Fortinet FortiAnalyzer 3.0 MR7 User Manual

ADMINISTRATION GUIDE
FortiAnalyzer Version 3.0 MR7
www.fortinet.com
FortiAnalyzer Administration Guide
Version 3.0 MR7 08 September 2008 05-30007-0082-20080908
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard­Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Regulatory compliance
FCC Class A Part 15 CSA/CUS
CAUTION: Risk of Explosion if Battery is replaced by an Incorrect Type. Dispose of Used Batteries According to the Instructions.

Contents
Introduction ........................................................................................ 9
About this document......................................................................................... 9
Fortinet documentation................................................................................... 10
Fortinet Tools and Documentation CD ........................................................ 10
Fortinet Knowledge Center ......................................................................... 11
Comments on Fortinet technical documentation......................................... 11
Customer service and technical support ...................................................... 11
What’s new for 3.0 MR7................................................................... 13
3.0 MR7 new features and changes ............................................................... 15
Power supply monitoring for FortiAnalyzer-2000A and 4000A ................... 15
Registered devices’ hard limits ................................................................... 15
CLI displays the tasks in the upload queue................................................. 15
Dashboard enhancements .......................................................................... 15
Custom fields for log messages .................................................................. 16
Reports........................................................................................................ 16
Report configuration enhancements..................................................... 16
VoIP reports.......................................................................................... 17
Alert email configuration changes ............................................................... 17
Administrative Domains (ADOMs).................................................. 19
About administrative domains (ADOMs)....................................................... 19
Configuring ADOMs ........................................................................................ 22
Accessing ADOMs as the admin administrator............................................ 23
Assigning administrators to an ADOM.......................................................... 24
System .............................................................................................. 25
Dashboard........................................................................................................ 25
Tabs ............................................................................................................ 27
RAID Monitor............................................................................................... 28
System Information ..................................................................................... 29
Setting the time..................................................................................... 29
Changing the host name....................................................................... 30
Changing the firmware.......................................................................... 30
License Information..................................................................................... 30
System Resources ...................................................................................... 31
Viewing operational history................................................................... 32
System Operation ....................................................................................... 33
Formatting the log disks........................................................................ 33
Resetting to the default configuration ................................................... 33
Alert Message Console ............................................................................... 34
Viewing alert console messages .......................................................... 34
Statistics...................................................................................................... 35
FortiAnalyzer Version 3.0 MR7 Administration Guide 05-30007-0082-20080908 3
Viewing session information ................................................................. 35
Filtering session information................................................................. 36
Report Engine ............................................................................................. 36
Log Receive Monitor ................................................................................... 37
Intrusion Activity.......................................................................................... 38
Virus Activity ............................................................................................... 39
Top FTP Traffic ........................................................................................... 40
Top Email Traffic......................................................................................... 41
Top IM/P2P Traffic ...................................................................................... 42
Top Traffic................................................................................................... 43
Top Web Traffic .......................................................................................... 44
Network ............................................................................................................ 45
Interface ...................................................................................................... 45
Changing interface settings .................................................................. 45
About Fortinet Discovery Protocol ........................................................ 47
DNS ............................................................................................................ 47
Routing........................................................................................................ 47
Adding a route ...................................................................................... 48
Admin ............................................................................................................... 48
Adding or editing an administrator account................................................. 49
Changing an administrator’s password ................................................ 50
Access Profile ............................................................................................. 50
Auth Group.................................................................................................. 51
RADIUS Server........................................................................................... 51
Administrator Settings................................................................................. 52
Monitor ........................................................................................................ 52
Network Sharing.............................................................................................. 53
Adding share users ..................................................................................... 53
Adding share groups................................................................................... 54
Configuring Windows shares ...................................................................... 54
Assigning user permissions.................................................................. 55
Configuring NFS shares.............................................................................. 55
Default file permissions on NFS shares ............................................... 56
Config ............................................................................................................... 56
Automatic file deletion and local log settings .............................................. 57
Configuring log aggregation........................................................................ 58
Configuring an aggregation client......................................................... 59
Configuring an aggregation server ....................................................... 59
Configuring log forwarding .......................................................................... 60
Configuring IP aliases ................................................................................. 60
Importing an IP alias list file.................................................................. 61
IP alias ranges...................................................................................... 62
Configuring RAID ........................................................................................ 62
RAID levels........................................................................................... 62
Hot swapping hard disks ...................................................................... 64
Hot swapping the FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A................................................................... 66
Configuring RAID on the FortiAnalyzer-400 and FortiAnalyzer-800/800B... 67
Configuring RAID on the FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A ................................................................... 67
Configuring LDAP connections ................................................................... 68
Maintenance..................................................................................................... 69
Backup & Restore ....................................................................................... 69
FortiGuard Center ....................................................................................... 70
Device................................................................................................ 73
Viewing the device list .................................................................................... 73
Maximum number of devices ...................................................................... 76
Unregistered vs. registered devices............................................................ 77
Configuring unregistered device connection attempt handling ................. 79
Manually adding a device ............................................................................... 80
Classifying FortiGate network interfaces..................................................... 84
Manually adding a FortiGate unit using the Fortinet Discovery Protocol (FDP) 85
Blocking device connection attempts ........................................................... 86
Configuring device groups............................................................................. 88
Log..................................................................................................... 91
Viewing log messages .................................................................................... 91
Viewing current log messages .................................................................... 91
Viewing historical log messages ................................................................. 92
Browsing log files............................................................................................ 93
Viewing log file contents.............................................................................. 94
Importing a log file....................................................................................... 95
Downloading a log file ................................................................................. 96
Customizing the log view................................................................................ 97
Displaying and arranging log columns ........................................................ 97
Filtering logs................................................................................................ 98
Filtering tips .......................................................................................... 99
Searching the logs......................................................................................... 100
Search tips ................................................................................................ 102
Printing the search results......................................................................... 103
Downloading the search results ................................................................ 103
Rolling and uploading logs........................................................................... 104
Content Archive ............................................................................. 107
Viewing content archives.............................................................................. 107
Customizing the content archive view ........................................................ 108
Displaying and arranging log columns ...................................................... 109
Filtering logs.............................................................................................. 110
Filtering tips ........................................................................................ 110
Searching full email content archives......................................................... 111
Reports ........................................................................................... 113
Configuring reports....................................................................................... 113
Configuring report layout........................................................................... 114
Editing charts in a report layout ................................................................ 116
Configuring report schedules .................................................................... 118
Configuring data filter templates ............................................................... 121
Configuring report output templates.......................................................... 123
Configuring language................................................................................ 126
Browsing reports........................................................................................... 130
Quarantine...................................................................................... 131
Viewing quarantined files ............................................................................. 131
Alert................................................................................................. 133
Alert Events.................................................................................................... 133
Adding an alert event ................................................................................ 133
Output............................................................................................................. 135
Configuring alerts by email server ............................................................ 135
Testing the mail server configuration.................................................. 136
Configuring SNMP traps and alerts .......................................................... 136
Adding an SNMP server ..................................................................... 137
FortiAnalyzer SNMP support.............................................................. 138
Configuring alerts by Syslog server .......................................................... 140
Adding a Syslog server....................................................................... 140
Network Analyzer........................................................................... 141
Connecting the FortiAnalyzer unit to analyze network traffic................... 141
Viewing Network Analyzer log messages ................................................... 142
Viewing current Network Analyzer log messages..................................... 143
Viewing historical Network Analyzer log messages.................................. 143
Browsing Network Analyzer log files .......................................................... 144
Viewing Network Analyzer log file contents .............................................. 145
Downloading a Network Analyzer log file.................................................. 147
Customizing the Network Analyzer log view .............................................. 148
Displaying and arranging log columns ...................................................... 148
Filtering logs.............................................................................................. 149
Filtering tips ........................................................................................ 150
Searching the Network Analyzer logs ......................................................... 150
Search tips ................................................................................................ 152
Printing the search results......................................................................... 153
Downloading the search results ................................................................ 153
Rolling and uploading Network Analyzer logs ........................................... 153
Tools................................................................................................ 157
Preparing for the vulnerability scan job ...................................................... 157
Preparing Windows target hosts ............................................................... 158
Preparing Unix target hosts....................................................................... 160
Viewing vulnerability scan modules............................................................ 161
Configuring vulnerability scan jobs............................................................. 162
Viewing vulnerability scan reports .............................................................. 166
File Explorer................................................................................................... 167
Managing firmware versions......................................................... 169
Backing up your configuration..................................................................... 169
Backing up your configuration using the web-based manager ................. 170
Backing up your configuration using the CLI............................................. 170
Backing up your log files ........................................................................... 170
Testing firmware before upgrading ............................................................. 172
Upgrading your FortiAnalyzer unit .............................................................. 174
Upgrading to FortiAnalyzer 3.0 ................................................................. 174
Upgrading using the web-based manager.......................................... 174
Upgrading using the CLI ..................................................................... 175
Verifying the upgrade ................................................................................ 176
Reverting to a previous firmware version................................................... 177
Downgrading to FortiLog 1.6..................................................................... 177
Verifying the downgrade ........................................................................... 178
Downgrading to FortiLog 1.6 using the CLI............................................... 178
Restoring your configuration ....................................................................... 180
Restoring configuration settings on a FortiAnalyzer unit........................... 180
Restoring your configuration settings using the web-based manager ...... 182
Restoring your configuration settings using the CLI.................................. 182
Appendix: FortiAnalyzer reports in 3.0 MR7 ............................... 185
FortiGate reports ........................................................................................... 185
Intrusion Activity........................................................................................ 186
Antivirus Activity........................................................................................ 186
Webfilter Activity ....................................................................................... 189
Antispam Activity....................................................................................... 190
IM Activity.................................................................................................. 191
VoIP reports .............................................................................................. 192
Content Activity ......................................................................................... 193
Network Activity ........................................................................................ 194
Web Activity .............................................................................................. 195
Mail Activity ............................................................................................... 196
FTP Activity............................................................................................... 196
Terminal Activity........................................................................................ 197
VPN Activity .............................................................................................. 197
Event Activity ............................................................................................ 198
P2P Activity............................................................................................... 199
Audit Activity ............................................................................................. 200
Summary Reports.......................................................................................... 201
Forensic Reports........................................................................................... 202
Audit.......................................................................................................... 202
Detailed..................................................................................................... 202
Summary................................................................................................... 203
FortiMail Reports........................................................................................... 203
Mail High Level ......................................................................................... 203
Mail Sender............................................................................................... 205
Mail Recipient Activity ............................................................................... 206
Mail Destination IP .................................................................................... 206
Spam Sender ............................................................................................ 207
Spam Recipient......................................................................................... 208
Spam Destination IP ................................................................................. 209
Virus Sender ............................................................................................. 209
Virus Recipient.......................................................................................... 211
Virus Destination IP .................................................................................. 212
FortiClient Reports........................................................................................ 212
Index................................................................................................ 213

Introduction

FortiAnalyzer units are network appliances that provide integrated log collection and reporting tools. Reports analyze logs for email, FTP, web browsing, security events, and other network activity to help identify security issues and reduce network misuse and abuse.
In addition to logging and reporting, FortiAnalyzer units also have several major features that augment or enable certain FortiGate unit functionalities, such as content archiving and quarantining, and improve your ability to stay informed about the state of your network.
This chapter contains the following topics:
About this document
Fortinet documentation
Customer service and technical support

About this document

This document describes how to configure and use FortiAnalyzer units through their web-based manager.
Note: The recommended minimum screen resolution for the management computer connecting to the web-based manager is 1280 by 1024 pixels.
This document contains the following chapters:
What’s new for 3.0 MR7 describes what the new maintenance release contains.
Administrative Domains (ADOMs) describes how to enable and configure domain-based access to data and configurations for connected devices and the FortiAnalyzer unit itself.
System describes how to configure FortiAnalyzer system settings, such as network interfaces, system time, administrators, network shares (NAS), and local logging.
Device describes how to configure and manage connections to the FortiAnalyzer unit from FortiGate, FortiMail, FortiClient, FortiManager, and Syslog device types.
Log describes how to view logs from devices or the FortiAnalyzer unit itself. It also describes how to customize the log view.
Content Archive describes how to view the logs and files that FortiGate units have archived, as full or summary content archives, using the FortiGate content archiving feature.
Quarantine describes how to view files quarantined by FortiGate units, and to configure the quarantine disk space quota.
Reports describes how to configure report profiles for one-time or scheduled reports on your network devices, users, or groups.
Alert describes how to define log message criteria that signify critical network events. As log messages arrive, if they meet those criteria, FortiAnalyzer units send alert messages using a method of your choice: email, SNMP, or Syslog. This chapter also lists the SNMP traps that the FortiAnalyzer unit supports.
Network Analyzer describes how to connect the FortiAnalyzer unit to a span or mirror port on a network switch to analyze, or sniff, the network traffic that the switch mirrors to the FortiAnalyzer unit.
Tools describes how to configure vulnerability scans and view the resulting reports, and how to browse all files on the FortiAnalyzer unit.
Managing firmware versions describes how to properly back up your current configuration, upgrade/downgrade firmware, and restore your configuration. This chapter also describes how to test a firmware image before installing the image on the FortiAnalyzer unit.
Appendix: FortiAnalyzer reports in 3.0 MR7 describes the FortiAnalyzer reports that changed or were moved to other categories or both. This appendix also includes what reports were removed and what were unchanged in FortiAnalyzer 3.0 MR7.
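The Alert chapter above describes the mechanism in one sentence: an administrator defines criteria, every arriving log message is tested against them, and each match produces an alert that is dispatched by email, SNMP or Syslog. The following Python is an added illustration of that matching step, written for this page; it is not FortiAnalyzer code and does not reproduce the unit's actual alert-event implementation. The log lines are constructed in the key=value style that FortiGate units send, the event names and field values are invented for the example, and dispatch (the email, SNMP or Syslog send) is left out so the block runs offline.

```python
"""Added example: match key=value log records against alert criteria.

Not FortiAnalyzer code. The SAMPLE_LOGS below are constructed for this
illustration; field names follow the FortiGate key=value log style.
"""
import shlex
from dataclasses import dataclass, field

# Syslog-style priority names, most severe first. FortiGate units carry the
# priority in the "pri" field; rank 0 is the most severe.
PRI_ORDER = ["emergency", "alert", "critical", "error",
             "warning", "notice", "information", "debug"]
PRI_RANK = {name: rank for rank, name in enumerate(PRI_ORDER)}

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOGS = [
    'date=2008-09-08 time=10:01:02 devname=FG-1 type=traffic subtype=allowed '
    'pri=notice src=10.0.0.5 dst=203.0.113.9 service=http',
    'date=2008-09-08 time=10:01:05 devname=FG-1 type=ips subtype=signature '
    'pri=alert severity=high src=198.51.100.7 dst=10.0.0.8 '
    'msg="example signature match"',
    'date=2008-09-08 time=10:01:09 devname=FG-1 type=event subtype=admin '
    'pri=warning user=admin msg="login failed from 192.0.2.44"',
    'date=2008-09-08 time=10:01:11 devname=FG-1 type=event subtype=system '
    'pri=critical msg="disk usage exceeded threshold"',
]


def parse_log(line):
    """Split one key=value log line into a dict.

    shlex handles quoted values such as msg="login failed ...", so the
    whole quoted string ends up as a single value.
    """
    record = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
    return record


@dataclass
class AlertEvent:
    """One administrator-defined alert criterion (hypothetical structure)."""
    name: str
    min_pri: str = "critical"                     # fire at this severity or worse
    match: dict = field(default_factory=dict)     # field -> set of accepted values

    def matches(self, record):
        pri = record.get("pri")
        if pri not in PRI_RANK or PRI_RANK[pri] > PRI_RANK[self.min_pri]:
            return False                          # not severe enough
        return all(record.get(k) in vals for k, vals in self.match.items())


def format_alert(event, record):
    """Build the text that would be handed to the email/SNMP/Syslog sender."""
    return (f"ALERT {event.name}: device={record.get('devname', '?')} "
            f"type={record.get('type', '?')} pri={record.get('pri', '?')} "
            f"msg={record.get('msg', '-')}")


def evaluate(lines, events):
    """Return (event name, alert text) for every log line that meets a criterion."""
    alerts = []
    for line in lines:
        record = parse_log(line)
        for event in events:
            if event.matches(record):
                alerts.append((event.name, format_alert(event, record)))
    return alerts


# Example criteria; names and thresholds are invented for this illustration.
EVENTS = [
    AlertEvent("ips-high", min_pri="alert", match={"type": {"ips"}}),
    AlertEvent("system-critical", min_pri="critical", match={"type": {"event"}}),
    AlertEvent("admin-auth", min_pri="warning",
               match={"type": {"event"}, "subtype": {"admin"}}),
]

if __name__ == "__main__":
    for _name, text in evaluate(SAMPLE_LOGS, EVENTS):
        print(text)
```

The severity check runs before the field comparison on purpose: a criterion that only names a log type would otherwise fire on every informational record of that type, which is the usual way an alert feed becomes noise. Ordering criteria from most to least specific, as above, also makes it easy to see which rule produced a given alert.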

Fortinet documentation

The most up-to-date publications and previous releases of Fortinet product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com.
The following FortiAnalyzer product documentation is available:
FortiAnalyzer Administration Guide
Describes how to use the web-based manager of the FortiAnalyzer unit to configure all available features.
FortiAnalyzer CLI Reference
Describes the CLI structure and the available commands, and how to use the command line interface of the FortiAnalyzer unit to configure all available features.
FortiAnalyzer online help
Provides a searchable version of the Administration Guide in HTML format. You can access context-appropriate online help using the online help button in the web-based manager as you work.
FortiAnalyzer QuickStart Guides
Describe how to install and set up the FortiAnalyzer unit.
FortiAnalyzer Install Guide
Describes in detail how to install and set up the FortiAnalyzer unit, how to connect to the CLI and web-based manager, default settings, and how to manage firmware.

Fortinet Tools and Documentation CD

All Fortinet documentation is available from the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation, see the Fortinet Technical Documentation web site at http://docs.forticare.com.

Fortinet Knowledge Center

The knowledge center contains short how-to articles, FAQs, technical notes, product and feature guides, and much more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.
Visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.

What’s new for 3.0 MR7
This section lists and describes the new features and changes in FortiAnalyzer 3.0 MR7. The chapter, “Managing firmware versions” on page 169, provides detailed information about how to properly upgrade to FortiAnalyzer 3.0 MR7.
New CLI commands, as well as changes to existing CLI commands, are found in the What’s new chapter of the FortiAnalyzer CLI Reference.
The following bulleted list includes links to other sections in this document where you can find additional information about these new features and changes.
New features and changes for FortiAnalyzer 3.0 MR7 are:
• High-end FortiAnalyzer units support additional terabytes (TB) of space – The higher-end FortiAnalyzer units, such as the FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A, now support up to 8 TB for log disk file systems. There is no additional information available.
• Power supply monitoring feature – A new feature, power supply monitoring, provides a notification when a power supply failure occurs or an administrator adds a power supply to the FortiAnalyzer unit. See “Power supply monitoring for FortiAnalyzer-2000A and 4000A” on page 15 for more information.
• Registered devices’ limits changed – Registered device limits have increased. See “Maximum number of devices” on page 76 for more information.
• Web-based manager change – The Action column is now an unnamed column across all menus and tabs within the web-based manager. There is no additional information on this change.
• CLI displays tasks in the upload queue – The command diagnose upload status displays which files are waiting to be uploaded. See “CLI displays the tasks in the upload queue” on page 15 for more information.
• Dashboard enhancements – Several new widgets have been added to the Dashboard in FortiAnalyzer, including a widget for configuring and displaying RAID status. See “Dashboard” on page 25 for more information.
• Administrator name enhancement – Administrator names can now contain the @ symbol. For additional information, see “Admin” on page 48 in the System chapter.
• HTTPS certificates – Administrators can now change and customize (text only) HTTPS certificates. This is only available in the CLI. See the FortiAnalyzer CLI Reference for additional information.
• Security engine removed – The security engine feature has been removed in FortiAnalyzer 3.0 MR7. There is no additional information available.
• Software RAID changes – Software RAID 5 overloads the system on units that use software RAID. If redundancy is required, Fortinet now recommends RAID 10. RAID 5 no longer appears in the web-based manager unless it has been selected from the CLI. For additional information, see “Configuring RAID” on page 62 in the System chapter.
• Network Summary menu removed – The Network Summary menu was removed in FortiAnalyzer 3.0 MR7 because most of the information it displayed now appears as widgets on the Dashboard. See “Dashboard” on page 25 for more information about the widgets that replace the Network Summary menu.
• Log Viewer menu enhancements – When viewing real-time or historical logs, the options Resolve Host and Resolve Service are no longer available. You can now view up to 1000 log messages from the Real-time tab and up to 1000 log messages from the Historical tab. See “Viewing log messages” on page 91 for more information.
• Custom fields for log messages – You can now enable, from the CLI, custom fields for log messages received from FortiGate units. See “Custom fields for log messages” on page 16 for more information.
• Report configuration enhancements – Reports contain several enhancements in FortiAnalyzer 3.0 MR7, including the addition of VoIP reports. See both “Report configuration enhancements” on page 16 and “Reports” on page 113 for more information.
• Logs for HA members – Logs viewed on the FortiGate unit now contain device ID fields for HA members. See the FortiGate Administration Guide and the FortiGate Log Message Reference for additional information.
• Log search results enhancement – You can now view log search results in both Format and Raw formats. See “Searching the logs” on page 100 for more information.
• Alert email configuration changes – When configuring an alert email, you are now required to enter information in the alert name, destination, and device fields, and a drop-down list is provided for selecting a destination. See “Alert” on page 133 for more information.
• Alert emails – Alert emails now contain the FortiAnalyzer serial number in the Source Device field in the body of the email. The serial number replaces the IP address of port 1 of the FortiAnalyzer unit, which was previously used to identify the FortiAnalyzer unit that sent the alert email. See “Alert” on page 133 for additional information about configuring alert emails.
• SNMP enhancements – When configuring SNMP communities in Alert > Output > SNMP Access List, you can now specify that traps are generated for certain local system events that meet certain criteria. See “Configuring SNMP traps and alerts” on page 136 for more information.
• File directory menu – You can now access all files on the FortiAnalyzer unit in Tools > File Directory. See “File Explorer” on page 167 for more information.

3.0 MR7 new features and changes

The following descriptions include only menus containing new features, changes to features, or both. Additional information is provided within this document.

Power supply monitoring for FortiAnalyzer-2000A and 4000A

In FortiAnalyzer 3.0 MR7, the new power supply monitoring feature provides a notification when a power supply fails or an administrator adds a power supply to the system. The notification is sent by the hardware monitoring daemon in the following forms:
• Log – a log message is recorded at the system level
• Email – a critical event email message is sent
• SNMP trap – a power supply event trap is sent
Both the web-based manager and CLI include settings for this new feature.

Registered devices’ hard limits

In previous FortiAnalyzer 3.0 releases, the license limit on registered devices was reduced, so that registered devices above the limit did not carry forward on upgrade. The limit has now been restored to the maximum limit of FortiAnalyzer 3.0 MR4, which prevents any loss of registered devices during upgrade. You can view the limits for registered devices in “Maximum number of devices” on page 76 in the Device chapter.

CLI displays the tasks in the upload queue

A new diagnose command, diagnose upload status, has been added in FortiAnalyzer 3.0 MR7 to display the files in the upload queue. In FortiAnalyzer 3.0 MR6, a queue maintained the upload tasks but there was no way to verify what was and what was not in the queue.

Dashboard enhancements

The Dashboard contains nine new widgets in FortiAnalyzer 3.0 MR7. Administrators can also add up to five tabs to the Dashboard.
Tabs allow administrators to customize which widgets are displayed; for example, if administrators only need to view traffic widgets, a tab can be configured that displays only the traffic widgets.
The following new widgets are available for display on the Dashboard:
• Log Receive Monitor
• RAID Monitor (if RAID is available on the FortiAnalyzer unit)
• Top Traffic
• Top Web Traffic
• Top Email Traffic
• Top FTP Traffic
• Top IM/P2P Traffic
• Virus Activity
• Intrusion Activity
For the Log Receive Monitor widget, a diagnose command will be introduced to provide information in the CLI about the total message rate, the message rate per protocol, and the message rate per device.
See “System” on page 25 for information about the new widgets for FortiAnalyzer 3.0 MR7.

Custom fields for log messages

In FortiAnalyzer 3.0 MR7, you can enable custom fields for log messages so that when the FortiAnalyzer unit receives log messages containing them, it indexes them properly for reports and log searches.
This feature is enabled only in the CLI, using the following command syntax:
    config log settings
        set custom-field<1-5>
Logs received before the feature was enabled must be re-indexed for it to take effect on them. Re-indexing is also available only in the CLI, using the diagnose log-indexer command, which can index per device and log type, or all devices.

Reports

Reports have been enhanced and modified for FortiAnalyzer 3.0 MR7, and VoIP report charts have been added. These changes are also reflected in the CLI. See the FortiAnalyzer CLI Reference for additional information about the associated commands.
Report configuration enhancements
Report configuration has changed dramatically from FortiAnalyzer 3.0 MR6 to FortiAnalyzer 3.0 MR7. These changes are also reflected in the FortiGate unit’s web-based manager and CLI. The changes do not affect reports configured in FortiAnalyzer 3.0 MR6 and earlier; however, you may want to reconfigure certain settings to simplify those previously configured reports.
Previously configured reports are separated based on what they include. For example, if DeviceSummary1_layout contains filters and output settings, the filters are placed in the Data Filter tab and given a name, and the output settings are placed in the Output tab and also given a name.
Figure 1: The previous FortiAnalyzer 3.0 MR6 reports, outlined in red, carried forward to FortiAnalyzer 3.0 MR7 and displayed in Layout with default report layouts
Fortinet recommends configuring a test report layout and report schedule to familiarize yourself with how reports are configured in FortiAnalyzer 3.0 MR7. See “Reports” on page 113 for how to configure reports in FortiAnalyzer 3.0 MR7.
In Report > Config, new tabs were added: Layout, Data Filter, Output, and Language. These tabs allow you to configure multiple data filters, output destinations, report layouts (previously referred to as report profiles), and languages. The new menu, Schedule, provides settings and options for configuring a scheduled report.
Previously, you could configure specific report types such as Device Summary, Forensic, and User/Client report profiles. These report types were combined with other report types and removed from their respective tabs, which now provide greater flexibility for configuring report layouts. Forensic report options are now available when you select [Add Chart(s)] from the Chart List section of Report Layout.
Configure report schedules after configuring the report layout, because you need to apply the report layout to the report schedule. Report schedules can also be configured from the FortiGate unit’s web-based manager.
After configuring a report, you can generate it immediately by selecting Run Now and view it in Report > Browse. You can also generate scheduled reports this way in Report > Schedule.
When viewing generated reports in Report > Browse, the naming scheme has changed to the following:
• On-Demand-<name of report>-<yyyy-mm-dd>-<time initiated by admin_hhmm> – for reports that are generated immediately, for example: On-Demand-Report_Headquarters-2008-06-03-0830
• <name of scheduled report>-<yyyy-mm-dd>-<time_scheduled> – for all other reports, for example: Report_Headquarters-2008-05-26-1030
Generated reports in Report > Browse also contain only one rolled report when you expand a report. The naming of rolled reports has changed as well: each is named after the section title configured in Layout. For example, if you had two section titles, Top Web Attacks and Top Viruses, the rolled reports would be named Top Web Attacks and Top Viruses. The default name for a rolled report is FortiAnalyzer Report. If generated reports carry forward from FortiAnalyzer 3.0 MR6, their rolled reports might be renamed to the default name, FortiAnalyzer Report.
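A parser for the generated-report naming scheme above, as an added Python example (it is not part of this guide or of the FortiAnalyzer software). It separates on-demand runs from scheduled ones, rejects names that do not carry a valid date and time, and reports the newest run per schedule, which is a quick way to spot a schedule that has stopped producing reports. It assumes report names may contain hyphens and underscores; the sample Report > Browse listing is constructed.

```python
import re
from datetime import datetime
from typing import Dict, Iterable, NamedTuple, Optional


class GeneratedReport(NamedTuple):
    name: str            # report or schedule name as configured in Report > Schedule
    on_demand: bool      # True for reports generated with Run Now
    generated_at: datetime


# The date/time suffix is anchored at the end of the string, so report names that
# themselves contain hyphens (assumed to be permitted) still parse correctly.
_NAME_RE = re.compile(
    r"^(?P<od>On-Demand-)?(?P<name>.+?)-(?P<date>\d{4}-\d{2}-\d{2})-(?P<hhmm>\d{4})$"
)


def parse_report_name(filename: str) -> Optional[GeneratedReport]:
    """Return the parsed report name, or None if it does not follow the scheme."""
    m = _NAME_RE.match(filename)
    if m is None:
        return None
    try:
        stamp = datetime.strptime(f"{m['date']} {m['hhmm']}", "%Y-%m-%d %H%M")
    except ValueError:          # e.g. month 13 or hour 25: looks like the scheme but is not a timestamp
        return None
    return GeneratedReport(m["name"], m["od"] is not None, stamp)


def latest_scheduled_run(filenames: Iterable[str]) -> Dict[str, datetime]:
    """Newest generation time per scheduled report, ignoring on-demand runs.

    Compare the result against each schedule's interval to find schedules
    that have silently stopped producing reports.
    """
    newest: Dict[str, datetime] = {}
    for fn in filenames:
        rep = parse_report_name(fn)
        if rep is None or rep.on_demand:
            continue
        if rep.name not in newest or rep.generated_at > newest[rep.name]:
            newest[rep.name] = rep.generated_at
    return newest


# Constructed sample listing of Report > Browse (not taken from a real unit).
SAMPLE_BROWSE = [
    "On-Demand-Report_Headquarters-2008-06-03-0830",
    "Report_Headquarters-2008-05-26-1030",
    "Report_Headquarters-2008-06-02-1030",
    "Branch-Office-Weekly-2008-05-26-0200",
    "FortiAnalyzer Report",               # a rolled-report name, not a generated report
]

if __name__ == "__main__":
    for fn in SAMPLE_BROWSE:
        print(fn, "->", parse_report_name(fn))
    print(latest_scheduled_run(SAMPLE_BROWSE))
```

Because the regex is anchored on the trailing date and time, a name such as Branch-Office-Weekly is recovered whole rather than being cut at its first hyphen.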
VoIP reports
VoIP activities and events are now available in reports. Three log files contain VoIP activity and event information: tlog.log, plog.log and clog.log. These logs are used for the following information:
• tlog.log – number of bytes passed per session
• plog.log – blocked VoIP activity
• clog.log – user registration information and call duration information
The individual reports that you can select when configuring a report are listed in the Fortinet Knowledge Center article FortiAnalyzer Reports in 3.0 MR7, on the Fortinet Knowledge Center web site.

Alert email configuration changes

When configuring an alert email in Alert > Alert Event, you are now required to enter information in the following fields:
• alert name
• destination (or destinations)
• device
Another configuration change is a drop-down list providing the destinations: syslog servers, mail servers and SNMP access lists. Syslog servers and SNMP access lists appear in the list only when they have been configured in Alert > Output.
Figure 2: The Destination drop-down list, circled, provides three destinations

Administrative Domains (ADOMs)

Administrative Domains (ADOMs) enable the admin administrator to constrain other FortiAnalyzer unit administrators’ access privileges to a subset of devices in the device list. For FortiGate devices with virtual domains (VDOMs), ADOMs can further restrict access to only data from a specific FortiGate VDOM.
This section includes the following topics:
About administrative domains (ADOMs)
Configuring ADOMs

About administrative domains (ADOMs)

Enabling ADOMs alters the structure and available functionality of the web-based manager and CLI according to whether you log in as the admin administrator and, if not, according to the access profile assigned to your administrator account.
Table 1: Characteristics of the CLI and web-based manager when ADOMs are enabled
                                                                   admin administrator account   Other administrators
Access to Global Configuration                                     Yes                           No
Access to Administrative Domain Configuration (can create ADOMs)   Yes                           No
Can create administrator accounts                                  Yes                           No
Can enter all ADOMs                                                Yes                           No
Table 2: Configuration locations when ADOMs are enabled
Within Global Configuration:
• System > Dashboard (includes tabs, if configured)
• System > Network > Interface
• System > Network > DNS
• System > Network > Routing
• System > Admin > Administrator
• System > Admin > Access Profile
• System > Admin > Auth Group
• System > Admin > RADIUS Server
• System > Admin > Settings
• System > Admin > Monitor
• System > Network Sharing > Windows Share
• System > Network Sharing > NFS Export
• System > Network Sharing > User
• System > Network Sharing > Group
• System > Config > Log Setting
• System > Config > Log Aggregation
• System > Config > Log Forwarding
• System > Config > RAID
• System > Maintenance > Backup & Restore
• System > Maintenance > FortiGuard Center
• Device > All > Device (devices assigned to an ADOM other than root cannot be deleted)
• Device > All > Blocked Device
• Log > Config > Log Config
• Report > Config > Language
• Quarantine > Config > Quarantine Config
• Alert > Alert Event > Alert Event
• Alert > Output > SNMP Access List
• Alert > Output > Syslog Server
• Tools > Vulnerability Scan > Module
• Tools > File Explorer > File Explorer
Within each ADOM:
• System > Config > IP Alias
• System > Config > LDAP
• Device > All > Device (read only)
• Device > All > Group
• Log > Log Viewer > Real-time
• Log > Log Viewer > Historical
• Log > Search > Log Search
• Log > Browse > Log Browser
• Content Archive > Web Archive
• Content Archive > Email Archive
• Content Archive > File Transfer
• Content Archive > IM Chat
• Content Archive > VoIP Archive
• Report > Browse > Result
• Report > Schedule > Schedule
• Report > Config > Layout
• Report > Config > Data Filter
• Report > Config > Output
• Quarantine > Repository > Repository
• Alert > Output > Mail Server
• Tools > Vulnerability Scan > Job
• Tools > Vulnerability Scan > Report
• Tools > File Explorer > File Explorer
If ADOMs are enabled and you log in as admin, you first access Administrative Domain Configuration. A superset of the typical menus and CLI commands appears, allowing unrestricted access and ADOM configuration.
• Global Configuration contains settings used by the FortiAnalyzer unit itself and settings shared by ADOMs, such as the device list, RAID, and administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM. If you enter Global Configuration, a Main Menu item appears in the menu, enabling you to return to the top level menu area, Administrative Domain Configuration.
• Administrative Domains allows you to configure or access ADOMs. You can add a device to one or more ADOMs. If you enter an ADOM, a Main Menu item appears in the menu, enabling you to return to the top level menu area, Administrative Domain Configuration.
If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A subset of the typical menus or CLI commands appears, allowing access only to the logs, reports, quarantine files, content archives, IP aliases, and LDAP queries specific to your ADOM. You cannot access Global Configuration or enter other ADOMs.
By default, administrator accounts other than the admin account are assigned to the root ADOM, which includes all devices in the device list. By creating ADOMs that contain a subset of devices in the device list, and assigning them to administrator accounts, you can restrict other administrator accounts to a subset of the FortiAnalyzer unit’s total devices or VDOMs.
The admin administrator account cannot be restricted to an ADOM. Other administrators are restricted to their ADOM, and cannot configure ADOMs or Global Configuration.
The maximum number of ADOMs varies by FortiAnalyzer model.
FortiAnalyzer Model          Number of Administrative Domains
FortiAnalyzer-400            10
FortiAnalyzer-800/800B       50
FortiAnalyzer-2000/2000A     100
FortiAnalyzer-4000/4000A     250
Note: ADOMs are not available on the FortiAnalyzer-100 or FortiAnalyzer-100A/100B.
The admin administrator can further restrict other administrators’ access to specific configuration areas within their ADOM by using access profiles. For more information, see “Access Profile” on page 50.

Configuring ADOMs

Administrative domains (ADOMs) are disabled by default. To use administrative domains, the admin administrator must first enable the feature, create ADOMs, and assign other FortiAnalyzer administrators to an ADOM.
Figure 1: Administrative Domain Configuration
Global Configuration   The admin administrator can access the global configuration. Select Main Menu to return to the Admin Domain Configuration page.
Create New             Select to create a new ADOM.
Edit                   Select an ADOM’s check box, then select Edit to change the name or member devices and VDOMs of the selected ADOM.
Delete                 Select an ADOM’s check box, then select Delete to remove the selected ADOM.
Name                   Select a name to enter that ADOM. Select Main Menu to return to Admin Domain Configuration.
Caution: Enabling ADOMs moves non-global configuration items to the root ADOM. Back up the FortiAnalyzer unit configuration before beginning the following procedure, To enable ADOMs. For more information about backing up your configuration, see “Backup & Restore” on page 69.
To enable ADOMs
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Go to System > Admin > Settings.
3 Enable Admin Domain Configuration.
4 Select OK.
A message appears:
Enabling/Disabling the admin domain configuration will require you to re-login. Are you sure you want to continue?
5 Select OK.
The FortiAnalyzer unit logs you out.
6 To confirm that ADOMs are enabled, log in as admin.
Administrative Domain Configuration appears, providing access to both Global Configuration and ADOM configuration. See “To add or edit an ADOM” on page 22 to create ADOMs. See “Assigning administrators to an ADOM” on page 24 to assign an administrator to an ADOM.
To add or edit an ADOM
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Select Create New, or select the check box next to an ADOM and select Edit.
3 Enter a Name for the ADOM.
4 Select which devices to associate with the ADOM from Available Devices, then select the right arrow to move them to Selected Devices.
You can move multiple devices at once. To select multiple devices, select the first device, then hold the Shift key while selecting the last device in a continuous range, or hold the Ctrl key while selecting each additional device.
To remove a device from Selected Devices, select one or more devices, then select the left arrow to move them to Available Devices.
5 If the ADOM includes a FortiGate unit and you want to restrict the ADOM to a specific VDOM, enable Restrict to a FortiGate VDOM, then enter the VDOM name.
6 Select OK.
Caution: Deleting ADOMs, which can occur when disabling the ADOM feature, removes administrator accounts assigned to ADOMs other than the root ADOM. Back up the FortiAnalyzer unit configuration before beginning this procedure. For more information, see “Backup & Restore” on page 69.
If you do not wish to delete those administrator accounts, assign them to the root ADOM before disabling ADOMs.
To disable ADOMs
1 Log in as admin.
Other administrators cannot enable, disable, or configure ADOMs.
2 Select the check boxes next to each ADOM except the root (Management Administrative Domain) ADOM, then select Delete.
If any ADOMs other than the root ADOM remain, the option to disable ADOMs will not appear.
3 Go to Global Configuration > System > Admin > Settings.
4 Disable Admin Domain Configuration.
5 Select OK.
A message appears:
Enabling/Disabling the admin domain configuration will require you to re-login. Are you sure you want to continue?
6 Select OK.
The FortiAnalyzer unit logs you out.
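The access model that Table 1, Table 2 and the caution above describe, as an added Python example that is not part of this guide or of Fortinet’s software: it models the admin account against other administrators, ADOM device membership, the optional VDOM restriction on log visibility, and the consequence of disabling ADOMs while accounts are still assigned outside root, so that you can audit which accounts would be deleted before running the disable procedure. Device IDs, ADOM names and administrator names are constructed; the FortiAnalyzer unit itself exposes none of these Python calls.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional

ROOT_ADOM = "root"
SUPER_ADMIN = "admin"        # the built-in admin account, which cannot be restricted to an ADOM


@dataclass(frozen=True)
class Adom:
    name: str
    devices: FrozenSet[str]            # device IDs assigned to this ADOM
    vdom: Optional[str] = None         # set when "Restrict to a FortiGate VDOM" is enabled


@dataclass
class Administrator:
    name: str
    adom: str = ROOT_ADOM              # existing accounts land in root when ADOMs are enabled


@dataclass
class FortiAnalyzer:
    all_devices: FrozenSet[str]        # the global device list
    adoms_enabled: bool = False
    adoms: Dict[str, Adom] = field(default_factory=dict)
    admins: Dict[str, Administrator] = field(default_factory=dict)

    def enable_adoms(self) -> None:
        # root holds every registered device; every other account defaults to root
        self.adoms_enabled = True
        self.adoms = {ROOT_ADOM: Adom(ROOT_ADOM, self.all_devices)}
        for a in self.admins.values():
            a.adom = ROOT_ADOM

    def add_adom(self, name: str, devices: Iterable[str], vdom: Optional[str] = None) -> None:
        unknown = frozenset(devices) - self.all_devices
        if unknown:
            raise ValueError(f"not in the device list: {sorted(unknown)}")
        self.adoms[name] = Adom(name, frozenset(devices), vdom)

    def assign(self, admin: str, adom: str) -> None:
        if admin == SUPER_ADMIN:
            raise ValueError("the admin account cannot be restricted to an ADOM")
        if adom not in self.adoms:
            raise KeyError(adom)
        self.admins[admin].adom = adom

    def can_access_global_config(self, admin: str) -> bool:
        # Table 1: only the admin account reaches Global Configuration
        return admin == SUPER_ADMIN

    def visible_devices(self, admin: str) -> FrozenSet[str]:
        if admin == SUPER_ADMIN or not self.adoms_enabled:
            return self.all_devices
        return self.adoms[self.admins[admin].adom].devices

    def can_view_logs(self, admin: str, device: str, vdom: Optional[str]) -> bool:
        """Device must be in the administrator's ADOM; if the ADOM is restricted
        to one FortiGate VDOM, only that VDOM's logs are visible."""
        if device not in self.visible_devices(admin):
            return False
        if admin == SUPER_ADMIN or not self.adoms_enabled:
            return True
        restrict = self.adoms[self.admins[admin].adom].vdom
        return restrict is None or restrict == vdom

    def accounts_lost_on_disable(self) -> List[str]:
        """The accounts the caution warns about: everyone assigned outside root."""
        return sorted(n for n, a in self.admins.items()
                      if n != SUPER_ADMIN and a.adom != ROOT_ADOM)

    def disable_adoms(self) -> List[str]:
        """Mirror the documented behaviour: non-root ADOMs and their administrators go away."""
        lost = self.accounts_lost_on_disable()
        for n in lost:
            del self.admins[n]
        self.adoms = {}
        self.adoms_enabled = False
        return lost


def build_sample() -> FortiAnalyzer:
    """Constructed unit: three registered FortiGates, three administrators plus admin."""
    fa = FortiAnalyzer(all_devices=frozenset({"FG-HQ", "FG-BRANCH1", "FG-BRANCH2"}))
    for n in ("alice", "bob", "carol", SUPER_ADMIN):
        fa.admins[n] = Administrator(n)
    fa.enable_adoms()
    fa.add_adom("branches", {"FG-BRANCH1", "FG-BRANCH2"})
    fa.add_adom("hq_finance", {"FG-HQ"}, vdom="vd_finance")
    fa.assign("alice", "branches")
    fa.assign("bob", "hq_finance")
    return fa


if __name__ == "__main__":
    fa = build_sample()
    print("alice sees:", sorted(fa.visible_devices("alice")))
    print("deleted if ADOMs were disabled now:", fa.accounts_lost_on_disable())
    fa.assign("alice", ROOT_ADOM)     # the remedy the caution recommends
    print("deleted on disable:", fa.disable_adoms())
```

Run accounts_lost_on_disable before step 2 of the disable procedure; any name it returns that you still need must be moved to the root ADOM first, as the caution says.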

Accessing ADOMs as the admin administrator

When ADOMs are enabled, additional ADOM items become available to the admin administrator and the structure of the web-based manager menu changes. After logging in, other administrators implicitly access the subset of the web-based manager that pertains only to their ADOM, while the admin administrator accesses the root of the web-based manager and can use all menus. The admin administrator must explicitly enter the part of the web-based manager that contains an ADOM’s settings and data to configure items specific to an ADOM.
To access an ADOM
1 Log in as admin.
Other administrators can access only the ADOM assigned to their account.
2 In the Administrative Domains area, select the name of the ADOM you want to enter.
The ADOM-specific menu subset appears. While in this menu subset, any changes you make affect this ADOM only, and do not affect devices in other ADOMs or global FortiAnalyzer unit settings.
You can return to Administrative Domain Configuration by going to Main Menu.

Assigning administrators to an ADOM

The admin administrator can create other administrators and assign an ADOM to their account, constraining them to configurations and data that apply only to devices in their ADOM.
Note: By default, when ADOMs are enabled, existing administrator accounts other than admin are assigned to the root ADOM, which contains all devices in the device list. For more information about creating other ADOMs, see “Configuring ADOMs” on page 22.
To assign an administrator to an ADOM
1 Log in as admin.
Other administrators cannot configure administrator accounts when ADOMs are enabled.
2 Go to Global Configuration > System > Admin > Administrator.
3 Configure the administrator account as described in “Adding or editing an administrator account” on page 49, selecting the Admin Domain that the administrator will be able to access.
Do not select Edit for the admin account. The admin administrator account cannot be restricted to an ADOM.

System

The System menu contains basic FortiAnalyzer unit system settings, such as network interfaces, DNS, routing, local logging, administrators, and network shares, and displays system statistics and provides basic system operations from the Dashboard. From the System menu, you can also back up or restore a configuration, or update the firmware on the FortiAnalyzer unit.
This section includes the following topics:
Dashboard
Network
Admin
Network Sharing
Config
Maintenance

Dashboard

Dashboard provides a summary view of the current operating status of the FortiAnalyzer unit, including any additional information happening on the network, such as top attacks or what types of logs were received.
The Dashboard also provides tabs so that you can customize different widget displays. For example, if administrators want to view only traffic activity, a tab called Traffic Activity would be added to the Dashboard with only the traffic activity widgets displaying on that tab.
The following widgets are available on the Dashboard:
• System Information
• License Information
• CLI Console
• System Resources
• System Operation
• Alert Message Console
• Statistics
• Report Engine
• RAID Monitor
• Log Receive Monitor
• Virus Activity
• Intrusion Activity
• Top Traffic
• Top FTP Traffic
• Top Email Traffic
• Top Web Traffic
• Top IM/P2P Traffic
Figure 1: Dashboard of a FortiAnalyzer-100A unit displaying one of the new widgets, Log Receive Monitor, and a tab, Branch Office
To rearrange a Dashboard widget
1 Go to System > Dashboard.
2 Place your mouse cursor over the widget’s title bar area, but not over buttons such as Hide or Close.
The cursor changes to a multidirectional arrow.
3 Select and drag the widget to its new location.
While dragging the widget, a red dashed line outlines the widget’s current destination, and other widgets reposition themselves to display the resulting layout.
To refresh a Dashboard widget
1 Go to System > Dashboard.
2 Place your mouse cursor over the widget’s title bar area.
Refresh Now appears on the right side of the title bar.
3 Select Refresh Now.
The widget refreshes with current data.
To minimize or expand a Dashboard widget
1 Go to System > Dashboard.
2 Place your mouse cursor over the widget’s icon, located on the right side of the title bar area.
If the widget is currently minimized, the arrow appears on its side, pointing to the right.
If the widget is currently expanded, the arrow appears pointing downward.
3 Select Show or Hide.
The widget toggles between showing the full widget and being minimized to show only its title bar.
To include a Dashboard widget
1 Go to System > Dashboard.
2 Select “+ Widget”.
A widget selection overlay appears.
3 Select one or more widgets. Alternatively, to restore the default set of widgets, select Back to Default.
The selected widgets appear on the Dashboard layout. Widgets whose names are gray are already included on the Dashboard layout, and cannot be included more than once.
4 Select “X” in the upper right corner.
The widget selection overlay closes.
To omit a Dashboard widget
1 Go to System > Dashboard.
2 Place your mouse cursor over the widget’s title bar area.
Close appears on the right side of the title bar.
3 Select Close.
A confirmation dialog appears.
4 Select OK.
The widget is removed from the Dashboard layout.

Tabs

Tabs provide a way to customize which widgets administrators view, for example, when administrators only need to view traffic widgets. You can add, delete, or rename tabs.
When adding widgets to tabs, you cannot have duplicate widgets on multiple tabs. For example, if you have the RAID Monitor widget on the Dashboard and you want to add the same widget to your new tab, Office_1, the RAID Monitor widget will only display on the Dashboard.
To add a tab
1 Go to System > Dashboard.
2 Select the plus (+) symbol beside the Dashboard tab.
3 Enter a name for the new tab.
4 Select +Widget to add the widgets you want to the new tab.
5 If applicable, edit the widgets to customize what each displays.
To rename a tab
1 Go to System > Dashboard.
2 Double-click on the name of the tab and press Delete.
3 Enter a new name and press Enter.
To delete a tab
1 Go to System > Dashboard.
2 Double-click on the name of the tab and select the (X) symbol.

RAID Monitor

The RAID Monitor area of the Dashboard displays information about the status of the RAID disks and the RAID level that has been selected. The RAID Monitor also displays how much disk space is being used.
The RAID Monitor layout is similar to the look of the front panel. The Drive Status Indicator allows you to view each disk’s name and the amount of space in GB each has, for example, Disk 2: Ready 465.76GB.
You can also configure RAID settings from the RAID Monitor area by selecting RAID Settings. This option is only available when you move your mouse over the title bar.
Figure 2: RAID Monitor displaying a RAID array without any failures
Figure 3: RAID Monitor displaying a failed disk (labelled: Drive Status Indicator, Array Status, Array Capacity Graph, and a warning symbol in the Drive Status Indicator indicating Disk 1 has problems)
In Figure 3, the Drive Status Indicator indicates that Disk 1 has problems. This is displayed by both a warning symbol and text. The text appears when you hover your mouse over the warning symbol and also indicates the amount of space in GB. When a disk has failed, a circle with an X appears in the Drive Status Indicator.
Figure 4: RAID Monitor displaying a disk that is being rebuilt (labelled: Rebuild Status bar, Rebuilding icon)
Array Status   Displays the following icons and status text when the RAID disk is okay, failed or being rebuilt:
  • green checkmark (OK) – indicates that the RAID disk has no problems
  • warning symbol (Warning) – indicates that there is a problem with the RAID disk, such as a failure, and it needs replacing. The RAID disk is also in reduced reliability mode when this status is indicated in the widget.
  • wrench symbol (Rebuilding) – indicates that a drive has been replaced and the RAID array is being rebuilt; it is also in reduced reliability mode
  • exclamation point (Failure) – indicates that multiple drives have failed, the RAID array is corrupted and the drive must be reinitialized
Disk space usage   Displays the amount of disk used, both as a percentage and as a fill line.
Used/Free/Total   Displays the amount of used disk space, available (free) disk space, and total disk space. These numbers are displayed in GB.
Rebuild Status progress bar   A bar indicating the progress of the rebuilding of a RAID array, in percent. This bar displays only when a RAID array is being rebuilt.
Estimated rebuild time [start and end time] (software RAID only)   The time remaining until the rebuild is complete, displayed in hours, minutes and seconds, together with the time at which the rebuilding process will end, displayed as the name of the day and the time in 12-hour format, for example, Friday at 3:14 pm. This displays only when an array is being rebuilt, and does not display for hardware RAID, such as on the FortiAnalyzer-2000/2000A and FortiAnalyzer-4000/4000A.
Rebuild Warning   A bar and text reminding you that the system has no redundancy protection until the rebuilding process is complete. This text displays only when an array is being rebuilt.

System Information

The System Information area of the Dashboard displays basic information about the FortiAnalyzer unit, such as up time and firmware version.
Figure 5: System Information
Serial Number
    The serial number of the FortiAnalyzer unit. The serial number is unique to the FortiAnalyzer unit and does not change with firmware updates. Use this number when registering your FortiAnalyzer unit with Fortinet.
Uptime
    The time in days, hours and minutes since the FortiAnalyzer was started or last rebooted.
System Time
    The current time according to the FortiAnalyzer internal clock. Select Change to change the time or configure the FortiAnalyzer unit to obtain the time from an NTP server. For more information, see “Setting the time” on page 29.
Host Name
    The name of the FortiAnalyzer unit. For more information about changing the name, see “Changing the host name” on page 30.
Firmware Version
    The version of the firmware installed on the FortiAnalyzer unit. Select Update to upload a new version of the firmware. For more information about updating the firmware, see “Changing the firmware” on page 30.
Setting the time
Set the system time to ensure correct report time ranges and scheduling and
accurate logging. You can either manually set the FortiAnalyzer system time or
you can configure the FortiAnalyzer unit to automatically keep its system time
correct by synchronizing with a Network Time Protocol (NTP) server.
To set the system time, go to System > Dashboard and select Change for the
System Time.
Figure 6: Time Settings
System Time
    The current FortiAnalyzer system date and time.
Refresh
    Update the display of the current FortiAnalyzer system date and time.
Time Zone
    Select the FortiAnalyzer unit’s time zone.
Set Time
    Select to set the FortiAnalyzer system date and time to the values you set in the Year, Month, Day, Hour, Minute and Second fields. Alternatively, select Synchronize with NTP Server.
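Because report time ranges and log timestamps depend on the clock being right, it is worth checking an NTP server's offset from a workstation before pointing the FortiAnalyzer unit at it. The following is an added example, not Fortinet code and not part of the guide: a minimal SNTP (RFC 4330) client that builds a request, validates the reply (server mode, synchronized leap indicator, usable stratum, and an origin timestamp that echoes the request so stray or off-path replies are rejected) and computes the clock offset and round-trip delay. The reply used in demo() is a constructed sample with a client clock 5 seconds behind the server; query_server() does a real query against a host name you supply.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800          # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET_FORMAT = "!B B b b 11I"  # LI/VN/Mode, stratum, poll, precision, then 11 32-bit words
PACKET_SIZE = 48


def to_ntp(unix_ts):
    """Split a Unix float timestamp into NTP (seconds, fraction) fields."""
    secs = int(unix_ts) + NTP_DELTA
    frac = int((unix_ts - int(unix_ts)) * 2**32)
    return secs, frac


def from_ntp(secs, frac):
    """Convert NTP (seconds, fraction) fields back to a Unix float timestamp."""
    return secs - NTP_DELTA + frac / 2**32


def build_request(t1):
    """Client request: LI=0, VN=3, Mode=3; only the Transmit Timestamp (T1) is filled in."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3
    tx_s, tx_f = to_ntp(t1)
    return struct.pack(PACKET_FORMAT, li_vn_mode, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, tx_s, tx_f)


def build_reply(t1, t2, t3, stratum=2, li=0, mode=4):
    """Construct a server reply for offline testing (constructed sample, not a capture).
    t1 = client transmit (echoed as Origin), t2 = server receive, t3 = server transmit."""
    li_vn_mode = (li << 6) | (3 << 3) | mode
    o_s, o_f = to_ntp(t1)
    r_s, r_f = to_ntp(t2)
    x_s, x_f = to_ntp(t3)
    ref_s, ref_f = to_ntp(t2 - 60)          # last sync of the server's own clock, a minute earlier
    return struct.pack(PACKET_FORMAT, li_vn_mode, stratum, 6, -20,
                       0, 0, 0x47505300,    # root delay, root dispersion, reference id "GPS\0"
                       ref_s, ref_f, o_s, o_f, r_s, r_f, x_s, x_f)


def parse_reply(data, t1, t4):
    """Validate a reply and return offset/delay per RFC 4330 (raises ValueError if unusable).
    offset = ((T2 - T1) + (T3 - T4)) / 2 ; delay = (T4 - T1) - (T3 - T2)"""
    if len(data) < PACKET_SIZE:
        raise ValueError("short packet")
    f = struct.unpack(PACKET_FORMAT, data[:PACKET_SIZE])
    li, vn, mode, stratum = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7, f[1]
    origin = from_ntp(f[9], f[10])
    t2 = from_ntp(f[11], f[12])
    t3 = from_ntp(f[13], f[14])
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3:
        raise ValueError("server clock is unsynchronized")
    if stratum == 0 or stratum > 15:
        raise ValueError("kiss-o'-death or invalid stratum %d" % stratum)
    if abs(origin - t1) > 1e-6:
        raise ValueError("origin timestamp does not echo our request")
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return {"offset": offset, "delay": delay, "stratum": stratum, "version": vn}


def reply_is_valid(data, t1, t4):
    """True if parse_reply accepts the packet, False otherwise."""
    try:
        parse_reply(data, t1, t4)
        return True
    except ValueError:
        return False


def query_server(host, port=123, timeout=3.0):
    """Send one request to a real NTP server and return the parsed result (network required)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (host, port))
        data, _ = sock.recvfrom(PACKET_SIZE)
        t4 = time.time()
    return parse_reply(data, t1, t4)


def demo():
    """Constructed scenario: client clock 5 s behind the server, 10 ms each way, 1 ms server processing."""
    t1 = 1_700_000_000.0       # client transmit (client clock)
    t2 = t1 + 5.0 + 0.01       # server receive (server clock)
    t3 = t2 + 0.001            # server transmit (server clock)
    t4 = t1 + 0.021            # client receive (client clock)
    return parse_reply(build_reply(t1, t2, t3), t1, t4)


if __name__ == "__main__":
    print(demo())   # offset about 5.0 s, delay about 0.020 s
```

An offset of a few seconds or more against the server you intend to use is the condition this section exists to prevent; compare it with the unit's System Time before and after selecting Synchronize with NTP Server.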