mail server is defined by a domain name, the FortiAnalyzer unit will query the DNS
server to resolve the IP address of that domain name. In this case, you must also define a
DNS server. For details, see “Configuring DNS” on page 67.
If sending an email by SMTP fails, the FortiAnalyzer unit will re-attempt to send the
message every ten seconds, and never stop until it succeeds in sending the message, or
the administrator reboots the FortiAnalyzer unit.
To view the mail server list, go to System > Config > Mail Server.
Figure 46: Mail server list

Name of the GUI item    Description

Test
    Verify if the email server is correctly configured. For more information, see “To
    verify mail server connectivity” on page 89.
SMTP Server
    The name of the email server.
E-Mail Account
    The email address used for accessing the account on the email server.
Password
    The password used in authentication of that server. The password displays as ******.
To add a mail server for alerts
1 Go to System > Config > Mail Server and select Create New.
2 Enter the appropriate information and select OK.
Name of the GUI item    Description

SMTP Server
    The name/address of the SMTP email server.
Enable Authentication
    Select to enable SMTP authentication. When set, you must enter an email user name
    and password for the FortiAnalyzer unit to send an email with the account.
E-Mail Account
    Enter the user name for logging on to the SMTP server to send alert mails. You only
    need to do this if you have enabled SMTP authentication. The account name must be
    in the form of an email address, such as user@example.com.
Password
    Enter the password for logging on to the SMTP server to send alert email. You only
    need to do this if you enabled SMTP authentication.

Note: Mail servers that you have defined for the FortiAnalyzer unit to be able to send alerts
can also be selected when configuring report profiles and vulnerability scan jobs to email
report output. For more information, see “Scheduling vulnerability scans” on page 229
and “Configuring reports from logs in the proprietary indexed file system” on page 165.
To verify mail server connectivity
1 Go to System > Config > Mail Server.
2 Select the mail server that you want to verify, then select Test.
3 Enter an email address in the Send test email to field.
To verify complete connectivity from the FortiAnalyzer unit to the administrator’s inbox,
this should be the administrator’s email address.
4 Select Test.
A message appears, indicating the success or failure of sending email to the SMTP
server. If the message was successfully sent, verify that it reached the email address.
Configuring report output templates
You can configure the FortiAnalyzer unit to output the report in one or more file formats,
save the reports of selected file formats to the FortiAnalyzer hard disk, email the report to
recipients, and upload completed report files to a server accepting FTP, SFTP, or SCP.
You can make multiple report output templates and assign them to different report
schedules.
The report output templates are used when configuring a report schedule. For more
information, see “Configuring report schedules” on page 179 and “Configuring report
profiles” on page 202.
When configuring the FortiAnalyzer unit to email a report, you must first configure the
FortiAnalyzer unit to connect to an email server. For more information, see “Configuring an
email server for alerts & reports” on page 87.
If HTML reports are sent to a user that has an email client without supported HTML, the
HTML code for the reports will display in the message body.
To view the list of output templates, go to System > Config > Remote Output.
Figure 47: Output templates

Name of the GUI item    Description

Create New
    Select to create a new report output template. See “To configure a report output
    template” on page 90.
Edit
    Modify a selected report output.
Delete
    Remove selected report output templates.
    You cannot delete a report output template if it is being used by a report
    schedule. For more information, see “Configuring report schedules” on page 179. If
    you want to delete a report output template that is being used by a report
    schedule, edit that report schedule to deselect the data filter template.
Name
    The name of the output template.
E-Mail Destination
    The route the email will take when sent, in the format <recipient_email address>
    (from <sender_email address> through <email server>).
FTP/SFTP/SCP Server IP
    The type of server that the report will be uploaded to, in the format
    <ipv4>(typeofserver). For example, 10.10.20.15(FTP).
To configure a report output template
1 Go to System > Config > Remote Output.
2 Select Create New, enter the appropriate information and then select OK.
Name of the GUI item    Description

Name
    Enter a name for the report output. This name concerns only the report output
    configuration that you are configuring for your report, not the report itself.
Description
    Enter a description for the report. This is optional.
Output Format
    The format of the report when it is sent or uploaded. Select one or more of the
    following file formats:
    • HTML (default)
    • PDF
    • MS Word (RTF)
    • Text (ASCII)
    • Multi-purpose Internet Mail Extension HTML format (MHT)
    • XML
Send Report by Mail
    Verify this check box is selected. If you do not want to send a report by email,
    unselect the check box. If the check box is unselected, the available options under
    Send Report by Mail are hidden.
    Note: Only those file formats that are enabled in both the output template and the
    schedule output types are sent by email. For example, if PDF and Text formats are
    selected in the output template, and then PDF and MHT are selected in the report
    schedule, the report’s file format in the email attachment is PDF.
Compress Report Files
    Select to compress the report files into a .zip file and attach that .zip file to
    the email.
From
    Enter a sender email address for the FortiAnalyzer unit or administrator to
    configure the report.
Server
    Select which email server to use when the FortiAnalyzer unit sends reports as an
    email, or select Create New to configure a new email server connection.
Recipient
    Enter the email addresses of the recipients of the report. Add multiple recipients
    by selecting Add after each email address. These email addresses display in the To
    field.
To
    Displays email addresses in the format <recipient_email address> (from
    <sender_email address> through <email server>).
    If you want to remove an email address from the list, select the email address you
    want removed, and then select Delete.
Attachment Name
    Select Use Default if you want the attached report name to be the name given to the
    report when configuring the layout in Layout. Deselect Use Default to enter a
    specific name for the attached report in the field. This name will appear as the
    attachment’s name, and is not the report’s actual name.
Subject
    Enter a subject for the report email. If you do not enter a subject, the subject
    line will be the name of the report.
Body
    Enter text to include in the body of the email message.
Upload report to Server
    Select to upload completed report files to a server accepting FTP, SFTP, or SCP. The
    following options are only available when the Upload Report to FTP Server check box
    is selected.
    Note: When sending reports to an FTP server, the following are sent: HTML, PDF and
    MHT.
Server Type
    Select the protocol to use when connecting to the upload server. Select from:
    • File Transfer Protocol (FTP)
    • Secure File Transfer Protocol (SFTP)
    • Secure Copy Protocol (SCP)
IP Address
    Enter the IP address of the upload server.
Username
    Enter the user name the FortiAnalyzer unit will use when connecting to the upload
    server.
Password
    Enter the password the FortiAnalyzer unit will use when connecting to the upload
    server.
Directory
    Enter the directory path that the FortiAnalyzer unit will upload the report to.
Delete file(s) after uploading
    Select to delete the report files from the FortiAnalyzer hard disk after the
    FortiAnalyzer unit has completed uploading the report files to the server.
Configuring the SNMP agent
Simple Network Management Protocol (SNMP) allows you to monitor hardware on your
network. You can configure the hardware, such as the FortiAnalyzer SNMP agent, to
report system information and send traps (alarms or event messages) to SNMP
managers. An SNMP manager, or host, is typically a computer running an application that
can read the incoming trap and event messages from the agent and send out SNMP
queries to the SNMP agents. A FortiManager unit can act as an SNMP manager, or host,
to one or more FortiAnalyzer units.
By using an SNMP manager, you can access SNMP traps and data from any
FortiAnalyzer interface configured for SNMP management access. Part of configuring an
SNMP manager is to list it as a host in a community on the FortiAnalyzer unit it will be
monitoring. Otherwise the SNMP monitor will not receive any traps from that FortiAnalyzer
unit, or be able to query that unit.
You can configure the FortiAnalyzer unit to respond to traps and send alert messages to
SNMP managers that were added to SNMP communities. When you are configuring
SNMP, you need to first download and install both the FORTINET-CORE-MIB.mib and
FORTINET-FORTIANALYZER-MIB.mib files so that you can view these alerts in a
readable format. The Fortinet MIB contains support for all Fortinet devices, and includes
some generic SNMP traps; information responses and traps that FortiAnalyzer units send
are a subset of the total number supported by the Fortinet proprietary MIB.
Your SNMP manager may already include standard and private MIBs in a compiled
database which is all ready to use; however, you still need to download both the
FORTINET-CORE-MIB.mib and FORTINET-FORTIANALYZER-MIB.mib files regardless.
FortiAnalyzer SNMP is read-only: SNMP v1 and v2 compliant SNMP managers have
read-only access to FortiAnalyzer system information and can receive FortiAnalyzer traps.
RFC support includes most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB
II). FortiAnalyzer units also use object identifiers from the Fortinet proprietary MIB.
For more information about the MIBs and traps that are available for the FortiAnalyzer
unit, see “Appendix A: SNMP MIB support” on page 283.
SNMP traps alert you to events that happen, such as a log disk being full or a virus
being detected.
SNMP fields contain information about your FortiAnalyzer unit, such as percent CPU
usage or the number of sessions. This information is useful to monitor the condition of the
unit, both on an ongoing basis and to provide more information when a trap occurs.
To configure the SNMP agent, go to System > Config > SNMP.
Figure 48: SNMP Access List

Name of the GUI item    Description

SNMP Agent
    Select to enable the SNMP agent.
Description
    Enter a descriptive name for this FortiAnalyzer unit.
Location
    Enter the physical location of the FortiAnalyzer unit, such as a city or floor
    number.
Contact
    Enter the contact information for the person responsible for this FortiAnalyzer
    unit.
Trap Type
    The type of available SNMP trap.
Trigger
    Enter a number (percent) for the trap type usage that will trigger a trap. The
    number can be between 1 and 100.
Threshold
    Enter the number of times a trigger value is reached before triggering a trap. The
    number can be between 1 and 100.
Sample Period(s)
    Enter a time period, in seconds. The number can be between 1 and 28800. The default
    is 600 seconds, which is 10 minutes.
    During the configured time period, the SNMP agent evaluates the trap type (for
    example, CPU) at the configured sample frequency. For example, during a period of
    600 seconds (10 minutes), the SNMP agent evaluates Memory every 60 seconds
    (1 minute).
Sample Frequency(s)
    Enter a number for the frequency of triggers. The number can be between 1 and 100.
Apply
    Select to save the configured settings. Selecting Apply will not save the SNMP
    communities because they are automatically saved after being configured.
Communities
    The list of SNMP communities added to the FortiAnalyzer configuration.
Create New
    Select to add a new SNMP community. See “Configuring an SNMP community” on page 94.
Edit
    Change the selected SNMP community configuration.
Delete
    Remove the selected SNMP community configuration. You cannot delete a community if
    it is used in an alert event. For more information, see “Configuring alerts” on
    page 85.
Test
    Verify the selected SNMP community configuration by sending a test SNMP trap to the
    SNMP manager. This option only shows whether the test SNMP trap was successfully
    sent by the FortiAnalyzer unit. You need to go to the SNMP manager to check if the
    trap has been successfully received. If the test fails, you need to reconfigure the
    SNMP community that you want to verify.
    This option is inactive if the SNMP agent configuration is not saved. See “Apply”
    on page 94.
#
    The sequential order of the communities.
Community Name
    The name of the SNMP community.
Queries
    The status of SNMP queries for each SNMP community. The query status can be
    enabled (green check mark) or disabled (gray cross).
Traps
    The status of SNMP traps for each SNMP community. The trap status can be enabled
    (green check mark) or disabled (gray cross).
Enable
    Select to enable the SNMP community. By default, an SNMP community is enabled when
    it is configured.
Configuring an SNMP community
An SNMP community is a grouping of devices for network administration purposes. Within
that SNMP community, devices can communicate by sending and receiving traps and
other information. One device can belong to multiple communities, such as one
administrator terminal monitoring both a firewall SNMP community and a printer SNMP
community.
You can add an SNMP community to define a destination IP address that can be selected
as the recipient (SNMP manager) of FortiAnalyzer unit SNMP alerts. Defined SNMP
communities are also granted permission to request FortiAnalyzer unit system information
using SNMP traps.
Each community can have a different configuration for SNMP queries and traps. Each
community can be configured to monitor the FortiAnalyzer unit for a different set of events.
You can also add the IP addresses of up to 10 SNMP managers to each community.
To add an SNMP community
1 Go to System > Config > SNMP.
2 Under Communities, select Create New.
3 Enter the appropriate information and then select OK.
Name of the GUI item    Description

Community Name
    Enter a name to identify the SNMP community.
Hosts
    Enter the IP addresses of the SNMP managers that can use the settings in this SNMP
    community to monitor the FortiAnalyzer unit.
Host Name
    The IP address of an SNMP manager that can use the settings in this SNMP community
    to monitor the FortiAnalyzer unit. You can also set the IP address to 0.0.0.0 so
    that any SNMP manager can use this SNMP community.
Interface
    Optionally select the name of the interface that this SNMP manager uses to connect
    to the FortiAnalyzer unit. You only have to select the interface if the SNMP
    manager is not on the same subnet as the FortiAnalyzer unit. This can occur if the
    SNMP manager is on the Internet or behind a router.
Delete
    Select a Delete icon to remove an SNMP manager.
Add
    Add a blank line to the Hosts list. You can add up to 10 SNMP managers to a single
    community.
Queries
    Enter the port number (161 by default) that the SNMP managers in this community use
    for SNMP v1 and SNMP v2c queries to receive configuration information from the
    FortiAnalyzer unit. Select the Enable check box to activate queries for each SNMP
    version.
    Note: The SNMP client software and the FortiAnalyzer unit must use the same port
    for queries.
Traps
    Enter the Local and Remote port numbers (port 162 for each by default) that the
    FortiAnalyzer unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in
    this community. Select the Enable check box to activate traps for each SNMP
    version.
    Note: The SNMP client software and the FortiAnalyzer unit must use the same port
    for traps.
SNMP Events
    Enable each SNMP event for which the FortiAnalyzer unit should send traps to the
    SNMP managers in this community.
Configuring Syslog servers
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
You can configure Syslog servers where the FortiAnalyzer unit can send alerts by the
Syslog protocol. You must add the Syslog server before you can select it as a way for the
FortiAnalyzer unit to communicate an alert.
To view the Syslog servers, go to System > Config > Remote Syslog.
Figure 49: Syslog server list

Name of the GUI item    Description

Test
    Verify the Syslog server configuration by sending a test message to the server.
    See “To verify a Syslog server configuration” on page 97.
Name
    The name of the Syslog server.
IP or FQDN: Port
    The IP address or Fully Qualified Domain Name (FQDN) of the Syslog server, and the
    port number.
To add a Syslog server
1 Go to System > Config > Remote Syslog.
2 Click Create New, enter the appropriate information, then click OK.
Name of the GUI item    Description

Name
    Enter a name for the Syslog server.
IP address (or FQDN)
    Enter the IP address or fully qualified domain name of the Syslog server.
Port
    Enter the Syslog server port number. The default Syslog port is 514.
To verify a Syslog server configuration
1 Go to System > Config > Remote Syslog.
2 Select the Syslog server configuration you want to verify.
3 Select Test.
4 In the Syslog Message field, enter a Syslog message such as “This is a test”.
5 Select Test.
This option only appears if the test Syslog message is successfully sent by the
FortiAnalyzer unit. You need to go to the Syslog server to check if the message has
been successfully received. If the test fails, reconfigure the Syslog server.
Configuring log aggregation
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
Log aggregation is a method of collecting log data from one or more FortiAnalyzer units to
a central FortiAnalyzer unit.
Log aggregation involves one or more FortiAnalyzer units configured to act as aggregation
clients, and a FortiAnalyzer unit configured to act as an aggregation server. The
aggregation client sends all of its device logs, including quarantined or archived files, to
the aggregation server. The transfer includes the active log to the point of aggregation (for
example, tlog.log) and all rolled logs stored on the aggregation client (tlog.1.log,
tlog.2.log, tlog.3.log …). Subsequent log aggregations include only changes; the
aggregation client does not re-send previously aggregated logs.
For example, a company may have a headquarters and a number of branch offices. Each
branch office has a FortiGate unit and a FortiAnalyzer-100B to collect local log
information. Those branch office FortiAnalyzer units are configured as log aggregation
clients. The headquarters has a FortiAnalyzer-2000/2000A which is configured as a log
aggregator. The log aggregator collects logs from each of the branch office log
aggregation clients, enabling headquarters to run reports that reflect all offices.
Note: For more information about log aggregation port numbers, see the Fortinet
Knowledge Base article Traffic Types and TCP/UDP Ports used by Fortinet Products.
Figure 50: Example log aggregation topology (a Head Office and two Branch Offices connected over the Internet)
All FortiAnalyzer models can be configured as a log aggregation client, but log
aggregation server support varies by FortiAnalyzer model, due to storage and resource
requirements.
Table 1: FortiAnalyzer models that support either an aggregation client or server, or both

FortiAnalyzer Model               Aggregation Client   Aggregation Server
FortiAnalyzer-100A/100B/100C      Yes                  No
FortiAnalyzer-400B                Yes                  No
FortiAnalyzer-800/800B            Yes                  Yes
FortiAnalyzer-1000B/1000C         Yes                  Yes
FortiAnalyzer-2000/2000A/2000B    Yes                  Yes
FortiAnalyzer-4000/4000A/4000B    Yes                  Yes
A device logging to a log aggregation client cannot send its logs to the aggregation server
itself, since the server will refuse them. This device will appear in the device list of the
aggregation server. You can easily identify these devices because they do not have Rx and Tx
permissions.
Note: On the aggregation server, configure the device quotas to be equal to or more than
those on the aggregation client to avoid log data loss.
When using log aggregation, all the FortiAnalyzer units must be running the same firmware
release and their system time must be synchronized.
Configuring an aggregation client
An aggregation client is a FortiAnalyzer unit that sends logs to an aggregation server.
By default, log aggregation is disabled on the FortiAnalyzer unit.
To configure the aggregation client, go to System > Config > Log Aggregation, select
Enable log aggregation TO remote FortiAnalyzer and enter the appropriate information.
Select Apply.
Figure 51: Log aggregation client configuration

Name of the GUI item    Description

Enable log aggregation TO remote FortiAnalyzer
    Select to enable log aggregation to a remote FortiAnalyzer unit.
Remote FortiAnalyzer IP
    Enter the IP address of the FortiAnalyzer unit acting as the aggregation server.
Password
    Enter the password for the aggregation server. This password is set when
    configuring the aggregation server. See “Password” on page 101.
Confirm Password
    Enter the password again for the aggregation server.
Aggregation daily at [hh:mm]
    Select the time of day when the aggregation client uploads the logs to the
    aggregation server.
Aggregation Now
    Select to start a log aggregation operation.
    Depending on the amount of new logs since the previous synchronization, the
    aggregation operation can take some time. It is recommended to perform the
    aggregation during off-peak hours.
Configuring an aggregation server
An aggregation server is a FortiAnalyzer unit that receives the logs sent from an
aggregation client. FortiAnalyzer-800/800B units and higher can be configured as
aggregation servers.
Caution: The aggregation server needs to have device quotas at least as large as the
aggregation client. If the device quotas are not correctly configured, log data will be lost.
By default, log aggregation is disabled on the FortiAnalyzer unit.
To configure the aggregation server, go to System > Config > Log Aggregation, select
Enable log aggregation TO this FortiAnalyzer, enter the password and confirm it, and then
select Apply.
Figure 52: Log Aggregation server configuration

Name of the GUI item    Description

Enable log aggregation TO this FortiAnalyzer
    Select to enable log aggregation to this FortiAnalyzer unit.
Password
    Enter a password for access to this FortiAnalyzer unit.
Confirm Password
    Enter the password again to confirm it.
Configuring log forwarding
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
Log forwarding sends duplicates of log messages received by the FortiAnalyzer unit to a
separate Syslog server. This can be useful for additional log storage or processing.
The log forwarding destination (remote device IP) may receive either a full duplicate or a
subset of those log messages that are received by the FortiAnalyzer unit. Log messages
are forwarded only if they meet or exceed the Minimum Severity threshold.
Log forwarding is similar to log uploading or log aggregation, but log forwards are sent as
individual Syslog messages, not whole log files over FTP, SFTP, or SCP, and not as
batches of log files.
By default, log forwarding is disabled on the FortiAnalyzer unit.
To forward logs
1 Go to System > Config > Log Forwarding.
2 Select Enable log forwarding to remote log server.
Name of the GUI item    Description

Enable log forwarding to remote log server
    Select to enable log forwarding to a Syslog server.
Remote device IP
    Enter the IP address of the external syslog server.
Forward all incoming logs
    Select to forward all incoming logs.
Forward only authorized logs
    Select to forward only authorized logs (authorized according to a device’s
    permissions).
Minimum Severity
    Select the minimum severity threshold. All log events of equal or greater severity
    will be transmitted. For example, if the selected minimum severity is Critical, all
    Emergency, Alert and Critical log events will be forwarded; other log events will
    not be forwarded.
3 Enter the appropriate information, and click Apply.
Configuring IP aliases
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
Use IP Alias to assign meaningful names to IP addresses. When configuring reports, or
viewing logs and DLP archives, select Resolve Host Name to view the alias rather than
the IP address.
IP aliases can make logs and reports easier to read and interpret. For example, you could
create an IP alias to display the label mailserver1 instead of its IP address,
10.10.1.54.
When adding an IP alias, you can also include an IP address range. For example:
• 10.10.10.1 - 10.10.10.50
• 10.10.10.1 - 10.10.20.100
To view the IP Alias list, go to System > Config > IP Alias.
Figure 53: List of IP aliases with IP alias ranges
Name of the GUI item | Description
Import | If you have a text file with IP addresses and aliases mapping, you can import the file instead of mapping them one by one on the FortiAnalyzer unit. See “Importing IP aliases” on page 103.
Alias | The name of the IP alias.
Host | The IP address or range for the IP alias.
To add an IP alias
1 Go to System > Config > IP Alias.
2 Select Create New.
3 Enter a nickname for the IP address in Alias.
4 Enter the IP address or range in Host(Subnet / IP Range).
5 Select OK.
Importing IP aliases
If you have a text file with IP addresses and aliases mapping, you can import the file
instead of mapping them one by one on the FortiAnalyzer unit. This is a quick way to add
the mappings to the FortiAnalyzer unit.
The contents of the text file should be in the following format:
<alias_ipv4> <alias_name>
For example:
10.10.10.1 User_1
There can be only one IP address and user name entry per line.
To import the alias file
1 Go to System > Config > IP Alias.
2 Click Import.
3 Enter the path and file name, or select Browse to locate the file.
4 Click OK.
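The import-file format and the alias lookup described above, as an added example (not Fortinet code): a strict parser for `<alias_ipv4> <alias_name>` lines, range and subnet handling for the Host field, and a resolver that rewrites addresses in a log line the way Resolve Host Name does. The alias-name character set, the srcip/dstip field names and the sample data are assumptions made for this example.

```python
"""IP alias import-file parsing and alias lookup, modelled on the FortiAnalyzer
IP Alias feature (added example, not Fortinet code). The import file holds one
"<alias_ipv4> <alias_name>" pair per line; a Host value entered in the GUI may
also be a subnet or an "a - b" range, so both forms are supported here."""
import ipaddress
import re

# Assumption: alias names are limited to a conservative character set.
ALIAS_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
# Assumption: the log fields rewritten when resolving host names.
IP_FIELD_RE = re.compile(r"\b(srcip|dstip)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_host_spec(spec):
    """Return (low, high) integer bounds for a single IP, a CIDR subnet, or 'a - b'."""
    spec = spec.strip()
    if "-" in spec:
        lo_text, hi_text = (p.strip() for p in spec.split("-", 1))
        lo, hi = int(ipaddress.IPv4Address(lo_text)), int(ipaddress.IPv4Address(hi_text))
        if lo > hi:
            raise ValueError(f"range start is after range end: {spec!r}")
        return lo, hi
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    addr = int(ipaddress.IPv4Address(spec))
    return addr, addr


def parse_import_file(text):
    """Parse the import file: exactly one IPv4 address and one alias per line.

    Blank lines are skipped; any other line that is not two fields is rejected,
    so a malformed file cannot silently load a partial mapping.
    """
    aliases = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<alias_ipv4> <alias_name>', got {raw!r}")
        ip_text, name = parts
        try:
            addr = int(ipaddress.IPv4Address(ip_text))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"line {lineno}: bad IPv4 address {ip_text!r}") from exc
        if not ALIAS_NAME_RE.match(name):
            raise ValueError(f"line {lineno}: bad alias name {name!r}")
        aliases.append((addr, addr, name))
    return aliases


def resolve(ip, aliases):
    """Return the first alias whose range covers ip, or ip itself if none does."""
    n = int(ipaddress.IPv4Address(ip))
    for lo, hi, name in aliases:
        if lo <= n <= hi:
            return name
    return ip


def resolve_log_line(line, aliases):
    """Rewrite srcip=/dstip= values with aliases, as Resolve Host Name displays them."""
    return IP_FIELD_RE.sub(lambda m: f"{m.group(1)}={resolve(m.group(2), aliases)}", line)


# Constructed sample data; the addresses echo the guide's own examples.
SAMPLE_IMPORT = "10.10.1.54 mailserver1\n10.10.1.55 mailserver2\n"
RANGE_ALIASES = [
    (*parse_host_spec("10.10.10.1 - 10.10.10.50"), "lab_clients"),
    (*parse_host_spec("10.10.10.1 - 10.10.20.100"), "campus_range"),  # overlaps; first match wins
]
ALIASES = parse_import_file(SAMPLE_IMPORT) + RANGE_ALIASES
SAMPLE_LOG = "date=2010-12-03 srcip=10.10.1.54 dstip=10.10.15.7 action=accept"

if __name__ == "__main__":
    print(resolve_log_line(SAMPLE_LOG, ALIASES))
```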
Configuring RAID
RAID (Redundant Array of Independent Disks) helps to divide data storage over multiple
disks which provides increased data reliability. FortiAnalyzer units that contain multiple
hard disks can configure the RAID array for capacity, performance and availability.
From System > Dashboard > Status, you can view the status of the RAID array from the
Disk Monitor widget. The Disk Monitor widget displays the status of each disk in the RAID
array, including the disk’s RAID level. This widget also displays how much disk space is
being used. For more information, see “Disk Monitor widget” on page 45.
The Alert Message Console widget, located in System > Dashboard > Status provides
detailed information about RAID array failures. For more information see “Alert Message
Console widget” on page 49.
If you need to remove a disk from the FortiAnalyzer unit, you can hot swap it. Hot
swapping means that you can remove a failed hard disk and replace it with a new one
even while the FortiAnalyzer unit is still in operation. Hot swapping is a quick and efficient
way to replace hard disks. For more information about hot swapping, see “Hot-swapping
hard disks” on page 47.
System > Config > RAID allows you to change the RAID level of the RAID array. Changing
the RAID level will remove all log data from the disks, and the device disk quota may be
reduced to accommodate the available disk space in the new RAID array.
Figure 54: RAID Settings (FortiAnalyzer-800B)
Name of the GUI item | Description
RAID Level | Select a RAID level and click Apply. The FortiAnalyzer unit will reboot, destroy the existing RAID array, create a new RAID array with the specified level, and then create a new file system on the array. All existing data is lost.
Total Disk Space | The amount of disk space available within the RAID array.
Free Disk Space | The amount of free disk space.
Disk # | The number identifying the disk. These numbers reflect what disks are available on the FortiAnalyzer unit. For example, on a FortiAnalyzer-4000/4000A, there would be 1-12, whereas on a FortiAnalyzer-2000A there would be 1-6.
Size (GB) | The size of the individual hard disk.
Status | The current status of the hard disk. For example, OK indicates that the hard disk is okay and working normally; Not Present indicates that the hard disk is not being detected by the FortiAnalyzer unit or has been removed and no disk is available; Failed indicates that the hard disk is not working properly.
To change the RAID levels
1 Go to System > Config > RAID.
Tip: Alternatively, go to System > Dashboard > Status and, on the Disk Monitor widget,
click RAID Settings in the title bar.
2 From RAID Level, select a RAID level.
3 Click Apply to begin the process of changing the RAID level.
The following message appears:
Warning: If the RAID setting is changed, ALL data will be
DELETED! The procedure could take up to 20 minutes. Continue?
4 Click OK to continue with the process.
Supported RAID levels
RAID levels vary between FortiAnalyzer units. The following table explains the
recommended RAID levels for each unit, the supported RAID levels, and any additional
information.
Table 2: RAID levels
FortiAnalyzer Platform | Supported Levels | Recommended Level | Note
FortiAnalyzer-100A/100B/100C | | | RAID is not supported.
FortiAnalyzer-400B | 0, 1 | 1 | RAID 0 is supported for only two-disk configuration.
FortiAnalyzer-800/800B | Linear, 0, 1, 5, 10 | 10 | RAID 5 can be configured in the CLI; however, using RAID 5 may decrease performance.
FortiAnalyzer-1000B | 0, 1 | 1 | RAID 0 is supported for only two-disk configuration.
FortiAnalyzer-1000C | Linear, 0, 1, 10 | 10 |
FortiAnalyzer-2000/2000A/2000B | 0, 5, 5 plus spare, 10, 50 | 50 | RAID 5 is supported on 2000B with more than three disks.
FortiAnalyzer-4000/4000A | 0, 5, 5 plus spare, 10, 50 | 50 |
FortiAnalyzer-4000B | 0, 5, 5 plus spare, 10, 50, 6, 6 plus spare, 60 | 50 |
When changing the RAID level, the available levels depend on the number of working
disks that are actually present in the unit. For example, RAID5 is not available on
FortiAnalyzer units with fewer than three disks. With a full complement of working disks,
the default level is the recommended level in the above table. The following sections
assume a full complement except where noted.
You can find out information about RAID from the get system status or diag raid
info commands in the CLI.
Note: Fortinet recommends having an Uninterruptible Power Supply (UPS) to reduce the
possibility of data inconsistencies when power failures occur.
Linear
A linear RAID level combines all hard disks into one large virtual disk. It is also known as
concatenation or JBOD (Just a Bunch of Disks). The total space available in this option is
the capacity of all disks used. There is very little performance change when using this
RAID format. If any of the drives fails, the entire set of drives is unusable until the faulty
drive is replaced. All data will be lost.
RAID 0
A RAID 0 array is also referred to as striping. The FortiAnalyzer unit writes information
evenly across all hard disks. The total space available is that of all the disks in the RAID
array. There is no redundancy available. If any of the drives fails, the data cannot be
recovered. This RAID level is beneficial because it provides better performance, since the
FortiAnalyzer unit can distribute disk writing across multiple disks.
RAID 1
A RAID 1 array is also referred to as mirroring. The FortiAnalyzer unit writes information to
one hard disk, and writes a copy (a mirror image) of all information to all other hard disks.
The total disk space available is that of only one hard disk, as the others are solely used
for mirroring. This provides redundant data storage with no single point of failure. Should
any of the hard disks fail, there are several backup hard disks available. With a
FortiAnalyzer-800 for example, if one disk fails, there are still three other hard disks the
FortiAnalyzer unit can access and continue functioning.
RAID 5
A RAID 5 array employs striping with a parity check. The FortiAnalyzer unit writes
information evenly across all drives. Additional parity blocks are written on the same
stripes. The parity block is staggered for each stripe. The total disk space is the total
number of disks in the array, minus one disk for parity storage. For example, on a
FortiAnalyzer-800 with four hard disks, the total capacity available is actually the total for
three hard disks. RAID 5 performance is typically better with reading than writing, although
performance is degraded when one disk has failed or is missing. With RAID 5, one disk
can fail without the loss of data. If a drive fails, it can be replaced and the FortiAnalyzer
unit will restore the data on the new disk using reference information from the parity
volume.
Note: RAID 5 appears in the web-based manager only for FortiAnalyzer units with
hardware RAID.
RAID 10
RAID 10 (or 1+0), includes nested RAID levels 1 and 0, or a stripe (RAID 0) of mirrors
(RAID 1). The total disk space available is the total number of disks in the array (a
minimum of 4) divided by 2. One drive from a RAID 1 array can fail without loss of data;
however, should the other drive in the RAID 1 array fail, all data will be lost. In this
situation, it is important to replace a failed drive as quickly as possible.
• two RAID 1 arrays of two disks each (FortiAnalyzer-800/800B)
• three RAID 1 arrays of two disks each (FortiAnalyzer-2000/2000A/2000B)
• six RAID 1 arrays of two disks each (FortiAnalyzer-4000/4000A)
• twelve RAID 1 arrays of two disks each (FortiAnalyzer-4000B)
Note: Fortinet recommends using RAID 10 for redundancy instead of RAID 5 on
FortiAnalyzer units with software RAID. RAID 5 can cause decreased performance.
RAID 50
RAID 50 (or 5+0) includes nested RAID levels 5 and 0, or a stripe (RAID 0) and stripe with
parity (RAID 5). The total disk space available is the total number of disks minus the
number of RAID 5 sub-arrays. RAID 50 provides increased performance and also ensures
no data loss for the same reasons as RAID 5. One drive in each RAID 5 array can fail
without the loss of data. For the following FortiAnalyzer units, data is recoverable when:
• two RAID 5 arrays of three disks each (FortiAnalyzer-2000/2000A/2000B)
• three RAID 5 arrays of four disks each (FortiAnalyzer-4000/4000A)
• two RAID 5 arrays of twelve disks each (FortiAnalyzer-4000B)
RAID 5 with hot spare
FortiAnalyzer-2000/2000A/2000B and FortiAnalyzer-4000/4000A/4000B units can use
one of their hard disks as a hot spare (a stand-by disk for the RAID), should any of the
other RAID hard disks fail. If a hard disk fails, within a minute of the failure, the
FortiAnalyzer unit begins to automatically substitute the hot spare for the failed drive,
integrating it into the RAID array, and rebuilding the RAID’s data.
When you replace the failed hard disk, the FortiAnalyzer unit uses the new hard disk as
the new hot spare. The total disk space available is the total number of disks minus two.
RAID 6
RAID 6 provides fault tolerance from two drive failures; the array continues to operate with
up to two failed drives. This makes larger RAID groups more practical, especially for high-availability systems. This becomes increasingly important as large-capacity drives
lengthen the time needed to recover from the failure of a single drive. Single-parity RAID
levels are as vulnerable to data loss as a RAID 0 array until the failed drive is replaced and
its data rebuilt; the larger the drive, the longer the rebuild will take. Double parity gives
time to rebuild the array without the data being at risk if a single additional drive fails
before the rebuild is complete.
RAID 60
RAID 60 (or 6+0) includes nested RAID levels 6 and 0, or a stripe (RAID 0) and stripe with
parity (RAID 6). The total disk space available is the total number of disks minus the
number of RAID 6 sub-arrays. RAID 60 provides increased performance and also ensures
no data loss for the same reasons as RAID 6. One drive in each RAID 6 array can fail
without the loss of data. For the following FortiAnalyzer unit, data is recoverable when:
• two RAID 6 arrays of twelve disks each (FortiAnalyzer-4000B)
RAID 6 with hot spare
The FortiAnalyzer-4000B unit can use one of its hard disks as a hot spare (a stand-by disk for
the RAID), should any of the other RAID hard disks fail. If a hard disk fails, within a minute
of the failure, the FortiAnalyzer unit begins to automatically substitute the hot spare for the
failed drive, integrating it into the RAID array, and rebuilding the RAID’s data.
When you replace the failed hard disk, the FortiAnalyzer unit uses the new hard disk as
the new hot spare. The total disk space available is the total number of disks minus two.
RAID array capacity
Based on the hard disk numbers and sizes, the following table lists the RAID array
capacity for selected FortiAnalyzer platforms. You can use the table as a reference for
choosing RAID levels.
Table 3: RAID array capacity for selected FortiAnalyzer platforms (All values are rounded)
Total Usable Disk Space (in GB)
Platform | Number of Disks | Size per Disk (GB) | RAID 0 | RAID 1 | RAID 5 | RAID 5 + Spare | RAID 10 | RAID 50 | RAID 6 | RAID 6 + Spare | RAID 60
400B | 2 | 500 | 930 | 460 | | | | | | |
800B | 4 | 500 | 1860 | 465 | 1390 | | 930 | | | |
1000B | 2 | 1000 | 1860 | 930 | | | | | | |
1000C | 4 | 932 | 3668 | 917 | | | 1834 | | | |
2000A | 6 | 250 | 1390 | | 1160 | 930 | 695 | 930 | | |
2000A | 6 | 400 | 2230 | | 1863 | 1490 | 1110 | 1490 | | |
2000A | 6 | 500 | 2790 | | 2320 | 1860 | 1390 | 1860 | | |
2000B | 6 | 932 | 5500 | | 4582 | 3666 | 2750 | 3666 | | |
4000A | 12 | 250 | 2790 | | 2560 | 2320 | 1396 | 2320 | | |
4000A | 12 | 400 | 4470 | | 4090 | 3720 | 2330 | 3720 | | |
4000A | 12 | 500 | 5580 | | 5120 | 4650 | 2790 | 4650 | | |
4000B | 24 | 932 | 15380 | | 15380 | 15380 | 10990 | 14653 | 15380 | 15380 | 10990
Note: FortiAnalyzer-4000B supports up to 24 disks. Each disk size is 932GB. In theory,
FortiAnalyzer-4000B can support a maximum disk space of 24 x 932GB (close to 24TB)
when RAID level is 0. However, the FortiAnalyzer unit uses filesystem ext3 which has a
16TB limitation of disk space. Therefore, even if FortiAnalyzer-4000B has 24TB RAID array
capacity, the total disk space is limited to 16TB. This is why the max disk space for
FortiAnalyzer-4000B is 15380GB.
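The capacity and fault-tolerance rules given for each RAID level above, carried through as an added example (not Fortinet code). It counts usable disks from the guide's rules (RAID 5 loses one disk, RAID 6 two, a hot spare one more, RAID 50/60 one or two per sub-array, RAID 10 half) and applies the 15380 GB ext3 ceiling the guide states; Table 3's figures are rounded and include filesystem overhead, so they differ slightly from the raw products computed here.

```python
"""Usable capacity and fault tolerance for the RAID levels described in the
FortiAnalyzer guide (added example, not Fortinet code)."""

# The guide states that ext3 caps the usable space on a FortiAnalyzer-4000B at 15380 GB.
EXT3_LIMIT_GB = 15380

# Minimum disks for one instance of a level (RAID 5 needs three, RAID 10 needs four, ...).
MIN_DISKS = {"linear": 1, "0": 1, "1": 2, "5": 3, "10": 4, "6": 4}
# Minimum disks per sub-array for the nested levels.
SUBARRAY_MIN = {"50": 3, "60": 4}


def usable_disks(level, disks, subarrays=1, spare=False):
    """Return how many disks' worth of capacity holds data at the given level.

    level      "linear", "0", "1", "5", "10", "50", "6" or "60"
    disks      physical disks present in the unit
    subarrays  RAID 5 / RAID 6 sub-arrays striped together (RAID 50 / 60 only)
    spare      reserve one disk as a hot spare (RAID 5 and RAID 6 only)
    Raises ValueError when the level cannot be built from that many disks.
    """
    if level not in MIN_DISKS and level not in SUBARRAY_MIN:
        raise ValueError(f"unknown RAID level {level!r}")
    if spare and level not in ("5", "6"):
        raise ValueError("a hot spare is described only for RAID 5 and RAID 6")
    if subarrays != 1 and level not in SUBARRAY_MIN:
        raise ValueError("sub-arrays apply only to RAID 50 and RAID 60")
    data = disks - (1 if spare else 0)  # disks left once the spare is set aside
    if level in SUBARRAY_MIN:
        if subarrays < 2:
            raise ValueError(f"RAID {level} needs at least two sub-arrays")
        if data % subarrays:
            raise ValueError(f"{data} disks do not split evenly into {subarrays} sub-arrays")
        need = SUBARRAY_MIN[level] * subarrays
    else:
        need = MIN_DISKS[level]
    if data < need:
        raise ValueError(f"RAID {level} needs at least {need} disks, have {data}")
    if level in ("linear", "0"):
        return data                   # every disk holds data, no redundancy
    if level == "1":
        return 1                      # all other disks are mirrors
    if level == "5":
        return data - 1               # one disk's worth of parity
    if level == "6":
        return data - 2               # two disks' worth of parity
    if level == "10":
        if data % 2:
            raise ValueError("RAID 10 needs an even number of disks")
        return data // 2              # stripe of two-disk mirrors
    if level == "50":
        return data - subarrays       # one parity disk per RAID 5 sub-array
    return data - 2 * subarrays       # RAID 60: two parity disks per RAID 6 sub-array


def tolerated_failures(level, disks):
    """Worst-case number of simultaneous disk failures survived without data loss."""
    if level in ("linear", "0"):
        return 0
    if level == "1":
        return disks - 1
    if level in ("5", "10", "50"):
        return 1   # RAID 10/50 survive one per mirror or sub-array, so one is guaranteed
    return 2       # RAID 6 / RAID 60


def capacity_gb(level, disks, size_gb, subarrays=1, spare=False, limit_gb=EXT3_LIMIT_GB):
    """Raw usable capacity in GB, capped at the filesystem limit the guide describes."""
    return min(usable_disks(level, disks, subarrays, spare) * size_gb, limit_gb)


if __name__ == "__main__":
    # Six 500 GB disks, as in the 2000A row of Table 3.
    for lvl, sub, sp in (("0", 1, False), ("5", 1, False), ("5", 1, True), ("10", 1, False), ("50", 2, False)):
        print(f"RAID {lvl}{' + spare' if sp else ''}: {capacity_gb(lvl, 6, 500, sub, sp)} GB")
```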
Configuring LDAP queries for reports
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
Caution: By default, the LDAP query occurs over a standard LDAP connection. The
FortiAnalyzer unit does not support secure query (TLS or LDAPS) protocols.
A directory is a set of objects with similar attributes organized in a logical and hierarchical
way. Generally, an LDAP directory tree reflects geographic or organizational boundaries,
with the Domain Name System (DNS) names at the top level of the hierarchy. The
common name identifier for most LDAP servers is cn; however some servers use other
common name identifiers such as uid.
For example, you could use the following base distinguished name:
ou=marketing,dc=fortinet,dc=com
where ou is organization unit and dc is a domain component.
You can also specify multiple instances of the same field in the distinguished name, for
example, to specify multiple organization units:
ou=accounts,ou=marketing,dc=fortinet,dc=com
Binding occurs when the LDAP server successfully authenticates the user and allows the
user access to the LDAP server based on his or her permissions.
You can configure the FortiAnalyzer unit to use one of two types of binding:
• anonymous - bind using anonymous user search
• regular - bind using user name/password and then search
If the users are under more than one DN, use the anonymous or regular type, which can
search the entire LDAP database for the required user name.
If your LDAP server requires authentication to perform searches, use the regular type and
provide values for user name and password.
In System > Config > LDAP, you can define a query to retrieve a list of LDAP users from a
remote LDAP server. LDAP queries are used in FortiAnalyzer reports as an additional filter
for the user field, providing a convenient way for filtering log data without having to list the
user names manually. For example, you need to create a scope in a report that is
restricted to include only log messages whose user= field matches user names retrieved
from the network’s main LDAP server.
For more information about LDAP queries in FortiAnalyzer reports, see “Configuring
reports from logs in the proprietary indexed file system” on page 165.
To view the LDAP server list, go to System > Config > LDAP.
Figure 55: LDAP server list
Name of the GUI item | Description
Name | The name of the LDAP server.
Server Name/IP | The server name or IP address of the LDAP server.
Port | The port with which the server is exchanging information. The default port is 389.
Common Name Identifier | The name of the common name identifier.
Distinguished Name | The name of the attribute identifier that is used in the LDAP query filter.
To define an LDAP server query
1 Go to System > Config > LDAP.
2 Select Create New, enter the appropriate information for the LDAP server, and select
OK.
Name of the GUI item | Description
Name | Enter the name for the LDAP server query.
Server Name/IP | Enter the LDAP server domain name or IP address.
Server Port | Enter the port number. By default, the port is 389.
Server Type | Select whether to use anonymous or authenticated (regular) queries. If selecting Anonymous, your LDAP server must be configured to allow unauthenticated anonymous queries. If selecting Regular, you must also enter the Bind DN and Bind Password.
Bind DN | Enter an LDAP user name in DN format to authenticate as a specific LDAP user, and bind the query to a DN. This option appears only when the Server Type is Regular.
Bind Password | Enter the LDAP user’s password. This option appears only when the Server Type is Regular.
Common Name Identifier | Enter the attribute identifier used in the LDAP query filter. By default, the identifier is cn. For example, if the Base DN contains several objects, and you want to include only objects whose cn=Admins, enter the Common Name Identifier cn and enter the Group(s) value Admins when configuring report profiles. For more information, see “Configuring reports from logs in the proprietary indexed file system” on page 165. Report scopes using this query require Common Name Identifier. If this option is blank, the LDAP query for reports will fail.
Base DN | Enter the Distinguished Name of the location in the LDAP directory which will be searched during the query. To improve query speed, enter a more specific DN to constrain your search to the relevant subset of the LDAP tree. For example, instead of entering dc=example,dc=com you might enter the more specific DN ou=Finance,dc=example,dc=com. This restricts the query to the “Finance” organizational unit within the tree. Report scopes using this query require Base DN. If this option is blank, the LDAP query for reports will fail.
LDAP Distinguished Name Query | View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. Leave the Base DN field empty for this option to work. For more information, see “Querying for the base DN” on page 112.
Querying for the base DN
The LDAP Distinguished Name Query list displays the LDAP Server IP address, and all
the distinguished names associated with the Common Name Identifier for the LDAP
server. The tree helps you to determine the appropriate entry for the Base DN field.
In the Base DN field, enter the DN you choose from the list and click OK. The DN appears
in the Base DN field of the LDAP server configuration.
Figure 56: LDAP Distinguished Name Query
Backing up the configuration & installing firmware
Backup & Restore displays the date and time of the last configuration backup and the last
firmware upload. It also enables you to:
• download and back up a FortiAnalyzer unit’s configuration
• upload and restore a FortiAnalyzer unit’s configuration
• upload a firmware update
Backed up copies of the FortiAnalyzer unit configuration file can be encrypted with a
password. When restoring encrypted configuration files, the password must be entered to
decrypt the file.
Caution: Do not forget the password to the backed up configuration file. A
password-encrypted backup configuration file cannot be restored without the password.
For additional information about backing up and restoring configuration, see “Maintaining
firmware” on page 263.
Figure 57: Backup & Restore
Name of the GUI item | Description
System Configuration |
Last Backup | The date and time of the last backup to local PC.
Backup configuration to: | Currently, the only option on the web-based manager is to back up to your local PC. However, you can use the execute backup config command to back up the system configuration to a file on a FTP, SFTP, SCP, or TFTP server. For more information, see the FortiAnalyzer CLI Reference.
Encrypt configuration file | Select to encrypt the backup file. Enter a password in the Password field and enter it again in the Confirm field. You will need this password to restore the file. You must encrypt the backup file if you are using a secure connection to a FortiGate or FortiManager device.
Password | Enter a password to encrypt the configuration file. This password is required when restoring the configuration file.
Confirm | Enter the password again to confirm.
Backup | Select to back up the configuration.
Restore configuration from: | Currently the only option is to restore from a PC.
Filename | Enter the configuration file name or use the Browse button if you are restoring the configuration from a file on the management computer.
Password | Enter the password if the backup file is encrypted.
Restore | Select to restore the configuration from the selected file.
Firmware |
Partition | A partition can contain one version of the firmware and the system configuration.
Active | A green check mark indicates which partition contains the firmware and configuration currently in use.
Last Upgrade | The date and time of the last update to this partition.
Firmware Version | The version and build number of the FortiAnalyzer firmware. If your FortiAnalyzer model has a backup partition, you can: select Upload to replace with firmware from the management computer; or select Upload and Reboot to replace the existing firmware and make this the active partition.
Scheduling & uploading vulnerability management updates
You can update the engine and vulnerability scan modules in one of the following ways:
• manually upload update packages to the FortiAnalyzer unit from your management computer
• configure the FortiAnalyzer unit to periodically request updates from the Fortinet Distribution Network (FDN)
You must register and license the FortiAnalyzer unit and purchase and register
vulnerability management service with the Fortinet Technical Support web site,
https://support.fortinet.com/, to receive vulnerability management updates from the FDN.
See “(Vulnerability Management) Subscribe” on page 115. The FortiAnalyzer unit must
also have a valid Fortinet Technical Support contract, which includes VM update
subscriptions, and be able to connect to the FDN or the IP address that you have
configured to override the default FDN addresses. For port numbers required for license
validation and update connections, see the Fortinet Knowledge Base article FDN Services
and Ports.
For more information about configuring vulnerability scan jobs and viewing vulnerability
scan reports, see “Vulnerability Management” on page 211.
To manually upload vulnerability management updates or to configure scheduled
vulnerability management updates, go to System > Maintenance > FortiGuard.
Figure 58: FortiGuard Distribution Network
Name of the GUI item | Description
FortiGuard Subscription Services | The Vulnerability Management registration status, engine and module version number, date of last update, and status of the connection to the FortiGuard Distribution Network (FDN). A green indicator means that the FortiAnalyzer unit can connect to the FDN or override server. An orange indicator means that the FortiAnalyzer unit cannot connect to the FDN or override server. Check the configuration of the FortiAnalyzer unit and any NAT or firewall devices that exist between the FortiAnalyzer unit and the FDN or override server. For example, you may need to add routes to the FortiAnalyzer unit’s routing table.
(Vulnerability Management) Subscribe | Select to open the Fortinet Technical Support web site to register the FortiAnalyzer unit and Vulnerability Management Service to receive vulnerability management updates from the FDN.
(VM Plugins) Update | Select to upload a Vulnerability Management upgrade file from your management computer. To obtain a VM upgrade file, contact Fortinet Technical Support. You might upload a VM file if you want to provide an immediate update, or use a VM version other than the one currently provided by the FDN. If you want to use a VM file other than the one currently provided by the FDN, also disable scheduled updates. Note: Manual updates are not a substitute for a connection to the FDN. As with scheduled updates, manual updates require that the FortiAnalyzer unit be able to connect to the FDN to validate its VM license.
Vulnerability Management | Select the Expand arrow to display this FortiAnalyzer unit’s FortiGuard server options for the subscription services.
Use override server address | Enable Use override server address and enter the IP address and port number of an FDS in the format <IP>:<port>, such as 10.10.1.10:8889. If you want to connect to a specific FDN server other than the one to which the FortiAnalyzer unit would normally connect, you can override the default IP addresses by configuring an override server. If, after applying the override server address, the FDN status icon changes to indicate availability (a green check mark), the FortiAnalyzer unit has successfully connected to the override server. If the icon still indicates that the FDN is not available, the FortiAnalyzer unit cannot connect to the override server. Check the FortiAnalyzer configuration and the network configuration to make sure you can connect to the FDN override server from the FortiAnalyzer unit.
Use Web Proxy | Select to enable the FortiAnalyzer unit to connect to the FDN through a web proxy, then enter the IP, Port, and (if required) Name and Password.
IP | Enter the IP address of the web proxy.
Port | Enter the port number of the web proxy. This is usually 8080.
Name | If your web proxy requires a login, enter the user name that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.
Password | If your web proxy requires a login, enter the password that your FortiAnalyzer unit should use when connecting to the FDN through the web proxy.
Scheduled Update [Request Update Now] | Enable scheduled updates, then select the frequency of the update (Every, Daily or Weekly). Select Request Update Now if you want to immediately request an update.
Every | Select to update once every n hours, then select the number of hours in the interval.
Daily | Select to update once every day, then select the hour. The update attempt occurs at a randomly determined time within the selected hour.
Weekly | Select to update once a week, then select the day of the week and the hour of the day. The update attempt occurs at a randomly determined time within the selected hour.
Migrating data from one FortiAnalyzer unit to another
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
You can migrate configuration settings and log data from one FortiAnalyzer unit to another
from System > Maintenance > Migration. This is referred to as migrating data, and
provides an easy way to have the same information on multiple FortiAnalyzer units without
having to manually configure each one.
Caution: When migrating configuration settings and log data from one FortiAnalyzer unit to
another, the source FortiAnalyzer unit stops receiving logs from the managed devices as
soon as it enters into the migration mode. If you want to keep the logs from the devices
during the migration process, make sure that the managed devices send logs to the
destination FortiAnalyzer unit or another compatible log storage location. To send logs to
the destination FortiAnalyzer unit, simply swap the IP addresses of the source and
destination units by going to System > Network > Interface on each unit. You also need to
perform step 5 on the destination unit. You can swap the IP addresses back after the
migration completes.
The destination FortiAnalyzer unit will lose all of the data received prior to the migration
process starts. Back up the important data on the destination unit if necessary.
You can also test the connection between two FortiAnalyzer units before migrating the
configuration settings to verify that the connection is working properly.
Before you begin the migration process, you need to verify that each FortiAnalyzer unit is
upgraded to FortiAnalyzer 4.0 MR1 or higher. The migration feature is available only in
FortiAnalyzer 4.0 MR1 or higher. You also need to decide which FortiAnalyzer unit will be
the one used for migrating data to the other before proceeding. Migrating data should be
done during a low traffic time period, for example at night, because, depending on the
amount of data being transferred, it could take more than an hour to transfer.
Caution: To migrate data, the firmware release number and build number on the source
and destination FortiAnalyzer units must match. Otherwise the migration will fail.
You need to configure both the FortiAnalyzer unit that will be sending data (source
FortiAnalyzer unit) and the FortiAnalyzer unit that will be receiving data (destination
FortiAnalyzer unit) for migrating configuration settings.
To configure the source FortiAnalyzer unit
1 On the source FortiAnalyzer unit, log in to the web-based manager.
Remember the login password. You will need it for configuring the destination
FortiAnalyzer unit. See “To configure the destination FortiAnalyzer unit for migrating
configuration settings” on page 117.
2 Go to System > Maintenance > Migration.
3 Select Source to enable the FortiAnalyzer unit to send the configuration settings to the
other FortiAnalyzer unit.
4 In Peer IP, enter the IP address of the FortiAnalyzer unit that will be receiving the data.
5 Select Apply, then select Enter Migration Mode.
A message similar to the following appears:
Enabling source migration mode will cause a reboot. Would you
like to continue?
6 Select OK to reboot the FortiAnalyzer unit in migration mode.
This may take a few minutes. You may need to refresh the page so that the login page
displays. You can then log back in to the web-based manager to verify that the
FortiAnalyzer unit is in migration mode. Only the admin user can log in to the
FortiAnalyzer unit in migration mode.
Only System > Admin > Settings (Read + Write) and System > Maintenance >
Migration (Read + Write) menu items appear under migration mode for a source
FortiAnalyzer unit. You can modify these settings and they will be migrated to the
destination unit.
The migration does not start until the destination FortiAnalyzer unit is configured and
begins to query the source unit.
7 If you need to modify the Peer IP in migration mode, enter a new one and select Apply.
To configure the destination FortiAnalyzer unit for migrating configuration settings
1 On the destination FortiAnalyzer unit, log in to the web-based manager and go to
System > Maintenance > Migration.
2 Select Destination to enable the FortiAnalyzer unit to receive the configuration settings.
3 Enter the IP address of the source FortiAnalyzer unit.
4 Enter the same password you used when logging into the source FortiAnalyzer unit.
The destination FortiAnalyzer unit will use this password to log into the source
FortiAnalyzer unit to get the configuration. The migration will fail if the passwords do
not match.
5 If you want this FortiAnalyzer unit to receive logs and data from the registered devices
during the migration process, select the check box beside Accept Logs & Reports.
The logs and data received from the managed devices during the migration process
will not be overridden by the migrated data.
You can also enable or disable this option during the migration process. For more
information, see “Actions during the migration process” on page 118.
6 To receive certain logs and files, expand All Categories and then select what you want
to receive. To receive all the categories, select the check box beside All Categories.
7 Click Apply, and then click Test Migration Mode.
This FortiAnalyzer unit contacts the source FortiAnalyzer unit to validate the migration.
The validation focuses on the following:
• If the source unit and destination unit have different versions of firmware, the
destination unit aborts the migration.
• If the destination unit has data, a warning displays. You may choose to proceed or
not.
• If the source unit is not in migration mode, the destination unit aborts the migration.
• If the source unit’s IP is wrong or there is a network problem, Migration source is not
reachable displays.
8 If the migration mode test is successful, select Enter Migration Mode.
Only the following menu items appear:
• System > Dashboard > Dashboard (Read-Only)
• System > Network > Interface/DNS/Routing (Read + Write)
• System > Admin > Settings (Read + Write)
• System > Admin > Maintenance > Migration (Read + Write)
• Device > All > Device (Read-Only)
• Log > Log Viewer > Real-time (Read + Write)
• Tools > File Explorer (Read-Only)
You can modify the settings with Read + Write privileges and they will not be
overridden by the migrated data.
9 If you modify the configurations in migration mode, select Apply.
10 Select Start Migration.
This may take a few minutes or several hours, depending on the amount of data that is
being transferred. For example, if there is 500 GB of data that is being transferred, it
will take several hours to send.
See “Actions during the migration process” on page 118 for actions that can be taken
during the migration process.
11 When the migration process is complete, go to the source and destination
FortiAnalyzer units.
12 Log in to the web-based manager and go to System > Maintenance > Migration.
13 Select Exit Migration Mode.
Actions during the migration process
During the migration process, the destination FortiAnalyzer unit displays and automatically
updates phase descriptions, results, and a progress bar with size (such as 123 of
480 GB) and time (such as 18 mins. of estimated 4h14m) indicators. You can check the
migration status in real time from both the web-based manager and the CLI.
You can also:
• Choose Start/Stop Accepting New Data.
This action allows the destination unit to accept or deny data from the registered
devices. For example, if you want to speed up the data migration process and can
afford to lose some logs from the devices, you can select to stop accepting new data.
When the destination unit receives new logs and data, messages appear in the
migration status display.
• Choose to pause the ongoing migration process from the destination unit. You can
subsequently start again or cancel the migration by selecting the respective button.
• If the destination unit is interrupted unexpectedly, for example, by a power or network
failure:
• the message The migration destination became silent. Please verify its status.
appears on the source unit. Click OK.
• when the destination unit is back alive in migration mode, resume or cancel the
migration by selecting the respective button.
Importing a local server certificate
You can change the FortiAnalyzer unit’s default HTTPS certificate to a new certificate
(PKCS #12 format) signed by a certificate authority (CA) other than Fortinet.
This feature is not available on the web-based manager. However, you can do it with the
following CLI command:
execute admin-cert import {ftp|sftp|scp|tftp} <server_ipv4>
<argument1_str> <argument2_str> <argument3_str>
where:
• <argument1_str> – For FTP, SFTP or SCP, enter a user name. For TFTP, enter a
directory or file name.
• <argument2_str> – For FTP, SFTP or SCP, enter a password or “-”. For TFTP, enter
a file name or PKCS #12 file password or “-”.
• <argument3_str> – For FTP, SFTP or SCP, enter a directory or file name. For TFTP,
enter a PKCS #12 file password or “-”.
Web services are automatically encrypted with SSL (HTTPS). The FortiAnalyzer unit
automatically generates a self-signed public certificate. To view the public certificate, in
the CLI, enter the command:
get system ws-cert
You can use this auto-generated certificate, or you can replace it with your own certificate
using the associated set command. FortiManager units with which the FortiAnalyzer unit
is registered will automatically accept the new certificate.
For more information on HTTPS access to the web-based manager and web services, see
“Configuring the network interfaces” on page 61.
For more information about CLI commands, see the FortiAnalyzer CLI Reference.
Devices
The Devices menu controls connection attempt handling, permissions, disk space quota,
and other aspects of devices that are connected to the FortiAnalyzer unit for remote
logging, DLP archiving, quarantining, and/or remote management.
For a diagram of traffic types, ports and protocols that FortiAnalyzer units use to
communicate with other devices and services, see the Fortinet Knowledge Base article
Traffic Types and TCP/UDP Ports used by Fortinet Products.
This topic includes:
• Configuring connections with devices & their disk space quota
• Configuring device groups
• Classifying FortiGate network interfaces
Note: Connection attempts not handled by the device list include log aggregation, log
forwarding, and SNMP traps. For more information about configuring connection handling
for those types, see “Configuring log aggregation” on page 98, “Configuring log forwarding”
on page 101, and “Configuring the SNMP agent” on page 92.
Configuring connections with devices & their disk space quota
The device list displays devices that are allowed to connect to the FortiAnalyzer unit
including their connection permissions. The list may also display unregistered devices
attempting to connect.
Connection attempts occur when a device sends traffic to the FortiAnalyzer unit before
you have added the device to the FortiAnalyzer unit. FortiAnalyzer units either ignore the
connection attempt, or automatically add the device to its device list as either a registered
or unregistered device. This connection attempt handling depends on:
• the type of the device that is attempting to connect
• your selections in Unregistered Options, and
• whether the maximum number of devices has been reached on the FortiAnalyzer unit
For more information on:
• connection attempt handling, see “Configuring unregistered device options” on
page 131.
• the device number maximum, see “Maximum number of devices” on page 124.
• manually adding a device to the device list, see “Manually adding or deleting a device
or HA cluster” on page 127.
Adding a device to the device list configures connections from the device but does not
automatically establish a connection. You need to configure the device to send traffic to
the FortiAnalyzer unit to establish a connection. For more information, see the FortiGate
Administration Guide, FortiMail Administration Guide, FortiManager Administration Guide,
FortiClient Administrator’s Guide, or your Syslog server’s documentation.
Due to the nature of connectivity for certain high availability (HA) modes, FortiGate units in
an HA cluster may not be able to send full DLP archives and quarantine data. For more
information, see the FortiGate HA Overview.
You may want to block connection attempts from devices that you do not want to add to
the device list, because otherwise each new connection attempt must be handled again. For
more information, see “Blocking unregistered device connection attempts” on page 132.
Devices may automatically appear on the device list when the FortiAnalyzer unit receives
a connection attempt, according to your configuration of Unregistered Options, but
devices may also automatically appear as a result of importing log files. For more
information, see “Importing a log file” on page 153.
To view the device list, go to Devices > All Devices > Allowed.
Note: Hover your cursor over an item to display more information.
Figure 59: Device list
Name of the GUI item / Description
Create New
Select to manually add a new device to the device list.
For information about how to manually add devices, see “Manually
adding or deleting a device or HA cluster” on page 127.
Edit
Reconfigure the selected device connection.
Delete
Remove the selected devices from the list. You cannot delete a device
that is referenced elsewhere in the configuration, such as by being
assigned to a device group. To delete the device, first remove all
configuration references to that device.
If you use the default proprietary indexed file storage system for log
storage, once a device is removed from the device list, the associated
logs and other data, such as DLP archives and the default report
profile for the device (that is, the device summary report
Default_<device_name>) are deleted. Reports that may have
been already generated from the device’s log data, however, are not
deleted.
If you use the local SQL file storage system for log storage, once a
device is removed from the device list, the associated logs are not
deleted. To delete the logs, use the command execute sql-local
remove-device. This command does not remove reports that may
have been already generated from the device’s log data.
If the device is still configured to attempt to connect to the
FortiAnalyzer unit and you have configured Unregistered Device
Options to display connection attempts from unregistered devices, the
device may reappear in the device list.
Register
This option only appears if you select an unregistered device.
Change a selected unregistered device into a registered one.
When the Register Device page appears, enter a name for the device,
and modify other settings if required. Click OK. The device appears in
the Allowed device list.
For more information on registering a device, see “Manually adding or
deleting a device or HA cluster” on page 127.
Block
Stop further connection attempts. This option appears if the selected
device is an unregistered device. For more information about
blocking a device, see “Blocking unregistered device connection
attempts” on page 132.
Column Display Settings
Select to change the columns to view and the order they appear on
the page. For more information, see “Displaying and arranging log
columns” on page 141.
Search
Enter partial or the full name of a device and select the one you want
from the list to view or edit the device.
Name
The name of the device in the device list. This can be any descriptive
name that you want assigned to it, and does not need to be its host
name.
Select the arrow beside Name to list the devices in either ascending or
descending order.
An orange exclamation point (!) icon before a device name indicates
that the device is connecting to the FortiAnalyzer unit and the device’s
time zone is not synchronized with the FortiAnalyzer unit’s time zone.
Model
The model of the device. For example, the device list displays a
FortiGate-400A model as FGT400A.
IP Address
The IP address of the device. If the device has not recently
established a connection, 0.0.0.0 appears.
Log
DLP
Quar
IPS
Mouse over an icon to view when the FortiAnalyzer unit last received logs
or data from the device, whether it has received any logs or data from the
device at all, whether logging is disabled on the device, or whether the
device is unregistered.
Only FortiGate units can send DLP archives, quarantine files, and IPS
files to the FortiAnalyzer unit.
Secure
Indicates whether IPSec VPN tunnelling has been enabled for secure
transmission of logs, content and quarantined files.
Caution: A locked icon indicates that secure connection is enabled,
but not necessarily fully configured, and the tunnel may not be up. For
more information, see “Configuring IPSec secure connections
between the FortiAnalyzer unit and a device or an HA cluster” on
page 126.
Quota Usage
The amount of the FortiAnalyzer disk space allocated for the device
and how much of that space is used. For information on configuring
disk space usage by quarantined files, see the FortiAnalyzer CLI
Reference.
Virtual Domains
The number of VDOMs on the device.
Type
The type of the device: FortiGate unit, FortiManager unit, FortiMail
unit, FortiClient installation, or Syslog server.
ADOM
The ADOMs to which the device is assigned.
This column does not appear:
• on FortiAnalyzer-100B models
• when ADOM is disabled on the FortiAnalyzer unit.
For more information about ADOM, see “About administrative
domains (ADOMs)” on page 23.
Mode
Indicates whether the device is a standalone unit or a member of a cluster.
Show
Select the type of devices to display in the list. You can select devices
by type, or select Unregistered to display devices that are attempting
to connect but that have not yet been registered or added.
Current Page
By default, the first page of the list of items is displayed. The total
number of pages displays after the current page number. For
example, if 2/10 appears, you are currently viewing page 2 of 10
pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
Unregistered vs. registered devices
Devices > All Devices > Allowed displays devices, both registered and unregistered, that
have attempted to connect to the FortiAnalyzer unit.
A registered device can use all features of the FortiAnalyzer unit, while an unregistered
device will not be able to use most of the FortiAnalyzer unit’s features unless you
add/register it.
Note: Generic Syslog devices cannot be used for features such as reports or DLP archives,
and therefore cannot be registered.
By default, all Fortinet devices (FortiGate, FortiManager, FortiClient, and FortiMail) are
discovered and listed as registered devices. All generic Syslog devices are discovered
and automatically listed as unregistered devices. You can configure these
settings. For more information, see “Configuring unregistered device options” on
page 131.
You can also manually add/register a device. For more information, see “Manually adding
or deleting a device or HA cluster” on page 127.
Maximum number of devices
Each FortiAnalyzer model is designed to support and provide effective logging and
reporting capabilities for up to a certain maximum number of devices (registered and
unregistered combined). The following table details these maximums.
Table 4: FortiAnalyzer device limits
FortiAnalyzer models | Maximum number of devices and/or VDOMs allowed | Maximum number of FortiClient installations allowed | FortiGate models supported | FortiManager models supported | FortiMail models supported
FortiAnalyzer-100A/100B/100C | 100 | 100 | FortiGate-30B to FortiGate-224B/C | All | All
FortiAnalyzer-400B | 200 | 2000 | All | All | All
FortiAnalyzer-800/800B | 500 | 5000 | All | All | All
FortiAnalyzer-1000B | No restrictions | No restrictions | All | All | All
FortiAnalyzer-1000C | No restrictions | No restrictions | All | All | All
FortiAnalyzer-2000/2000A | No restrictions | No restrictions | All | All | All
FortiAnalyzer-2000B | No restrictions | No restrictions | All | All | All
FortiAnalyzer-4000/4000A | No restrictions | No restrictions | All | All | All
FortiAnalyzer-4000B | No restrictions | No restrictions | All | All | All
To view the number of devices currently attempting to connect, see “License Information
widget” on page 38.
For networks with more demanding logging scenarios, an appropriate device ratio may be
less than the allowed maximum. Performance will vary according to your network size,
device types, logging thresholds, and many other factors. When choosing a FortiAnalyzer
model, consider your network’s log frequency, and not only your number of devices.
A VDOM or high availability (HA) cluster counts as a single “device” towards the maximum
number of allowed devices. Multiple FortiClient installations (which can number up to the
limit of allowed FortiClient installations) also count as a single “device.”
For example, a FortiAnalyzer-100B could register up to either:
• 10 devices
• 9 devices and 100 FortiClient installations
• 9 devices and one HA pair
• 1 device and 9 VDOMs
but could not register 1 device and 900 FortiClient installations.
When devices attempt to connect to a FortiAnalyzer unit that has reached its maximum
number of allowed devices, the FortiAnalyzer unit rejects the connection
attempts of the excess devices and automatically adds those excess devices to the list of
blocked devices. For more information about blocked devices, see “Configuring device
groups” on page 134.
When the FortiAnalyzer unit has exceeded its maximum number of allowed devices, you
will not be able to add devices to the device list. To resume adding devices, you must first
block a device that is currently on your device list, then unblock the device you want to add
and add it to the device list.
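The counting rules above, as an added Python model that is not part of the guide: each standalone device, HA cluster and VDOM takes one device slot, all FortiClient installations together take one slot but are capped separately, and excess devices are rejected and placed on the blocked list. The limits are parameters; the checks in the main block use the worked example in the text (10 devices and 100 FortiClient installations).

```python
"""Capacity model for the device-limit rules in this section of the guide.

The class names, kinds and the check_combination helper are this example's own
(hypothetical) constructs, not FortiAnalyzer CLI or API names.
"""
from dataclasses import dataclass, field
from typing import List, Optional

KINDS = ("standalone", "ha_cluster", "vdom", "forticlient")


@dataclass
class Entry:
    """One device-list row. count is only meaningful for forticlient
    entries, where it is the number of installations."""
    name: str
    kind: str
    count: int = 1


@dataclass
class DeviceList:
    max_devices: Optional[int]      # None models "No restrictions" in Table 4
    max_forticlient: Optional[int]  # likewise for the FortiClient column
    entries: List[Entry] = field(default_factory=list)
    blocked: List[Entry] = field(default_factory=list)

    def forticlient_installs(self) -> int:
        return sum(e.count for e in self.entries if e.kind == "forticlient")

    def slots_used(self) -> int:
        """Device slots consumed: one per device, HA cluster or VDOM, plus
        one shared slot for all FortiClient installations together."""
        slots = sum(1 for e in self.entries if e.kind != "forticlient")
        if self.forticlient_installs() > 0:
            slots += 1
        return slots

    def fits(self, entry: Entry) -> bool:
        """Would registering entry stay within both limits?"""
        if entry.kind not in KINDS:
            raise ValueError(f"unknown device kind: {entry.kind}")
        if entry.kind == "forticlient":
            installs = self.forticlient_installs() + entry.count
            if self.max_forticlient is not None and installs > self.max_forticlient:
                return False
            # The shared FortiClient slot is only consumed the first time.
            new_slots = self.slots_used() + (0 if self.forticlient_installs() else 1)
        else:
            new_slots = self.slots_used() + 1
        return self.max_devices is None or new_slots <= self.max_devices

    def connection_attempt(self, entry: Entry) -> str:
        """Register the device if it fits; otherwise reject the attempt and
        record the device as blocked, as the guide describes."""
        if self.fits(entry):
            self.entries.append(entry)
            return "registered"
        self.blocked.append(entry)
        return "blocked"


def check_combination(max_devices: Optional[int], max_forticlient: Optional[int],
                      devices: int = 0, vdoms: int = 0, ha_clusters: int = 0,
                      forticlient: int = 0) -> bool:
    """Does this mix of registrations fit on a unit with the given limits?"""
    dl = DeviceList(max_devices, max_forticlient)
    items = ([Entry(f"dev{i}", "standalone") for i in range(devices)]
             + [Entry(f"vdom{i}", "vdom") for i in range(vdoms)]
             + [Entry(f"ha{i}", "ha_cluster") for i in range(ha_clusters)])
    if forticlient:
        items.append(Entry("forticlient", "forticlient", forticlient))
    return all(dl.connection_attempt(i) == "registered" for i in items)


if __name__ == "__main__":
    # The worked example from the text: 10 devices, 100 FortiClient installations.
    print(check_combination(10, 100, devices=10))                  # True
    print(check_combination(10, 100, devices=9, forticlient=100))  # True
    print(check_combination(10, 100, devices=9, ha_clusters=1))    # True
    print(check_combination(10, 100, devices=1, vdoms=9))          # True
    print(check_combination(10, 100, devices=1, forticlient=900))  # False
```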
Configuring IPSec secure connections between the FortiAnalyzer unit and a
device or an HA cluster
For secure transmission of logs, content archives, and quarantined files, you can
configure an IPSec VPN tunnel between the FortiAnalyzer unit and FortiGate devices or
HA clusters, and FortiManager devices.
Note: You must configure the secure tunnel on both ends of the tunnel, the FortiAnalyzer
unit and the device.
For more information on the CLI commands, see the FortiAnalyzer CLI Reference,
FortiGate CLI Reference, and FortiManager CLI Reference.
Note: Changing a device’s FortiAnalyzer settings clears sessions to that IP address. If the
FortiAnalyzer unit is behind a NAT device, such as a FortiGate unit, this also resets
sessions to other hosts behind that same NAT.
To prevent disruption of other devices’ traffic, on the NAT device, create a separate virtual
IP for the FortiAnalyzer unit.
To configure a secure connection on a FortiAnalyzer unit
On the FortiAnalyzer CLI, enter the following commands:
config log device
edit <device_name>
set secure psk
set psk <preshared-key_str>
set id <fortigate’s_device_name_on_the_fortianalyzer
/fortimanager-serial-number_str>
end
To configure a secure connection on a FortiGate unit
On the FortiGate CLI, enter the following commands:
config log {fortianalyzer | fortianalyzer2 | fortianalyzer3}
settings
set encrypt enable
set psksecret <preshared-key_str>
set localid <fortigate’s_device_name_on_the_fortianalyzer>
end
Note: To enable and configure secure connection on a FortiGate HA cluster, configure the
primary device in the cluster. The primary device will synchronize the configuration with its
members.
To configure a secure connection on a FortiManager system
On the FortiManager CLI, enter the following commands:
config fmsystem log fortianalyzer
set secure_connection enable
set psk <preshared-key_str>
set localid <fortianalyzer_serial_number_str>
end
Manually adding or deleting a device or HA cluster
You can add devices to the FortiAnalyzer unit’s device list either manually or automatically.
If you have configured Unregistered Options to automatically add known-type devices,
you may only need to manually add unknown-type devices such as a generic Syslog
server. If you have configured Unregistered Options to list all devices as unregistered, you
may be required to add all devices manually. For more information, see “Configuring
unregistered device options” on page 131.
If the device has already been automatically added, the device was added to the device
list using default settings. You can reconfigure the device connection by manually editing
the device in the device list.
All FortiClient installations are added as a single device, rather than as one device
configuration per FortiClient installation, and their log messages are stored together. Use
the FortiAnalyzer reporting features to obtain network histories for individual FortiClient
installations.
Note: Remote logging from FortiClient installations requires FortiClient 3.0 MR2 or later.
You must add the FortiManager system to the FortiAnalyzer device list for the
FortiAnalyzer unit to be remotely administered by the FortiManager system. Additionally,
you must also:
• enable web services on the FortiAnalyzer network interface that will be connected to
the FortiManager system (see “Configuring and using FortiAnalyzer web services” on
page 64)
• register the FortiAnalyzer unit with the FortiManager system (see the FortiManager
Administration Guide)
• be able to connect from your computer to the web-based manager of both the
FortiManager system and the FortiAnalyzer unit.
To manually add a device or HA cluster
1 Go to Devices > All Devices > Allowed.
2 Do one of the following:
• To add unregistered devices, at the bottom of the page, select Unregistered from
Show. Select an unregistered device and select Register.
• To add other devices, select Create New.
3 Enter the appropriate information.
Name of the GUI item / Description
Device Type
Select the device type.
The type is automatically pre-selected if you are adding an unregistered
device from the device list, or if you are editing an existing device.
Other device options vary by the device type.
Device Name
Enter a name to represent the FortiGate unit, such as FG-1000-1. This can
be any descriptive name that you want to assign to it, and does not need to be
its host name.
The device name is automatically pre-entered if you are adding a
FortiClient installation.
IP Address
Enter the IP address of the device.
This option appears only if Device Type is Syslog.
Device ID
Enter the device ID. Device IDs are usually the serial number of the device,
and usually appear on the dashboard of the device’s web-based manager.
The device ID is automatically pre-entered if you are adding an
unregistered device from the device list, or if you are editing an existing
device.
This option does not appear if Device Type is Syslog or FortiClient.
Cluster ID (primary
member)
Enter the ID of the primary member in an HA cluster.
This option appears only if Mode is HA.
Disk Allocation (MB)
Enter the amount of hard disk space allocated to the device’s log and
content messages, including quarantined files.
The allocated space should be at least 10 times the log rolling size for the
Log and DLP archive. For example, if you set the log and DLP archive log
file roll size to 50 MB, allocate at least 500 MB of disk space for the device.
Amounts following the disk space allocation field indicate the amount of disk
space currently being used by the device, and the total amount of disk
space currently available on the FortiAnalyzer unit.
When Allocated Disk Space is All Used
Select to either Overwrite Oldest Files or Stop Logging to indicate what the
FortiAnalyzer unit should do when the allocated disk space has been used.
For more information about disk space allocation, see “System Resources
widget” on page 39.
Device Privileges
Select the connection privileges of the device, such as for sending and
viewing log files, DLP archives and quarantined files. Available permissions
vary by device type.
Note: Remotely accessing logs, DLP archive logs and quarantined files is
available on FortiGate units running firmware version 4.0 or later.
Description
Enter any additional information on the device. Description information
appears when you move the mouse over a device name in the device list.
Mode
If you are adding a single unit, select Standalone.
If you are adding an HA cluster, select HA, then select the devices other
than the primary member of the cluster from Available Devices (devices on
the FortiAnalyzer unit’s device list) and move them to Membership using the
right-pointing arrow. The devices are added to the HA cluster. You can also
manually enter a device ID in the field under Available Devices and select
Add to put it into the HA cluster. Although the manually-entered devices will
not appear in the device list since they are not added to the FortiAnalyzer
unit, they can communicate with the FortiAnalyzer unit through the primary
device of the cluster because the primary device synchronizes the
configuration with its members.
All device models in an HA cluster must be the same. The FortiAnalyzer
unit will check each device ID’s first 6 digits to ensure the consistency.
This option appears only if Device Type is FortiGate or FortiManager.
4 Select OK.
The device appears in the device list. After registration, some device types can be
configured for secure connection. For more information, see “Secure” on page 123.
Manually adding a FortiGate unit using the Fortinet Discovery Protocol (FDP)
If you configure the FortiAnalyzer unit to respond to Fortinet Discovery Protocol (FDP)
packets, FortiGate units running FortiOS version 4.0 or higher can use FDP to locate a
FortiAnalyzer unit. Both units must be on the same subnet to use FDP, and they also must
be able to connect using UDP. For more information, see “About Fortinet Discovery
Protocol” on page 64.
When a FortiGate administrator selects Automatic Discovery, the FortiGate unit sends
FDP packets to locate FortiAnalyzer units on the same subnet. If FDP has been enabled
for its interface to that subnet, the FortiAnalyzer unit will respond. Upon receiving an FDP
response, the FortiGate unit knows the IP address of the FortiAnalyzer unit, and the
administrator can configure the FortiGate unit to begin sending log, DLP archive, and/or
quarantine data to that IP address. When the FortiGate unit attempts to send data to the
FortiAnalyzer unit, the FortiAnalyzer unit detects the connection attempt.
Connection attempts from devices not registered with the FortiAnalyzer unit’s device list
may not be automatically accepted. In this case, you may need to manually add the device
to the device list. For more information, see “Configuring unregistered device options” on
page 131.
For a diagram of traffic types, ports and protocols that FortiAnalyzer units use to
communicate with other devices and services, see the Knowledge Base article Traffic
Types and TCP/UDP Ports used by Fortinet Products.
To enable the FortiAnalyzer unit to reply to FDP packets
1 Go to System > Network > Interface.
2 Select Edit for the network interface that should reply to FDP packets.
3 Enable Fortinet Discovery Protocol.
4 Select OK.
The FortiAnalyzer unit is now configured to respond to FDP packets on that network
interface, including those from FortiGate units’ Automatic Discovery feature. For more
information about connecting the FortiGate unit using FDP, see “To connect a
FortiGate unit to a FortiAnalyzer unit using FDP” on page 130.
To connect a FortiGate unit to a FortiAnalyzer unit using FDP
This procedure is based on the FortiOS v4.0 MR2 release and may change in future
releases.
On the FortiGate unit CLI, enter
config log fortianalyzer setting
set address-mode auto-discovery
end
The FortiGate unit sends FDP packets to other hosts on the FortiGate unit’s subnet. If
a FortiAnalyzer unit exists on the subnet and is configured to reply to FDP packets, it
sends a reply.
If your FortiGate unit is connecting to a FortiAnalyzer unit from another network, such
as through the Internet or through other firewalls, this may fail to locate the
FortiAnalyzer unit, and you may need to configure an IPSec VPN tunnel to facilitate the
connection. For more information and examples, see the Fortinet Knowledge Base
article Sending remote FortiGate logs to a FortiAnalyzer unit behind a local FortiGate
unit.
For more information about configuring FortiGate unit quarantining, DLP archiving,
and/or remote logging, see the FortiGate Administration Guide.
Note: Due to the nature of connectivity for certain high availability (HA) modes, full DLP
archiving and quarantining may not be available for FortiGate units in an HA cluster. For
more information, see the FortiGate HA Overview.
Unregistered Device Options apply to all device types attempting to connect, not just
FortiGate units.
Configuring unregistered device options
You can configure the FortiAnalyzer unit to accept and handle connection attempts from
Fortinet devices (known devices) or generic Syslog devices (unknown devices)
automatically.
To configure device connection attempt handling, go to Devices > All Devices >
Unregistered Options.
Figure 60: Unregistered Device Options

Name of the GUI item      Description

Known Device Types (FortiGate, FortiManager, FortiClient, FortiMail)

Ignore connection and log data
  Select to deny any connection attempts and log-sending to the FortiAnalyzer unit from Fortinet devices.
  Note that this option does not apply to manually added devices. For more information on adding a device manually, see “Manually adding or deleting a device or HA cluster” on page 127.

Allow connection, add to unregistered table, but ignore log data
  Select to allow the devices to connect but list them as unregistered devices. The FortiAnalyzer unit will ignore any logs sent from the devices until you manually register them.

Allow connection, register automatically, and store up to n MB data (<sequential_number> MB available)
  Select to allow the connection and automatically register the devices. The FortiAnalyzer unit will store a specified amount of log data from the devices.

Unknown Device Type (Generic Syslog Devices)

Ignore all unknown unregistered devices
  Select to deny any connection attempts from all unknown Syslog devices.
  Note that this option does not apply to manually added devices. For more information on adding a device manually, see “Manually adding or deleting a device or HA cluster” on page 127.

Add unknown unregistered devices to unregistered table, but ignore data
  Select to list unknown Syslog devices as unregistered devices and ignore any logs sent from these devices.

Add unknown unregistered devices to unregistered table, and store up to n MB data (<sequential_number> MB available)
  Select to list unknown devices as unregistered, and allow the FortiAnalyzer unit to store a specified amount of log data from these devices. The default amount of storage space is 1,000 MB.
  The available MB of data is determined by how much is currently available on your FortiAnalyzer unit, which fluctuates and is never a fixed number.
Note: Many FortiAnalyzer features are not available for unregistered devices of unknown
types. For more information about the differences between unregistered and registered
devices, see “Unregistered vs. registered devices” on page 124.
Both registered and unregistered devices count towards the maximum number of devices
available for a FortiAnalyzer unit. Too many unregistered devices will prevent you from
adding a device. For more information, see “Manually adding or deleting a device or HA
cluster” on page 127.
When devices attempt to connect to a FortiAnalyzer unit that has reached its maximum
number of allowed devices, the FortiAnalyzer unit will reject connection attempts by excess
devices, and automatically add those excess devices to the list of blocked devices. For
more information about blocked devices, see “Blocking unregistered device connection
attempts” on page 132.
Blocking unregistered device connection attempts
FortiAnalyzer units support a maximum number of devices, including registered and
unregistered devices combined. For more information, see “FortiAnalyzer device limits” on
page 125. Blocking unregistered devices prevents them from being able to connect to the
FortiAnalyzer unit and therefore can free up spots on the unit.
Devices may automatically appear on your list of blocked devices. This can occur when
devices attempt to connect after the maximum number of allowed devices has been
reached.
To view, delete, or unblock blocked devices, go to Devices > All Devices > Blocked.
Figure 61: Blocked devices

Name of the GUI item      Description

Unblock
  Register a selected device to the FortiAnalyzer unit’s device list.
  When the Register Device page appears, enter a name for the device, and modify other settings if required. Select OK. The device appears in the Allowed device list.
  For more information on registering a device, see “Manually adding or deleting a device or HA cluster” on page 127.

Delete
  Remove a selected device from the list of blocked devices. If the device attempts to connect to the FortiAnalyzer unit, it may appear in the device list as an unregistered device, according to your configuration of Unregistered Device Options. For more information, see “Configuring unregistered device options” on page 131.

Device ID
  The unique ID or serial number of the blocked device.

Hardware Model
  The type of device, such as FortiGate, FortiManager, FortiMail, or Syslog server.

IP Address
  The IP address of the blocked device.
To block a device
1 Go to Devices > All Devices > Allowed.
2 At the bottom of the page, from Show, select Unregistered.
3 Mark the check box of the unregistered device that you want to block, then click Block.
The device appears in the blocked devices list (Devices > All Devices > Blocked).
Configuring device groups
When you have multiple devices belonging to a department or section of your
organization, you may want to create device groups to simplify log browsing or report
configuration.
A device can belong to multiple groups; however, the device cannot be deleted from the
device list until it is removed from all groups.
To view device groups, go to Device > Group > Device Group.
Figure 62: Device groups

Name of the GUI item      Description

Show
  Select the device group type to display, such as FortiGate, FortiManager, FortiMail or Syslog groups.

Group Name
  The name of the device group.

Members
  The names of devices that belong to the device group.
To configure a device group
1 Go to Device > Group > Device Group.
2 Select Create New to configure a new device group, or select the Edit icon to
reconfigure an existing device group.
Name of the GUI item      Description

Group Name
  Enter a name for the device group.

Group Type
  Select the device group type that you want to create. You can choose FortiGate Group, FortiMail Group, FortiManager Group, and Syslog Group. When you select a group type, the devices that are available to that group appear in the Available Devices field.
  FortiClient installations are treated as a single device, and so cannot be configured as a device group.

Available Devices
  The available devices for the group type you select in Group Type. Select a device and then use the -> arrow to move it to the Members field.

Members
  The devices that are available in the group you are creating. If you want to remove a device from the Members field, select the device and then select the <- arrow to remove it.
3 Select OK.
Classifying FortiGate network interfaces
After a FortiGate unit is added to the FortiAnalyzer unit, you need to assign each FortiGate
network interface to a network interface class (None, LAN, WAN, or DMZ) based on your
FortiGate network interface usage. Traffic between classes determines traffic flow
directionality for reports.
Through the FortiAnalyzer CLI command config log device, you can classify network
interfaces and VLAN subinterfaces according to their connections in your network
topology. Functionally classifying the device’s network interfaces and VLAN subinterfaces
as None, LAN, WAN or DMZ indirectly defines the directionality of traffic flowing between
those network interfaces. For example, FortiAnalyzer units consider log messages of
traffic flowing from a WAN class interface to a LAN or DMZ class interface to represent
incoming traffic.
Some report types for FortiGate devices include traffic direction — inbound or outbound
traffic flow. When the FortiAnalyzer unit generates reports involving traffic direction, the
FortiAnalyzer unit compares values located in the source and destination interface fields
of the log messages with your defined network interface classifications to determine the
traffic directionality.
The table below illustrates the traffic directionality derived from each possible combination
of source and destination interface class.
For more information on classifying FortiGate network interfaces, see the FortiAnalyzer
CLI Reference.
Table 5: Traffic directionality by class of the source and destination interface

Source interface class   Destination interface class   Traffic direction
None                     All types                     Unclassified
All types                None                          Unclassified
WAN                      LAN, DMZ                      Incoming
WAN                      WAN                           External
LAN, DMZ                 LAN, DMZ                      Internal
LAN, DMZ                 WAN                           Outgoing

Example:
Your FortiGate unit has four interfaces: port 1 to 4. Port 1 is connected to WAN; Port 2 and Port 3 are connected to LAN; and Port 4 is connected to DMZ.
In this case, traffic from Port 1 (WAN) to Port 2 (LAN) is considered as incoming, while traffic from Port 2 to Port 1 is considered outgoing.
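The rules of Table 5 and the four-port example above, as an added worked example that is not part of the guide and not Fortinet's software. The Python below encodes the table as a lookup and applies it to constructed log records whose srcintf/dstintf fields name the FortiGate ports. The INTERFACE_CLASS mapping is the example's port1 to port4 assignment; the fifth, unclassified port and the log records themselves are assumptions made for illustration.

```python
"""Traffic directionality from interface classes (added example, not Fortinet code).

Implements Table 5 of the guide as a lookup and applies it to constructed
FortiGate-style log records. The port-to-class mapping is the four-port example
from the text; "port5" and the records are constructed for illustration.
"""

VALID_CLASSES = {"None", "LAN", "WAN", "DMZ"}

# Classification for the worked example: port1 on WAN, port2/port3 on LAN, port4 on DMZ.
# "port5" is an extra interface left as "None" (assumption) to exercise the Unclassified rows.
INTERFACE_CLASS = {
    "port1": "WAN",
    "port2": "LAN",
    "port3": "LAN",
    "port4": "DMZ",
    "port5": "None",
}


def direction(src_class: str, dst_class: str) -> str:
    """Return the traffic direction for a source/destination class pair (Table 5)."""
    for c in (src_class, dst_class):
        if c not in VALID_CLASSES:
            raise ValueError(f"unknown interface class: {c!r}")
    if src_class == "None" or dst_class == "None":
        return "Unclassified"
    # LAN and DMZ behave identically in the table; WAN is the only distinct class.
    src_wan = src_class == "WAN"
    dst_wan = dst_class == "WAN"
    if src_wan and dst_wan:
        return "External"
    if src_wan:
        return "Incoming"
    if dst_wan:
        return "Outgoing"
    return "Internal"


def classify_log(record: dict, iface_class: dict = INTERFACE_CLASS) -> str:
    """Derive the direction of one log record from its srcintf/dstintf fields.

    An interface that was never classified is treated as "None", so its traffic
    stays Unclassified instead of being guessed.
    """
    src = iface_class.get(record["srcintf"], "None")
    dst = iface_class.get(record["dstintf"], "None")
    return direction(src, dst)


def direction_counts(records) -> dict:
    """Tally directions over an iterable of log records (what a report would aggregate)."""
    counts: dict = {}
    for rec in records:
        d = classify_log(rec)
        counts[d] = counts.get(d, 0) + 1
    return counts


# Constructed sample traffic log records (field names follow FortiGate's srcintf/dstintf).
SAMPLE_LOGS = [
    {"srcintf": "port1", "dstintf": "port2"},  # WAN -> LAN: Incoming
    {"srcintf": "port2", "dstintf": "port1"},  # LAN -> WAN: Outgoing
    {"srcintf": "port2", "dstintf": "port4"},  # LAN -> DMZ: Internal
    {"srcintf": "port1", "dstintf": "port1"},  # WAN -> WAN: External
    {"srcintf": "port5", "dstintf": "port2"},  # source classified as None
    {"srcintf": "port3", "dstintf": "port9"},  # destination never classified
]

if __name__ == "__main__":
    for rec in SAMPLE_LOGS:
        print(rec["srcintf"], "->", rec["dstintf"], ":", classify_log(rec))
    print(direction_counts(SAMPLE_LOGS))
```

The last two sample records show the caveat that matters for reporting: any interface left as None, or never classified at all, puts its traffic in the Unclassified row, so inbound/outbound figures silently exclude it. Check the config log device classification of every interface and VLAN subinterface before relying on direction-based reports.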
Log & Archive
The Log & Archive menu displays log messages and DLP archives from both other
devices and the FortiAnalyzer unit itself.
Note: FortiAnalyzer units cannot display logs from unregistered devices of unknown types.
Add the device first to view the logs of an unknown type device. For more information about
adding a device to the device list, see “Configuring connections with devices & their disk
space quota” on page 121.
You may need to reschedule the time when logs are rolled because log file size is now
reduced. For example, log files that are rolled every two months now need to be rolled
every four months. Fortinet recommends upgrading both the FortiGate and FortiAnalyzer
units to 4.0 MR1 firmware and later to take full advantage of this feature.
This topic includes:
• Viewing log messages
• Browsing log files
• Backing up logs and archived files
• Configuring rolling and uploading of devices’ logs
• Using eDiscovery
Viewing log messages
Log & Archive > Log Access displays logs for devices that were added to the device list,
as well as the FortiAnalyzer unit itself.
Note: FortiGate units send log messages to the FortiAnalyzer unit only after a session is
closed. All real-time log messages you view on the FortiAnalyzer unit therefore do not
reflect the real-time activities on the FortiGate units.
You can view log messages from all devices or a particular device in real-time or within a
specified time frame.
For more information about log messages from FortiGate units, see the FortiGate Log
Message Reference.
To view all log messages, go to Log & Archive > Log Access > All Logs.
Note: The columns that appear reflect the content found in the log file. You can select an
item in a column to display more information.
Figure 63: All device logs (callouts: Column Settings, Printable Version, Download Current View, Realtime Log, Search, Current page)

Name of the GUI item      Description

Show
  Select the type of device you want to view logs from. You can select multiple devices.

Timeframe
  Select the time frame during which you want to display the logs.

Realtime Log
  Click to view the real-time device log messages.
  After selecting Realtime Log, the Historical Log icon appears. Select it to go back to view logs within a specified time frame.

Column Settings
  Click to change the columns to view and the order they appear on the page. For more information, see “Displaying and arranging log columns” on page 141.

Printable Version
  Click to download an HTML file containing all log messages that match the current filters. The HTML file is formatted to be printable.
  Time required to generate and download large reports varies by the total amount of log messages, the complexity of any search criteria, the specificity of your column filters, and the speed of your network connection.

Download Current View
  Click to download log files in text (.txt), comma-separated value (.csv), or standard .log (Native) file format. You can also select to compress the log files in gzipped format before uploading to the server. The downloaded version will match the current log view, containing only log messages that match your current filter settings.

Search
  Enter a keyword to perform a simple search on the available log information, then press the Enter key to begin the search.

Advanced Search
  Select to search the device logs for matching text using two search types: Quick Search and Full Search. For more information, see “Searching the logs” on page 144.

Last Activity
  The date and time the log was received by the FortiAnalyzer unit.

Device ID
  The ID of the device that sent the log.

Type
  The log type.

Level
  The severity level of the log.

Timestamp
  The date and time when events occurred on the devices that sent the logs.

Details
  The detailed information of the log.

View n per page
  Select the number of rows of log entries to display per page. You can choose up to 1000 entries.

Current Page
  Enter a page number, then press Enter to go to the page.

Change Display Options
  Select a view of the log file. Selecting Formatted (the default) displays the log files in columnar format. Selecting Raw displays the log information as it actually appears in the log file.
Note: Log messages that are received from a log aggregation device are scheduled
transfers, and not real-time messages, because log aggregation devices do not appear in
the Real-time log page. Individual high availability (HA) cluster members also do not appear
in the Real-time log page because HA members are treated as a single device. For more
information about log aggregation, see “Configuring log aggregation” on page 98.
To view a type of log, go to Log & Archive > Log Access and select a log type:
Note: The columns that appear reflect the content found in the log file. You can select an
item in a column to display more information.
• Traffic: record all traffic to and through the interfaces on a device.
• Event: record all event activities such as an administrator adding a firewall policy on a FortiGate unit.
• IPS (Attack): record all attacks that occur against your network. These log messages also contain links to the Fortinet Vulnerability Encyclopedia where you can better assess the attack.
• Application Control: record the application traffic generated by the applications on the device.
• Web Filter: record HTTP device log rating errors, including web content blocking actions that the device performs.
• AntiVirus: record virus incidents in Web, FTP, and email traffic.
• Data Leak (DLP): provide information concerning files, such as email messages and web pages, that are archived on the FortiAnalyzer unit by the device.
• VoIP: provide information on VoIP traffic on the device.
  By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.
• Email Filter: record IMAPS, POP3S, and SMTPS email traffic.
• Network Scan: record the vulnerability scan activities on the device.
• History: record all mail traffic going through the FortiMail unit.
  By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.
• IM: record instant message text, audio communications, and file transfers attempted by users.
  By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.
• Generic Syslog: record syslog server activities.
  By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.
Note: When selecting Change Display Options for some log types, Resolve Host Name,
Resolve Services, or both may appear in addition to Formatted and Raw.
Resolve Host Name: Select to display recognizable device names rather than IP
addresses. For more information about configuring IP address host names, see
“Configuring IP aliases” on page 102.
Resolve Services: Select to display the network service names rather than the port
numbers, such as HTTP rather than port 80.
Customizing the log view
Log messages can be displayed in either Raw or Formatted view.
• Raw view displays log messages exactly as they appear in the log file.
• Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison. When displaying log messages in Formatted view, you can customize the log view by hiding, displaying and arranging columns and/or by filtering columns, refining your view to include only those log messages and fields that you want to see.
To display logs in Raw or Formatted view, go to a page that displays log messages, such
as Log & Archive > Log Access > All Logs, and select Change Display Options >
Raw/Formatted at the bottom of the page. By default, log messages appear in Formatted
view.
Figure 64: Change display options
If you select Formatted, options appear that enable you to display and arrange log
columns and/or filter log columns.
Displaying and arranging log columns
When viewing logs in Formatted view, you can display, hide and re-order columns to
display only relevant categories of information in your preferred order.
For most columns, you can also filter data within the columns to include or exclude log
messages which contain your specified text in that column. For more information, see
“Filtering logs” on page 142.
To display or hide columns
1 Go to a page which displays log messages, such as Log & Archive > Log Access > All
Logs.
2 Select Column Settings.
Lists of available and displayed columns for the log type appear.
3 Select which columns to hide or display.
• In the Available Fields area, select the names of individual columns you want to
display, then select the single right arrow to move them to the Display Fields area.
Alternatively, to display all columns, select the double right arrow.
• In the Display Fields area, select the names of individual columns you want to hide,
then select the single left arrow to move them to the Available Fields area.
Alternatively, to hide all columns, select the double left arrow.
• To return all columns to their default displayed/hidden status, select Default.
4 Select OK.
To change the order of the columns
1 Go to a page which displays log messages, such as Log & Archive > Log Access > All
Logs.
2 Select Column Settings.
Lists of available and displayed columns for the log type appear.
3 In the Display Fields area, select a column name whose order of appearance you want
to change.
4 Select the up or down arrow to move the column in the ordered list.
Placing a column name towards the top of the Display Fields list will move the column
to the left side of the Formatted log view.
5 Select OK.
Filtering logs
When viewing log messages in Formatted view, you can filter columns to display only
those log messages that do or do not contain your specified content in that column. By
default, most column headings contain a gray filter icon, which becomes green when a
filter is configured and enabled.
Filters do not appear when viewing logs in Raw view, or for unindexed log fields in
Formatted view. When you are viewing real-time logs, filtering by time is not supported; by
definition of the real-time aspect, only current logs are displayed.
You can download filtered logs when you select Download Current View.
Figure 65: Filter icons (callouts: Filter, Filter in use, Download Current View)
To filter log messages by column contents
1 In the heading of the column that you want to filter, select the filter icon to open the log
filtering window.
2 Select Enable.
3 If you want to exclude log messages with matching content in this column, select NOT.
If you want to include log messages with matching content in this column, deselect
NOT.
4 Enter the text that matching log messages must contain.
Matching log messages will be excluded or included in your view based upon whether
you have selected or deselected NOT.
5 Select OK.
A column’s filter icon is green when the filter is currently enabled. You can select
Download Current View to download only log messages which meet the current filter
criteria.
To disable a filter
1 In the heading of the column whose filter you want to disable, select the filter icon.
A column’s filter icon is green when the filter is currently enabled.
2 To disable the filter on this column, deselect Enable.
Alternatively, to disable the filters on all columns, select Clear All Filters. This disables
the filter; it does not delete any filter text you might have configured.
3 Select OK.
A column’s filter icon is gray when the filter is currently disabled.
Filtering tips
When filtering by source or destination IP, you can use the following in the filtering criteria:
• a single address (2.2.2.2)
• an address range using a wild card (1.2.2.*)
• an address range (1.2.2.1-1.2.2.100)
You can also use a Boolean operator (or) to indicate mutually exclusive choices:
• 1.1.1.1 or 2.2.2.2
• 1.1.1.1 or 2.2.2.*
• 1.1.1.1 or 2.2.2.1-2.2.2.10
Most column filters require that you enter the column’s entire contents to successfully
match and filter contents; partial entries do not match the entire contents, and so will not
create the intended column filter.
For example, if the column contains a source or destination IP address (such as
192.168.2.5), to create a column filter, enter the entire IP address to be matched. If you
enter only one octet of the IP address, (such as 192) the filter will not completely match
any of the full IP addresses, and so the resulting filter would omit all logs, rather than
including those logs whose IP address contains that octet.
Exceptions to this rule include columns that contain multiple words or long strings of text,
such as messages or URLs. In those cases, you may be able to filter the column using a
substring of the text contained by the column, rather than the entire text contained by the
column.
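The filter criteria listed above, as an added example that is not part of the guide and not Fortinet's code. The Python models an IP column filter with the four accepted forms (a single address, a wild-card range, an explicit range and "or"-separated alternatives) and the NOT toggle of the filtering window, and it matches against the whole column value, so a partial entry such as 192 selects nothing, as described for the 192.168.2.5 case. Allowing the wild card in any octet position rather than only the last is a generalization of the 1.2.2.* form shown; the sample rows are constructed.

```python
"""Column filter semantics for IP address columns (added example, not Fortinet code).

Models the filter criteria the guide lists for source/destination IP columns:
a single address, a wild-card range (1.2.2.*), an explicit range
(1.2.2.1-1.2.2.100) and "or"-separated alternatives, plus the NOT toggle.
Matching is against the whole column value, which is why a lone octet such as
"192" matches nothing. The sample rows are constructed.
"""
import ipaddress
import re

_OCTET = r"(\d{1,3}|\*)"
_WILD_RE = re.compile(rf"^{_OCTET}\.{_OCTET}\.{_OCTET}\.{_OCTET}$")


def _as_ip(text: str):
    """Parse a dotted quad; return None if the text is not a complete IPv4 address."""
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None


def _match_one(criterion: str, value: str) -> bool:
    """Does a single (non-"or") criterion match the whole column value?"""
    criterion = criterion.strip()
    ip = _as_ip(value)
    if ip is None:
        return False  # the column does not hold a complete address
    if "-" in criterion:  # explicit range: a.b.c.d-w.x.y.z
        lo, hi = (_as_ip(p.strip()) for p in criterion.split("-", 1))
        return lo is not None and hi is not None and lo <= ip <= hi
    m = _WILD_RE.match(criterion)
    if m is None:
        return False  # partial entries such as "192" never match a full address
    if "*" not in criterion:  # single address
        return ip == _as_ip(criterion)
    # Wild card: "*" stands for any value in that octet position. The guide shows the
    # last-octet form (1.2.2.*); accepting "*" in any position is a generalization.
    for want, got in zip(m.groups(), value.split(".")):
        if want != "*" and int(want) != int(got):
            return False
    return True


def ip_filter_matches(criteria: str, value: str, negate: bool = False) -> bool:
    """Evaluate an IP column filter: 'or'-separated alternatives, optionally NOT-ed."""
    alternatives = re.split(r"\s+or\s+", criteria.strip(), flags=re.IGNORECASE)
    hit = any(_match_one(alt, value) for alt in alternatives)
    return not hit if negate else hit


def apply_filter(rows, column: str, criteria: str, negate: bool = False) -> list:
    """Return the rows whose column value satisfies the filter (the 'current view')."""
    return [r for r in rows if ip_filter_matches(criteria, r.get(column, ""), negate)]


# Constructed log rows with a source IP column.
SAMPLE_ROWS = [
    {"src": "192.168.2.5", "msg": "allow"},
    {"src": "192.168.2.77", "msg": "deny"},
    {"src": "10.0.0.9", "msg": "allow"},
    {"src": "2.2.2.2", "msg": "deny"},
]

if __name__ == "__main__":
    print(apply_filter(SAMPLE_ROWS, "src", "192.168.2.*"))
    print(apply_filter(SAMPLE_ROWS, "src", "192"))  # empty: a partial octet never matches
    print(apply_filter(SAMPLE_ROWS, "src", "2.2.2.2 or 10.0.0.1-10.0.0.20"))
    print(apply_filter(SAMPLE_ROWS, "src", "192.168.2.*", negate=True))
```

When a filter unexpectedly empties the view, the second call above is the usual cause: the entered text is a fragment of the column value rather than one of the accepted address forms.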
Searching the logs
When viewing device logs and archived files, you may find that some of them have a
button called Advanced Search. You can use the button to search the device’s log files for
matching text using two search types: Quick Search and Full Search. For more
information, see “Viewing log messages” on page 137 and “Viewing DLP archives” on
page 147.
You can use Quick Search to find results more quickly if your search terms are relatively
simple and you only need to search indexed log fields. Indexed log fields are those that
appear with a filter icon when browsing the logs in column view; unindexed log fields do
not contain a filter icon for the column or do not appear in column view but do appear in
the raw log view. Quick Search keywords cannot contain:
• special characters such as single or double quotes (' or ") or question marks (?)
• wild card characters (*), except as the last character of a keyword (logi*)
You can use Full Search if your search terms are more complex, and require the use of
special characters or log fields not supported by Quick Search. Full Search performs an
exhaustive search of all log fields, both indexed and unindexed, but is often slower than
Quick Search.
You can stop any search before the search is complete by selecting Stop Search beside
Full Search.
Figure 66: Log search

Name of the GUI item      Description

Device/Group
  Select to search logs from the FortiAnalyzer unit (Local Logs), a device, or a device group.

Time Period
  Select to search logs from a time frame, or select Specify and define a custom time frame by selecting the From and To date times.

From
  Enter the date (or use the calendar icon) and time of the beginning of the custom time range.
  This option appears only when you select Specify.

To
  Enter the date (or use the calendar icon) and time of the end of the custom time range.
  This option appears only when you select Specify.

Keyword(s)
  Enter search terms which will match to yield log message search results. To specify that results must include all, any, or none of the keywords, select these options in Match.

Quick Search
  Select to perform a quick search. Keywords for a quick search cannot contain special characters. Quick Search examines only indexed fields.

Full Search
  Select to perform a full search. Keywords for a full search may contain special characters. Full Search examines all log message fields.

Stop Search
  Select to stop the search before it is completed. This option is grayed out unless there is a search in progress.

More Options
  Select the Expand Arrow to hide or expand additional search options.

Match
  Select how keywords are used to match log messages which comprise search results.
  • All Words: Select to require that matching log messages must contain all search keywords. If a log message does not contain one or more keywords, it will not be included in the search results.
  • Any Words: Select to require that matching log messages must contain at least one of the search keywords. Any log message containing one or more keyword matches will be included in the search results.
  • Does Not Contain the Words: Select to require that matching log messages must not contain the search keywords. If a log message contains any of the search keywords, it will be excluded from the search results.

Other Filters
  Specify additional criteria, if any, that can be used to further restrict the search criteria.
  • Log Type: Select to include only log messages of the specified type. For example, selecting Traffic would cause search results to include only log messages containing type=traffic.
  • Log Level: Select to include only log messages of the specified severity level. For example, selecting Notice would cause search results to include only log messages containing pri=notice.
  • Source IP: Enter an IP address to include only log messages containing a matching source IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing src=192.168.2.1 and/or content log messages containing a client IP address of 192.168.2.1.
  • Destination IP: Enter an IP address to include only log messages containing a matching destination IP address. For example, entering 192.168.2.1 would cause search results to include only log messages containing dst=192.168.2.1 and/or content log messages containing a server IP address of 192.168.2.1.
  • User Name: Enter a user name to include only log messages containing a matching authenticated firewall user name. For example, entering userA would cause search results to include only log messages containing user="userA".
  • Group Name: Enter a group name to include only log messages containing a matching authenticated firewall group name. For example, entering groupA would cause search results to include only log messages containing group="groupA".
Search tips
If your search does not return the results you expect, but log messages exist that should
contain matching text, examine your keywords and filter criteria using the following search
characteristics and recommendations.
• Separate multiple keywords with a space (type=webfilter subtype=activexfilter).
• Keywords cannot contain unsupported special characters. Supported characters vary by selection of Quick Search or Full Search.
• Keywords must literally match log message text, with the exception of case insensitivity and wild cards; resolved names and IP aliases will not match.
• Some keywords will not match unless you include both the log field name and its value (type=webfilter).
• Remove unnecessary keywords and search filters which can exclude results. In More Options, if All Words is selected, for a log message to be included in the search results, all keywords must match; if any of your keywords do not exist in the message, the match will fail and the message will not appear in search results. If you cannot remove some keywords, select Any Words.
• You can use the asterisk (*) character as a wild card (192.168.2.*). For example, you could enter any partial term or IP address, then enter * to match all terms that have identical beginning characters or numbers.
• You can search for IP ranges, including subnets. For example:
  • 172.16.1.1/24 or 172.16.1.1/255.255.255.0 matches all IP addresses in the subnet 172.16.1.1/255.255.255.0
  • 172.16.1.1-140.255 matches all IP addresses from 172.16.1.1 to 172.16.140.255
• You can search for URLs in multiple ways, using part or all of the URL. Searching for the full URL may not return enough results if the URL contains random substrings, such as session IDs. If your search keywords do not return enough results, try one of the following:
  • Full Search
  • shortening your keyword to the smallest necessary substring of the URL
  • shortening your keyword to a substring of the URL delimited by slash (/) characters
• The search returns results that match all, any, or none of the search terms, according to the option you select in Match.
  For example, if you enter into Keyword(s):
    192.168.* action=login
  and if from Match you select All Words, log messages for attacks on 192.168.* by W32/Stration.DU@mm do not appear in the search results, since although the first keyword (the IP address) appears in those attack log messages, the second keyword (action=login) does not appear, and so the match fails. If the match fails, the log message is not included in the search results.
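The Quick Search keyword rules and the Match option, as an added example that is not part of the guide and not Fortinet's software. validate_quick_search() checks keywords against the Quick Search restrictions listed under “Searching the logs”; search() applies space-separated keywords to constructed raw log lines with All Words, Any Words and Does Not Contain the Words semantics, and reproduces the 192.168.* action=login case above. Treating a bare value (webfilter) as matching its field=value token is an assumption of this model, as are the sample lines themselves.

```python
"""Quick Search keyword rules and the Match option (added example, not Fortinet code).

validate_quick_search() applies the keyword restrictions the guide lists for Quick
Search: no single or double quotes or question marks, and a wild card (*) only as
the last character of a keyword. search() matches space-separated keywords
literally (case-insensitively, trailing wild card allowed) against raw log lines
and combines them as All Words, Any Words or Does Not Contain the Words. The raw
log lines are constructed; their field names follow the type=/pri=/src= style the
guide quotes.
"""
import fnmatch

_FORBIDDEN = set("'\"?")  # single quote, double quote, question mark


def validate_quick_search(keywords: str) -> list:
    """Return a list of problems; an empty list means Quick Search accepts the keywords."""
    problems = []
    for kw in keywords.split():
        bad = sorted(set(kw) & _FORBIDDEN)
        if bad:
            problems.append(f"{kw!r}: unsupported character(s) {bad}")
        if "*" in kw[:-1]:
            problems.append(f"{kw!r}: a wild card is allowed only as the last character")
    return problems


def _candidates(line: str) -> list:
    """Tokens a keyword can match: each field=value token and, for those, the bare value.

    Matching the bare value is an assumption of this model; the guide notes that some
    keywords only match when the field name is included (type=webfilter).
    """
    out = []
    for tok in line.lower().split():
        out.append(tok)
        if "=" in tok:
            out.append(tok.split("=", 1)[1].strip('"'))
    return out


def _keyword_hits(keyword: str, line: str) -> bool:
    """Literal, case-insensitive match; a trailing '*' matches any continuation."""
    kw = keyword.lower()
    cands = _candidates(line)
    if kw.endswith("*"):
        return any(fnmatch.fnmatchcase(c, kw) for c in cands)
    return kw in cands


def search(lines, keywords: str, match: str = "all") -> list:
    """Select lines by Match option: 'all' (All Words), 'any' (Any Words) or 'none'."""
    kws = keywords.split()
    if not kws:
        return list(lines)
    if match not in ("all", "any", "none"):
        raise ValueError(f"unknown match mode: {match!r}")
    selected = []
    for line in lines:
        hits = [_keyword_hits(k, line) for k in kws]
        keep = {"all": all(hits), "any": any(hits), "none": not any(hits)}[match]
        if keep:
            selected.append(line)
    return selected


# Constructed raw log lines in FortiGate key=value style.
SAMPLE_LINES = [
    'date=2010-12-03 time=10:00:01 type=traffic pri=notice src=192.168.2.1 dst=10.1.1.5 action=accept',
    'date=2010-12-03 time=10:00:02 type=event pri=information user="userA" action=login status=success',
    'date=2010-12-03 time=10:00:03 type=ips pri=alert src=192.168.2.7 dst=10.1.1.8 attack="Constructed.Test.Sig" action=detected',
    'date=2010-12-03 time=10:00:04 type=webfilter subtype=activexfilter pri=warning src=10.0.0.5 action=blocked',
]

if __name__ == "__main__":
    print(validate_quick_search('user="userA" lo*gin 192.168.*'))
    for mode in ("all", "any", "none"):
        print(mode, len(search(SAMPLE_LINES, "192.168.* action=login", mode)))
```

With All Words the example keywords select no line: the traffic and IPS lines carry the 192.168.* address but not action=login, and the login event carries no such address. Switching Match to Any Words returns all three, which is the "select Any Words" advice in the tips above in executable form.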
Viewing DLP archives
DLP archiving provides a method of simultaneously logging and archiving copies of content transmitted over your network, such as email messages and web pages.
FortiGate units can log metadata for common user content-oriented protocols. DLP logs include information such as the senders, recipients, and the content of email messages and files. If full DLP archiving is enabled, FortiGate units can also archive a copy of the associated file or message with the DLP log message. Both FortiGate DLP archive logs and their associated copies of files or messages can be stored and viewed remotely on a FortiAnalyzer unit, whose larger storage capacity suits the large media files that are common in multimedia content. When DLP archives are received by the FortiAnalyzer unit, you can use data filtering similar to other log files to track and locate specific email or instant messages, or to examine the contents of archived files.
For more information about how to configure the FortiGate unit to send DLP archives to
the FortiAnalyzer unit, see the FortiGate Administration Guide.
You can view DLP archives of these types:
• IPS Packet
• Quarantine
• Web
• Email
• FTP
• IM
• VoIP Log
• MMS (By default, this option is not available. To make it appear, you need to enable it in System > Admin > Settings.)
You can view full and/or summary DLP archives. Summary DLP archives are those which
contain only a log message consisting of summary metadata. Full DLP archives are those
which contain both the summary and a hyperlink to the associated archived file or
message. For example, if the FortiAnalyzer unit has a full DLP archive for an email
message, the subject log field of email DLP archives contains a link that enables you to
view that email message. If the FortiAnalyzer unit has only a DLP archive summary, the
subject field does not contain a link.
Whether or not each DLP archive will be full or summary varies by:
• whether the device is configured to send full DLP archives
• whether the content satisfies DLP archiving requirements
• whether the FortiAnalyzer unit has the file or message associated with the summary log message (that is, full DLP archives do not appear if you have deleted the associated file or message)
For more information about requirements and configuration of DLP archiving, see the
FortiGate Administration Guide.
To view DLP archives, go to Log & Archive > Archive Access. Select a DLP archive type.
Each type has similar controls.
Note: The columns that appear reflect the content found in the archive file. You can select
an item in a column to display more information.
Figure 67: Email archive
Name of the GUI item: Description

Show: To view the archives from a single FortiGate unit, select the FortiGate unit from the list. Select All FortiGates to view a combined list of archives from all the configured FortiGate units.

Timeframe: Select a time frame to display only the archived files from the specified period. Select Any time to display all the archived files.

Column Settings: Select to change the columns to view and the order they appear on the page. For more information, see “Displaying and arranging log columns” on page 141.
Note: This option is not available for the Quarantine type.

Printable Version: Select to download an HTML file containing all DLP archive summaries that match the current filters. The HTML file is formatted to be printable.
Time required to generate and download large reports varies by the total number of log messages, the complexity of any search criteria, the specificity of your column filters, and the speed of your network connection.
Note: This option is not available for the Quarantine type.

Download Current View: Select to download a copy of the archive log with the current filters applied. For example, if you have a filter applied to display only the entries with a particular URL, selecting Download Current View downloads a log file containing only the entries that match the URL in the filter.
Note: This option is not available for the Quarantine type.

Delete associated DLP archive files: Select to delete the archived files (the content linked from the summaries) for the currently selected device. The summary log records themselves are not deleted.
Note: This option is not available for the IPS Packet, Quarantine, and VoIP types.

Search: Enter a keyword to perform a simple search on the available archive information, then press the Enter key to begin the search.
Note: This option is not available for the Quarantine type.

View n per page: Select the number of log entries to display per page.

Current Page: Enter a page number, then press Enter to go to the page.

Change Display Options: Select a view of the archive file. This option is not available for the Quarantine type.
Resolve Host Name: Select to view the IP alias instead of the client’s IP address. You must configure the IP aliases on the FortiAnalyzer unit for this setting to take effect. For more information, see “Configuring IP aliases” on page 102. This option is not available for the Email type.
Resolve Services: Select to display the network service names rather than the port numbers, such as HTTP rather than port 80. This option is only available for the IPS Packet type.
Formatted (the default): Select to display the log files in columnar format.
Raw: Select to display the log information as it actually appears in the log file.
Note: DLP Archive allows you to both view logged details and to download the archived
files. If you want to display only the DLP archive log file, instead go to Log & Archive > Log
Browse > Log Browse and select the device’s dlog.log file. For more information, see
“Browsing log files” on page 152.
Viewing quarantined files
FortiAnalyzer units can act as a central repository for files that are suspicious or known to
be infected by a virus, and have therefore been quarantined by your FortiGate units. This
section describes how to view quarantined files.
If a secure connection has been established between the FortiGate unit and the FortiAnalyzer unit, quarantined files are sent over the same IPSec tunnel that the FortiGate unit uses when sending log files.
For more information about configuring the FortiGate unit to send quarantined files to the
FortiAnalyzer unit, see the FortiGate Administration Guide.
Note: Sending quarantine files to a FortiAnalyzer unit is available only on FortiGate units
running FortiOS 3.0 or later.
FortiAnalyzer units do not accept quarantine files from devices that are not registered with
the FortiAnalyzer unit’s device list. For more information about adding devices, see
“Manually adding or deleting a device or HA cluster” on page 127.
To view the quarantine summary, go to Log & Archive > Archive Access > Quarantine.
Figure 68: Quarantine summary
Name of the GUI item: Description

Delete: Select to remove the selected quarantined file summary of this device and all quarantined files under it from the hard disk.
Details: Select to view the quarantined files for this device. For more information, see “To view the details of a quarantined file” on page 150.
Show: Select a device from the list of available devices to display the list of quarantined files for a specific device.
Timeframe: Select a span of time when quarantined files were sent to the FortiAnalyzer unit.
From Device: The FortiGate unit from which the file originated. Select the expand arrow next to a FortiGate unit to view the files sent from that unit.
Type: The type of quarantined file. For example, an infected file is quarantined because a virus is detected. A blocked file is quarantined because the file matches a defined file pattern. The Reason field offers additional detail.
Reason: The reason a file is quarantined. This elaborates on the information in the Type field. For example, if the Type is listed as Infected, the virus name appears in the Reason field.
First Detection Time: The date and time the FortiGate unit quarantined the first instance of this file, in the format yyyy/mm/dd hh:mm:ss.
Last Detection Time: The date and time the FortiGate unit quarantined the last instance of this file, in the format yyyy/mm/dd hh:mm:ss, if multiple copies of this file are quarantined.
Unique: The number of distinct quarantined files from this device.
Count: The number of duplicates of the same file that are quarantined. A rapidly increasing number can indicate a virus outbreak.
To view the details of a quarantined file
1 Go to Log & Archive > Archive Access > Quarantine.
2 Select Details for a file.
Name of the GUI item: Description

Delete: Select to remove files whose check boxes are selected.
• To delete one or more files, select the check box next to their file name, then select Delete.
• To delete all files, select the column heading check box. All files’ check boxes are selected; then select Delete.

Download: Select to save the file to another location when it is deemed safe for the recipient to collect. You can enter a password to protect the file.
Caution: Quarantined files are suspected or known to contain a virus or other network threat. Inspecting quarantine files involves a significant security risk. Use caution when downloading quarantined files, and download them to an isolated analysis host rather than an ordinary workstation.

Details: Select to view the log for this quarantined file. For information on viewing logs, see “Viewing log messages” on page 137.

Analyze: Select to analyze a .sis file using the SIS Analyzer. This option is only available if there is a quarantined .sis file.

Refresh: Select to update the current page.

From Device: The FortiGate unit from which the file originated.

File Name: The processed file name of the quarantined file.

First Detection Time: The date and time the FortiGate unit quarantined the first instance of this file, in the format yyyy/mm/dd hh:mm:ss.

Last Detection Time: The date and time the FortiGate unit quarantined the last instance of this file, in the format yyyy/mm/dd hh:mm:ss, if multiple copies of this file are quarantined.

Service: The service by which the quarantined file was attempting to be transmitted, such as SMTP.

Checksum: A 32-bit checksum the FortiGate unit computed from the file. It is useful for spotting duplicates, but a 32-bit value is not a cryptographic fingerprint and is easily collided; compute a stronger hash of any file you download before using it as an indicator.

Type: The type of quarantined file. For example, an infected file is quarantined because a virus is detected. A blocked file is quarantined because the file matches a defined file pattern. The Reason field offers additional detail.

Reason: The reason a file is quarantined. This elaborates on the information in the Type field. For example, if the Type is listed as Infected, the virus name appears in the Reason field.

DC: Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
View n per page: Select the number of quarantine files to display per page.

Current Page: By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 2/10 appears, you are currently viewing page 2 of 10 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter.
Browsing log files
Log & Archive > Log Browse > Log Browse displays log files stored for both devices and
the FortiAnalyzer itself.
By default, this option is not available. To make it appear, you need to enable it in
System > Admin > Settings.
When a log file reaches its maximum size, or reaches the scheduled time, the
FortiAnalyzer rolls the active log file by renaming the file. The file name will be in the form
of xlog.N.log, where x is a letter indicating the log type and N is a unique number
corresponding to the time the first log entry was received.
For information about setting the maximum file size and log rolling options, see
“Configuring rolling and uploading of devices’ logs” on page 156.
If you display the log messages in Formatted view, you can display and arrange columns
and/or filter log messages by column contents. For more information, see “Customizing
the log view” on page 140.
For more information about log messages, see the FortiGate Log Message Reference and
“Viewing log messages” on page 137.
Figure 69: Log file list

Name of the GUI item: Description

Display: Mark the check box of the file whose log messages you want to view, then click this button. For more information, see “Viewing log messages” on page 137.

Import: Click to import log files. You can only import log files in Native format. For more information about importing log files, see “Importing a log file” on page 153.

Download: Mark the check box of the log file that you want to download, click this button, then select a format for saving the log files: text (.txt), comma-separated value (.csv), or standard .log (Native). You can also select to compress the log files before saving them. For more information, see “Downloading a log file” on page 154.

Device Type: Select the type of devices whose logs you want to view.

Show Log File Names: Enable to display the file names of log files in the Log Files column when their log type is expanded.

Log Files: A list of available log files for each device or device group. Click the group name to expand the list of devices within the group, and to view their log files.
The current, or active, log file appears as well as rolled log files. Rolled log files include a number in the file name, such as vlog.1267852112.log. If you configure the FortiAnalyzer unit to delete the original log files after uploading rolled logs to an FTP server, only the current log will exist.

#: The number of devices in a group, and the number of log files for a device.

From: The start of the period the log file covers.

To: The end of the period the log file covers.

Size (bytes): The size of the log file.
Importing a log file
You can import devices’ log files. This can be useful when restoring data or loading log
data for temporary use.
For example, if you have older log files from a device, you can import these logs to the
FortiAnalyzer unit so that you can generate reports containing older data. Importing log
files is also useful when changing your RAID configuration. Changing your RAID
configuration reformats the hard disk, erasing log files. If you back up the log files, after
changing the RAID configuration, you can import logs to restore them to the FortiAnalyzer
unit.
You can only import log files in Native format.
To import a log file
1 Go to Log & Archive > Log Browse > Log Browse.
2 Select the Device Type.
3 Expand the group name or device name to view the list of available log files under each
log type.
4 Select a log file in Native format and then select Import.
5 Select from Device to which device in the device list the imported log file belongs, or
select Take From Imported File to read the device ID from the log file.
If you select Take From Imported File, your log file must contain a device_id field in
its log messages.
6 In Filename, enter the path and file name of the log file, or select Browse.
7 Select OK.
A message appears, stating that the upload is beginning, but will be cancelled if you
leave the page.
8 Select OK.
Upload time varies by the size of the file and the speed of the connection.
After the log file successfully uploads, the FortiAnalyzer unit inspects the log file.
• If the device_id field in the uploaded log file does not match the device, the import
will fail. Select Return to attempt another import.
• If you selected Take From Imported File, and the FortiAnalyzer unit’s device list
does not currently contain that device, a message appears after the upload. Select
OK to import the log file and automatically add the device to the device list, or select
Cancel.
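The two conditions the unit applies after upload (a device_id field must be present in every message for Take From Imported File, and a device_id that disagrees with the device you chose from the list fails the import) can be checked before you start a long upload. The following is an added Python example written for this guide, not FortiAnalyzer code: the key=value tokenizer is a reasonable reading of the Native log format, the sample messages are constructed, and the second serial number is invented for the mismatch case.

```python
import re
from collections import Counter

# key=value tokenizer for Native-format messages; quoted values may contain spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample messages (not real FortiGate output). The first serial number is the
# one used in the guide's upload file name example; the second is invented.
SAMPLE_GOOD = [
    'date=2010-12-03 time=10:00:00 device_id=FG3K6A3406600001 type=traffic status=accept srcip=10.0.0.5 dstip=172.16.1.20',
    'date=2010-12-03 time=10:00:05 device_id=FG3K6A3406600001 type=traffic status=deny srcip=10.0.0.9 dstip=172.16.1.20',
    'date=2010-12-03 time=10:00:09 device_id=FG3K6A3406600001 type=event subtype=admin msg="User admin logged in"',
]
SAMPLE_MIXED = SAMPLE_GOOD + [
    'date=2010-12-03 time=10:00:12 device_id=FGT000000000002 type=traffic status=accept srcip=10.0.1.5 dstip=172.16.1.20',
]
SAMPLE_NO_ID = [
    'date=2010-12-03 time=10:00:00 type=traffic status=accept srcip=10.0.0.5 dstip=172.16.1.20',
]


def parse_native_line(line):
    """Split one Native-format message into a dict, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV_RE.findall(line)}


def check_import_file(lines, selected_device=None):
    """Pre-flight a log file against the checks the unit enforces after upload.

    take_from_file_ok: every message carries a device_id and they all agree, so
                       Take From Imported File can read the device from the file.
    matches_selected:  no message names a device other than the one you selected.
    """
    ids = Counter()
    missing = 0
    total = 0
    for line in lines:
        if not line.strip():
            continue
        total += 1
        device_id = parse_native_line(line).get('device_id')
        if device_id is None:
            missing += 1
        else:
            ids[device_id] += 1
    report = {
        'messages': total,
        'missing_device_id': missing,
        'device_ids': dict(ids),
        'take_from_file_ok': total > 0 and missing == 0 and len(ids) == 1,
    }
    if selected_device is not None:
        # A message without device_id cannot contradict the selection; a foreign id can.
        report['matches_selected'] = set(ids) <= {selected_device}
    return report


def check_import_path(path, selected_device=None):
    """Same check over a file on disk, streamed line by line."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return check_import_file(fh, selected_device)


if __name__ == '__main__':
    print(check_import_file(SAMPLE_GOOD))
    print(check_import_file(SAMPLE_MIXED, selected_device='FG3K6A3406600001'))
```

A file whose messages name two serial numbers fails both checks; one that carries no device_id at all can still be imported, but only by selecting the device from the list rather than by Take From Imported File.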
Downloading a log file
You can download a log file to save it as a backup or for use outside the FortiAnalyzer unit.
The download consists of either the entire log file, or a partial log file, as selected by your
current log view filter settings.
To download a whole log file
1 Go to Log & Archive > Log Browse > Log Browse.
2 Select the Device Type.
3 Expand the group name or device name to view the list of available log files under each
log type.
4 Select the specific log file (wlog.log, elog.log, etc.) that you want to download.
5 Select Download.
6 Select one of the following download options:
Log File format: Downloads the log in text (.txt), comma-separated value (.csv), or standard .log (Native) format. In the CSV format each log field is separated by a comma, so the file can be opened in spreadsheet applications.
Compress with gzip: Compress the .txt, .log, or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.
7 Select OK.
8 If prompted by your web browser, select a location to save the file, or open it without
saving.
To download a partial log file
1 Go to Log & Archive > Log Browse > Log Browse.
2 Select the Device Type.
3 Expand the group name or device name to view the list of available log files under each
log type.
4 Select the specific log file (wlog.log, elog.log, etc.) that you want to download.
5 Select Display.
6 Select a filter icon to restrict the current view to only items which match your criteria,
then select OK.
Filtered columns have a green filter icon, and Download Current View appears next to
Printable Version. For more information about filtering log views, see “Filtering logs” on
page 142.
7 Select Download Current View.
8 Select one of the following download options:
Log File Format: Downloads the log in text (.txt), comma-separated value (.csv), or standard .log (Native) format. In the CSV format each log field is separated by a comma, so the file can be opened in spreadsheet applications.
Compress with gzip: Compress the .txt, .log, or .csv file with gzip compression. For example, downloading a log-formatted file with gzip compression would result in a download with the file extension .log.gz.
9 Select OK.
10 If prompted by your web browser, select a location to save the file, or open it without
saving.
Backing up logs and archived files
To back up both logs and associated DLP archive files, enter the CLI command execute
backup logs. To back up logs only, enter execute backup logs-only. For more
information, see the FortiAnalyzer CLI Reference.
Configuring rolling and uploading of devices’ logs
You can control devices’ log file size and consumption of the FortiAnalyzer disk space by
configuring log rolling and/or scheduled uploads to a server.
Tip: You can also configure rolling and uploading settings for the FortiAnalyzer unit’s own
log files. For details, see the FortiAnalyzer CLI Reference.
As the FortiAnalyzer unit receives new log items, it performs the following tasks:
• verifies whether the log file has exceeded its file size limit
• if the file size is not exceeded, checks to see if it is time to roll the log file. You configure the time to be either a daily or weekly occurrence, and when the roll occurs.
When a current log file (for example, tlog.log) reaches its maximum size, or reaches the scheduled time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a letter indicating the log type and N is a unique number corresponding to the time the first log entry was received. The file modification time will match the time when the last log was received in the log file.
Once the current log file is rolled into a numbered log file, it will not be changed. New logs will be stored in the new current log called tlog.log.
If log uploading is enabled, once logs are uploaded to the remote server or downloaded
via the web-based manager, they are in the following format:
FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz
If you have enabled log uploading, you can choose to automatically delete the rolled log
file after uploading, thereby freeing the amount of disk space used by rolled log files. If the
log upload fails, such as when the FTP server is unavailable, the logs are uploaded during
the next scheduled upload.
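The naming scheme described above (xlog.N.log on the unit, SERIAL-xlog.N.log-YYYY-MM-DD-HH-MM-SS.gz once uploaded) and the size-then-schedule roll decision are worked through below in an added example. It is editor-written Python rather than FortiAnalyzer code. The guide only says that x is "a letter indicating the log type" and names tlog, elog, wlog, vlog and dlog, so the letter expansions in LOG_TYPES are assumptions; reading N as a Unix timestamp follows from the guide's statement that it corresponds to the time of the first entry; the time zone of the upload stamp and the exact way the unit anchors the next scheduled roll are not stated and are treated as assumptions in the comments.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed expansions: the guide only shows tlog, elog, wlog, vlog and dlog (DLP archive log).
LOG_TYPES = {'t': 'traffic', 'e': 'event', 'w': 'web filter', 'v': 'antivirus',
             'a': 'attack', 's': 'antispam', 'd': 'DLP archive', 'c': 'content', 'i': 'IM'}

_ACTIVE_RE = re.compile(r'^(?P<type>[a-z])log\.log$')
_ROLLED_RE = re.compile(r'^(?P<type>[a-z])log\.(?P<epoch>\d+)\.log$')
_UPLOADED_RE = re.compile(
    r'^(?P<serial>[A-Za-z0-9]+)-(?P<type>[a-z])log\.(?P<epoch>\d+)\.log'
    r'-(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})(?P<gz>\.gz)?$')


def parse_log_filename(name):
    """Classify an active, rolled or uploaded device log file name; None for anything else."""
    m = _ACTIVE_RE.match(name)
    if m:
        return {'kind': 'active', 'type': m.group('type'),
                'log_type': LOG_TYPES.get(m.group('type'), 'unknown')}
    m = _ROLLED_RE.match(name) or _UPLOADED_RE.match(name)
    if not m:
        return None
    epoch = int(m.group('epoch'))
    info = {'kind': 'rolled', 'type': m.group('type'),
            'log_type': LOG_TYPES.get(m.group('type'), 'unknown'), 'epoch': epoch,
            # N is the time the first entry was received, read here as a Unix timestamp
            'first_entry_utc': datetime.fromtimestamp(epoch, timezone.utc)}
    if 'serial' in m.groupdict():
        info.update(kind='uploaded', serial=m.group('serial'),
                    # the trailing stamp is when the unit uploaded the file; its time zone
                    # is not stated in the guide, so it is kept naive rather than guessed
                    uploaded_at=datetime.strptime(m.group('ts'), '%Y-%m-%d-%H-%M-%S'),
                    compressed=m.group('gz') is not None)
    return info


def should_roll(size_bytes, max_bytes, now, last_roll, schedule, roll_time='00:00'):
    """The unit's two checks in order: size limit first, then the daily/weekly time.
    'optional' rolls on size only. now and last_roll are ISO 8601 strings. Anchoring the
    next scheduled roll to roll_time on the day of the previous roll is an assumption."""
    if size_bytes >= max_bytes:
        return True
    if schedule == 'optional':
        return False
    hour, minute = (int(part) for part in roll_time.split(':'))
    last = datetime.fromisoformat(last_roll)
    due = (last.replace(hour=hour, minute=minute, second=0, microsecond=0)
           + timedelta(days={'daily': 1, 'weekly': 7}[schedule]))
    return datetime.fromisoformat(now) >= due


def pending_uploads(local_names, remote_names, serial):
    """Rolled files on the unit that have no uploaded copy on the server for this serial.
    Worth running after an upload failure, before enabling 'Delete files after uploading'."""
    remote = set()
    for name in remote_names:
        info = parse_log_filename(name)
        if info and info['kind'] == 'uploaded':
            remote.add((info['serial'], info['type'], info['epoch']))
    pending = []
    for name in local_names:
        info = parse_log_filename(name)
        if info and info['kind'] == 'rolled' and (serial, info['type'], info['epoch']) not in remote:
            pending.append(name)
    return pending


if __name__ == '__main__':
    print(parse_log_filename('FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz'))
    print(pending_uploads(['tlog.log', 'tlog.1252929496.log', 'tlog.1253016000.log'],
                          ['FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz'],
                          'FG3K6A3406600001'))
```

Parsing the guide's own example name gives a first-entry time of 2009-09-14 11:58:16 UTC and an upload stamp of 14:00:14, which is consistent with a file rolled on its daily schedule and uploaded at the configured time.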
To enable and configure log rolling or uploading, go to Log & Archive > Options > Log File
Options.
Figure 70: Device log settings
Name of the GUI item: Description

Log file should not exceed: Enter the maximum size of each device log file.

Log file should be rolled... even if size is not exceeded: Set the time of day when the FortiAnalyzer unit renames the current log file and starts a new active log file.
• Daily: Roll log files daily, even if the log file has not yet reached the maximum file size.
• Weekly: Roll log files weekly, even if the log file has not yet reached the maximum file size.
• Optional: Roll log files only when the log file reaches the maximum file size, regardless of time interval.

Enable log uploading: Select to upload log files to a server when a log file rolls.

Server type: Select the protocol to use when uploading to a server:
• File Transfer Protocol (FTP)
• Secure File Transfer Protocol (SFTP)
• Secure Copy Protocol (SCP)
FTP sends the user name, password, and log contents in clear text; prefer SFTP or SCP unless the path to the upload server is otherwise protected.

Server IP address: Enter the IP address of the log upload server.

Username: Enter the user name required to connect to the upload server.

Password: Enter the password required to connect to the upload server.

Confirm Password: Re-enter the password to verify correct entry.

Directory: Enter a location on the upload server where the log file should be saved.

Upload Files: Select when the FortiAnalyzer unit should upload files to the server.
• When rolled: Uploads logs whenever the log file is rolled, based upon Log file should be rolled.
• Daily at [hh:mm]: Uploads logs at the configured time, regardless of when or at what size the file rolls according to Log file should be rolled.

Uploaded log format: Select a format for uploading the log files: text (.txt), comma-separated value (.csv), or standard .log (Native).
Compress uploaded log files: Select to compress the log files before uploading to the server.

Delete files after uploading: Select to remove the log file from the FortiAnalyzer hard disk after the FortiAnalyzer unit completes the upload.
Using eDiscovery
eDiscovery allows you to search through the bulk of stored email from the FortiGate units,
extract and download the search results, and share them with a third-party if required in
situations such as a lawsuit or regulatory violation action.
To prove that shared data is an exact copy of the original, the FortiAnalyzer unit produces local logs indicating when each search was executed, when the search results were downloaded, and when they were deleted. In addition, the FortiAnalyzer unit generates SHA1 and MD5 digests for every search result. When a search result is downloaded to an external device, the SHA1 and MD5 digests calculated on the downloaded file must match the digests generated by the FortiAnalyzer unit in order to show that the search result has not been altered since leaving the FortiAnalyzer unit. Compare both digests rather than MD5 alone, since MD5 is not collision resistant, and keep the unit’s own search, download, and deletion log entries with the evidence: matching digests demonstrate integrity only from the point the result left the unit.
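The verification step above, and the SHA1 and MD5 columns of the search task view described later in this section, are illustrated by the following added Python example. It is editor-written, not FortiAnalyzer code: the REPORTED_TASK record is a constructed stand-in for what the Folders view displays (its digests are those of the empty byte string so the example checks itself), and the chain-of-custody record format is the editor's own suggestion for a log kept beside the unit's.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for a search task as the Folders view shows it (not real output).
# The digest values are those of the empty byte string, so the example is self-checking.
REPORTED_TASK = {
    'task_name': 'case-0001-mailbox-export',
    'sha1': 'da39a3ee5e6b4b0d3255bfef95601890afd80709',
    'md5': 'd41d8cd98f00b204e9800998ecf8427e',
}


def file_digests(data):
    """SHA1 and MD5 hex digests, the two values the task view displays."""
    return {'sha1': hashlib.sha1(data).hexdigest(), 'md5': hashlib.md5(data).hexdigest()}


def verify_download(data, reported_sha1, reported_md5):
    """Compare a downloaded result with the digests the unit reported. Both must match:
    MD5 collisions are practical, so an MD5-only match is not treated as proof."""
    actual = file_digests(data)
    sha1_ok = hmac.compare_digest(actual['sha1'], reported_sha1.strip().lower())
    md5_ok = hmac.compare_digest(actual['md5'], reported_md5.strip().lower())
    return {'sha1_ok': sha1_ok, 'md5_ok': md5_ok, 'ok': sha1_ok and md5_ok, **actual}


def custody_record(task, filename, data, handled_by, when=None):
    """One JSON line for a local chain-of-custody log, to keep beside the unit's own
    logs of when the search ran and when the result was downloaded or deleted."""
    result = verify_download(data, task['sha1'], task['md5'])
    return json.dumps({
        'event': 'ediscovery_download_verified' if result['ok'] else 'ediscovery_download_mismatch',
        'task': task['task_name'], 'file': filename, 'size': len(data),
        'reported_sha1': task['sha1'], 'reported_md5': task['md5'],
        'computed_sha1': result['sha1'], 'computed_md5': result['md5'],
        'handled_by': handled_by,
        'timestamp': (when or datetime.now(timezone.utc)).isoformat(),
    }, sort_keys=True)


def verify_file(path, task):
    """Read a downloaded result from disk and verify it against the task's digests."""
    with open(path, 'rb') as fh:
        return verify_download(fh.read(), task['sha1'], task['md5'])


if __name__ == '__main__':
    print(custody_record(REPORTED_TASK, 'result.zip', b'', 'analyst'))
```

Run verify_file on the downloaded archive before it leaves your hands, and again on the copy the third party receives; the two custody records plus the unit's own log entries give a continuous account from search to hand-over.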
Log & Archive > eDiscovery > Folders displays the list of eDiscovery folders containing
search results.
Figure 71: eDiscovery folders list
Name of the GUI item: Description

Download: Click to save the selected folder and the contained search results. The saved information can be shared with a third party.

Run Now: Click to refresh the search tasks in a selected folder. This will update the email lists in the search tasks.

Clone: Click to duplicate a folder to use as a basis for creating a new one.

Folder Name: The names of the eDiscovery folders that you create. For more information, see “To create eDiscovery folders” on page 160. Select the arrow beside a folder name to display the task names of the search results saved in the folder. For more information, see “Task Name” on page 161. Select a task name to view the email list. See “To view a search task” on page 161.

Creation Date: The date and time when the folder and search tasks were created.
Search Results: Each eDiscovery folder displays the number of search results contained in it. Each search task displays the number of email extracted based on the search criteria. See “To search email” on page 160.

Size (bytes): The size of the folders and search tasks. This column also displays the status of search results:
• Completed: Search is completed and results are available for viewing.
• Incomplete: Search was interrupted by a system shutdown.
• Running: Search is in progress.
• Pending: Search has been queued and will run once other searches are completed.
• Quota Exceeded: Search was stopped because the disk quota has been exceeded.
To use eDiscovery, follow the general steps below:
• Set the disk quota for eDiscovery results out of the current disk space reserved for the system (that is, space not allocated to the devices), since the search results may take a considerable amount of disk space. See “To set the eDiscovery disk quota” on page 159.
• Create folders to store search results. Typically, you store search results that are part of a single investigation under one folder. See “To create eDiscovery folders” on page 160.
• Search email based on the search criteria and save the results to a folder where you will view, download, delete, or clone the results. See “To search email” on page 160.
To set the eDiscovery disk quota
1 Go to Log & Archive > eDiscovery > Config.
2 Enter the maximum size of disk space for storing eDiscovery search results.
The used and available disk spaces also display. The size of the reserved space for
eDiscovery varies by the total disk space. You cannot adjust the disk quota below the
size of the existing eDiscovery results. eDiscovery results will not be saved if they
exceed the disk quota.
3 Click Apply.
To create eDiscovery folders
1 Go to Log & Archive > eDiscovery > Folders.
2 Click Create New.
3 Enter a folder name.
4 Click OK.
To search email
1 Go to Log & Archive > eDiscovery > Search.
2 Complete the following search criteria:
Name of the GUI item: Description

Device: Select the FortiGate unit whose archived email you want to search.

Timeframe: Select the time period for the email that you want to search. If you click Specify, enter the start and end time.

From: Enter the sender’s email address that you want to search. This can be a full or partial email address.

To: Enter all or part of the recipient’s email address. For multiple recipients, enter any one of the recipients, or enter multiple recipient addresses in the order that they appear in the email address field, separated by a comma (,) and a space, such as:
user1@example.com, user2@example.com

Subject: Enter all or part of the subject line of the email message.

Message Contains: Enter all or part of a word or phrase in the email message.

Save to Folder: If you want to save the search results, select a folder. If you do not want to save the search results, select Don’t Save. If you want to create a new folder for the search results, select Create New, enter a folder name and select OK.

Task Name: Enter a unique name for this search task. Such a name will help you identify a particular search result in a folder. For more information, see “Folder Name” on page 158. This field appears only if you selected to save the search results to a folder in the Save to Folder field.

Description: Enter a note to describe the task name. For more information, see “Description” on page 162. This field appears only if you selected to save the search results to a folder in the Save to Folder field.
3 Do one of the following:
• If you selected Don’t Save in the Save to Folder field, select Search.
The search results will display.
• If you selected a folder in the Save to Folder field, select Search & Save.
The search results are saved to the selected folder.
To view a search task
1 Go to Log & Archive > eDiscovery > Folders.
2 Select the arrow beside a folder that contains the task you want to view.
3 Select the task name you want to view.
The task’s email list displays. Selecting an item displays its detailed information.
Name of the GUI item: Description

Task name: The name of this search task. For more information, see “Task Name” on page 161.

Description: The note for this task. For more information, see “Description” on page 161.

Device: The serial number(s) of the FortiGate unit(s) whose archived email you searched. For more information, see “Device” on page 161.

Timeframe: The date and time when the search task was created.

SHA1: The SHA1 digest for this search task. When a search result is downloaded to an external device, the SHA1 digest calculated on the downloaded file must match this digest in order to prove that the search result has not been tampered with since leaving the FortiAnalyzer unit.

MD5: The MD5 digest for this search task. When a search result is downloaded to an external device, the MD5 digest calculated on the downloaded file must match this digest in order to prove that the search result has not been tampered with since leaving the FortiAnalyzer unit.

Column Settings: Click to change the columns to view and the order they appear on the page. For more information, see “Displaying and arranging log columns” on page 141.

Last Activity: The date and time that the FortiAnalyzer unit received the email from the FortiGate unit.

From: The sender’s email address that was searched. This can be a full or partial email address.

To: The recipient’s email address that was searched. This can be a full or partial email address.
Subject
The subject line of an email.
The email list can display full and/or summary email archives. A summary
email archive contains only the message’s summary metadata. A full email
archive contains the summary plus a hyperlink to the archived message itself.
For example, if the FortiAnalyzer unit has a full email archive for a
message, the Subject column contains a link that opens the message. If the
FortiAnalyzer unit has only a summary archive, the Subject column does not
contain a link.
Whether an email archive is full or summary depends on:
• whether the FortiGate unit is configured to send full email archives
• whether the content satisfies the email archiving requirements
• whether the FortiAnalyzer unit still has the file or message associated with
the summary (full email archives do not appear if you have deleted the
associated message)
For more information about requirements and configuration of DLP archiving,
see the FortiGate Administration Guide.
Size
The size of the email message.
Attachment
icon
If an email has an attachment, this icon appears.
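The SHA1 and MD5 columns above give the reference digests for an exported search result. The following added example (not FortiAnalyzer code; the file name, message body and the act of flipping one byte are constructed for illustration) computes both digests over a downloaded file in chunks, compares them with values copied from the task list, and shows that a single-byte change is detected.

```python
"""Verify an eDiscovery export against the SHA1 and MD5 digests shown in the
task list. Added example, not FortiAnalyzer code; file name, contents and
the tampering step below are constructed for illustration."""
import hashlib
import hmac
import os
import tempfile


def file_digests(path, chunk_size=1 << 20):
    """Return (sha1_hex, md5_hex) computed over the file in chunks, so a
    large archive does not have to be read into memory at once."""
    sha1 = hashlib.sha1()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            md5.update(chunk)
    return sha1.hexdigest(), md5.hexdigest()


def verify_export(path, expected_sha1, expected_md5):
    """Compare both digests with the values recorded from the FortiAnalyzer GUI.

    Expected values are stripped and lower-cased because they are usually
    copied by hand. Both must match: reporting success on one digest alone
    would let a typo in the other reference value pass unnoticed."""
    got_sha1, got_md5 = file_digests(path)
    want_sha1 = expected_sha1.strip().lower().encode()
    want_md5 = expected_md5.strip().lower().encode()
    sha1_ok = hmac.compare_digest(got_sha1.encode(), want_sha1)
    md5_ok = hmac.compare_digest(got_md5.encode(), want_md5)
    return {"ok": sha1_ok and md5_ok, "sha1_ok": sha1_ok, "md5_ok": md5_ok,
            "sha1": got_sha1, "md5": got_md5}


def demo():
    """Write a constructed export, take its digests as the GUI would show
    them, verify the intact copy, then flip one byte and verify again.
    Returns (intact_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ediscovery_task1.tar")  # constructed name
        with open(path, "wb") as fh:
            fh.write(b"From: alice@example.com\r\nTo: bob@example.com\r\n"
                     b"Subject: Q3 forecast\r\n\r\nconstructed sample body\r\n")
        sha1_shown, md5_shown = file_digests(path)  # stands in for GUI values
        # Upper-case hex and stray whitespace, as pasted from the GUI.
        intact = verify_export(path, sha1_shown.upper(), " " + md5_shown + "\n")
        with open(path, "r+b") as fh:  # tamper with a single byte
            fh.seek(10)
            fh.write(b"X")
        tampered = verify_export(path, sha1_shown, md5_shown)
        return intact["ok"], tampered["ok"]


if __name__ == "__main__":
    print(demo())
```

Both digests are checked and both must agree; a file that satisfies only one of them should be treated as unverified until the mismatching reference value has been re-read from the FortiAnalyzer unit.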
Reports
FortiAnalyzer units can collate information collected from FortiGate log files and present
it in tabular and graphical reports, providing a quick analysis of what is occurring on the
network.
You can create reports based on logs from the proprietary indexed file system or SQL
database, depending on your SQL database configuration in System > Config >
SQL Database. For more information on selecting the storage method, see “Configuring
SQL database storage” on page 83.
By using reports, you can:
• minimize the effort required to identify attack patterns when customizing policies to
prevent attacks
• monitor Internet surfing patterns for compliance with company policy
• identify your web site visitors for potential customers
FortiAnalyzer reports are also flexible: a report layout can be built on run-time variables
(so that the same layout can be reused across schedules) or on specific, fixed values.
Fortinet recommends building layouts on variables and reusing them.
This topic includes:
• Configuring reports from logs in the proprietary indexed file system
• Configuring reports from logs in a SQL database
• Browsing reports
Note: Reports can only be created for registered devices and device groups. For more
information about registering devices, see “Unregistered vs. registered devices” on
page 124.
Note: If you want to configure custom charts, or configure a chart containing criteria for web
clicks vs. web hits, see the FortiAnalyzer CLI Reference because these are only configured
in the CLI. For information about new and changed reports, see “Appendix B: Report
templates” on page 285.
Configuring reports from logs in the proprietary indexed file
system
If you have disabled SQL database for log storage in System > Config > SQL Database,
you must instead configure reports based on logs from the proprietary indexed file system.
For information on selecting the storage method, see “Configuring SQL database storage”
on page 83.
Figure 72: Configuring SQL database
Logs must be collected or uploaded before you can generate a report. Logs are the basis
of all FortiAnalyzer reports. After logs are collected or uploaded, you can then define the
three basic components that make up a report based on logs from the proprietary indexed
file system:
• report layout (the report template and the contents)
• output and data filter templates, language (optional components)
• report schedule (log data parameters and time range)
You must configure a report layout, and any data filter template you intend to apply,
before configuring the report schedule, because a schedule requires a report layout. If
you want completed report files uploaded to a server accepting FTP, SFTP, or SCP when a
report is scheduled, you also need to configure a remote report output template (see
“Configuring report output templates” on page 89). The layout configurations are referred
to as templates because they can be applied to any report schedule.
If you are using data filter or output templates with a report schedule, these templates
cannot be deleted. Data filter or output templates can be deleted when they are not being
used by a report schedule.
Configuring a report layout
Report > Config > Layout enables you to configure and define multiple report layouts,
which can then be applied to report schedules or generated immediately.
There are also default report layouts for you to choose from, and they appear in the report
layout list with the report layouts you created. The default layouts are:
• Bandwidth_Analysis: An overview of bandwidth consuming applications and users.
• Forensic_Analysis: An overview of detailed network activity information such as
instant messaging programs and email.
• Threat_Analysis: An overview of user Anti-Virus, Intrusion Protection and Anti-Spam
threats for the time period.
• Web_Filtering-Group_Activity: An overview of user web site activity for a group of
users while also providing a summary and analysis information on usage and behavior.
• Web_Filtering-User_Activity: An overview of user web site activity plus detailed audit
of all blocked sites and all sites visited.
When configuring a report layout, you can choose and specify each individual chart. The
charts include default and customized ones. You can configure customized charts in the
CLI. For more information, see the FortiAnalyzer CLI Reference.
You can edit charts either during or after they are included in the report layout.
Figure 73: Report layout list
Name of the GUI item
Description
Clone
Create a duplicate of a report layout to use as a basis for creating a new
report layout.
Run
Run a report layout immediately (on demand), instead of waiting for the
report layout’s scheduled time.
Name
The name of the report layout given when configuring a report layout.
Description
The description or comments entered in the Description field of the report
layout.
Company Name
The name of the company, if given, when configuring the report layout.
Number of Charts
The number of charts that are included in that report layout.
To configure a report layout
1 Go to Report > Config > Layout.
2 Click Create New.
3 Configure the following:
Name of the GUI item
Description
Name
Enter a name for the report.
Description
Enter a description, for example, for what the report is about.
Company
Name
Enter the name of your company or organization.
Report Title
Enter a title name for the report, for example, Report_1.
Header
Enter a header name for the report.
Title Page
Logo
Select the Browse logo files icon to choose a logo that will appear on the title
page of the report. You need to select a logo file format that is compatible with
your selected file format outputs. The logo will not appear if it is incompatible
with the chosen file format.
You can choose JPG, PNG, and GIF logo formats for PDF and HTML output; WMF is
also supported for RTF.
Header Logo Select the Browse logo files icon to choose a logo that will appear only in the
header of the report. Logo formats for headers also need to be compatible with
the chosen file format. The same logo formats for the title page also apply to
headers.
Add Chart(s) Select to add default or user-defined charts to your report. See “To add a chart”
on page 169.
Device
Type
Select one of the device types from the drop-down list. The available types are
FortiGate, FortiClient and FortiMail. The report’s log information will come from
the selected device type. For example, if you selected FortiMail, the log
information used is only FortiMail logs.
Category
Select a category or all categories of charts from the drop-down list.
Note: Customized charts (Custom Charts) are under Others category.
Chart
Name
The names of the charts in each category. The category name is in bold, and the
charts associated within that category name and data source are displayed
beneath.
Action
Select the plus (+) symbol in the row containing the main chart name to add all
charts of the category to the report.
Select the plus (+) symbol in each row to add charts individually.
When the plus (+) symbol is selected, a minus (-) symbol appears. Select the
minus (-) symbol in each row to remove the selected chart or charts.
Add Section
Select to add a section to a report that keeps charts separate from each other.
• Title – Enter a name to describe the charts and information.
• Description – Enter a description, if applicable, to describe the charts.
See “To add a section” on page 170.
Add Text
Select to add a note or comment about a section or to include additional
information about the charts that are in the report. See “To add a text” on
page 171.
4 Click OK.
Note: Report layouts cannot be deleted if they are associated with a report schedule; if you
want to delete a report layout, remove that layout from the schedule it is associated with,
and then delete it.
Adding charts, sections, and texts
You can add default or user-defined charts to your report. You can also add a section to a
report that keeps charts separate from each other, or add a note or comment about a
section or to include additional information about the charts that are in the report.
To add a chart
1 Go to Report > Config > Layout.
2 Click Create New.
3 Click Add Chart(s).
4 Select one of the device types from the Device Type drop-down list.
The available types are FortiGate, FortiClient and FortiMail. The report’s log
information will come from the selected device type. For example, if you selected
FortiMail, the log information used is only FortiMail logs.
5 Select a category or all categories of charts from the Category drop-down list.
Customized charts (Custom Charts) are under Others category.
6 In Chart Name, select the plus (+) symbol in the row containing the main chart name,
such as Network Analysis, to add all charts of the category to the report. Select the
plus (+) symbol in each row, such as Top Sources by Volume, to add charts
individually.
When the plus (+) symbol is selected, a minus (-) symbol appears. Select the minus (-)
symbol in each row to remove the selected chart or charts.
7 Select OK.
To add a section
1 Go to Report > Config > Layout.
2 Click Create New.
3 Click Add Section.
4 In the Title field, enter a title for the chart.
5 In the Description field, enter a description, if applicable, to describe the charts.
6 Select OK.
To add a text
1 Go to Report > Config > Layout.
2 Click Create New.
3 Click Add Text.
4 Add a note or comment about a section or to include additional information about the
charts that are in the report.
5 Select OK.
Editing charts in a report layout
After adding charts, sections, and texts, you can edit charts in a report layout at any time
as well as rearrange the charts from within the Chart List. You can also edit Text and
Section.
You cannot edit the charts of the default report layouts.
The following procedures assume you have already selected the report layout in which
you want to edit charts, texts and sections. You do so by going to Report > Config >
Layout.
When editing charts in a report layout, certain options are available when other options are
selected. For example, if you select a bar chart style, Time Scale will appear. Options such
as User and Group disappear when an LDAP query is selected.
To edit a chart
1 Go to Report > Config > Layout.
2 Click the Edit icon of a report layout.
You cannot edit the charts of the default report layouts.
3 Go to Chart List and click the Edit Chart icon beside the chart name.
4 Enter the appropriate information for the selected chart. The following is a sample chart
for Total IM Events per Protocol.
Name of the GUI item
Description
Chart Output
Select one of the following to display chart information:
• Table & Graph – displays both a table and graph
• Table Only – displays only a table
• Graph Only – displays only a graph
Chart Style
Select a style for the chart. You can choose a bar style, column style
or pie style.
If you select a Bar chart style, Time Scale appears. This is available
only to the Bar chart style.
Maximum Entries (TopN)
Enter a number for the top ranked log information, such as top number
of viruses, and if applicable, select the check box List All Results.
If you select List All Results, the FortiAnalyzer unit must list every
matching log for this chart, which can stall or greatly delay report
generation. Select this check box only when it is necessary.
When a maximum number of top entries is set with the pie chart style
selected, any item whose share is less than one percent is folded into
“Other” and does not appear as its own slice; if no item exceeds one
percent, “Other” occupies the entire pie. For example, if you enter five
and all five items are below one percent, only “Other” is drawn, at 100
percent of the pie diagram.
This behaviour applies only to the pie chart style. The bar chart style
is not affected.
Time Scale
Select what type of time period you want the focus of the report to be
on.
Source ID
(certain charts only)
Select from the drop-down list whether to have the user name or IP
address (or both) as the identification of the source. This option does
not appear for all charts.
Advanced
Select the following to specify the number and appearance of results
in the report.
Resolve Host Names
Select to display host name by an alias or reverse DNS lookup rather
than IP addresses. For more information about configuring IP aliases,
see “Configuring IP aliases” on page 102.
If the DNS server is slow or does not support reverse lookups, report
generation may hang. Each lookup also sends the logged IP address to the
configured DNS server, so prefer an internal resolver when those addresses
are sensitive. Select this check box only when it is necessary.
Resolve Service
Names
Select to display network service names rather than port numbers
such as HTTP instead of port 80.
Max. number of rows for 2nd parameter
(appears when Bar or Line chart style is selected)
Enter the number of rows that you want for each variable. This is
available only to certain chart types.
Include “Other”
Category (in graphs)
Select to include the other results that are not included in the top
entries, that display in a graph.
Include Web Clicks
Only
Select this option to differentiate the user-requested URLs from the
non-user-driven web activities that are included in the web logs. For
example, popup advertisements and images are not web clicks.
The following criteria determine what is counted as a web click when
the report is generated; a request is a web click only if all three hold:
• The file name extension of the URL in the web log does not match the
file types specified in the “file filter” and “custom filter”
configuration attributes.
• The URL does not belong to the advertisement category.
• There is no previous web log from the same source IP address and
user name within a short interval, such as two seconds.
Consolidate URLs by
root domain
Select to group together the URLs under the same root domain.
Override Run-time
Variables
Select to specify the following that will be associated with this chart.
Device/Group – Select to specify a device or device group from the
drop-down list. You can also select all devices, if applicable.
Virtual Domain (FortiGate charts only) – Enter to specify a virtual
domain.
User – Enter the user’s name that you want to use in the report. You
can enter multiple names in the field, using commas to separate the
user names.
This option disappears when an LDAP query is selected.
Group – Enter a group’s name that you want to use in the report. You
can enter multiple names in the field, using commas to separate the
group names.
This option disappears when an LDAP query is selected.
LDAP Query – Select an LDAP directory from the drop-down list to
restrict report scope using a list of user names from the LDAP
directory, instead of a group name configured on a device.
For information on configuring LDAP servers, see “Configuring LDAP
queries for reports” on page 109.
LDAP Group – Enter an LDAP group. This option appears only when
LDAP Query is selected.
5 Click OK.
If you want to rearrange the charts so that they are presented in a different order, click
and drag a chart to a position above or below another chart. The order is reflected in
the generated report.
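The three “Include Web Clicks Only” criteria amount to a small classifier. The following added example (not the FortiAnalyzer implementation; the extension list standing in for the CLI “file filter” and “custom filter” attributes, the advertisement category label, and the log lines are all constructed) runs them over a handful of web filter log lines and reports which requests count as web clicks and why the others are only hits.

```python
"""Classify web filter log entries as user clicks or background fetches using
the three 'Include Web Clicks Only' criteria described in the guide.
Added example, not the FortiAnalyzer implementation. The extension list, the
advertisement category label and the log lines are constructed."""
import posixpath
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed stand-in for the "file filter" / "custom filter" extension lists.
NON_CLICK_EXTENSIONS = {".gif", ".png", ".jpg", ".jpeg", ".css", ".js", ".ico", ".swf"}
AD_CATEGORY = "Advertising"            # constructed category label
CLICK_INTERVAL = timedelta(seconds=2)  # the "short interval" given in the guide

# Constructed sample lines; the key=value layout loosely follows FortiGate
# web filter logs but every value is invented.
SAMPLE_LOGS = [
    "date=2010-12-03 time=09:00:00 srcip=10.1.1.5 user=alice url=http://news.example.com/ catdesc=News",
    "date=2010-12-03 time=09:00:00 srcip=10.1.1.5 user=alice url=http://news.example.com/style.css catdesc=News",
    "date=2010-12-03 time=09:00:01 srcip=10.1.1.5 user=alice url=http://ads.example.net/banner catdesc=Advertising",
    "date=2010-12-03 time=09:00:01 srcip=10.1.1.5 user=alice url=http://news.example.com/story/42 catdesc=News",
    "date=2010-12-03 time=09:00:10 srcip=10.1.1.5 user=alice url=http://news.example.com/story/43 catdesc=News",
    "date=2010-12-03 time=09:00:10 srcip=10.1.1.6 user=bob url=http://mail.example.org/ catdesc=Email",
]


def parse_log(line):
    """Turn one key=value line into a dict with a combined 'ts' datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"],
                                     "%Y-%m-%d %H:%M:%S")
    return fields


def url_extension(url):
    """Extension of the URL path, lower-cased; query strings are ignored."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def classify(entries):
    """Apply the three criteria in order. Returns a list of (url, is_click, reason).

    Every log line, click or not, updates the last-seen time for its
    (source IP, user) pair: the guide's third criterion refers to any previous
    web log from that source, not only to previous clicks."""
    last_seen = {}
    result = []
    for e in sorted(entries, key=lambda x: x["ts"]):
        key = (e["srcip"], e["user"])
        prev = last_seen.get(key)
        last_seen[key] = e["ts"]
        ext = url_extension(e["url"])
        if ext in NON_CLICK_EXTENSIONS:
            result.append((e["url"], False, "extension " + ext + " is in the file filter"))
        elif e["catdesc"] == AD_CATEGORY:
            result.append((e["url"], False, "advertisement category"))
        elif prev is not None and e["ts"] - prev < CLICK_INTERVAL:
            result.append((e["url"], False, "another request from the same source within 2 s"))
        else:
            result.append((e["url"], True, "web click"))
    return result


def click_urls(lines):
    """URLs from the given log lines that count as web clicks."""
    return [url for url, is_click, _ in classify(parse_log(l) for l in lines) if is_click]


if __name__ == "__main__":
    for url, is_click, reason in classify(parse_log(l) for l in SAMPLE_LOGS):
        print(("CLICK " if is_click else "hit   ") + url + "  (" + reason + ")")
```

Note the edge the interval rule creates: the request for story/42, issued one second after the advertisement fetch from the same user, is demoted to a hit even though a person may well have clicked it. That is the trade-off of a timing heuristic, and it is why the counts in a “web clicks” report should be read as an estimate rather than an audit of user actions.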
To edit a section
1 Go to Report > Config > Layout.
2 Click the Edit icon of a report layout.
3 Go to Chart List and click the Edit Section icon beside the section name.
4 Clear the appropriate information that appears in either Title or Description fields, or
both fields.
5 Enter the new information in either Title or Description fields, or both fields.
6 Click OK.
To edit text
1 Go to Report > Config > Layout.
2 Click the Edit icon of a report layout.
3 Go to Chart List and click the Edit Text icon beside the text name.
4 Clear the appropriate information that appears in the Message field.
5 Enter the new information in the Message field.
6 Click OK.
Configuring data filter templates
You can configure multiple data filter templates for reports. These templates can be
applied to any report schedule you want.
Data filters sort through log information so that you can include or exclude log
messages and focus a report on the messages that match your criteria. For example, to
include a specific range of IP addresses, enter 172.16.110.0-172.16.110.255 in the
Source(s) field; this matches every address in the 172.16.110.0/24 subnet (netmask
255.255.255.0), and the subnet form 172.16.110.0/24 is accepted as an equivalent. To
include every address except that range, enter the same range and mark the not check
box.
Data filter options operate on specific log message fields. For information about log
message fields, see the FortiGate Log Message Reference.
To view the data filter templates, go to Report > Config > Data Filter.
Figure 74: Data filter templates
Name of the GUI item
Description
Name
The name of the data filter template.
Description
Any comments entered in the Description field when configuring the
data filter template.
To configure a data filter template
1 Go to Report > Config > Data Filter.
2 Click Create New.
3 Configure the following:
Name of the GUI item
Description
Name
Enter a name for the new data filter configuration. This name concerns
only this particular data filter configuration, not the report itself.
Description
Enter a description for the data filter template. This is optional.
Filter logic
Select all to include in the report only those logs that match every filter
criterion. If a log message fails any one criterion, the FortiAnalyzer unit
excludes it from the report.
Select any to include logs that match at least one of the filter criteria.
If any criterion matches a log message, the FortiAnalyzer unit includes the
log in the report.
Source(s)
Enter the source IP address or addresses whose matching logs to include.
You can also select from the alias list. Separate multiple sources with
a comma.
You can filter on IP ranges or subnets. The following formats are
supported:
• IP Range: xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
• Subnet: xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/cidr
Note that you cannot use a format like 172.20.110.0-255.
Alias
Select the appropriate alias from the drop-down list. For more
information about configuring IP aliases, see “Configuring IP aliases”
on page 102.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific source IP address.
Destination(s)
Enter the destination IP address or addresses whose matching logs to
include, or select from the Alias list. Separate multiple destinations
with a comma. For more information about configuring IP aliases, see
“Configuring IP aliases” on page 102.
You can filter on IP ranges or subnets. The following formats are
supported:
• IP Range: xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
• Subnet: xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx/cidr
Note that you cannot use a format like 172.20.110.0-255.
Alias
Select the appropriate alias from the drop-down list. See “Configuring IP
aliases” on page 102 for more information about configuring IP aliases.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific destination IP address.
Interface(s)
Enter the network interface or interfaces to include matching logs.
Separate multiple interface names with a comma.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific network interface.
Policy ID(s)
Enter the FortiGate firewall policy ID numbers to include matching
logs. The report will include logs from all FortiGate log files containing
firewall policy ID numbers, which excludes event and DLP archive
logs. Separate multiple policy IDs with a comma.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific policy ID.
Service(s)
Enter specific services to include matching logs. Separate multiple
services with a comma.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific service.
Email Domain(s)
(only FortiMail reports)
Enter the email domain or domains that you want included in the filter.
An email domain is a set of email accounts that reside on a particular
email server. The email domain is the portion of the user’s email
address following the “@” symbol. For more information about email
domains, see the FortiMail Administration Guide.
This field is used only when creating FortiMail reports.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific email domain.
Email Direction(s)
(only FortiMail reports)
Enter one of the following types of email directions:
• IN – the incoming email traffic direction
• OUT – the outgoing email traffic direction
• UNKNOWN – the unknown email traffic direction
This field is used only when creating FortiMail reports.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific email direction.
Email Sender(s)
Enter the sender or senders of the email.
This field is used only when creating FortiMail reports.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific email sender.
Email Recipient(s)
Enter the receiver or receivers of the email.
This field is used only when creating FortiMail reports.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific email recipient.
Day of the Week
Select specific days of the week to include matching logs.
Web Category
Category List
Select one or more category check boxes to include only the web filtering
logs that match those categories.
not
Select to instead include only logs that do not match the criterion.
You can select a whole category by selecting the check box beside the
Expand Arrow of the category. You can also select the individual
subcategories within the category by selecting the Expand Arrow to
display the sub-categories. For example, you might select to include all
web filtering logs with a category of Potentially Bandwidth Consuming,
or you might select only Internet Radio and TV within that category.
Priority
Select a severity level from the Available Levels column and then use
the -> arrow to move the level to the Selected Levels column.
If you want to remove a severity level from the Selected Levels
column, select the level first and then use the <- arrow to move the
level back to the Available Levels column.
Generic Filter(s)
Enter a generic filter for the filter template.
Key
Enter a keyword in this field.
Value
Enter a number for the value. Select the not check box to instead
include only log messages that do not match the generic filter criteria.
not
Select to instead include only log messages that do not match this
criterion. For example, you might include logs except those matching
a specific generic filter.
Add
Select Add to add the keyword and value number to the generic filter
list. The generic filter list displays all configured generic filters in the
field beside both Add and Delete.
Delete
Select to delete the generic filter. Select the generic filter first, and
then select Delete.
4 Click OK.
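The Source(s) and Destination(s) rows above describe the address formats a data filter accepts, the not check box inverts a row, and Filter logic decides whether rows combine with all or any. The following added example (not FortiAnalyzer code; the log lines are constructed and the field names srcip, dstip, policyid and service are assumed) parses those address formats with the standard ipaddress module, rejects the short range form the guide says is unsupported, and applies a two-row filter under both logic settings.

```python
"""Evaluate a data filter template's address criteria, the per-row 'not'
check box and the all/any Filter logic against sample log records.
Added example, not FortiAnalyzer code; log lines are constructed and the
field names are assumed."""
import ipaddress
import re

DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed sample traffic log lines.
SAMPLE_LOGS = [
    "date=2010-12-03 time=09:01:12 srcip=172.16.110.23 dstip=10.0.0.5 policyid=3 service=HTTP",
    "date=2010-12-03 time=09:01:15 srcip=172.16.110.200 dstip=203.0.113.9 policyid=7 service=HTTPS",
    "date=2010-12-03 time=09:02:40 srcip=172.16.120.8 dstip=10.0.0.5 policyid=3 service=SMTP",
    "date=2010-12-03 time=09:03:01 srcip=192.168.1.10 dstip=198.51.100.4 policyid=9 service=DNS",
]


def parse_address_criterion(text):
    """Parse the comma-separated forms the Source(s)/Destination(s) fields
    accept: a.b.c.d-w.x.y.z (range), a.b.c.d/mask or a.b.c.d/cidr (subnet),
    or a single address. The short form 172.20.110.0-255, which the guide
    says is unsupported, is rejected rather than guessed at."""
    matchers = []
    for item in (s.strip() for s in text.split(",") if s.strip()):
        if "-" in item:
            lo, hi = item.split("-", 1)
            if not (DOTTED_QUAD.fullmatch(lo) and DOTTED_QUAD.fullmatch(hi)):
                raise ValueError("unsupported range form: " + item)
            lo_ip, hi_ip = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
            if hi_ip < lo_ip:
                raise ValueError("range end precedes start: " + item)
            matchers.append(lambda ip, lo=lo_ip, hi=hi_ip: lo <= ip <= hi)
        else:
            # IPv4Network accepts both /24 and /255.255.255.0; a bare address is /32.
            net = ipaddress.IPv4Network(item, strict=False)
            matchers.append(lambda ip, net=net: ip in net)
    return matchers


def supported_form(text):
    """True if the GUI would accept this Source(s)/Destination(s) value."""
    try:
        parse_address_criterion(text)
        return True
    except ValueError:
        return False


def parse_log(line):
    """Split a key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def criterion_matches(record, field, matchers, negate):
    """One row of the template: the field value must fall in one of the
    ranges/subnets; the 'not' box (negate=True) inverts the outcome. A record
    without the field, or with a non-address value, never matches positively."""
    value = record.get(field)
    try:
        hit = value is not None and any(m(ipaddress.IPv4Address(value)) for m in matchers)
    except ValueError:
        hit = False
    return hit != negate


def apply_filter(records, criteria, logic="all"):
    """Filter logic: 'all' keeps a record only if every row holds,
    'any' keeps it if at least one row does."""
    combine = all if logic == "all" else any
    return [r for r in records if combine(criterion_matches(r, *c) for c in criteria)]


def demo():
    """Sources in 172.16.110.0/24, destinations NOT in 10.0.0.0/24 (not box
    checked). Returns the surviving source IPs under 'all' and under 'any'."""
    records = [parse_log(l) for l in SAMPLE_LOGS]
    criteria = [
        ("srcip", parse_address_criterion("172.16.110.0-172.16.110.255"), False),
        ("dstip", parse_address_criterion("10.0.0.0/255.255.255.0"), True),
    ]
    return ([r["srcip"] for r in apply_filter(records, criteria, "all")],
            [r["srcip"] for r in apply_filter(records, criteria, "any")])


if __name__ == "__main__":
    print(demo())
```

With all, only the 172.16.110.200 record survives, because it is the only one whose source is in the range and whose destination is outside 10.0.0.0/24. With any, the negated destination row alone admits every record whose destination is outside that subnet, which is why 192.168.1.10 appears in the second list; all is the setting to use when a not row is meant to narrow a report rather than widen it.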
Configuring report schedules
Caution: When a report schedule has both an output template and file formats selected
in Output Types, the formats sent by email are those enabled in both places, and only
those. For example, if PDF and Text are selected in the output template and PDF and MHT
are selected in the report schedule, the email attachment is PDF only.
Report schedules are configured after you have configured report layouts. If you do not
have a report layout, you cannot configure a report schedule.
Report schedules generate a report once, daily, weekly, or monthly at a specified time, or
on demand. You can configure multiple report schedules.
To view the report schedule list, go to Report > Schedule > Schedule.
Figure 75: Report schedules
Name of the GUI item
Description
Run
Run a report schedule immediately, (on demand), instead of waiting
for the scheduled time.
Schedule Name
The name given to the report schedule when configuring the report
schedule.
Layout Name
The name of the report layout that is associated with the report
schedule.
Device
The device or device group that is associated with the report
schedule.
Schedule
The time period or range for the report, in the following formats:
• Daily: hh:mm
• Weekly: hh:mm at [days of week]
• Monthly: hh:mm at [dates of month]
Effective Period
The start and end date, including the start and end time, of the
schedule.
To configure report schedules
1 Go to Report > Schedule > Schedule.
2 Click Create New.
3 Configure the following:
Name of the GUI item
Description
Name
Enter a name for the schedule.
Description
Enter a description for the schedule. This is optional.
Layout
Select a configured report layout from the drop-down list. You must
apply a report layout to a report schedule.
Language
Select a language from the drop-down list or choose Default to use the
default language.
Schedule
Select one of the following to have the report generated only once,
daily, weekly, or monthly at a specified date or time period.
Daily
Select to generate the report every day at the same time. Enter the
hour and minute time period for the report. The format is hh:mm.
Weekly
Select to generate the report on specified days of the week. Select the
days of the week check boxes.
Monthly
Select to generate the report on a specific day or days of the month.
Enter the days with a comma to separate the days. For example, you
want to generate the report on the first day, the 21st day and 30th day:
1, 21, 30.
Once
Select to have the report generated only once.
On Demand
Select to have the report generated on demand.
Time
Select the hour and minute (from the drop-down lists) of the time of
day when you want to generate the report.
Start Date
Select the calendar beside Start Date to choose the date, and the time, from
which the schedule takes effect, and then select OK. You can select a
different month and year if required.
End Date
Select the calendar beside End Date to choose the date, and the time, after
which the schedule stops generating reports, and then select OK. You can
select a different month and year if required.
Log Data Filtering
You can specify values for the run-time variables used by the charts in the
report layout.
If no variables were specified in the charts added to the report layout,
proceed to Data Filter.
Device/Group
Select a device or device group from the list.
If a layout is not selected, no FortiGate units or groups will appear in
the list.
Virtual Domain
Select to create a report based on virtual domains. Enter a specific
virtual domain to include in the report.
User
Select to create a report based on a network user. Enter the user or
users in the field.
Group
Select to create a report based on a group of network users, defined
locally. Enter the name of the group or groups in the field.
LDAP Query
Select an LDAP directory from the drop-down list.
LDAP Group
Enter an LDAP group. This option appears only when LDAP Query is
selected.
Data Filter
Select a data filter template from the drop-down list to the report
schedule. For more information on data filter, see “Configuring data
filter templates” on page 176.
Time Period
Local Time for – Select to base the time period on the local time of
the FortiAnalyzer unit or the selected devices.
Log time stamps reflect when the FortiAnalyzer unit received the
message, not when the device generated the log message. If you
have devices located in different time zones, and are creating a report
layout based on a span of time, ensure that the time span is relative to
the device, not the FortiAnalyzer unit.
For example, if you have a device and a FortiAnalyzer unit located
three time zones apart, a report for the time frame from 9 AM to 11 AM
will yield different results depending on whether the report time frame
is relative to the device’s local time, or to the FortiAnalyzer unit’s local
time.
From – Select the beginning date and time of the log time range.
To – Select the ending date and time of the log time range.
Output
Select the type of output you want the report to be in and if you want to
apply an output template as well.
Output Types
Select the type of file format you want the generated report to be. You
can choose from PDF, XML, HTML (default), MS Word, Text, and
MHT.
Note: Only those file formats that are enabled in both output template
and schedule output types are sent by email. For example, if PDF and
Text formats are selected in the output template, and then PDF and
MHT are selected in the report schedule, the report’s file format in the
email attachment is PDF.
Email/Upload
Select the check box if you want to apply a report output template from
the drop-down list. For more information on configuring report output,
see “Configuring report output templates” on page 89.
4 Click OK.
Configuring language
When creating a report layout, you can select which language the report will be written in.
If your preferred languages require modification, you can create your own report language
customization, which then becomes available for selection in the report layout.
Report language components include:
• a string file, also known as a language resource file, containing report text
• a format file specifying the language encoding, as well as file format specific settings
• a font file whose glyphs support your encoding’s character set
The font file is used to render graph titles and Y-axis labels in a font of your choice. Some
fonts, particularly for double-byte languages, do not support character rotation, which is
required by the Y-axis label. Compatible fonts must be a TrueType (.ttf) font, and must
support character rotation. Examples of known compatible fonts include Arial, AR PL
Mingti2L Big5, AR PL SungtiL GB, DFPHSGothic-W5, and Verdana.
The string file specifies pieces of text that may be used in various places throughout the
report. Each string line consists of a key followed by an equal symbol (=) and its value.
You can add comments to the string file by preceding them with a number symbol (#).
For example, in these lines:
# Printed in place of report when zero log messages matched report filter.
no_match=No matching log data for this report
the comment is:
# Printed in place of report when zero log messages matched report filter.
the key is no_match, and the string value for that key is No matching log data for
this report.
Keys are required and must not be removed or changed. Keys map a string to a location in
the report, and are the same in each language file. If you change or remove keys, the
FortiAnalyzer unit cannot associate your string with a location in the report, string file
validation will fail, and the string file upload will not succeed.
String values may be changed to customize report text. If your custom string values use a
different encoding or character set than the default language file, customize your format
file to reflect your new character set and/or encoding.
Comment lines are optional; you can add them throughout the file to provide notes on your
work.
The format file contains settings for the file format renderers, including encodings. The
format file contains sections that are preceded by an output type label, consisting of the
file format name followed by a colon character (:). Within each output type’s section, one
or more settings exist, consisting of a variable name followed by an equal symbol (=) and
its value, enclosed in double quote characters (""). You can add comments to the format
file by preceding them with a number symbol (#).
For example, in these lines:
# Localization uses a Latin character set.
html:
html_charset="iso-8859-1"
The comment is:
# Localization uses a Latin character set.
The output type label is html:, the variable name is html_charset, and the variable’s
value is iso-8859-1.
Variables are required and must not be removed or changed. If you change or remove
variables, the FortiAnalyzer unit may not be able to properly format your reports.
If your custom string values use a different encoding or character set than the default
language file, you must customize your format file to reflect your new character set and/or
encoding. If your string file requires double-byte encoding, also set doublebytes="1".
Otherwise, set doublebytes="0". The variable’s value must be in a pattern acceptable
by the output type. If variable value syntax is not correct, format file validation will fail, and
the format file upload will not succeed.
Supported encodings used by the string file and referenced in the format file include those
specified by the PDF, RTF, and HTML standards. For character set and encoding syntax
and other specifications, see:
• W3C HTML 4.01 Specification
• Adobe PDF Reference
• Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8
Comment lines are optional; you can add them throughout the file to provide notes on your
work.
If you require further format file customization, including adjustments to PDF objects,
contact Fortinet Technical Support.
Note: Both format and string files use Unix-style line endings (LF characters, not CR-LF).
To view the language list, go to Report > Config > Language.
Figure 76: Languages tab
Name of the GUI item
Description
Delete Font File
Remove the font file from the selected report language customization.
Download
Select Download Format File to download the file format settings.
Select Download String File to download the language resource.
Select Download Font File to download the custom font file. This option
does not appear for default languages and report language
customizations using a default font.
Language
The name of the report language customization.
Description
The description of the report language customization.
Font
If you uploaded a font file with your report language customization, the
name of the font.
This does not appear if the report language uses a default font.
To customize a default report language
1 Go to Report > Config > Language.
2 Mark the check box of the default language that you want to customize.
3 Go to Download > Download String File.
4 Open the string file using a plain text editor that supports Unix-style line endings and
the string file’s encoding, such as jEdit. Verify that the correct encoding has been
detected or selected.
5 Locate and edit text that you want to customize.
Do not change or remove keys. Modifiable text is located to the right of the equal
symbol (=) in each line.
6 Save the string file.
7 If you changed the encoding of the string file, go to Download > Download Format File
and open the format file using a plain text editor that supports Unix-style line endings,
such as jEdit, and edit the encoding and character set values for each file format. If you
have switched between a single-byte and a double-byte encoding, also set the
doublebytes value to true (1) or false (0).
For specifications on how to indicate encoding and character set, refer to each file
format’s specifications:
• W3C HTML 4.01 Specification
• Adobe PDF Reference
• Microsoft Word 2003 Rich Text Format (RTF) Specification, version 1.8
8 Save the format file.
To create a report language customization
1 Go to Report > Config > Language.
2 Click Create New to create a separate language option, or mark the check box for an
existing language then click Edit.
3 If you are creating a new report language, enter the language of the report.
The language name cannot contain spaces.
4 Enter a Description for the language.
5 For the Format File, click Browse and locate your customized format file.
6 For the String File, click Browse and locate your customized string file.
7 If you want to customize the font of report graph titles and Y-axis labels, for Font File,
click Browse and locate your font.
If your font is located in the system font folder, you may need to first copy the font from
the system font folder to another location, such as a temporary folder or your desktop,
to be able to select the font for upload.
Note: Some font licenses prohibit copying or simultaneous use on multiple hosts or by
multiple users. Verify your font’s license.
8 Click OK.
Time required to upload the language customization files varies by the size of the files
and the speed of your connection. If there are any errors with your files, correct the
errors, then repeat this procedure.
Table 6: Language file error messages
Error message: Specified format file contains invalid syntax.
Description: Your format or string file contains syntax errors. To locate the errors,
compare your customized file with a default language’s file. Refer to file format
specifications or view default files for valid syntax.
Error message: Specified language string file is missing one or more strings.
Description: Your string file is missing strings for one or more keys. To locate missing
strings, compare your customized string file with a default language’s string file.
Error message: Specified font file is not a standard TrueType font (*.ttf).
Description: Your font file is not a TrueType font. Only TrueType fonts are supported.
After successfully uploading and verifying, your custom language becomes available
as a report output language.
Note: The string file contains many keys, and each report type uses a subset of those keys.
If your language modification does not appear in your report, verify that you have modified
the string of a key used by that report type.
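The checks the FortiAnalyzer unit performs at upload (missing keys, bad syntax, non-TrueType font) can be run locally before step 8, so that a failed upload is not the first sign of a mistake. The following Python script is an added example, not Fortinet code; it applies only the rules stated above, its sample files are constructed, and two points it assumes are not stated by the guide: that a string value containing characters outside Latin-1 needs doublebytes="1", and that the doublebytes variable sits under an output type label.

```python
"""Offline pre-upload checks for FortiAnalyzer report language files (added example,
not Fortinet code). Rules from the guide: string files are key=value lines plus '#'
comment lines and must keep every default key; format files are 'type:' labels
followed by var="value" settings; both use LF line endings; fonts must be TrueType.
Assumed: a value with characters outside Latin-1 needs doublebytes="1", and the
doublebytes variable may sit under any output type label."""
import re

SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*):$")           # e.g.  html:
SETTING_RE = re.compile(r'^([A-Za-z][A-Za-z0-9_]*)="([^"]*)"$')  # e.g.  html_charset="iso-8859-1"


def _lines(text):
    """Yield (lineno, stripped line) for non-blank, non-comment lines; reject CR-LF."""
    if "\r" in text:
        raise ValueError("CR-LF line endings found; the file must use LF only")
    for lineno, line in enumerate(text.split("\n"), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield lineno, stripped


def parse_string_file(text):
    """Return {key: value} for a string file, or raise ValueError on bad syntax."""
    strings = {}
    for lineno, line in _lines(text):
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"string file line {lineno}: expected key=value")
        strings[key.strip()] = value
    return strings


def parse_format_file(text):
    """Return {output_type: {variable: value}}, or raise ValueError on bad syntax."""
    sections, current = {}, None
    for lineno, line in _lines(text):
        label = SECTION_RE.match(line)
        if label:
            current = sections.setdefault(label.group(1), {})
            continue
        setting = SETTING_RE.match(line)
        if setting is None or current is None:
            raise ValueError(f'format file line {lineno}: expected "type:" or var="value"')
        current[setting.group(1)] = setting.group(2)
    return sections


def is_truetype(font_bytes):
    """True if the data carries a TrueType sfnt header (0x00010000, or 'true' on Mac)."""
    return font_bytes[:4] in (b"\x00\x01\x00\x00", b"true")


def needs_doublebytes(strings):
    """Assumed heuristic: a character outside Latin-1 cannot fit a single-byte charset."""
    return any(ord(ch) > 0xFF for value in strings.values() for ch in value)


def validate(default_strings_text, custom_strings_text,
             default_format_text, custom_format_text, font_bytes=None):
    """Return a list of problems; an empty list means the files should upload cleanly."""
    try:
        default_strings = parse_string_file(default_strings_text)
        custom_strings = parse_string_file(custom_strings_text)
        default_fmt = parse_format_file(default_format_text)
        custom_fmt = parse_format_file(custom_format_text)
    except ValueError as exc:          # the "contains invalid syntax" upload error
        return [str(exc)]
    problems = []
    # Keys map strings to report locations; a missing key fails validation.
    for key in sorted(set(default_strings) - set(custom_strings)):
        problems.append(f"string file is missing key: {key}")
    # Variables are required too: every default section/variable must still exist.
    for section, settings in default_fmt.items():
        for var in settings:
            if var not in custom_fmt.get(section, {}):
                problems.append(f"format file is missing {section}: {var}")
    flags = {s.get("doublebytes") for s in custom_fmt.values()} - {None}
    if needs_doublebytes(custom_strings) and "1" not in flags:
        problems.append('strings need a double-byte encoding but doublebytes="1" is not set')
    if font_bytes is not None and not is_truetype(font_bytes):
        problems.append("font file is not a TrueType (*.ttf) font")
    return problems


# Constructed sample files (not real Fortinet language files).
DEFAULT_STRINGS = (
    "# Printed in place of report when zero log messages matched report filter.\n"
    "no_match=No matching log data for this report\n"
    "report_title=Report\n"
)
# Japanese no_match value; the report_title key was dropped by mistake.
CUSTOM_STRINGS = "no_match=\u30ed\u30b0\u306a\u3057\n"
DEFAULT_FORMAT = ('# Localization uses a Latin character set.\nhtml:\n'
                  'html_charset="iso-8859-1"\ndoublebytes="0"\n')
CUSTOM_FORMAT = 'html:\nhtml_charset="shift_jis"\ndoublebytes="0"\n'

if __name__ == "__main__":
    for problem in validate(DEFAULT_STRINGS, CUSTOM_STRINGS, DEFAULT_FORMAT, CUSTOM_FORMAT):
        print(problem)
```

Run against the constructed samples it reports the dropped key and the unset doublebytes flag; pass it the downloaded default files and your customized copies (and the font bytes) to check a real customization.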
Example reports (file system-based)
The following scenarios are examples of how to configure reports based on specific log
information from the proprietary indexed file storage system. These are examples that you
can use when configuring your own reports. Each scenario covers a specific type of
report, such as a FortiGate report or FortiMail report, and includes what types of logs you
need to have before a report is configured, as shown in the examples.
This topic contains the following:
• Example: FortiGate report
• Example: FortiClient report
• Example: FortiMail report
Example: FortiGate report
The IT manager suspects an individual is surfing the Internet during working hours and
has asked you to send a report on this web activity only. The IT manager wants you to
send it to him, your manager, and headquarters. The suspected IP address is
172.16.124.125.
The log types that are necessary to configure this type of report are traffic, DLP archive
and web filter logs.
Creating the report “Most web sites visited by an individual employee”
1 To configure the output template that will be used in the report, go to System >
Config > Remote Output, click Create New.
2 Configure as follows:
• In Name, enter Most_web_sites_visited_by_an_individual_employee.
• In Output Format, select PDF and then deselect the defaulted HTML.
• Select Send Report by Email.
• Select Compress Report Files to compress the report for attachment to the email
message.
• Enter your email address in From.
• Select the email server, server.example.com.
• For Recipient, enter the individual’s email address and then select Add; repeat for
the other email addresses (IT manager and headquarters).
• In the Subject field, enter Web activity for .125 computer user.
• In the Body field, enter the following:
For internal use only. The attachment is a report created to
explain allegations concerning computer user .125 using the
Internet during work hours.
• Select Upload Report to Server then enter the company’s FTP server information in
the fields.
• Select OK.
3 To configure the report layout that will be used in the report, go to Report > Config >
Layout, click Create New.
4 Configure as follows:
• In Name, enter Most_web_sites_visited_by_an_individual_employee.
• In the Description field, enter the following:
For an employee that may or may not be surfing the Internet
during working hours.
• In the Report Title field, enter Most visited web sites by an individual
employee.
• In the Header field, enter the company’s name.
• In the Title Page Logo field, select the Browse logo files icon to locate the
company’s title page logo.
• In the Header Logo field, select the Browse logo files icon to locate the company’s
header logo.
• Select Add Chart(s) and then select the following charts under Web Activity:
Web Volume by Time Period
Top Web Clients by Volume
Top Web Servers by Connection
Top Web Servers by Volume and Hits
Top Web Servers by Connections for Most Active Clients
• Select OK to include the charts in the layout.
• For the Web Volume by Time Period chart, select Edit and then from the Time Scale
list, select Hour of Day. Select OK.
• For the Web Clients by Volume chart, select Edit and then from the Source ID list,
select IP Address. Select OK.
• For the Top Web Servers by Connections for Most Active Clients, select Edit and
then from the Source ID list, select IP Address. Select OK.
• Select OK.
5 To configure the report data filter that will be used in the report, go to Report > Config >
Data Filter, click Create New.
6 Configure as follows:
• In Name, enter Most_web_sites_visited_by_an_individual_employee.
• In Sources, enter the IP address of the computer.
• In Day of Week, select the check boxes next to the days of the work week.
• Expand Web Category, and then select the check boxes beside:
Potentially Liable
Objectionable or Controversial
Potentially Non-productive
Potentially Bandwidth Consuming
Potentially Security Violating.
• In Priority, select the level Notification in Available Levels and then use the left arrow
to move it to Selected Levels.
• Select OK.
7 To configure the report schedule for generating the report, go to Report > Schedule >
Schedule, click Create New.
8 Configure as follows:
• In Name, enter Most_web_sites_visited_by_an_individual_employee.
• In Layout, select the report layout, Most visited web sites by an individual employee
from the list.
• In Schedule, select Once and then select the Calendar icon to configure today’s
date and time.
• Under Log Data Filtering, select the FortiGate-50B unit in the Device/Group list,
which logged the information needed to complete the report.
• Select the data filter from the Data Filter list.
• In Time Period, select Devices and then select Past Month from the Time Period
list.
• In Output, select the check box beside PDF and then select the check box beside
Email/Upload. In the Email/Upload list, select the output template.
• Select OK.
Example: FortiClient report
The IT department of your company wants to know exactly how many viruses were
detected by FortiClient installations on the company’s widely distributed computers. They
have asked you to send them a two-week report by email, showing the top 10 viruses that
were detected by the FortiClient installations.
The log types that are necessary to configure this type of report are traffic and antivirus.
Creating the report “Total viruses detected by FortiClient”
1 To configure the output template that will be used in the report, go to System >
Config > Remote Output, click Create New.
2 Configure as follows:
• In Name, enter Total_viruses_detected_by_FortiClient.
• In Output Format, select PDF and then deselect the defaulted HTML.
• Select Send Report by Email.
• Select Compress Report Files to compress the report for attachment to the email
message.
• Enter your email address in From.
• Select the email server, server.example.com.
• For Recipient, enter the IT department’s email address and then select Add.
• In the Subject field, enter the following:
Total viruses that were detected by our FortiClients within
the past two weeks.
• In the Body field, enter the following:
Attached please find the report, Total viruses detected by
FortiClient, which indicates how many viruses were found in
the previous two weeks.
• Select Upload Report to Server then enter the company’s FTP server information in
the fields.
• Select OK.
3 To configure the report layout that will be used in the report, go to Report > Config >
Layout, click Create New.
4 Configure as follows:
• In Name, enter Total_viruses_detected_by_FortiClient.
• In the Description field, enter the following:
A FortiClient report that looks at the total amount of viruses
which our company’s FortiClients are detecting.
• In the Report Title field, enter the following:
Total_viruses_over_a_two_week_period_by_FortiClient.
• In the Header field, enter the company’s name.
• In the Title Page Logo field, select the Browse logo files icon to locate the
company’s title page logo.
• In the Header Logo field, select the Browse logo files icon to locate the company’s
header logo.
• Select Add Chart(s).
• Select FortiClient in the Device Type list, and then select the plus sign beside
FortiClient Antivirus Activity to include all charts that are in that report group.
• Select OK.
• Select the Edit icon within the Top Viruses (from Antivirus log) chart to change the
default settings.
• In the edit chart window, select Graph Only from the Chart Output list so that only a
graph displays.
• Select Pie from the Chart Style list.
• Enter the number 5 in the Maximum Entries (TopN) field.
• Expand Advanced, and select the check boxes beside Resolve Host Names and
Resolve Service Names.
• Select OK.
• Select the Edit icon within the Top Files (from Antivirus Log) chart to change the
default settings.
• In the edit chart window, select Table Only from the Chart Output list so that only a
table displays.
• Select Line from the Chart Style list.
• In Maximum Entries (TopN), select the check box beside List All Results.
When you select the check box, a warning symbol appears beside Maximum
Entries (TopN) which, if you hover your mouse over the symbol, explains that if you
have a large number for this setting, the FortiAnalyzer unit’s performance may be
degraded.
• Expand Advanced, and select the check boxes beside Resolve Host Names and
Resolve Service Names.
• Select OK.
• Select Add Text.
• In the Message field, enter the following:
This report is based on the previous two weeks, July 20-31.
• Select OK.
• Drag Text Message to the top of the list of reports.
• Select OK.
5 To configure the report data filter that will be used in the report, go to Report > Config >
Data Filter, click Create New.
6 Configure as follows:
• In Name, enter Total_viruses_detected_by_FortiClient.
• In Sources, choose the alias, headquarters_A, from the Alias list.
• In Destinations, choose the alias, FortiClient_PCs, from the Alias list.
• In Day of Week, select the check boxes beside all the days of the work week.
• In Priority, select Information in the Available Levels and move it to the Selected
Levels list.
• Select OK.
7 To configure the report schedule for generating the report, go to Report > Schedule >
Schedule, click Create New.
8 Configure as follows:
• In Name, enter Total_viruses_detected_by_FortiClient.
• In Layout, select the report layout, Total viruses detected by FortiClient.
• In Schedule, select Once and then select the Calendar icon to configure today’s
date and time.
• In Log Data Filtering, select the configured data filter in the Data Filter list.
• In Time Period, select Selected Devices, select Past N Week from the Time Period
list, and then enter the number 2 in the field that appears.
• In Output, select the check box beside PDF, and then select the check box beside
Email/Upload.
• In the Email/Upload list, select the output template.
• Select OK.
Example: FortiMail report
The headquarters office requires a report showing how much spam email is getting
through. This report must be sent to the CEO, managing director, and IT manager. The
report must also be in XML format so that it can be uploaded to the company’s internal
web site.
The log type that is necessary to configure this type of report is email filter.
Creating the report “Total spam email detected by FortiMail”
1 To configure the output template that will be used in the report, go to System >
Config > Remote Output, click Create New.
2 Configure as follows:
• In Name, enter Total_spam_email_detected_by_FortiMail.
• In Output Format, select XML and then deselect the defaulted HTML.
• Select Send Report by Email.
• Select Compress Report Files to compress the report for attachment to the email
message.
• Enter your email address in From.
• Select the email server, server.example.com.
• Enter the CEO’s email address and then select Add; repeat for the other email
addresses.
• In the Subject field, enter the following:
Spam activity report for the month of July.
• In the Body field, enter the following:
For internal use only. The attachment is a report based on the
total amount of spam activity our company’s FortiMail unit
detected over the course of a month.
• Select Upload Report to Server then enter the company’s FTP server information in
the fields.
• Select OK.
3 To configure the report layout that will be used in the report, go to Report > Config >
Layout, click Create New.
4 Configure as follows:
• In Name, enter Total_spam_email_detected_by_FortiMail.
• In the Description field, enter the following:
This report is for finding out the total amount of spam email
messages that are being detected by the FortiMail and getting
through to the internal network.
• In the Report Title field, enter Total_spam_email_detected_in_June.
• In the Header field, enter the company’s name.
• In the Title page logo field, select the Browse logo files icon to locate the company’s
title page logo.
• In the Header Logo field, select the Browse logo files icon to locate the company’s
header logo.
• Select Add Chart(s).
• Select FortiMail in the Device Type list, and then select the plus sign beside Spam
Activity to include all charts under this group.
• Select OK to include the charts in the layout.
• Select the Edit icon for each chart and change the Time Scale setting to Hour of
Day.
• Select Add Section.
• In the Title field, enter Top Spam Activity.
• Drag the section to the top of the list of charts.
• Select OK.
5 To configure the report data filter that will be used in the report, go to Report > Config >
Data Filter, click Create New.
6 Configure as follows:
• In Name, enter Total_spam_email_detected_by_FortiMail.
• In Sources, enter the IP address range, 172.16.125.100/24.
• In Day of Week, select the check boxes for the days of the work week.
• In Priority, select Information in the Available Levels and move it to the Selected
Levels list.
• Select OK.
7 To configure the report schedule for generating the report, go to Report > Schedule >
Schedule, click Create New.
8 Configure as follows:
• In Name, enter Total_spam_email_detected_by_FortiMail.
• In Layout, select the report layout,
Total_spam_email_detected_by_FortiMail.
• In Schedule, select Weekly, and then select On Demand so that the report can be
run at any time.
• In Log Data Filtering, select the company’s FortiMail-400 unit in the Device/Group
list.
• In Log Data Filtering, select the data filter configured for the report in the Data Filter
list.
• In Time Period, select Devices and then select This Month from the Time Period list.
• In Output, select the check box beside XML and then select the check box beside
Email/Upload.
• In the Email/Upload list, select the output template.
• Click OK.
Configuring reports from logs in a SQL database
If you have selected SQL database for log storage in System > Config > SQL Database,
you must configure reports based on logs from a SQL database. For information on
selecting the storage method, see “Configuring SQL database storage” on page 83.
Note: You can only generate SQL database-based reports from the FortiGate log data.
Logs must be collected or uploaded before you can generate a report. Logs are the basis
of all FortiAnalyzer reports. After logs are collected or uploaded, you can then configure
reports based on the default or customized chart templates.
In most cases, the default chart templates are sufficient for report configuration. However,
you can create customized chart templates by configuring the data sets to get the exact
chart data you want. FortiAnalyzer data sets are a collection of the log files from the
devices monitored by the FortiAnalyzer unit. Reports are generated based on the data
sets. For more information, see “Configuring data sets” on page 199 and “Configuring
report chart templates” on page 195.
A report for logs from the SQL database has three basic components:
• report chart template (the report template and the data set)
• graphics (optional component)
• report schedule (log data parameters and time range)
You need to configure a chart template before configuring a report, because the report
requires a chart template. You also need to configure remote report output (see
“Configuring report output templates” on page 89) if you want to upload completed report
files to a server accepting FTP, SFTP, or SCP when configuring a report. The report chart
templates can be applied to any reports.
Configuring report chart templates
The FortiAnalyzer unit provides default report chart templates for each report category.
You can create customized report chart templates using your own data set configuration.
For information on data set configuration, see “Configuring data sets” on page 199.
Go to Report > Chart > Template to view the list of both default and customized report
chart templates.
Figure 77: Report template list
Name of the GUI item
Description
Clone
Create a duplicate of a report chart template to use as a basis for
creating a new one.
The cloned template shares the same name plus “Copy_<sequentialnumber>” at the end.
Favorite
Click the arrow beside Favorite:
• click Add to Favorite to add one or more selected report chart
templates to your favorite list.
The star icon (Toggle Favorite State) turns orange.
• click Remove from Favorite to remove one or more selected report
chart templates from your favorite list.
The star icon (Toggle Favorite State) turns grey.
The favorite templates can be used to generate reports for quick and
easy access. For more information, see “Adding report dashboards
and widgets” on page 205.
Toggle Favorite State
A grey star means that this report chart template is not in the favorite
list. An orange star means that this report chart template is in the
favorite list.
Selecting the star toggles between adding a template into the favorite
list or removing a template from the favorite list.
Output Capacity
The format of the report, tabular, graphical, or both.
Name
The name of the report chart template. The name of a default template
is composed of the report category and the name of the data set.
Category
The category for this chart template such as Antivirus or Traffic.
Title
The description about the chart. For example, if the name of the chart
is “vpn-ipsec-usr-dur”, the title can be “Top VPN IPsec User by
Duration”.
Data Set
The name of the data set used in this chart template.
To create a report chart template
1 Go to Report > Chart > Template.
2 Click Create New.
3 Configure the following, then click OK.
Name of the GUI item
Description
Name
Enter the name for the report chart template.
Description
Enter any comments or notes about the chart template.
Category
Select the log category for this chart template.
Data Set
Select the data set for the selected category. For example, data set names
for the AntiVirus category start with “av”.
FortiAnalyzer data sets are a collection of the log files from the devices
monitored by the FortiAnalyzer unit. Reports are generated based on the
data sets. For information about data set configuration, see “Configuring
data sets” on page 199.
Depending on the selection of data set, values in the Field Output and Data
Bindings fields vary.
Field Output
Depending on the selection of data set, the values of this option vary. These
values are used for marking the report graphs, such as X or Y axis in a bar
graph, or column or row title in a table.
Resolve Host Name
Enable this option to display the device’s host name from an IP alias or
reverse DNS lookup, rather than an IP address. For more information about
configuring IP aliases, see “Configuring IP aliases” on page 102.
Favorite
Enable to add this chart template to the favorite list. See “Favorite” on
page 196.
Data Bindings
Depending on your selection in the Graph Type field, the values in this
section vary.
If Graph Type = Bar
X-Axis
Data Binding: Select a value for the X-Axis of the bar graph. The values in
this field change depending on your selection of the data set.
Only Show First n Items: Select the check box and enter a number to
show the top ranked log information, such as top number of viruses, in the
report chart. The default is 6. The rest of the log information will be marked
as “Others” in the chart.
Overwrite Label: Mark the check box to modify the default value for the X-Axis, if required.
Y-Axis
Data Binding: Select a value for the Y-Axis of the bar graph. The values in
this field change depending on your selection of the data set.
Overwrite Label: Mark the check box to modify the default value for the Y-Axis, if required.
Group By: Mark the check box to group the log information according to the
data set field output. This option appears only when a data set’s field output
contains more than 3 fields.
Only Show First n Items: Select the check box and enter a number to
show the top ranked log information, such as top number of viruses, in the
report chart. The default is 3. The rest of the log information will be marked
as “Others” in the chart. This option appears only when a data set’s field
output contains more than 3 fields.
If Graph Type = Pie
Data Binding
Select a value to show the size of each segment of log information in the pie
chart. The values in this field change depending on your selection of the
data set.
For example, in a pie chart called Top Services by Volume, one of the top
services is SMTP and its percentage in the pie is 8.81. This percentage is
generated by the selection in this field.
Enable Only Show First n Items (Bundle rest into "Others") and enter a
number to show the top ranked log information, such as top number of
viruses, in the report chart. The default is 6. The rest of the log information
will be marked as “Others” in the chart.
Label Binding
Select a value to label each segment of log information in the pie chart. The
values in this field change depending on your selection of the data set.
For example, in a pie chart called Top Services by Volume, one of the top
services is labeled as SMTP. This label is generated by the selection in this
field.
If Graph Type = Table
Display Data In
Select Ranked to show the log information in ranked format, such as top x,
or top y of top x, in the table.
Select Raw to show the log information as an audit report which displays the
results only, such as all blocked sites and all sites visited.
Add Column
Select to add a column to the table. This option only appears after you
select the Remove the column icon.
The data display in the table will be in raw format after selecting the Remove
the column icon.
Field Output
Select a value to show the column title for the log information in the table.
The values in these fields change depending on your selection of the data
set.
Overwrite Header
Mark the check box to modify the Field Output value, if required.
Only Show First n Items
Mark the check box and enter a number to show the top ranked log
information, such as top number of viruses, in the table. The default is 3.
The rest of the log information will be marked as “Others” in the table.
This option is only available if you select to display data in ranked format.
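As an added example, not code from the FortiAnalyzer guide or product, the following Python models the chart data bindings described above: rows returned by a data set are summed per label (the Group By behaviour), ranked by the data binding, the first n items are kept and the remainder is bundled into “Others”, and for a pie chart each segment’s percentage is computed the way the Top Services by Volume example shows SMTP at 8.81. The sample rows and the column names “service” and “bytes” are constructed stand-ins for a data set’s label and data bindings.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample rows, shaped like the output of a "Top Services by Volume"
# data set: one row per (service, traffic bytes). HTTP appears twice so the
# Group By aggregation is exercised; the totals add up to 10000 bytes.
SAMPLE_ROWS: List[Dict[str, object]] = [
    {"service": "HTTP", "bytes": 3000},
    {"service": "HTTPS", "bytes": 2500},
    {"service": "HTTP", "bytes": 2000},
    {"service": "SMTP", "bytes": 881},
    {"service": "DNS", "bytes": 800},
    {"service": "SSH", "bytes": 400},
    {"service": "FTP", "bytes": 200},
    {"service": "IMAP", "bytes": 100},
    {"service": "POP3", "bytes": 60},
    {"service": "NTP", "bytes": 40},
    {"service": "SNMP", "bytes": 19},
]


def group_by_label(rows: List[Dict[str, object]],
                   label_binding: str, data_binding: str) -> Dict[str, int]:
    """Sum the data binding for every distinct label (the Group By option)."""
    totals: Dict[str, int] = defaultdict(int)
    for row in rows:
        totals[str(row[label_binding])] += int(row[data_binding])  # type: ignore[arg-type]
    return dict(totals)


def top_n_with_others(rows: List[Dict[str, object]], label_binding: str,
                      data_binding: str, n: Optional[int] = 6,
                      others_label: str = "Others") -> List[Tuple[str, int]]:
    """Rank labels by value (ties broken by label), keep the first n items and
    bundle the rest into one "Others" entry.

    n=None models the "Only Show First n Items" check box being cleared: every
    label is returned, ranked. The guide's defaults are 6 for the bar X-axis and
    the pie chart, and 3 for the grouped Y-axis; the caller passes the value.
    """
    if n is not None and n < 1:
        raise ValueError("n must be a positive number of items")
    totals = group_by_label(rows, label_binding, data_binding)
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    if n is None or len(ranked) <= n:
        return ranked  # nothing left over, so no "Others" bucket is drawn
    kept = ranked[:n]
    rest = sum(value for _, value in ranked[n:])
    kept.append((others_label, rest))
    return kept


def pie_segments(rows: List[Dict[str, object]], label_binding: str,
                 data_binding: str, n: Optional[int] = 6) -> List[Tuple[str, int, float]]:
    """Return (label, value, percentage) per pie segment.

    Percentages are taken over the whole data set, so the "Others" segment keeps
    the chart summing to 100 rather than dropping the bundled traffic.
    """
    segments = top_n_with_others(rows, label_binding, data_binding, n)
    total = sum(value for _, value in segments)
    if total == 0:  # empty or all-zero data set: avoid a division by zero
        return [(label, value, 0.0) for label, value in segments]
    return [(label, value, round(100.0 * value / total, 2))
            for label, value in segments]


if __name__ == "__main__":
    for label, value, pct in pie_segments(SAMPLE_ROWS, "service", "bytes", n=6):
        print(f"{label:8} {value:6d} bytes  {pct:6.2f}%")
```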
Configuring data sets
FortiAnalyzer data sets are the collection of log files from the devices monitored by the
FortiAnalyzer unit. Reports are generated based on the data sets.
The FortiAnalyzer unit provides default data sets for each log category. You can modify the
existing data sets by editing the query statements or create new data sets by writing your
own SQL queries.
To view the data set list, go to Report > Chart > Data Set.
Figure 78: Data set list
Name of the GUI item
Description
Name
The name of the data set.
Log Type
The type of logs in the data set.
To create a data set
1 Go to Report > Chart > Data Set.
2 Click Create New.
3 Configure the following, then click OK.
Name of the GUI item
Description
Name
Enter the name for the data set.
Log Type ($log)
Enter the type of logs to be used for the data set.
$log is used in the SQL query to represent the log type you select.
Time Period ($time)
Select to use logs from a time frame, or select Specified and define a custom
time frame by selecting the Begin Time and End Time.
Past N Hours/Days/Weeks
If you selected Past N Hours/Days/Weeks for Time Period, enter the number.
Begin Time
Enter the date (or use the calendar icon) and time of the beginning of the
custom time range.
This option appears only when you select Specified in the Time Period ($time)
field.
End Time
Enter the date (or use the calendar icon) and time of the end of the custom time
range.
This option appears only when you select Specified in the Time Period ($time)
field.
SQL Query
Enter the SQL query syntax to retrieve the log data you want from the SQL
database. For details about how to write the SQL statement, see “Appendix D:
Querying FortiAnalyzer SQL log databases” on page 311.
Test
Click to test whether or not the SQL query is successful. See “To test a SQL
query” on page 200.
To test a SQL query
1 Follow the procedures in “To create a data set” on page 199.
2 After entering the SQL query, click Test.
3 Configure the following, then click Close.
Name of the GUI item
Description
Device
Select a FortiGate unit, FortiMail unit, or FortiClient installation to apply the SQL
query.
VDom
If you want to apply the SQL query to a FortiGate VDOM, enter the name of the
VDOM.
Time Period
Select to query the logs from a time frame, or select Specified and define a
custom time frame by selecting the Begin Time and End Time.
Past N Hours/Days/Weeks
If you selected Past N Hours/Days/Weeks for Time Period, enter the number.
Begin Time
Enter the date (or use the calendar icon) and time of the beginning of the
custom time range.
This option appears only when you select Specified in the Time Period ($time)
field.
End Time
Enter the date (or use the calendar icon) and time of the end of the custom time
range.
This option appears only when you select Specified in the Time Period ($time)
field.
SQL Query
If necessary, modify the SQL query to retrieve the log data you want from the
SQL database.
Run
Click to execute the SQL query.
The results display. If the query is not successful, check the SQL query you
entered and make sure that the SQL database is working properly on the
FortiAnalyzer unit.
Clear
Select to remove the displayed query results.
Save Options
Select to save the SQL query console configuration to the data set
configuration.
The Device and VDOM configurations are not used by the data set
configuration.
Close
Click to return to the data set configuration page.
Uploading graphics for reports
You can upload graphics, for example, the corporate logo, that can be added to the
reports.
To view and configure the list of graphics, go to Report > Config > Graphic.
Figure 79: Graphic list
Name of the GUI item
Description
Upload
Click to import a graphic.
On the Import Graphic page, click Browse to locate the graphic you
want to upload and click OK.
Graphic Name
The name of the uploaded graphic.
Thumbnail
The reduced-size version of the uploaded graphic.
Configuring report profiles
Caution: When a report has both an output template and file formats selected in
Output Format, only the file formats that are enabled in both the output template
and the report’s output formats are sent by email. For example, if PDF and Text
formats are selected in the output template, and PDF and MHT are selected in the
report, the report’s file format in the email attachment is PDF.
Reports are configured after you have configured report chart templates and, optionally,
graphics. If you do not have a report chart template, you cannot configure a report.
A report can be scheduled to generate daily or weekly at a specified time.
To view the report list, go to Report > Config > Report.
Figure 80: Report list
Name of the GUI item
Description
Clone
Click to create a duplicate of a report to use as a basis for creating a
new report.
Run
Run a report immediately, instead of waiting for the scheduled time.
Name
The name given to the report when configuring the report.
Title
The title name for the report, for example, Report_1.
Description
Comments on this report.
Number of Charts
The number of report chart templates added to the report.
To configure a report
1 Go to Report > Config > Report.
2 Click Create New.
3 Configure the following, then click OK.
Name of the GUI item
Description
Name
Enter a name for the report. This name is for the FortiAnalyzer unit to
record the report in its report list.
Title
Enter a title name for the report, for example, Report_1.
Sub Title
Enter a sub title name for the report, for example, Report_1_AV.
Description
Enter a description for the report. This is optional.
Options
Select Display Table of Contents if you want a table of contents for the
report.
Schedule
Select one of the following to have the report generated immediately,
daily, or weekly at a specified date or time period.
Daily
Select to generate the report every day at the same time. Enter the
hour and minute time period for the report. The format is hh:mm.
Weekly
Select to generate the report on specified days of the week. Select the
day of the week and the hour on that day.
Generate Now
Click to generate the report immediately.
Output Format
Select the type of file format you want the generated report to be. You
can choose from HTML (default), PDF, MS Word, Text, MHT, and
XML.
Note: Only those file formats that are enabled in both remote output
template (see “Configuring report output templates” on page 89) and
the report configuration are sent by email. For example, if PDF and
Text formats are selected in the output template, and then PDF and
MHT are selected in the report schedule, the report’s file format in the
email attachment is PDF.
Email/Upload
Mark the check box if you want to apply a report output template from
the drop-down list. For more information on configuring report output,
see “Configuring report output templates” on page 89.
Report content
Header
Enter a header for the report and select to use normal text or graphic
for the header.
If you select Graphic, click Browse to find and add a graphic you have
imported. For more information, see “Uploading graphics for reports”
on page 201.
Click Add to add a header and Delete to remove a header.
Footer
Enter a footer for the report.
Click Add to add a footer and Delete to remove a footer.
Components
Click Add to add the components for the report. For more information,
see “To add a report component” on page 204.
Type
The type of report component. This information appears after you
have added a report component.
Component
The name of the report component. This information appears after you
have added a report component.
Action
Click Edit to modify a component (see “To add a report component” on
page 204) or Delete to remove a component. This information
appears after you have added a report component.
To add a report component
1 Go to Report > Config > Report.
2 Click Create New.
3 In the Components section, click Add.
The Report Component Chooser page opens.
You can only add one type of component each time.
4 Finish adding the report components, then click Add.
Name of the GUI item
Description
Search
Enter one or more (possibly partial) key words to search the components for this report.
If you search before selecting a component type, all types of components
containing the key word appear.
If you search after selecting a component type, all components containing the
key word of the selected type appear.
Text
Select to add a heading or text to a report that keeps charts separate from each
other.
If you select a heading, enter the heading content in the Heading field.
If you select Normal Text, enter the content in the Text field.
Charts
Select to add default or user-defined chart templates to your report.
Select the category for the chart template and then select one or more charts
that display. To select more than one chart, press Ctrl and then select.
Title: If you select one chart template and want to rename it, enter the new
name.
• Device: Select a device to apply the chart template. The report’s log
information for the selected chart template(s) will come from the selected
device. For example, if you selected All FortiGates, the log information used
for the chart template(s) is logs from all FortiGate units.
• VDOM: If you select a device other than All FortiGates and want to apply
the chart template to one of its VDOMs, enter the name of the VDOM.
Graphics
Select to add an uploaded graphic to the report.
Misc
Select to add page break to the report.
Adding report dashboards and widgets
You can create report dashboards and widgets for quick and easy access to the reports.
Using the pre-defined or customized report chart templates, these reports are generated
instantly. Up to three dashboards can be added.
To create a report dashboard and add its widgets
1 Go to Report > Access.
2 Click the name of an existing dashboard except Scheduled Report.
3 Click Dashboard, then select Add Dashboard. Enter the name for the dashboard and
click OK.
4 Select the name of the new dashboard and click Widget to add report components to
the dashboard. For details, see “To add a report component” on page 204.
5 Click Add.
Example reports (SQL-based)
The following scenario is an example of how to configure reports based on specific
FortiGate log information from the SQL database.
Note: You can only generate SQL database-based reports from FortiGate log data.
This topic contains the following:
• Example: FortiGate report
Example: FortiGate report
The management of your company wants to know the top web surfers during working
hours and has asked you to send a report on this information. You are asked to send the
report to the headquarters.
Creating the report Top_web_surfers
1 To configure the output template that will be used in the report, go to System >
Config > Remote Output, click Create New.
2 Configure as follows:
• In Name, enter Top_web_surfers.
• In Output Format, select PDF and then deselect the default, HTML.
• Select Send Report by Email.
• Select Compress Report Files to compress the report for attachment to the email
message.
• Enter your email address in From.
• Select the email server, server.example.com.
• For Recipient, enter the email address provided by the headquarters and then
select Add.
• In the Subject field, enter Web activity within past 24 hours.
• In the Body field, enter the following:
For internal use only. The attachment is a report on the top
Internet users within the past 24 hours.
• Select Upload Report to Server then enter the company’s FTP server information in
the fields.
• Select OK.
3 To configure the report chart template that will be used in the report, go to Report >
Chart > Template, click Create New.
4 Configure as follows:
• In Name, enter Top_web_surfers.
• In the Description field, enter the following:
Employees that surfed the Internet in the past 24 hours.
• In the Category field, select Application Control.
• In the Data Set field, select the default data set appctrl-top-web-users-last24hours.
You can also create a data set. See “To create a data set” on page 199.
• In the Graph Type field, select Bar.
• Select Resolve Host Name.
• In the X-Axis Data Binding field, select Field(1)(f_user).
• Enter the number 10 for Only show First n Items.
• Select Overwrite Label and enter Top Users.
• In the Y-Axis Data Binding field, select Field(2)(totalnum).
• Select Overwrite Label and enter Past 24 Hours.
• Select OK.
5 To configure the report, go to Report > Config > Report, click Create New.
6 Configure as follows:
• In Name, enter Top_web_surfers.
• In Title, enter Top Web Surfers in the Past 24 Hours.
• In Schedule, select Daily and then enter the hour to generate the report.
• In Output Format, select PDF.
• Select the check box beside Email/Upload. In the Email/Upload list, select the
output template.
• In Component, select Add.
On the Report Component Chooser page, select Charts > Application Control, and
then select the chart template top_web_users.
• In the Device field, select the FortiGate-50B which logged the information needed to
complete the report.
• Select Add.
• On the New Report page, select OK.
Browsing reports
After reports are generated by the FortiAnalyzer unit using log data from either a SQL
database or proprietary indexed file storage system, you can view them in Report >
Access > Scheduled Report. This page displays all generated reports, including
generated scheduled reports.
Figure 81: Viewing reports
Name of the GUI item
Description
Delete
Select to remove selected reports.
Rename
Select to rename a selected report.
Refresh
Select to refresh the list. If the FortiAnalyzer unit is in the process of
generating a report, use Refresh to update the status of the report generation.
Device Type
Select the device type for which you want to see the reports. For example, if
you select FortiGate, all reports for FortiGate units appear.
Report Files
Select the report name to view the entire report in HTML format.
Select the Expand Arrow to view the individual reports in HTML format.
Device Type
The type of device that was selected for collecting logs from.
Started
The date and time when the FortiAnalyzer unit generated the report.
Finished
The date and time when the FortiAnalyzer unit completed the report. If the
FortiAnalyzer unit is in the process of generating a report, a progress bar will
appear in this column. If the FortiAnalyzer unit has not yet started generating
the report, which can occur when another report is not yet finished, Pending
appears in this column.
Size (bytes)
The file size of the report’s HTML format output, if any.
The size does not reflect other output formats that may be present, such as
PDF.
Other Formats
Select a file format, if any, to view the generated report in that format.
In addition to HTML, if any, the generated reports may also be available in
PDF, RTF, XML/XSL, and ASCII text formats, depending on the output
configuration. For more information about setting output options, see
“Configuring report output templates” on page 89.
Current Page
By default, the first page of the list of items is displayed. The total number of
pages displays after the current page number. For example, if 2/10 appears,
you are currently viewing page 2 of 10 pages.
To view pages, select the left and right arrows to display the first, previous,
next, or last page.
To view a specific page, enter the page number in the field and then press
Enter.
Vulnerability Management
The Vulnerability Management menu configures vulnerability scans and their resulting
reports.
New vulnerabilities appear in any organization's network due to problems such as flaws in
software or faulty application configuration. The vulnerability management feature can
determine whether your organization’s computers are vulnerable to attacks. With this
feature, you can define your host assets or discover hosts in the network, configure
vulnerability management scans, generate reports, and interpret the results.
FortiAnalyzer units come with a default database of more than 2,500 vulnerabilities. For
FortiGuard Vulnerability Management Service subscribers, this database can be
periodically updated via the FortiGuard Distribution Network (FDN) to receive definitions of
the most recently discovered vulnerabilities. For details, see “Scheduling & uploading
vulnerability management updates” on page 114.
The vulnerability scan is suitable for scanning many types of hosts, including those
running Microsoft Windows or Unix variants such as Linux and Apple Mac OS X, as well
as a variety of applications and services/daemons.
The workflow of a vulnerability scan is as follows:
• Parsing scan settings
• Detecting live hosts
• Scanning ports, if required
• Performing the service scan
• Performing the vulnerability scan with the specified FIDs
• Scanning the OS, if required
This topic includes:
• How to use vulnerability management
• Configuring host assets
• Discovering network host assets
• Configuring vulnerability scans
• Viewing host vulnerability statuses
• Viewing the vulnerability database
• Configuring compliance report templates
• Viewing compliance reports
How to use vulnerability management
To configure a vulnerability management scan, follow these general steps:
1 Define which host assets you want to scan, then group them. You can do this
either manually or automatically, by discovering hosts through a network map scan.
For details, see “Configuring host assets” on page 212 or “Discovering network host
assets” on page 215.
2 Group host assets. For more information, see “Configuring host assets” on page 212.
3 Add sensors to define which vulnerabilities you want to discover. For more information,
see “Configuring vulnerability sensors” on page 221.
4 Configure scan profiles to specify the port numbers, sensors, and other options to be
used for scanning host vulnerabilities. For more information, see “Configuring
vulnerability scan profiles” on page 227.
5 Schedule network vulnerability scans. For more information, see “Scheduling
vulnerability scans” on page 229.
When vulnerability scans are completed, the following reports are generated:
• Summary report: Identifies overall network host vulnerabilities discovered by all scans
(see “Viewing host vulnerability statuses” on page 235)
• Scan report: Identifies network host vulnerabilities discovered by a specific scan (see
“Viewing vulnerability scan reports” on page 231)
• Compliance report: Reports on hosts’ compliance with the PCI data security standard
(see “Viewing compliance reports” on page 241)
Configuring host assets
Vulnerability Management > Asset > Host displays the list of known host assets.
Before the FortiAnalyzer unit can scan your hosts for vulnerabilities, you must define your
host assets, and group them into asset groups. You can either add hosts to this list
manually, or, alternatively, discover them through a network map scan. For details, see
“Discovering network host assets” on page 215 and “Grouping host assets” on page 214.
Figure 82: Host asset list
Name of the GUI item
Description
Name
The host name.
IP/Range
The IP address of the host, or the IP address range of the hosts.
Authentication
The green symbol indicates authentication credentials have been
entered for this host. They can be Windows, UNIX, or SNMP.
The authentication credentials are used by the FortiAnalyzer unit to
access the hosts for vulnerability scan.
Location
The location of the host. This is an optional information-only field.
Function
The function of the host. This is an optional information-only field.
Number of Vulnerabilities
The number of vulnerabilities found on this host.
To add a host asset
1 Go to Vulnerability Management > Asset > Host.
2 Click Create New.
3 Enter the appropriate information and click OK.
Name of the GUI item
Description
Name
The name of the host. Names cannot contain spaces.
Type
Select Host for a single host, or IP Range for multiple hosts in a
contiguous IP address range.
IP Address
If you set Type to Host, enter the host IP address.
If you set Type to IP Range, enter the first and last IP addresses of the
range. All the hosts within the range will be included in the host asset.
Location
An optional field containing the location of the host.
Function
An optional field containing the function of the host.
Asset Tag
An optional field containing the tag of the host.
Comments
An optional field containing a comment relevant to the host.
Authentication
Enter the authentication credentials for the host(s). The authentication
credentials are used by the FortiAnalyzer unit to access the hosts for
vulnerability scan.
If you selected IP Range in the Type field and entered the host IP
addresses in the range, you can enter authentication credentials for
the hosts only if they all share the same credentials. Otherwise, enter
the credentials on a host-by-host basis by selecting Host for Type and
entering the IP address of the host.
Windows
For Windows authentication, select whether the host uses domain
authentication or local authentication, and enter the user name and
password. Domain authentication requires the domain name as well.
UNIX
For UNIX authentication, enter the user name, password, and the
PEM-encoded private RSA and DSA keys in text format. You may also
give the FortiAnalyzer unit superuser privileges by selecting
Enable Sudo.
SNMP
Enter the required community strings.
The SNMP community string specifies the relationship between an
SNMP server system and the client systems. This string acts like a
password to control the clients' access to the server.
Grouping host assets
Vulnerability Management > Asset > Group displays the list of groups of host assets.
Before hosts can be scanned, they must be grouped. These groups are then selected
within network map configurations and scan schedules. Grouping hosts eliminates the
need to select every host in each scan profile. When your groups have been created,
simply select the required group in the scan profile. Hosts can be included in multiple
groups.
Figure 83: Group list
Name of the GUI item
Description
Name
The group name.
Host
The hosts in the group.
Business Impact
A rating indicating the relative importance of the hosts in the group.
Number of Vulnerabilities
The number of vulnerabilities found on the hosts of this group.
To add a group
1 Go to Vulnerability Management > Asset > Group.
2 Click Create New.
3 Enter the appropriate information and click OK.
Name of the GUI item
Description
Name
The group name.
Host
Select the available host assets and select the include icon to add
them to the asset group.
Business Impact
A rating indicating the relative importance of the hosts in the group.
Comments
An optional comment describing the group.
Discovering network host assets
Vulnerability Management > Network Map > Config displays the list of network map
profiles, which are used to discover host assets by scanning the network.
Through network mapping, the FortiAnalyzer unit lists all the hosts it is able to discover on
the local network segment in a report. The discovered hosts can be imported into an asset
group to ensure that they are covered by the vulnerability scans.
You can create multiple network map configurations to scan and discover the live hosts on
your network. The configurations can have different scan targets such as asset groups,
domains, or IP address ranges. Network map reports are generated based on these
configurations.
Depending on the scan targets you select, the network map process runs in two ways:
• If you have selected an asset group or entered an IP range, the FortiAnalyzer unit will
attempt to detect the live hosts directly within the asset group or IP range. The host
numbers may vary at different times because not all hosts may be reachable at all
times.
• If you have entered a domain name, the FortiAnalyzer unit will attempt to find the hosts
under the domain by identifying the authoritative name server for the domain, and
sending a request to list all the hosts under the domain managed by the name server.
However, this request is not always permitted and may be forbidden by the Name
Server administrator. If this is the case, the FortiAnalyzer unit will use brute force to
query the name server to find out the IP address assigned to each FQDN. The
FortiAnalyzer unit uses a proprietary list of roughly 100 common names, such as www
or ftp, to form a list of FQDNs. Once it finds the IP address for the target domain, it
will access the domain to discover its hosts.
The FortiAnalyzer unit uses the following host discovery methods:
• ICMP
• TCP ports
• UDP ports
• DNS
• Reverse DNS
• DNS zone transfer
• TCP RST
• Traceroute
• Other protocol or ICMP
• Other TCP ports
Figure 84: Network map profile list
Name of the GUI item
Description
Run
Select to run a network map scan immediately. This may take a while
depending on the targets selected, number of hosts in the network,
and network speed.
Cancel
Select to stop running a network map scan.
Name
The network map configuration name.
Target
The asset group, domain, or IP address range on which the network
map scan will be run.
Scan Ports
The host ports to be checked by the network map scan. Select TCP,
UDP, or TCP & UDP.
Schedule
If the network map scan is configured to run on a repeating schedule,
the frequency will be listed here. For example, “Daily at 16:00.”
Effective Period
The first time a repeating schedule occurs will be listed here. For
example, “From 2009-02-12.”
To create a network map configuration
1 Go to Vulnerability Management > Network Map > Config.
2 Click Create New.
3 Enter the appropriate information and click OK.
Name of the GUI item
Description
Name
The name of the network map configuration.
Target
This section defines what part of your network will be examined by the
network map scan.
Scan Ports
The host ports to be checked. Select TCP, UDP, or TCP & UDP.
Asset Group
The asset group on which the network map scan will be run.
Maintain Asset Group
Select to have the network map scan automatically update the
selected asset group if new hosts are discovered through domain or
IP address range scan. No hosts will be removed even if they are
unreachable. A domain or IP range must be entered if this option is
selected.
Domain
Enter a domain name in which the scan will be executed.
IP Range
Enter an IP range in which the scan will be executed. The IP range
must be within the same subnet.
Schedule
Network map reports can be generated automatically at regular
intervals, or on demand.
Run Now
Select to specify an on-demand report. A report will be generated
when the profile is saved, and when the Run Now icon is selected. No
scheduled reports will be generated.
Run Later
Select to have reports generated at regular intervals.
Daily/Weekly/Monthly
Select Daily, Weekly, or Monthly to have a report automatically
generated at the specified interval.
Start Date
Specify the date the first scheduled report is generated. From then on,
it will be generated at daily, weekly, or monthly intervals.
Time
Specify the time of day the scheduled report will be generated.
Output Option
File output
Select the formats in which the network map report will be generated.
HTML is the default format. Any or all other available formats may be
selected.
Email/Upload
To have the report delivered to an email address or FTP server, select
an existing report output template or create a new one. For more
information, see “Configuring report output templates” on page 89.
Viewing network map reports
Vulnerability Management > Network Map > Report displays the list of network map
reports generated by the FortiAnalyzer unit.
Network map reports are generated by network map scans. For details, see “Discovering
network host assets” on page 215.
Figure 85: Network map reports
Name of the GUI item
Description
Rename
Select to rename a selected report.
Import
Select to import the hosts discovered by the network map scan into an
asset group to ensure that they are covered by the vulnerability scans.
The hosts you select can be added to an existing asset group or a new
group.
The host import page lists the following information on each host
discovered:
• IP Address: The IP address of the host.
• DNS Hostname: The hostname indicated when querying the DNS
server.
• NetBIOS Hostname: The NetBIOS name of the host, if any.
• OS: The operating system running on the host.
Note that the network map scan may discover more hosts than those
specified in a target asset group because the scan can discover hosts
via a specified domain. For more information, see “Discovering
network host assets” on page 215.
Name
The name of the report. The name is made up of the map
configuration and the date and time the report was generated. Select
the name to view the HTML version of the report. The Map Report
Summary table lists the configuration profile options of the network
map scan. See “To view a report” on page 219.
Started
The date and time the report generation was started.
Finished
The date and time the report generation was completed. Based on the
Started and Finished times, you can calculate how long the
FortiAnalyzer unit took to generate the report.
Size (bytes)
The size, in bytes, of the HTML report.
Formats
The formats in which the report was generated. HTML is the default
format and any others are listed here.
Current page
By default, the first page of reports is displayed. The total number of
pages appears after the current page number. For example, if 2 of 10
appears, you are currently viewing page 2 of 10 pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
To view a report
1 Go to Vulnerability Management > Network Map > Report.
2 Click a report name.
Name of the GUI item
Description
Map Report Summary
Date
The date and time the network map report was generated.
Asset Group
The asset group on which the network map scan was run.
Domain
The domain in which the scan was executed.
IP Range
The IP range in which the scan was executed.
Total Hosts Found
The number of hosts found during the scan on the targets.
Scan Started
The starting date and time of the scan.
Scan Ended
The ending date and time of the scan.
VM Engine Version
The Vulnerability Management engine version number and date of last update.
This is updated via the FortiGuard distribution network if you are a FortiGuard
Vulnerability Management Service subscriber.
VM Plugin Version
The Vulnerability Management module version number and date of last update.
This is updated via the FortiGuard distribution network if you are a FortiGuard
Vulnerability Management Service subscriber.
(TCP or UDP) Ports
The host port(s) configured to be checked.
Live Host Sweep
The status of netblock live host discovery. Live host sweep discovers live hosts
in the IP address range specified.
This option is enabled and disabled through the CLI command. For more
information, see the command config vm in the FortiAnalyzer CLI Reference.
By default, this option is enabled. If you disable it, the FortiAnalyzer unit will
treat all hosts in the IP range as alive, even if some are not accessible.
Exclude Hosts Discovered Only By DNS
If this option is On, the network map scan will exclude hosts that were
discovered only by querying the DNS server.
This option is enabled and disabled through the CLI. For more information, see
the command config vm in the FortiAnalyzer CLI Reference.
By default, this option is disabled.
Scan target
Under each scan target (asset group, domain, or IP range) specified, the
discovered hosts and their respective services are listed.
Hosts
Host
The IP address of the discovered host.
DNS
The hostname indicated when querying the DNS server.
NetBIOS
The NetBIOS name of the host, if any.
Router
The router used by the host.
OS
The operating system running on the host.
Active
Identifies whether the host was alive at the time of the discovery. A host is alive
if it replies to the host discovery methods.
X means alive and an empty field means dead.
Registered
Identifies whether the host is registered as a host asset with the FortiAnalyzer
unit.
X means registered and an empty field means unregistered.
Approved
Identifies whether the host is in the approved host list. The approved hosts can be
configured for the map scan via CLI. For more information, see the command
config vm in the FortiAnalyzer CLI Reference.
Host Services
Discovery Method
The method used to discover a host.
Port
The port number scanned by the discovery method.
Service
The service running on the discovered host.
Configuring vulnerability scans
The Vulnerability Management > Scan menu contains the tools you need to define how
your assets are scanned, when they’re scanned, and the reports detailing the results.
Configuring vulnerability sensors
Vulnerability Management > Scan > Sensor displays the list of vulnerability scan sensors.
Sensors define which vulnerabilities the vulnerability scan checks your hosts for. The
filters in each sensor include pre-defined vulnerability scan signatures.
By adding filters, you group signatures into sensors for easy selection in profiles. You can
define signatures for specific types of vulnerability scan in separate sensors, and then
select those sensors in profiles designed to handle that type of vulnerability scan.
For example, you could specify all of the application-related signatures in a sensor, and
the sensor can then be used by a profile that specifies the means to be used for scanning
host application vulnerabilities.
The FortiGuard Vulnerability Management Service periodically updates the pre-defined
signatures, with signatures added to discover new threats. Because the signatures
included in filters are defined by specifying signature attributes, new signatures matching
existing filter specifications will automatically be included in those filters. For example, if
you have a filter that includes all signatures for the Windows operating system, your filter
will automatically incorporate new Windows signatures as they are added. To display your
FortiAnalyzer unit’s database of currently known vulnerability signatures, see “Viewing the
vulnerability database” on page 238.
FortiAnalyzer units come with pre-defined sensors. You cannot modify or delete the predefined sensors. They are updated with the vulnerability management engine and plug-in
releases.
Figure 86: Sensor list
Name of the GUI item
Description
View Vulnerability Details
View all of the vulnerabilities included in the sensor. This is updated
via the FortiGuard service.
Name
The sensor name.
# Entries
The total number of filters and overrides in the sensor.
Profiles
The name of the vulnerability scan profile in which the sensor is used.
Comment
An optional comment describing the sensor.
To add a sensor
1 Go to Vulnerability Management > Scan > Sensor.
2 Click Create New.
3 Enter a name and an optional comment for the sensor.
4 Click OK.
Name of the GUI item
Description
Filters
Insert
Select a filter and then Insert to place a new filter above the selection.
Move To
Select a filter and then Move To to move the filter to a new position.
View Vulnerability Details
Select a filter and then View Vulnerability Details to view all of the vulnerability
signatures included in the filter.
#
Current position of each filter in the list.
Name
The filter name.
Type
Indicates whether the filter includes or excludes the matching vulnerability
scan parameters.
Severity
The severity level of the vulnerabilities in the filter.
Category
The type of vulnerabilities included in the filter. The category includes
application types, traffic types, and host types.
Authentication
The specified host type(s) to be scanned for vulnerabilities. The scan requires
host authentication credentials. For information on host authentication
credentials configuration, see “Configuring host assets” on page 212.
Existent
The attributes identified for the signatures. Only the signatures that have these
attributes are used for this filter.
Non-existent
The attributes identified for the signatures. Only the signatures that do not
have these attributes are used for this filter.
Last Update Time
The time period during which the updated signatures were used for the
vulnerability scan. This is useful if you only want to use some signatures for a
scan.
Overrides
Overrides are configured and work mainly in the same way as filters. Unlike
filters, each override defines the behavior of one or more signatures.
Overrides can be used in two ways:
• To change the behavior of a signature already included in a filter. For
example, to scan application vulnerabilities, you could create a filter that
includes all signatures related to applications. If you wanted to disable one
of those signatures, the simplest way would be to create an override and
mark the signature as excluded.
• To add an individual signature, not included in any filters, to a sensor. This
is the only way to add custom signatures to the sensors.
#
Current position of each override in the list.
Name
The override name.
Type
Indicates whether the override includes or excludes the specified vulnerability
scan signatures.
FID
The specified Fortinet ID of the vulnerability scan signature to be included or
excluded in the sensor. The FID is a unique identifier assigned by the
FortiGuard Vulnerability Management Service.
To configure a filter
1 Go to Vulnerability Management > Scan > Sensor.
2 Either:
• Click Create New to add a sensor. See “To add a sensor” on page 222.
• Select an existing sensor and click Edit.
3 Under Filters, click Create New.
4 Enter the appropriate information and click OK.
Name of the GUI item
Description
Name
The filter name.
Type
Select whether the filter includes or excludes the matching vulnerability scan
signature.
Severity
The severity level of the vulnerabilities in the filter. Select all or specify any
particular levels.
Severity defines the relative importance of each signature. Signatures rated
critical detect the most dangerous vulnerabilities while those rated as
information pose a much smaller vulnerability.
Authentication
Specify the host type(s) to be scanned for vulnerabilities. The scan requires
host authentication credentials. For information on host authentication
credentials configuration, see “Configuring host assets” on page 212.
Category
The type of vulnerabilities included in the filter. The category includes
application types, traffic types, and host types. Select all or specify any
categories.
Use the Right Arrow to move the specified categories into the Selected field.
Last Update Time
The time period during which the updated signatures will be used for the
vulnerability scan. This is useful if you only want to use some signatures for a
scan to save time.
Top20 Group
Optionally, select to include Fortinet top 20 vulnerabilities or SANS (SANS
Internet Storm Center) top 20 vulnerabilities in the filter.
Other Options
The attributes in a vulnerability signature. Select to refine the signatures for
the filtering.
• Patch Availability: The availability of patches for the vulnerability of a host.
• CVE ID: The Common Vulnerabilities and Exposures ID of the signature.
CVE IDs are unique, common identifiers for publicly known information
security vulnerabilities.
• Bug Traq ID: The Bugtraq ID of this signature. Bugtraq is an electronic
mailing list dedicated to issues about computer security.
• FortiGuard IPS Signature: The name of the FortiGuard IPS signature for
this vulnerability.
• Vendor Reference: The remedy for the vulnerability recommended by the
host vendor.
• Affected Hosts: The number of hosts affected by the vulnerability.
Ignore
Ignore this attribute in the signature. All signatures with or without this attribute
will be used for this filter.
Existent
Only use the signatures that have this attribute for this filter.
Non-existent
Only use the signatures that do not have this attribute for this filter.
To configure an override
1 Go to Vulnerability Management > Scan > Sensor.
2 Either:
• Click Create New to add a sensor. See “To add a sensor” on page 222.
• Select an existing sensor and click Edit.
3 Under Overrides, click Create New.
4 Enter the appropriate information and click OK.
Name of the GUI item
Description
Name
The override name.
Type
Select whether the override includes or excludes the specified vulnerability
scan signatures (FIDs).
FID
The specified Fortinet ID of the vulnerability signature to be included or
excluded in the sensor. The FID is a unique identifier assigned by the
FortiGuard Vulnerability Management Service.
Select the Select Vulnerability ID icon to choose the FIDs and then select
Import. The FIDs are inserted into this field.
If you enter the FIDs manually, separate them with “,”.
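How filters and overrides combine into the set of signatures a sensor scans with, as an added model (not FortiAnalyzer code) covering the filter criteria (severity, category, Last Update Time, Top20 Group, Existent/Non-existent/Ignore attributes) and the include/exclude override types described above. It assumes that an override naming a FID takes precedence over filters and that filters are evaluated in list order with the first match deciding; the FIDs, categories and dates are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Signature:
    fid: int                      # Fortinet ID (placeholder values below)
    category: str                 # e.g. "Windows"
    severity: str                 # critical/high/medium/low/information
    attributes: FrozenSet[str]    # "Other Options" attributes the signature carries
    last_update: date
    top20: FrozenSet[str] = frozenset()   # "Fortinet" and/or "SANS"


@dataclass
class Filter:
    name: str
    include: bool                           # Type: include or exclude
    severities: Optional[Set[str]] = None   # None = all
    categories: Optional[Set[str]] = None   # None = all
    updated_since: Optional[date] = None    # Last Update Time
    top20: Optional[Set[str]] = None        # Top20 Group
    # Other Options: attribute -> "Ignore" | "Existent" | "Non-existent"
    attributes: Dict[str, str] = field(default_factory=dict)

    def matches(self, sig: Signature) -> bool:
        if self.severities is not None and sig.severity not in self.severities:
            return False
        if self.categories is not None and sig.category not in self.categories:
            return False
        if self.updated_since is not None and sig.last_update < self.updated_since:
            return False
        if self.top20 is not None and not (sig.top20 & self.top20):
            return False
        for attr, mode in self.attributes.items():
            present = attr in sig.attributes
            if (mode == "Existent" and not present) or (mode == "Non-existent" and present):
                return False
        return True   # "Ignore" attributes never constrain the match


@dataclass
class Override:
    name: str
    include: bool   # Type: include or exclude the listed FIDs
    fids: Set[int]


def resolve_sensor(filters: List[Filter], overrides: List[Override],
                   catalog: List[Signature]) -> Set[int]:
    """Return the FIDs the sensor will use (hypothetical helper).

    Assumed precedence: an override that names the FID decides; otherwise the
    first filter (by list position) whose criteria match decides; a signature
    matched by nothing is not part of the sensor.
    """
    active: Set[int] = set()
    for sig in catalog:
        decision: Optional[bool] = None
        for ov in overrides:
            if sig.fid in ov.fids:
                decision = ov.include
                break
        if decision is None:
            for flt in filters:
                if flt.matches(sig):
                    decision = flt.include
                    break
        if decision:
            active.add(sig.fid)
    return active


def sample_catalog() -> List[Signature]:
    """Constructed signature database; FIDs are placeholders, not real IDs."""
    cve = frozenset({"CVE ID"})
    return [
        Signature(1001, "Windows", "critical", cve | {"Patch Availability"}, date(2010, 6, 1)),
        Signature(1002, "Windows", "high", cve, date(2010, 7, 1)),
        Signature(1003, "Windows", "medium", cve, date(2010, 11, 15)),  # arrived in a later update
        Signature(2001, "Linux", "high", cve, date(2010, 8, 1)),
        Signature(9001, "Custom", "information", frozenset(), date(2010, 9, 1)),
    ]


def sample_sensor() -> Tuple[List[Filter], List[Override]]:
    """A filter for all Windows signatures that carry a CVE ID, plus two overrides."""
    filters = [Filter("windows-with-cve", include=True, categories={"Windows"},
                      attributes={"CVE ID": "Existent", "Patch Availability": "Ignore"})]
    overrides = [Override("drop-1002", include=False, fids={1002}),   # disable one signature
                 Override("add-custom", include=True, fids={9001})]   # add a custom signature
    return filters, overrides


if __name__ == "__main__":
    flt, ov = sample_sensor()
    print("active FIDs:", sorted(resolve_sensor(flt, ov, sample_catalog())))
```

Because the filter is defined by attributes rather than by FID, a Windows signature delivered by a later update is picked up without editing the sensor, while the override keeps the one disabled signature out.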
Configuring vulnerability scan profiles
Vulnerability Management > Scan > Profile displays the list of vulnerability scan profiles.
Profiles define what means are used to scan hosts for vulnerabilities. When configuring a
profile, various ports can be specified as well as the sensor to be used. The FortiAnalyzer
unit comes with pre-defined profiles. You cannot modify or delete the pre-defined profiles.
They are updated with the vulnerability management engine and plug-in releases.
Figure 87: Profile list
Name of the GUI item
Description
Run
Select to run the profile on an asset group to scan the hosts in the
group. A vulnerability report will be generated. See “Viewing
vulnerability scan reports” on page 231.
Name
The profile name.
Sensor
The sensor used in this profile.
To create a profile
1 Go to Vulnerability Management > Scan > Profile.
2 Click Create New.
3 Enter the appropriate information and click OK.
Name of the GUI item
Description
Name
Enter a name for the profile.
Vulnerability Scan
If you want to use this profile for a vulnerability scan, select this
option and a sensor.
Port Scan
Select the host ports to be scanned. A port must be selected for a
profile.
TCP Ports
None
The profile will not scan for open TCP ports.
Full
The profile will scan all TCP ports, from 1-65535.
Standard
The profile will scan about 2000 commonly used TCP ports.
Light
The profile will scan about 160 commonly used TCP ports.
Additional
Enable and enter any TCP ports or port ranges you wish to scan in
addition to the previous selection. To scan only the entered ports,
select None for the previous setting. Port ranges are defined with
the start and end values separated by a hyphen, and ports and
ranges are separated by commas. For example, a valid entry is
6000-7000,9725,11000.
UDP Ports
None
The profile will not scan for open UDP ports.
Full
The profile will scan all UDP ports, from 1-65535.
Standard
The profile will scan about 180 commonly used UDP ports.
Light
The profile will scan about 30 commonly used UDP ports.
Additional
Enable and enter any UDP ports or port ranges you wish to scan in
addition to the previous selection. To scan only the entered ports,
select None for the previous setting. Port ranges are defined with
the start and end values separated by a hyphen, and ports and
ranges are separated by commas. For example, a valid entry is
6000-7000,9725,11000.
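The port entry format defined for the TCP and UDP Additional fields above, as an added example (not FortiAnalyzer code): a parser that validates an entry such as 6000-7000,9725,11000, rejects malformed or out-of-range items, merges overlapping ranges and counts how many ports the entry covers. Function names are assumptions.

```python
from typing import List, Tuple

PORT_MIN, PORT_MAX = 1, 65535


def _port(text: str) -> int:
    """Parse one port number and check it lies within 1-65535."""
    text = text.strip()
    if not text.isdigit():
        raise ValueError(f"port {text!r} is not a number")
    port = int(text)
    if not PORT_MIN <= port <= PORT_MAX:
        raise ValueError(f"port {port} is outside {PORT_MIN}-{PORT_MAX}")
    return port


def merge_ranges(ranges: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Sort (start, end) ranges and merge any that overlap or touch."""
    merged: List[Tuple[int, int]] = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def parse_port_spec(spec: str) -> List[Tuple[int, int]]:
    """Parse an Additional-ports entry: ranges as start-end, items comma-separated.

    Returns merged, sorted (start, end) ranges; a single port becomes (p, p).
    Raises ValueError for empty items, non-numeric values, ports outside
    1-65535, or a range whose start is greater than its end.
    """
    ranges: List[Tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty item in port specification {spec!r}")
        if "-" in item:
            start_text, end_text = item.split("-", 1)
            start, end = _port(start_text), _port(end_text)
            if start > end:
                raise ValueError(f"range {item!r} has start greater than end")
        else:
            start = end = _port(item)
        ranges.append((start, end))
    return merge_ranges(ranges)


def is_valid_port_spec(spec: str) -> bool:
    """True if the entry parses, False otherwise."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def count_ports(ranges: List[Tuple[int, int]]) -> int:
    """Number of distinct ports covered by merged ranges."""
    return sum(end - start + 1 for start, end in ranges)


if __name__ == "__main__":
    entry = "6000-7000,9725,11000"   # the guide's own example entry
    ranges = parse_port_spec(entry)
    print(entry, "->", ranges, "covers", count_ports(ranges), "ports")
```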
Other Options
Perform TCP 3-way Handshake
Establish a connection with the host using the TCP-standard 3-way
handshake. Closing the connection is also performed the same
way.
Scan Dead Host
Scan hosts that appear to be unreachable. Some hosts may not
return pings although they are still active. Enabling Scan Dead
Hosts will force the FortiAnalyzer unit to scan these hosts.
Enabling this option will significantly increase the time required to
complete a scan.
Scheduling vulnerability scans
Vulnerability Management > Scan > Schedule displays the list of vulnerability scan
schedules.
Vulnerability reports are generated based on scheduled scans. Multiple schedules can be
created to automatically generate the required reports when required.
Figure 88: Schedule list
Name of the GUI item
Description
Run
Select to run a scheduled scan immediately.
Cancel
Select to stop running a scheduled scan.
Name
The schedule name.
Target
The asset group on which the scheduled scan will be run.
Profile
The profile to be used for the schedule. For information about profile,
see “Configuring vulnerability scan profiles” on page 227.
Schedule
The recurrence time of the schedule.
Effective Period
The starting date of the schedule.
To create a schedule
1 Go to Vulnerability Management > Scan > Schedule.
2 Click Create New.
3 Enter the appropriate information and click OK.
Name of the GUI item
Description
Name
The schedule name.
Profile
The profile to be used for the schedule.
Enable PCI Compliance
Select to ensure that the scheduled vulnerability scan uses the predefined PCI scan profile.
Selecting this option automatically populates the Profile field with the
pre-defined PCI scan profile - vcm_pci_profile and the field
becomes read-only.
For more information about PCI compliance, see “About PCI DSS
compliance reports” on page 243.
Asset Group
The asset group on which the scheduled scan will be run.
Schedule
Vulnerability scan reports can be generated automatically at regular
intervals, or on demand.
Run Now
Select to specify an on-demand report. A report will be generated
when the schedule is saved, and when the Run Now icon is selected.
No reports will be generated automatically.
Run Later
Select to have reports automatically generated at regular intervals.
Daily/Weekly/Monthly
Select Daily, Weekly, or Monthly to have a report automatically
generated at the specified interval.
Start Date
Specify the date the first scheduled report is generated. From then on,
it will be generated at daily, weekly, or monthly intervals.
Time
Specify the time of day the scheduled report will be generated.
Output Option
File output
Select the formats in which the report will be generated. HTML is the
default format. Any or all other available formats may be selected.
Email/Upload
To have the report delivered to an email address or FTP server, select
this option and enter the appropriate information.
Viewing vulnerability scan reports
Vulnerability Management > Scan > Report displays the list of vulnerability scan reports.
Reports detail the results of vulnerability scans, whether those reports are initiated on
demand or by schedule.
Figure 89: Report list
Name of the GUI item
Description
Rename
Change the name of a selected report.
Name
The name of the report. The name is made up of the VM scan profile
name and the date and time the report was generated. Select the
name to view the HTML version of the report.
Started
The date and time the report was started.
Finished
The date and time the report was completed. Looking at the Started
and Finished times, you can calculate how long the FortiAnalyzer unit
took to generate the report.
Size (bytes)
The size, in bytes, of the HTML report.
Formats
The formats in which the report was generated. HTML is the default
format and any others are listed here.
Current page
By default, the first page of reports is displayed. The total number of
pages appears after the current page number. For example, if 2 of 10
appears, you are currently viewing page 2 of 10 pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
To view a vulnerability scan report
1 Go to Vulnerability Management > Scan > Report.
2 Select a report name.
Name of the GUI item
Description
Report Summary
Created
The date and time the report was generated.
Total Hosts
The number of hosts found during the scan on the targets.
Active Hosts
The number of reachable hosts found during the scan on the targets. A host is
reachable if it replies to the host discovery methods.
Inactive Hosts
The number of unreachable hosts found during the scan on the targets.
PCI Compliance
The status of PCI compliance in the scan schedule. For more information, see
“Enable PCI Compliance” on page 230.
Start Time
The starting date and time of the report generation.
End Time
The ending date and time of the scan report generation.
VM Engine Version
The Vulnerability Management engine version number and date of last update.
This is updated via the FortiGuard distribution network if you are a FortiGuard
Vulnerability Management Service subscriber.
VM Plugin Version
The Vulnerability Management module version number and date of last update.
This is updated via the FortiGuard distribution network if you are a FortiGuard
Vulnerability Management Service subscriber.
Scan Profile
The name of the profile used by this scan schedule. It links to the Profile section
of this report.
PCI Status
If you enabled PCI compliance for the profile used for the scan, this information
appears. For more information about PCI compliance, see “About PCI DSS
compliance reports” on page 243.
Live IP Addresses Scanned
The active hosts scanned for PCI compliance.
Security Risk Rating
The vulnerability level rated for the host. There are 5 ratings with 5 being the
highest risk.
PCI Status
Indicates whether the host passed the PCI compliance scan.
A PCI compliance status of PASSED for a single host/IP indicates that no
vulnerabilities or potential vulnerabilities, as defined by the PCI DSS
compliance standards set by the PCI Council, were detected on the host.
A PCI compliance status of FAILED for a single host/IP indicates that at least
one vulnerability or potential vulnerability, as defined by the PCI DSS
compliance standards set by the PCI Council, was detected on the host.
Vulnerability Scan Summary
Vulnerabilities by Severity
The total number of vulnerabilities detected is presented in a table and chart
by severity level.
Vulnerabilities by Category
The total number of vulnerabilities detected is presented in a table and chart
by category.
Top 10 Vulnerable Hosts
The top 10 vulnerable hosts discovered with their IP addresses, total
vulnerabilities of each host, and number of vulnerabilities under each severity
level.
OS and Services Detected
List the top 10 operating systems detected, top 10 services detected, top 10
TCP services detected, and top 10 UDP services detected in table and chart
format.
Hosts
List the following information on each active host:
• Total vulnerabilities, scanned port type, and open ports.
• Number of vulnerabilities under each severity level.
• Number of vulnerabilities under each category.
• Operating system.
• Detailed vulnerability information by severity.
Profile
The information of the profile used by this scan schedule. For more information,
see “Configuring vulnerability scan profiles” on page 227.
Viewing host vulnerability statuses
Vulnerability Management > Summary > Host Status combines the results of the last scan
performed against each defined host and summarizes the information in three ways on
this page:
• vulnerabilities by severity level
• top 10 vulnerability categories
• top 10 vulnerable hosts by business risk
In addition, the page displays a list of the top ten vulnerabilities that is kept updated by the
FortiGuard Vulnerability Management subscription service. For information on scheduling
FortiGuard service updates, see “Scheduling & uploading vulnerability management
updates” on page 114.
Vulnerabilities by severity level & top 10 categories
The two charts on the host status summary page give you an at-a-glance view of the
vulnerabilities detected when your hosts were last scanned.
The FortiAnalyzer unit takes the results of the last scan performed on each host and
combines them to form these two charts. Therefore, if some or all of your hosts have not
been scanned recently, the summary may be out of date. Use recurring schedules to keep
the summaries current.
Figure 90: Summary of vulnerabilities by severity level and category
Name of the GUI item
Description
Vulnerabilities By Severity Level
The number of all detected vulnerabilities is displayed in a bar graph,
broken down by severity level.
Top 10 Vulnerability Categories
The 10 most common vulnerability categories of all detected
vulnerabilities are displayed in a pie graph.
Top 10 vulnerable hosts by business risk
The top 10 vulnerable hosts list shows the 10 hosts with the most significant business risk.
Ratings are based on the business impact rating assigned to the host group, the
vulnerabilities detected, and the severity levels of the detected vulnerabilities. The hosts
appearing on this top 10 list should be the first to receive attention when increasing
security on your network.
Figure 91: Summary of vulnerable hosts
Name of the GUI item
Description
IP Address
The IP address of the host.
DNS Name
The DNS name of the host, if any.
NetBIOS Name
The NetBIOS name of the host, if any.
Business Impact
The business impact rating assigned to the group the host belongs to.
Average Security Risk
A calculated value indicating the security risk.
Business Risk
If the host is vulnerable, the business risk is a calculated value
showing the degree of risk.
Number of Vulnerabilities
The number of vulnerabilities detected by the scan run on the host.
Last Scan Date
The time and date the host was last scanned.
View All Hosts
Click to view a complete list of all hosts with detected vulnerabilities.
See “To view a complete list of all hosts with detected vulnerabilities”
on page 236.
To view a complete list of all hosts with detected vulnerabilities
1 Go to Vulnerability Management > Summary > Host Status.
2 In the Top 10 Vulnerable Hosts (By Business Risk) area, click View All Hosts.
Name of the GUI item
Description
Column Settings
Select to choose which columns are displayed, as well as their order.
For more information, see “Displaying and arranging log columns” on
page 141.
IP Address
The IP address of the host.
DNS Hostname
The hostname indicated when querying the DNS server.
NetBIOS Hostname
The NetBIOS name of the host, if any.
Business Impact
The business impact rating assigned to the group the host belongs to.
Average Security Risk
A calculated value indicating the security risk.
Business Risk
If the host is vulnerable, the business risk is a calculated value
showing the degree of risk.
Number of Vulnerabilities
The number of vulnerabilities detected by the scan run on the host.
Last Scan Date
The date the host was scanned.
Router
The router used by the host.
OS
The operating system running on the host.
Mapping Status
Host status flags:
• A: Identifies whether the host is in the approved host list. The
approved hosts can be configured for the map scan via the CLI. For
more information, see the command config vm in the
FortiAnalyzer CLI Reference.
• L: Identifies whether the host was active at the time of the
discovery. A host is active if it replies to the host discovery
methods.
• S: Identifies whether the host is registered as a host asset.
Asset Group
The name of the asset group the host is a part of.
View n per page
Select the number of rows of log entries to display per page.
Current page
By default, the first page of hosts is displayed. The total number of
pages appears after the current page number. For example, if 2 of 10
appears, you are currently viewing page 2 of 10 pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
Top 10 vulnerabilities
With a FortiGuard Vulnerability Management Service subscription, the vulnerability
database is automatically updated as new vulnerabilities are discovered. The 10 most
common vulnerabilities are listed in the Top 10 Vulnerabilities table.
The table lists only the vulnerability name, severity, and Fortinet ID. To see additional
information about a vulnerability, select the vulnerability name.
Figure 92: Top 10 Vulnerabilities list
Name of the GUI item
Description
Vulnerability Indicator
A red indicator will appear if the vulnerability was detected on a host
during its most recent scan.
FID
The Fortinet ID of the vulnerability. The FID is a unique identifier
assigned by the FortiGuard Vulnerability Management Service.
Severity
The vulnerability severity rating.
Title
The name of the vulnerability. Select the name for additional details.
Affected Hosts
The number of hosts affected by a vulnerability.
Viewing the vulnerability database
Vulnerability Management > Summary > Vulnerability Database displays the list of
vulnerabilities that your FortiAnalyzer unit is currently capable of detecting.
FortiAnalyzer units come with a default database of more than 2,500 vulnerabilities. For
FortiGuard Vulnerability Management Service subscribers, this database can be
periodically updated via the FortiGuard Distribution Network (FDN) to receive definitions of
the most recently discovered vulnerabilities. For details, see “Scheduling & uploading
vulnerability management updates” on page 114.
You can configure sensors to define which subset of the vulnerability database will be
used when scanning a host. For details, see “Configuring vulnerability sensors” on
page 221.
Figure 93: Vulnerability list
Name of the GUI item
Description
Enable
Select to enable checking for any vulnerability. All vulnerabilities are
enabled by default.
If disabled, the FortiAnalyzer will not check hosts for the vulnerability
even if it is included in the scan profile.
Disable
Select to disable checking for any vulnerability. All vulnerabilities are
enabled by default.
If disabled, the FortiAnalyzer will not check hosts for the vulnerability
even if it is included in the scan profile.
Column Settings
Select to choose which columns are displayed, as well as their order.
For more information, see “Displaying and arranging log columns” on
page 141.
Filter icon
Select to filter only those vulnerabilities that do or do not contain your
specified content in that column. By default, most column headings
contain a gray filter icon, which becomes green when a filter is
configured and enabled.
The use of this filtering tool is similar to that of the log filtering tool. For
more information, see “Filtering logs” on page 142.
FID
The Fortinet ID of the vulnerability. The FID is a unique identifier
assigned by the FortiGuard Vulnerability Management Service.
Title
The name of the vulnerability. Select the name for additional details.
Authentication
The authentication type required to scan for this vulnerability. If the
field is blank, no authentication is required.
Category
The part of a host in which the vulnerability exists. Example categories
include Operating System, Applications, File Transfer, and Email.
Severity
The vulnerability severity rating.
Affected Hosts
The number of hosts affected by a vulnerability.
Status
Select to enable or disable checking for any vulnerability. The green
symbol indicates the vulnerability is enabled. The grey symbol
indicates the vulnerability is disabled. All vulnerabilities are enabled by
default.
If disabled, the FortiAnalyzer will not check hosts for the vulnerability
even if it is included in the scan profile.
Last Update Time
The date when the vulnerability was last updated.
Patch Availability
The availability of patches for the vulnerability of a host.
CVE ID
The Common Vulnerabilities and Exposures ID of the vulnerability.
CVE IDs are unique, common identifiers for publicly known
information security vulnerabilities.
Bugtraq ID
The Bugtraq ID of this vulnerability. Bugtraq is an electronic mailing list
dedicated to issues about computer security.
FortiGuard IPS Signature
The name of the FortiGuard IPS signature for this vulnerability.
Compliance
The PCI compliance status of the vulnerability. For more information,
see “Enable PCI Compliance” on page 230.
Vendor Reference
The remedy for the vulnerability recommended by a host vendor.
Top20 Group
Indicates whether this vulnerability is part of Fortinet top 20
vulnerabilities or SANS (SANS Internet Storm Center) top 20
vulnerabilities.
x Per Page
Select the number of vulnerabilities to display per page. You can
choose up to 1000 entries.
Current page
By default, the first page of vulnerabilities is displayed. The total
number of pages appears after the current page number. For
example, if 2 of 10 appears, you are currently viewing page 2 of 10
pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
Configuring compliance report templates
Vulnerability Management > Compliance Report > Template displays the list of
compliance report templates.
Compliance report templates are pre-defined report formats designed to conform to the
Payment Card Industry Data Security Standard (PCI DSS). You cannot modify or delete
the pre-defined templates. They are updated with the vulnerability management engine
and plug-in releases.
Running a template generates a compliance report using the same scan configuration
as when you perform a vulnerability scan in Vulnerability Management > Scan > Schedule.
The only difference is that a scan run from a compliance template uses the
“vcm_pci_profile” by default. When you run a template, the window that appears allows
you to limit the compliance report results to a specified time period and asset group.
Note: Because the compliance report template uses existing vulnerability scan reports to
create a compliance report, you must have scan results for the period and assets you
specify when running a template. For more information, see “To run a template to generate
a compliance report” on page 240.
Figure 94: Compliance report template list
Name of the GUI item
Description
View
Select to view a sample of the template report. The data does not
represent your network, but you can view the report format.
Run now
Select to run the template and generate a compliance report. For
more information, see “To run a template to generate a compliance
report” on page 240.
Cancel
Select to stop running the template.
Name
The name of the template.
Last Update
The date and time the report was last updated through the
vulnerability management engine and plug-in releases.
Status
If the template is running, the current stage of completion is reported
here. If the template is not running, this field is blank.
To run a template to generate a compliance report
1 Go to Vulnerability Management > Compliance Report > Template.
2 Select a template and click Run now.
3 Enter the appropriate information and click OK.
Wait a moment for the scan to finish. You can refresh the page and update the Status
column by selecting the Template tab. The scan is complete when the Status column is
blank.
Name of the GUI item
Description
Report Name
Enter the report name the FortiAnalyzer unit will display in the compliance
report list. The date and time will be appended to the end of the name each time
a compliance report is generated.
Report Title
This field is auto-populated depending on the type of template you choose. You
can change it.
Asset Group
Choose an asset group. The compliance report results will be limited to the
hosts defined in the specified asset group.
Period Scope
Choose a start and end time. The compliance report results will be limited to the
time period you specify.
Output Option
File Output
Select the formats in which the report will be generated. HTML is the default
format. Any or all other available formats may be selected.
Email/Upload
To have the report delivered to an email address or FTP server, select this
option and select the output template or create a new one. For more information
about output templates, see “Configuring report output templates” on page 89.
Viewing compliance reports
Vulnerability Management > Compliance Report > Report displays the list of generated
compliance reports.
Compliance reports detail the scanned hosts' compliance with the PCI data security
standard. Compliance reports are generated from compliance report templates. For
details, see “Configuring compliance report templates” on page 239.
Figure 95: Compliance report list
Name of the GUI item
Description
Name
The name of the report. The name includes the date and time the
report was generated. Select the name to view the HTML version of
the report. For more information, see “To view a compliance report” on
page 242.
Started
The date and time the report was started.
Finished
The date and time the report was completed. Looking at the Started
and Finished times, you can calculate how long the FortiAnalyzer unit
took to generate the report.
Size (bytes)
The size, in bytes, of the HTML report.
Formats
The formats in which the report was generated. The HTML report is
accessed by selecting the report name. Other formats are listed here.
Current page
By default, the first page of the list of reports is displayed. The total
number of pages appears after the current page number. For
example, if 2 of 10 appears, you are currently viewing page 2 of 10
pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
To view a compliance report
1 Go to Vulnerability Management > Compliance Report > Report.
2 Click the report name to view the HTML version of the report. If the report was
generated in any additional formats, click the link in the Format column corresponding
to the format you want to view.
The following is a sample PCI Technical Report.
Name of the GUI item
Description
Report Summary
Created
The date and time the network map report was generated.
Total Hosts
The IP addresses or IP range of the hosts found during the scan on the targets.
Summary From Date
The starting date and time of the report generation.
Summary To Date
The ending date and time of the report generation.
VM Engine Version
The Vulnerability Management engine version number and date of last update.
This is updated via the FortiGuard distribution network if you are a FortiGuard
Vulnerability Management Service subscriber.
VM Plugins Version
The Vulnerability Management module version number and date of last update.
This is updated via the FortiGuard distribution network if you are a FortiGuard
Vulnerability Management Service subscriber.
PCI Status
IP Addresses
The IP address of the host scanned.
Failed Times
The number of times the host failed the PCI compliance scan.
Passed Times
The number of times the host passed the PCI compliance scan.
Total Scanned Times
The total number of scans on the host.
Last Scan
The status of the last scan.
A PCI compliance status of PASSED for a single host/IP indicates that no
vulnerabilities or potential vulnerabilities, as defined by the PCI DSS
compliance standards set by the PCI Council, were detected on the host.
A PCI compliance status of FAILED for a single host/IP indicates that at least
one vulnerability or potential vulnerability, as defined by the PCI DSS
compliance standards set by the PCI Council, was detected on the host.
Host Details
The top 10 vulnerable hosts by vulnerabilities and by times.
Vulnerability Detail
The total number of vulnerabilities detected is presented by severity, category,
and date. The top 20 vulnerabilities are also listed.
Host
All services and vulnerabilities found for each host. The vulnerabilities that
cause the host to fail compliance are highlighted.
This option is only available for PCI Technical report.
Appendix
Information about the Payment Card Industry (PCI) status and vulnerability
levels.
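The PASSED/FAILED rule and the Failed Times, Passed Times, Total Scanned Times and Last Scan counters described above, limited to the asset group and period scope chosen when a template is run, as an added example that is not FortiAnalyzer code. The Finding type (its pci_relevant flag stands in for the vulnerability database's Compliance column), the ISO date strings and the sample scans are assumptions constructed for the example.

```python
"""Per-host PCI status and scan counters, as an added example (not FortiAnalyzer code).

Assumptions not stated in the guide: a detected vulnerability is a Finding whose
pci_relevant flag stands in for the 'Compliance' column of the vulnerability
database; a scan FAILS a host when at least one pci_relevant finding is detected
on it and PASSES it otherwise; scan dates are ISO "YYYY-MM-DD" strings.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    fid: int            # Fortinet ID (constructed sample values below)
    severity: str       # severity rating, e.g. "High" or "Low"
    pci_relevant: bool  # stand-in for the 'Compliance' column


@dataclass
class HostPciStatus:
    """One row of the PCI Status table in the report."""
    ip: str
    failed_times: int = 0
    passed_times: int = 0
    last_scan: str = ""  # "PASSED" or "FAILED" from the most recent scan

    @property
    def total_scanned_times(self) -> int:
        return self.failed_times + self.passed_times


# One scan result: (ISO scan date, host IP, findings detected on that host).
ScanResult = Tuple[str, str, Tuple[Finding, ...]]


def scan_status(findings: Iterable[Finding]) -> str:
    """PASSED when no PCI-relevant vulnerability was detected, else FAILED."""
    return "FAILED" if any(f.pci_relevant for f in findings) else "PASSED"


def failing_findings(findings: Iterable[Finding]) -> List[Finding]:
    """The findings a Host section would highlight as the cause of a FAILED status."""
    return [f for f in findings if f.pci_relevant]


def pci_status_table(
    scans: Iterable[ScanResult],
    start: Optional[str] = None,
    end: Optional[str] = None,
    asset_group: Optional[Iterable[str]] = None,
) -> Dict[str, HostPciStatus]:
    """Build the PCI Status rows, limited to the period scope (inclusive) and
    the asset group chosen when the template is run; both are optional here."""
    hosts = set(asset_group) if asset_group is not None else None
    table: Dict[str, HostPciStatus] = {}
    # ISO dates sort lexicographically; process oldest first so that
    # last_scan reflects the most recent scan of each host.
    for when, ip, findings in sorted(scans, key=lambda s: s[0]):
        if (start is not None and when < start) or (end is not None and when > end):
            continue
        if hosts is not None and ip not in hosts:
            continue
        row = table.setdefault(ip, HostPciStatus(ip))
        result = scan_status(findings)
        if result == "FAILED":
            row.failed_times += 1
        else:
            row.passed_times += 1
        row.last_scan = result
    return table


# Constructed sample data; FIDs, addresses and dates are illustrative only.
WEAK_TLS = Finding(fid=100001, severity="High", pci_relevant=True)
BANNER_INFO = Finding(fid=100002, severity="Low", pci_relevant=False)
SAMPLE_SCANS: List[ScanResult] = [
    ("2010-11-01", "10.0.0.5", (WEAK_TLS, BANNER_INFO)),
    ("2010-11-01", "10.0.0.6", (BANNER_INFO,)),
    ("2010-11-15", "10.0.0.5", (BANNER_INFO,)),  # remediated: now passes
    ("2010-11-15", "10.0.0.6", ()),
    ("2010-11-15", "10.0.0.7", (WEAK_TLS,)),     # not in the asset group below
]
CARDHOLDER_GROUP = ["10.0.0.5", "10.0.0.6"]  # constructed asset group


if __name__ == "__main__":
    for row in pci_status_table(SAMPLE_SCANS, asset_group=CARDHOLDER_GROUP).values():
        print(row.ip, row.failed_times, row.passed_times,
              row.total_scanned_times, row.last_scan)
```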
About PCI DSS compliance reports
Payment Card Industry Data Security Standard (PCI DSS), defined by PCI Security
Standards Council, is a set of data security requirements to which banks, online
merchants and Member Service Providers (MSPs) must adhere, enforcing the safe
handling of card holder information.
To comply with the requirements, merchants and MSPs must perform the following:
• Annually conduct an on-site audit or complete the PCI Self-Assessment Questionnaire.
• Quarterly conduct vulnerability scans on all Internet-facing networks and
systems. These scans must be performed by an approved scanning vendor to detect
and eliminate security threats associated with electronic commerce, and provide the
acquiring bank with a report demonstrating compliance status.
You can generate a PCI compliance report that provides a pass or failure status of your
network.
Tools
The Tools menu provides the ability to view the files that are on your FortiAnalyzer unit
using the File Explorer, and to view packets on your network using the Network Analyzer.
By default, the Tools menu is hidden. To make it visible, go to System > Admin > Settings
and enable Show Network Analyzer. For details, see “Configuring the web-based
manager’s global settings” on page 82.
This topic includes:
• Network Analyzer
• File Explorer
Network Analyzer
Network Analyzer can be used as an enhanced local network traffic sniffer to diagnose
areas of the network where firewall policies may require adjustment, or where traffic
anomalies occur.
Network analyzer logs all traffic seen by the interface for which it is enabled. If that
network interface is connected to the span port of a switch, observed traffic will include all
traffic sent through the switch by other hosts. You can then locate traffic which should be
blocked, or which contains other anomalies.
All captured traffic information is saved to the FortiAnalyzer hard disk. You can then
display this traffic information directly, search it, or generate reports from it.
This section describes how to enable and view traffic captured by the network analyzer. It
also describes network analyzer log storage configuration options.
Network analyzer is not visible under the Tools menu until it is enabled in System >
Admin > Settings. For more information, see “Configuring the web-based manager’s
global settings” on page 82.
Connecting the FortiAnalyzer unit to analyze network traffic
You usually first connect the FortiAnalyzer unit to a hub or the span (or mirroring) port of
an Ethernet switch to sniff traffic with the FortiAnalyzer unit. Both the management and
sniffing ports can be connected to the same switch.
Figure 96: Example network topology for network analyzer use (the span/mirror port of the hub or switch between the internal network and the Internet is connected to the Network Analyzer port)
To connect the FortiAnalyzer unit for use with network analyzer
1 Connect an Ethernet cable to a port on the FortiAnalyzer unit other than the port used
to collect device logs.
For example, if you receive logs and quarantined files on port 1, you might use network
analyzer on port 2. Using a separate port for sniffing prevents log and quarantine traffic
from cluttering network analyzer messages, and enables you to analyze networks
without tampering with network settings related to normal logging and quarantine
activity.
2 Connect the other end of the Ethernet cable to the span or mirroring port of an Ethernet
switch.
If connected to the span or mirror port of a switch, network analyzer will be able to
observe all traffic passing through the switch.
3 In the web-based manager, go to System > Admin > Settings > GUI Menu
Customization, enable Show Network Analyzer and select Apply.
4 In the web-based manager, go to System > Network > Interface.
5 If the interface you will use with network analyzer is currently down, select Bring Up to
enable it.
6 Select Modify for the interface you will use with network analyzer.
7 Enter the IP/Netmask.
8 Select OK.
You can now configure network analyzer settings in Tools > Network Analyzer >
Config.
Viewing network analyzer log messages
After you attach a FortiAnalyzer unit interface to the network and enable the network
analyzer for that interface, traffic information is displayed.
The network analyzer’s log viewers display logs of traffic seen by the network interface
you have configured for use with network analyzer, focusing on specific time frames.
The network analyzer has two types of log viewing options:
• Real-time displays the network analyzer log messages of traffic most recently
observed by the network interface for which network analyzer is enabled. The display
refreshes every few seconds, and contains only the most current activity.
• Historical displays all network analyzer log messages whose time stamps are within
your specified time frame.
Viewing current network analyzer log messages
The real-time logs in network analyzer update continually, displaying the most recent
traffic observed by the network analyzer.
To view the most recent traffic, go to Tools > Network Analyzer > Historical and select the
Realtime Log icon. You can view the details of a log message by double-clicking any of its
columns.
Figure 97: Network Analyzer Realtime Log icon
Figure 98: Real-time Network Analyzer logs
Name of the GUI item
Description
Type
The type of log you are viewing.
Historical Log
Select to view the historical network analyzer log messages. For more
information, see “Viewing historical network analyzer log messages”
on page 249.
Pause
Select to stop updating the real-time logs.
Column Settings
Select to change the columns to view and the order they appear on
the page. For more information, see “Displaying and arranging log
columns” on page 253.
Search
Enter a keyword to perform a simple search on the available log
information, then press the Enter key to begin the search.
Last Activity
The date and time the traffic was transmitted.
Source
The IP address of the sender of the traffic.
Destination
The IP address of the recipient of the traffic.
Source Port
The port a UDP or TCP packet was being sent from.
Destination Port
The port a UDP or TCP packet was being sent to.
Protocol
The protocol used when sending the traffic.
Message
Information payload of the traffic sent through the switch.
View n per page
Select the number of rows of log entries to display per page.
Current page
By default, the first page of log messages is displayed. The total
number of pages appears after the current page number. For example,
if 2 of 10 appears, you are currently viewing page 2 of 10 pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
Change Display Options
Resolve Host Name
Select to display a recognizable host name rather than the IP
address. For more information about configuring IP address host
names, see “Configuring IP aliases” on page 102.
Resolve Service
Select to display the network service names rather than the port
numbers, such as HTTP rather than port 80.
Formatted
Select to display the network analyzer log files in columnar format.
This is the default view. For more information, see “Customizing the
network analyzer log view” on page 252.
Raw
Select to display the network analyzer log information as it actually
appears in the log file. For more information, see “Customizing the
network analyzer log view” on page 252.
Viewing historical network analyzer log messages
The Historical tab in Tools > Network Analyzer displays network analyzer logs for a
specific time range. When viewing log messages, you can filter the information to find
specific traffic information.
To view a historical network analyzer log, go to Tools > Network Analyzer > Historical and
then select the log you want to view. You can view the details of a log message by
double-clicking any of its columns.
Figure 99: Historical network analyzer logs
Name of the GUI item
Description
Type
The type of log you are viewing.
Timeframe
Select the time frame during which you want to view the logs.
Realtime Log
Select to view the real-time network analyzer log messages. For more
information, see “Viewing current network analyzer log messages” on
page 247.
Column Settings
Select to change the columns to view and the order they appear on the
page. For more information, see “Displaying and arranging log
columns” on page 253.
Printable Version
Select to download an HTML file containing all log messages that
match the current filters. The HTML file is formatted to be printable.
Time required to generate and download large reports varies by the
total amount of log messages, the complexity of any search criteria,
the specificity of your column filters, and the speed of your network
connection.
Download Current View
Select to download only those log messages which are currently
visible, according to enabled filters.
Search
Enter a keyword to perform a simple search on the log information
available. Press Enter to begin the search.
Advanced Search
Select to search the network analyzer log files for matching text using
two search types: Quick Search and Full Search. For more
information, see “Searching the network analyzer logs” on page 256.
Last Activity
The date and time the traffic was transmitted.
Source
The IP address of the sender of the traffic.
Destination
The IP address of the recipient of the traffic.
Source Port
The port a UDP or TCP packet was being sent from.
Destination port
The destination port of the traffic.
Protocol
The protocol used when sending the traffic.
Message
Information payload on the traffic sent through the switch.
View n per page
Select the number of rows of log entries to display per page.
Current page
By default, the first page of log messages is displayed. The total
number of pages appears after the current page number. For example,
if 2 of 10 appears, you are currently viewing page 2 of 10 pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
Change Display Options
Resolve Host Name
Select to display a recognizable host name rather than the IP
address. For more information about configuring IP address host
names, see “Configuring IP aliases” on page 102.
Resolve Service
Select to display the network service names rather than the port
numbers, such as HTTP rather than port 80.
Formatted
Select to display the network analyzer log files in columnar format.
This is the default view. For more information, see “Customizing the
network analyzer log view” on page 252.
Raw
Select to display the network analyzer log information as it actually
appears in the log file. For more information, see “Customizing the
network analyzer log view” on page 252.
Browsing network analyzer log files
The Browse tab in Tools > Network Analyzer enables you to see all stored network
analyzer log files, view the network analyzer logs, download log files to your hard disk or
delete unneeded files.
When a log file reaches its maximum size, or reaches the scheduled time, the
FortiAnalyzer rolls the active log file by renaming the file. The file name will be in the form
of xlog.N.log, where x is a letter indicating the log type and N is a unique number
corresponding to the time the first log entry was received.
For more information about setting the maximum file size and log rolling options, see
“Rolling and uploading network analyzer logs” on page 258.
To view the log file list, go to Tools > Network Analyzer > Browse.
Figure 100: Network analyzer log file list
Name of the GUI item
Description
Display
Select to view the contents of the selected log file.
Download
Select to save the selected log file to your local hard disk.
From
The date and time when the FortiAnalyzer unit starts to generate the
log file.
To
The date and time when the FortiAnalyzer unit completes generating
the log file when the file reaches its maximum size or the scheduled
time.
Size (bytes)
The size of the log file.
Viewing network analyzer log file contents
The Browse tab enables you to view all log messages within network analyzer log files.
If you display the log messages in formatted view, you can display and arrange columns
and/or filter log messages by column contents. For more information, see “Customizing
the network analyzer log view” on page 252.
To view a log file
1 Go to Tools > Network Analyzer > Browse.
2 Select a log file and then select Display.
The log file’s contents appear. For more information on understanding the log file
contents, see “Viewing network analyzer log messages” on page 247.
Downloading a network analyzer log file
You can download a log file to save it as a backup or for use outside the FortiAnalyzer unit.
You can choose to download either the entire file or only log messages selected by
filtering.
To download a whole log file
1 Go to Tools > Network Analyzer > Browse.
2 Select a log file.
3 Click Download.
4 Select any of the following download options you want and click OK.
Name of the GUI item
Description
Log file format
Downloads the log in text (.txt), comma-separated value (.csv), or
standard .log (Native) format. Each log element is separated by a
comma. CSV files can be viewed in spreadsheet applications.
Compress with gzip
Compress the .log or .csv file with gzip compression. For
example, downloading a log-formatted file with gzip compression
would result in a download with the file extension .log.gz.
5 If prompted by your web browser, select a location to save the file, or open it without
saving.
To download a partial (filtered) log file
1 Go to Tools > Network Analyzer > Browse.
2 Select a log file.
3 Click Display.
4 Select a filter icon to restrict the current view to only items which match your criteria,
then select OK. For more information about filtering information, see “Filtering logs” on
page 142.
5 Select Download Current View.
6 Select any of the download options you want and click OK.
Name of the GUI item
Description
Log file format
Downloads the log in text (.txt), comma-separated value (.csv), or
standard .log (Native) format. Each log element is separated by a
comma. CSV files can be viewed in spreadsheet applications.
Compress with gzip
Compress the .log or .csv file with gzip compression. For
example, downloading a log-formatted file with gzip compression
would result in a download with the file extension .log.gz.
7 If prompted by your web browser, select a location to save the file, or open it without
saving.
Customizing the network analyzer log view
Log messages can be displayed in either raw or formatted view.
• Raw view displays log messages exactly as they appear in the log file.
• Formatted view displays log messages in a columnar format. Each log field in a log
message appears in its own column, aligned with the same field in other log messages,
for rapid visual comparison. When displaying log messages in formatted view, you can
customize the log view by hiding, displaying and arranging columns and/or by filtering
columns, refining your view to include only those log messages and fields that you
want to see.
To display logs in raw or formatted view
1 Go to a page which displays log messages, such as Tools > Network Analyzer >
Historical.
2 Select Change Display Options.
3 Select Formatted or Raw.
If you select Formatted, options appear that enable you to display and arrange log
columns and/or filter log columns.
Displaying and arranging log columns
When viewing logs in formatted view, you can display, hide and re-order columns to
display only relevant categories of information in your preferred order.
For most columns, you can also filter data within the columns to include or exclude log
messages which contain your specified text in that column. For more information, see
“Filtering logs” on page 254.
To display or hide columns
1 Go to a page which displays log messages, such as Tools > Network Analyzer >
Historical.
2 Select Column Settings.
Lists of available and displayed columns for the log type appear.
3 Select which columns to hide or display.
• In the Available Fields area, select the names of individual columns you want to
display, then select the single right arrow to move them to the Display Fields area.
Alternatively, to display all columns, select the double right arrow.
• In the Display Fields area, select the names of individual columns you want to hide,
then select the single left arrow to move them to the Available Fields area.
Alternatively, to hide all columns, select the double left arrow.
• To return all columns to their default displayed/hidden status, select Default.
4 Select OK.
To change the order of the columns
1 Go to a page which displays log messages, such as Tools > Network Analyzer >
Historical.
2 Select Column Settings.
Lists of available and displayed columns for the log type appear.
3 In the Display Fields area, select a column name whose order of appearance you want
to change.
4 Select the up or down arrow to move the column in the ordered list.
Placing a column name towards the top of the Display Fields list will move the column
toward the left side of the formatted log view.
5 Select OK.
Filtering logs
When viewing log messages in formatted view, you can filter columns to display only
those log messages that do or do not contain your specified content in that column. By
default, most column headings contain a gray filter icon, which becomes green when a
filter is configured and enabled.
Note: Filters do not appear in raw view, or for unindexed log fields in formatted view.
When viewing real-time logs, you cannot filter on the time column: by definition of the
real-time view, only current logs are displayed.
Figure 101: Filter icons in network analyzer
To filter log messages by column contents
1 In the heading of the column that you want to filter, select the filter icon.
2 Select Enable.
3 If you want to exclude log messages with matching content in this column, select NOT.
If you want to include log messages with matching content in this column, deselect
NOT.
4 Enter the text that matching log messages must contain.
Matching log messages will be excluded or included in your view based upon whether
you have selected or deselected NOT.
5 Select OK.
A column’s filter icon is green when the filter is currently enabled.
To disable a filter
1 In the heading of the column whose filter you want to disable, select the filter icon.
A column’s filter icon is green when the filter is currently enabled.
2 To disable the filter on this column, deselect Enable.
Alternatively, to disable the filters on all columns, select Clear All Filters. This disables
the filter; it does not delete any filter text you might have configured.
3 Select OK.
A column’s filter icon is gray when the filter is currently disabled.
Filtering tips
When filtering by source or destination IP, you can use the following in the filtering criteria:
• a single address (2.2.2.2)
• an address range using a wild card (1.2.2.*)
• an address range (1.2.2.1-1.2.2.100)
You can also use a Boolean operator (or) to define mutually exclusive choices:
• 1.1.1.1 or 2.2.2.2
• 1.1.1.1 or 2.2.2.*
• 1.1.1.1 or 2.2.2.1-2.2.2.10
Most column filters require that you enter the column’s entire contents to successfully
match and filter contents; partial entries do not match the entire contents, and so will not
create the intended column filter.
For example, if the column contains a source or destination IP address (such as
192.168.2.5), to create a column filter, enter the entire IP address to be matched. If you
enter only one octet of the IP address (such as 192), the filter will not completely match
any of the full IP addresses, and so the resulting filter would omit all logs, rather than
including those logs whose IP address contains that octet.
Exceptions to this rule include columns that contain multiple words or long strings of text,
such as messages or URLs. In those cases, you may be able to filter the column using a
substring of the text contained by the column, rather than the entire text contained by the
column.
Searching the network analyzer logs
You can search the network analyzer log files for matching text using two search types:
Quick Search and Full Search.
You can use Quick Search to find results more quickly if your search terms are relatively
simple and you only need to search indexed log fields. Indexed log fields are those that
appear with a filter icon when browsing the logs in column view; unindexed log fields do
not contain a filter icon for the column or do not appear in column view, but do appear in
the raw log view. Quick Search keywords cannot contain:
• special characters such as single or double quotes (' or ") or question marks (?)
• wild card characters (*), except as the last character of a keyword (logi*)
You can use Full Search if your search terms are more complex, and require the use of
special characters or log fields not supported by Quick Search. Full Search performs an
exhaustive search of all log fields, both indexed and unindexed, but is often slower than
Quick Search.
To search the logs, go to Tools > Network Analyzer > Historical. Select Advanced Search.
Figure 102: Network analyzer log search button
Figure 103: Network analyzer log search
Name of the GUI item / Description
Time Period: Select to search logs from a time frame, or select Specify and define a
custom time frame by selecting the From and To date and times.
From: Enter the date and select the time of the beginning of the custom time range. This
option appears only when Date is Specify.
To: Enter the date and select the time of the end of the custom time range. This option
appears only when Date is Specify.
Keyword(s): Enter search terms which will be matched to yield log message search
results. To specify that results must include all, any, or none of the keywords, select
from Match.
Quick Search: Select to perform a Quick Search, whose keywords cannot contain special
characters and that searches only indexed fields.
Full Search: Select to perform a Full Search, whose keywords may contain special
characters, and searches all log message fields. The time of the search varies by the
complexity of the search query and the number of log messages to be searched.
Stop Search: Select to stop the search process.
More Options: Select the blue arrow to hide or expand additional search options.
Other Filters: Specify additional criteria, if any, that can be used to further restrict
the search criteria.
• Source IP: Enter an IP address to include only log messages containing a matching
source IP address. For example, entering 192.168.2.1 would cause search results to
include only log messages containing src=192.168.2.1.
• Destination IP: Enter an IP address to include only log messages containing a
matching destination IP address. For example, entering 192.168.2.1 would cause search
results to include only log messages containing dst=192.168.2.1.
Search tips
If your search does not return the results you expect, but log messages exist that should
contain matching text, examine your keywords and filter criteria using the following search
characteristics and recommendations.
• Separate multiple keywords with a space (arp who-has 1.1.1.1).
• Keywords cannot contain unsupported special characters. Supported characters vary by
selection of Quick Search or Full Search.
• Keywords must literally match log message text, with the exception of case insensitivity
and wild cards; resolved names and IP aliases will not match.
• Some keywords will not match unless you include both the log field name and its value,
surrounded by quotes (“Ack=2959769124”).
• Remove unnecessary keywords and search filters which can exclude results. For a log
message to be included in the search results, all keywords must match; if any of your
keywords does not exist in the message, the match will fail and the message will not
appear in search results.
• You can use the asterisk (*) character as a wild card (192.168.2.*). For example, you
could enter any partial term or IP address, and then enter * to match all terms that have
identical beginning characters or numbers.
• You can search for IP ranges, including subnets. For example:
  • 172.168.1.1/24 or 172.168.1.1/255.255.255.0 matches all IP addresses in the subnet
  172.168.1.1/255.255.255.0
  • 172.168.1.1-140.255 matches all IP addresses from 172.168.1.1 to 172.168.140.255
• The search returns results that match all of the search terms.
For example, consider two similar keyword entries: 172.20.120.127 tcp and
172.20.120.127 udp. If you enter the keywords 172.20.120.127 tcp, UDP traffic would not
be included in the search results, since although the first keyword (the IP address)
matches, the second keyword, tcp, does not match.
• The search returns results that match all, any, or none of the search terms, according
to the option you select in Match.
For example, if you enter into Keyword(s):
172.20.120.127 tcp
and if from Match you select All Words, log messages for UDP traffic to 172.20.120.127
do not appear in the search results, since although the first keyword (the IP address)
appears in log messages, the second keyword (the protocol) does not match UDP log
messages, and so the match fails for UDP log messages. If the match fails, the log
message is not included in the search results.
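The IP criteria listed under “Filtering tips” and the keyword and IP-range rules in these search tips can be tried out with the following Python model. It is an added example, not Fortinet's code: the matching rules (whole-address matching, wild cards, ranges, or, CIDR and dotted-mask subnets, the short range form, Match all/any/none, case-insensitive literal keywords) are the ones the guide states, while the way a raw log line is split into words and the tcpdump-style sample lines are assumptions.

```python
"""Model of the IP filter and keyword search rules the guide describes for the
network analyzer. Added example, not Fortinet's code: the matching rules are the
ones stated on the page; how log text is split into words is an assumption."""
import ipaddress
import re
from typing import Callable, List, Optional, Tuple


def _ip_to_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ip_criterion(term: str) -> Optional[Tuple[int, int]]:
    """One IP criterion as an inclusive (low, high) range; None for anything that
    is not a complete criterion (the bare octet '192'), so that it matches nothing."""
    term = term.strip()
    try:
        if "/" in term:  # 172.168.1.1/24 or 172.168.1.1/255.255.255.0
            net = ipaddress.IPv4Network(term, strict=False)
            return int(net.network_address), int(net.broadcast_address)
        if "-" in term:  # 1.2.2.1-1.2.2.100, or the short form 172.168.1.1-140.255
            lo_parts, hi_parts = (s.split(".") for s in term.split("-", 1))
            if len(lo_parts) != 4 or not 1 <= len(hi_parts) <= 4:
                return None
            # the upper bound borrows its leading octets from the lower bound
            hi_parts = lo_parts[: 4 - len(hi_parts)] + hi_parts
            lo, hi = (_ip_to_int(".".join(p)) for p in (lo_parts, hi_parts))
            return (lo, hi) if lo <= hi else None
        parts = term.split(".")
        if len(parts) != 4:
            return None  # partial entry: not a complete address
        if "*" in parts:  # 1.2.2.*: only trailing octets may be wild cards
            fixed = parts[: parts.index("*")]
            if parts[len(fixed):] != ["*"] * (4 - len(fixed)):
                return None
            lo = _ip_to_int(".".join(fixed + ["0"] * (4 - len(fixed))))
            hi = _ip_to_int(".".join(fixed + ["255"] * (4 - len(fixed))))
            return lo, hi
        value = _ip_to_int(term)  # a single complete address
        return value, value
    except ValueError:
        return None


def compile_ip_filter(criteria: str, negate: bool = False) -> Callable[[str], bool]:
    """Column filter on a source/destination IP column: `criteria` is the filter
    text ('1.1.1.1 or 2.2.2.*'), `negate` the NOT check box. Partial terms match
    nothing, so a filter made only of them omits every log (with NOT, none)."""
    terms = re.split(r"\s+or\s+", criteria.strip(), flags=re.IGNORECASE)
    ranges = [r for r in map(parse_ip_criterion, terms) if r is not None]

    def matches(column_value: str) -> bool:
        try:
            value = _ip_to_int(column_value.strip())
        except ValueError:
            return negate  # the cell is not an address, so it cannot match
        return any(lo <= value <= hi for lo, hi in ranges) != negate

    return matches


def _tokens(message: str) -> List[str]:
    # Whole lower-cased words, trailing punctuation dropped. Keywords compare against
    # whole words, which is why '2959769124' alone fails and "Ack=2959769124" is needed.
    return [tok.rstrip(":,;") for tok in message.lower().split()]


def _keyword_hits(keyword: str, tokens: List[str]) -> bool:
    keyword = keyword.strip('"').lower()
    ip_range = parse_ip_criterion(keyword)  # subnets and ranges compare numerically
    for tok in tokens:
        if tok == keyword or (keyword.endswith("*") and tok.startswith(keyword[:-1])):
            return True  # literal match, or trailing wild card on the same beginning
        if ip_range is not None:
            try:
                if ip_range[0] <= _ip_to_int(tok) <= ip_range[1]:
                    return True
            except ValueError:
                pass
    return False


def keyword_matches(message: str, keywords: str, match: str = "all") -> bool:
    """Apply the Keyword(s) box with the Match option ('all', 'any' or 'none').
    Keywords are space-separated; a quoted "field=value" pair stays one keyword."""
    if match not in ("all", "any", "none"):
        raise ValueError(f"unknown Match option: {match}")
    hits = [_keyword_hits(w, _tokens(message)) for w in re.findall(r'"[^"]*"|\S+', keywords)]
    return all(hits) if match == "all" else any(hits) if match == "any" else not any(hits)


def search(messages: List[str], keywords: str, match: str = "all") -> List[str]:
    return [m for m in messages if keyword_matches(m, keywords, match)]


# Constructed sample lines in the tcpdump-like style of the guide's own
# 'arp who-has 1.1.1.1' example; not real FortiAnalyzer output.
SAMPLE_MESSAGES = [
    "arp who-has 1.1.1.1 tell 1.1.1.2",
    "IP 172.20.120.127 > 172.168.1.20: tcp 1443 Ack=2959769124",
    "IP 172.20.120.127 > 172.168.140.200: udp 53",
    "IP 192.168.2.5 > 172.168.200.1: icmp echo request",
]
```

Running `search(SAMPLE_MESSAGES, "172.20.120.127 tcp")` reproduces the guide's example (the UDP line is dropped), and `compile_ip_filter("192")` shows why a bare octet hides every log.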
Printing and downloading the search results
After completing a search, you can use the Printable Version button to download and print
an HTML copy of the search results. You can also use the Download Current View button to
download the search results in text (.txt), comma-separated value (.csv), or standard log
(.log) format (native format).
To download and print search results, select the Printable Version button to download the
results. You can print this file immediately, save it to your computer for later use, or email
it.
Note: Large logs require more time to download. Download times can be improved by
selecting Compress with gzip.
To download log search results
1 Go to Tools > Network Analyzer > Historical.
2 Perform a search using either simple or advanced search.
3 Select Download Current View.
Options appear for the download’s file format and compression.
4 Select the download options that you want, then select OK.
Name of the GUI item / Description
Log file format: Downloads the log file in text (.txt), comma-separated value (.csv), or
standard .log (Native) file format.
Compress with gzip: Compress the downloaded log file with gzip compression. For example,
downloading a log-formatted file with gzip compression would result in a download with
the file extension .log.gz.
5 If prompted by your web browser, select a location to save the file, or open it without
saving.
Rolling and uploading network analyzer logs
You can control log file size and manage log file consumption of the hard disk space with
log rolling and uploading.
The network analyzer captures very detailed network traffic information, and its log
volume can consume the FortiAnalyzer unit’s hard disk space more rapidly than standard
logs. Rolling and uploading logs frees hard disk space to collect further data.
As the FortiAnalyzer unit receives new log items, it performs the following tasks:
• verifies whether the log file has exceeded its file size limit
• if the file size is not exceeded, checks to see if it is time to roll the log file. You
configure the time to be either a daily or weekly occurrence, and when the roll occurs
When a current log file (tlog.log) reaches its maximum size, or reaches the scheduled
time, the FortiAnalyzer unit rolls the active log file by renaming the file. The file name will
be in the form of xlog.N.log (for example, tlog.1252929496.log), where x is a
letter indicating the log type and N is a unique number corresponding to the time the first
log entry was received. The file modification time will match the time when the last log was
received in the log file.
Once the current log file is rolled into a numbered log file, it will not be changed. New logs
will be stored in the new current log called tlog.log.
If log uploading is enabled, once logs are uploaded to the remote server or downloaded
via the web-based manager, they are in the following format:
FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz
If you have enabled log uploading, you can choose to automatically delete the rolled log
file after uploading, thereby limiting the amount of disk space used by rolled log files.
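Scripts on the upload server often need to take these file names apart, for example to check that every rolled file of a unit arrived exactly once. The following Python parser is an added example, not Fortinet's code; it assumes that N in xlog.N.log is Unix epoch seconds (which fits the example above) and that the trailing date stamp is written in the unit's own time zone, which the guide does not specify.

```python
"""Parser for the network analyzer log file names the guide describes, as an
added example (not Fortinet's code). Forms handled:
    tlog.log                                   current file
    tlog.1252929496.log                        rolled: xlog.N.log
    FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz   uploaded
N is the time the first entry was received; reading it as Unix epoch seconds is
an assumption that fits the page's example (it decodes to 2009-09-14 UTC)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

_CURRENT = re.compile(r"^(?P<type>[a-z])log\.log$")
_ROLLED = re.compile(r"^(?P<type>[a-z])log\.(?P<first>\d+)\.log$")
_UPLOADED = re.compile(
    r"^(?P<serial>[A-Z0-9]+)-(?P<type>[a-z])log\.(?P<first>\d+)\.log"
    r"-(?P<stamp>\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})(?P<gz>\.gz)?$"
)


@dataclass
class LogFileName:
    kind: str                               # 'current', 'rolled' or 'uploaded'
    log_type: str                           # the x in xlog ('t' for the traffic log)
    serial: Optional[str] = None            # unit serial; uploaded files only
    first_entry: Optional[datetime] = None  # N decoded as UTC
    uploaded_at: Optional[datetime] = None  # stamp as the unit wrote it (zone unstated)
    compressed: bool = False                # name ends in .gz


def _epoch(text: str) -> datetime:
    return datetime.fromtimestamp(int(text), tz=timezone.utc)


def parse_log_name(name: str) -> LogFileName:
    """Classify a file name and pull its fields out; ValueError for anything else."""
    if m := _CURRENT.match(name):
        return LogFileName("current", m["type"])
    if m := _ROLLED.match(name):
        return LogFileName("rolled", m["type"], first_entry=_epoch(m["first"]))
    if m := _UPLOADED.match(name):
        return LogFileName("uploaded", m["type"], serial=m["serial"],
                           first_entry=_epoch(m["first"]),
                           uploaded_at=datetime.strptime(m["stamp"], "%Y-%m-%d-%H-%M-%S"),
                           compressed=m["gz"] is not None)
    raise ValueError(f"not a FortiAnalyzer log file name: {name!r}")


def inventory(names: List[str]) -> Dict[Tuple[str, str], List[LogFileName]]:
    """Uploaded files grouped by (serial, log type) and ordered by first entry,
    which is the order in which the unit rolled them."""
    groups: Dict[Tuple[str, str], List[LogFileName]] = {}
    for info in map(parse_log_name, names):
        if info.kind == "uploaded":
            groups.setdefault((info.serial, info.log_type), []).append(info)
    for files in groups.values():
        files.sort(key=lambda f: f.first_entry)
    return groups


def reuploads(names: List[str]) -> List[Tuple[str, str, str]]:
    """(serial, log type, first entry) seen more than once, i.e. the same rolled
    file uploaded twice; only the date stamp in the name differs."""
    seen: Dict[Tuple[str, str, str], int] = {}
    for files in inventory(names).values():
        for f in files:
            key = (f.serial, f.log_type, f.first_entry.isoformat())
            seen[key] = seen.get(key, 0) + 1
    return sorted(k for k, n in seen.items() if n > 1)


# Constructed names: the page's own example plus two made-up neighbours
# (a next-day file and a second upload of the first file). Not real data.
SAMPLE_UPLOADS = [
    "FG3K6A3406600001-tlog.1253015999.log-2009-09-15-14-00-09.gz",
    "FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-00-14.gz",
    "FG3K6A3406600001-tlog.1252929496.log-2009-09-14-14-05-02.gz",
]
```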
To enable log rolling, or to disable network analyzer, go to Tools > Network Analyzer >
Config.
Figure 104: Traffic Log Settings
Name of the GUI item / Description
Enable Network Analyzer on: Select the port on which network analyzer observes traffic.
If you disable this option and log out, network analyzer will be hidden in the web-based
manager menu. For more information about re-enabling network analyzer and making it
visible again, see “Connecting the FortiAnalyzer unit to analyze network traffic” on
page 245.
Allocated Disk Space (MB): Enter the amount of disk space reserved for network analyzer
logs. The dialog also displays the amount used of the allocated space.
When Allocated Disk Space is All Used: Select what the FortiAnalyzer unit does when the
allocated disk space is filled up. Select to either overwrite the older log file or stop
logging until you can clear some room. To avoid completely filling the hard disk space,
use the log rolling and uploading options.
Reuse settings from standard logs: Select to use the same log rolling and uploading
settings that you set for standard log files in Logs > Config. This option is selected by
default.
Log rolling settings: Define when the FortiAnalyzer unit should roll its network analyzer
log files. This option becomes active only if you deselect Reuse Settings from Standard
Logs.
Log file should not exceed: Enter the maximum size of each network analyzer log file.
When the log file reaches the specified maximum size, the FortiAnalyzer unit saves the
current log file with an incremental number and starts a new active log file. For example,
if the maximum size is reached, the current xlog.log is renamed to xlog.n.log, then a new
xlog.log is created to receive new log messages.
Log file should be rolled... even if size is not exceeded: Set the time of day when the
FortiAnalyzer unit renames the current log file and starts a new active log file.
• Daily: Roll log files daily, even if the log file has not yet reached maximum file size.
• Weekly: Roll log files weekly, even if the log file has not yet reached maximum file
size.
• Optional: Roll log files only when the log file reaches the maximum file size,
regardless of time interval.
Enable log uploading: Select to upload log files to a server when a log file rolls.
Server type: Select the protocol to use when uploading to the server:
• File Transfer Protocol (FTP)
• Secure File Transfer Protocol (SFTP)
• Secure Copy Protocol (SCP)
Server IP address: Enter the IP address of the log upload server.
Username: Enter the user name required to connect to the upload server. By default, the
user name is anonymous; select the field to enter a different user name.
Password: Enter the password required to connect to the upload server.
Confirm Password: Re-enter the password to verify correct entry.
Directory: Enter a location on the upload server where the log file should be saved.
Upload Files: Select when the FortiAnalyzer unit should upload files to the server.
• When rolled: Uploads logs whenever the log file is rolled, based upon Log file should
be rolled.
• Daily at hh:mm: Uploads logs at the configured time, regardless of when or what size
it rolls at according to Log file should be rolled.
Uploaded log format: Select to upload the log file in text (.txt), comma-separated value
(.csv), or standard .log (Native) file format.
Compress uploaded log files: Select to compress the log files in GZIP format before
uploading to the server.
Delete files after uploading: Select to remove the log file from the FortiAnalyzer hard
disk once the FortiAnalyzer unit completes the upload.
File Explorer
Tools > File Explorer > File Explorer displays the FortiAnalyzer unit’s directories and files.
There are two main directories:
• Archive: Contains files associated with eDiscovery, full DLP archiving, and the
quarantine.
• Storage: Contains information unlikely to change once written, like logs and reports.
Note: The file explorer lists log files stored using the Proprietary Index file system only. If
you have enabled SQL database storage, logs stored using that method will not appear in
the file explorer.
To expand or hide the two main directories or their sub-directories, click the plus or minus
icon located beside each directory name.
File Explorer is not visible under the Tools menu until enabled in System > Admin >
Settings. For details, see “Configuring the web-based manager’s global settings” on
page 82.
Figure 105: File Explorer
Maintaining firmware
Fortinet recommends reviewing this section before upgrading or downgrading the
FortiAnalyzer firmware because it contains important information about how to properly
back up your current configuration settings and log data, including what to do if the
upgrade or downgrade is unsuccessful.
In addition to firmware images, Fortinet releases patch releases – maintenance release
builds that resolve important issues. Fortinet strongly recommends reviewing the release
notes for the patch release before upgrading the firmware. Installing a patch release
without reviewing release notes or testing the firmware may result in changes to settings
or unexpected issues.
Note: Fortinet recommends upgrading the FortiAnalyzer unit during a low traffic period, for
example at night, to re-index log data. During the upgrade process, the FortiAnalyzer unit
re-indexes log data, which takes time to complete if there is a large amount of log data. You
can verify that the indexing of log data is complete by viewing the Alert Message console on
the Dashboard.
Downgrading from FortiAnalyzer 4.0 to FortiAnalyzer 3.0 MR7 is not supported.
This topic includes:
• Firmware upgrade path and general firmware upgrade steps
• Backing up your configuration
• Testing firmware before upgrading/downgrading
• Installing firmware from the BIOS menu in the CLI
• Upgrading your FortiAnalyzer unit
Firmware upgrade path and general firmware upgrade steps
Follow the path below to upgrade your FortiAnalyzer firmware. Failing to do so may cause
unexpected problems.
For more information about your specific firmware release, see the Release Notes for the
release.
Figure 106: Firmware upgrade path: V3.0 MR6 > V3.0 MR7 > V4.0 > V4.0 MR1 > V4.0 MR2
Follow the general upgrade steps below:
• Download and review the release notes for the firmware release.
• Download the firmware release from https://support.fortinet.com if you have registered
your FortiAnalyzer unit.
• Back up the current configuration. See “Backing up your configuration” on page 264.
• Test the firmware. See “Testing firmware before upgrading/downgrading” on page 265
and “Installing firmware from the BIOS menu in the CLI” on page 267.
• Upgrade the firmware. See “Upgrading your FortiAnalyzer unit” on page 267.
Backing up your configuration
Caution: Always back up your configuration and log data before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.
Fortinet recommends backing up all configuration settings from your FortiAnalyzer unit
before upgrading. This ensures all configuration settings are not lost if you later want to
downgrade and want to restore those configuration settings.
Backing up your configuration through the web-based manager
The following procedures describe how to back up your current configuration through the
web-based manager.
To back up your configuration file through the web-based manager
1 Go to System > Maintenance > Backup & Restore.
2 Select Local PC from the Backup Configuration to list.
3 Select Backup.
If you want to encrypt your configuration file, select the Encrypt configuration file check
box, enter a password, and enter the password again to confirm.
Backing up your configuration through the CLI
The following procedure describes how to back up your current configuration through the
CLI. You can enter a password for added security.
To back up your configuration file through the CLI
Enter the following to back up the configuration:
execute backup config <filename_str> <address_ipv4> <password_str>
This may take a few minutes.
Backing up your log files
Backing up your log files uses the same procedure as downloading log files. You can back
up log files through either the web-based manager or CLI. Fortinet recommends backing
up all log files before upgrading/downgrading, resetting to factory defaults, or when testing
a new firmware image.
To back up FortiAnalyzer 4.0 MR1/MR2 log files through the web-based manager
1 Go to Log & Archive > Log > Browse.
2 Select the device type from the Device Type list.
3 In the Log Files column, locate a device and log type. Select Expand Arrows to reveal
the specific log file (wlog.log, elog.log, etc.) that you want to back up.
4 Select Download.
5 Select one of the following:
Log file format: Select to download log files in text (.txt), comma-separated value
(.csv), or standard .log (Native) file format. Each log element is separated by a comma.
CSV files can be viewed in spreadsheet applications.
Compress with gzip: Compress the .log or .csv file with gzip compression. For example,
downloading a log-formatted file with gzip compression would result in a download with
the file extension .log.gz.
6 Select OK.
7 Select a location when prompted by your web browser to save the file.
To back up log files through the CLI
Enter the following to back up all log files:
execute backup logs all {ftp | sftp | scp} <server_ipv4> <username_str> <password_str> <directory_str>
After successfully backing up your configuration file, either from the CLI or the web-based
manager, proceed with upgrading.
Testing firmware before upgrading/downgrading
You may want to test the firmware you want to install before upgrading to a new firmware
version, maintenance or patch release. By testing the firmware image, you can familiarize
yourself with the new features and changes to existing features, as well as understand
how your configuration works with the firmware. You can test a firmware image by
installing it from a system reboot and saving it to system memory. After the firmware is
saved to system memory, the FortiAnalyzer unit operates using the firmware with the
current configuration.
The procedure does not permanently install the firmware; the next time the FortiAnalyzer
unit restarts, it operates using the firmware originally installed on the FortiAnalyzer unit.
You can install the firmware permanently using the procedures in “Upgrading your
FortiAnalyzer unit” on page 267.
You can use the following procedure for either a regular firmware image or a patch
release. The following procedure assumes that you have already downloaded the
firmware image to your management computer.
Note: After you test the firmware, and reboot the FortiAnalyzer unit, the original
configuration is cleared. You need to restore the configuration after testing the firmware.
To test the firmware image before upgrading/downgrading
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiAnalyzer unit and
TFTP server are successfully connected.
5 Enter the following to restart the FortiAnalyzer unit.
execute reboot
6 As the FortiAnalyzer unit reboots, a series of system startup messages appears. When
the following message appears,
Press any key to display configuration menu…
7 Immediately press any key to interrupt the system startup.
You have only three seconds to press any key. If you do not press a key soon enough,
the FortiAnalyzer unit reboots and you must log in and repeat steps 3 to 7 again.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[C]: Configuration and information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
8 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type the internal IP address of the FortiAnalyzer unit.
This IP address connects the FortiAnalyzer unit to the TFTP server. This IP address
must be on the same network as the TFTP server, but make sure you do not use an IP
address of another device on the network.
The following message appears:
Enter firmware image file name [image.out]:
11 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiAnalyzer unit and the
following appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
12 Type R.
The FortiAnalyzer firmware image installs and saves to system memory. The
FortiAnalyzer unit starts running the new firmware image with the current configuration.
When you are done testing the firmware, you can reboot the FortiAnalyzer unit and
resume using the original firmware. You will need to restore the original configuration file
after the testing.
Installing firmware from the BIOS menu in the CLI
Caution: You must back up your current configuration before using the following
procedure. The following procedure resets all settings to their default state, which includes
interface IP addresses, HTTP, HTTPS, SSH, and telnet access.
If you encounter access problems to the web-based manager after upgrading the
firmware, you can re-install the previous firmware image from the BIOS menu in the CLI.
During some upgrades, the firmware image may not successfully install on the
FortiAnalyzer unit, which may be caused by a corrupted firmware image.
To install firmware from the BIOS menu, use the procedure in “Testing firmware before
upgrading/downgrading” on page 265. At step 12 in the procedure, enter D instead of R.
The option D installs the firmware permanently on the FortiAnalyzer unit, as the default
firmware.
Upgrading your FortiAnalyzer unit
After backing up your current configuration, you can now upgrade the firmware on your
FortiAnalyzer unit. The following procedures are used every time you are upgrading the
firmware, whether it is a maintenance release or patch release.
You can also use the following procedure when installing a patch release. A patch release
is a maintenance release build that resolves important issues. You can install a patch
release whether the FortiAnalyzer unit was upgraded to the current firmware version or
not.
Note: The FortiAnalyzer upgrade path is as follows: Version 3.0 MR6 > MR7 > Version
4.0 > 4.0 MR1 > 4.0 MR2. However, the RVS configuration will not be carried forward and
the FortiGuard configuration will be reset to its defaults.
Upgrading/downgrading through the web-based manager
Caution: Always back up your configuration and log data before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.
The following procedure uses the web-based manager for upgrading the FortiAnalyzer
unit from version 4.0 MR1 to MR2. The following procedure assumes that you have
already downloaded the firmware image to your management computer.
To upgrade through the web-based manager
1 Copy the firmware image file to your management computer.
2 Log in to the web-based manager as the administrative user.
3 Go to System > Dashboard > Status.
4 In the System Information area, select Update for Firmware Version.
5 Enter the path and filename of the firmware image file, or select Browse and locate the
file.
6 Select OK.
7 The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware
version, restarts, and displays the FortiAnalyzer login. This process may take a few
minutes.
When the upgrade is successfully installed:
• Ping to your FortiAnalyzer unit to verify there is still a connection.
• Clear the browser’s cache and log in to the web-based manager.
After logging back in to the web-based manager, you should save the configuration
settings that are carried forward. Go to System > Maintenance > Backup & Restore to
save the configuration settings that carried forward.
Upgrading/downgrading through the CLI
Caution: Always back up your configuration and log data before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.
The following procedure uses the CLI and a TFTP server to upgrade the FortiAnalyzer unit
from 4.0 MR1 to MR2. The CLI upgrade procedure reverts all current firewall
configurations to factory default settings.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.
The procedures may vary depending on the firmware versions you use for the upgrade.
To upgrade to FortiAnalyzer 4.0 MR2 through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiAnalyzer unit and
TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiAnalyzer unit:
execute restore image tftp <name_str> <tftp_ip>
Where <name_str> is the name of the firmware image file and <tftp_ip> is the IP
address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiAnalyzer unit responds with a message similar to the following:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
The FortiAnalyzer unit uploads the firmware image file, upgrades to the new firmware
version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command to confirm that the firmware image installed
successfully:
get system status
Verifying the upgrade
After upgrading, you should verify that the configuration settings have been carried
forward. Verifying your configuration settings also enables you to familiarize yourself with
the new features and changes in the new firmware.
You can verify your configuration settings by:
• going through each menu and tab in the web-based manager
• using the show command in the CLI
Troubleshooting
This chapter provides troubleshooting techniques for some frequently encountered
problems. Each troubleshooting item describes both the problem and the solution.
For late-breaking troubleshooting information, see the Fortinet Knowledge Base.
This topic includes:
• Report issue
• Binary files issue
• CPU usage issue
• HA log issue
• NFS server connection issue
• Vulnerability management issues
• Upgrade issue
• Web-based manager issue
• Disk usage issue
• Device IP issue
• Error message "EXT3-fs error (device...)"
• Running an HQIP for hardware integrity control
• Packet capture (CLI sniffer) best practice
• No logs received with encryption enabled between a FortiGate unit and a FortiAnalyzer unit
Report issue
Problem
FortiAnalyzer reports show the same users twice (name in upper case and lower case).
Solution
When a FortiGate unit is set to require authentication, it may use two methods to
authenticate: LDAP and FSAE.
The behavior differs depending on the method used, which causes the FortiAnalyzer unit
to have two different log entries for the same user: one with the name in upper case and
one with the name in lower case.
The FortiAnalyzer reports will show the same user twice because the FortiAnalyzer filter
is case-sensitive.
This issue was resolved in FortiOS 4.0 MR1 with the addition of a new CLI command to
allow ALL user names logged to be in upper case. This is useful when the same servers
are shared by LDAP and FSAE.
Binary files issue
Problem
The Alert Message Console on the Dashboard may display a message similar to the
following:
2 of 70 binary files need to be regenerated.
Solution
The binary files indicated in the message are used by the FortiAnalyzer report engine to
generate reports. During a firmware upgrade, the binary files may have changed due to
new features. In such a case, the affected binary files are regenerated. This message
means that some of the binary files have not yet been regenerated.
The speed of regeneration (how long it takes to complete) depends on the activity of the
FortiAnalyzer unit, such as the logging rate and number of reports running.
The number displayed in the message will steadily decrease. It may briefly increase when
log files are manually imported, or in some cases during log rolling on a non-processed
file.
This is a normal process, and will resolve itself once the regeneration is complete.
CPU usage issue
Problem
The FortiAnalyzer unit’s CPU usage can appear to be continually high.
Solution
There are three key CPU-intensive operations on a FortiAnalyzer unit:
• Log indexing
A FortiAnalyzer unit deployed in a network can receive hundreds of log messages per
second throughout the day. The FortiAnalyzer unit indexes nearly all fields in a log
message to include it in the database. This process can be very CPU intensive, as the
indexing component is continually running to keep up with the incoming log messages.
• Report generation and other enhanced features
Due to the many reporting functions, various report generations can be running at any
time during the day, including:
  • security event reports
  • traffic summary reports
  • regular reports whose complexity can vary depending on the requirements
  • quota checking with log rolling
  • network sniffing
  • vulnerability scan.
• Summary reports daemon
The summary reports daemon (sumreportsd) is responsible for computing data for
drill down widgets configured on the dashboard.
The widgets are:
  • Top Web Traffic
  • Intrusion Activity
  • Virus Activity
  • Top FTP Traffic
  • Top Email Traffic
  • Top IM/P2P Traffic
  • Top Traffic
By default, none of these drill down widgets is enabled.
Depending on the hardware platform or the amount of logs present in the FortiAnalyzer
unit, sumreportsd may consume a considerable amount of CPU when running and
may run for a considerable amount of time (from a few minutes, to hours, or even
longer if it has to compute new data while still processing old ones). The resulting effect
is that drill down widgets may be empty or not up to date.
All these tasks can be CPU intensive, especially when a combination of them is occurring
at the same time. This can cause the CPU usage to stay at 90% or more a lot of the time.
It is important to set the indexing operation to the lowest priority so that the critical
processes such as receiving log messages will not be affected.
On smaller devices, such as the FortiAnalyzer-100A, where the CPU and disk speeds are
not as fast as the higher-end models, the CPU usage can appear more pronounced.
In case of high CPU usage, and depending on the current environment on the
FortiAnalyzer unit, it is suggested to:
• reduce the devices being monitored to only the ones needed
• reduce the Time Scope of a widget to a lower value (Hour or Day)
• disable all drill down widgets from all admin accounts.
HA log issue
Problem
When sending FortiGate logs to the FortiAnalyzer unit with a secure connection, only the
primary unit's logs are successfully received by the FortiAnalyzer unit.
Solution
When configuring a secure connection to send log information, you need to set the secure
connection for all units in an HA cluster on the FortiAnalyzer unit. For more information,
see “Secure” on page 123.
If the FortiAnalyzer unit will still not accept log information from the FortiGate unit for which
you have enabled secure connection, check if you entered the preshared key and the
device information correctly.
NFS server connection issue
Problem
When attempting to connect to the FortiAnalyzer unit as an NFS server, the connection
times out or does not connect.
Solution
The FortiAnalyzer unit uses the DNS settings to enable connections for network file
sharing. If the DNS settings are not configured correctly, or have incorrect DNS entries,
the FortiAnalyzer unit will not be able to perform reverse lookups for users attempting to
connect. If the FortiAnalyzer unit cannot perform this check, the operation times out,
appearing to the user as being unable to connect.
To verify your DNS configuration, go to System > Network > DNS. For more information,
see “Configuring DNS” on page 67.
Note that the FortiAnalyzer unit uses the DNS settings for a number of network functions.
The DNS settings must be valid to ensure the system functions correctly.
Vulnerability management issues
Problem
On the Dashboard, Vulnerability Management under License Information shows as Not
Registered.
Solution
Vulnerability Management is an additional service which, similar to FortiGuard Services,
must be purchased and registered.
Even if the FortiAnalyzer unit has been registered and licensed, Vulnerability Management
Service will show as “Not Registered” if it has not been purchased and registered.
Problem
Vulnerability management updates are not working.
Solution
1 Make sure you have a valid license.
Vulnerability management is a separate subscription that must be purchased. Make
sure that there is a valid VM subscription before starting to troubleshoot. For more
information, see “Scheduling & uploading vulnerability management updates” on
page 114.
2 Check the default gateway.
The FortiAnalyzer unit needs a default gateway to be able to access the Internet and
download updates. Go to System > Network > Routing and make sure the default
gateway is configured correctly.
If the default gateway is configured correctly, it should be possible to ping IP addresses
on the Internet (assuming that nothing is blocking the pings). This can be tested by
using the command:
exec ping <IP address on the Internet>
3 Make sure nothing is blocking port 443 from the FortiAnalyzer unit.
The FortiAnalyzer unit will contact the update servers on port 443. If something
(usually a firewall) is blocking port 443 from the FortiAnalyzer unit, it will not be able to
receive updates. Check if something is blocking port 443 by sniffing the traffic using the
command:
diag sniff packet any 'port 443' 4
If something is blocking port 443, TCP SYNs will be seen going out but with no TCP
SYN/ACKs coming back in.
4 Enable Debug.
There are a number of other issues that may be causing a problem with VM updates.
The easiest way to check all of them is to enable debugging and check the output for
errors. Run the commands below:
diag debug output enable
diag debug application fortiguard 8
exec update-vm
The output will show any errors that are happening with the update process. Once the
update is complete, it is important to disable debug using the commands:
diag debug application fortiguard 0
diag debug output disable
Upgrade issue
Problem
The message "Upload file is too big or invalid" may be seen when
upgrading a FortiAnalyzer unit from the web-based manager.
Solution
Assuming that the correct firmware image has been downloaded from
support.fortinet.com, a possible cause of this problem is related to the free memory on a
FortiAnalyzer unit that has had a long uptime. In order to load the required firmware
image, it is necessary to reboot the FortiAnalyzer unit so that more system resources
become available. Once the device has been rebooted, the upgrade will proceed as
required.
Web-based manager issue
Problem
After logging in to the web-based manager, the following occur:
• Console access window opens blank
• Menu, tabs and button bar do not work
• Log view settings are not saved.
Solution
Enable cookies and JavaScript in your browser. Make sure that cookies are not erased
when you close your browser.
Cookies store preferences for the browser you use to access the web-based manager. If
the cookies are erased when you close the browser (session cookies), the preferences
are not saved, and will not be available the next time you open the browser.
JavaScript is used for navigation of the menus and tabs in the web-based manager.
The following procedures describe how to enable cookies and JavaScript in Internet
Explorer and Firefox.
In Internet Explorer 6 and 7:
1 Go to Tools > Internet Options.
2 Select the Privacy Tab.
3 Select a level of Medium or lower for the Privacy level.
4 Select OK.
5 Select the Security Tab.
6 Select Custom Level.
7 In Settings, under Scripting, enable Active Scripting and Scripting of Java Applets.
8 Select OK.
In Firefox:
1 Go to Tools > Options.
2 Select Privacy.
3 Select Allow sites to set cookies.
4 Select Keep cookies until they expire.
5 Select Content.
6 Select Enable JavaScript.
7 Select OK.
Disk usage issue
Problem
Disk usage on a FortiAnalyzer unit shows different values than on a monitored FortiGate
unit.
Solution
The disk usage on a FortiGate unit shows the usage of the allocated space for that
particular FortiGate unit configured on the FortiAnalyzer unit. While the disk usage on the
FortiAnalyzer unit represents the total disk usage on the FortiAnalyzer unit as a whole.
For information about configuring allocated space for a device, see “Manually adding or
deleting a device or HA cluster” on page 127.
Device IP issue
Problem
Device IP address displays as 0.0.0.0 on the FortiAnalyzer unit device list (Devices > All
Devices > Allowed) even if the FortiGate unit is already registered on the FortiAnalyzer
unit.
Solution
The FortiAnalyzer unit will change the IP once it receives logs from the FortiGate unit. The
IP address of the FortiGate unit is 0.0.0.0 if the FortiAnalyzer unit has not received logs
from the FortiGate unit.
The FortiAnalyzer unit may not be receiving logs even if the Test Connectivity test on the
FortiGate unit shows that the FortiGate unit is connected to the FortiAnalyzer unit (on the
FortiGate unit: Log&Report > Log Config > Log Settings > FortiAnalyzer > Test
Connectivity). This can be because the FortiGate unit is configured to send logs to the
FortiAnalyzer unit but is not generating any logs yet, or because of a connectivity
problem between the FortiGate unit and the FortiAnalyzer unit on UDP port 514 (Test
Connectivity runs on TCP port 514).
Non-encrypted connection
You can use sniffer commands to check if the FortiGate unit is generating logs and if the
FortiAnalyzer unit is receiving them. Note that the commands below are for non-encrypted
traffic.
On the FortiGate unit:
diagnose sniffer packet any 'host <IP address of FortiAnalyzer> and port 514' 4
On the FortiAnalyzer unit:
diagnose sniffer packet any 'host <IP address of the FortiGate> and port 514'
This shows whether the FortiGate unit is sending traffic and whether the FortiAnalyzer
unit is receiving it. The TCP sessions in the sniffer output carry content archive logs,
while the UDP sessions carry normal logs and just about everything else.
Common Cases:
1 The FortiGate unit is generating logs but the FortiAnalyzer unit is not receiving them.
This is usually due to something dropping (filtering) out port 514 (UDP or TCP)
between the FortiGate and the FortiAnalyzer units.
2 The FortiGate unit is not generating logs. Check the logging options on the firewall
policies and the protection profiles. Make sure they are set to send logs to the
FortiAnalyzer unit. Also check the logging level on the FortiGate unit and make sure it
is not set too high (Log&Report > Log Config > Log Settings > FortiAnalyzer >
Minimum log level). If these are set correctly you can check the filters on the FortiGate
unit by running the CLI command:
show full log fortianalyzer filters
Encrypted Connections
You can sniff the connection between the FortiGate unit and the FortiAnalyzer unit using
the commands:
On the FortiGate unit:
diagnose sniffer packet any 'host <IP address of FortiAnalyzer>' 4
On the FortiAnalyzer unit:
diagnose sniffer packet any 'host <IP address of FortiGate>'
UDP port 500 is for IKE trying to create the VPN tunnel between the FortiGate unit and the
FortiAnalyzer unit. If this is the only thing you see between the two devices, then the
encryption settings between the FortiGate unit and FortiAnalyzer unit are not correct and
the tunnel cannot be established.
IP protocol 50 is for ESP which carries the encrypted traffic. If you see IP protocol 50
leaving the FortiGate unit but not reaching the FortiAnalyzer unit, then something is
dropping the packets in the middle, although seeing IP protocol 50 means that the
connection settings are correct between the two devices.
Error message "EXT3-fs error (device...)"
Problem
FortiAnalyzer unit doesn't boot properly and/or some errors are displayed on console
during the boot.
Example 1:
Reading boot image 1463602 bytes.
Initializing firewall...
System is started.
EXT3-fs error (device md(9,0)): ext3_readdir: bad entry in directory #1474561: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
EXT3-fs error (device md(9,0)): ext3_readdir: bad entry in directory #1474561: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, name_len=0
Example 2:
Reading boot image 1463602 bytes.
Initializing firewall...
System is started.
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=130817, block=262146
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failure
EXT3-fs error (device ide0(3,1)): ext3_get_inode_loc: unable to read inode block - inode=65409, block=131074
EXT3-fs error (device ide0(3,1)) in ext3_reserve_inode_write: IO failur
Some error details may vary from one device to another, but the EXT3-fs error indicates
there is an issue with the local file system.
Solution
This issue appears to be due to some corruption in the file system that affects the boot
device and/or firmware loading.
In most cases the issue may be resolved by reformatting the boot device and then
reinstalling the firmware via TFTP.
Make sure to reload the same firmware version as the one used to save the configuration
backup file. In case there is no configuration backup file, the unit needs to be reconfigured
from scratch.
To reload the firmware:
1 Connect to the FortiAnalyzer unit on the serial console.
2 Reboot the unit and hit any key to enter the Boot Menu.
3 Select "format boot device".
4 Select "Reload Firmware via TFTP".
5 When the unit is up, open the web-based manager and go to System > Maintenance >
Backup & Restore and restore the latest configuration from backup.
Running an HQIP for hardware integrity control
The Hardware Quick Inspection Package (HQIP) test image can be used to check the
FortiAnalyzer unit's system function and its interfaces. HQIP will check almost all
components, including CPU, memory, Compact Flash, hard disk and PCI devices
(NIC/ASIC). It will also check the critical benchmarks and system configurations.
HQIP cannot detect all hardware malfunctions. If the FortiAnalyzer unit is rebooting or
unstable, HQIP cannot detect the issues.
If an HQIP test is required, follow the instructions in Fortinet Knowledge Base.
Packet capture (CLI sniffer) best practice
Fortinet devices include a built-in sniffer that you can use for debugging purposes. Details
on its usage are explained in the Fortinet Knowledge Base.
The following are suggestions to improve the usability of this tool:
• Always include ICMP in the sniffer filter. You may capture an ICMP error message that
can help identify the cause of the problem. For example:
diag sniff packet interface wan1 'tcp port 3389 or icmp' 3
• Use the "any" interface if you want to confirm that a specific packet is received or sent
by the Fortinet device, without specifically knowing on which interface this may be. This
will essentially enable the sniffer for all interfaces. For example:
diag sniff packet interface any 'tcp port 3389' 3
• The Fortinet device may not display all packets if too much information is requested to
be displayed, or the traffic being sniffed is significant. When this occurs, the unit will log
the following message once the trace is terminated:
12151 packets received by filter
3264 packets dropped by kernel
When this occurs, it is possible that what you were attempting to capture was not
actually captured. In order to avoid this, you may try to tighten the display filters,
reduce the verbose level, or perform the trace during a lower traffic period.
• The packet timestamps as displayed by the sniffer may become skewed or delayed
under high load conditions. This may occur even if no packets were dropped (as
mentioned above). Therefore, it is not recommended that you rely on these values in
order to troubleshoot or measure performance issues that require absolute precise
timing.
• Enabling the sniffer will consume additional CPU resources. This can be as high as an
additional 25% of CPU usage on low-end models. Therefore, enabling it on a unit that
is experiencing excessively high CPU usage can only render the situation worse. If you
must perform a sniff, keep the sniffing sessions short.
• The Ethernet source and/or destination MAC addresses may be incorrect when using
the "any" interface. They may be displayed as all zeros (00:00:00:00:00:00) or
00:00:00:00:00:01.
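As an added illustration of reading the sniffer output that the troubleshooting items in this chapter rely on (this is example code, not part of the Fortinet guide or product), the following Python script parses a capture and applies the checks described above: TCP SYNs to port 443 with no SYN/ACK coming back (the "Vulnerability management issues" item), UDP port 514 log traffic present or absent (the "Device IP issue" item), IKE on UDP port 500 without ESP (the encrypted-connection case), and the "packets dropped by kernel" trailer from the best-practice list. The sample capture lines are constructed, and the field layout assumed for verbosity 4 output (timestamp, interface, direction, source, destination, then protocol or TCP flags) is an assumption; adjust PACKET_RE if your firmware prints the fields differently.

```python
"""Triage of 'diagnose sniffer packet' output on the FortiGate-to-FortiAnalyzer
log path. Constructed example, not code from the Fortinet guide.

Assumed line layout (verbosity 4):
    <timestamp> <interface> <in|out> <src>[.<port>] -> <dst>[.<port>]: <proto or flags>
ESP is assumed to print as 'ip-proto-50' or 'ESP'.
"""
import re

PACKET_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ifname>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)
TRAILER_RE = re.compile(r"^(?P<n>\d+) packets (?P<what>received by filter|dropped by kernel)$")

# Constructed sample captures (RFC 5737 documentation addresses).
# Repeated SYNs to the update server with no SYN/ACK: something drops port 443.
CAPTURE_443_BLOCKED = """\
1.000001 port1 out 192.0.2.30.40001 -> 203.0.113.10.443: syn 1001
2.000002 port1 out 192.0.2.30.40001 -> 203.0.113.10.443: syn 1001
4.000003 port1 out 192.0.2.30.40001 -> 203.0.113.10.443: syn 1001
"""
# IKE negotiation only, no ESP: the tunnel never comes up.
CAPTURE_IKE_ONLY = """\
0.100000 port1 in 192.0.2.20.500 -> 192.0.2.30.500: udp 252
0.120000 port1 out 192.0.2.30.500 -> 192.0.2.20.500: udp 84
0.600000 port1 in 192.0.2.20.500 -> 192.0.2.30.500: udp 252
"""
# Healthy non-encrypted logging seen from the FortiAnalyzer side, with a lossy trailer.
CAPTURE_LOGS_OK = """\
0.500000 port1 in 192.0.2.20.1025 -> 192.0.2.30.514: udp 350
0.900000 port1 in 192.0.2.20.40002 -> 192.0.2.30.514: syn 77
0.900500 port1 out 192.0.2.30.514 -> 192.0.2.20.40002: syn 99 ack 78
0.950000 port1 in 192.0.2.20.1025 -> 192.0.2.30.514: udp 412
12151 packets received by filter
3264 packets dropped by kernel
"""


def parse_sniffer(text):
    """Return one dict per packet line; trailer and unparseable lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["sport"] = int(p["sport"]) if p["sport"] else None
        p["dport"] = int(p["dport"]) if p["dport"] else None
        packets.append(p)
    return packets


def _is_udp(p, port):
    return p["rest"].startswith("udp") and port in (p["sport"], p["dport"])


def tcp_handshake(packets, port):
    """Count SYNs sent to `port` and SYN/ACKs answered from it, regardless of
    which side the capture was taken on. SYNs with zero SYN/ACKs is the
    signature of a firewall silently dropping the connection."""
    syns = sum(1 for p in packets if p["dport"] == port
               and p["rest"].startswith("syn") and " ack " not in p["rest"])
    synacks = sum(1 for p in packets if p["sport"] == port
                  and p["rest"].startswith("syn") and " ack " in p["rest"])
    return syns, synacks


def ipsec_state(packets):
    """'esp' if encrypted log traffic flows, 'ike-only' if only the IKE
    exchange on UDP 500 is seen (tunnel not established), else 'none'."""
    ike = any(_is_udp(p, 500) for p in packets)
    esp = any(p["rest"].startswith(("ip-proto-50", "ESP")) for p in packets)
    return "esp" if esp else ("ike-only" if ike else "none")


def capture_loss(text):
    """Parse the trailer printed when the trace ends; returns (received, dropped)."""
    received = dropped = 0
    for line in text.splitlines():
        m = TRAILER_RE.match(line.strip())
        if m and m["what"] == "received by filter":
            received = int(m["n"])
        elif m:
            dropped = int(m["n"])
    return received, dropped


def triage(text, log_port=514, update_port=443):
    """Summarise one capture into the checks the troubleshooting items call for."""
    packets = parse_sniffer(text)
    syns, synacks = tcp_handshake(packets, update_port)
    return {
        "packets": len(packets),
        "update_port_blocked": syns > 0 and synacks == 0,
        "logs_udp_seen": any(_is_udp(p, log_port) for p in packets),
        "ipsec": ipsec_state(packets),
        "capture_lossy": capture_loss(text)[1] > 0,
    }


if __name__ == "__main__":
    for name, cap in (("443 blocked", CAPTURE_443_BLOCKED),
                      ("IKE only", CAPTURE_IKE_ONLY), ("logs ok", CAPTURE_LOGS_OK)):
        print(name, triage(cap))
```

A capture flagged as lossy ("capture_lossy") should not be used to conclude that traffic is absent; re-run it with a tighter filter or a lower verbosity level, as the best-practice list above recommends.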
No logs received with encryption enabled between a FortiGate unit
and a FortiAnalyzer unit
Logs are being sent correctly from the FortiGate unit to the FortiAnalyzer unit when
encryption is disabled but no logs are received once encryption is enabled.
Sniffing the traffic between the FortiGate unit and the FortiAnalyzer unit only shows UDP
port 500 (IKE) but does not show IP protocol 50 (ESP):
On the FortiGate unit, run the command:
diag sniff packet any 'host <IP address of FortiAnalyzer> and port 514' 4
On the FortiAnalyzer unit, run the command:
diag sniff packet any 'host <IP address of the FortiGate> and port 514' 4
The VPN monitor on the FortiGate unit (VPN > IPSec > Monitor) also shows the tunnel as
down.
The most common cause of this problem is that the Local ID on the FortiGate unit is not
configured correctly.
Use the following commands to enable encryption between the FortiGate unit and the
FortiAnalyzer unit:
On the FortiGate unit:
config system fortianalyzer
set encrypt enable
set psksecret <presharedkey_str>
set localid <devname_str>
end
On the FortiAnalyzer unit:
config log device
edit <devname_str>
set secure psk
set psk <presharedkey_str>
set id <devid_str>
end
Note that the local ID on the FortiGate unit (line 4) needs to match the device name on the
FortiAnalyzer unit (line 2). If these values do not match, the IPSec tunnel will not be
established.
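The following Python check, added here as an example and not taken from the Fortinet guide or the products, parses the two CLI configuration blocks above and reports the mismatches this item describes: a missing set encrypt enable, a localid that does not match a device name under config log device (compared case-sensitively, as the CLI does), a device not set to secure psk, and pre-shared keys that differ. The configuration text and the key and serial values in it are constructed placeholders; the parser assumes only the config/edit/set/next/end grammar shown above.

```python
"""Consistency check for FortiGate / FortiAnalyzer encrypted logging settings.
Constructed example, not code from the Fortinet guide or products.
"""
import shlex

# Constructed sample configurations; key and serial values are placeholders.
FGT_CFG = """\
config system fortianalyzer
    set encrypt enable
    set psksecret "EXAMPLE-PSK-PLACEHOLDER"
    set localid FGT-BRANCH-1
end
"""
FAZ_CFG_OK = """\
config log device
    edit FGT-BRANCH-1
        set secure psk
        set psk "EXAMPLE-PSK-PLACEHOLDER"
        set id FGTSERIAL-PLACEHOLDER
    next
end
"""
# Same settings, but the device name differs from the FortiGate localid in case only,
# and 'next' is omitted as in the guide's own listing.
FAZ_CFG_MISMATCH = """\
config log device
    edit fgt-branch-1
        set secure psk
        set psk "EXAMPLE-PSK-PLACEHOLDER"
        set id FGTSERIAL-PLACEHOLDER
end
"""


def parse_fortinet_config(text):
    """Minimal parser: 'config <table>' and 'edit <entry>' open nested dicts,
    'set <attr> <value...>' stores an attribute, 'next' closes an edit and
    'end' closes the enclosing config (also closing an edit left open)."""
    root = {}
    stack = [("root", root)]
    for raw in text.splitlines():
        words = shlex.split(raw.strip())
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            node = stack[-1][1].setdefault(" ".join(args), {})
            stack.append(("config", node))
        elif kw == "edit":
            node = stack[-1][1].setdefault(args[0], {})
            stack.append(("edit", node))
        elif kw == "set":
            stack[-1][1][args[0]] = " ".join(args[1:])
        elif kw == "next":
            if stack[-1][0] == "edit":
                stack.pop()
        elif kw == "end":
            while len(stack) > 1 and stack[-1][0] != "config":
                stack.pop()
            if len(stack) > 1:
                stack.pop()
    return root


def check_encryption_pairing(fortigate_cfg, fortianalyzer_cfg):
    """Return a list of problems; an empty list means the pairing is consistent."""
    fgt = parse_fortinet_config(fortigate_cfg).get("system fortianalyzer", {})
    devices = parse_fortinet_config(fortianalyzer_cfg).get("log device", {})
    problems = []
    if fgt.get("encrypt") != "enable":
        problems.append("FortiGate: 'set encrypt enable' is missing")
    localid = fgt.get("localid")
    if not localid:
        problems.append("FortiGate: 'set localid' is missing")
        return problems
    dev = devices.get(localid)  # case-sensitive, like the CLI itself
    if dev is None:
        problems.append(f"FortiAnalyzer: no 'config log device' entry named "
                        f"{localid!r}; the FortiGate localid must equal the device name")
        return problems
    if dev.get("secure") != "psk":
        problems.append(f"FortiAnalyzer: device {localid!r} is not set to 'secure psk'")
    if dev.get("psk") != fgt.get("psksecret"):
        problems.append("pre-shared keys differ between the two units")
    return problems


if __name__ == "__main__":
    print("ok:", check_encryption_pairing(FGT_CFG, FAZ_CFG_OK))
    print("mismatch:", check_encryption_pairing(FGT_CFG, FAZ_CFG_MISMATCH))
```

Run the check against the configuration text you intend to apply rather than against the output of show on a FortiGate unit, which prints psksecret as an encrypted ENC value and so cannot be compared with the FortiAnalyzer unit's psk.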
Appendix A: SNMP MIB support
The FortiAnalyzer SNMP agent supports the following management information blocks
(MIBs):
Table 7: FortiAnalyzer MIBs
MIB or RFC | Description
FORTINET-CORE-MIB | This Fortinet-proprietary MIB enables your SNMP manager to query for system information and to receive traps that are common to multiple Fortinet devices.
FORTINET-FORTIANALYZER-MIB | This Fortinet-proprietary MIB enables your SNMP manager to query for FortiAnalyzer-specific information and to receive FortiAnalyzer-specific traps.
RFC-1213 (MIB II) | The FortiAnalyzer SNMP agent supports MIB II groups, except: (1) there is no support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10); (2) protocol statistics returned for MIB II groups (IP, ICMP, TCP, UDP, etc.) do not accurately capture all FortiAnalyzer traffic activity; more accurate information can be obtained from the information reported by the FortiAnalyzer MIB.
RFC-2665 (Ethernet-like MIB) | The FortiAnalyzer SNMP agent supports Ethernet-like MIB information except the dot3Tests and dot3Errors groups.
You can obtain these MIB files from the Fortinet Technical Support web site,
https://support.fortinet.com.
To be able to communicate with your FortiAnalyzer unit’s SNMP agent, you must first
compile these MIBs into your SNMP manager. If the standard MIBs used by the SNMP
agent are already compiled into your SNMP manager, you do not have to compile them
again.
To view a trap or query’s name, object identifier (OID), and description, open its MIB file in
a plain text editor.
All traps sent include the message, the FortiAnalyzer unit’s serial number, and host name.
For instructions on how to configure traps and queries, see “Configuring the SNMP agent”
on page 92.
Appendix B: Report templates
This appendix describes the pre-defined report templates for the FortiGate units, FortiMail
units, and FortiClient installations.
For more information about reports in general, such as how to create a report, including
scheduling reports, see “Reports” on page 165.
This topic includes:
• FortiGate report templates
• FortiClient Report Templates
• FortiMail Report Templates
FortiGate report templates
Depending on your selection of the log storage system (see “Configuring SQL database
storage” on page 83), the following categories of FortiGate report templates are available:
• Proprietary Indexed file system
  • Intrusion Activity
  • Antivirus Activity
  • Webfilter Activity
  • Email Filter Activity
  • IM Activity
  • DLP Activity
  • Network Analysis
  • Web Activity
  • Mail Activity
  • FTP Activity
  • Terminal Activity
  • VPN Activity
  • Event Activity
  • P2P Activity
  • VoIP Activity
  • Data Leak Activity
  • Application Control Activity
  • Network Scan
• SQL database
  • Application_Control
  • Intrusion_Detection
  • AntiVirus
  • Data_Leak_Prevention
  • Email Filter
  • Event
  • Traffic
Intrusion Activity
Intrusion Activity report templates contain statistics about the FortiGate intrusion activity.
Table 8: Intrusion Activity report templates
Report | Description
Top Attacks | The most frequently detected attack types over the reporting period.
Top Attacks per Category (signature/Anomaly) | The number of attacks for each attack category over the reporting period, broken down by attack type.
Top Attack Sources | The most frequent sources of attacks over the reporting period.
Top Attack Destinations | The most frequently attacked destinations over the reporting period.
Attacks by Time Period | The time period breakdown of the number of detected attacks.
Top Attack Protocols | The protocols used most frequently for attacks.
Top Attacks per Traffic Direction | The number of attacks over the reporting period, broken down by direction and attack ID.
Top Attacks per Counter-Measure | The number of attacks over the reporting period, broken down by attack status and attack type.
Top Attacks for Most Common Protocols | The protocols carrying the most attacks over the reporting period, broken down by attack type.
Top Attack Sources per Traffic Direction | The number of attacks over the reporting period, broken down by direction and source IP address.
Top Sources for Most Common Attacks | The most frequently detected attack types over the reporting period, broken down by sources.
Top Sources for the Most Common Destinations | The most frequently attacked destinations over the reporting period, broken down by source.
Top Attacks per Device | The most frequently attacked destinations over the reporting period, broken down by device and attack ID.
Top Devices by Number of Attack Detections | The most frequently detected attack target devices over the reporting period.
Top Devices by Number of Attack Detections for Most Common Attacks | The most frequently detected attack types over the reporting period, broken down by device.
Antivirus Activity
Antivirus Activity report templates contain statistics about the FortiGate antivirus activity.
Table 9: Antivirus Activity report templates
Top Viruses: The most frequently detected viruses over the reporting period.
Antivirus Violations Breakdown (Infected/Oversize/Filename): The antivirus events for each event type.
Antivirus Actions per Violation Type (Infected/Oversize/Filename): The breakdown of the antivirus actions for each violation type (infected/oversize/filename) over the reporting period.
Top Virus Sources: The most frequent sources of viruses.
Top Virus Destinations: The most frequent destinations for viruses.
Top Virus Protocols: The protocols with the most frequent virus infections.
Top Infected Files: The most frequently infected files over the reporting period.
Top Infected File Extensions: The most frequently infected file extensions.
Top Viruses per Traffic Direction: The most frequently detected viruses for each traffic direction over the reporting period.
AV Events by Top Senders and Virus Name (MM1): The most frequent senders of viruses over the reporting period, broken down by virus name.
AV Events by Top Receivers and Virus Name (MM1): The most frequent receivers of viruses over the reporting period, broken down by virus name.
Total Number of Unique Infected MSISDN per Country: The total number of infected MSISDN per protection profile per VDOM over the reporting period.
Infected Customer Base: The number of infected MSISDN customers over the reporting period and the last period.
Overall Trends: Overall trends of all MMS/intercepted messages, detected malware, and infected MSISDN over the reporting period, compared with the last period.
Total Number of Virus Senders per Country (MM1): The total number of virus senders per protection profile per VDOM over the reporting period.
Top Virus per Virus Class: The number of occurrences of the variations of viruses over the reporting period.
Top Virus Sources over POP3: The most frequent sources of viruses over POP3.
Top Virus Sources over SMTP: The most frequent sources of viruses over SMTP.
Top Virus Sources over IMAP: The most frequent sources of viruses over IMAP.
Top Virus Sources over FTP: The most frequent sources of viruses over FTP.
Top Virus Sources over HTTP: The most frequent sources of viruses over HTTP.
Top Virus Receivers over Email: The most frequent receivers of virus-infected mail over the reporting period.
Top Virus Destinations over POP3: The most frequent sources of viruses over POP3.
Top Virus Destinations over SMTP: The most frequent sources of viruses over SMTP.
Top Virus Destinations over IMAP: The most frequent sources of viruses over IMAP.
Top Virus Destinations over FTP: The most frequent sources of viruses over FTP.
Top Virus Destinations over HTTP: The most frequent sources of viruses over HTTP.
Top Infected File Extensions over POP3: The most frequently infected file extensions over POP3.
Top Infected File Extensions over SMTP: The most frequently infected file extensions over SMTP.
Top Infected File Extensions over IMAP: The most frequently infected file extensions over IMAP.
Top Infected File Extensions over FTP: The most frequently infected file extensions over FTP.
Top Infected File Extensions over HTTP: The most frequently infected file extensions over HTTP.
Top Devices by Antivirus Violations: The total number of antivirus events over the reporting period, broken down by device.
Top Sources with Antivirus Violations Breakdown (Infected/Oversize/Filename): The sources with the most AV events over the reporting period, broken down by event type.
Top Sources (Email or IP) Antivirus Violations Breakdown (Infected/Oversize/Filename): The senders (email or IP address) of the most AV events over the reporting period, broken down by event type.
Top Destinations (IP) with Antivirus Violations Breakdown (Infected/Oversize/Filename): The destinations of the most AV events over the reporting period, broken down by event type.
Top Destinations (Email or IP) with Antivirus Violations Breakdown (Infected/Oversize/Filename): The receivers (email or IP address) of the most AV events over the reporting period, broken down by event type.
Top Devices with Antivirus Violations Breakdown (Infected/Oversize/Filename): The total number of antivirus events over the reporting period, broken down by device and event type.
Top Protocols with Antivirus Violations Breakdown (Infected/Oversize/Filename): The total number of antivirus events over the reporting period, broken down by Internet service and by event type.
Top Virus Sources per Traffic Direction: The most frequent sources of viruses over the reporting period for each traffic direction.
Top Viruses for Most Common Sources (IP): The most frequent sources of viruses over the reporting period, broken down by virus name.
Top Viruses for Most Common Sources (Email or IP): The most frequent sources of viruses over the reporting period, broken down by virus name.
Top Viruses for Most Common Destinations (IP): The most frequent virus destinations over the reporting period, broken down by virus name.
Top Infected Files for Most Common Sources: The most frequent sources of viruses over the reporting period, broken down by infected file name.
Top Infected Files for Most Common Destinations (IP): The most frequent virus destinations over the reporting period, broken down by infected file name.
Webfilter Activity
Webfilter Activity report templates contain statistics about the FortiGate webfiltering activity.
Table 10: Webfilter Activity report templates
All Allowed Web Sites: Breakdown of sites by permitted categories.
All Blocked Web Sites: Breakdown of sites by blocked categories.
Top Allowed Categories: The most frequently allowed web categories over the reporting period.
Top Blocked Categories: The most frequently blocked web categories over the reporting period.
All Requested Web Sites by Time Period: Breakdown of web sites by access time.
Top Allowed Web Sites: The most frequently allowed web sites over the reporting period.
Top Blocked Web Sites: The most frequently blocked web sites over the reporting period.
Top Allowed Web Users: The sources with the most allowed web page requests over the reporting period.
Top Blocked Web Users: The users with the most blocked web site connection attempts over the reporting period.
Top Active Web Users: The clients with the most web page requests over the reporting period.
Top Requested Web Domains: The destinations with the most web page access attempts.
Top Requested Web Pages: The most frequently requested web pages.
Allowed Web Activity over Time Period: The number of web page requests, listed by time.
Blocked Web Activity over Time Period: The number of blocked web page requests, listed by time.
Top Requested File Types: The most frequently requested file types over the reporting period.
Estimated Browse Time: Breakdown of estimated browse time.
Total Hits per Status (allowed/blocked/etc): Breakdown of web filter events by status.
Total Hits per Device: Breakdown of web filter events by device.
Total Hits per Web Filter Type: The number of web hits for each filter type.
Top Web Users per Device: The sources with the most web page requests for each device over the reporting period.
Top Web Users with Status Breakdown (allowed/blocked/etc): The sources with the most web page requests over the reporting period, broken down by webfilter status.
Top Web Sites with Status Breakdown (allowed/blocked/etc): The most frequently requested web sites over the reporting period, broken down by webfilter status.
Top Web Pages with Status Breakdown (allowed/blocked/etc): The most frequently requested web pages over the reporting period.
Top Requested Categories: The most frequently requested categories over the reporting period.
Top Block Web Risk Groups: The most frequently blocked web risk groups over the reporting period.
Top Requested Web Risk Groups: The most frequently requested web risk groups over the reporting period.
Top Web Sites for Most Active Users: The clients with the most web page requests over the reporting period, broken down by web site.
Top Web Sites for Most Blocked Users: The clients with the most blocked web page requests over the reporting period, broken down by web site.
Top Web Sites + Category for Most Active Users: The clients with the most web page requests over the reporting period, broken down by web site.
Top Allowed Categories for Most Active Users: The sources with the most allowed web page requests over the reporting period, broken down by web site.
Top Blocked Categories for Most Active Blocked Users: The sources with the most blocked web page requests over the reporting period, broken down by category.
Top Users for Most Requested Web Pages: The web pages that received the most hits over the reporting period, broken down by web client.
Top Web Overrides: The most frequently overridden web page requests over the reporting period.
Top Users for Web Overrides: The sources with the most overridden web page requests over the reporting period, broken down by web site.
Email Filter Activity
Email Filter Activity report templates contain statistics about the FortiGate antispam activity.
Table 11: Email Filter Activity report templates
Mail Summary (by Email Count): The mail count over the reporting period, broken down by status.
Mail Summary (by Email Size): The mail traffic volume over the reporting period, broken down by status.
Top Spam Sources: The most frequent spam senders over the reporting period.
Top Spam Destinations: The most frequent spam receivers over the reporting period.
Spam Activity by Time Period: Breakdown of spam activities.
Top Spam Sources with Blocking Criteria Breakdown: The spammers that sent the most spam emails over the reporting period, broken down by blocking criteria.
Top Spam Sources per Device: The spammers that sent the most spam emails for each device over the reporting period.
Top Spam Destinations per Device: The most frequent mail receivers for each device over the reporting period.
Total Spam per Device (by Email Count): The spam count over the reporting period, broken down by device.
Total Spam per Device (by Email Size): The spam traffic volume over the reporting period, broken down by device.
Top Spam Sources for Most Common Destinations: The most frequent spam email receivers over the reporting period, broken down by mail sender.
Top Spam Blocking Criteria per Device: The most frequent mail blocking criteria for each device over the reporting period.
IM Activity
Instant Message (IM) Activity report templates contain statistics about instant messaging activity filtered by the FortiGate unit.
Table 12: IM Activity report templates
Total IM Events per Protocol: The number of established IM sessions for each IM protocol over the reporting period.
Total IM Events per Message Category (chat/file/etc.): The established IM sessions over the reporting period, broken down by permitted action.
Top IM Sources by Messages: The local IM users with the most messages over the reporting period.
Top IM Sources by Traffic Volume: The local IM users with the most traffic volume over the reporting period.
Top IM Destinations by Messages: The remote IM users with the most messages over the reporting period.
Top Destinations by Traffic Volume: The remote IM users with the most traffic volume over the reporting period.
Top Local IM Users: The local IM users with the most connection attempts.
Top Local IM Users (FortiOS 4.0 GA or earlier): The local IM users with the most connection attempts, for configuring reports with log information that is FortiOS 4.0 GA or earlier.
Top Allowed Local IM Users per IM Protocol: The local IM users with the most established sessions for each IM protocol over the reporting period.
Top Blocked Local IM Users per IM Protocol: The local IM users with the most blocked sessions for each IM protocol over the reporting period.
Top Blocked Local IM Users per IM Protocol (FortiOS 4.0 GA or earlier): The local IM users with the most blocked sessions for each IM protocol over the reporting period, for configuring reports with log information that is FortiOS 4.0 GA or earlier.
Top Allowed Local IM Users: The local IM users with the most allowed sessions.
Top Blocked Local IM Users: The local IM users with the most blocked sessions.
Top Blocked Local IM Users (FortiOS 4.0 GA or earlier): The local IM users with the most blocked sessions, for configuring reports with log information that is FortiOS 4.0 or earlier.
Top Allowed Remote IM Users: The remote IM users with the most allowed sessions.
Top Blocked Remote IM Users: The remote IM users with the most blocked sessions.
Top Blocked Remote IM Users (FortiOS 4.0 GA or earlier): The remote IM users with the most blocked sessions, for configuring reports with log information that is FortiOS 4.0 GA or earlier.
Top Local IM Users per Message Category (chat/file/etc): The local IM users with the most connection attempts over the reporting period, broken down by action.
Top Local IM Users per Message Category (chat/file/etc) (FortiOS 4.0 GA or earlier): The local IM users with the most connection attempts over the reporting period, broken down by action, for configuring reports with log information that is FortiOS 4.0 GA or earlier.
Top Actions for Most Active Sources: The local IP with the most actions over the reporting period.
Top Local IM Users for Most Active Sources: The local IP with the most active local users over the reporting period.
Top Remote IM Users for Most Active Sources: The local IP with the most active remote users over the reporting period.
DLP Activity
DLP Activity report templates contain statistics about the DLP archive activity filtered by the FortiGate unit.
Table 13: DLP Activity report templates
Number of Inspected Messages per Application: The units of filtered content, broken down by Internet service.
Volume of Filtered DLP content per Application: The volume of content filtered traffic, broken down by Internet service.
Volume of Filtered DLP content per Device: The traffic of filtered content, broken down by device.
Volume of Filtered DLP content per Source: The traffic of filtered content, broken down by source.
Volume of Filtered DLP content per Destination: The traffic of filtered content, broken down by destination.
Top HTTP Servers by Volume: Breakdown of web traffic by servers.
Top HTTP Servers by Volume per Virus Status: Breakdown of web traffic by virus status and servers.
Network Analysis
Network Analysis report templates contain statistics about the network activity going through the FortiGate unit.
Table 14: Network Activity report templates
Traffic Volume by Direction: The traffic volume for the reporting period, broken down by direction.
Top Services by Volume: The Internet services with the most traffic volume over the reporting period.
Top Sources by Volume: The sources with the most traffic volume over the reporting period.
Top Destinations by Volume: The destinations with the most traffic volume over the reporting period.
Top Source-Destination Pairs by Volume: The sources with the most traffic volume over the reporting period, broken down by destination.
Top Destination-Source Pairs by Volume: The destinations with the most traffic volume over the reporting period, broken down by source.
Top Denied Sources: The sources with the most policy violation attempts.
Top Denied Destinations: The destinations with the most policy violation attempts.
Top Denied Services: The Internet services with the most policy violation attempts.
Top Denied Policies: The firewall policies with the most violation attempts.
Top Allowed Policies by Number of Firewall Sessions: The firewall policies with the most allowed sessions.
Top Allowed Policies by Volume: The firewall policies with the most allowed traffic volume.
Traffic Volume per Device: The traffic volume over the reporting period, broken down by device.
Top Services by Volume per Device: The traffic volume over the reporting period, broken down by device.
Top Services by Volume per Traffic Direction: The Internet services with the most traffic volume over the reporting period, broken down by direction.
Top Services by Volume for most Common Sources: The sources with the most traffic volume over the reporting period, broken down by Internet service.
Top Services by Volume for most Common Destinations: The destinations with the most traffic volume over the reporting period, broken down by Internet service.
Top Sources by Firewall Sessions Duration: The sources with the longest cumulated traffic duration over the reporting period.
Top Destinations by Firewall Session Duration: The destinations with the longest cumulated traffic duration over the reporting period.
Top User Groups by Firewall Duration: The groups with the longest cumulated traffic duration over the reporting period.
Top Allowed Policies by Firewall Session Duration: The firewall policies with the most allowed session duration.
Top Allowed/Denied Policies by Number of Firewall Sessions: The firewall policies with the most allowed/denied sessions.
Overall Bandwidth Optimization: The overall bandwidth optimization over the reporting period, listed by time.
Optimization Bandwidth by Application: The most bandwidth-optimized applications over the reporting period.
LAN Bandwidth Composition: The composition of LAN bandwidth over the reporting period.
WAN Bandwidth Composition: The composition of WAN bandwidth over the reporting period.
Optimized Bandwidth by Source: The most bandwidth-optimized sources over the reporting period.
Optimized Bandwidth by Destination: The most bandwidth-optimized destinations over the reporting period.
Optimized Bandwidth by Rule: The most bandwidth-optimized rules over the reporting period.
Overall Bandwidth Optimization by Device: The overall bandwidth optimization over the reporting period, broken down by device.
LAN Bandwidth Composition by Device: The composition of LAN bandwidth over the reporting period, broken down by device.
WAN Bandwidth Composition by Device: The composition of WAN bandwidth over the reporting period, broken down by device.
Optimized Bandwidth Sources by Device: The most bandwidth-optimized sources over the reporting period, broken down by device.
Optimized Bandwidth Destinations by Device: The most bandwidth-optimized destinations over the reporting period, broken down by device.
Optimized Bandwidth Rules by Device: The most bandwidth-optimized rules over the reporting period, broken down by device.
Web Activity
Web Activity report templates contain statistics about the web activity going through the FortiGate unit.
Table 15: Web Activity report templates
Web Volume by Time Period: The web traffic volume over the reporting period, listed by time.
Web Volume per Traffic Direction: The web traffic volume over the reporting period, broken down by direction.
Top Web Servers by Volume: The web sites that produced the most traffic volume over the reporting period.
Top Web Clients by Volume: The web clients that generated the most web traffic volume over the reporting period.
Top Web Servers by Volume for most Active Clients: The web clients that generated the most web traffic volume over the reporting period, broken down by web site.
Top Web Servers by Connections: The web sites that were accessed most often over the reporting period.
Top Web Servers by Volume and Hits: The web sites that produced the most traffic volume over the reporting period, with hit count information.
Top Web Clients by Connections: The web clients with the most web server connections over the reporting period. A connection may include more than one web page hit.
Top Web Servers by Connections for most Active Clients: The web clients with the most server connections over the reporting period, broken down by web site. A connection may include more than one web page hit.
Top Web Servers by Firewall Session Duration: The web sites with the longest cumulated traffic duration over the reporting period.
Top Web Clients by Firewall Session Duration: The web clients with the longest cumulated traffic duration over the reporting period.
Top Web Servers by Firewall Session Duration for most Active Clients: The web clients with the longest cumulated traffic duration over the reporting period, broken down by web site.
Top Web Sites by Traffic Volume For Most Active Sources: The clients with the most traffic volume over the reporting period.
Top Web Sites By Hits For Most Active Sources: The clients with the most hits over the reporting period.
Mail Activity
Mail Activity report templates contain statistics about the email activity going through the FortiGate unit.
Table 16: Mail Activity report templates
Incoming Mail Activity by Time Period (POP3/IMAP): Breakdown of incoming mail activity by time slice.
Outgoing Mail Activity by Time Period (SMTP): Breakdown of outgoing email activity by time slice.
Mail/Volume/Size by Time: The mail traffic volume over the reporting period, listed by time.
Top Mail Clients (by Volume): The mail clients that produced the most traffic volume over the reporting period.
Top Mail Servers (by Volume): The mail servers that produced the most traffic volume over the reporting period.
Top Mail Clients for Most Common Mail Servers (by Volume): The mail servers that produced the most traffic volume over the reporting period, broken down by mail client.
Mail Volume/Size by Traffic Direction: The mail traffic volume over the reporting period, broken down by direction.
Top Mail Clients (Connections): The mail clients that accessed mail servers the most often over the reporting period.
Top Mail Servers (Connections): The mail servers that were accessed the most often over the reporting period.
Top Mail Clients for Most Common Mail Servers (Connections): The mail servers that were accessed the most often over the reporting period, broken down by mail client.
Top Mail Sources for each Spam Detection Status (clean/spam/etc): The mail traffic volume over the reporting period, broken down by filtering status and by mail sender.
Top Mail Destinations for each Spam Detection Status (clean/spam/etc): The mail traffic volume over the reporting period, broken down by filtering status and by mail receiver.
Top Sender by Volume for each Mail Protocol: The mail traffic volume over the reporting period, broken down by mail service (POP3, SMTP, IMAP, etc) and by mail sender.
Top Receiver by Volume for each Mail Protocol: The mail traffic volume over the reporting period, broken down by mail service (POP3, SMTP, IMAP, etc) and by mail receiver.
Top Email Senders By Traffic Volume For Most Active Sources: The local IP and email sender with traffic volume over the reporting period.
Top Email Senders By Number Of Emails For Most Active Source: The local IP and email sender with connections over the reporting period.
Top Email Recipients By Traffic Volume For Most Active Sources: The local IP and email recipient with traffic volume over the reporting period.
Top Email Recipients By Number of Emails For Most Active Sources: The local IP and email recipient with number of emails over the reporting period.
Top Email Recipients By Traffic Volume For Most Active Sender: The email recipient and email sender with traffic volume over the reporting period.
Top Email Recipients By Number of Emails For Most Active Sender: The email recipient and email sender with number of emails over the reporting period.
Top Senders By Traffic Volume For Most Active Recipients: The email recipient and email sender with traffic volume over the reporting period.
Top Senders By Number Of Emails For Most Active Recipients: The email recipient and email sender with number of emails over the reporting period.
Top Protocols By Traffic Volume For Most Active Sources: The local IP and email protocols with traffic volume over the reporting period.
FTP Activity
FTP Activity report templates contain statistics about the FTP activity going through the FortiGate unit.
Table 17: FTP Activity report templates
FTP Volume by Time Period: The FTP traffic volume over the reporting period, listed by time.
FTP Volume per Traffic Direction: The FTP traffic volume over the reporting period, broken down by direction.
Top FTP Servers by Volume: The FTP traffic volume over the reporting period, broken down by direction.
Top FTP Clients by Volume: The FTP clients that generated the most traffic volume over the reporting period.
Top Client-Server Pairs by Volume: The FTP clients that generated the most traffic volume over the reporting period, broken down by FTP server.
Top FTP Servers by Connections: The FTP sites that were accessed the most often over the reporting period.
Top FTP Clients by Connections: The FTP clients with the most FTP server connections over the reporting period.
Top Client-Server Pairs by Connections: The FTP clients with the most server connections over the reporting period, broken down by FTP server.
Top FTP Servers By Traffic Volume For Most Active Sources: The FTP servers that generated the most traffic volume over the reporting period.
Top FTP Servers By Number of Actions For Most Active Sources: The FTP clients with the most server connections over the reporting period.
Terminal Activity
Terminal Activity report templates contain statistics about the terminal activity (including SSH and Telnet) going through the FortiGate unit.
Table 18: Terminal Activity report templates
Terminal Traffic Volume per Service (Telnet+SSH): The terminal traffic volume, broken down by service.
Top Terminal Servers by Traffic Volume (per Service): The terminal servers with the most traffic volume over the reporting period, broken down by service.
Top Terminal Clients by Traffic Volume (per Service): The terminal clients with the most traffic volume over the reporting period, broken down by service.
SSH Traffic Volume per Direction: The SSH traffic volume for each direction.
Top SSH Servers by Traffic Volume for Most Active Client: The SSH clients with the most traffic volume over the reporting period, broken down by server.
Telnet Traffic Volume per Direction: The Telnet traffic volume for each direction.
Top Telnet Servers by Traffic Volume for Most Active Clients: The Telnet clients with the most traffic volume over the reporting period, broken down by server.
Top Terminal Servers by Connections (per Service): The terminal servers with the most connections over the reporting period, broken down by service.
Top Terminal Clients by Connections (per Service): The terminal clients with the most connections over the reporting period, broken down by service.
Top SSH Servers by Connections for Most Active Clients: The SSH clients with the most connections over the reporting period, broken down by server.
Top Telnet Servers by Connections for Most Active Clients: The Telnet clients with the most connections over the reporting period, broken down by server.
VPN Activity
VPN Activity report templates contain statistics about VPN tunnel activity going through the FortiGate unit.
Table 19: VPN Activity report templates
Top VPN Tunnels: The VPN tunnels with the most traffic volume over the reporting period.
VPN Traffic Volume per Direction: The VPN traffic volume over the reporting period, broken down by direction.
Top VPN Sources: The sources with the most VPN traffic volume over the reporting period.
Top VPN Destinations: The destinations with the most VPN traffic volume over the reporting period.
Top VPN Peers per Device (by Traffic Volume): The VPN peers with the most traffic volume for each device over the reporting period.
VPN Traffic Volume per Device: The VPN traffic volume for each device over the reporting period.
Total VPN Tunnels per Device: The number of VPN tunnels for each device over the reporting period.
Top VPN Peers per Device (by Number of Tunnels): The VPN peers with the most tunnels for each device over the reporting period.
Top Protocols over VPN per Device (by Traffic Volume): The Internet services with the most traffic volume for each device over the reporting period.
IPSec Tunnel Activity per Device: The statistics related to IPSec tunnel activity for each device over the reporting period.
PPTP Tunnel Activity per Device: The statistics related to PPTP tunnel activity for each device over the reporting period.
L2TP Tunnel Activity per Device: The statistics related to L2TP tunnel activity for each device over the reporting period.
SSL Reverse Proxy Activity per Device: The statistics related to SSL reverse proxy activity for each device over the reporting period.
SSL Tunnel Activity per Device: The statistics related to the SSL tunnel activity for each device over the reporting period.
Event Activity
Event Activity report templates contain statistics about the FortiGate event activity.
Table 20: Event Activity report templates
Total Event Count per Severity: The most frequently occurring event severities over the reporting period.
Total Event Count per Software Module: The most frequently occurring event types over the reporting period.
System Administration Summary: Audit of all administrative activity over the reporting period.
System Administration Details: Detailed audit of all administrative activity over the reporting period.
CPU Usage by Time Period: This report shows FortiGate CPU usage by time.
Memory Usage by Time Period: This report shows FortiGate memory usage by time.
Active Firewall Sessions by Time Period: This report shows the number of FortiGate active sessions by time.
Total Event Count per Device: This report provides information about the total event count triggered on each firewall.
Top Events (by Log ID): The most frequently occurring events over the reporting period.
Top Events per Device (by Log ID): This report provides information about the events triggered on each firewall.
Top Emergency Events (by Log ID): The most frequently occurring emergency events.
Top Critical Events (by Log ID): The most frequently occurring critical events.
Top Alert Events (by Log ID): The most frequently occurring alert events.
Top Error Events (by Log ID): The most frequently occurring error events.
Top Warning Events (by Log ID): The most frequently occurring warning events.
Top Notification Events (by Log ID): The most frequently occurring notification events.
Top Information Events (by Log ID): The most frequently occurring information events.
Top Event Severities per Device: This report provides information about the events triggered by device and severity.
Top Software Module Events per Device: This report provides information on the types of events that are occurring on a particular system.
Overall MMS Traffic Measures: This report provides information on overall scanned messages, infected/blocked messages, intercepted messages, and suspicious messages for the period.
Total Virus Notification per Profile by VDOM: The total number of virus notifications per protection profile per VDOM over the reporting period.
P2P Activity
P2P Activity report templates contain statistics about the peer-to-peer (P2P) activity filtered by the FortiGate unit.
Table 21: P2P Activity report templates
Total Events per P2P Protocol: The number of P2P sessions established over the reporting period, broken down by protocol.
Total Events per P2P Protocol (FortiOS 4.0 GA or earlier): The number of P2P sessions established over the reporting period, broken down by protocol, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Total Pass/Block Events (All Protocols): The established P2P sessions, broken down by action type.
Total Pass/Block Events (All Protocols) (FortiOS 4.0 or earlier): The established P2P sessions, broken down by action type, for configuring reports containing log information that is FortiOS 4.0 or earlier.
Top P2P Sources by Traffic Volume: The local P2P peers with the most traffic volume.
Top P2P Destinations by Traffic Volume: The remote P2P peers with the most traffic volume.
Top Allowed P2P Local Peers: The local P2P peers with the most allowed sessions.
Top Allowed P2P Local Peers (FortiOS 4.0 GA or earlier): The local P2P peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked P2P Local Peers: The local P2P peers with the most blocked sessions.
Top Blocked P2P Local Peers (FortiOS 4.0 GA or earlier): The local P2P peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Allowed P2P Remote Peers: The remote P2P peers with the most allowed sessions.
Top Allowed P2P Remote Peers (FortiOS 4.0 GA or earlier): The remote P2P peers with the most allowed sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked P2P Remote Peers: The remote P2P peers with the most blocked sessions.
Top Blocked P2P Remote Peers (FortiOS 4.0 GA or earlier): The remote P2P peers with the most blocked sessions, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top P2P Protocols For Most Active Sources By Traffic Volume: The local IP with the most protocols and traffic volume over the reporting period.
Top P2P Protocols By Traffic Volume: The protocols with the most traffic volume over the reporting period.
Top Allowed BitTorrent Local Peers: The local BitTorrent peers with the most allowed sessions.
Top Allowed BitTorrent
The local BitTorrent peers with the most allowed sessions, for
Local Peers
configuring reports containing log information that is FortiOS 4.0 GA or
(FortiOS 4.0 GA or earlier) earlier.
Top Blocked BitTorrent
Local Peers
The local BitTorrent peers with the most blocked sessions.
Top Blocked BitTorrent
The local BitTorrent peers with the most blocked sessions, for
Local Peers
configuring reports containing log information that is FortiOS 4.0 GA or
(FortiOS 4.0 GA or earlier) earlier.
Top Allowed eDonkey
Local Peers
FortiAnalyzer™ Version 4.0 MR2 Administration Guide
Revision 10
http://docs.fortinet.com/ • Feedback
The local eDonkey peers with the most allowed sessions.
299
FortiGate report templates
Appendix B: Report templates
Table 21: P2P Activity report templates
Top Allowed eDonkey
The local eDonkey peers with the most allowed sessions, for
Local Peers
configuring reports containing log information that is FortiOS 4.0 GA or
(FortiOS 4.0 GA or earlier) earlier.
Top Blocked eDonkey
Local Peers
The local eDonkey peers with the most blocked sessions.
Top Blocked eDonkey
The local eDonkey peers with the most blocked sessions, for
Local Peers
configuring reports containing log information that is FortiOS 4.0 GA or
(FortiOS 4.0 GA or earlier) earlier.
Top Allowed Gnutella Local The local Gnutella peers with the most allowed sessions.
Peers
Top Allowed Gnutella Local The local Gnutella peers with the most allowed sessions, for
Peers
configuring reports containing log information that is FortiOS 4.0 GA or
(FortiOS 4.0 GA or earlier) earlier.
Top Blocked Gnutella
Local Peers
The local Gnutella peers with the most blocked sessions.
Top Blocked Gnutella
The local Gnutella peers with the most blocked sessions, for
Local Peers
configuring reports containing log information that is FortiOS 4.0 GA or
(FortiOS 4.0 GA or earlier) earlier.
Top Allowed KaZaa Local
Peers
The local KaZaa peers with the most allowed sessions.
Top Allowed KaZaa Local The local KaZaa peers with the most allowed sessions, for configuring
Peers
reports containing log information that is FortiOS 4.0 GA or earlier.
(FortiOS 4.0 GA or earlier)
Top Blocked KaZaa Local
Peers
The local KaZaa peers with the most blocked sessions.
Top Blocked KaZaa Local The local KaZaa peers with the most blocked sessions, for configuring
Peers
reports containing log information that is FortiOS 4.0 GA or earlier.
(FortiOS 4.0 GA or earlier)
Top Allowed Skype Local
Peers
The local Skype peers with the most allowed sessions.
Top Allowed Skype Local
The local Skype peers with the most allowed sessions, for configuring
Peers
reports containing log information that is FortiOS 4.0 GA or earlier.
(FortiOS 4.0 GA or earlier)
Top Blocked Skype Local
Peers
The local Skype peers with the most blocked sessions.
Top Blocked Skype Local The local Skype peers with the most blocked sessions, for configuring
Peers
reports containing log information that is FortiOS 4.0 GA or earlier.
(FortiOS 4.0 GA or earlier)
Top Allowed WinNY Local
Peers
The local WinNY peers with the most allowed sessions.
Top Allowed WinNY Local The local WinNY peers with the most allowed sessions, for configuring
Peers
reports containing log information that is FortiOS 4.0 GA or earlier.
(FortiOS 4.0 GA or earlier)
Top Blocked WinNY Local
Peers
The local WinNY peers with the most blocked sessions.
Top Blocked WinNY Local The local WinNY peers with the most blocked sessions, for
Peers
configuring reports containing log information that is FortiOS 4.0 GA or
(FortiOS 4.0 GA or earlier) earlier.
VoIP Activity
VoIP Activity report templates contain statistics about the Voice-over-IP activity filtered by
the FortiGate unit.
Table 22: VoIP Activity report templates
Total Pass/Block Events (All VoIP Protocols): The Voice-over-IP activity over the reporting period, broken down by action.
Total Events per VoIP Protocol: The Voice-over-IP activity over the reporting period, broken down by protocol.
VoIP Traffic Volume per Direction: The Voice-over-IP traffic volume for the reporting period, broken down by direction.
VoIP Traffic Volume by Time Period: The time period breakdown of Voice-over-IP traffic volume over the reporting period.
Top VoIP Sources by Traffic Volume: The Voice-over-IP sources that generated the most traffic volume over the reporting period.
Top VoIP Destinations by Traffic Volume: The Voice-over-IP destinations that generated the most traffic volume over the reporting period.
Top SIP Called Numbers: The most frequently called SIP numbers over the reporting period.
Top SIP Users by Number of Calls: The SIP users that produced the most calls over the reporting period.
Top SIP Users by Duration: The SIP users that produced the longest cumulative call durations over the reporting period.
Top Blocked SIP Users: The most frequently blocked SIP users over the reporting period.
Top Blocked SIP Users (FortiOS 4.0 GA or earlier): The most frequently blocked SIP users over the reporting period, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked SIP Callers: The most frequently blocked SIP callers over the reporting period.
Top Blocked SIP Callers (FortiOS 4.0 GA or earlier): The most frequently blocked SIP callers over the reporting period, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Total SIP Calls by Duration Ranges: The SIP call durations over the reporting period, broken down by range.
Top SCCP Called Numbers: The most frequently called SCCP numbers over the reporting period.
Top SCCP Users by Number of Calls: The SCCP users that produced the most calls over the reporting period.
Top SCCP Users by Duration: The SCCP users that produced the longest cumulative call durations over the reporting period.
Top Blocked SCCP Users: The most frequently blocked SCCP users over the reporting period.
Top Blocked SCCP Users (FortiOS 4.0 GA or earlier): The most frequently blocked SCCP users over the reporting period, for configuring reports containing log information that is FortiOS 4.0 or earlier.
Top Blocked SCCP Callers: The most frequently blocked SCCP callers over the reporting period.
Top Blocked SCCP Callers (FortiOS 4.0 GA or earlier): The most frequently blocked SCCP callers over the reporting period, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Total SCCP Calls by Duration Ranges: The SCCP call durations over the reporting period, broken down by range.
Top VoIP Sources by Connections: The Voice-over-IP sources with the most connections over the reporting period.
Top VoIP Destinations by Connections: The Voice-over-IP destinations with the most connections over the reporting period.
Top Blocked SIP Users by Blocking Criteria: The most frequently blocked SIP users, broken down by reason.
Top Blocked SIP Users by Blocking Criteria (FortiOS 4.0 GA or earlier): The most frequently blocked SIP users, broken down by reason, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked SIP Callers by Blocking Criteria: The most frequently blocked SIP callers, broken down by reason.
Top Blocked SIP Callers by Blocking Criteria (FortiOS 4.0 or earlier): The most frequently blocked SIP callers, broken down by reason, for configuring reports containing log information that is FortiOS 4.0 or earlier.
Total SIP Calls per Status (Start/End/etc): The number of SIP calls over the reporting period, broken down by status.
Total SIP Call Registrations by Time Period: The time period breakdown of the number of SIP call registrations over the reporting period.
Top SIP Called Numbers for Most Active Callers: The top SIP callers over the reporting period, broken down by called numbers.
Top Blocked SCCP Users by Blocking Criteria: The most frequently blocked SCCP users, broken down by reason.
Top Blocked SCCP Users by Blocking Criteria (FortiOS 4.0 GA or earlier): The most frequently blocked SCCP users, broken down by reason, for configuring reports containing log information that is FortiOS 4.0 GA or earlier.
Top Blocked SCCP Callers by Blocking Criteria: The most frequently blocked SCCP callers, broken down by reason.
Top Blocked SCCP Callers by Blocking Criteria (FortiOS 4.0 or earlier): The most frequently blocked SCCP callers, broken down by reason, for configuring reports containing log information that is FortiOS 4.0 or earlier.
Total SCCP Calls per Status (Start/End/etc): The number of SCCP calls over the reporting period, broken down by status.
Total SCCP Call Registrations by Time Period: The time period breakdown of the number of SCCP call registrations over the reporting period.
Top SCCP Called Numbers for Most Active Callers: The top SCCP callers over the reporting period, broken down by called numbers.
Data Leak Activity
Data Leak Activity report templates contain log information from data leak prevention (DLP) logs.
Table 23: Data Leak Activity report templates
Top Data Leak Rules: The most frequently triggered data leak prevention rules over the reporting period.
Top Data Leak Sources: The most frequent sources of data leaks over the reporting period.
Top Data Leak Destinations: The most frequent destinations of data leaks over the reporting period.
Top Data Leak Protocols: The protocols carrying the most data leaks over the reporting period.
Top Data Leak Mail Senders: The mail senders causing the most data leaks over the reporting period.
Top Data Leak Mail Receivers: The mail receivers causing the most data leaks over the reporting period.
Top Data Leak Web Servers: The web servers causing the most data leaks over the reporting period.
Top Data Leak FTP Servers: The FTP servers causing the most data leaks over the reporting period.
Application Control Activity
Application Control Activity report templates contain statistics about the FortiGate
application control activity.
Table 24: Application control report templates
Top Applications: The most frequently used applications by number of events.
Top Application By Type: The top applications for the most frequently used application types.
Top Users By Application: The top users of the most frequently used applications.
Top Allowed Applications: The top allowed applications by number of events.
Top Blocked Applications: The top blocked applications by number of events.
Network Scan
Network Scan report templates contain statistics about the FortiGate vulnerability
management activity.
Table 25: Network scan report templates
Vulnerabilities by Severity: The vulnerabilities found by the network scan, listed by severity.
Vulnerabilities by Category: The vulnerabilities found by the network scan, listed by category.
Top Scanned Operating Systems: The operating systems scanned by the FortiGate unit.
Top Scanned Services: The top services scanned by the FortiGate unit.
Top Scanned TCP Services: The top TCP services scanned by the FortiGate unit.
Top Scanned UDP Services: The top UDP services scanned by the FortiGate unit.
Application_Control
Application_Control report templates contain statistics about the FortiGate application control activity.
Table 26: Application control report templates
appctrl-count-p2p-events-last24hours: The count of P2P pass/block events over the last 24 hours.
appctrl-dist-type-last24hours: The distribution of applications by type in the last 24 hours.
appctrl-top10-apps-bandwidth-last24hours: The top 10 applications by bandwidth in the last 24 hours.
appctrl-top10-apps-used-last24hours: The top 10 applications used in the last 24 hours.
appctrl-top10-email-users-last24hours: The top 10 email users in the last 24 hours.
appctrl-top10-media-dest-last24hours: The top 10 media downloads by destination in the last 24 hours.
appctrl-top10-media-source-last24hours: The top 10 media downloads by source in the last 24 hours.
appctrl-top10-media-users-last24hours: The top 10 media users in the last 24 hours.
appctrl-top10-p2p-app-volume-last24hours: The top 10 P2P applications by volume over the last 24 hours.
appctrl-top10-p2p-local-peers-bittorrent-blocked-last24hours: The top 10 blocked BitTorrent local peers over the last 24 hours.
appctrl-top10-p2p-local-peers-blocked-last24hours: The top 10 blocked P2P local peers over the last 24 hours.
appctrl-top10-web-users-last24hours: The top 10 web users in the last 24 hours.
Intrusion_Detection
Intrusion_Detection report templates contain statistics about the FortiGate intrusion activity.
Table 27: Intrusion detection report templates
attack-dist-protocol-last24hours: The distribution of attack protocols over the last 24 hours.
attack-top10-last24hours: The top 10 attacks over the last 24 hours.
attack-top10-source-last24hours: The top 10 attack sources over the last 24 hours.
AntiVirus
AntiVirus report templates contain statistics about the FortiGate antivirus activity.
Table 28: Antivirus report templates
av-dist-protocol-last24hours: The distribution of infections by protocol in the last 24 hours.
av-dist-violations-last24hours: The breakdown of violations (infected, oversize, file block) in the last 24 hours.
av-top10-file-extension-last24hours: The top 10 infected file extensions in the last 24 hours.
av-top10-file-name-last24hours: The top 10 infected file names in the last 24 hours.
av-top10-sources-http-last24hours: The top 10 HTTP virus sources over the last 24 hours.
av-top10-sources-last24hours: The top 10 virus sources over the last 24 hours.
av-top10-virus-last24hours: The top 10 viruses detected in the last 24 hours.
Data_Leak_Prevention
Data_Leak_Prevention report templates contain log information from data leak prevention (DLP) logs.
Table 29: Data Leak Prevention report templates
dlp-dist-protocol-last24hours: The distribution of data leaks by protocol over the last 24 hours.
dlp-top10-email-receivers-last24hours: The top 10 email receivers triggering DLP rules in the last 24 hours.
dlp-top10-email-senders-last24hours: The top 10 email senders triggering DLP rules in the last 24 hours.
Email Filter
Email Filter report templates contain statistics about the FortiGate antispam activity.
Table 30: Email filter report templates
email-count-volume-last24hours: The count of mail by size over the last 24 hours.
email-top10-receivers-last24hours: The top 10 receivers over the last 24 hours.
email-top10-senders-last24hours: The top 10 senders over the last 24 hours.
email-top10-spam-sources-last24hours: The top 10 spam sources over the last 24 hours.
email-usage-incoming-last24hours: The number of incoming mails (POP3/IMAP) over the last 24 hours.
email-usage-outgoing-last24hours: The number of outgoing mails (SMTP) over the last 24 hours.
Event
Event report templates contain statistics about the FortiGate event activity.
Table 31: Event report templates
event-count-sessions-last24hours: The count of active firewall sessions over the last 24 hours.
event-dist-last24hours: The event distribution over the last 24 hours.
event-top10-all-last24hours: The top 10 events in the last 24 hours.
event-top10-critical-last24hours: The top 10 critical events in the last 24 hours.
event-top10-emergency-last24hours: The top 10 emergency events in the last 24 hours.
event-usage-cpu-last24hours: The CPU usage over the last 24 hours.
event-usage-mem-last24hours: The memory usage over the last 24 hours.
Traffic
Traffic report templates contain statistics about the network traffic activity going through
the FortiGate unit.
Table 32: Traffic report templates
traffic-count-network-session-last24hours: The count of network sessions over the last 24 hours.
traffic-count-port1-volume-last24hours: The traffic volume count for the port1 interface over the last 24 hours.
traffic-count-terminal-ssh-volume-last24hours: The count of SSH terminal clients by volume over the last 24 hours.
traffic-count-terminal-telnet-volume-last24hours: The count of telnet terminal clients by volume over the last 24 hours.
traffic-count-wanopt-bandwidth-last24hours: The WAN optimization bandwidth over the last 24 hours.
traffic-dist-network-bandwidth-last24hours: The network bandwidth composition over the last 24 hours.
traffic-dist-wanopt-app-lan-bandwidth-last24hours: The WAN optimization application composition on the LAN side over the last 24 hours.
traffic-dist-wanopt-app-wan-bandwidth-last24hours: The WAN optimization application composition on the WAN side over the last 24 hours.
traffic-top10-ftp-client-volume-last24hours: The top 10 FTP clients by volume over the last 24 hours.
traffic-top10-ftp-pair-volume-last24hours: The top 10 FTP client/server pairs by volume over the last 24 hours.
traffic-top10-ftp-servers-volume-last24hours: The top 10 FTP servers accessed by volume over the last 24 hours.
traffic-top10-im-user-blocked-last24hours: The top 10 blocked IM users over the last 24 hours.
traffic-top10-im-user-volume-last24hours: The top 10 IM users by volume over the last 24 hours.
traffic-top10-network-dest-blocked-last24hours: The top 10 network destinations blocked (denied) over the last 24 hours.
traffic-top10-network-dest-volume-last24hours: The top 10 network destinations by volume over the last 24 hours.
traffic-top10-network-policies-blocked-last24hours: The top 10 network policies blocked (denied) over the last 24 hours.
traffic-top10-network-source-blocked-last24hours: The top 10 network sources blocked (denied) over the last 24 hours.
traffic-top10-network-source-volume-last24hours: The top 10 network sources by volume over the last 24 hours.
traffic-top10-network-users-source-bandwidth-last24hours: The top 10 users by source and bandwidth over the last 24 hours.
traffic-top10-terminal-volume-last24hours: The top 10 terminal clients by volume over the last 24 hours.
FortiClient Report Templates
The following are FortiClient report templates, which are only available for the Proprietary Index file system. FortiClient logs are the only logs used when compiling FortiClient reports.
Table 33: FortiClient Network Activity
Top Denied Sources: The top attempts to violate a policy configured on a FortiClient, by the attempt’s source IP address.
Top Denied Destinations: The top attempts to violate a policy configured on a FortiClient, by the attempt’s target IP address.
Table 34: FortiClient Web Filter Activity
Top Blocked Web Sites: Breakdown of blocked web sites.
Top Blocked Web Sites by User: Breakdown of blocked web sites by user.
Top Visited Web Sites: Breakdown of visited web sites.
Top Visited Web Sites by User: Breakdown of visited web sites by user.
Table 35: FortiClient Email Filter Activity
Top Blocked Mail Senders: Breakdown of the most blocked sender email addresses.
Top Blocked Mail Receivers: Breakdown of the most blocked receiver email addresses.
FortiMail Report Templates
The following are FortiMail report templates that are available for Proprietary Index file
system. FortiMail logs are the only logs used when compiling FortiMail reports.
Table 36: Mail High Level reports
Top Client IP: Breakdown of top client IPs.
Top Local User: Breakdown of top local users.
Top Remote Address: Breakdown of top remote addresses.
Spam Filter: Breakdown of spam filters.
Disposition Action: Breakdown of disposition actions.
Top Virus: Breakdown of top virus names.
Top Client MSISDN: Breakdown of top client MSISDNs.
Table 37: Mail Activity reports
Top Sender: Breakdown of top senders.
Top Sender IP: Breakdown of top sender IPs.
Top Local Sender: Breakdown of top local senders.
Top Remote Sender: Breakdown of top remote senders.
Top Sender MSISDN: Breakdown of top sender MSISDNs.
Top Recipient: Breakdown of top recipients.
Top Local Recipient: Breakdown of top local recipients.
Top Remote Recipient: Breakdown of top remote recipients.
Top Mail Destination IP: Breakdown of top mail destination IPs.
Total Sent and Received: Total sent and received.
Total Spam and Non-Spam: Total spam and non-spam.
Table 38: Spam Activity reports
Top Spam Sender: Breakdown of top spam senders.
Top Spam Domain: Breakdown of top spam domains.
Top Spam IP: Breakdown of top spam IPs.
Top Local Spam Sender: Breakdown of top local spam senders.
Top Local Spam Domain: Breakdown of top local spam domains.
Top Remote Spam Sender: Breakdown of top remote spam senders.
Top Remote Spam Domain: Breakdown of top remote spam domains.
Top Spam MSISDN: Breakdown of top spam MSISDNs.
Top Spam Recipient: Breakdown of top spam recipients.
Top Local Spam Recipient: Breakdown of top local spam recipients.
Top Remote Spam Recipient: Breakdown of top remote spam recipients.
Top Spam Destination IP: Breakdown of top spam destination IPs.
Table 39: Virus Activity reports
Top Virus Sender: Breakdown of top virus senders.
Top Virus Domain: Breakdown of top virus domains.
Top Virus IP: Breakdown of top virus IPs.
Top Local Virus Sender: Breakdown of top local virus senders.
Top Local Virus Domain: Breakdown of top local virus domains.
Top Remote Virus Sender: Breakdown of top remote virus senders.
Top Remote Virus Domain: Breakdown of top remote virus domains.
Top Virus MSISDN: Breakdown of top virus MSISDNs.
Top Virus Recipient: Breakdown of top virus recipients.
Top Local Virus Recipient: Breakdown of top local virus recipients.
Top Remote Virus Recipient: Breakdown of top remote virus recipients.
Top Virus Destination IP: Breakdown of top virus destination IPs.
Appendix C: Maximum values matrix
Table 40: Maximum values of FortiAnalyzer models
Feature | FortiAnalyzer-100B, 100C | FortiAnalyzer-400B | FortiAnalyzer-800, 800B | FortiAnalyzer-1000, 1000C | FortiAnalyzer-2000, 2000A, 2000B | FortiAnalyzer-4000, 4000A, 4000B
Administrative domains (ADOMs) | 1 | 10 | 50 | 50 | 100 | 250
Devices per ADOM | 100 | 200 | 500 | 2000 | 2000 | 2000
Administrators | 10 | 20 | 100 | 100 | 200 | 500
Administrator access profiles | 10 | 20 | 100 | 100 | 200 | 500
RADIUS servers | 6 | 6 | 6 | 6 | 6 | 6
RADIUS authentication groups | 6 | 6 | 6 | 6 | 6 | 6
RADIUS servers per authentication group | 6 | 6 | 6 | 6 | 6 | 6
Static routes | 32 | 32 | 32 | 32 | 32 | 32
SMB shares | 16 | 32 | 64 | 64 | 64 | 64
SMB users | 16 | 32 | 64 | 64 | 64 | 64
SMB groups | 16 | 32 | 64 | 64 | 64 | 64
SMB users per group | 16 | 32 | 64 | 64 | 64 | 64
SMB read-only users & groups per share | 16 | 32 | 64 | 64 | 64 | 64
SMB read-write users & groups per share | 16 | 32 | 64 | 64 | 64 | 64
NFS exports | 16 | 32 | 64 | 64 | 64 | 64
NFS RO clients per export | 16 | 32 | 64 | 64 | 64 | 64
NFS RW clients per export | 16 | 32 | 64 | 64 | 64 | 64
Registered log devices (FGT/FMG/FML/SL+FC) | 100 | 200 | 500 | 2000 | 2000 | 2000
HA members per log device | 5 | 5 | 5 | 5 | 5 | 5
Log device groups | 50 | 100 | 250 | 1000 | 1000 | 1000
Log devices per device group | 100 | 200 | 500 | 2000 | 2000 | 2000
Unregistered log devices | 100 | 200 | 500 | 2000 | 2000 | 2000
Blocked log devices | 100 | 200 | 500 | 2000 | 2000 | 2000
Report LDAP servers | 6 | 6 | 6 | 6 | 6 | 6
Report IP aliases | 256 | 256 | 512 | 512 | 512 | 512
Report schedules | 250 | 250 | 500 | 500 | 750 | 1000
Report layouts | 250 | 250 | 500 | 500 | 750 | 1000
Objects/queries per report layout | 500 | 500 | 500 | 500 | 500 | 500
Report outputs | 250 | 250 | 500 | 500 | 750 | 1000
Report filters | 250 | 250 | 500 | 500 | 750 | 1000
Report datasets | 250 | 250 | 500 | 500 | 750 | 1000
Outputs per report dataset | 3 | 3 | 3 | 3 | 3 | 3
Report custom charts | 250 | 250 | 500 | 500 | 750 | 1000
SQL report layouts | 250 | 250 | 500 | 500 | 750 | 1000
SQL report chart templates | 250 | 250 | 500 | 500 | 750 | 1000
SQL report datasets | 250 | 250 | 500 | 500 | 750 | 1000
SQL report components per layout | 500 | 500 | 500 | 500 | 500 | 500
Alerts/SNMP managers (CmdGens/NotRcvrs) | 31 | 31 | 31 | 31 | 31 | 31
Alerts/SNMP managers per community | 10 | 10 | 10 | 10 | 10 | 10
Alerts email servers | 1 | 8 | 16 | 16 | 32 | 32
Alerts Syslog servers | 1 | 8 | 16 | 16 | 32 | 32
Alerts events | 10 | 100 | 100 | 100 | 256 | 256
Alerts destinations per event | 16 | 16 | 32 | 32 | 64 | 64
VM host assets | 100 | 200 | 200 | 500 | 500 | 1000
VM business risks | 1 | 1 | 1 | 1 | 1 | 1
Administrator sessions | 300 | 300 | 300 | 300 | 300 | 300
NTP servers | 20 | 20 | 20 | 20 | 20 | 20
Appendix D: Querying FortiAnalyzer SQL log databases
The FortiAnalyzer unit supports local PostgreSQL and remote MySQL databases for storage of log tables.
To create a report based on the FortiGate log messages in a local or remote database, you can use either the predefined datasets, or create your own custom datasets by querying the log messages in the SQL database on the FortiAnalyzer unit.
This appendix describes the procedure for creating datasets, and describes the fields in each type of log table to assist in writing SQL queries.
This section contains the following topics:
• Creating datasets
• SQL tables
• Examples
Creating datasets
The following procedure describes how to create datasets in the web-based manager. You can also use the CLI command config sql-report dataset to create datasets. For details, see the FortiAnalyzer CLI Reference and the “Examples” section.
To create a custom data set in the web-based manager
1 Go to Report > Chart > Data Set.
2 Click Create New.
3 Configure the following, then click OK.
Name: Enter the name for the data set.
Log Type ($log): Enter the type of logs to be used for the data set. $log is used in the SQL query to represent the log type you select, and the query is run against all tables of this type.
Time Period ($filter): Select to use logs from a time frame, or select Specified and define a custom time frame by selecting the Begin Time and End Time. $filter is used in the SQL query "where" clause to limit the results to the period you select.
Past N Hours/Days/Weeks: If you selected Past N Hours/Days/Weeks for Time Period, enter the number.
Begin Time: Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
End Time: Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
SQL Query: Enter the SQL query to retrieve the log data you want from the SQL database.
Different SQL systems use different query syntaxes to deal with date/time formats. The FortiAnalyzer unit uses PostgreSQL as the local database and supports MySQL as the remote database. To facilitate querying in both MySQL and PostgreSQL systems, you can use the following date/time macros, which the FortiAnalyzer unit expands for the time period you choose:
• $hour_of_day: For example, select Yesterday for the Time Period and enter the query "select $hour_of_day as hourstamp, count(*) from $log where $filter group by hourstamp order by hourstamp".
• $day_of_week: For example, select This Week for the Time Period and enter the query "select $day_of_week as datestamp, count(*) from $log where $filter group by datestamp order by datestamp".
• $day_of_month: For example, select This Month for the Time Period and enter the query "select $day_of_month as datestamp, count(*) from $log where $filter group by datestamp order by datestamp".
• $week_of_year: For example, select This Year for the Time Period and enter the query "select $week_of_year as weekstamp, count(*) from $log where $filter group by weekstamp order by weekstamp".
• $month_of_year: For example, select This Year for the Time Period and enter the query "select $month_of_year as monthstamp, count(*) from $log where $filter group by monthstamp order by monthstamp".
The results of running these queries display the date or time bucket first, followed by the log data.
Test: Click to test whether or not the SQL query is successful. See “To test a SQL query” on page 312.
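The two dataset queries below are an added example and are not taken from this guide or from Fortinet's predefined datasets. They show how the $log, $filter and $hour_of_day macros combine with an ordinary column predicate to answer a security question (where and when sessions are being denied) rather than only counting rows. The column names `status`, `srcip` and `service`, and the value 'deny' marking a denied session, are assumed traffic log fields; confirm them against the “SQL tables” section for your log type before saving the dataset.

```sql
-- Added example dataset queries (not from the FortiAnalyzer guide).
-- Assumed traffic log columns: `status` ('deny' for a denied session),
-- `srcip` and `service`. Verify them in the SQL tables section first.

-- Query 1: denied sessions per hour of the day.
-- Intended for Log Type = traffic and Time Period = Yesterday, so that
-- $log expands to the traffic log tables, $filter to yesterday's time
-- range, and $hour_of_day to the hour expression of the local PostgreSQL
-- or remote MySQL backend. The extra predicate is ANDed with $filter so
-- the dataset still honours the period selected in the report.
select $hour_of_day as hourstamp, count(*) as denied
from $log
where $filter and `status` = 'deny'
group by hourstamp
order by hourstamp;

-- Query 2: top 10 denied source addresses and the service each one hit.
-- Works with any Time Period; identifiers are quoted with grave accents,
-- which is the quoting the dataset console accepts.
select `srcip`, `service`, count(*) as denied
from $log
where $filter and `status` = 'deny'
group by `srcip`, `service`
order by denied desc
limit 10;
```

Each query is saved as its own data set, since a data set holds one SQL statement. Keeping $filter in every where clause, and adding your own conditions with AND rather than replacing it, is what ties the data set to the report's time period; a query without $filter runs over every table of the log type regardless of the period chosen. Use the Test button with a single device selected first, so a mistaken column name fails fast on a small table rather than across all registered devices.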
To test a SQL query
1 Follow the procedures in “To create a custom data set in the web-based manager” on
page 311.
2 After entering the SQL query, click Test.
3 Configure the following, then click Run to view the query results.
Figure 107: SQL Query test results
Device: Select a specific FortiGate unit, FortiMail unit, or FortiClient installation, or select all devices, to apply the SQL query to.
VDOM: If you want to apply the SQL query to a FortiGate VDOM, enter the name of the VDOM.
Time Period ($filter): Select to query the logs from a time frame, or select Specified and define a custom time frame by selecting the Begin Time and End Time. $filter is used in the where clause of the SQL query to limit the results to the period you select.
Past N Hours/Days/Weeks: If you selected Past N Hours/Days/Weeks for Time Period, enter the number.
Begin Time: Enter the date (or use the calendar icon) and time of the beginning of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
End Time: Enter the date (or use the calendar icon) and time of the end of the custom time range. This option appears only when you select Specified in the Time Period ($filter) field.
SQL Query: Enter the SQL query to retrieve the log data you want from the SQL database.
Run: Click to execute the SQL query. The results display. If the query is not successful, see “Troubleshooting” on page 314.
Clear: Select to remove the displayed query results.
Save Options: Select to save the SQL query console configuration to the data set configuration. The Device and VDOM settings are not saved to the data set configuration.
Close: Click to return to the data set configuration page.
Troubleshooting
If the query is unsuccessful, an error message appears in the results window indicating
the cause of the problem.
SQL statement syntax errors
Here are some example error messages and possible causes:
You have an error in your SQL syntax (remote/MySQL) or ERROR: syntax error at or near... (local/PostgreSQL)
• Check that SQL keywords are spelled correctly, and that the query is well-formed.
• Table and column names are demarked by grave accent (`) characters. Single (') and double (") quotation marks will cause an error.
No data is covered.
• The query is correctly formed, but no data has been logged for the log type. Check that you have configured the FortiAnalyzer unit to save that log type. Under System > Config > SQL Database, make sure that the log type is checked.
Connection problems
If well formed queries do not produce results, and logging is turned on for the log type,
there may be a database configuration problem with the remote database.
Ensure that:
• MySQL is running and using the default port 3306.
• You have created an empty database and a user with create permissions for the database.
Here is an example of creating a new MySQL database named fazlogs, and adding a user for the database:
# mysql -u root -p
mysql> CREATE DATABASE fazlogs;
mysql> -- '%' is the MySQL host wildcard, so fazlogger can connect from the FortiAnalyzer unit's address;
mysql> -- both grants are scoped to the fazlogs database only, never to *.*
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'%' IDENTIFIED BY 'fazpassword';
mysql> GRANT ALL PRIVILEGES ON fazlogs.* TO 'fazlogger'@'localhost' IDENTIFIED BY 'fazpassword';
SQL tables
The FortiAnalyzer™ unit creates a database table for each managed device and each log
type, when there is log data. If the FortiAnalyzer unit is not receiving data from a device, or
logging is not enabled under System > Config > SQL Database, it does not create log
tables for that device.
SQL tables follow the naming convention of [Device Name]-[SQL table type]-[timestamp], where the SQL table type is one of the types listed in Table 41 on page 315.
Note: The timestamp portion of the log name depends on the FortiAnalyzer unit firmware
release. It is either the creation time of the table (in releases before 4.2.1), or the timestamp
of the log on disk (in releases 4.2.1 and later).
To view all the named tables created in a database, you can use:
• local (PostgreSQL) database: SELECT * FROM pg_tables
• remote (MySQL): SHOW TABLES
The names of all created tables and their types are stored in a master table named table_ref.
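As an added example (not the guide's or Fortinet's code), the helper below takes the table names returned by SHOW TABLES or pg_tables, splits them according to the [Device Name]-[SQL table type]-[timestamp] convention, and reports which log types each device has tables for and which expected types are still missing, the situation the paragraph above describes when a device is not sending data or a log type is not enabled. It assumes a constructed table listing (the device names and timestamps are made up) and that device names may themselves contain hyphens, which is why the name is split from the right.

```python
import re
from collections import defaultdict

# SQL table types from Table 41 of the guide.
TABLE_TYPES = {"tlog", "elog", "vlog", "wlog", "alog", "slog", "dlog", "rlog", "clog", "nlog"}

# <device>-<type>-<timestamp>, anchored on the right: the greedy device group
# backtracks until the trailing "-<type>-<digits>" matches, so a device name
# containing hyphens keeps all of its parts.
TABLE_NAME = re.compile(r"^(?P<device>.+)-(?P<ttype>[a-z]log)-(?P<ts>\d+)$")

# Constructed SHOW TABLES / pg_tables output (not from a real unit). The
# table_ref master table and a system table are mixed in and must be ignored.
SAMPLE_TABLES = [
    "table_ref",
    "FGT-SAMPLE-0001-tlog-1291248000",
    "FGT-SAMPLE-0001-alog-1291248000",
    "branch-fw-01-elog-1291334400",
    "FML-SAMPLE-0002-slog-1291248000",
    "pg_statistic",
]


def parse_table_name(name):
    """Return (device, table_type, timestamp), or None if this is not a log table."""
    m = TABLE_NAME.match(name)
    if m is None or m.group("ttype") not in TABLE_TYPES:
        return None
    return m.group("device"), m.group("ttype"), int(m.group("ts"))


def log_types_by_device(names):
    """Map each device to the sorted list of log types it has tables for."""
    found = defaultdict(set)
    for name in names:
        parsed = parse_table_name(name)
        if parsed is not None:
            device, ttype, _ = parsed
            found[device].add(ttype)
    return {device: sorted(types) for device, types in found.items()}


def missing_log_types(names, expected):
    """Devices whose expected log types have no table yet.

    A listed type means either no data of that type has arrived or the type is
    not enabled under System > Config > SQL Database; an empty result means
    every known device has a table for every expected type."""
    present = log_types_by_device(names)
    return {device: sorted(set(expected) - set(types))
            for device, types in present.items()
            if set(expected) - set(types)}


if __name__ == "__main__":
    print(log_types_by_device(SAMPLE_TABLES))
    print(missing_log_types(SAMPLE_TABLES, {"tlog", "elog"}))
```

Because the check keys on device names parsed from existing tables, a device that has never produced any table at all does not appear; compare the result against the unit's device list to catch that case too.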
Table 41: Log types and table types
Log Type | SQL table type | Description
Traffic log | tlog | The traffic log records all traffic to and through the FortiGate interface.
Event log | elog | The event log records management and activity events. For example, when an administrator logs in or logs out of the web-based manager.
Antivirus log | vlog | The antivirus log records virus incidents in Web, FTP, and email traffic.
Webfilter log | wlog | The web filter log records HTTP FortiGate log rating errors including web content blocking actions that the FortiGate unit performs.
Attack log | alog | The attack log records attacks that are detected and prevented by the FortiGate unit.
Spamfilter log | slog | The spam filter log records blocking of email address patterns and content in SMTP, IMAP, and POP3 traffic.
Data Leak Prevention log | dlog | The Data Leak Prevention log records log data that is considered sensitive and that should not be made public. This log also records data that a company does not want entering their network.
Application Control log | rlog | The application control log records data detected by the FortiGate unit and the action taken against the network traffic depending on the application that is generating the traffic, for example, instant messaging software, such as MSN Messenger.
DLP archive log | clog | The DLP archive log, or clog.log, records all log messages, including most IM log messages as well as the following session control protocols (VoIP protocols) log messages: SIP start and end call; SCCP phone registration; SCCP call info (end of call); SIMPLE log message.
Vulnerability Management log | nlog | The vulnerability management log, or netscan log, contains logging events generated by a network scan.
FortiAnalyzer™ logs also include log sub-types, which are types of log messages within the main log type. For example, the event log type has an admin sub-type. FortiAnalyzer™ log types and subtypes are numbered, and these numbers appear within the log identification field of the log message.
Table 42: Log Sub-types

traffic (Traffic Log):
• allowed – Policy allowed traffic
• violation – Policy violation traffic
• Other

event (Event Log), for FortiGate devices:
• system – System activity event
• ipsec – IPSec negotiation event
• dhcp – DHCP service event
• ppp – L2TP/PPTP/PPPoE service event
• admin – admin event
• ha – HA activity event
• auth – Firewall authentication event
• pattern – Pattern update event
• alertemail – Alert email notifications
• chassis – FortiGate-4000 and FortiGate-5000 series chassis event
• sslvpn-user – SSL VPN user event
• sslvpn-admin – SSL VPN administration event
• sslvpn-session – SSL VPN session event
• his-performance – performance statistics
• vipssl – VIP SSL events
• ldb-monitor – LDB monitor events

dlp (Data Leak Prevention):
• dlp – Data Leak Prevention

app-crtl (Application Control Log):
• app-crtl-all – All application control

DLP archive (DLP Archive Log):
• HTTP – Virus infected
• FTP – FTP content metadata
• SMTP – SMTP content metadata
• POP3 – POP3 content metadata
• IMAP – IMAP content metadata

virus (Antivirus Log):
• infected – Virus infected
• filename – Filename blocked
• oversize – File oversized

webfilter (Web Filter Log):
• content – content block
• urlfilter – URL filter
• FortiGuard block
• FortiGuard allowed
• FortiGuard error
• ActiveX script filter
• Cookie script filter
• Applet script filter

ips (Attack Log):
• signature – Attack signature
• anomaly – Attack anomaly

emailfilter (Spam Filter Log):
• SMTP
• POP3
• IMAP
Log severity levels
You can define what severity level the FortiGate unit records logs at when configuring the logging location. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert, and Emergency level messages.
Table 43: Log Severity Levels
Level | Description | Generated by
0 - Emergency | The system has become unstable. | Event logs, specifically administrative events, can generate an emergency severity level.
1 - Alert | Immediate action is required. | Attack logs are the only logs that generate an Alert severity level.
2 - Critical | Functionality is affected. | Event, Antivirus, and Spam filter logs.
3 - Error | An error condition exists and functionality could be affected. | Event and Spam filter logs.
4 - Warning | Functionality could be affected. | Event and Antivirus logs.
5 - Notification | Information about normal events. | Traffic and Web Filter logs.
6 - Information | General information about system operations. | Content Archive, Event, and Spam filter logs.
The Debug severity level, not shown in Table 43, is rarely used. It is the lowest log severity
level and usually contains some firmware status information that is useful when the
FortiGate unit is not functioning properly. Debug log messages are only generated if the
log severity level is set to Debug. Debug log messages are generated by all types of
FortiGate features.
Log fields in each table
This section describes the fields of each log table stored in an SQL database. Because of
differences in SQL dialects, some fields have different types depending on whether they
are stored locally or remotely.
The tables described in this section are:
• “Common log fields” on page 317
• “Application control log fields” on page 319
• “Attack log fields” on page 321
• “DLP archive / content log fields” on page 322
• “Data Leak Prevention log fields” on page 327
• “Email filter log fields” on page 328
• “Event log fields” on page 329
• “Traffic log fields” on page 343
• “Antivirus log fields” on page 345
• “Web filter log fields” on page 347
• “Netscan log fields” on page 348
Common log fields
All log tables share some common fields, described in Table 44.
Table 44: Common Fields
Field | PostgreSQL type | MySQL type | Description | Tables
id | int not null primary key | int unsigned not null primary key | ID / primary key for the record | all
itime | timestamp | datetime | The time the log event was received by the FortiAnalyzer. | all
dtime | timestamp | datetime | The time the log event was generated on the device. | all
cluster_id | varchar(24) | varchar(24) | The HA cluster ID if the FortiGate runs in HA mode. | all
device_id | varchar(16) | varchar(16) | The serial number of the device. | all
log_id | int default 0 | smallint unsigned default 0 | A ten-digit number. The first two digits represent the log type and the following two digits represent the log subtype. The last one to five digits are the message id. For more detail about what the combination of type, subtype and message ID means, see the FortiGate Log Message Reference. | all
subtype | varchar(255) | varchar(255) | The subtype of the log message. The possible values of this field depend on the log type. See Table 42 for a list of subtypes associated with each log type. | all
type | varchar(255) | varchar(255) | The log type. | all
timestamp | int default 0 | int unsigned default 0 | Timestamp for the event. | all
pri | varchar(255) | varchar(255) | The log priority level. See Table 43 for a list of priority levels and the log types that generate them. | all
vd | varchar(255) | varchar(255) | The virtual domain where the traffic was logged. If no virtual domains are enabled and configured, this field contains the virtual domain, root. | all
user | varchar(255) | varchar(255) | The name of the user creating the traffic. | all except nlog
group | varchar(255) | varchar(255) | The name of the group creating the traffic. | all except nlog
src | varchar(40) (255 for alog) | varchar(40) (255 for alog) | The source IP address. | all except nlog
dst | varchar(40) (255 for alog) | varchar(40) (255 for alog) | The destination IP address. | all except nlog
src_port | int default 0 | smallint unsigned default 0 | The source port of the TCP or UDP traffic. The source port is zero for other types of traffic. | all except nlog
dst_port | int default 0 | smallint unsigned default 0 | The destination port number of the TCP or UDP traffic. The destination port is zero for other types of traffic. | all except nlog
src_int | varchar(255) | varchar(255) | The interface where the through traffic comes in. For outgoing traffic originating from the firewall, it is “unknown”. | all except clog and nlog
dst_int | varchar(255) | varchar(255) | The interface where the through traffic goes out to the public network or Internet. For incoming traffic to the firewall, it is “unknown”. | all except clog and nlog
policyid | bigint default 0 | int unsigned default 0 | The ID number of the firewall policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. For more information, see the Fortinet Knowledge Base article, Firewall policy=0. | all except nlog
service | varchar(255) | varchar(255) | The service where the activity or event occurred, for example a web page using HTTP or HTTPS. This field is an enum, and can have one of the following values: http, https, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, nntp, im, smtps, pop3s, imaps | all except clog
identidx | bigint default 0 | int unsigned default 0 | The identity index number. | all except nlog
profile | varchar(255) | varchar(255) | The protection profile associated with the firewall policy that traffic used when the log message was recorded. | all except dlog, tlog, and nlog
profiletype | varchar(255) | varchar(255) | The type of profile associated with the firewall policy that traffic used when the log message was recorded. | all except dlog, tlog, and nlog
profilegroup | varchar(255) | varchar(255) | The profile group associated with the firewall policy that traffic used when the log message was recorded. | all except dlog, tlog, and nlog
Application control log fields
The table below lists the fields defined in application control log tables (type rlog).
Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For application control logs, this field can be: request, cancel, accept, fail, download, stop, start, end, timeout, blocked, succeeded, failed, authentication-required, pass, block
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. This field will always display N/A in FortiOS.
kind | varchar(255) | varchar(255) | This field is an enum, and can be one of the following values: login, chat, file, photo, audio, call, regist, unregister, call-block, request, response
dir | varchar(255) | varchar(255) | The direction of the traffic. This field is an enum, and can be one of the following: incoming, outgoing, N/A
src_name | varchar(255) | varchar(255) | The name of the source or the source IP address.
dst_name | varchar(255) | varchar(255) | The destination name or destination IP address.
proto | int default 0 | smallint unsigned default 0 | The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA).
serial | bigint default 0 | int unsigned default 0 | Serial number of the log message.
app_list | varchar(255) | varchar(255) | The application control list (under UTM > Application Control > Application Control List on the FortiGate unit) that contains the policy that triggered this log item.
app_type | varchar(255) | varchar(255) | The application category.
app | varchar(255) | varchar(255) | The application name. You can look the application type up in UTM > Application Control > Application List, and then select the name that is in the field to go to more detailed information on the FortiGuard Encyclopedia.
action | varchar(255) | varchar(255) | The action the FortiGate unit took for this session or packet. This field is an enum and can be one of the following values: pass, block, monitor, kickout, encrypt-kickout, reject
count | bigint default 0 | int unsigned default 0 | Total number of blocked applications.
filename | varchar(255) | varchar(255) | The file name associated with the blocked application.
filesize | bigint default 0 | int unsigned default 0 | The file size of the file.
message | varchar(255) | varchar(255) | The blocked message of chat applications.
content | varchar(255) | varchar(255) | Content of the blocked applications.
reason | varchar(255) | varchar(255) | The reason why the log was recorded. This field is an enum, and can be one of the following values: meter-overload-drop, meter-overload-refuse, rate-limit, dialog-limit, long-header, unrecognized-form, unknown, block-request, invalid-ip, exceed-rate
req | varchar(255) | varchar(255) | Request.
phone | varchar(255) | varchar(255) | Phone number of the blocked application.
msg | varchar(255) | varchar(255) | Explains why the log was recorded.
attack_id | bigint default 0 | int unsigned default 0 | Attack ID.
Attack log fields
The table below lists the fields defined in attack log tables (type alog).
Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For attack logs, this field can be: detected, dropped, reset, reset_client, reset_server, drop_session, pass_session, clear_session
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
attack_id | bigint default 0 | int unsigned default 0 | The identification number of the attack log message.
severity | varchar(255) | varchar(255) | The specified severity level of the attack. This field is an enum, and can have one of the following values: info, low, medium, high, critical
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
sensor | varchar(255) | varchar(255) | The DLP sensor that was used.
icmp_id | varchar(255) | varchar(255) | The Internet Control Message Protocol (ICMP) message ID (returned for ECHO REPLY).
icmp_type | varchar(255) | varchar(255) | The ICMP message type.
icmp_code | varchar(255) | varchar(255) | The ICMP message code.
proto | smallint default 0 | tinyint unsigned default 0 | The protocol of the event.
ref | varchar(255) | varchar(255) | A reference URL to the FortiGuard IPS database for more information about the attack.
count | bigint default 0 | int unsigned default 0 | The number of times that attack was detected within a short period of time. This is useful when the attacks are DoS attacks.
incident_serialno | bigint default 0 | int unsigned default 0 | The unique ID for this attack. This number is used to cross-reference IPS packet logs.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. In this example, an attack occurred that could have caused a system crash.
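As an added example (not the guide's or Fortinet's code), the two queries below show how the attack log fields just listed combine with the common fields for triage: the status field separates attacks the IPS only detected from those it dropped or reset, severity narrows the set to high and critical, and summing count ranks the sources that got the most through. It assumes an in-memory SQLite table as a stand-in for the unit's database, a dtime window standing in for $filter, and constructed alog rows whose attack_id values are placeholders rather than real FortiGuard IDs.

```python
import sqlite3

# Constructed alog rows (not real log data). Columns are a subset of the common
# fields (dtime, src, dst, dst_port, pri) plus the attack-log fields status,
# severity, count, attack_id and msg. attack_id values are placeholders.
SAMPLE_ALOG = [
    ("2010-12-02 09:01:00", "203.0.113.7",   "192.0.2.10", 80,  "alert", "detected", "critical", 42, 11111, "constructed signature hit"),
    ("2010-12-02 09:05:00", "203.0.113.7",   "192.0.2.10", 80,  "alert", "dropped",  "critical", 17, 11111, "constructed signature hit"),
    ("2010-12-02 10:30:00", "198.51.100.23", "192.0.2.11", 443, "alert", "detected", "high",      3, 22222, "constructed anomaly"),
    ("2010-12-02 11:00:00", "198.51.100.23", "192.0.2.12", 22,  "alert", "detected", "info",    250, 33333, "constructed scan"),
    ("2010-12-01 23:59:00", "203.0.113.9",   "192.0.2.10", 80,  "alert", "detected", "critical",  9, 11111, "outside the window"),
]


def load_alog():
    conn = sqlite3.connect(":memory:")
    # "count" is quoted because it is also the name of an SQL aggregate function.
    conn.execute("""CREATE TABLE alog (
        dtime TEXT, src TEXT, dst TEXT, dst_port INTEGER, pri TEXT,
        status TEXT, severity TEXT, "count" INTEGER, attack_id INTEGER, msg TEXT)""")
    conn.executemany("INSERT INTO alog VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_ALOG)
    return conn


# status = 'detected' means the IPS saw the attack but took no blocking action
# (no drop, reset or drop_session). Restricted to high and critical severity and
# summed over count (repeats within a short period), this ranks what got through.
DETECTED_NOT_BLOCKED = """
SELECT src, dst, dst_port, attack_id, severity, SUM("count") AS hits
FROM alog
WHERE dtime >= ? AND dtime < ?
  AND status = 'detected'
  AND severity IN ('high', 'critical')
GROUP BY src, dst, dst_port, attack_id, severity
ORDER BY hits DESC, src
"""

# Per attack ID, how much was merely detected versus actually dropped or reset.
BLOCK_COVERAGE = """
SELECT attack_id,
       SUM(CASE WHEN status = 'detected' THEN "count" ELSE 0 END) AS detected,
       SUM(CASE WHEN status IN ('dropped', 'reset', 'reset_client',
                                'reset_server', 'drop_session')
                THEN "count" ELSE 0 END) AS blocked
FROM alog
WHERE dtime >= ? AND dtime < ?
GROUP BY attack_id
ORDER BY attack_id
"""


def detected_not_blocked(begin, end, conn=None):
    """Rows of (src, dst, dst_port, attack_id, severity, hits) for the window [begin, end)."""
    conn = conn or load_alog()
    return conn.execute(DETECTED_NOT_BLOCKED, (begin, end)).fetchall()


def block_coverage(begin, end, conn=None):
    """Rows of (attack_id, detected_count, blocked_count) for the window [begin, end)."""
    conn = conn or load_alog()
    return conn.execute(BLOCK_COVERAGE, (begin, end)).fetchall()


if __name__ == "__main__":
    window = ("2010-12-02 00:00:00", "2010-12-03 00:00:00")
    for row in detected_not_blocked(*window):
        print(row)
    for row in block_coverage(*window):
        print(row)
```

On the unit itself the same statements run against the device's alog table with $log and $filter in place of the literal table name and dtime range; an attack_id that shows a large detected figure and zero blocked is a sensor running in monitor rather than block mode for that signature.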
DLP archive / content log fields
The table below lists the fields defined in DLP archive / content log tables (type clog).
Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred.
clogver | smallint default 0 | tinyint unsigned default 0 | The version of the content log.
epoch | bigint default 0 | int unsigned default 0 | The unique number for each archive. It is used for cross reference purposes.
eventid | bigint default 0 | int unsigned default 0 | The ID of the archive event.
SN | bigint default 0 | int unsigned default 0 | The session number.
endpoint | varchar(255) | varchar(255) | The ID of the endpoint, such as MSISDN or account ID.
client | varchar(40) | varchar(40) | The IP of the client.
server | varchar(40) | varchar(40) | The IP of the server.
laddr | varchar(40) | varchar(40) | The local IP.
raddr | varchar(40) | varchar(40) | The remote IP.
cstatus | varchar(255) | varchar(255) | The cstatus field can be any one of the following: clean, infected, heuristic, banned_word, blocked, exempt, oversize, carrier_endpoint_filter (FortiOS Carrier only), mass_mms (FortiOS Carrier only), dlp, fragmented, spam, im_summary, im-message, im_file_request (a file was transferred), im_file_accept (a file was accepted), im_file_cancel, im_voice (an IM voice chat), im_photo_share_request (a photo was shared), im_photo_share_cancel, im_photo_share_stop, im_photo_xfer (a photo was transferred during the chat), voip, error
infection | varchar(255) | varchar(255) | The infection type. This field is an enum, and can be one of the following: bblock, fileexempt, file intercept, mms block, carrier end point filter, mms flood, mms duplicate, virus, virusrm, heuristic, html script, script filter, banned word, exempt word, oversize, virus, heuristic, worm, mime block, fragmented, exempt, ip blacklist, dnsbl, FortiGuard - AntiSpam ip blacklist, helo, emailblacklist, mimeheader, dns, FortiGuard - AntiSpam ase block, banned word, ipwhitelist, emailwhitelist, fewhitelist, headerwhitelist, wordwhitelist, dlp, dlpban, pass, mms content checksum
virus | varchar(255) | varchar(255) | The virus name.
rcvd | bigint default 0 | int unsigned default 0 | The number of bytes that were received from the client.
sent | bigint default 0 | int unsigned default 0 | The number of bytes that were received from the server.
method | varchar(255) | varchar(255) | The type of HTTP command used. For example, GET.
url | varchar(255) | varchar(255) | The URL address of the web site that was accessed.
cat | varchar(255) | varchar(255) | The http/https category.
cat_desc | varchar(255) | varchar(255) | The http/https category description.
to | varchar(255) | varchar(255) | To
from | varchar(255) | varchar(255) | From
subject | varchar(255) | varchar(255) | Subject
direction | varchar(255) | varchar(255) | Incoming or outgoing.
attachment | smallint default 0 | tinyint unsigned default 0 | Mail attachment present.
ftpcmd | varchar(255) | varchar(255) | The FTP command. This field is an enum and can be one of: NONE, USER, PASS, ACCT, STOR, RETR, QUIT
file | varchar(255) | varchar(255) | The archive file name.
local | varchar(255) | varchar(255) | The local user.
remote | varchar(255) | varchar(255) | The remote user.
proto | varchar(255) | varchar(255) | The protocol.
kind | varchar(255) | varchar(255) | The kind field can be any one of the following: summary, chat, file (a file was transferred), photo (photo sharing), photo-xref (a photo was transferred), audio (a voice chat), oversize (an oversized file), fileblock (a file was blocked), fileexempt, virus, dlp, call-block (SIP call blocked), call-info (SIP call information), call (SIP call), register (SIP register), unregister (SIP unregister)
action | varchar(255) | varchar(255) | The action.
dir | varchar(255) | varchar(255) | The direction, either "inbound" or "outbound".
messages | bigint default 0 | int unsigned default 0 | The message number.
start-date | varchar(255) | varchar(255) | The local start date.
end-date | varchar(255) | varchar(255) | The local end date.
content | varchar(255) | varchar(255) | IM chat content.
filename | varchar(255) | varchar(255) | File name.
filesize | bigint default 0 | int unsigned default 0 | File size.
message | varchar(255) | varchar(255) | Message.
conn-mode | varchar(255) | varchar(255) | Connection mode.
heuristic | varchar(255) | varchar(255) | Heuristic.
duration | bigint default 0 | int unsigned default 0 | The duration of the session.
reason | varchar(255) | varchar(255) | The reason.
phone | varchar(255) | varchar(255) | Phone number.
dlp_sensor | varchar(255) | varchar(255) | DLP sensor.
message_type | varchar(255) | varchar(255) | The message type. This field is an enum, and can be one of: request, response
request_name | varchar(255) | varchar(255) | Request name.
malform_desc | varchar(255) | varchar(255) | Malformed content description. This field is an enum, and can be one of the values listed in Table 45 on page 326.
malform_data | bigint default 0 | int unsigned default 0 | Malform data.
line | varchar(255) | varchar(255) | Line.
column | bigint default 0 | int unsigned default 0 | Column.
Table 45: Values for malform-desc
<att-field>-expected
<att-value>-expected
<bandwidth>-expected
<bwtype>-execpted
<callid>-expected
<CSeq-num>-expected
<delta-seconds>-expected
<encoding-name>-expected-in-rtpmap
<fmt>-expected
<gen-value>-expected
<generic-param>-with-invalid-<gen-value>
<integer>-expected
<m-attribute>-expected-after-SEMI
<m-subtype>-expected
<m-type>-expected
<media>-expected
<method>-does-not-match-the-request-line
<method>-expected
<Method>-expected-after-<CSeq-num>
<payload-type>-expected-in-rtpmap
<proto>-expected
<repeat-interval>-expected
<response-num>-expected
<seq>-number-expected
<sess-id>-expected
<sess-version>-expected
<text>-expected
<time>-expected
<token>-expected-in-<proto>-after-slash
<typed-time>-expected
<username>-exepcted
<word>-expected
boundary-parameter-appears-more-than-once
colon-expected
digits-expected
domain-label-oversize
domain-name-invalid
domain-name-oversize
duplicated-sip-header
empty-quoted-string
end-of-line-error
EQUAL-expected-after-<m-attribute>
expires-header-repeated
header-line-oversize
header-parameter-expected
IN-expected
invalid-<clock-rate>-in-rtpmap
invalid-<encoding-parameters>-in-rtpmap
invalid-<gen-value>
invalid-<m-value>
invalid-<protocol-name>
invalid-<protocol-version>
invalid-<quoted-string>-in-<gen-value>
invalid-<quoted-string>-in-<m-value>
invalid-<SIP-Version>-on-request-line
invalid-<start-time>
invalid-<stop-time>
invalid-<transport>
invalid-<userinfo>
invalid-branch-parameter
invalid-candidate-line
invalid-escape-encoding-in-<reason-phrase>
invalid-escape-encoding-in-<userinfo>
invalid-escape-encoding-in-uri-header
invalid-escape-encoding-in-uri-parameter
invalid-expires-parameter
invalid-fqdn
invalid-ipv4-address
invalid-ipv6-address
invalid-maddr-parameter
invalid-maxforwards
invalid-method-uri-parameter
invalid-port
invalid-port-after-ip-address-in-alt-line
invalid-port-after-ip-address-in-candidate-line
invalid-port-in-rtcp-line
invalid-q-parameter
invalid-quoted-string-in-display-name
invalid-quoting-character
invalid-received-parameter
invalid-rport-parameter
invalid-status-code
invalid-tag-parameter
invalid-transport-uri-parameter
invalid-ttl-parameter
invalid-ttl-uri-parameter
invalid-uri-header-name
invalid-uri-header-name-value-pair
invalid-uri-header-value
invalid-uri-parameter-pname
invalid-uri-parameter-value
invalid-user-uri-parameter
IP-expected
IP4-or-IP6-expected
ipv4-address-expected
IPv4-or-IPv6-address-expected
ipv6-address-expected
left-angle-bracket-is-mandatory
line-order-error
LWS-expected
missing-mandatory-field
msg-body-oversize
multipart-Content-Type-has-no-boundary
no-matching-double-quote
no-METHOD-on-request-line
no-SLASH-after-<protocol-name>
no-SLASH-after-<protocol-version>
no-tag-parameter
o-line-not-allowed-on-media-level
port-expected
port-not-allowed
r-line-not-allowed-on-media-level
right-angle-bracket-not-found
s-line-not-allowed-on-media-level
sdp-alt-line-before-m-line
sdp-candidate-line-before-m-line
sdp-invalid-alt-line
sdp-rtcp-line-before-m-line
sdp-v-o-s-t-lines-are-mandatory
sip-udp-message-truncated
sip-Yahoo-candidate-invalid-protocol
slash-expected-after-<encoding-name>-in-rtpmap
SLASH-expected-after-<m-type>
space-violation
syntax-malformed
t-line-not-allowed-on-media-level
token-expected
too-many-c-lines
too-many-candidate-lines
too-many-i-lines
too-many-m-lines
too-many-o-lines
too-many-rtcp-lines
too-many-s-lines
too-many-v-line
trailing-bytes
unexpected-character
unknown-header
unknown-scheme
uri-expected
uri-parameter-repeat
uri-parameters-not-allowed-by-RFC
v-line-not-allowed-on-media-level
whitespace-expected
z-line-not-allowed-on-media-level
via-parameter-repeat
Data Leak Prevention log fields
The table below lists the fields defined in data leak prevention log tables (type dlog).
Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For DLP logs, this field can be: detected, blocked
service | varchar(255) | varchar(255) | The service where the activity or event occurred. For DLP logs, this field is an enum, and can have one of the following values: http, https, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, nntp, im, smtps, pop3s, imaps
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
sport | int default 0 | smallint unsigned default 0 | The source port.
dport | int default 0 | smallint unsigned default 0 | The destination port.
hostname | varchar(255) | varchar(255) | The host name or IP address.
url | varchar(255) | varchar(255) | The URL address of the web site that was visited.
from | varchar(255) | varchar(255) | The sender’s email address.
to | varchar(255) | varchar(255) | The receiver’s email address.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded.
rulename | varchar(255) | varchar(255) | The name of the rule within the DLP sensor.
compoundname | varchar(255) | varchar(255) | The compound name.
action | varchar(255) | varchar(255) | The action that was specified within the rule. In some rules within sensors, you can specify content archiving. If no log type is specified, this field displays log-only. This field is an enum, and can have one of the following values: log-only, block, exempt, ban, ban sender, quarantine ip, quarantine interface
severity | smallint default 0 | tinyint unsigned default 0 | The level of severity for the specified rule.
Email filter log fields
The table below lists the fields defined in email filter log tables (type slog).
Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For email filter logs, this field can be: exempted, blocked, detected
service | varchar(255) | varchar(255) | The service where the activity or event occurred. For DLP logs, this field is an enum, and can have one of the following values: http, smtp, pop3, imap, ftp, mm1, mm3, mm4, mm7, im, nntp, https, smtps, imaps, pop3s
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
sport | int default 0 | smallint unsigned default 0 | The source port.
dport | int default 0 | smallint unsigned default 0 | The destination port.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
from | varchar(255) | varchar(255) | The sender’s email address.
to | varchar(255) | varchar(255) | The receiver’s email address.
banword | varchar(255) | varchar(255) | The name of the Banned Word policy.
tracker | varchar(255) | varchar(255) | Tracker
dir | varchar(255) | varchar(255) | The email direction. This field is an enum, and can have one of the following values: tx, rx
agent | varchar(255) | varchar(255) | This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.
msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. In this example, the sender’s email address is in the blacklist and matches the fourth email address in that list.
Event log fields
The table below lists the fields defined in event log tables (type elog).

| Field | PostgreSQL type | MySQL type | Description |
|---|---|---|---|
| status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For event logs, the possible values depend on the subcategory. ipsec: success, failure, negotiate_error, esp_error, dpd_failure. voip: start, end, timeout, blocked, succeeded, failed, authentication-required. gtp: forwarded, prohibited, rate-limited, state-invalid, tunnel-limited, traffic-count, user-data. |
| msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. |
| ssid | varchar(255) | varchar(255) | The service set identifier. |
| action | varchar(255) | varchar(255) | The action the FortiGate unit should take for this firewall policy. For event logs, the possible values depend on the subcategory of the event. ipsec: negotiate, error, install_sa, delete_phase1_sa, delete_ipsec_sa, dpd, tunnel-up, tunnel-down, tunnel-stats, phase2-up, phase2-down. nac-quarantine: ban-ip, ban-interface, ban-src-dst-ip. sslvpn-user: tunnel-up, tunnel-down, ssl-login-fail. sslvpn-admin: info. sslvpn-session: tunnel-stats, ssl-web-deny, ssl-web-pass, ssl-web-timeout, ssl-web-close, ssl-sys-busy, ssl-cert, ssl-new-con, ssl-alert, ssl-exit-fail, ssl-exit-error, tunnel-up, tunnel-down, tunnel-stats, ssl-tunnel-unknown-tag, ssl-tunnel-error. voip: permit, block, monitor, kickout, encrypt-kickout, cm-reject, exempt, ban, ban-user, log-only. his-performance: perf-stats. |
| session_id | bigint default 0 | int unsigned default 0 | The session ID. |
| count | bigint default 0 | int unsigned default 0 | The number of dropped SIP packets. |
| proto | varchar(255) | varchar(255) | The protocol. |
| cpu | smallint default 0 | tinyint unsigned default 0 | The CPU usage, for performance. |
| epoch | bigint default 0 | int unsigned default 0 | The unique number for each archive. It is used for cross-reference purposes. |
| mem | smallint default 0 | tinyint unsigned default 0 | The memory usage, for performance. |
| duration | bigint default 0 | int unsigned default 0 | The duration of the interval for item counts (such as infected, scanned, etc.) in this log entry. |
| infected | bigint default 0 | int unsigned default 0 | The number of infected messages. |
| from | varchar(255) | varchar(255) | Source IP address. |
| ha_group | smallint default 0 | tinyint unsigned default 0 | High availability group. |
| tunnel_id | bigint default 0 | int unsigned default 0 | Tunnel ID. |
| bssid | varchar(255) | varchar(255) | The basic service set identifier. |
| tunnel_type | varchar(255) | varchar(255) | Tunnel type. |
| event_id | bigint default 0 | int unsigned default 0 | Event ID. |
| ip | varchar(40) | varchar(40) | IP address. |
| ha_role | varchar(255) | varchar(255) | High availability role. |
| rem_ip | varchar(40) | varchar(40) | Remote IP (used in ipsec subcategory logs). |
| suspicious | bigint default 0 | int unsigned default 0 | The number of suspicious messages. |
| sn | varchar(255) | varchar(255) | Serial number of the event. |
| to | varchar(255) | varchar(255) | Destination IP address. |
| total_session | bigint default 0 | int unsigned default 0 | Total IP sessions. |
| ap | varchar(255) | varchar(255) | The physical AP name. |
| scanned | bigint default 0 | int unsigned default 0 | The number of scanned messages. |
| vcluster | bigint default 0 | int unsigned default 0 | Virtual cluster. |
| remote_ip | varchar(40) | varchar(40) | Remote IP (used in sslvpn-* subcategory logs). |
| carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A. |
| imsi | varchar(255) | varchar(255) | An International Mobile Subscriber Identity (IMSI) is a unique number associated with all GSM and UMTS network mobile phone users. |
| loc_ip | varchar(40) | varchar(40) | Local IP. |
| from_vcluster | bigint default 0 | int unsigned default 0 | From virtual cluster. |
| rem_port | int default 0 | smallint unsigned default 0 | Remote port. |
| msisdn | varchar(255) | varchar(255) | The MSISDN of the carrier endpoint. |
| tunnel_ip | varchar(40) | varchar(40) | Tunnel IP. |
| intercepted | bigint default 0 | int unsigned default 0 | The number of intercepted messages. |
| vap | varchar(255) | varchar(255) | The virtual AP name. |
| apn | varchar(255) | varchar(255) | The access point name. |
| out_intf | varchar(255) | varchar(255) | The out interface. |
| blocked | bigint default 0 | int unsigned default 0 | The number of blocked messages. |
| mac | varchar(255) | varchar(255) | MAC address. |
| to_vcluster | bigint default 0 | int unsigned default 0 | To virtual cluster. |
| acct_stat | varchar(255) | varchar(255) | The accounting state. This is an enum with one of the following values: Start, Stop, Interim-Update, Accounting-On, Accounting-Off. |
| selection | varchar(255) | varchar(255) | The selection. This is an enum with one of the following values: apns-vrf, ms-apn-no-vrf, net-apn-no-vrf. |
| reason | varchar(255) | varchar(255) | The reason this log was generated. |
| rate | smallint default 0 | tinyint unsigned default 0 | Traffic rate. |
| loc_port | int default 0 | smallint unsigned default 0 | Local port. |
| vcluster_member | bigint default 0 | int unsigned default 0 | Virtual cluster member. |
| vcluster_state | varchar(255) | varchar(255) | Virtual cluster state. |
| app-type | varchar(255) | varchar(255) | Application type. |
| nsapi | smallint default 0 | tinyint unsigned default 0 | Network Service Access Point Identifier, an identifier used in cellular data networks. |
| dport | int default 0 | smallint unsigned default 0 | Destination port. |
| channel | smallint default 0 | tinyint unsigned default 0 | Channel. |
| cookies | varchar(255) | varchar(255) | Cookies. |
| checksum | bigint default 0 | int unsigned default 0 | The number of messages blocked by content checksum. |
| dst_host | varchar(255) | varchar(255) | Destination host name or IP. |
| nf_type | varchar(255) | varchar(255) | The notification type. This is an enum with one of the following values: bword, file_block, carrier_ep_bwl, flood, dupe, alert, mms_checksum, virus. |
| vdname | varchar(255) | varchar(255) | The VDOM name. |
| linked-nsapi | smallint default 0 | tinyint unsigned default 0 | Linked Network Service Access Point Identifier. |
| next_stats | bigint default 0 | int unsigned default 0 | Next statistics. |
| virus | varchar(255) | varchar(255) | Virus name. |
| imei-sv | varchar(255) | varchar(255) | An International Mobile Equipment Identity (IMEI) is a number, usually unique, that identifies GSM, WCDMA, and iDEN mobile phones, as well as some satellite phones. |
| devintfname | varchar(255) | varchar(255) | The device interface name. |
| security | varchar(255) | varchar(255) | The wireless security. This field is an enum with one of the following values: open, wep64, wep128, wpa-psk, wpa-radius, wpa, wpa2, wpa2-auto. |
| policy_id | bigint default 0 | int unsigned default 0 | The policy ID that triggered this log. |
| rai | varchar(255) | varchar(255) | Routing Area Identification. |
| hostname | varchar(255) | varchar(255) | The host name or IP. |
| xauth_user | varchar(255) | varchar(255) | Authenticated user name. |
| uli | varchar(255) | varchar(255) | User Location Information. |
| xauth_group | varchar(255) | varchar(255) | Authenticated user group. |
| sent | numeric(20) default 0 | bigint unsigned default 0 | Number of bytes sent. |
| rcvd | numeric(20) default 0 | bigint unsigned default 0 | Number of bytes received. |
| sess_duration | bigint default 0 | int unsigned default 0 | The duration of the session. |
| hbdn_reason | varchar(255) | varchar(255) | Heartbeat down reason. This field is an enum with one of the following values: linkfail, neighbor-info-lost. |
| banned_src | varchar(255) | varchar(255) | Banned source. This field is an enum with one of the following values: ips, dos, dlp-rule, dlp-compound, av. |
| end-usraddress | varchar(40) | varchar(40) | End user address. |
| msg-type | smallint default 0 | tinyint unsigned default 0 | Message type. |
| sync_type | varchar(255) | varchar(255) | Synchronization type. This field is an enum with one of the following values: configurations, external-files. |
| banned_rule | varchar(255) | varchar(255) | Banned rule / reason. |
| vpn_tunnel | varchar(255) | varchar(255) | VPN tunnel. |
| sync_status | varchar(255) | varchar(255) | Synchronization status. This field is an enum with one of the following values: out-of-sync, in-sync. |
| alert | varchar(255) | varchar(255) | Alert. |
| sensor | varchar(255) | varchar(255) | Sensor name. |
| endpoint | varchar(255) | varchar(255) | The endpoint. |
| stage | smallint default 0 | tinyint unsigned default 0 | Stage. |
| voip_proto | varchar(255) | varchar(255) | This field is an enum with one of the following values: sip, sccp. |
| deny_cause | varchar(255) | varchar(255) | This field is an enum with one of the following values: packet-sanity, invalid-reserved-field, reserved-msg, out-state-msg, reserved-ie, out-state-ie, invalid-msg-length, invalid-ie-length, miss-mandatory-ie, ip-policy, non-ip-policy, sgsn-not-authorized, sgsn-no-handover, ggsn-not-authorized, invalid-seq-num, msg-filter, apn-filter, imsi-filter, adv-policy-filter. |
| desc | varchar(255) | varchar(255) | Description. |
| dir | varchar(255) | varchar(255) | Direction (inbound or outbound). |
| kind | varchar(255) | varchar(255) | This field is an enum with one of the following values: register, unregister, call, call-info, call-block. |
| init | varchar(255) | varchar(255) | This field is an enum with one of the following values: local, remote. |
| mode | varchar(255) | varchar(255) | This field is an enum with one of the following values: aggressive, main, quick, xauth, xauth_client. |
| cert-type | varchar(255) | varchar(255) | Certificate type. This field is an enum with one of the following values: CA, CRL, Local, Remote. |
| ui | varchar(255) | varchar(255) | User interface. |
| exch | varchar(255) | varchar(255) | This field is an enum with one of the following values: NSA_INIT, AUTH, CREATE_CHILD. |
| rat-type | varchar(255) | varchar(255) | This field is an enum with one of the following values: utran, geran, wlan, gan, hspa. |
| error_num | varchar(255) | varchar(255) | This field is an enum with one of the following values: Invalid ESP packet detected.; Invalid ESP packet detected (HMAC validation failed).; Invalid ESP packet detected (invalid padding).; Invalid ESP packet detected (invalid padding length).; Invalid ESP packet detected (replayed packet).; Received ESP packet with unknown SPI. |
| method | varchar(255) | varchar(255) | The method. |
| phase2_name | varchar(255) | varchar(255) | IPSec VPN Phase 2 name. |
| spi | varchar(255) | varchar(255) | IPSec VPN SPI. |
| c-sgsn | varchar(40) | varchar(40) | SGSN IP address for GTP signalling. |
| request_name | varchar(255) | varchar(255) | Request name. |
| seq | varchar(255) | varchar(255) | Sequence number. |
| c-ggsn | varchar(40) | varchar(40) | GGSN IP address for GTP signalling. |
| in_spi | varchar(255) | varchar(255) | Remote SPI in IPSec VPN configuration. |
| u-sgsn | varchar(40) | varchar(40) | SGSN IP address for GTP user traffic. |
| out_spi | varchar(255) | varchar(255) | Local SPI in IPSec VPN configuration. |
| u-ggsn | varchar(40) | varchar(40) | GGSN IP address for GTP user traffic. |
| c-sgsn-teid | bigint default 0 | int unsigned default 0 | SGSN TEID (tunnel endpoint identifier) for signalling. |
| enc_spi | varchar(255) | varchar(255) | Encryption SPI in IPSec VPN. |
| c-ggsn-teid | bigint default 0 | int unsigned default 0 | GGSN TEID for signalling. |
| dec_spi | varchar(255) | varchar(255) | Decryption SPI in IPSec VPN. |
| message_type | varchar(255) | varchar(255) | Message type. This field is an enum with one of the following values: request, response. |
| malform_desc | varchar(255) | varchar(255) | Malformed description. This field is an enum; see “Malform Description Values” (listed after this table) for the possible values. |
| tunnel | varchar(255) | varchar(255) | Tunnel name. |
| u-sgsn-teid | bigint default 0 | int unsigned default 0 | SGSN TEID for user traffic. |
| u-ggsn-teid | bigint default 0 | int unsigned default 0 | GGSN TEID for user traffic. |
| malform_data | bigint default 0 | int unsigned default 0 | Malformed data. |
| tunnel-idx | bigint default 0 | int unsigned default 0 | VPN tunnel index. |
| line | varchar(255) | varchar(255) | The content of the malformed SIP line. |
| column | bigint default 0 | int unsigned default 0 | The position of the syntax error in the SIP line. |
| c-pkts | numeric(20) default 0 | bigint unsigned default 0 | Number of packets for signalling. |
| phone | varchar(255) | varchar(255) | SCCP phone device name. |
| profile_group | varchar(255) | varchar(255) | Profile group name. |
| c-bytes | numeric(20) default 0 | bigint unsigned default 0 | Number of bytes for signalling. |
| u-pkts | numeric(20) default 0 | bigint unsigned default 0 | Number of packets used for traffic. |
| profile_type | varchar(255) | varchar(255) | Profile type. |
| u-bytes | numeric(20) default 0 | bigint unsigned default 0 | Number of bytes used for traffic. |
| next_stat | bigint default 0 | int unsigned default 0 | Next stat. |
| user_data | varchar(255) | varchar(255) | User data. |
| role | varchar(255) | varchar(255) | This field is an enum with one of the following values: responder, initiator. |
| result | varchar(255) | varchar(255) | This field is an enum with one of the following values: ERROR, OK, DONE, PENDING. |
| xauth_result | varchar(255) | varchar(255) | Authorization result. This field is an enum with one of the following values: XAUTH authentication successful; XAUTH authentication failed. |
| esp_transform | varchar(255) | varchar(255) | ESP transform. This field is an enum with one of the following values: ESP_NULL, ESP_DES, ESP_3DES, ESP_AES. |
| esp_auth | varchar(255) | varchar(255) | ESP authorization. This field is an enum with one of the following values: no authentication, HMAC_SHA1, HMAC_MD5, HMAC_SHA256. |
| error_reason | varchar(255) | varchar(255) | Text explanation for the error. This field is an enum with one of the following values: invalid certificate; invalid SA payload; probable preshared key mismatch; peer SA proposal not match local policy; peer notification; not enough key material for tunnel; encapsulation mode mismatch; no matching gateway for new request; aggressive vs main mode mismatch for new request. |
| peer_notif | varchar(255) | varchar(255) | Peer notification. This field is an enum with one of the following values: NOT-APPLICABLE, INVALID-PAYLOAD-TYPE, DOI-NOT-SUPPORTED, SITUATION-NOT-SUPPORTED, INVALID-COOKIE, INVALID-MAJOR-VERSION, INVALID-MINOR-VERSION, INVALID-EXCHANGE-TYPE, INVALID-FLAGS, INVALID-MESSAGE-ID, INVALID-PROTOCOL-ID, INVALID-SPI, INVALID-TRANSFORM-ID, ATTRIBUTES-NOT-SUPPORTED, NO-PROPOSAL-CHOSEN, BAD-PROPOSAL-SYNTAX, PAYLOAD-MALFORMED, INVALID-KEY-INFORMATION, INVALID-ID-INFORMATION, INVALID-CERT-ENCODING, INVALID-CERTIFICATE, BAD-CERT-REQUEST-SYNTAX, INVALID-CERT-AUTHORITY, INVALID-HASH-INFORMATION, AUTHENTICATION-FAILED, INVALID-SIGNATURE, ADDRESS-NOTIFICATION, NOTIFY-SA-LIFETIME, CERTIFICATE-UNAVAILABLE, UNSUPPORTED-EXCHANGE-TYPE, UNEQUAL-PAYLOAD-LENGTHS, CONNECTED, RESPONDER-LIFETIME, REPLAY-STATUS, INITIAL-CONTACT, R-U-THERE, R-U-THERE-ACK, HEARTBEAT, RETRY-LIMIT-REACHED. |
Malform Description Values
• unexpected-character
• invalid-quoting-character
• trailing-bytes
• header-line-oversize
• msg-body-oversize
• domain-name-oversize
• domain-label-oversize
• syntax-malformed
• duplicated-sip-header
• space-violation
• invalid-ipv4-address
• invalid-ipv6-address
• invalid-port
• invalid-fqdn
• no-matching-double-quote
• empty-quoted-string
• invalid-<userinfo>
• invalid-escape-encoding-in-<userinfo>
• invalid-escape-encoding-in-uri-parameter
• invalid-escape-encoding-in-uri-header
• invalid-escape-encoding-in-<reason-phrase>
• port-expected
• port-not-allowed
• domain-name-invalid
• <gen-value>-expected
• invalid-<gen-value>
• invalid-<quoted-string>-in-<gen-value>
• ipv4-address-expected
• ipv6-address-expected
• uri-expected
• invalid-transport-uri-parameter
• invalid-user-uri-parameter
• invalid-method-uri-parameter
• invalid-ttl-uri-parameter
• invalid-uri-parameter-pname
• invalid-uri-parameter-value
• uri-parameter-repeat
• invalid-uri-header-name
• invalid-uri-header-value
• invalid-uri-header-name-value-pair
• invalid-quoted-string-in-display-name
• left-angle-bracket-is-mandatory
• right-angle-bracket-not-found
• invalid-status-code
• no-METHOD-on-request-line
• uri-parameters-not-allowed-by-RFC
• unknown-scheme
• whitespace-expected
• LWS-expected
• invalid-<SIP-Version>-on-request-line
• invalid-<protocol-name>
• invalid-<protocol-version>
• invalid-<transport>
• no-SLASH-after-<protocol-name>
• no-SLASH-after-<protocol-version>
• header-parameter-expected
• invalid-ttl-parameter
• invalid-maddr-parameter
• invalid-received-parameter
• invalid-branch-parameter
• invalid-rport-parameter
• via-parameter-repeat
• <seq>-number-expected
• <method>-expected
• <method>-does-not-match-the-request-line
• <response-num>-expected
• <CSeq-num>-expected
• <Method>-expected-after-<CSeq-num>
• expires-header-repeated
• <delta-seconds>-expected
• invalid-max-forwards
• token-expected
• invalid-expires-parameter
• invalid-q-parameter
• <generic-param>-with-invalid-<gen-value>
• <m-type>-expected
• SLASH-expected-after-<m-type>
• <m-subtype>-expected
• <m-attribute>-expected-after-SEMI
• boundary-parameter-appears-more-than-once
• EQUAL-expected-after-<m-attribute>
• invalid-<quoted-string>-in-<m-value>
• invalid-<m-value>
• multipart-Content-Type-has-no-boundary
• digits-expected
• IN-expected
• IP-expected
• IP4-or-IP6-expected
• IPv4-or-IPv6-address-expected
• line-order-error
• z-line-not-allowed-on-media-level
• <time>-expected
• <typed-time>-expected
• r-line-not-allowed-on-media-level
• <repeat-interval>-expected
• <bwtype>-execpted
• colon-expected
• <bandwidth>-expected
• t-line-not-allowed-on-media-level
• invalid-<start-time>
• invalid-<stop-time>
• too-many-i-lines
• <text>-expected
• too-many-c-lines
• too-many-v-line
• v-line-not-allowed-on-media-level
• too-many-o-lines
• o-line-not-allowed-on-media-level
• <username>-exepcted
• <sess-id>-expected
• <sess-version>-expected
• too-many-s-lines
• s-line-not-allowed-on-media-level
• too-many-m-lines
• <media>-expected
• <integer>-expected
• <proto>-expected
• <token>-expected-in-<proto>-after-slash
• <fmt>-expected
• <att-field>-expected
• <att-value>-expected
• <payload-type>-expected-in-rtpmap
• <encoding-name>-expected-in-rtpmap
• slash-expected-after-<encoding-name>-in-rtpmap
• invalid-<clock-rate>-in-rtpmap
• invalid-<encoding-parameters>-in-rtpmap
• invalid-candidate-line
• sdp-candidate-line-before-m-line
• sip-Yahoo-candidate-invalid-protocol
• invalid-port-after-ip-address-in-candidate-line
• too-many-candidate-lines
• sdp-invalid-alt-line
• sdp-alt-line-before-m-line
• invalid-port-after-ip-address-in-alt-line
• sdp-rtcp-line-before-m-line
• invalid-port-in-rtcp-line
• too-many-rtcp-lines
• <callid>-expected
• <word>-expected
• invalid-tag-parameter
• no-tag-parameter
• sdp-v-o-s-t-lines-are-mandatory
• unknown-header
• end-of-line-error
• sip-udp-message-truncated
• missing-mandatory-field
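The event log table documents the status and action enums per subcategory, which is exactly what a detection query keys on. The following Python script is an added example and is not part of the FortiAnalyzer guide: it models a subset of the documented elog columns (status, action, rem_ip, remote_ip, xauth_user, error_reason) in an in-memory SQLite table, loads constructed sample rows, and runs two defender queries: repeated SSL VPN login failures per remote_ip (action ssl-login-fail in subcategory sslvpn-user, reporting how many distinct user names were tried) and IPsec negotiation failures per peer and documented error_reason (status negotiate_error). The subcategory and itime columns are assumptions here; they belong to the common log fields rather than to this table. The SQL is kept to forms that PostgreSQL and MySQL accept as well.

```python
"""Detection queries over FortiAnalyzer-style event log (elog) rows.

Added example, not from the FortiAnalyzer guide. Column names follow the
event log field table; `subcategory` and `itime` are assumed columns.
"""
import sqlite3

# Column subset taken from the event log field table; `itime` (event time,
# epoch seconds) and `subcategory` are assumptions for this example.
ELOG_DDL = """
CREATE TABLE elog (
    itime        INTEGER,  -- assumed: event time as epoch seconds
    subcategory  TEXT,     -- assumed: ipsec, sslvpn-user, voip, ...
    status       TEXT,     -- documented enum, depends on subcategory
    action       TEXT,     -- documented enum, depends on subcategory
    rem_ip       TEXT,     -- remote IP (ipsec subcategory logs)
    remote_ip    TEXT,     -- remote IP (sslvpn-* subcategory logs)
    xauth_user   TEXT,     -- authenticated user name
    error_reason TEXT      -- documented enum of IKE error explanations
)
"""

# Constructed sample rows using RFC 5737 documentation addresses; not real logs.
SAMPLE_ROWS = [
    # itime, subcategory, status, action, rem_ip, remote_ip, xauth_user, error_reason
    (1000, "sslvpn-user", None, "ssl-login-fail", None, "203.0.113.10", "alice", None),
    (1010, "sslvpn-user", None, "ssl-login-fail", None, "203.0.113.10", "bob", None),
    (1020, "sslvpn-user", None, "ssl-login-fail", None, "203.0.113.10", "carol", None),
    (1030, "sslvpn-user", None, "ssl-login-fail", None, "203.0.113.10", "dave", None),
    (1040, "sslvpn-user", None, "ssl-login-fail", None, "203.0.113.10", "erin", None),
    (1050, "sslvpn-user", None, "tunnel-up", None, "198.51.100.7", "frank", None),
    (1060, "sslvpn-user", None, "ssl-login-fail", None, "198.51.100.7", "frank", None),
    (1100, "ipsec", "negotiate_error", "negotiate", "192.0.2.50", None, None,
     "probable preshared key mismatch"),
    (1105, "ipsec", "negotiate_error", "negotiate", "192.0.2.50", None, None,
     "probable preshared key mismatch"),
    (1110, "ipsec", "success", "install_sa", "192.0.2.60", None, None, None),
    (1120, "ipsec", "negotiate_error", "negotiate", "192.0.2.60", None, None,
     "peer SA proposal not match local policy"),
]


def load_sample_db() -> sqlite3.Connection:
    """Create the in-memory elog table and insert the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(ELOG_DDL)
    conn.executemany("INSERT INTO elog VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def sslvpn_login_failures(conn, window_start, window_end, threshold):
    """Remote IPs with at least `threshold` ssl-login-fail events in the time
    window, with the number of distinct user names tried. Many failures
    against many distinct users from one address is a spraying pattern;
    many failures against one user is a guessing pattern."""
    sql = """
        SELECT remote_ip,
               COUNT(*)                   AS failures,
               COUNT(DISTINCT xauth_user) AS distinct_users
        FROM elog
        WHERE subcategory = 'sslvpn-user'
          AND action = 'ssl-login-fail'
          AND itime BETWEEN ? AND ?
        GROUP BY remote_ip
        HAVING COUNT(*) >= ?
        ORDER BY failures DESC
    """
    return conn.execute(sql, (window_start, window_end, threshold)).fetchall()


def ipsec_negotiation_errors(conn):
    """IKE negotiation failures per peer and documented error_reason, so a
    persistent 'probable preshared key mismatch' from one peer stands out."""
    sql = """
        SELECT rem_ip, error_reason, COUNT(*) AS n
        FROM elog
        WHERE subcategory = 'ipsec' AND status = 'negotiate_error'
        GROUP BY rem_ip, error_reason
        ORDER BY n DESC, rem_ip
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    for row in sslvpn_login_failures(db, 0, 2000, 3):
        print("SSL VPN login failures:", row)
    for row in ipsec_negotiation_errors(db):
        print("IPsec negotiate_error:", row)
```

On the sample data the first query reports 203.0.113.10 with five failures against five distinct users, while 198.51.100.7 stays below the threshold; the second query returns two rows, one per peer and reason.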
Traffic log fields
The table below lists the fields defined in traffic log tables (type tlog).

| Field | PostgreSQL type | MySQL type | Description |
|---|---|---|---|
| status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For traffic logs, this field can be: accept, deny, start. |
| dir_disp | varchar(255) | varchar(255) | The direction of the sessions. Org displays if a session is not a child session or the child session originated in the same direction as the master session. Reply displays if a different direction is taken from the master session. |
| tran_disp | varchar(255) | varchar(255) | Whether the packet is source NAT translated or destination NAT translated. This field is an enum with one of the following values: noop, snat, dnat. |
| srcname | varchar(255) | varchar(255) | The source name or IP address. |
| dstname | varchar(255) | varchar(255) | The destination name or IP address. |
| tran_ip | varchar(40) | varchar(40) | The translated IP in NAT mode. For transparent mode, it is “0.0.0.0”. |
| tran_port | int default 0 | smallint unsigned default 0 | The translated port number in NAT mode. For transparent mode, it is zero (0). |
| proto | int default 0 | smallint unsigned default 0 | The protocol that applies to the session or packet: the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Numbers Authority (IANA). |
| app_type | varchar(255) | varchar(255) | The application or program used. This field is an enum with one of the following values: N/A, BitTorrent, eDonkey, Gnutella, KaZaa, Skype, WinNY, AIM, ICQ, MSN, YAHOO. |
| duration | bigint default 0 | int unsigned default 0 | The duration value, in seconds. |
| rule | bigint default 0 | int unsigned default 0 | The rule number. |
| sent | bigint default 0 | int unsigned default 0 | The total number of bytes sent. |
| rcvd | bigint default 0 | int unsigned default 0 | The total number of bytes received. |
| sent_pkt | bigint default 0 | int unsigned default 0 | The total number of packets sent during the session. |
| rcvd_pkt | bigint default 0 | int unsigned default 0 | The total number of packets received during the session. |
| vpn | varchar(255) | varchar(255) | The name of the VPN tunnel used by the traffic. |
| SN | bigint default 0 | int unsigned default 0 | The serial number of the log message. |
| carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A. |
| wanopt_app_type | varchar(255) | varchar(255) | The type of WAN optimization that was used. This field is an enum with one of the following values: web-cache, cifs, tcp, ftp, mapi, http. |
| wan_in | bigint default 0 | int unsigned default 0 | This field always displays WAN in. |
| wan_out | bigint default 0 | int unsigned default 0 | This field always displays WAN out. |
| lan_in | bigint default 0 | int unsigned default 0 | This field always displays LAN in. |
| lan_out | bigint default 0 | int unsigned default 0 | This field always displays LAN out. |
| app | varchar(255) | varchar(255) | The type of application. On the FortiGate unit, you can look the application type up in UTM > Application Control > Application List, and then select the name that is in the field to go to more detailed information on the FortiGuard Encyclopedia. |
| app_cat | varchar(255) | varchar(255) | The application category that the application is associated with. |
| shaper_drop_sent | bigint default 0 | int unsigned default 0 | The number of sent traffic shaper bytes that were dropped. |
| shaper_drop_rcvd | bigint default 0 | int unsigned default 0 | The number of received traffic shaper bytes that were dropped. |
| perip_drop | bigint default 0 | int unsigned default 0 | The number of per-IP traffic shaper bytes that were dropped. |
| shaper_sent_name | varchar(255) | varchar(255) | The name of the traffic shaper sending the bytes. |
| shaper_rcvd_name | varchar(255) | varchar(255) | The name of the traffic shaper receiving the bytes. |
| perip_name | varchar(255) | varchar(255) | The name of the per-IP traffic shaper. |
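Every row in these tables carries two type declarations, one per back end, and they do not cover the same range: the traffic log byte counters are bigint on PostgreSQL but int unsigned on MySQL, while the event log byte counters are numeric(20) and bigint unsigned. A report or import that works on one back end can therefore reject or misstate a value on the other. The following Python helpers are an added example, not code from the FortiAnalyzer guide: they parse the type declarations exactly as printed in the tables above, compute the range each dialect can store, intersect the two, and check a traffic log row against the ranges its documented types imply. The TLOG_TYPES mapping reproduces the type pairs from the traffic log table; the integer ranges are the standard ones for each dialect.

```python
"""Range checks for the PostgreSQL/MySQL column type pairs documented for
FortiAnalyzer log tables.

Added example, not from the FortiAnalyzer guide. Type strings are copied
from the traffic log field table; range arithmetic is standard per dialect.
"""
import re

# PostgreSQL signed integer ranges by base type name.
_PG_RANGES = {
    "smallint": (-2**15, 2**15 - 1),
    "int": (-2**31, 2**31 - 1),
    "bigint": (-2**63, 2**63 - 1),
}
# MySQL integer widths in bits; UNSIGNED moves the whole range above zero.
_MY_BITS = {"tinyint": 8, "smallint": 16, "int": 32, "bigint": 64}


def pg_range(type_decl: str):
    """Range of a documented PostgreSQL declaration such as 'bigint default 0'
    or 'numeric(20) default 0' (numeric(p) with no scale holds p-digit integers)."""
    base = type_decl.split()[0]
    m = re.fullmatch(r"numeric\((\d+)\)", base)
    if m:
        limit = 10 ** int(m.group(1)) - 1
        return (-limit, limit)
    return _PG_RANGES[base]


def my_range(type_decl: str):
    """Range of a documented MySQL declaration such as 'int unsigned default 0'."""
    tokens = type_decl.split()
    bits = _MY_BITS[tokens[0]]
    if len(tokens) > 1 and tokens[1] == "unsigned":
        return (0, 2**bits - 1)
    return (-2**(bits - 1), 2**(bits - 1) - 1)


def common_range(pg_decl: str, my_decl: str):
    """Range a value must fall in to be storable unchanged on both back ends."""
    pg_lo, pg_hi = pg_range(pg_decl)
    my_lo, my_hi = my_range(my_decl)
    return (max(pg_lo, my_lo), min(pg_hi, my_hi))


# Numeric traffic log (tlog) columns with the type pairs from the table above.
TLOG_TYPES = {
    "tran_port": ("int default 0", "smallint unsigned default 0"),
    "proto":     ("int default 0", "smallint unsigned default 0"),
    "duration":  ("bigint default 0", "int unsigned default 0"),
    "rule":      ("bigint default 0", "int unsigned default 0"),
    "sent":      ("bigint default 0", "int unsigned default 0"),
    "rcvd":      ("bigint default 0", "int unsigned default 0"),
    "sent_pkt":  ("bigint default 0", "int unsigned default 0"),
    "rcvd_pkt":  ("bigint default 0", "int unsigned default 0"),
    "SN":        ("bigint default 0", "int unsigned default 0"),
    "shaper_drop_sent": ("bigint default 0", "int unsigned default 0"),
    "shaper_drop_rcvd": ("bigint default 0", "int unsigned default 0"),
    "perip_drop":       ("bigint default 0", "int unsigned default 0"),
}


def check_tlog_row(row: dict):
    """Return the names of numeric tlog fields in `row` whose value lies
    outside the range both documented types can store. Fields not in
    TLOG_TYPES (text columns) are ignored."""
    out_of_range = []
    for name, value in row.items():
        if name not in TLOG_TYPES:
            continue
        lo, hi = common_range(*TLOG_TYPES[name])
        if not lo <= value <= hi:
            out_of_range.append(name)
    return out_of_range


if __name__ == "__main__":
    # Constructed row: a 4 GiB transfer overflows MySQL int unsigned for `sent`.
    sample = {"srcname": "192.0.2.10", "sent": 2**32, "rcvd": 1024,
              "tran_port": 443, "proto": 6, "duration": 30}
    print("tlog common range for sent:", common_range(*TLOG_TYPES["sent"]))
    print("fields out of range:", check_tlog_row(sample))
```

The practical consequence for a traffic log on MySQL is that sent and rcvd saturate at 4,294,967,295 bytes, whereas the same counters in the event log table (numeric(20) / bigint unsigned) do not; the check above flags such rows before they are aggregated into a report.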
Antivirus log fields
The table below lists the fields defined in antivirus log tables (type vlog).

| Field | PostgreSQL type | MySQL type | Description |
|---|---|---|---|
| status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For antivirus logs, this field can be: blocked, passthrough, monitored. |
| msg | varchar(255) | varchar(255) | Explains the activity or event that the FortiGate unit recorded. For example, the file that was downloaded from the web site exceeded the specified size limit. |
| sport | int default 0 | smallint unsigned default 0 | The source port the traffic originates from. |
| dport | int default 0 | smallint unsigned default 0 | The destination port the traffic is going to. |
| serial | bigint default 0 | int unsigned default 0 | The serial number of the log message. |
| dir | varchar(255) | varchar(255) | Direction. |
| filefilter | varchar(255) | varchar(255) | The file filter. This field is an enum with one of the following values: none, file pattern, file type. |
| filetype | varchar(255) | varchar(255) | The file type. This field is an enum with one of the following values: arj, cab, lzh, rar, tar, zip, bzip, gzip, bzip2, bat, msc, uue, mime, base64, binhex, com, elf, exe, hta, html, jad, class, cod, javascript, msoffice, fsg, upx, petite, aspack, prc, sis, hlp, activemime, jpeg, gif, tiff, png, bmp, ignored, unknown. |
| file | varchar(255) | varchar(255) | The file name. |
| checksum | varchar(255) | varchar(255) | The file checksum. |
| quarskip | varchar(255) | varchar(255) | This field is an enum with one of the following values: No skip; No quarantine for HTTP GET file pattern block.; No quarantine for oversized files.; File was not quarantined. |
| virus | varchar(255) | varchar(255) | The virus name. |
| ref | varchar(255) | varchar(255) | The URL reference that gives more information about the virus. If you enter the URL in your web browser’s address bar, it takes you to the page that contains information about the virus. |
| url | varchar(255) | varchar(255) | The URL from which the file was acquired. |
| carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A. |
| agent | varchar(255) | varchar(255) | This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A. |
| from | varchar(255) | varchar(255) | The from email address. |
| to | varchar(255) | varchar(255) | The to email address. |
| command | varchar(255) | varchar(255) | Protocol-specific command, such as “POST” and “GET” for HTTP, or “MODE” and “REST” for FTP. |
| dtype | varchar(255) | varchar(255) | Detection type. Possible values: virus, grayware. |
Web filter log fields
The table below lists the fields defined in web filter log tables (type wlog).

Field | PostgreSQL type | MySQL type | Description
status | varchar(255) | varchar(255) | The status of the action the FortiGate unit took when the event occurred. For web filter logs, this field can be: blocked, exempted, allowed, passthrough, filtered, DLP.
serial | bigint default 0 | int unsigned default 0 | The serial number of the log message.
sport | int default 0 | smallint unsigned default 0 | The source port.
dport | int default 0 | smallint unsigned default 0 | The destination port.
hostname | varchar(255) | varchar(255) | The host name or IP.
carrier_ep | varchar(255) | varchar(255) | The FortiOS Carrier end-point identification. For example, it would display the MSISDN of the phone that sent the MMS message. If you do not have FortiOS Carrier, this field always displays N/A.
req_type | varchar(255) | varchar(255) | The request type. This field is an enum, and can have one of the following values: direct, referral.
url | varchar(255) | varchar(255) | The URL.
msg | varchar(255) | varchar(255) | A text message explaining the log entry. For example, 'Message was blocked because it contained a banned word.'
dir | varchar(255) | varchar(255) | The direction.
agent | varchar(255) | varchar(255) | This field is for FortiGate units running FortiOS Carrier. If you do not have FortiOS Carrier running on your FortiGate unit, this field always displays N/A.
from | varchar(255) | varchar(255) | From
to | varchar(255) | varchar(255) | To
banword | varchar(255) | varchar(255) | The name of the banned word policy that triggered the log event.
error | varchar(255) | varchar(255) | The webfilter error.
method | varchar(255) | varchar(255) | The HTTP method. This field is an enum, and can have one of the following values: ip, domain.
class | smallint default 0 | tinyint unsigned default 0 | Class
class_desc | varchar(255) | varchar(255) | Class description
cat | smallint default 0 | tinyint unsigned default 0 | Category
cat_desc | varchar(255) | varchar(255) | Category description
mode | varchar(255) | varchar(255) | The mode. Can be 'rule' or 'off-site'.
rule_type | varchar(255) | varchar(255) | Rule type. This field is an enum, and can have one of the following values: directory, domain, rating.
rule_data | varchar(255) | varchar(255) | Rule data
ovrd_tbl | varchar(255) | varchar(255) | Override table
ovrd_id | bigint default 0 | int unsigned default 0 | Override ID
count | bigint default 0 | int unsigned default 0 | The number of scripts blocked by the scriptfilter within the page.
url_type | varchar(255) | varchar(255) | URL type. This field is an enum, and can have one of the following values: http, https, ftp, telnet, mail.
urlfilter_idx | bigint default 0 | int unsigned default 0 | URL filter index
urlfilter_list | varchar(255) | varchar(255) | URL filter list
quota_exceeded | varchar(255) | varchar(255) | Quota exceeded. Can be 'yes' or 'no'.
quota_used | bigint default 0 | int unsigned default 0 | Quota time used (in seconds).
quota_max | bigint default 0 | int unsigned default 0 | Maximum quota time allowed (in seconds).
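Two queries over the wlog fields above, as an added example that is not part of the guide: one counts blocked requests per category description using the status enum, the other reports how much of a time quota each host has consumed from quota_used and quota_max. The rows are constructed, SQLite stands in for PostgreSQL/MySQL, and the assumption that a row with no quota keeps the column default of 0 is the example's own.

```python
import sqlite3

# Constructed sample rows for a FortiAnalyzer web filter (wlog) table. Only the
# columns this example uses are declared; names and types follow the field table
# above. Hostnames and categories are invented for illustration.
WLOG_ROWS = [
    # (hostname, status, cat_desc, quota_exceeded, quota_used, quota_max)
    ("social.example", "blocked", "Social Networking", "no", 0, 0),
    ("social.example", "blocked", "Social Networking", "no", 0, 0),
    ("video.example", "allowed", "Streaming Media", "no", 1500, 1800),
    ("video.example", "blocked", "Streaming Media", "yes", 1800, 1800),
    ("news.example", "allowed", "News and Media", "no", 0, 0),
    ("proxy.example", "blocked", "Proxy Avoidance", "no", 0, 0),
    ("mail.example", "passthrough", "Web-based Email", "no", 0, 0),
]


def load_wlog():
    """Build an in-memory wlog table (SQLite stands in for PostgreSQL/MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wlog (hostname VARCHAR(255), status VARCHAR(255), "
        "cat_desc VARCHAR(255), quota_exceeded VARCHAR(255), "
        "quota_used INTEGER DEFAULT 0, quota_max INTEGER DEFAULT 0)"
    )
    conn.executemany("INSERT INTO wlog VALUES (?, ?, ?, ?, ?, ?)", WLOG_ROWS)
    return conn


def blocked_by_category(conn):
    """Blocked requests per category description, most-blocked first.

    The status enum is matched exactly, so 'allowed', 'passthrough' and the
    other values listed in the field table are left out of the count."""
    return conn.execute(
        "SELECT cat_desc, COUNT(*) AS totalnum FROM wlog "
        "WHERE status = 'blocked' AND cat_desc IS NOT NULL "
        "GROUP BY cat_desc ORDER BY totalnum DESC, cat_desc"
    ).fetchall()


def quota_usage(conn):
    """Per host and quota state, the highest share (percent) of the time quota
    seen in the logs. quota_used and quota_max are both in seconds. Assumed:
    a row with no quota configured keeps quota_max at its default of 0, so
    such rows are skipped, which also avoids dividing by zero."""
    return conn.execute(
        "SELECT hostname, quota_exceeded, MAX(quota_used) * 100 / quota_max "
        "AS pct_used FROM wlog WHERE quota_max > 0 "
        "GROUP BY hostname, quota_exceeded, quota_max ORDER BY pct_used DESC"
    ).fetchall()
```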
Netscan log fields
The table below lists the fields defined in vulnerability / netscan log tables (type nlog).

Field | PostgreSQL type | MySQL type | Description
action | varchar(255) | varchar(255) | The nature of the event. This field is an enum, and can have one of the following values: scan, vuln-detection, host-detection, service-detection.
start | bigint default 0 | int unsigned default 0 | GMT epoch time the scan was started.
end | bigint default 0 | int unsigned default 0 | GMT epoch time the scan was started.
engine | varchar(255) | varchar(255) | The netscan engine version.
plugin | varchar(255) | varchar(255) | The version of netscan plugins.
ip | varchar(40) | varchar(40) | The IP of the scanned asset.
proto | varchar(255) | varchar(255) | The protocol. Can be: tcp, udp.
port | int default 0 | smallint unsigned default 0 | The port scanned.
vuln | varchar(255) | varchar(255) | The name of the vulnerability found.
vuln_cat | varchar(255) | varchar(255) | The found vulnerability category.
vuln_id | bigint default 0 | int unsigned default 0 | The found vulnerability ID.
vuln_ref | varchar(255) | varchar(255) | A link to the detected vulnerability in FortiGuard.
severity | varchar(255) | varchar(255) | The severity of the vulnerability. This field is an enum, and can have one of the following values: critical, high, medium, low, info.
os | varchar(255) | varchar(255) | The operating system of the scanned asset.
os_family | varchar(255) | varchar(255) | The family of the operating system on the scanned asset.
os_gen | varchar(255) | varchar(255) | The generation of the operating system on the scanned asset.
os_vendor | varchar(255) | varchar(255) | The vendor of the operating system on the scanned asset.
message | varchar(255) | varchar(255) | Informational message.
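An added example, not from the guide, of reporting on the nlog fields above: because severity is a text enum, ordering it alphabetically puts 'info' ahead of 'low' and 'medium', so the queries rank it with a CASE expression and count only action = 'vuln-detection' rows. The rows, IPs and vuln names are constructed placeholders, and SQLite stands in for PostgreSQL/MySQL.

```python
import sqlite3

# Constructed sample rows for a FortiAnalyzer netscan (nlog) table, following
# the field table above. IPs, vuln names and IDs are invented placeholders.
NLOG_ROWS = [
    # (action, ip, port, vuln, vuln_id, severity)
    ("scan", "10.0.0.5", 0, None, 0, None),
    ("vuln-detection", "10.0.0.5", 80, "vuln-placeholder-1", 1001, "critical"),
    ("vuln-detection", "10.0.0.5", 22, "vuln-placeholder-2", 1002, "high"),
    ("vuln-detection", "10.0.0.5", 443, "vuln-placeholder-3", 1003, "info"),
    ("scan", "10.0.0.9", 0, None, 0, None),
    ("vuln-detection", "10.0.0.9", 21, "vuln-placeholder-2", 1002, "high"),
    ("vuln-detection", "10.0.0.9", 80, "vuln-placeholder-4", 1004, "medium"),
    ("vuln-detection", "10.0.0.9", 8080, "vuln-placeholder-5", 1005, "low"),
    ("service-detection", "10.0.0.9", 80, None, 0, None),
    ("vuln-detection", "10.0.0.12", 445, "vuln-placeholder-1", 1001, "critical"),
]

# severity is a text enum. Alphabetical order would put 'info' before 'low'
# and 'medium', so a CASE expression maps each value to its rank instead.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]
SEVERITY_RANK = "CASE severity " + " ".join(
    f"WHEN '{name}' THEN {rank}" for rank, name in enumerate(SEVERITY_ORDER)
) + " ELSE 99 END"


def load_nlog():
    """Build an in-memory nlog table (SQLite stands in for PostgreSQL/MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE nlog (action VARCHAR(255), ip VARCHAR(40), port INTEGER, "
        "vuln VARCHAR(255), vuln_id INTEGER, severity VARCHAR(255))"
    )
    conn.executemany("INSERT INTO nlog VALUES (?, ?, ?, ?, ?, ?)", NLOG_ROWS)
    return conn


def findings_by_severity(conn):
    """Number of vulnerability findings per severity, worst severity first.
    Only action = 'vuln-detection' rows are findings; scan, host-detection and
    service-detection rows describe the scan itself and are excluded."""
    return conn.execute(
        "SELECT severity, COUNT(*) AS totalnum FROM nlog "
        "WHERE action = 'vuln-detection' "
        f"GROUP BY severity ORDER BY {SEVERITY_RANK}"
    ).fetchall()


def hosts_by_worst_finding(conn):
    """One row per scanned asset: (ip, worst severity, number of findings),
    ordered so that a host with a single critical finding comes before a host
    with several lesser ones."""
    rows = conn.execute(
        f"SELECT ip, MIN({SEVERITY_RANK}) AS worst, COUNT(*) AS findings "
        "FROM nlog WHERE action = 'vuln-detection' "
        "GROUP BY ip ORDER BY worst, findings DESC"
    ).fetchall()
    return [(ip, SEVERITY_ORDER[worst], n) for ip, worst, n in rows]
```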
Examples
The following examples illustrate how to write custom datasets.
After you create the datasets, you can use them when you configure chart templates
under Report > Chart > Template.
Figure 108: Adding a dataset to a chart template (callout: Select the dataset)
Then you can add the chart template to a report when you create the new report
under Report > Config > Report.
Figure 109: Adding a chart to a report (callout: Select the chart)
Note: On the FortiGate unit, custom datasets can only be created via the CLI. On the
FortiAnalyzer unit, datasets can be created via the CLI or the GUI. As well, on the
FortiAnalyzer unit, queries support additional variables for log types ($log) and time periods
($filter) that make authoring queries easier.
Example 1: Distribution of applications by type in the last 24 hours
Figure 110: Creating a dataset
GUI procedure
1 Go to Report > Chart > Data Set.
2 Click Create New to create a new dataset and enter a name (such as
"apps_type_24hrs").
3 Under Log Type($log), select Application Control.
4 Under Time Period, select Past N Hours, and enter 24 in Past N Hours.
5 Enter the query:
SELECT app_type, COUNT( * ) AS totalnum
FROM $log
WHERE $filter
AND app_type IS NOT NULL
GROUP BY app_type
ORDER BY totalnum DESC
CLI procedure
To perform the same task using the CLI, use these commands:
config sql-report dataset
edit apps_type_24hrs
set log-type app-ctrl
set time-period last-n-hours
set period-last-n 24
set query "SELECT app_type, COUNT( * ) AS totalnum FROM $log
WHERE $filter AND app_type IS NOT NULL GROUP BY app_type
ORDER BY totalnum DESC"
end
Notes:
• $log queries all application control logs.
• $filter restricts the query result to the time period specified; in this case, it's the past 24 hours.
• The application control module classifies each firewall session in app_type. One firewall session may be classified to multiple app_types. For example, an HTTP session can be classified as HTTP, Facebook, etc.
• Some applications or app_types cannot be detected; the app_type field is then null or 'N/A'. These are ignored by this query.
• The result is ordered by the total number of sessions with the same app_type. The most frequent app_types appear first.
Example 2: Top 100 applications by bandwidth in the last 24 hours
GUI procedure
1 Go to Report > Chart > Data Set.
2 Click Create New to create a new dataset and enter a name (such as
"top_100_apps_24hrs").
3 Under Log Type($log), select Traffic.
4 Under Time Period, select Past N Hours, and enter 24 in Past N Hours.
5 Enter the query:
SELECT (
TIMESTAMP - TIMESTAMP %3600
) AS hourstamp, app, service, SUM( sent + rcvd ) AS volume
FROM $log
WHERE $filter and app IS NOT NULL
GROUP BY app
ORDER BY volume DESC
LIMIT 100
CLI procedure
To perform the same task using the CLI, use these commands:
config sql-report dataset
edit top_100_apps_24hrs
set log-type traffic
set time-period last-n-hours
set period-last-n 24
set query "SELECT ( TIMESTAMP - TIMESTAMP %3600 ) AS
hourstamp, app, service, SUM( sent + rcvd ) AS volume
FROM $log WHERE $filter and app IS NOT NULL GROUP BY app
ORDER BY volume DESC LIMIT 100"
end
Notes:
• (timestamp - timestamp % 3600) AS hourstamp - this calculates an "hourstamp" to indicate bandwidth per hour.
• SUM( sent + rcvd ) AS volume - this calculates the total sent and received bytes.
• ORDER BY volume DESC - this orders the results by descending volume (largest volume first).
• LIMIT 100 - this lists only the top 100 applications.
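An added example, not from the guide, that runs the Example 2 query shape over constructed traffic rows in SQLite, with an assumed expansion of $log and $filter (the text FortiAnalyzer itself substitutes is not documented here). It groups by hourstamp, app and service rather than by app alone: PostgreSQL rejects the page's GROUP BY app because hourstamp and service are neither grouped nor aggregated, while older MySQL accepts it and returns an arbitrary value for those columns; the plain top-applications form without hourstamp is shown alongside.

```python
import sqlite3

NOW = 1291420800  # constructed "current time" (GMT epoch, 2010-12-04 00:00 UTC)

# Constructed traffic (tlog) rows: (timestamp, app, service, sent, rcvd).
# The last row is older than 24 hours and must be dropped by $filter.
TLOG_ROWS = [
    (NOW - 600, "HTTP", "HTTP", 1000, 9000),
    (NOW - 1200, "HTTP", "HTTP", 500, 4500),
    (NOW - 4000, "Facebook", "HTTPS", 200, 3800),
    (NOW - 4100, "HTTP", "HTTP", 100, 900),
    (NOW - 8000, "SSH", "SSH", 7000, 300),
    (NOW - 90000, "HTTP", "HTTP", 99999, 99999),  # outside the 24 h window
]

# Per-hour variant of the Example 2 query: every non-aggregated column is in
# GROUP BY, which PostgreSQL requires. hourstamp is the start of the hour.
HOURLY_QUERY = """SELECT (timestamp - timestamp % 3600) AS hourstamp, app, service,
       SUM(sent + rcvd) AS volume
FROM $log WHERE $filter AND app IS NOT NULL
GROUP BY hourstamp, app, service ORDER BY volume DESC LIMIT 100"""

# Top applications over the whole window, without the hour bucket.
TOP_APPS_QUERY = """SELECT app, SUM(sent + rcvd) AS volume
FROM $log WHERE $filter AND app IS NOT NULL
GROUP BY app ORDER BY volume DESC LIMIT 100"""


def expand(query, log_table, hours):
    """Substitute $log and $filter. Assumption (not documented by the guide):
    $log becomes the table for the selected log type and $filter becomes a
    Past N Hours window on the timestamp column."""
    window = f"timestamp >= {NOW - hours * 3600}"
    return query.replace("$log", log_table).replace("$filter", window)


def load_tlog():
    """Build an in-memory tlog table (SQLite stands in for PostgreSQL/MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tlog (timestamp INTEGER, app VARCHAR(255), "
                 "service VARCHAR(255), sent INTEGER, rcvd INTEGER)")
    conn.executemany("INSERT INTO tlog VALUES (?, ?, ?, ?, ?)", TLOG_ROWS)
    return conn


def hourly_top_apps(conn):
    """(hourstamp, app, service, volume) per hour bucket, largest first."""
    return conn.execute(expand(HOURLY_QUERY, "tlog", 24)).fetchall()


def top_apps(conn):
    """(app, volume) over the whole 24 hour window, largest first."""
    return conn.execute(expand(TOP_APPS_QUERY, "tlog", 24)).fetchall()
```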
Example 3: Top 10 attacks in the past one hour
GUI procedure
1 Go to Report > Chart > Data Set.
2 Click Create New to create a new dataset and enter a name (such as
"top_attacks_1hr").
3 Under Log Type($log), select Attack.
4 Under Time Period, select Past N Hours, and enter 1 in Past N Hours.
5 Enter the query:
SELECT attack_id, COUNT( * ) AS totalnum
FROM $log
WHERE $filter and attack_id IS NOT NULL
GROUP BY attack_id
ORDER BY totalnum DESC
LIMIT 10
CLI procedure
To perform the same task using the CLI, use these commands:
config sql-report dataset
edit top_attacks_1hr
set log-type attack
set time-period last-n-hours
set period-last-n 1
set query "SELECT attack_id, COUNT( * ) AS totalnum FROM
$log WHERE $filter and attack_id IS NOT NULL GROUP BY
attack_id ORDER BY totalnum DESC LIMIT 10"
end
Notes:
• The result is ordered by the total number of attacks with the same attack_id. The most frequent attack_id appears first.
Example 4: Top WAN optimization applications in the past 24 hours
GUI procedure
1 Go to Report > Chart > Data Set.
2 Click Create New to create a new dataset and enter a dataset name (such as
"WAN_OPT_24hrs").
3 Under Log Type($log), select Traffic.
4 Under Time Period, select Past N Hours, and enter 24 in Past N Hours.
5 Enter the query:
SELECT wanopt_app_type, SUM( wan_in + wan_out ) AS bandwidth
FROM $log
WHERE $filter
AND subtype = 'wanopt-traffic'
GROUP BY wanopt_app_type
ORDER BY SUM( wan_in + wan_out ) DESC
LIMIT 5
CLI procedure
To perform the same task using the CLI, use these commands:
config sql-report dataset
edit WAN_OPT_24hrs
set log-type traffic
set time-period last-n-hours
set period-last-n 24
set query "SELECT wanopt_app_type, SUM( wan_in + wan_out )
AS bandwidth FROM $log WHERE $filter AND subtype =
'wanopt-traffic' GROUP BY wanopt_app_type ORDER BY SUM(
wan_in + wan_out ) DESC LIMIT 5"
end
Notes:
• The WAN optimizer module logs the bandwidth of each application. All bandwidth data is logged in traffic logs, and WAN optimization data has the subtype 'wanopt-traffic'.
• SUM( wan_in + wan_out ) AS bandwidth - this calculates the total in and out traffic.
Index
Symbols
_email, 16
_fqdn, 16
_index, 16
_int, 16
_ipv4, 16
_ipv4/mask, 16
_ipv4mask, 16
_ipv6, 16
_ipv6mask, 16
_name, 16
_pattern, 16
_str, 16
_url, 16
_v4mask, 16
_v6mask, 16
A
access profile, 23, 25
adding configuring defining
    log severity levels, 317
administrative access
    interface settings, 63
    restricting, 62, 63, 75
administrative domains. See ADOMs
administrator
    admin, accessing ADOMs, 30
    assigning to ADOM, 30
ADOMs, 25
    access privileges, 23
    accessing as admin administrator, 30
    admin account privileges, 23
    assigning administrators, 30
    disabling, 29
    enabling, 26
    Global, 25
    maximum number, 309
    permissions, 23
    root, 29
aggregation client, 99
alerts, 85, 94, 96
    testing, 89
alias, 102
B
backing up log files, 264
backing up the configuration
    using the CLI, 264
    using web-based manager, 264
backup & restore, 112
blocking device connection attempts, 132
Boolean operator, 255
browse
    network analyzer, 250
    sniffer, 250
browser, 21
C
charts, 171
CIDR, 16
classifying FortiGate network interfaces, 135
clock, 36, 37
column view
    network analyzer logs, 253
command line interface (CLI), 14, 15, 33, 51, 75
    Console widget, 51
    prompt, 37
command prompt, 37
connection attempt handling, 131
contract, 38
conventions, 14
count, 150
CPU usage, 39, 40
D
dashboard, 33, 205
data filter template, 176
data set, 199
DC (duplicate count), 151
default
    password, 14
delete after upload
    network analyzer log, 260
device
    adding or deleting, 129
    groups, 134
    list, 121
    maximum number, 124
    registration and reports, 150
    unregistered vs. registered, 124
disk space
    allocated to Network Analyzer, 260
DLP archive, 147
    backing up, 156
DNS server, 67
documentation
    conventions, 14
dotted decimal, 16
down, 62
download
    logs, 154, 258
    network analyzer logs, 251
    search results, 258
E
eDiscovery, 158
expected input, 15
F
Federal Information Processing Standards (FIPS), 11
file
    extension, 44, 252, 258
filter
    criteria, 255
    icon, 252, 254, 256
    logs, 142
    network analyzer, 254
    tip, 255
    tips, 143
firmware
    install, 36
    version, 33, 36
formatted view
    network analyzer logs, 253
Fortinet
    Knowledge Base, 13
    Technical Documentation, 13
    comments, 13
    conventions, 14
    Technical Support, 12
    Training Services, 13
Fortinet Discovery Protocol (FDP), 62, 63, 64
FTP, 260
fully qualified domain name (FQDN), 16
G
graphical user interface (GUI), 21
gzip, 44, 252, 258, 260
H
HA cluster, 126, 129
hard disk, 47
historical viewer
    network analyzer, 249
host name, 33, 37
hot swap, 47
HTTP, 63
HTTPS, 62, 63
I
ICMP, 63
importing log files, 153
index number, 16
indexed log fields, 256
input constraints, 15
installation, 13
IP alias, 102
    resolve host names, 149
IPsec VPN tunnel, 126
J
JavaScript, 51
L
language, 22, 182
license information, widget, 38
lightweight directory access protocol (LDAP), 109, 112
local console access, 51
log forwarding, 101
logs, 36
    backing up, 156
    content. See DLP archive
    CSV format, 258
    download, 258
    gzip, 44, 252, 258
    indexed fields, 256
    raw view, 254, 256
    search, 256
    search tips, 146
    unindexed fields, 254, 256
M
mail server, 89
maximum transmission unit (MTU), 64
Maximum Values Matrix, 309
media access control (MAC) address, 63
memory usage, 39
Microsoft
    Internet Explorer, 21
migrating data, 116
Mozilla Firefox, 21
N
network
    sniffer, 250
network analyzer
    browse, 250
    column view, 248
    delete after download, 260
    download logs, 251
    enable, 259
    filter, 254
    gzip, 260
    historical viewer, 249
    real-time viewer, 247
    resolve host names, 248, 250
    roll settings, 258
    upload to, 260
network analyzer logs
    column view, 253
    formatted view, 253
network file share (NFS), 11
network interface
    administrative access, 63
    status, 62
network interfaces, classifying (FortiGate), 135
network maps, 215
network share, 11, 68
Network Time Protocol (NTP), 36
new disk
    adding for 2000B and 4000B, 48
P
password, 77
    administrator, 14
    log upload, 260
patch releases, 263
pattern, 16
Payment Card Industry Data Security Standard (PCI DSS), 243
performance, 33
permissions
    access profile, 78
    ADOMs, 23
ping, 63
port
    destination, 248
    number, 22
    scan, 11
    source, 248
prompt, 51
protocol
    FTP, 260
    SCP, 260
    SFTP, 260
Q
quarantine, 149
    count, 150
    duplicate count, 151
    ticket number, 151
query, 109, 112
    DNS, 67
R
raid monitor, widget, 45
random access memory (RAM), 41
real-time viewer
    network analyzer, 247
regular expression, 16
remote authentication dial in user service (RADIUS), 80
report
    browsing, 208
    chart template, 195
    charts, 171
    data filter, 176
    FortiClient example, 189
    FortiGate example, 186, 206
    FortiMail example, 192
    language, 182
    layout, 166, 171, 179, 182
    output template, 89
    profiles, 171
    schedule, 179
    uploading graphics for, 201
report engine, widget, 45
resolution, 21
resolve host names, 149
    network analyzer, 248, 250
roll settings
    network analyzer, 258
root (Management Administrative Domain), 29
root ADOM, 25, 29
S
scheduling, 36
SCP, 260
search
    DLP archive, 147
    download results, 258
    Network Analyzer logs, 245, 256
    tips, 146, 257
    user data, 147
secure connection, 150
Secure Shell (SSH), 51, 62, 63
serial number, 36
severity levels (logs), 317
SFTP, 260
share, 11
simple network management protocol (SNMP)
    system name, 37
sniffer, 245, 250
    See also network analyzer
SNMP
    community, 94
    event, 96
    manager, 95
    queries, 96
spam, 192
span port, 245
special characters, 38
SSL, 36
statistics widget, 42
string, 16
subnet, 257
supported RFCs
    1213, 93
    1918, 14
    2665, 93, 283
sync interval, 37
syntax, 15
Syslog server, 96
system information, widget, 36
system operation, widget, 39
system resource usage, 33
system resources, widget, 39
system time, 33
T
Telnet, 51, 63
throughput, 33
ticket number, 151
time, 36
U
unindexed log fields, 254, 256
unknown, 131
unregistered, 124, 150
up, 62
upgrading, 267
uptime, 33
US-ASCII, 38
V
value parse error, 16
virus
    See quarantine
vulnerability management, 211
    asset groups, 214
    assets, 212
    database, 211, 238
    host status, 235
    network map, 215
    scan profiles, 227
    scheduling scans, 229
    sensors, 221
    signatures, 211, 238
    summary, 235
W
web browser, 21
web filtering, 146
web services, 64
widget, 33
    intrusion activity, 60
    license information, 38
    log receive monitor, 48
    logs/data received, 41
    raid monitor, 45
    report engine, 45
    statistics, 42
    system information, 36
    system operation, 39
    system resources, 39
    top email traffic, 55
    top ftp traffic, 56
    top im/p2p traffic, 57
    top traffic, 52
    top web traffic, 54
    virus activity, 59
wild cards, 16
WSDL file
    obtaining, 66